diff options
133 files changed, 0 insertions, 8767 deletions
diff --git a/patches/9p-evict_inode-should-kick-out-i_data-not-i_mapping.patch b/patches/9p-evict_inode-should-kick-out-i_data-not-i_mapping.patch deleted file mode 100644 index 07b2d02..0000000 --- a/patches/9p-evict_inode-should-kick-out-i_data-not-i_mapping.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 4ad78628445d26e5e9487b2e8f23274ad7b0f5d3 Mon Sep 17 00:00:00 2001 -From: Al Viro <viro@zeniv.linux.org.uk> -Date: Tue, 8 Dec 2015 03:07:22 -0500 -Subject: 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping - -commit 4ad78628445d26e5e9487b2e8f23274ad7b0f5d3 upstream. - -For block devices the pagecache is associated with the inode -on bdevfs, not with the aliasing ones on the mountable filesystems. -The latter have its own ->i_data empty and ->i_mapping pointing -to the (unique per major/minor) bdevfs inode. That guarantees -cache coherence between all block device inodes with the same -device number. - -Eviction of an alias inode has no business trying to evict the -pages belonging to bdevfs one; moreover, ->i_mapping is only -safe to access when the thing is opened. At the time of -->evict_inode() the victim is definitely *not* opened. We are -about to kill the address space embedded into struct inode -(inode->i_data) and that's what we need to empty of any pages. - -9p instance tries to empty inode->i_mapping instead, which is -both unsafe and bogus - if we have several device nodes with -the same device number in different places, closing one of them -should not try to empty the (shared) page cache. - -Fortunately, other instances in the tree are OK; they are -evicting from &inode->i_data instead, as 9p one should. - -Reported-by: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com> -Tested-by: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/9p/vfs_inode.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/fs/9p/vfs_inode.c -+++ b/fs/9p/vfs_inode.c -@@ -447,9 +447,9 @@ void v9fs_evict_inode(struct inode *inod - { - struct v9fs_inode *v9inode = V9FS_I(inode); - -- truncate_inode_pages(inode->i_mapping, 0); -+ truncate_inode_pages(&inode->i_data, 0); - end_writeback(inode); -- filemap_fdatawrite(inode->i_mapping); -+ filemap_fdatawrite(&inode->i_data); - - #ifdef CONFIG_9P_FSCACHE - v9fs_cache_inode_put_cookie(inode); diff --git a/patches/acpi-use-correct-irq-when-uninstalling-acpi-interrupt-handler.patch b/patches/acpi-use-correct-irq-when-uninstalling-acpi-interrupt-handler.patch deleted file mode 100644 index c75d64d..0000000 --- a/patches/acpi-use-correct-irq-when-uninstalling-acpi-interrupt-handler.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 49e4b84333f338d4f183f28f1f3c1131b9fb2b5a Mon Sep 17 00:00:00 2001 -From: Chen Yu <yu.c.chen@intel.com> -Date: Sun, 25 Oct 2015 01:02:19 +0800 -Subject: ACPI: Use correct IRQ when uninstalling ACPI interrupt handler - -commit 49e4b84333f338d4f183f28f1f3c1131b9fb2b5a upstream. - -Currently when the system is trying to uninstall the ACPI interrupt -handler, it uses acpi_gbl_FADT.sci_interrupt as the IRQ number. -However, the IRQ number that the ACPI interrupt handled is installed -for comes from acpi_gsi_to_irq() and that is the number that should -be used for the handler removal. - -Fix this problem by using the mapped IRQ returned from acpi_gsi_to_irq() -as appropriate. - -Acked-by: Lv Zheng <lv.zheng@intel.com> -Signed-off-by: Chen Yu <yu.c.chen@intel.com> -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/acpi/osl.c | 9 ++++++--- - include/linux/acpi.h | 6 ++++++ - 2 files changed, 12 insertions(+), 3 deletions(-) - ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -85,6 +85,7 @@ static void *acpi_irq_context; - static struct workqueue_struct *kacpid_wq; - static struct workqueue_struct *kacpi_notify_wq; - struct workqueue_struct *kacpi_hotplug_wq; -+unsigned int acpi_sci_irq = INVALID_ACPI_IRQ; - EXPORT_SYMBOL(kacpi_hotplug_wq); - - /* -@@ -612,17 +613,19 @@ acpi_os_install_interrupt_handler(u32 gs - acpi_irq_handler = NULL; - return AE_NOT_ACQUIRED; - } -+ acpi_sci_irq = irq; - - return AE_OK; - } - --acpi_status acpi_os_remove_interrupt_handler(u32 irq, acpi_osd_handler handler) -+acpi_status acpi_os_remove_interrupt_handler(u32 gsi, acpi_osd_handler handler) - { -- if (irq != acpi_gbl_FADT.sci_interrupt) -+ if (gsi != acpi_gbl_FADT.sci_interrupt || !acpi_sci_irq_valid()) - return AE_BAD_PARAMETER; - -- free_irq(irq, acpi_irq); -+ free_irq(acpi_sci_irq, acpi_irq); - acpi_irq_handler = NULL; -+ acpi_sci_irq = INVALID_ACPI_IRQ; - - return AE_OK; - } ---- a/include/linux/acpi.h -+++ b/include/linux/acpi.h -@@ -110,6 +110,12 @@ int acpi_unregister_ioapic(acpi_handle h - void acpi_irq_stats_init(void); - extern u32 acpi_irq_handled; - extern u32 acpi_irq_not_handled; -+extern unsigned int acpi_sci_irq; -+#define INVALID_ACPI_IRQ ((unsigned)-1) -+static inline bool acpi_sci_irq_valid(void) -+{ -+ return acpi_sci_irq != INVALID_ACPI_IRQ; -+} - - extern int sbf_port; - extern unsigned long acpi_realmode_flags; diff --git a/patches/af_unix-fix-a-fatal-race-with-bit-fields.patch b/patches/af_unix-fix-a-fatal-race-with-bit-fields.patch deleted file mode 100644 index af11067..0000000 --- a/patches/af_unix-fix-a-fatal-race-with-bit-fields.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 60bc851ae59bfe99be6ee89d6bc50008c85ec75d Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <eric.dumazet@gmail.com> -Date: Wed, 1 May 2013 05:24:03 +0000 -Subject: af_unix: fix a fatal race with bit fields - -commit 60bc851ae59bfe99be6ee89d6bc50008c85ec75d upstream. - -Using bit fields is dangerous on ppc64/sparc64, as the compiler [1] -uses 64bit instructions to manipulate them. -If the 64bit word includes any atomic_t or spinlock_t, we can lose -critical concurrent changes. - -This is happening in af_unix, where unix_sk(sk)->gc_candidate/ -gc_maybe_cycle/lock share the same 64bit word. - -This leads to fatal deadlock, as one/several cpus spin forever -on a spinlock that will never be available again. - -A safer way would be to use a long to store flags. -This way we are sure compiler/arch wont do bad things. - -As we own unix_gc_lock spinlock when clearing or setting bits, -we can use the non atomic __set_bit()/__clear_bit(). - -recursion_level can share the same 64bit location with the spinlock, -as it is set only with this spinlock held. - -[1] bug fixed in gcc-4.8.0 : -http://gcc.gnu.org/bugzilla/show_bug.cgi?id=52080 - -Reported-by: Ambrose Feinstein <ambrose@google.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> -Cc: Paul Mackerras <paulus@samba.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Cc: hejianet <hejianet@gmail.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - include/net/af_unix.h | 5 +++-- - net/unix/garbage.c | 12 ++++++------ - 2 files changed, 9 insertions(+), 8 deletions(-) - ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -56,9 +56,10 @@ struct unix_sock { - struct list_head link; - atomic_long_t inflight; - spinlock_t lock; -- unsigned int gc_candidate : 1; -- unsigned int gc_maybe_cycle : 1; - unsigned char recursion_level; -+ unsigned long gc_flags; -+#define UNIX_GC_CANDIDATE 0 -+#define UNIX_GC_MAYBE_CYCLE 1 - struct socket_wq peer_wq; - wait_queue_t peer_wake; - }; ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -185,7 +185,7 @@ static void scan_inflight(struct sock *x - * have been added to the queues after - * starting the garbage collection - */ -- if (u->gc_candidate) { -+ if (test_bit(UNIX_GC_CANDIDATE, &u->gc_flags)) { - hit = true; - func(u); - } -@@ -254,7 +254,7 @@ static void inc_inflight_move_tail(struc - * of the list, so that it's checked even if it was already - * passed over - */ -- if (u->gc_maybe_cycle) -+ if (test_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags)) - list_move_tail(&u->link, &gc_candidates); - } - -@@ -315,8 +315,8 @@ void unix_gc(void) - BUG_ON(total_refs < inflight_refs); - if (total_refs == inflight_refs) { - list_move_tail(&u->link, &gc_candidates); -- u->gc_candidate = 1; -- u->gc_maybe_cycle = 1; -+ __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags); -+ __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags); - } - } - -@@ -344,7 +344,7 @@ void unix_gc(void) - - if (atomic_long_read(&u->inflight) > 0) { - list_move_tail(&u->link, ¬_cycle_list); -- u->gc_maybe_cycle = 0; -+ __clear_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags); - scan_children(&u->sk, inc_inflight_move_tail, NULL); - } - } -@@ -356,7 +356,7 @@ void unix_gc(void) - */ - while (!list_empty(¬_cycle_list)) { - u = list_entry(not_cycle_list.next, struct unix_sock, link); -- u->gc_candidate = 0; -+ __clear_bit(UNIX_GC_CANDIDATE, &u->gc_flags); - list_move_tail(&u->link, &gc_inflight_list); - } - diff --git a/patches/ahci-fix-softreset-failed-issue-of-port-multiplier.patch b/patches/ahci-fix-softreset-failed-issue-of-port-multiplier.patch deleted file mode 100644 index a9d741e..0000000 --- a/patches/ahci-fix-softreset-failed-issue-of-port-multiplier.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 023113d24ef9e1d2b44cb2446872b17e2b01d8b1 Mon Sep 17 00:00:00 2001 -From: Xiangliang Yu <Xiangliang.Yu@amd.com> -Date: Thu, 26 Nov 2015 20:27:02 +0800 -Subject: AHCI: Fix softreset failed issue of Port Multiplier - -commit 023113d24ef9e1d2b44cb2446872b17e2b01d8b1 upstream. - -Current code doesn't update port value of Port Multiplier(PM) when -sending FIS of softreset to device, command will fail if FBS is -enabled. - -There are two ways to fix the issue: the first is to disable FBS -before sending softreset command to PM device and the second is -to update port value of PM when sending command. - -For the first way, i can't find any related rule in AHCI Spec. The -second way can avoid disabling FBS and has better performance. - -Signed-off-by: Xiangliang Yu <Xiangliang.Yu@amd.com> -Signed-off-by: Tejun Heo <tj@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/ata/libahci.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/drivers/ata/libahci.c -+++ b/drivers/ata/libahci.c -@@ -1228,6 +1228,15 @@ static int ahci_exec_polled_cmd(struct a - ata_tf_to_fis(tf, pmp, is_cmd, fis); - ahci_fill_cmd_slot(pp, 0, cmd_fis_len | flags | (pmp << 12)); - -+ /* set port value for softreset of Port Multiplier */ -+ if (pp->fbs_enabled && pp->fbs_last_dev != pmp) { -+ tmp = readl(port_mmio + PORT_FBS); -+ tmp &= ~(PORT_FBS_DEV_MASK | PORT_FBS_DEC); -+ tmp |= pmp << PORT_FBS_DEV_OFFSET; -+ writel(tmp, port_mmio + PORT_FBS); -+ pp->fbs_last_dev = pmp; -+ } -+ - /* issue & wait */ - writel(1, port_mmio + PORT_CMD_ISSUE); - diff --git a/patches/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch b/patches/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch deleted file mode 100644 index e5f8af1..0000000 --- a/patches/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch +++ /dev/null @@ -1,28 +0,0 @@ -From c932b98c1e47312822d911c1bb76e81ef50e389c Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Wed, 4 Nov 2015 22:39:16 +0100 -Subject: ALSA: hda - Apply pin fixup for HP ProBook 6550b - -commit c932b98c1e47312822d911c1bb76e81ef50e389c upstream. - -HP ProBook 6550b needs the same pin fixup applied to other HP B-series -laptops with docks for making its headphone and dock headphone jacks -working properly. We just need to add the codec SSID to the list. - -Bugzilla: https://bugzilla.kernel.org/attachment.cgi?id=191971 -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/pci/hda/patch_sigmatel.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/pci/hda/patch_sigmatel.c -+++ b/sound/pci/hda/patch_sigmatel.c -@@ -4932,6 +4932,7 @@ static int find_mute_led_cfg(struct hda_ - static int hp_blike_system(u32 subsystem_id) - { - switch (subsystem_id) { -+ case 0x103c1473: /* HP ProBook 6550b */ - case 0x103c1520: - case 0x103c1521: - case 0x103c1523: diff --git a/patches/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch b/patches/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch deleted file mode 100644 index 23bd0de..0000000 --- a/patches/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch +++ /dev/null @@ -1,44 +0,0 @@ -From cadd16ea33a938d49aee99edd4758cc76048b399 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Tue, 27 Oct 2015 14:21:51 +0100 -Subject: ALSA: hda - Disable 64bit address for Creative HDA controllers - -commit cadd16ea33a938d49aee99edd4758cc76048b399 upstream. - -We've had many reports that some Creative sound cards with CA0132 -don't work well. Some reported that it starts working after reloading -the module, while some reported it starts working when a 32bit kernel -is used. All these facts seem implying that the chip fails to -communicate when the buffer is located in 64bit address. - -This patch addresses these issues by just adding AZX_DCAPS_NO_64BIT -flag to the corresponding PCI entries. I casually had a chance to -test an SB Recon3D board, and indeed this seems helping. - -Although this hasn't been tested on all Creative devices, it's safer -to assume that this restriction applies to the rest of them, too. So -the flag is applied to all Creative entries. - -Signed-off-by: Takashi Iwai <tiwai@suse.de> -[lizf: Backported to 3.4: drop the change to macro AZX_DCAPS_PRESET_CTHDA] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/pci/hda/hda_intel.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/sound/pci/hda/hda_intel.c -+++ b/sound/pci/hda/hda_intel.c -@@ -3144,11 +3144,13 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) - .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, - .class_mask = 0xffffff, - .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | -+ AZX_DCAPS_NO_64BIT | - AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, - #else - /* this entry seems still valid -- i.e. without emu20kx chip */ - { PCI_DEVICE(0x1102, 0x0009), - .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | -+ AZX_DCAPS_NO_64BIT | - AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, - #endif - /* Vortex86MX */ diff --git a/patches/alsa-rme96-fix-unexpected-volume-reset-after-rate-changes.patch b/patches/alsa-rme96-fix-unexpected-volume-reset-after-rate-changes.patch deleted file mode 100644 index 821c196..0000000 --- a/patches/alsa-rme96-fix-unexpected-volume-reset-after-rate-changes.patch +++ /dev/null @@ -1,104 +0,0 @@ -From a74a821624c0c75388a193337babd17a8c02c740 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Fri, 4 Dec 2015 16:44:24 +0100 -Subject: ALSA: rme96: Fix unexpected volume reset after rate changes - -commit a74a821624c0c75388a193337babd17a8c02c740 upstream. - -rme96 driver needs to reset DAC depending on the sample rate, and this -results in resetting to the max volume suddenly. It's because of the -missing call of snd_rme96_apply_dac_volume(). - -However, calling this function right after the DAC reset still may not -work, and we need some delay before this call. Since the DAC reset -and the procedure after that are performed in the spinlock, we delay -the DAC volume restore at the end after the spinlock. - -Reported-and-tested-by: Sylvain LABOISNE <maeda1@free.fr> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/pci/rme96.c | 41 ++++++++++++++++++++++++++--------------- - 1 file changed, 26 insertions(+), 15 deletions(-) - ---- a/sound/pci/rme96.c -+++ b/sound/pci/rme96.c -@@ -704,10 +704,11 @@ snd_rme96_playback_setrate(struct rme96 - { - /* change to/from double-speed: reset the DAC (if available) */ - snd_rme96_reset_dac(rme96); -+ return 1; /* need to restore volume */ - } else { - writel(rme96->wcreg, rme96->iobase + RME96_IO_CONTROL_REGISTER); -+ return 0; - } -- return 0; - } - - static int -@@ -945,6 +946,7 @@ snd_rme96_playback_hw_params(struct snd_ - struct rme96 *rme96 = snd_pcm_substream_chip(substream); - struct snd_pcm_runtime *runtime = substream->runtime; - int err, rate, dummy; -+ bool apply_dac_volume = false; - - runtime->dma_area = (void __force *)(rme96->iobase + - RME96_IO_PLAY_BUFFER); -@@ -958,24 +960,26 @@ snd_rme96_playback_hw_params(struct snd_ - { - /* slave clock */ - if ((int)params_rate(params) != rate) { -- spin_unlock_irq(&rme96->lock); -- return -EIO; -- } -- } else if ((err = snd_rme96_playback_setrate(rme96, params_rate(params))) < 0) { -- spin_unlock_irq(&rme96->lock); -- return err; -- } -- if ((err = snd_rme96_playback_setformat(rme96, params_format(params))) < 0) { -- spin_unlock_irq(&rme96->lock); -- return err; -+ err = -EIO; -+ goto error; -+ } -+ } else { -+ err = snd_rme96_playback_setrate(rme96, params_rate(params)); -+ if (err < 0) -+ goto error; -+ apply_dac_volume = err > 0; /* need to restore volume later? */ - } -+ -+ err = snd_rme96_playback_setformat(rme96, params_format(params)); -+ if (err < 0) -+ goto error; - snd_rme96_setframelog(rme96, params_channels(params), 1); - if (rme96->capture_periodsize != 0) { - if (params_period_size(params) << rme96->playback_frlog != - rme96->capture_periodsize) - { -- spin_unlock_irq(&rme96->lock); -- return -EBUSY; -+ err = -EBUSY; -+ goto error; - } - } - rme96->playback_periodsize = -@@ -986,9 +990,16 @@ snd_rme96_playback_hw_params(struct snd_ - rme96->wcreg &= ~(RME96_WCR_PRO | RME96_WCR_DOLBY | RME96_WCR_EMP); - writel(rme96->wcreg |= rme96->wcreg_spdif_stream, rme96->iobase + RME96_IO_CONTROL_REGISTER); - } -+ -+ err = 0; -+ error: - spin_unlock_irq(&rme96->lock); -- -- return 0; -+ if (apply_dac_volume) { -+ usleep_range(3000, 10000); -+ snd_rme96_apply_dac_volume(rme96); -+ } -+ -+ return err; - } - - static int diff --git a/patches/alsa-usb-audio-add-packet-size-quirk-for-the-medeli-dd305.patch b/patches/alsa-usb-audio-add-packet-size-quirk-for-the-medeli-dd305.patch deleted file mode 100644 index bb95223..0000000 --- a/patches/alsa-usb-audio-add-packet-size-quirk-for-the-medeli-dd305.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 98d362becb6621bebdda7ed0eac7ad7ec6c37898 Mon Sep 17 00:00:00 2001 -From: Clemens Ladisch <clemens@ladisch.de> -Date: Sun, 15 Nov 2015 22:37:44 +0100 -Subject: ALSA: usb-audio: add packet size quirk for the Medeli DD305 - -commit 98d362becb6621bebdda7ed0eac7ad7ec6c37898 upstream. - -Signed-off-by: Clemens Ladisch <clemens@ladisch.de> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/usb/midi.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -1326,6 +1326,7 @@ static int snd_usbmidi_out_endpoint_crea - * Various chips declare a packet size larger than 4 bytes, but - * do not actually work with larger packets: - */ -+ case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */ - case USB_ID(0x0a92, 0x1020): /* ESI M4U */ - case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */ - case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */ diff --git a/patches/alsa-usb-audio-prevent-ch345-multiport-output-sysex-corruption.patch b/patches/alsa-usb-audio-prevent-ch345-multiport-output-sysex-corruption.patch deleted file mode 100644 index 631fd36..0000000 --- a/patches/alsa-usb-audio-prevent-ch345-multiport-output-sysex-corruption.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 1ca8b201309d842642f221db7f02f71c0af5be2d Mon Sep 17 00:00:00 2001 -From: Clemens Ladisch <clemens@ladisch.de> -Date: Sun, 15 Nov 2015 22:38:29 +0100 -Subject: ALSA: usb-audio: prevent CH345 multiport output SysEx corruption - -commit 1ca8b201309d842642f221db7f02f71c0af5be2d upstream. - -The CH345 USB MIDI chip has two output ports. However, they are -multiplexed through one pin, and the number of ports cannot be reduced -even for hardware that implements only one connector, so for those -devices, data sent to either port ends up on the same hardware output. -This becomes a problem when both ports are used at the same time, as -longer MIDI commands (such as SysEx messages) are likely to be -interrupted by messages from the other port, and thus to get lost. - -It would not be possible for the driver to detect how many ports the -device actually has, except that in practice, _all_ devices built with -the CH345 have only one port. So we can just ignore the device's -descriptors, and hardcode one output port. - -Signed-off-by: Clemens Ladisch <clemens@ladisch.de> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/usb/midi.c | 3 +++ - sound/usb/quirks-table.h | 11 +++++++++++ - sound/usb/quirks.c | 1 + - sound/usb/usbaudio.h | 1 + - 4 files changed, 16 insertions(+) - ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -2215,6 +2215,9 @@ int snd_usbmidi_create(struct snd_card * - - err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); - break; -+ case QUIRK_MIDI_CH345: -+ err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); -+ break; - default: - snd_printd(KERN_ERR "invalid quirk type %d\n", quirk->type); - err = -ENXIO; ---- a/sound/usb/quirks-table.h -+++ b/sound/usb/quirks-table.h -@@ -2689,6 +2689,17 @@ YAMAHA_DEVICE(0x7010, "UB99"), - .idProduct = 0x1020, - }, - -+/* QinHeng devices */ -+{ -+ USB_DEVICE(0x1a86, 0x752d), -+ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { -+ .vendor_name = "QinHeng", -+ .product_name = "CH345", -+ .ifnum = 1, -+ .type = QUIRK_MIDI_CH345 -+ } -+}, -+ - /* KeithMcMillen Stringport */ - { - USB_DEVICE(0x1f38, 0x0001), ---- a/sound/usb/quirks.c -+++ b/sound/usb/quirks.c -@@ -311,6 +311,7 @@ int snd_usb_create_quirk(struct snd_usb_ - [QUIRK_MIDI_CME] = create_any_midi_quirk, - [QUIRK_MIDI_AKAI] = create_any_midi_quirk, - [QUIRK_MIDI_FTDI] = create_any_midi_quirk, -+ [QUIRK_MIDI_CH345] = create_any_midi_quirk, - [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, - [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk, - [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk, ---- a/sound/usb/usbaudio.h -+++ b/sound/usb/usbaudio.h -@@ -81,6 +81,7 @@ enum quirk_type { - QUIRK_MIDI_AKAI, - QUIRK_MIDI_US122L, - QUIRK_MIDI_FTDI, -+ QUIRK_MIDI_CH345, - QUIRK_AUDIO_STANDARD_INTERFACE, - QUIRK_AUDIO_FIXED_ENDPOINT, - QUIRK_AUDIO_EDIROL_UAXX, diff --git a/patches/alsa-usb-audio-work-around-ch345-input-sysex-corruption.patch b/patches/alsa-usb-audio-work-around-ch345-input-sysex-corruption.patch deleted file mode 100644 index ac4bc01..0000000 --- a/patches/alsa-usb-audio-work-around-ch345-input-sysex-corruption.patch +++ /dev/null @@ -1,115 +0,0 @@ -From a91e627e3f0ed820b11d86cdc04df38f65f33a70 Mon Sep 17 00:00:00 2001 -From: Clemens Ladisch <clemens@ladisch.de> -Date: Sun, 15 Nov 2015 22:39:08 +0100 -Subject: ALSA: usb-audio: work around CH345 input SysEx corruption - -commit a91e627e3f0ed820b11d86cdc04df38f65f33a70 upstream. - -One of the many faults of the QinHeng CH345 USB MIDI interface chip is -that it does not handle received SysEx messages correctly -- every second -event packet has a wrong code index number, which is the one from the last -seen message, instead of 4. For example, the two messages "FE F0 01 02 03 -04 05 06 07 08 09 0A 0B 0C 0D 0E F7" result in the following event -packets: - -correct: CH345: -0F FE 00 00 0F FE 00 00 -04 F0 01 02 04 F0 01 02 -04 03 04 05 0F 03 04 05 -04 06 07 08 04 06 07 08 -04 09 0A 0B 0F 09 0A 0B -04 0C 0D 0E 04 0C 0D 0E -05 F7 00 00 05 F7 00 00 - -A class-compliant driver must interpret an event packet with CIN 15 as -having a single data byte, so the other two bytes would be ignored. The -message received by the host would then be missing two bytes out of six; -in this example, "F0 01 02 03 06 07 08 09 0C 0D 0E F7". - -These corrupted SysEx event packages contain only data bytes, while the -CH345 uses event packets with a correct CIN value only for messages with -a status byte, so it is possible to distinguish between these two cases by -checking for the presence of this status byte. - -(Other bugs in the CH345's input handling, such as the corruption resulting -from running status, cannot be worked around.) - -Signed-off-by: Clemens Ladisch <clemens@ladisch.de> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/usb/midi.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 42 insertions(+) - ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint { - u8 running_status_length; - } ports[0x10]; - u8 seen_f5; -+ bool in_sysex; -+ u8 last_cin; - u8 error_resubmit; - int current_port; - }; -@@ -465,6 +467,39 @@ static void snd_usbmidi_maudio_broken_ru - } - - /* -+ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4 -+ * but the previously seen CIN, but still with three data bytes. -+ */ -+static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep, -+ uint8_t *buffer, int buffer_length) -+{ -+ unsigned int i, cin, length; -+ -+ for (i = 0; i + 3 < buffer_length; i += 4) { -+ if (buffer[i] == 0 && i > 0) -+ break; -+ cin = buffer[i] & 0x0f; -+ if (ep->in_sysex && -+ cin == ep->last_cin && -+ (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0) -+ cin = 0x4; -+#if 0 -+ if (buffer[i + 1] == 0x90) { -+ /* -+ * Either a corrupted running status or a real note-on -+ * message; impossible to detect reliably. -+ */ -+ } -+#endif -+ length = snd_usbmidi_cin_length[cin]; -+ snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length); -+ ep->in_sysex = cin == 0x4; -+ if (!ep->in_sysex) -+ ep->last_cin = cin; -+ } -+} -+ -+/* - * CME protocol: like the standard protocol, but SysEx commands are sent as a - * single USB packet preceded by a 0x0F byte. - */ -@@ -650,6 +685,12 @@ static struct usb_protocol_ops snd_usbmi - .output_packet = snd_usbmidi_output_standard_packet, - }; - -+static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = { -+ .input = ch345_broken_sysex_input, -+ .output = snd_usbmidi_standard_output, -+ .output_packet = snd_usbmidi_output_standard_packet, -+}; -+ - /* - * AKAI MPD16 protocol: - * -@@ -2216,6 +2257,7 @@ int snd_usbmidi_create(struct snd_card * - err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); - break; - case QUIRK_MIDI_CH345: -+ umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops; - err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); - break; - default: diff --git a/patches/arm-8471-1-need-to-save-restore-arm-register-r11-when-it-is-corrupted.patch b/patches/arm-8471-1-need-to-save-restore-arm-register-r11-when-it-is-corrupted.patch deleted file mode 100644 index c3056e9..0000000 --- a/patches/arm-8471-1-need-to-save-restore-arm-register-r11-when-it-is-corrupted.patch +++ /dev/null @@ -1,48 +0,0 @@ -From fa0708b320f6da4c1104fe56e01b7abf66fd16ad Mon Sep 17 00:00:00 2001 -From: Anson Huang <Anson.Huang@freescale.com> -Date: Mon, 7 Dec 2015 10:09:19 +0100 -Subject: ARM: 8471/1: need to save/restore arm register(r11) when it is - corrupted - -commit fa0708b320f6da4c1104fe56e01b7abf66fd16ad upstream. - -In cpu_v7_do_suspend routine, r11 is used while it is NOT -saved/restored, different compiler may have different usage -of ARM general registers, so it may cause issues during -calling cpu_v7_do_suspend. - -We meet kernel fault occurs when using GCC 4.8.3, r11 contains -valid value before calling into cpu_v7_do_suspend, but when returned -from this routine, r11 is corrupted and lead to kernel fault. -Doing save/restore for those corrupted registers is a must in -assemble code. - -Signed-off-by: Anson Huang <Anson.Huang@freescale.com> -Reviewed-by: Nicolas Pitre <nico@linaro.org> -Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - arch/arm/mm/proc-v7.S | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/arm/mm/proc-v7.S -+++ b/arch/arm/mm/proc-v7.S -@@ -94,7 +94,7 @@ ENDPROC(cpu_v7_dcache_clean_area) - .equ cpu_v7_suspend_size, 4 * 8 - #ifdef CONFIG_ARM_CPU_SUSPEND - ENTRY(cpu_v7_do_suspend) -- stmfd sp!, {r4 - r10, lr} -+ stmfd sp!, {r4 - r11, lr} - mrc p15, 0, r4, c13, c0, 0 @ FCSE/PID - mrc p15, 0, r5, c13, c0, 3 @ User r/o thread ID - stmia r0!, {r4 - r5} -@@ -105,7 +105,7 @@ ENTRY(cpu_v7_do_suspend) - mrc p15, 0, r9, c1, c0, 1 @ Auxiliary control register - mrc p15, 0, r10, c1, c0, 2 @ Co-processor access control - stmia r0, {r6 - r11} -- ldmfd sp!, {r4 - r10, pc} -+ ldmfd sp!, {r4 - r11, pc} - ENDPROC(cpu_v7_do_suspend) - - ENTRY(cpu_v7_do_resume) diff --git a/patches/arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch b/patches/arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch deleted file mode 100644 index e002005..0000000 --- a/patches/arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 54c09889bff6d99c8733eed4a26c9391b177c88b Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann <arnd@arndb.de> -Date: Mon, 12 Oct 2015 15:46:08 +0200 -Subject: ARM: pxa: remove incorrect __init annotation on pxa27x_set_pwrmode - -commit 54c09889bff6d99c8733eed4a26c9391b177c88b upstream. - -The z2 machine calls pxa27x_set_pwrmode() in order to power off -the machine, but this function gets discarded early at boot because -it is marked __init, as pointed out by kbuild: - -WARNING: vmlinux.o(.text+0x145c4): Section mismatch in reference from the function z2_power_off() to the function .init.text:pxa27x_set_pwrmode() -The function z2_power_off() references -the function __init pxa27x_set_pwrmode(). -This is often because z2_power_off lacks a __init -annotation or the annotation of pxa27x_set_pwrmode is wrong. - -This removes the __init section modifier to fix rebooting and the -build error. - -Signed-off-by: Arnd Bergmann <arnd@arndb.de> -Fixes: ba4a90a6d86a ("ARM: pxa/z2: fix building error of pxa27x_cpu_suspend() no longer available") -Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - arch/arm/mach-pxa/include/mach/pxa27x.h | 2 +- - arch/arm/mach-pxa/pxa27x.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/arm/mach-pxa/include/mach/pxa27x.h -+++ b/arch/arm/mach-pxa/include/mach/pxa27x.h -@@ -21,7 +21,7 @@ - - extern void __init pxa27x_map_io(void); - extern void __init pxa27x_init_irq(void); --extern int __init pxa27x_set_pwrmode(unsigned int mode); -+extern int pxa27x_set_pwrmode(unsigned int mode); - extern void pxa27x_cpu_pm_enter(suspend_state_t state); - - #define pxa27x_handle_irq ichp_handle_irq ---- a/arch/arm/mach-pxa/pxa27x.c -+++ b/arch/arm/mach-pxa/pxa27x.c -@@ -242,7 +242,7 @@ static struct clk_lookup pxa27x_clkregs[ - */ - static unsigned int pwrmode = PWRMODE_SLEEP; - --int __init pxa27x_set_pwrmode(unsigned int mode) -+int pxa27x_set_pwrmode(unsigned int mode) - { - switch (mode) { - case PWRMODE_SLEEP: diff --git a/patches/asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch b/patches/asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch deleted file mode 100644 index 8def82e..0000000 --- a/patches/asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 Mon Sep 17 00:00:00 2001 -From: Sachin Pandhare <sachinpandhare@gmail.com> -Date: Tue, 10 Nov 2015 23:38:02 +0530 -Subject: ASoC: wm8962: correct addresses for HPF_C_0/1 - -commit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream. - -From datasheet: -R17408 (4400h) HPF_C_1 -R17409 (4401h) HPF_C_0 -17048 -> 17408 (0x4400) -17049 -> 17409 (0x4401) - -Signed-off-by: Sachin Pandhare <sachinpandhare@gmail.com> -Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - sound/soc/codecs/wm8962.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/sound/soc/codecs/wm8962.c -+++ b/sound/soc/codecs/wm8962.c -@@ -363,8 +363,8 @@ static struct reg_default wm8962_reg[] = - { 16924, 0x0059 }, /* R16924 - HDBASS_PG_1 */ - { 16925, 0x999A }, /* R16925 - HDBASS_PG_0 */ - -- { 17048, 0x0083 }, /* R17408 - HPF_C_1 */ -- { 17049, 0x98AD }, /* R17409 - HPF_C_0 */ -+ { 17408, 0x0083 }, /* R17408 - HPF_C_1 */ -+ { 17409, 0x98AD }, /* R17409 - HPF_C_0 */ - - { 17920, 0x007F }, /* R17920 - ADCL_RETUNE_C1_1 */ - { 17921, 0xFFFF }, /* R17921 - ADCL_RETUNE_C1_0 */ diff --git a/patches/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch b/patches/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch deleted file mode 100644 index 3f7ca21..0000000 --- a/patches/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch +++ /dev/null @@ -1,59 +0,0 @@ -From b582ef5c53040c5feef4c96a8f9585b6831e2441 Mon Sep 17 00:00:00 2001 -From: "Maciej W. Rozycki" <macro@imgtec.com> -Date: Mon, 26 Oct 2015 15:48:19 +0000 -Subject: binfmt_elf: Don't clobber passed executable's file header - -commit b582ef5c53040c5feef4c96a8f9585b6831e2441 upstream. - -Do not clobber the buffer space passed from `search_binary_handler' and -originally preloaded by `prepare_binprm' with the executable's file -header by overwriting it with its interpreter's file header. Instead -keep the buffer space intact and directly use the data structure locally -allocated for the interpreter's file header, fixing a bug introduced in -2.1.14 with loadable module support (linux-mips.org commit beb11695 -[Import of Linux/MIPS 2.1.14], predating kernel.org repo's history). -Adjust the amount of data read from the interpreter's file accordingly. - -This was not an issue before loadable module support, because back then -`load_elf_binary' was executed only once for a given ELF executable, -whether the function succeeded or failed. - -With loadable module support supported and enabled, upon a failure of -`load_elf_binary' -- which may for example be caused by architecture -code rejecting an executable due to a missing hardware feature requested -in the file header -- a module load is attempted and then the function -reexecuted by `search_binary_handler'. With the executable's file -header replaced with its interpreter's file header the executable can -then be erroneously accepted in this subsequent attempt. - -Signed-off-by: Maciej W. Rozycki <macro@imgtec.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/binfmt_elf.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/fs/binfmt_elf.c -+++ b/fs/binfmt_elf.c -@@ -668,16 +668,16 @@ static int load_elf_binary(struct linux_ - */ - would_dump(bprm, interpreter); - -- retval = kernel_read(interpreter, 0, bprm->buf, -- BINPRM_BUF_SIZE); -- if (retval != BINPRM_BUF_SIZE) { -+ /* Get the exec headers */ -+ retval = kernel_read(interpreter, 0, -+ (void *)&loc->interp_elf_ex, -+ sizeof(loc->interp_elf_ex)); -+ if (retval != sizeof(loc->interp_elf_ex)) { - if (retval >= 0) - retval = -EIO; - goto out_free_dentry; - } - -- /* Get the exec headers */ -- loc->interp_elf_ex = *((struct elfhdr *)bprm->buf); - break; - } - elf_ppnt++; diff --git a/patches/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch b/patches/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch deleted file mode 100644 index 37ac757..0000000 --- a/patches/bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 Mon Sep 17 00:00:00 2001 -From: Dmitry Tunin <hanipouspilot@gmail.com> -Date: Fri, 16 Oct 2015 11:45:26 +0300 -Subject: Bluetooth: ath3k: Add support of AR3012 0cf3:817b device - -commit 18e0afab8ce3f1230ce3fef52b2e73374fd9c0e7 upstream. - -T: Bus=04 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 -D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 -P: Vendor=0cf3 ProdID=817b Rev=00.02 -C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA -I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb - -BugLink: https://bugs.launchpad.net/bugs/1506615 - -Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com> -Signed-off-by: Marcel Holtmann <marcel@holtmann.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/bluetooth/ath3k.c | 2 ++ - drivers/bluetooth/btusb.c | 1 + - 2 files changed, 3 insertions(+) - ---- a/drivers/bluetooth/ath3k.c -+++ b/drivers/bluetooth/ath3k.c -@@ -94,6 +94,7 @@ static struct usb_device_id ath3k_table[ - { USB_DEVICE(0x0CF3, 0x311D) }, - { USB_DEVICE(0x0cf3, 0x3121) }, - { USB_DEVICE(0x0CF3, 0x817a) }, -+ { USB_DEVICE(0x0CF3, 0x817b) }, - { USB_DEVICE(0x0cf3, 0xe003) }, - { USB_DEVICE(0x0CF3, 0xE004) }, - { USB_DEVICE(0x0CF3, 0xE005) }, -@@ -144,6 +145,7 @@ static struct usb_device_id ath3k_blist_ - { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 }, -+ { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -172,6 +172,7 @@ static struct usb_device_id blacklist_ta - { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, -+ { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, diff --git a/patches/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch b/patches/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch deleted file mode 100644 index f290372..0000000 --- a/patches/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 3c25a860d17b7378822f35d8c9141db9507e3beb Mon Sep 17 00:00:00 2001 -From: Aaro Koskinen <aaro.koskinen@iki.fi> -Date: Sun, 22 Nov 2015 01:08:54 +0200 -Subject: broadcom: fix PHY_ID_BCM5481 entry in the id table - -commit 3c25a860d17b7378822f35d8c9141db9507e3beb upstream. - -Commit fcb26ec5b18d ("broadcom: move all PHY_ID's to header") -updated broadcom_tbl to use PHY_IDs, but incorrectly replaced 0x0143bca0 -with PHY_ID_BCM5482 (making a duplicate entry, and completely omitting -the original). Fix that. - -Fixes: fcb26ec5b18d ("broadcom: move all PHY_ID's to header") -Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/phy/broadcom.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/phy/broadcom.c -+++ b/drivers/net/phy/broadcom.c -@@ -933,7 +933,7 @@ static struct mdio_device_id __maybe_unu - { PHY_ID_BCM5421, 0xfffffff0 }, - { PHY_ID_BCM5461, 0xfffffff0 }, - { PHY_ID_BCM5464, 0xfffffff0 }, -- { PHY_ID_BCM5482, 0xfffffff0 }, -+ { PHY_ID_BCM5481, 0xfffffff0 }, - { PHY_ID_BCM5482, 0xfffffff0 }, - { PHY_ID_BCM50610, 0xfffffff0 }, - { PHY_ID_BCM50610M, 0xfffffff0 }, diff --git a/patches/btrfs-fix-race-leading-to-bug_on-when-running-delalloc-for-nodatacow.patch b/patches/btrfs-fix-race-leading-to-bug_on-when-running-delalloc-for-nodatacow.patch deleted file mode 100644 index 7a828c0..0000000 --- a/patches/btrfs-fix-race-leading-to-bug_on-when-running-delalloc-for-nodatacow.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 1d512cb77bdbda80f0dd0620a3b260d697fd581d Mon Sep 17 00:00:00 2001 -From: Filipe Manana <fdmanana@suse.com> -Date: Mon, 9 Nov 2015 00:33:58 +0000 -Subject: Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow - -commit 1d512cb77bdbda80f0dd0620a3b260d697fd581d upstream. - -If we are using the NO_HOLES feature, we have a tiny time window when -running delalloc for a nodatacow inode where we can race with a concurrent -link or xattr add operation leading to a BUG_ON. - -This happens because at run_delalloc_nocow() we end up casting a leaf item -of type BTRFS_INODE_[REF|EXTREF]_KEY or of type BTRFS_XATTR_ITEM_KEY to a -file extent item (struct btrfs_file_extent_item) and then analyse its -extent type field, which won't match any of the expected extent types -(values BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]) and therefore trigger an -explicit BUG_ON(1). - -The following sequence diagram shows how the race happens when running a -no-cow dellaloc range [4K, 8K[ for inode 257 and we have the following -neighbour leafs: - - Leaf X (has N items) Leaf Y - - [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ] [ (257 EXTENT_DATA 8192), ... ] - slot N - 2 slot N - 1 slot 0 - - (Note the implicit hole for inode 257 regarding the [0, 8K[ range) - - CPU 1 CPU 2 - - run_dealloc_nocow() - btrfs_lookup_file_extent() - --> searches for a key with value - (257 EXTENT_DATA 4096) in the - fs/subvol tree - --> returns us a path with - path->nodes[0] == leaf X and - path->slots[0] == N - - because path->slots[0] is >= - btrfs_header_nritems(leaf X), it - calls btrfs_next_leaf() - - btrfs_next_leaf() - --> releases the path - - hard link added to our inode, - with key (257 INODE_REF 500) - added to the end of leaf X, - so leaf X now has N + 1 keys - - --> searches for the key - (257 INODE_REF 256), because - it was the last key in leaf X - before it released the path, - with path->keep_locks set to 1 - - --> ends up at leaf X again and - it verifies that the key - (257 INODE_REF 256) is no longer - the last key in the leaf, so it - returns with path->nodes[0] == - leaf X and path->slots[0] == N, - pointing to the new item with - key (257 INODE_REF 500) - - the loop iteration of run_dealloc_nocow() - does not break out the loop and continues - because the key referenced in the path - at path->nodes[0] and path->slots[0] is - for inode 257, its type is < BTRFS_EXTENT_DATA_KEY - and its offset (500) is less then our delalloc - range's end (8192) - - the item pointed by the path, an inode reference item, - is (incorrectly) interpreted as a file extent item and - we get an invalid extent type, leading to the BUG_ON(1): - - if (extent_type == BTRFS_FILE_EXTENT_REG || - extent_type == BTRFS_FILE_EXTENT_PREALLOC) { - (...) - } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) { - (...) - } else { - BUG_ON(1) - } - -The same can happen if a xattr is added concurrently and ends up having -a key with an offset smaller then the delalloc's range end. - -So fix this by skipping keys with a type smaller than -BTRFS_EXTENT_DATA_KEY. - -Signed-off-by: Filipe Manana <fdmanana@suse.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/btrfs/inode.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -1203,8 +1203,14 @@ next_slot: - num_bytes = 0; - btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]); - -- if (found_key.objectid > ino || -- found_key.type > BTRFS_EXTENT_DATA_KEY || -+ if (found_key.objectid > ino) -+ break; -+ if (WARN_ON_ONCE(found_key.objectid < ino) || -+ found_key.type < BTRFS_EXTENT_DATA_KEY) { -+ path->slots[0]++; -+ goto next_slot; -+ } -+ if (found_key.type > BTRFS_EXTENT_DATA_KEY || - found_key.offset > end) - break; - diff --git a/patches/can-sja1000-clear-interrupts-on-start.patch b/patches/can-sja1000-clear-interrupts-on-start.patch deleted file mode 100644 index 949b5d8..0000000 --- a/patches/can-sja1000-clear-interrupts-on-start.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001 -From: Mirza Krak <mirza.krak@hostmobility.com> -Date: Tue, 10 Nov 2015 14:59:34 +0100 -Subject: can: sja1000: clear interrupts on start - -commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream. - -According to SJA1000 data sheet error-warning (EI) interrupt is not -cleared by setting the controller in to reset-mode. - -Then if we have the following case: -- system is suspended (echo mem > /sys/power/state) and SJA1000 is left - in operating state -- A bus error condition occurs which activates EI interrupt, system is - still suspended which means EI interrupt will be not be handled nor - cleared. - -If the above two events occur, on resume there is no way to return the -SJA1000 to operating state, except to cycle power to it. - -By simply reading the IR register on start we will clear any previous -conditions that could be present. - -Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com> -Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com> -Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> -[lizf: Backported to 3.4: s/SJA1000_IR/REG_IR/] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/can/sja1000/sja1000.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/net/can/sja1000/sja1000.c -+++ b/drivers/net/can/sja1000/sja1000.c -@@ -177,6 +177,9 @@ static void sja1000_start(struct net_dev - priv->write_reg(priv, REG_RXERR, 0x0); - priv->read_reg(priv, REG_ECC); - -+ /* clear interrupt flags */ -+ priv->read_reg(priv, REG_IR); -+ - /* leave reset mode */ - set_normal_mode(dev); - } diff --git a/patches/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch b/patches/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch deleted file mode 100644 index 115ef04..0000000 --- a/patches/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 4afa5f9617927453ac04b24b584f6c718dfb4f45 Mon Sep 17 00:00:00 2001 -From: Herbert Xu <herbert@gondor.apana.org.au> -Date: Sun, 1 Nov 2015 17:11:19 +0800 -Subject: crypto: algif_hash - Only export and import on sockets with data - -commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream. - -The hash_accept call fails to work on sockets that have not received -any data. For some algorithm implementations it may cause crashes. - -This patch fixes this by ensuring that we only export and import on -sockets that have received data. - -Reported-by: Harsh Jain <harshjain.prof@gmail.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Tested-by: Stephan Mueller <smueller@chronox.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - crypto/algif_hash.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -192,9 +192,14 @@ static int hash_accept(struct socket *so - struct sock *sk2; - struct alg_sock *ask2; - struct hash_ctx *ctx2; -+ bool more; - int err; - -- err = crypto_ahash_export(req, state); -+ lock_sock(sk); -+ more = ctx->more; -+ err = more ? crypto_ahash_export(req, state) : 0; -+ release_sock(sk); -+ - if (err) - return err; - -@@ -205,7 +210,10 @@ static int hash_accept(struct socket *so - sk2 = newsock->sk; - ask2 = alg_sk(sk2); - ctx2 = ask2->private; -- ctx2->more = 1; -+ ctx2->more = more; -+ -+ if (!more) -+ return err; - - err = crypto_ahash_import(&ctx2->req, state); - if (err) { diff --git a/patches/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch b/patches/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch deleted file mode 100644 index 1d83aec..0000000 --- a/patches/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 70d906bc17500edfa9bdd8c8b7e59618c7911613 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Sun, 6 Dec 2015 02:51:37 +0100 -Subject: crypto: skcipher - Copy iv from desc even for 0-len walks - -commit 70d906bc17500edfa9bdd8c8b7e59618c7911613 upstream. - -Some ciphers actually support encrypting zero length plaintexts. For -example, many AEAD modes support this. The resulting ciphertext for -those winds up being only the authentication tag, which is a result of -the key, the iv, the additional data, and the fact that the plaintext -had zero length. The blkcipher constructors won't copy the IV to the -right place, however, when using a zero length input, resulting in -some significant problems when ciphers call their initialization -routines, only to find that the ->iv parameter is uninitialized. One -such example of this would be using chacha20poly1305 with a zero length -input, which then calls chacha20, which calls the key setup routine, -which eventually OOPSes due to the uninitialized ->iv member. - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - crypto/ablkcipher.c | 2 +- - crypto/blkcipher.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - ---- a/crypto/ablkcipher.c -+++ b/crypto/ablkcipher.c -@@ -280,12 +280,12 @@ static int ablkcipher_walk_first(struct - if (WARN_ON_ONCE(in_irq())) - return -EDEADLK; - -+ walk->iv = req->info; - walk->nbytes = walk->total; - if (unlikely(!walk->total)) - return 0; - - walk->iv_buffer = NULL; -- walk->iv = req->info; - if (unlikely(((unsigned long)walk->iv & alignmask))) { - int err = ablkcipher_copy_iv(walk, tfm, alignmask); - if (err) ---- a/crypto/blkcipher.c -+++ b/crypto/blkcipher.c -@@ -329,12 +329,12 @@ static int blkcipher_walk_first(struct b - if (WARN_ON_ONCE(in_irq())) - return -EDEADLK; - -+ walk->iv = desc->info; - walk->nbytes = walk->total; - if (unlikely(!walk->total)) - return 0; - - walk->buffer = NULL; -- walk->iv = desc->info; - if (unlikely(((unsigned long)walk->iv & alignmask))) { - int err = blkcipher_copy_iv(walk, tfm, alignmask); - if (err) diff --git a/patches/devres-fix-a-for-loop-bounds-check.patch b/patches/devres-fix-a-for-loop-bounds-check.patch deleted file mode 100644 index 1249426..0000000 --- a/patches/devres-fix-a-for-loop-bounds-check.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 1f35d04a02a652f14566f875aef3a6f2af4cb77b Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Mon, 21 Sep 2015 19:21:51 +0300 -Subject: devres: fix a for loop bounds check - -commit 1f35d04a02a652f14566f875aef3a6f2af4cb77b upstream. - -The iomap[] array has PCIM_IOMAP_MAX (6) elements and not -DEVICE_COUNT_RESOURCE (16). This bug was found using a static checker. -It may be that the "if (!(mask & (1 << i)))" check means we never -actually go past the end of the array in real life. - -Fixes: ec04b075843d ('iomap: implement pcim_iounmap_regions()') -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Acked-by: Tejun Heo <tj@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - lib/devres.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/lib/devres.c -+++ b/lib/devres.c -@@ -390,7 +390,7 @@ void pcim_iounmap_regions(struct pci_dev - if (!iomap) - return; - -- for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) { -+ for (i = 0; i < PCIM_IOMAP_MAX; i++) { - if (!(mask & (1 << i))) - continue; - diff --git a/patches/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch b/patches/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch deleted file mode 100644 index b243231..0000000 --- a/patches/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch +++ /dev/null @@ -1,57 +0,0 @@ -From ed8b45a3679eb49069b094c0711b30833f27c734 Mon Sep 17 00:00:00 2001 -From: Joe Thornber <ejt@redhat.com> -Date: Thu, 10 Dec 2015 14:37:53 +0000 -Subject: dm btree: fix bufio buffer leaks in dm_btree_del() error path - -commit ed8b45a3679eb49069b094c0711b30833f27c734 upstream. - -If dm_btree_del()'s call to push_frame() fails, e.g. due to -btree_node_validator finding invalid metadata, the dm_btree_del() error -path must unlock all frames (which have active dm-bufio buffers) that -were pushed onto the del_stack. - -Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio -buffers have leaked, e.g.: - device-mapper: bufio: leaked buffer 3, hold count 1, list 0 - -Signed-off-by: Joe Thornber <ejt@redhat.com> -Signed-off-by: Mike Snitzer <snitzer@redhat.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/md/persistent-data/dm-btree.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -230,6 +230,16 @@ static void pop_frame(struct del_stack * - dm_tm_unlock(s->tm, f->b); - } - -+static void unlock_all_frames(struct del_stack *s) -+{ -+ struct frame *f; -+ -+ while (unprocessed_frames(s)) { -+ f = s->spine + s->top--; -+ dm_tm_unlock(s->tm, f->b); -+ } -+} -+ - int dm_btree_del(struct dm_btree_info *info, dm_block_t root) - { - int r; -@@ -285,9 +295,13 @@ int dm_btree_del(struct dm_btree_info *i - f->current_child = f->nr_children; - } - } -- - out: -+ if (r) { -+ /* cleanup all frames of del_stack */ -+ unlock_all_frames(s); -+ } - kfree(s); -+ - return r; - } - EXPORT_SYMBOL_GPL(dm_btree_del); diff --git a/patches/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch b/patches/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch deleted file mode 100644 index 9a85573..0000000 --- a/patches/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd Mon Sep 17 00:00:00 2001 -From: Mike Snitzer <snitzer@redhat.com> -Date: Mon, 23 Nov 2015 16:24:45 -0500 -Subject: dm btree: fix leak of bufio-backed block in btree_split_sibling error - path - -commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream. - -The block allocated at the start of btree_split_sibling() is never -released if later insert_at() fails. - -Fix this by releasing the previously allocated bufio block using -unlock_block(). - -Reported-by: Mikulas Patocka <mpatocka@redhat.com> -Signed-off-by: Mike Snitzer <snitzer@redhat.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/md/persistent-data/dm-btree.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/md/persistent-data/dm-btree.c -+++ b/drivers/md/persistent-data/dm-btree.c -@@ -450,8 +450,10 @@ static int btree_split_sibling(struct sh - - r = insert_at(sizeof(__le64), pn, parent_index + 1, - le64_to_cpu(rn->keys[0]), &location); -- if (r) -+ if (r) { -+ unlock_block(s->info, right); - return r; -+ } - - if (key < le64_to_cpu(rn->keys[0])) { - unlock_block(s->info, right); diff --git a/patches/drm-radeon-fix-hotplug-race-at-startup.patch b/patches/drm-radeon-fix-hotplug-race-at-startup.patch deleted file mode 100644 index 98767ff..0000000 --- a/patches/drm-radeon-fix-hotplug-race-at-startup.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 7f98ca454ad373fc1b76be804fa7138ff68c1d27 Mon Sep 17 00:00:00 2001 -From: Dave Airlie <airlied@redhat.com> -Date: Thu, 20 Aug 2015 10:13:55 +1000 -Subject: drm/radeon: fix hotplug race at startup - -commit 7f98ca454ad373fc1b76be804fa7138ff68c1d27 upstream. - -We apparantly get a hotplug irq before we've initialised -modesetting, - -[drm] Loading R100 Microcode -BUG: unable to handle kernel NULL pointer dereference at (null) -IP: [<c125f56f>] __mutex_lock_slowpath+0x23/0x91 -*pde = 00000000 -Oops: 0002 [#1] -Modules linked in: radeon(+) drm_kms_helper ttm drm i2c_algo_bit backlight pcspkr psmouse evdev sr_mod input_leds led_class cdrom sg parport_pc parport floppy intel_agp intel_gtt lpc_ich acpi_cpufreq processor button mfd_core agpgart uhci_hcd ehci_hcd rng_core snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm usbcore usb_common i2c_i801 i2c_core snd_timer snd soundcore thermal_sys -CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 4.2.0-rc7-00015-gbf67402 #111 -Hardware name: MicroLink /D850MV , BIOS MV85010A.86A.0067.P24.0304081124 04/08/2003 -Workqueue: events radeon_hotplug_work_func [radeon] -task: f6ca5900 ti: f6d3e000 task.ti: f6d3e000 -EIP: 0060:[<c125f56f>] EFLAGS: 00010282 CPU: 0 -EIP is at __mutex_lock_slowpath+0x23/0x91 -EAX: 00000000 EBX: f5e900fc ECX: 00000000 EDX: fffffffe -ESI: f6ca5900 EDI: f5e90100 EBP: f5e90000 ESP: f6d3ff0c - DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 -CR0: 8005003b CR2: 00000000 CR3: 36f61000 CR4: 000006d0 -Stack: - f5e90100 00000000 c103c4c1 f6d2a5a0 f5e900fc f6df394c c125f162 f8b0faca - f6d2a5a0 c138ca00 f6df394c f7395600 c1034741 00d40000 00000000 f6d2a5a0 - c138ca00 f6d2a5b8 c138ca10 c1034b58 00000001 f6d40000 f6ca5900 f6d0c940 -Call Trace: - [<c103c4c1>] ? dequeue_task_fair+0xa4/0xb7 - [<c125f162>] ? mutex_lock+0x9/0xa - [<f8b0faca>] ? radeon_hotplug_work_func+0x17/0x57 [radeon] - [<c1034741>] ? process_one_work+0xfc/0x194 - [<c1034b58>] ? worker_thread+0x18d/0x218 - [<c10349cb>] ? rescuer_thread+0x1d5/0x1d5 - [<c103742a>] ? kthread+0x7b/0x80 - [<c12601c0>] ? ret_from_kernel_thread+0x20/0x30 - [<c10373af>] ? init_completion+0x18/0x18 -Code: 42 08 e8 8e a6 dd ff c3 57 56 53 83 ec 0c 8b 35 48 f7 37 c1 8b 10 4a 74 1a 89 c3 8d 78 04 8b 40 08 89 63 - -Reported-and-Tested-by: Meelis Roos <mroos@linux.ee> -Signed-off-by: Dave Airlie <airlied@redhat.com> -Cc: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/gpu/drm/radeon/radeon_irq_kms.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/gpu/drm/radeon/radeon_irq_kms.c -+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c -@@ -51,6 +51,11 @@ static void radeon_hotplug_work_func(str - struct drm_mode_config *mode_config = &dev->mode_config; - struct drm_connector *connector; - -+ /* we can race here at startup, some boards seem to trigger -+ * hotplug irqs when they shouldn't. */ -+ if (!rdev->mode_info.mode_config_initialized) -+ return; -+ - mutex_lock(&mode_config->mutex); - if (mode_config->num_connector) { - list_for_each_entry(connector, &mode_config->connector_list, head) diff --git a/patches/drm-ttm-fixed-a-read-write-lock-imbalance.patch b/patches/drm-ttm-fixed-a-read-write-lock-imbalance.patch deleted file mode 100644 index 6ef3ca1..0000000 --- a/patches/drm-ttm-fixed-a-read-write-lock-imbalance.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 025af189fb44250206dd8a32fa4a682392af3301 Mon Sep 17 00:00:00 2001 -From: Thomas Hellstrom <thellstrom@vmware.com> -Date: Fri, 20 Nov 2015 11:43:50 -0800 -Subject: drm/ttm: Fixed a read/write lock imbalance - -commit 025af189fb44250206dd8a32fa4a682392af3301 upstream. - -In ttm_write_lock(), the uninterruptible path should call -__ttm_write_lock() not __ttm_read_lock(). This fixes a vmwgfx hang -on F23 start up. - -syeh: Extracted this from one of Thomas' internal patches. - -Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> -Reviewed-by: Sinclair Yeh <syeh@vmware.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/gpu/drm/ttm/ttm_lock.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/ttm/ttm_lock.c -+++ b/drivers/gpu/drm/ttm/ttm_lock.c -@@ -180,7 +180,7 @@ int ttm_write_lock(struct ttm_lock *lock - spin_unlock(&lock->lock); - } - } else -- wait_event(lock->queue, __ttm_read_lock(lock)); -+ wait_event(lock->queue, __ttm_write_lock(lock)); - - return ret; - } diff --git a/patches/ext4-fix-handling-of-extended-tv_sec.patch b/patches/ext4-fix-handling-of-extended-tv_sec.patch deleted file mode 100644 index 07074f3..0000000 --- a/patches/ext4-fix-handling-of-extended-tv_sec.patch +++ /dev/null @@ -1,108 +0,0 @@ -From a4dad1ae24f850410c4e60f22823cba1289b8d52 Mon Sep 17 00:00:00 2001 -From: David Turner <novalis@novalis.org> -Date: Tue, 24 Nov 2015 14:34:37 -0500 -Subject: ext4: Fix handling of extended tv_sec - -commit a4dad1ae24f850410c4e60f22823cba1289b8d52 upstream. - -In ext4, the bottom two bits of {a,c,m}time_extra are used to extend -the {a,c,m}time fields, deferring the year 2038 problem to the year -2446. - -When decoding these extended fields, for times whose bottom 32 bits -would represent a negative number, sign extension causes the 64-bit -extended timestamp to be negative as well, which is not what's -intended. This patch corrects that issue, so that the only negative -{a,c,m}times are those between 1901 and 1970 (as per 32-bit signed -timestamps). - -Some older kernels might have written pre-1970 dates with 1,1 in the -extra bits. This patch treats those incorrectly-encoded dates as -pre-1970, instead of post-2311, until kernel 4.20 is released. -Hopefully by then e2fsck will have fixed up the bad data. - -Also add a comment explaining the encoding of ext4's extra {a,c,m}time -bits. - -Signed-off-by: David Turner <novalis@novalis.org> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Reported-by: Mark Harris <mh8928@yahoo.com> -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=23732 -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/ext4/ext4.h | 51 ++++++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 44 insertions(+), 7 deletions(-) - ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -26,6 +26,7 @@ - #include <linux/seqlock.h> - #include <linux/mutex.h> - #include <linux/timer.h> -+#include <linux/version.h> - #include <linux/wait.h> - #include <linux/blockgroup_lock.h> - #include <linux/percpu_counter.h> -@@ -704,19 +705,55 @@ struct move_extent { - <= (EXT4_GOOD_OLD_INODE_SIZE + \ - (einode)->i_extra_isize)) \ - -+/* -+ * We use an encoding that preserves the times for extra epoch "00": -+ * -+ * extra msb of adjust for signed -+ * epoch 32-bit 32-bit tv_sec to -+ * bits time decoded 64-bit tv_sec 64-bit tv_sec valid time range -+ * 0 0 1 -0x80000000..-0x00000001 0x000000000 1901-12-13..1969-12-31 -+ * 0 0 0 0x000000000..0x07fffffff 0x000000000 1970-01-01..2038-01-19 -+ * 0 1 1 0x080000000..0x0ffffffff 0x100000000 2038-01-19..2106-02-07 -+ * 0 1 0 0x100000000..0x17fffffff 0x100000000 2106-02-07..2174-02-25 -+ * 1 0 1 0x180000000..0x1ffffffff 0x200000000 2174-02-25..2242-03-16 -+ * 1 0 0 0x200000000..0x27fffffff 0x200000000 2242-03-16..2310-04-04 -+ * 1 1 1 0x280000000..0x2ffffffff 0x300000000 2310-04-04..2378-04-22 -+ * 1 1 0 0x300000000..0x37fffffff 0x300000000 2378-04-22..2446-05-10 -+ * -+ * Note that previous versions of the kernel on 64-bit systems would -+ * incorrectly use extra epoch bits 1,1 for dates between 1901 and -+ * 1970. e2fsck will correct this, assuming that it is run on the -+ * affected filesystem before 2242. -+ */ -+ - static inline __le32 ext4_encode_extra_time(struct timespec *time) - { -- return cpu_to_le32((sizeof(time->tv_sec) > 4 ? -- (time->tv_sec >> 32) & EXT4_EPOCH_MASK : 0) | -- ((time->tv_nsec << EXT4_EPOCH_BITS) & EXT4_NSEC_MASK)); -+ u32 extra = sizeof(time->tv_sec) > 4 ? -+ ((time->tv_sec - (s32)time->tv_sec) >> 32) & EXT4_EPOCH_MASK : 0; -+ return cpu_to_le32(extra | (time->tv_nsec << EXT4_EPOCH_BITS)); - } - - static inline void ext4_decode_extra_time(struct timespec *time, __le32 extra) - { -- if (sizeof(time->tv_sec) > 4) -- time->tv_sec |= (__u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) -- << 32; -- time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; -+ if (unlikely(sizeof(time->tv_sec) > 4 && -+ (extra & cpu_to_le32(EXT4_EPOCH_MASK)))) { -+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0) -+ /* Handle legacy encoding of pre-1970 dates with epoch -+ * bits 1,1. We assume that by kernel version 4.20, -+ * everyone will have run fsck over the affected -+ * filesystems to correct the problem. (This -+ * backwards compatibility may be removed before this -+ * time, at the discretion of the ext4 developers.) -+ */ -+ u64 extra_bits = le32_to_cpu(extra) & EXT4_EPOCH_MASK; -+ if (extra_bits == 3 && ((time->tv_sec) & 0x80000000) != 0) -+ extra_bits = 0; -+ time->tv_sec += extra_bits << 32; -+#else -+ time->tv_sec += (u64)(le32_to_cpu(extra) & EXT4_EPOCH_MASK) << 32; -+#endif -+ } -+ time->tv_nsec = (le32_to_cpu(extra) & EXT4_NSEC_MASK) >> EXT4_EPOCH_BITS; - } - - #define EXT4_INODE_SET_XTIME(xtime, inode, raw_inode) \ diff --git a/patches/ext4-jbd2-ensure-entering-into-panic-after-recording-an-error-in-superblock.patch b/patches/ext4-jbd2-ensure-entering-into-panic-after-recording-an-error-in-superblock.patch deleted file mode 100644 index a74e81a..0000000 --- a/patches/ext4-jbd2-ensure-entering-into-panic-after-recording-an-error-in-superblock.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 4327ba52afd03fc4b5afa0ee1d774c9c5b0e85c5 Mon Sep 17 00:00:00 2001 -From: Daeho Jeong <daeho.jeong@samsung.com> -Date: Sun, 18 Oct 2015 17:02:56 -0400 -Subject: ext4, jbd2: ensure entering into panic after recording an error in - superblock - -commit 4327ba52afd03fc4b5afa0ee1d774c9c5b0e85c5 upstream. - -If a EXT4 filesystem utilizes JBD2 journaling and an error occurs, the -journaling will be aborted first and the error number will be recorded -into JBD2 superblock and, finally, the system will enter into the -panic state in "errors=panic" option. But, in the rare case, this -sequence is little twisted like the below figure and it will happen -that the system enters into panic state, which means the system reset -in mobile environment, before completion of recording an error in the -journal superblock. In this case, e2fsck cannot recognize that the -filesystem failure occurred in the previous run and the corruption -wouldn't be fixed. - -Task A Task B -ext4_handle_error() --> jbd2_journal_abort() - -> __journal_abort_soft() - -> __jbd2_journal_abort_hard() - | -> journal->j_flags |= JBD2_ABORT; - | - | __ext4_abort() - | -> jbd2_journal_abort() - | | -> __journal_abort_soft() - | | -> if (journal->j_flags & JBD2_ABORT) - | | return; - | -> panic() - | - -> jbd2_journal_update_sb_errno() - -Tested-by: Hobin Woo <hobin.woo@samsung.com> -Signed-off-by: Daeho Jeong <daeho.jeong@samsung.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/ext4/super.c | 12 ++++++++++-- - fs/jbd2/journal.c | 6 +++++- - include/linux/jbd2.h | 1 + - 3 files changed, 16 insertions(+), 3 deletions(-) - ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -483,9 +483,13 @@ static void ext4_handle_error(struct sup - ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only"); - sb->s_flags |= MS_RDONLY; - } -- if (test_opt(sb, ERRORS_PANIC)) -+ if (test_opt(sb, ERRORS_PANIC)) { -+ if (EXT4_SB(sb)->s_journal && -+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) -+ return; - panic("EXT4-fs (device %s): panic forced after error\n", - sb->s_id); -+ } - } - - void __ext4_error(struct super_block *sb, const char *function, -@@ -659,8 +663,12 @@ void __ext4_abort(struct super_block *sb - jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO); - save_error_info(sb, function, line); - } -- if (test_opt(sb, ERRORS_PANIC)) -+ if (test_opt(sb, ERRORS_PANIC)) { -+ if (EXT4_SB(sb)->s_journal && -+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR)) -+ return; - panic("EXT4-fs panic from previous error\n"); -+ } - } - - void ext4_msg(struct super_block *sb, const char *prefix, const char *fmt, ...) ---- a/fs/jbd2/journal.c -+++ b/fs/jbd2/journal.c -@@ -1921,8 +1921,12 @@ static void __journal_abort_soft (journa - - __jbd2_journal_abort_hard(journal); - -- if (errno) -+ if (errno) { - jbd2_journal_update_sb_errno(journal); -+ write_lock(&journal->j_state_lock); -+ journal->j_flags |= JBD2_REC_ERR; -+ write_unlock(&journal->j_state_lock); -+ } - } - - /** ---- a/include/linux/jbd2.h -+++ b/include/linux/jbd2.h -@@ -954,6 +954,7 @@ struct journal_s - #define JBD2_ABORT_ON_SYNCDATA_ERR 0x040 /* Abort the journal on file - * data write error in ordered - * mode */ -+#define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */ - - /* - * Function declarations for the journaling transaction and buffer diff --git a/patches/firewire-ohci-fix-jmicron-jmb38x-it-context-discovery.patch b/patches/firewire-ohci-fix-jmicron-jmb38x-it-context-discovery.patch deleted file mode 100644 index 7465931..0000000 --- a/patches/firewire-ohci-fix-jmicron-jmb38x-it-context-discovery.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 100ceb66d5c40cc0c7018e06a9474302470be73c Mon Sep 17 00:00:00 2001 -From: Stefan Richter <stefanr@s5r6.in-berlin.de> -Date: Tue, 3 Nov 2015 01:46:21 +0100 -Subject: firewire: ohci: fix JMicron JMB38x IT context discovery - -commit 100ceb66d5c40cc0c7018e06a9474302470be73c upstream. - -Reported by Clifford and Craig for JMicron OHCI-1394 + SDHCI combo -controllers: Often or even most of the time, the controller is -initialized with the message "added OHCI v1.10 device as card 0, 4 IR + -0 IT contexts, quirks 0x10". With 0 isochronous transmit DMA contexts -(IT contexts), applications like audio output are impossible. - -However, OHCI-1394 demands that at least 4 IT contexts are implemented -by the link layer controller, and indeed JMicron JMB38x do implement -four of them. Only their IsoXmitIntMask register is unreliable at early -access. - -With my own JMB381 single function controller I found: - - I can reproduce the problem with a lower probability than Craig's. - - If I put a loop around the section which clears and reads - IsoXmitIntMask, then either the first or the second attempt will - return the correct initial mask of 0x0000000f. I never encountered - a case of needing more than a second attempt. - - Consequently, if I put a dummy reg_read(...IsoXmitIntMaskSet) - before the first write, the subsequent read will return the correct - result. - - If I merely ignore a wrong read result and force the known real - result, later isochronous transmit DMA usage works just fine. - -So let's just fix this chip bug up by the latter method. Tested with -JMB381 on kernel 3.13 and 4.3. - -Since OHCI-1394 generally requires 4 IT contexts at a minium, this -workaround is simply applied whenever the initial read of IsoXmitIntMask -returns 0, regardless whether it's a JMicron chip or not. I never heard -of this issue together with any other chip though. - -I am not 100% sure that this fix works on the OHCI-1394 part of JMB380 -and JMB388 combo controllers exactly the same as on the JMB381 single- -function controller, but so far I haven't had a chance to let an owner -of a combo chip run a patched kernel. - -Strangely enough, IsoRecvIntMask is always reported correctly, even -though it is probed right before IsoXmitIntMask. - -Reported-by: Clifford Dunn -Reported-by: Craig Moore <craig.moore@qenos.com> -Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> -[lizf: Backported to 3.4: use dev_notice() instead of ohci_notice()] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/firewire/ohci.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/firewire/ohci.c -+++ b/drivers/firewire/ohci.c -@@ -3620,6 +3620,11 @@ static int __devinit pci_probe(struct pc - - reg_write(ohci, OHCI1394_IsoXmitIntMaskSet, ~0); - ohci->it_context_support = reg_read(ohci, OHCI1394_IsoXmitIntMaskSet); -+ /* JMicron JMB38x often shows 0 at first read, just ignore it */ -+ if (!ohci->it_context_support) { -+ dev_notice(&dev->dev, "overriding IsoXmitIntMask\n"); -+ ohci->it_context_support = 0xf; -+ } - reg_write(ohci, OHCI1394_IsoXmitIntMaskClear, ~0); - ohci->it_context_mask = ohci->it_context_support; - ohci->n_it = hweight32(ohci->it_context_mask); diff --git a/patches/fix-incomplete-backport-of-commit-0f792cf949a0.patch b/patches/fix-incomplete-backport-of-commit-0f792cf949a0.patch deleted file mode 100644 index 8ac1add..0000000 --- a/patches/fix-incomplete-backport-of-commit-0f792cf949a0.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 8dd02e0afb0b7accbedd1e1685ee40c1209095f0 Mon Sep 17 00:00:00 2001 -From: Zefan Li <lizefan@huawei.com> -Date: Sun, 9 Oct 2016 19:06:49 +0800 -Subject: [PATCH 2/4] Fix incomplete backport of commit 0f792cf949a0 - -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - mm/hugetlb.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -2929,13 +2929,17 @@ out_page_table_lock: - unlock_page(pagecache_page); - put_page(pagecache_page); - } -- if (page != pagecache_page) -- unlock_page(page); -- put_page(page); -- - out_mutex: - mutex_unlock(&hugetlb_instantiation_mutex); -- -+ /* -+ * Generally it's safe to hold refcount during waiting page lock. But -+ * here we just wait to defer the next page fault to avoid busy loop and -+ * the page is not used after unlocked before returning from the current -+ * page fault. So we are safe from accessing freed page, even if we wait -+ * here without taking refcount. -+ */ -+ if (need_wait_lock) -+ wait_on_page_locked(page); - return ret; - } - diff --git a/patches/fix-incomplete-backport-of-commit-423f04d63cf4.patch b/patches/fix-incomplete-backport-of-commit-423f04d63cf4.patch deleted file mode 100644 index e66aa9d..0000000 --- a/patches/fix-incomplete-backport-of-commit-423f04d63cf4.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 432621e038f9dce48ad04471d28ada37a52626a2 Mon Sep 17 00:00:00 2001 -From: Zefan Li <lizefan@huawei.com> -Date: Sun, 9 Oct 2016 19:00:59 +0800 -Subject: [PATCH 1/4] Fix incomplete backport of commit 423f04d63cf4 - -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/md/raid1.c | 3 --- - 1 file changed, 3 deletions(-) - ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -1272,11 +1272,8 @@ static void error(struct mddev *mddev, s - set_bit(Blocked, &rdev->flags); - spin_lock_irqsave(&conf->device_lock, flags); - if (test_and_clear_bit(In_sync, &rdev->flags)) { -- unsigned long flags; -- spin_lock_irqsave(&conf->device_lock, flags); - mddev->degraded++; - set_bit(Faulty, &rdev->flags); -- spin_unlock_irqrestore(&conf->device_lock, flags); - /* - * if recovery is running, make sure it aborts. - */ diff --git a/patches/fix-sysvfs-symlinks.patch b/patches/fix-sysvfs-symlinks.patch deleted file mode 100644 index e617d24..0000000 --- a/patches/fix-sysvfs-symlinks.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0ebf7f10d67a70e120f365018f1c5fce9ddc567d Mon Sep 17 00:00:00 2001 -From: Al Viro <viro@zeniv.linux.org.uk> -Date: Mon, 23 Nov 2015 21:11:08 -0500 -Subject: fix sysvfs symlinks - -commit 0ebf7f10d67a70e120f365018f1c5fce9ddc567d upstream. - -The thing got broken back in 2002 - sysvfs does *not* have inline -symlinks; even short ones have bodies stored in the first block -of file. sysv_symlink() handles that correctly; unfortunately, -attempting to look an existing symlink up will end up confusing -them for inline symlinks, and interpret the block number containing -the body as the body itself. - -Nobody has noticed until now, which says something about the level -of testing sysvfs gets ;-/ - -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/sysv/inode.c | 10 ++-------- - 1 file changed, 2 insertions(+), 8 deletions(-) - ---- a/fs/sysv/inode.c -+++ b/fs/sysv/inode.c -@@ -176,14 +176,8 @@ void sysv_set_inode(struct inode *inode, - inode->i_fop = &sysv_dir_operations; - inode->i_mapping->a_ops = &sysv_aops; - } else if (S_ISLNK(inode->i_mode)) { -- if (inode->i_blocks) { -- inode->i_op = &sysv_symlink_inode_operations; -- inode->i_mapping->a_ops = &sysv_aops; -- } else { -- inode->i_op = &sysv_fast_symlink_inode_operations; -- nd_terminate_link(SYSV_I(inode)->i_data, inode->i_size, -- sizeof(SYSV_I(inode)->i_data) - 1); -- } -+ inode->i_op = &sysv_symlink_inode_operations; -+ inode->i_mapping->a_ops = &sysv_aops; - } else - init_special_inode(inode, inode->i_mode, rdev); - } diff --git a/patches/fs-cache-don-t-override-netfs-s-primary_index-if-registering-failed.patch b/patches/fs-cache-don-t-override-netfs-s-primary_index-if-registering-failed.patch deleted file mode 100644 index 93df0dc..0000000 --- a/patches/fs-cache-don-t-override-netfs-s-primary_index-if-registering-failed.patch +++ /dev/null @@ -1,88 +0,0 @@ -From b130ed5998e62879a66bad08931a2b5e832da95c Mon Sep 17 00:00:00 2001 -From: Kinglong Mee <kinglongmee@gmail.com> -Date: Wed, 4 Nov 2015 15:20:24 +0000 -Subject: FS-Cache: Don't override netfs's primary_index if registering failed - -commit b130ed5998e62879a66bad08931a2b5e832da95c upstream. - -Only override netfs->primary_index when registering success. - -Signed-off-by: Kinglong Mee <kinglongmee@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -[lizf: Backported to 3.4: there are no n_active and flags in primary_index] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/fscache/netfs.c | 31 +++++++++++++++---------------- - 1 file changed, 15 insertions(+), 16 deletions(-) - ---- a/fs/fscache/netfs.c -+++ b/fs/fscache/netfs.c -@@ -22,6 +22,7 @@ static LIST_HEAD(fscache_netfs_list); - int __fscache_register_netfs(struct fscache_netfs *netfs) - { - struct fscache_netfs *ptr; -+ struct fscache_cookie *cookie; - int ret; - - _enter("{%s}", netfs->name); -@@ -29,24 +30,23 @@ int __fscache_register_netfs(struct fsca - INIT_LIST_HEAD(&netfs->link); - - /* allocate a cookie for the primary index */ -- netfs->primary_index = -- kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL); -+ cookie = kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL); - -- if (!netfs->primary_index) { -+ if (!cookie) { - _leave(" = -ENOMEM"); - return -ENOMEM; - } - - /* initialise the primary index cookie */ -- atomic_set(&netfs->primary_index->usage, 1); -- atomic_set(&netfs->primary_index->n_children, 0); -+ atomic_set(&cookie->usage, 1); -+ atomic_set(&cookie->n_children, 0); - -- netfs->primary_index->def = &fscache_fsdef_netfs_def; -- netfs->primary_index->parent = &fscache_fsdef_index; -- netfs->primary_index->netfs_data = netfs; -+ cookie->def = &fscache_fsdef_netfs_def; -+ cookie->parent = &fscache_fsdef_index; -+ cookie->netfs_data = netfs; - -- spin_lock_init(&netfs->primary_index->lock); -- INIT_HLIST_HEAD(&netfs->primary_index->backing_objects); -+ spin_lock_init(&cookie->lock); -+ INIT_HLIST_HEAD(&cookie->backing_objects); - - /* check the netfs type is not already present */ - down_write(&fscache_addremove_sem); -@@ -57,9 +57,10 @@ int __fscache_register_netfs(struct fsca - goto already_registered; - } - -- atomic_inc(&netfs->primary_index->parent->usage); -- atomic_inc(&netfs->primary_index->parent->n_children); -+ atomic_inc(&cookie->parent->usage); -+ atomic_inc(&cookie->parent->n_children); - -+ netfs->primary_index = cookie; - list_add(&netfs->link, &fscache_netfs_list); - ret = 0; - -@@ -69,10 +70,8 @@ int __fscache_register_netfs(struct fsca - already_registered: - up_write(&fscache_addremove_sem); - -- if (ret < 0) { -- kmem_cache_free(fscache_cookie_jar, netfs->primary_index); -- netfs->primary_index = NULL; -- } -+ if (ret < 0) -+ kmem_cache_free(fscache_cookie_jar, cookie); - - _leave(" = %d", ret); - return ret; diff --git a/patches/fs-cache-handle-a-write-to-the-page-immediately-beyond-the-eof-marker.patch b/patches/fs-cache-handle-a-write-to-the-page-immediately-beyond-the-eof-marker.patch deleted file mode 100644 index b5cfb48..0000000 --- a/patches/fs-cache-handle-a-write-to-the-page-immediately-beyond-the-eof-marker.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 102f4d900c9c8f5ed89ae4746d493fe3ebd7ba64 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Nov 2015 15:20:42 +0000 -Subject: FS-Cache: Handle a write to the page immediately beyond the EOF - marker - -commit 102f4d900c9c8f5ed89ae4746d493fe3ebd7ba64 upstream. - -Handle a write being requested to the page immediately beyond the EOF -marker on a cache object. Currently this gets an assertion failure in -CacheFiles because the EOF marker is used there to encode information about -a partial page at the EOF - which could lead to an unknown blank spot in -the file if we extend the file over it. - -The problem is actually in fscache where we check the index of the page -being written against store_limit. store_limit is set to the number of -pages that we're allowed to store by fscache_set_store_limit() - which -means it's one more than the index of the last page we're allowed to store. -The problem is that we permit writing to a page with an index _equal_ to -the store limit - when we should reject that case. - -Whilst we're at it, change the triggered assertion in CacheFiles to just -return -ENOBUFS instead. - -The assertion failure looks something like this: - -CacheFiles: Assertion failed -1000 < 7b1 is false -------------[ cut here ]------------ -kernel BUG at fs/cachefiles/rdwr.c:962! -... -RIP: 0010:[<ffffffffa02c9e83>] [<ffffffffa02c9e83>] cachefiles_write_page+0x273/0x2d0 [cachefiles] - -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/cachefiles/rdwr.c | 80 ++++++++++++++++++++++++++++----------------------- - fs/fscache/page.c | 2 - - 2 files changed, 45 insertions(+), 37 deletions(-) - ---- a/fs/cachefiles/rdwr.c -+++ b/fs/cachefiles/rdwr.c -@@ -914,6 +914,15 @@ int cachefiles_write_page(struct fscache - cache = container_of(object->fscache.cache, - struct cachefiles_cache, cache); - -+ pos = (loff_t)page->index << PAGE_SHIFT; -+ -+ /* We mustn't write more data than we have, so we have to beware of a -+ * partial page at EOF. -+ */ -+ eof = object->fscache.store_limit_l; -+ if (pos >= eof) -+ goto error; -+ - /* write the page to the backing filesystem and let it store it in its - * own time */ - dget(object->backer); -@@ -922,47 +931,46 @@ int cachefiles_write_page(struct fscache - cache->cache_cred); - if (IS_ERR(file)) { - ret = PTR_ERR(file); -- } else { -+ goto error_2; -+ } -+ if (!file->f_op->write) { - ret = -EIO; -- if (file->f_op->write) { -- pos = (loff_t) page->index << PAGE_SHIFT; -- -- /* we mustn't write more data than we have, so we have -- * to beware of a partial page at EOF */ -- eof = object->fscache.store_limit_l; -- len = PAGE_SIZE; -- if (eof & ~PAGE_MASK) { -- ASSERTCMP(pos, <, eof); -- if (eof - pos < PAGE_SIZE) { -- _debug("cut short %llx to %llx", -- pos, eof); -- len = eof - pos; -- ASSERTCMP(pos + len, ==, eof); -- } -- } -- -- data = kmap(page); -- old_fs = get_fs(); -- set_fs(KERNEL_DS); -- ret = file->f_op->write( -- file, (const void __user *) data, len, &pos); -- set_fs(old_fs); -- kunmap(page); -- if (ret != len) -- ret = -EIO; -- } -- fput(file); -+ goto error_2; - } - -- if (ret < 0) { -- if (ret == -EIO) -- cachefiles_io_error_obj( -- object, "Write page to backing file failed"); -- ret = -ENOBUFS; -+ len = PAGE_SIZE; -+ if (eof & ~PAGE_MASK) { -+ if (eof - pos < PAGE_SIZE) { -+ _debug("cut short %llx to %llx", -+ pos, eof); -+ len = eof - pos; -+ ASSERTCMP(pos + len, ==, eof); -+ } - } - -- _leave(" = %d", ret); -- return ret; -+ data = kmap(page); -+ old_fs = get_fs(); -+ set_fs(KERNEL_DS); -+ ret = file->f_op->write( -+ file, (const void __user *) data, len, &pos); -+ set_fs(old_fs); -+ kunmap(page); -+ fput(file); -+ if (ret != len) -+ goto error_eio; -+ -+ _leave(" = 0"); -+ return 0; -+ -+error_eio: -+ ret = -EIO; -+error_2: -+ if (ret == -EIO) -+ cachefiles_io_error_obj(object, -+ "Write page to backing file failed"); -+error: -+ _leave(" = -ENOBUFS [%d]", ret); -+ return -ENOBUFS; - } - - /* ---- a/fs/fscache/page.c -+++ b/fs/fscache/page.c -@@ -676,7 +676,7 @@ static void fscache_write_op(struct fsca - goto superseded; - page = results[0]; - _debug("gang %d [%lx]", n, page->index); -- if (page->index > op->store_limit) { -+ if (page->index >= op->store_limit) { - fscache_stat(&fscache_n_store_pages_over_limit); - goto superseded; - } diff --git a/patches/fs-cache-increase-reference-of-parent-after-registering-netfs-success.patch b/patches/fs-cache-increase-reference-of-parent-after-registering-netfs-success.patch deleted file mode 100644 index 6cee7e4..0000000 --- a/patches/fs-cache-increase-reference-of-parent-after-registering-netfs-success.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 Mon Sep 17 00:00:00 2001 -From: Kinglong Mee <kinglongmee@gmail.com> -Date: Wed, 4 Nov 2015 15:20:15 +0000 -Subject: FS-Cache: Increase reference of parent after registering, netfs - success - -commit 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 upstream. - -If netfs exist, fscache should not increase the reference of parent's -usage and n_children, otherwise, never be decreased. - -v2: thanks David's suggest, - move increasing reference of parent if success - use kmem_cache_free() freeing primary_index directly - -v3: don't move "netfs->primary_index->parent = &fscache_fsdef_index;" - -Signed-off-by: Kinglong Mee <kinglongmee@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/fscache/netfs.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - ---- a/fs/fscache/netfs.c -+++ b/fs/fscache/netfs.c -@@ -45,9 +45,6 @@ int __fscache_register_netfs(struct fsca - netfs->primary_index->parent = &fscache_fsdef_index; - netfs->primary_index->netfs_data = netfs; - -- atomic_inc(&netfs->primary_index->parent->usage); -- atomic_inc(&netfs->primary_index->parent->n_children); -- - spin_lock_init(&netfs->primary_index->lock); - INIT_HLIST_HEAD(&netfs->primary_index->backing_objects); - -@@ -60,6 +57,9 @@ int __fscache_register_netfs(struct fsca - goto already_registered; - } - -+ atomic_inc(&netfs->primary_index->parent->usage); -+ atomic_inc(&netfs->primary_index->parent->n_children); -+ - list_add(&netfs->link, &fscache_netfs_list); - ret = 0; - -@@ -70,8 +70,7 @@ already_registered: - up_write(&fscache_addremove_sem); - - if (ret < 0) { -- netfs->primary_index->parent = NULL; -- __fscache_cookie_put(netfs->primary_index); -+ kmem_cache_free(fscache_cookie_jar, netfs->primary_index); - netfs->primary_index = NULL; - } - diff --git a/patches/ftrace-scripts-fix-incorrect-use-of-sprintf-in-recordmcount.patch b/patches/ftrace-scripts-fix-incorrect-use-of-sprintf-in-recordmcount.patch deleted file mode 100644 index bf3fc3d..0000000 --- a/patches/ftrace-scripts-fix-incorrect-use-of-sprintf-in-recordmcount.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 713a3e4de707fab49d5aa4bceb77db1058572a7b Mon Sep 17 00:00:00 2001 -From: Colin Ian King <colin.king@canonical.com> -Date: Wed, 30 Dec 2015 23:06:41 +0000 -Subject: ftrace/scripts: Fix incorrect use of sprintf in recordmcount - -commit 713a3e4de707fab49d5aa4bceb77db1058572a7b upstream. - -Fix build warning: - -scripts/recordmcount.c:589:4: warning: format not a string -literal and no format arguments [-Wformat-security] - sprintf("%s: failed\n", file); - -Fixes: a50bd43935586 ("ftrace/scripts: Have recordmcount copy the object file") -Link: http://lkml.kernel.org/r/1451516801-16951-1-git-send-email-colin.king@canonical.com - -Cc: Li Bin <huawei.libin@huawei.com> -Cc: Russell King <rmk+kernel@arm.linux.org.uk> -Cc: Will Deacon <will.deacon@arm.com> -Signed-off-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Steven Rostedt <rostedt@goodmis.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - scripts/recordmcount.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/scripts/recordmcount.c -+++ b/scripts/recordmcount.c -@@ -546,7 +546,7 @@ main(int argc, char *argv[]) - do_file(file); - break; - case SJ_FAIL: /* error in do_file or below */ -- sprintf("%s: failed\n", file); -+ fprintf(stderr, "%s: failed\n", file); - ++n_error; - break; - case SJ_SUCCEED: /* premature success */ diff --git a/patches/ftrace-scripts-have-recordmcount-copy-the-object-file.patch b/patches/ftrace-scripts-have-recordmcount-copy-the-object-file.patch deleted file mode 100644 index 44f6bb2..0000000 --- a/patches/ftrace-scripts-have-recordmcount-copy-the-object-file.patch +++ /dev/null @@ -1,255 +0,0 @@ -From a50bd43935586420fb75f4558369eb08566fac5e Mon Sep 17 00:00:00 2001 -From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org> -Date: Tue, 15 Dec 2015 16:06:10 -0500 -Subject: ftrace/scripts: Have recordmcount copy the object file - -commit a50bd43935586420fb75f4558369eb08566fac5e upstream. - -Russell King found that he had weird side effects when compiling the kernel -with hard linked ccache. The reason was that recordmcount modified the -kernel in place via mmap, and when a file gets modified twice by -recordmcount, it will complain about it. To fix this issue, Russell wrote a -patch that checked if the file was hard linked more than once and would -unlink it if it was. - -Linus Torvalds was not happy with the fact that recordmcount does this in -place modification. Instead of doing the unlink only if the file has two or -more hard links, it does the unlink all the time. In otherwords, it always -does a copy if it changed something. That is, it does the write out if a -change was made. - -Signed-off-by: Steven Rostedt <rostedt@goodmis.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - scripts/recordmcount.c | 145 +++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 110 insertions(+), 35 deletions(-) - ---- a/scripts/recordmcount.c -+++ b/scripts/recordmcount.c -@@ -35,12 +35,17 @@ - - static int fd_map; /* File descriptor for file being modified. */ - static int mmap_failed; /* Boolean flag. */ --static void *ehdr_curr; /* current ElfXX_Ehdr * for resource cleanup */ - static char gpfx; /* prefix for global symbol name (sometimes '_') */ - static struct stat sb; /* Remember .st_size, etc. */ - static jmp_buf jmpenv; /* setjmp/longjmp per-file error escape */ - static const char *altmcount; /* alternate mcount symbol name */ - static int warn_on_notrace_sect; /* warn when section has mcount not being recorded */ -+static void *file_map; /* pointer of the mapped file */ -+static void *file_end; /* pointer to the end of the mapped file */ -+static int file_updated; /* flag to state file was changed */ -+static void *file_ptr; /* current file pointer location */ -+static void *file_append; /* added to the end of the file */ -+static size_t file_append_size; /* how much is added to end of file */ - - /* setjmp() return values */ - enum { -@@ -54,10 +59,14 @@ static void - cleanup(void) - { - if (!mmap_failed) -- munmap(ehdr_curr, sb.st_size); -+ munmap(file_map, sb.st_size); - else -- free(ehdr_curr); -- close(fd_map); -+ free(file_map); -+ file_map = NULL; -+ free(file_append); -+ file_append = NULL; -+ file_append_size = 0; -+ file_updated = 0; - } - - static void __attribute__((noreturn)) -@@ -79,12 +88,22 @@ succeed_file(void) - static off_t - ulseek(int const fd, off_t const offset, int const whence) - { -- off_t const w = lseek(fd, offset, whence); -- if (w == (off_t)-1) { -- perror("lseek"); -+ switch (whence) { -+ case SEEK_SET: -+ file_ptr = file_map + offset; -+ break; -+ case SEEK_CUR: -+ file_ptr += offset; -+ break; -+ case SEEK_END: -+ file_ptr = file_map + (sb.st_size - offset); -+ break; -+ } -+ if (file_ptr < file_map) { -+ fprintf(stderr, "lseek: seek before file\n"); - fail_file(); - } -- return w; -+ return file_ptr - file_map; - } - - static size_t -@@ -101,12 +120,38 @@ uread(int const fd, void *const buf, siz - static size_t - uwrite(int const fd, void const *const buf, size_t const count) - { -- size_t const n = write(fd, buf, count); -- if (n != count) { -- perror("write"); -- fail_file(); -+ size_t cnt = count; -+ off_t idx = 0; -+ -+ file_updated = 1; -+ -+ if (file_ptr + count >= file_end) { -+ off_t aoffset = (file_ptr + count) - file_end; -+ -+ if (aoffset > file_append_size) { -+ file_append = realloc(file_append, aoffset); -+ file_append_size = aoffset; -+ } -+ if (!file_append) { -+ perror("write"); -+ fail_file(); -+ } -+ if (file_ptr < file_end) { -+ cnt = file_end - file_ptr; -+ } else { -+ cnt = 0; -+ idx = aoffset - count; -+ } - } -- return n; -+ -+ if (cnt) -+ memcpy(file_ptr, buf, cnt); -+ -+ if (cnt < count) -+ memcpy(file_append + idx, buf + cnt, count - cnt); -+ -+ file_ptr += count; -+ return count; - } - - static void * -@@ -163,9 +208,7 @@ static int make_nop_x86(void *map, size_ - */ - static void *mmap_file(char const *fname) - { -- void *addr; -- -- fd_map = open(fname, O_RDWR); -+ fd_map = open(fname, O_RDONLY); - if (fd_map < 0 || fstat(fd_map, &sb) < 0) { - perror(fname); - fail_file(); -@@ -174,29 +217,58 @@ static void *mmap_file(char const *fname - fprintf(stderr, "not a regular file: %s\n", fname); - fail_file(); - } -- addr = mmap(0, sb.st_size, PROT_READ|PROT_WRITE, MAP_PRIVATE, -- fd_map, 0); -+ file_map = mmap(0, sb.st_size, PROT_READ|PROT_WRITE, MAP_PRIVATE, -+ fd_map, 0); - mmap_failed = 0; -- if (addr == MAP_FAILED) { -+ if (file_map == MAP_FAILED) { - mmap_failed = 1; -- addr = umalloc(sb.st_size); -- uread(fd_map, addr, sb.st_size); -+ file_map = umalloc(sb.st_size); -+ uread(fd_map, file_map, sb.st_size); - } -- if (sb.st_nlink != 1) { -- /* file is hard-linked, break the hard link */ -- close(fd_map); -- if (unlink(fname) < 0) { -- perror(fname); -- fail_file(); -- } -- fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode); -- if (fd_map < 0) { -- perror(fname); -+ close(fd_map); -+ -+ file_end = file_map + sb.st_size; -+ -+ return file_map; -+} -+ -+static void write_file(const char *fname) -+{ -+ char tmp_file[strlen(fname) + 4]; -+ size_t n; -+ -+ if (!file_updated) -+ return; -+ -+ sprintf(tmp_file, "%s.rc", fname); -+ -+ /* -+ * After reading the entire file into memory, delete it -+ * and write it back, to prevent weird side effects of modifying -+ * an object file in place. -+ */ -+ fd_map = open(tmp_file, O_WRONLY | O_TRUNC | O_CREAT, sb.st_mode); -+ if (fd_map < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ n = write(fd_map, file_map, sb.st_size); -+ if (n != sb.st_size) { -+ perror("write"); -+ fail_file(); -+ } -+ if (file_append_size) { -+ n = write(fd_map, file_append, file_append_size); -+ if (n != file_append_size) { -+ perror("write"); - fail_file(); - } -- uwrite(fd_map, addr, sb.st_size); - } -- return addr; -+ close(fd_map); -+ if (rename(tmp_file, fname) < 0) { -+ perror(fname); -+ fail_file(); -+ } - } - - /* w8rev, w8nat, ...: Handle endianness. */ -@@ -303,7 +375,6 @@ do_file(char const *const fname) - Elf32_Ehdr *const ehdr = mmap_file(fname); - unsigned int reltype = 0; - -- ehdr_curr = ehdr; - w = w4nat; - w2 = w2nat; - w8 = w8nat; -@@ -415,6 +486,7 @@ do_file(char const *const fname) - } - } /* end switch */ - -+ write_file(fname); - cleanup(); - } - -@@ -467,11 +539,14 @@ main(int argc, char *argv[]) - case SJ_SETJMP: /* normal sequence */ - /* Avoid problems if early cleanup() */ - fd_map = -1; -- ehdr_curr = NULL; - mmap_failed = 1; -+ file_map = NULL; -+ file_ptr = NULL; -+ file_updated = 0; - do_file(file); - break; - case SJ_FAIL: /* error in do_file or below */ -+ sprintf("%s: failed\n", file); - ++n_error; - break; - case SJ_SUCCEED: /* premature success */ diff --git a/patches/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch b/patches/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch deleted file mode 100644 index b922870..0000000 --- a/patches/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 3ca8138f014a913f98e6ef40e939868e1e9ea876 Mon Sep 17 00:00:00 2001 -From: Roman Gushchin <klamm@yandex-team.ru> -Date: Mon, 12 Oct 2015 16:33:44 +0300 -Subject: fuse: break infinite loop in fuse_fill_write_pages() - -commit 3ca8138f014a913f98e6ef40e939868e1e9ea876 upstream. - -I got a report about unkillable task eating CPU. Further -investigation shows, that the problem is in the fuse_fill_write_pages() -function. If iov's first segment has zero length, we get an infinite -loop, because we never reach iov_iter_advance() call. - -Fix this by calling iov_iter_advance() before repeating an attempt to -copy data from userspace. - -A similar problem is described in 124d3b7041f ("fix writev regression: -pan hanging unkillable and un-straceable"). If zero-length segmend -is followed by segment with invalid address, -iov_iter_fault_in_readable() checks only first segment (zero-length), -iov_iter_copy_from_user_atomic() skips it, fails at second and -returns zero -> goto again without skipping zero-length segment. - -Patch calls iov_iter_advance() before goto again: we'll skip zero-length -segment at second iteraction and iov_iter_fault_in_readable() will detect -invalid address. - -Special thanks to Konstantin Khlebnikov, who helped a lot with the commit -description. - -Cc: Andrew Morton <akpm@linux-foundation.org> -Cc: Maxim Patlasov <mpatlasov@parallels.com> -Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> -Signed-off-by: Roman Gushchin <klamm@yandex-team.ru> -Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> -Fixes: ea9b9907b82a ("fuse: implement perform_write") -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/fuse/file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -846,6 +846,7 @@ static ssize_t fuse_fill_write_pages(str - - mark_page_accessed(page); - -+ iov_iter_advance(ii, tmp); - if (!tmp) { - unlock_page(page); - page_cache_release(page); -@@ -857,7 +858,6 @@ static ssize_t fuse_fill_write_pages(str - req->pages[req->num_pages] = page; - req->num_pages++; - -- iov_iter_advance(ii, tmp); - count += tmp; - pos += tmp; - offset += tmp; diff --git a/patches/genirq-prevent-chip-buslock-deadlock.patch b/patches/genirq-prevent-chip-buslock-deadlock.patch deleted file mode 100644 index 44729e3..0000000 --- a/patches/genirq-prevent-chip-buslock-deadlock.patch +++ /dev/null @@ -1,77 +0,0 @@ -From abc7e40c81d113ef4bacb556f0a77ca63ac81d85 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner <tglx@linutronix.de> -Date: Sun, 13 Dec 2015 18:12:30 +0100 -Subject: genirq: Prevent chip buslock deadlock -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit abc7e40c81d113ef4bacb556f0a77ca63ac81d85 upstream. - -If a interrupt chip utilizes chip->buslock then free_irq() can -deadlock in the following way: - -CPU0 CPU1 - interrupt(X) (Shared or spurious) -free_irq(X) interrupt_thread(X) -chip_bus_lock(X) - irq_finalize_oneshot(X) - chip_bus_lock(X) -synchronize_irq(X) - -synchronize_irq() waits for the interrupt thread to complete, -i.e. forever. - -Solution is simple: Drop chip_bus_lock() before calling -synchronize_irq() as we do with the irq_desc lock. There is nothing to -be protected after the point where irq_desc lock has been released. - -This adds chip_bus_lock/unlock() to the remove_irq() code path, but -that's actually correct in the case where remove_irq() is called on -such an interrupt. The current users of remove_irq() are not affected -as none of those interrupts is on a chip which requires buslock. - -Reported-by: Fredrik Markström <fredrik.markstrom@gmail.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - kernel/irq/manage.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/kernel/irq/manage.c -+++ b/kernel/irq/manage.c -@@ -1181,6 +1181,7 @@ static struct irqaction *__free_irq(unsi - if (!desc) - return NULL; - -+ chip_bus_lock(desc); - raw_spin_lock_irqsave(&desc->lock, flags); - - /* -@@ -1194,7 +1195,7 @@ static struct irqaction *__free_irq(unsi - if (!action) { - WARN(1, "Trying to free already-free IRQ %d\n", irq); - raw_spin_unlock_irqrestore(&desc->lock, flags); -- -+ chip_bus_sync_unlock(desc); - return NULL; - } - -@@ -1223,6 +1224,7 @@ static struct irqaction *__free_irq(unsi - #endif - - raw_spin_unlock_irqrestore(&desc->lock, flags); -+ chip_bus_sync_unlock(desc); - - unregister_handler_proc(irq, action); - -@@ -1296,9 +1298,7 @@ void free_irq(unsigned int irq, void *de - desc->affinity_notify = NULL; - #endif - -- chip_bus_lock(desc); - kfree(__free_irq(irq, dev_id)); -- chip_bus_sync_unlock(desc); - } - EXPORT_SYMBOL(free_irq); - diff --git a/patches/hid-core-avoid-uninitialized-buffer-access.patch b/patches/hid-core-avoid-uninitialized-buffer-access.patch deleted file mode 100644 index efee385..0000000 --- a/patches/hid-core-avoid-uninitialized-buffer-access.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 79b568b9d0c7c5d81932f4486d50b38efdd6da6d Mon Sep 17 00:00:00 2001 -From: Richard Purdie <richard.purdie@linuxfoundation.org> -Date: Fri, 18 Sep 2015 16:31:33 -0700 -Subject: HID: core: Avoid uninitialized buffer access - -commit 79b568b9d0c7c5d81932f4486d50b38efdd6da6d upstream. - -hid_connect adds various strings to the buffer but they're all -conditional. You can find circumstances where nothing would be written -to it but the kernel will still print the supposedly empty buffer with -printk. This leads to corruption on the console/in the logs. - -Ensure buf is initialized to an empty string. - -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> -[dvhart: Initialize string to "" rather than assign buf[0] = NULL;] -Cc: Jiri Kosina <jikos@kernel.org> -Cc: linux-input@vger.kernel.org -Signed-off-by: Darren Hart <dvhart@linux.intel.com> -Signed-off-by: Jiri Kosina <jkosina@suse.cz> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/hid/hid-core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1301,7 +1301,7 @@ int hid_connect(struct hid_device *hdev, - "Multi-Axis Controller" - }; - const char *type, *bus; -- char buf[64]; -+ char buf[64] = ""; - unsigned int i; - int len; - int ret; diff --git a/patches/iio-lpc32xx_adc-fix-warnings-caused-by-enabling-unprepared-clock.patch b/patches/iio-lpc32xx_adc-fix-warnings-caused-by-enabling-unprepared-clock.patch deleted file mode 100644 index 1dcc6ce..0000000 --- a/patches/iio-lpc32xx_adc-fix-warnings-caused-by-enabling-unprepared-clock.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 01bb70ae0b98d266fa3e860482c7ce22fa482a6e Mon Sep 17 00:00:00 2001 -From: Vladimir Zapolskiy <vz@mleia.com> -Date: Sat, 17 Oct 2015 21:44:38 +0300 -Subject: iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock - -commit 01bb70ae0b98d266fa3e860482c7ce22fa482a6e upstream. - -If common clock framework is configured, the driver generates a warning, -which is fixed by this change: - - root@devkit3250:~# cat /sys/bus/iio/devices/iio\:device0/in_voltage0_raw - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 724 at drivers/clk/clk.c:727 clk_core_enable+0x2c/0xa4() - Modules linked in: sc16is7xx snd_soc_uda1380 - CPU: 0 PID: 724 Comm: cat Not tainted 4.3.0-rc2+ #198 - Hardware name: LPC32XX SoC (Flattened Device Tree) - Backtrace: - [<>] (dump_backtrace) from [<>] (show_stack+0x18/0x1c) - [<>] (show_stack) from [<>] (dump_stack+0x20/0x28) - [<>] (dump_stack) from [<>] (warn_slowpath_common+0x90/0xb8) - [<>] (warn_slowpath_common) from [<>] (warn_slowpath_null+0x24/0x2c) - [<>] (warn_slowpath_null) from [<>] (clk_core_enable+0x2c/0xa4) - [<>] (clk_core_enable) from [<>] (clk_enable+0x24/0x38) - [<>] (clk_enable) from [<>] (lpc32xx_read_raw+0x38/0x80) - [<>] (lpc32xx_read_raw) from [<>] (iio_read_channel_info+0x70/0x94) - [<>] (iio_read_channel_info) from [<>] (dev_attr_show+0x28/0x4c) - [<>] (dev_attr_show) from [<>] (sysfs_kf_seq_show+0x8c/0xf0) - [<>] (sysfs_kf_seq_show) from [<>] (kernfs_seq_show+0x2c/0x30) - [<>] (kernfs_seq_show) from [<>] (seq_read+0x1c8/0x440) - [<>] (seq_read) from [<>] (kernfs_fop_read+0x38/0x170) - [<>] (kernfs_fop_read) from [<>] (do_readv_writev+0x16c/0x238) - [<>] (do_readv_writev) from [<>] (vfs_readv+0x50/0x58) - [<>] (vfs_readv) from [<>] (default_file_splice_read+0x1a4/0x308) - [<>] (default_file_splice_read) from [<>] (do_splice_to+0x78/0x84) - [<>] (do_splice_to) from [<>] (splice_direct_to_actor+0xc8/0x1cc) - [<>] (splice_direct_to_actor) from [<>] (do_splice_direct+0xa0/0xb8) - [<>] (do_splice_direct) from [<>] (do_sendfile+0x1a8/0x30c) - [<>] (do_sendfile) from [<>] (SyS_sendfile64+0x104/0x10c) - [<>] (SyS_sendfile64) from [<>] (ret_fast_syscall+0x0/0x38) - -Signed-off-by: Vladimir Zapolskiy <vz@mleia.com> -Signed-off-by: Jonathan Cameron <jic23@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/staging/iio/adc/lpc32xx_adc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/staging/iio/adc/lpc32xx_adc.c -+++ b/drivers/staging/iio/adc/lpc32xx_adc.c -@@ -75,7 +75,7 @@ static int lpc32xx_read_raw(struct iio_d - - if (mask == 0) { - mutex_lock(&indio_dev->mlock); -- clk_enable(info->clk); -+ clk_prepare_enable(info->clk); - /* Measurement setup */ - __raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm, - LPC32XX_ADC_SELECT(info->adc_base)); -@@ -83,7 +83,7 @@ static int lpc32xx_read_raw(struct iio_d - __raw_writel(AD_PDN_CTRL | AD_STROBE, - LPC32XX_ADC_CTRL(info->adc_base)); - wait_for_completion(&info->completion); /* set by ISR */ -- clk_disable(info->clk); -+ clk_disable_unprepare(info->clk); - *val = info->value; - mutex_unlock(&indio_dev->mlock); - diff --git a/patches/iommu-vt-d-fix-atsr-handling-for-root-complex-integrated-endpoints.patch b/patches/iommu-vt-d-fix-atsr-handling-for-root-complex-integrated-endpoints.patch deleted file mode 100644 index e9d4b4e..0000000 --- a/patches/iommu-vt-d-fix-atsr-handling-for-root-complex-integrated-endpoints.patch +++ /dev/null @@ -1,54 +0,0 @@ -From d14053b3c714178525f22660e6aaf41263d00056 Mon Sep 17 00:00:00 2001 -From: David Woodhouse <David.Woodhouse@intel.com> -Date: Thu, 15 Oct 2015 09:28:06 +0100 -Subject: iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit d14053b3c714178525f22660e6aaf41263d00056 upstream. - -The VT-d specification says that "Software must enable ATS on endpoint -devices behind a Root Port only if the Root Port is reported as -supporting ATS transactions." - -We walk up the tree to find a Root Port, but for integrated devices we -don't find one — we get to the host bridge. In that case we *should* -allow ATS. Currently we don't, which means that we are incorrectly -failing to use ATS for the integrated graphics. Fix that. - -We should never break out of this loop "naturally" with bus==NULL, -since we'll always find bridge==NULL in that case (and now return 1). - -So remove the check for (!bridge) after the loop, since it can never -happen. If it did, it would be worthy of a BUG_ON(!bridge). But since -it'll oops anyway in that case, that'll do just as well. - -Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> -[lizf: Backported to 3.4: - - adjust context - - drop the last part of the changes of the patch] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/iommu/intel-iommu.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -3586,10 +3586,15 @@ found: - for (bus = dev->bus; bus; bus = bus->parent) { - struct pci_dev *bridge = bus->self; - -- if (!bridge || !pci_is_pcie(bridge) || -+ /* If it's an integrated device, allow ATS */ -+ if (!bridge) -+ return 1; -+ /* Connected via non-PCIe: no ATS */ -+ if (!pci_is_pcie(bridge) || - bridge->pcie_type == PCI_EXP_TYPE_PCI_BRIDGE) - return 0; - -+ /* If we found the root port, look it up in the ATSR */ - if (bridge->pcie_type == PCI_EXP_TYPE_ROOT_PORT) { - for (i = 0; i < atsru->devices_cnt; i++) - if (atsru->devices[i] == bridge) diff --git a/patches/ip6mr-call-del_timer_sync-in-ip6mr_free_table.patch b/patches/ip6mr-call-del_timer_sync-in-ip6mr_free_table.patch deleted file mode 100644 index e68903d..0000000 --- a/patches/ip6mr-call-del_timer_sync-in-ip6mr_free_table.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 7ba0c47c34a1ea5bc7a24ca67309996cce0569b5 Mon Sep 17 00:00:00 2001 -From: WANG Cong <xiyou.wangcong@gmail.com> -Date: Tue, 31 Mar 2015 11:01:47 -0700 -Subject: ip6mr: call del_timer_sync() in ip6mr_free_table() - -commit 7ba0c47c34a1ea5bc7a24ca67309996cce0569b5 upstream. - -We need to wait for the flying timers, since we -are going to free the mrtable right after it. - -Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv6/ip6mr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -333,7 +333,7 @@ static struct mr6_table *ip6mr_new_table - - static void ip6mr_free_table(struct mr6_table *mrt) - { -- del_timer(&mrt->ipmr_expire_timer); -+ del_timer_sync(&mrt->ipmr_expire_timer); - mroute_clean_tables(mrt); - kfree(mrt); - } diff --git a/patches/ipv6-addrlabel-fix-ip6addrlbl_get.patch b/patches/ipv6-addrlabel-fix-ip6addrlbl_get.patch deleted file mode 100644 index a9d061f..0000000 --- a/patches/ipv6-addrlabel-fix-ip6addrlbl_get.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e459dfeeb64008b2d23bdf600f03b3605dbb8152 Mon Sep 17 00:00:00 2001 -From: Andrey Ryabinin <aryabinin@virtuozzo.com> -Date: Mon, 21 Dec 2015 12:54:45 +0300 -Subject: ipv6/addrlabel: fix ip6addrlbl_get() - -commit e459dfeeb64008b2d23bdf600f03b3605dbb8152 upstream. - -ip6addrlbl_get() has never worked. If ip6addrlbl_hold() succeeded, -ip6addrlbl_get() will exit with '-ESRCH'. If ip6addrlbl_hold() failed, -ip6addrlbl_get() will use about to be free ip6addrlbl_entry pointer. - -Fix this by inverting ip6addrlbl_hold() check. - -Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") -Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> -Reviewed-by: Cong Wang <cwang@twopensource.com> -Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv6/addrlabel.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/ipv6/addrlabel.c -+++ b/net/ipv6/addrlabel.c -@@ -558,7 +558,7 @@ static int ip6addrlbl_get(struct sk_buff - - rcu_read_lock(); - p = __ipv6_addr_label(net, addr, ipv6_addr_type(addr), ifal->ifal_index); -- if (p && ip6addrlbl_hold(p)) -+ if (p && !ip6addrlbl_hold(p)) - p = NULL; - lseq = ip6addrlbl_table.seq; - rcu_read_unlock(); diff --git a/patches/ipv6-don-t-call-fib6_run_gc-until-routing-is-ready.patch b/patches/ipv6-don-t-call-fib6_run_gc-until-routing-is-ready.patch deleted file mode 100644 index 44e4915..0000000 --- a/patches/ipv6-don-t-call-fib6_run_gc-until-routing-is-ready.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 2c861cc65ef4604011a0082e4dcdba2819aa191a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz> -Date: Mon, 9 Sep 2013 21:45:04 +0200 -Subject: ipv6: don't call fib6_run_gc() until routing is ready - -commit 2c861cc65ef4604011a0082e4dcdba2819aa191a upstream. - -When loading the ipv6 module, ndisc_init() is called before -ip6_route_init(). As the former registers a handler calling -fib6_run_gc(), this opens a window to run the garbage collector -before necessary data structures are initialized. If a network -device is initialized in this window, adding MAC address to it -triggers a NETDEV_CHANGEADDR event, leading to a crash in -fib6_clean_all(). - -Take the event handler registration out of ndisc_init() into a -separate function ndisc_late_init() and move it after -ip6_route_init(). - -Signed-off-by: Michal Kubecek <mkubecek@suse.cz> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - include/net/ndisc.h | 2 ++ - net/ipv6/af_inet6.c | 6 ++++++ - net/ipv6/ndisc.c | 18 +++++++++++------- - 3 files changed, 19 insertions(+), 7 deletions(-) - ---- a/include/net/ndisc.h -+++ b/include/net/ndisc.h -@@ -117,7 +117,9 @@ static inline struct neighbour *__ipv6_n - } - - extern int ndisc_init(void); -+extern int ndisc_late_init(void); - -+extern void ndisc_late_cleanup(void); - extern void ndisc_cleanup(void); - - extern int ndisc_rcv(struct sk_buff *skb); ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -1161,6 +1161,9 @@ static int __init inet6_init(void) - err = ip6_route_init(); - if (err) - goto ip6_route_fail; -+ err = ndisc_late_init(); -+ if (err) -+ goto ndisc_late_fail; - err = ip6_flowlabel_init(); - if (err) - goto ip6_flowlabel_fail; -@@ -1221,6 +1224,8 @@ ipv6_exthdrs_fail: - addrconf_fail: - ip6_flowlabel_cleanup(); - ip6_flowlabel_fail: -+ ndisc_late_cleanup(); -+ndisc_late_fail: - ip6_route_cleanup(); - ip6_route_fail: - #ifdef CONFIG_PROC_FS -@@ -1288,6 +1293,7 @@ static void __exit inet6_exit(void) - ipv6_exthdrs_exit(); - addrconf_cleanup(); - ip6_flowlabel_cleanup(); -+ ndisc_late_cleanup(); - ip6_route_cleanup(); - #ifdef CONFIG_PROC_FS - ---- a/net/ipv6/ndisc.c -+++ b/net/ipv6/ndisc.c -@@ -1867,24 +1867,28 @@ int __init ndisc_init(void) - if (err) - goto out_unregister_pernet; - #endif -- err = register_netdevice_notifier(&ndisc_netdev_notifier); -- if (err) -- goto out_unregister_sysctl; - out: - return err; - --out_unregister_sysctl: - #ifdef CONFIG_SYSCTL -- neigh_sysctl_unregister(&nd_tbl.parms); - out_unregister_pernet: --#endif - unregister_pernet_subsys(&ndisc_net_ops); - goto out; -+#endif - } - --void ndisc_cleanup(void) -+int __init ndisc_late_init(void) -+{ -+ return register_netdevice_notifier(&ndisc_netdev_notifier); -+} -+ -+void ndisc_late_cleanup(void) - { - unregister_netdevice_notifier(&ndisc_netdev_notifier); -+} -+ -+void ndisc_cleanup(void) -+{ - #ifdef CONFIG_SYSCTL - neigh_sysctl_unregister(&nd_tbl.parms); - #endif diff --git a/patches/ipv6-fix-handling-of-blackhole-and-prohibit-routes.patch b/patches/ipv6-fix-handling-of-blackhole-and-prohibit-routes.patch deleted file mode 100644 index 2d011bd..0000000 --- a/patches/ipv6-fix-handling-of-blackhole-and-prohibit-routes.patch +++ /dev/null @@ -1,104 +0,0 @@ -From ef2c7d7b59708d54213c7556a82d14de9a7e4475 Mon Sep 17 00:00:00 2001 -From: Nicolas Dichtel <nicolas.dichtel@6wind.com> -Date: Wed, 5 Sep 2012 02:12:42 +0000 -Subject: ipv6: fix handling of blackhole and prohibit routes - -commit ef2c7d7b59708d54213c7556a82d14de9a7e4475 upstream. - -When adding a blackhole or a prohibit route, they were handling like classic -routes. Moreover, it was only possible to add this kind of routes by specifying -an interface. - -Bug already reported here: - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498498 - -Before the patch: - $ ip route add blackhole 2001::1/128 - RTNETLINK answers: No such device - $ ip route add blackhole 2001::1/128 dev eth0 - $ ip -6 route | grep 2001 - 2001::1 dev eth0 metric 1024 - -After: - $ ip route add blackhole 2001::1/128 - $ ip -6 route | grep 2001 - blackhole 2001::1 dev lo metric 1024 error -22 - -v2: wrong patch -v3: add a field fc_type in struct fib6_config to store RTN_* type - -Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - include/net/ip6_fib.h | 1 + - net/ipv6/route.c | 32 ++++++++++++++++++++++++++++---- - 2 files changed, 29 insertions(+), 4 deletions(-) - ---- a/include/net/ip6_fib.h -+++ b/include/net/ip6_fib.h -@@ -37,6 +37,7 @@ struct fib6_config { - int fc_ifindex; - u32 fc_flags; - u32 fc_protocol; -+ u32 fc_type; /* only 8 bits are used */ - - struct in6_addr fc_dst; - struct in6_addr fc_src; ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -1399,8 +1399,18 @@ int ip6_route_add(struct fib6_config *cf - } - rt->dst.output = ip6_pkt_discard_out; - rt->dst.input = ip6_pkt_discard; -- rt->dst.error = -ENETUNREACH; - rt->rt6i_flags = RTF_REJECT|RTF_NONEXTHOP; -+ switch (cfg->fc_type) { -+ case RTN_BLACKHOLE: -+ rt->dst.error = -EINVAL; -+ break; -+ case RTN_PROHIBIT: -+ rt->dst.error = -EACCES; -+ break; -+ default: -+ rt->dst.error = -ENETUNREACH; -+ break; -+ } - goto install_route; - } - -@@ -2343,8 +2353,11 @@ static int rtm_to_fib6_config(struct sk_ - cfg->fc_src_len = rtm->rtm_src_len; - cfg->fc_flags = RTF_UP; - cfg->fc_protocol = rtm->rtm_protocol; -+ cfg->fc_type = rtm->rtm_type; - -- if (rtm->rtm_type == RTN_UNREACHABLE) -+ if (rtm->rtm_type == RTN_UNREACHABLE || -+ rtm->rtm_type == RTN_BLACKHOLE || -+ rtm->rtm_type == RTN_PROHIBIT) - cfg->fc_flags |= RTF_REJECT; - - if (rtm->rtm_type == RTN_LOCAL) -@@ -2474,8 +2487,19 @@ static int rt6_fill_node(struct net *net - table = RT6_TABLE_UNSPEC; - rtm->rtm_table = table; - NLA_PUT_U32(skb, RTA_TABLE, table); -- if (rt->rt6i_flags & RTF_REJECT) -- rtm->rtm_type = RTN_UNREACHABLE; -+ if (rt->rt6i_flags & RTF_REJECT) { -+ switch (rt->dst.error) { -+ case -EINVAL: -+ rtm->rtm_type = RTN_BLACKHOLE; -+ break; -+ case -EACCES: -+ rtm->rtm_type = RTN_PROHIBIT; -+ break; -+ default: -+ rtm->rtm_type = RTN_UNREACHABLE; -+ break; -+ } -+ } - else if (rt->rt6i_flags & RTF_LOCAL) - rtm->rtm_type = RTN_LOCAL; - else if (rt->dst.dev && (rt->dst.dev->flags & IFF_LOOPBACK)) diff --git a/patches/ipv6-fix-tunnel-error-handling.patch b/patches/ipv6-fix-tunnel-error-handling.patch deleted file mode 100644 index ad96b65..0000000 --- a/patches/ipv6-fix-tunnel-error-handling.patch +++ /dev/null @@ -1,49 +0,0 @@ -From ebac62fe3d24c0ce22dd83afa7b07d1a2aaef44d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz> -Date: Tue, 3 Nov 2015 08:51:07 +0100 -Subject: ipv6: fix tunnel error handling - -commit ebac62fe3d24c0ce22dd83afa7b07d1a2aaef44d upstream. - -Both tunnel6_protocol and tunnel46_protocol share the same error -handler, tunnel6_err(), which traverses through tunnel6_handlers list. -For ipip6 tunnels, we need to traverse tunnel46_handlers as we do e.g. -in tunnel46_rcv(). Current code can generate an ICMPv6 error message -with an IPv4 packet embedded in it. - -Fixes: 73d605d1abbd ("[IPSEC]: changing API of xfrm6_tunnel_register") -Signed-off-by: Michal Kubecek <mkubecek@suse.cz> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv6/tunnel6.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - ---- a/net/ipv6/tunnel6.c -+++ b/net/ipv6/tunnel6.c -@@ -145,6 +145,16 @@ static void tunnel6_err(struct sk_buff * - break; - } - -+static void tunnel46_err(struct sk_buff *skb, struct inet6_skb_parm *opt, -+ u8 type, u8 code, int offset, __be32 info) -+{ -+ struct xfrm6_tunnel *handler; -+ -+ for_each_tunnel_rcu(tunnel46_handlers, handler) -+ if (!handler->err_handler(skb, opt, type, code, offset, info)) -+ break; -+} -+ - static const struct inet6_protocol tunnel6_protocol = { - .handler = tunnel6_rcv, - .err_handler = tunnel6_err, -@@ -153,7 +163,7 @@ static const struct inet6_protocol tunne - - static const struct inet6_protocol tunnel46_protocol = { - .handler = tunnel46_rcv, -- .err_handler = tunnel6_err, -+ .err_handler = tunnel46_err, - .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL, - }; - diff --git a/patches/ipv6-update-ip6_rt_last_gc-every-time-gc-is-run.patch b/patches/ipv6-update-ip6_rt_last_gc-every-time-gc-is-run.patch deleted file mode 100644 index feb89dc..0000000 --- a/patches/ipv6-update-ip6_rt_last_gc-every-time-gc-is-run.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 49a18d86f66d33a20144ecb5a34bba0d1856b260 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz> -Date: Thu, 1 Aug 2013 10:04:24 +0200 -Subject: ipv6: update ip6_rt_last_gc every time GC is run - -commit 49a18d86f66d33a20144ecb5a34bba0d1856b260 upstream. - -As pointed out by Eric Dumazet, net->ipv6.ip6_rt_last_gc should -hold the last time garbage collector was run so that we should -update it whenever fib6_run_gc() calls fib6_clean_all(), not only -if we got there from ip6_dst_gc(). - -Signed-off-by: Michal Kubecek <mkubecek@suse.cz> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv6/ip6_fib.c | 6 +++++- - net/ipv6/route.c | 4 +--- - 2 files changed, 6 insertions(+), 4 deletions(-) - ---- a/net/ipv6/ip6_fib.c -+++ b/net/ipv6/ip6_fib.c -@@ -1595,6 +1595,8 @@ static DEFINE_SPINLOCK(fib6_gc_lock); - - void fib6_run_gc(unsigned long expires, struct net *net, bool force) - { -+ unsigned long now; -+ - if (force) { - spin_lock_bh(&fib6_gc_lock); - } else if (!spin_trylock_bh(&fib6_gc_lock)) { -@@ -1607,10 +1609,12 @@ void fib6_run_gc(unsigned long expires, - gc_args.more = icmp6_dst_gc(); - - fib6_clean_all(net, fib6_age, 0, NULL); -+ now = jiffies; -+ net->ipv6.ip6_rt_last_gc = now; - - if (gc_args.more) - mod_timer(&net->ipv6.ip6_fib_timer, -- round_jiffies(jiffies -+ round_jiffies(now - + net->ipv6.sysctl.ip6_rt_gc_interval)); - else - del_timer(&net->ipv6.ip6_fib_timer); ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -1230,7 +1230,6 @@ static void icmp6_clean_all(int (*func)( - - static int ip6_dst_gc(struct dst_ops *ops) - { -- unsigned long now = jiffies; - struct net *net = container_of(ops, struct net, ipv6.ip6_dst_ops); - int rt_min_interval = net->ipv6.sysctl.ip6_rt_gc_min_interval; - int rt_max_size = net->ipv6.sysctl.ip6_rt_max_size; -@@ -1240,13 +1239,12 @@ static int ip6_dst_gc(struct dst_ops *op - int entries; - - entries = dst_entries_get_fast(ops); -- if (time_after(rt_last_gc + rt_min_interval, now) && -+ if (time_after(rt_last_gc + rt_min_interval, jiffies) && - entries <= rt_max_size) - goto out; - - net->ipv6.ip6_rt_gc_expire++; - fib6_run_gc(net->ipv6.ip6_rt_gc_expire, net, entries > rt_max_size); -- net->ipv6.ip6_rt_last_gc = now; - entries = dst_entries_get_slow(ops); - if (entries < ops->gc_thresh) - net->ipv6.ip6_rt_gc_expire = rt_gc_timeout>>1; diff --git a/patches/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch b/patches/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch deleted file mode 100644 index bcb089a..0000000 --- a/patches/jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch +++ /dev/null @@ -1,59 +0,0 @@ -From bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 Mon Sep 17 00:00:00 2001 -From: Jan Kara <jack@suse.cz> -Date: Tue, 24 Nov 2015 15:34:35 -0500 -Subject: jbd2: Fix unreclaimed pages after truncate in data=journal mode - -commit bc23f0c8d7ccd8d924c4e70ce311288cb3e61ea8 upstream. - -Ted and Namjae have reported that truncated pages don't get timely -reclaimed after being truncated in data=journal mode. The following test -triggers the issue easily: - -for (i = 0; i < 1000; i++) { - pwrite(fd, buf, 1024*1024, 0); - fsync(fd); - fsync(fd); - ftruncate(fd, 0); -} - -The reason is that journal_unmap_buffer() finds that truncated buffers -are not journalled (jh->b_transaction == NULL), they are part of -checkpoint list of a transaction (jh->b_cp_transaction != NULL) and have -been already written out (!buffer_dirty(bh)). We clean such buffers but -we leave them in the checkpoint list. Since checkpoint transaction holds -a reference to the journal head, these buffers cannot be released until -the checkpoint transaction is cleaned up. And at that point we don't -call release_buffer_page() anymore so pages detached from mapping are -lingering in the system waiting for reclaim to find them and free them. - -Fix the problem by removing buffers from transaction checkpoint lists -when journal_unmap_buffer() finds out they don't have to be there -anymore. - -Reported-and-tested-by: Namjae Jeon <namjae.jeon@samsung.com> -Fixes: de1b794130b130e77ffa975bb58cb843744f9ae5 -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/jbd2/transaction.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/fs/jbd2/transaction.c -+++ b/fs/jbd2/transaction.c -@@ -1904,6 +1904,7 @@ static int journal_unmap_buffer(journal_ - - if (!buffer_dirty(bh)) { - /* bdflush has written it. We can drop it now */ -+ __jbd2_journal_remove_checkpoint(jh); - goto zap_buffer; - } - -@@ -1941,6 +1942,7 @@ static int journal_unmap_buffer(journal_ - /* The orphan record's transaction has - * committed. We can cleanse this buffer */ - clear_buffer_jbddirty(bh); -+ __jbd2_journal_remove_checkpoint(jh); - goto zap_buffer; - } - } diff --git a/patches/keys-fix-race-between-read-and-revoke.patch b/patches/keys-fix-race-between-read-and-revoke.patch deleted file mode 100644 index 6157f75..0000000 --- a/patches/keys-fix-race-between-read-and-revoke.patch +++ /dev/null @@ -1,112 +0,0 @@ -From b4a1b4f5047e4f54e194681125c74c0aa64d637d Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 18 Dec 2015 01:34:26 +0000 -Subject: KEYS: Fix race between read and revoke - -commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream. - -This fixes CVE-2015-7550. - -There's a race between keyctl_read() and keyctl_revoke(). If the revoke -happens between keyctl_read() checking the validity of a key and the key's -semaphore being taken, then the key type read method will see a revoked key. - -This causes a problem for the user-defined key type because it assumes in -its read method that there will always be a payload in a non-revoked key -and doesn't check for a NULL pointer. - -Fix this by making keyctl_read() check the validity of a key after taking -semaphore instead of before. - -I think the bug was introduced with the original keyrings code. - -This was discovered by a multithreaded test program generated by syzkaller -(http://github.com/google/syzkaller). Here's a cleaned up version: - - #include <sys/types.h> - #include <keyutils.h> - #include <pthread.h> - void *thr0(void *arg) - { - key_serial_t key = (unsigned long)arg; - keyctl_revoke(key); - return 0; - } - void *thr1(void *arg) - { - key_serial_t key = (unsigned long)arg; - char buffer[16]; - keyctl_read(key, buffer, 16); - return 0; - } - int main() - { - key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); - pthread_t th[5]; - pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); - pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); - pthread_join(th[0], 0); - pthread_join(th[1], 0); - pthread_join(th[2], 0); - pthread_join(th[3], 0); - return 0; - } - -Build as: - - cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread - -Run as: - - while keyctl-race; do :; done - -as it may need several iterations to crash the kernel. The crash can be -summarised as: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 - IP: [<ffffffff81279b08>] user_read+0x56/0xa3 - ... - Call Trace: - [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7 - [<ffffffff81277815>] SyS_keyctl+0x83/0xe0 - [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: David Howells <dhowells@redhat.com> -Tested-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: James Morris <james.l.morris@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - security/keys/keyctl.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -702,16 +702,16 @@ long keyctl_read_key(key_serial_t keyid, - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: diff --git a/patches/mac-validate-mac_partition-is-within-sector.patch b/patches/mac-validate-mac_partition-is-within-sector.patch deleted file mode 100644 index a70f1d6..0000000 --- a/patches/mac-validate-mac_partition-is-within-sector.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 02e2a5bfebe99edcf9d694575a75032d53fe1b73 Mon Sep 17 00:00:00 2001 -From: Kees Cook <keescook@chromium.org> -Date: Thu, 19 Nov 2015 17:18:54 -0800 -Subject: mac: validate mac_partition is within sector - -commit 02e2a5bfebe99edcf9d694575a75032d53fe1b73 upstream. - -If md->signature == MAC_DRIVER_MAGIC and md->block_size == 1023, a single -512 byte sector would be read (secsize / 512). However the partition -structure would be located past the end of the buffer (secsize % 512). - -Signed-off-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Jens Axboe <axboe@fb.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - block/partitions/mac.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/block/partitions/mac.c -+++ b/block/partitions/mac.c -@@ -32,7 +32,7 @@ int mac_partition(struct parsed_partitio - Sector sect; - unsigned char *data; - int slot, blocks_in_map; -- unsigned secsize; -+ unsigned secsize, datasize, partoffset; - #ifdef CONFIG_PPC_PMAC - int found_root = 0; - int found_root_goodness = 0; -@@ -50,10 +50,14 @@ int mac_partition(struct parsed_partitio - } - secsize = be16_to_cpu(md->block_size); - put_dev_sector(sect); -- data = read_part_sector(state, secsize/512, §); -+ datasize = round_down(secsize, 512); -+ data = read_part_sector(state, datasize / 512, §); - if (!data) - return -1; -- part = (struct mac_partition *) (data + secsize%512); -+ partoffset = secsize % 512; -+ if (partoffset + sizeof(*part) > datasize) -+ return -1; -+ part = (struct mac_partition *) (data + partoffset); - if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { - put_dev_sector(sect); - return 0; /* not a MacOS disk */ diff --git a/patches/mac80211-fix-driver-rssi-event-calculations.patch b/patches/mac80211-fix-driver-rssi-event-calculations.patch deleted file mode 100644 index d74db08..0000000 --- a/patches/mac80211-fix-driver-rssi-event-calculations.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 8ec6d97871f37e4743678ea4a455bd59580aa0f4 Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Fri, 28 Aug 2015 10:52:53 +0200 -Subject: mac80211: fix driver RSSI event calculations - -commit 8ec6d97871f37e4743678ea4a455bd59580aa0f4 upstream. - -The ifmgd->ave_beacon_signal value cannot be taken as is for -comparisons, it must be divided by since it's represented -like that for better accuracy of the EWMA calculations. This -would lead to invalid driver RSSI events. Fix the used value. - -Fixes: 615f7b9bb1f8 ("mac80211: add driver RSSI threshold events") -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/mac80211/mlme.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -2384,7 +2384,7 @@ static void ieee80211_rx_mgmt_beacon(str - - if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold && - ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) { -- int sig = ifmgd->ave_beacon_signal; -+ int sig = ifmgd->ave_beacon_signal / 16; - int last_sig = ifmgd->last_ave_beacon_signal; - - /* diff --git a/patches/mac80211-mesh-fix-call_rcu-usage.patch b/patches/mac80211-mesh-fix-call_rcu-usage.patch deleted file mode 100644 index 403bdde..0000000 --- a/patches/mac80211-mesh-fix-call_rcu-usage.patch +++ /dev/null @@ -1,64 +0,0 @@ -From c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Tue, 17 Nov 2015 14:25:21 +0100 -Subject: mac80211: mesh: fix call_rcu() usage - -commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream. - -When using call_rcu(), the called function may be delayed quite -significantly, and without a matching rcu_barrier() there's no -way to be sure it has finished. -Therefore, global state that could be gone/freed/reused should -never be touched in the callback. - -Fix this in mesh by moving the atomic_dec() into the caller; -that's not really a problem since we already unlinked the path -and it will be destroyed anyway. - -This fixes a crash Jouni observed when running certain tests in -a certain order, in which the mesh interface was torn down, the -memory reused for a function pointer (work struct) and running -that then crashed since the pointer had been decremented by 1, -resulting in an invalid instruction byte stream. - -Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation") -Reported-by: Jouni Malinen <j@w1.fi> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/mac80211/mesh_pathtbl.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/net/mac80211/mesh_pathtbl.c -+++ b/net/mac80211/mesh_pathtbl.c -@@ -757,10 +757,8 @@ void mesh_plink_broken(struct sta_info * - static void mesh_path_node_reclaim(struct rcu_head *rp) - { - struct mpath_node *node = container_of(rp, struct mpath_node, rcu); -- struct ieee80211_sub_if_data *sdata = node->mpath->sdata; - - del_timer_sync(&node->mpath->timer); -- atomic_dec(&sdata->u.mesh.mpaths); - kfree(node->mpath); - kfree(node); - } -@@ -768,8 +766,9 @@ static void mesh_path_node_reclaim(struc - /* needs to be called with the corresponding hashwlock taken */ - static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) - { -- struct mesh_path *mpath; -- mpath = node->mpath; -+ struct mesh_path *mpath = node->mpath; -+ struct ieee80211_sub_if_data *sdata = node->mpath->sdata; -+ - spin_lock(&mpath->state_lock); - mpath->flags |= MESH_PATH_RESOLVING; - if (mpath->is_gate) -@@ -777,6 +776,7 @@ static void __mesh_path_del(struct mesh_ - hlist_del_rcu(&node->list); - call_rcu(&node->rcu, mesh_path_node_reclaim); - spin_unlock(&mpath->state_lock); -+ atomic_dec(&sdata->u.mesh.mpaths); - atomic_dec(&tbl->entries); - } - diff --git a/patches/macvlan-fix-leak-in-macvlan_handle_frame.patch b/patches/macvlan-fix-leak-in-macvlan_handle_frame.patch deleted file mode 100644 index 1788ab4..0000000 --- a/patches/macvlan-fix-leak-in-macvlan_handle_frame.patch +++ /dev/null @@ -1,36 +0,0 @@ -From e639b8d8a7a728f0b05ef2df6cb6b45dc3d4e556 Mon Sep 17 00:00:00 2001 -From: Sabrina Dubroca <sd@queasysnail.net> -Date: Mon, 16 Nov 2015 22:54:20 +0100 -Subject: macvlan: fix leak in macvlan_handle_frame - -commit e639b8d8a7a728f0b05ef2df6cb6b45dc3d4e556 upstream. - -Reset pskb in macvlan_handle_frame in case skb_share_check returned a -clone. - -Fixes: 8a4eb5734e8d ("net: introduce rx_handler results and logic around that") -Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/macvlan.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/net/macvlan.c -+++ b/drivers/net/macvlan.c -@@ -173,6 +173,7 @@ static rx_handler_result_t macvlan_handl - skb = ip_check_defrag(skb, IP_DEFRAG_MACVLAN); - if (!skb) - return RX_HANDLER_CONSUMED; -+ *pskb = skb; - eth = eth_hdr(skb); - src = macvlan_hash_lookup(port, eth->h_source); - if (!src) -@@ -222,6 +223,7 @@ static rx_handler_result_t macvlan_handl - if (!skb) - goto out; - -+ *pskb = skb; - skb->dev = dev; - skb->pkt_type = PACKET_HOST; - diff --git a/patches/megaraid_sas-do-not-use-page_size-for-max_sectors.patch b/patches/megaraid_sas-do-not-use-page_size-for-max_sectors.patch deleted file mode 100644 index a7e3db2..0000000 --- a/patches/megaraid_sas-do-not-use-page_size-for-max_sectors.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 357ae967ad66e357f78b5cfb5ab6ca07fb4a7758 Mon Sep 17 00:00:00 2001 -From: "sumit.saxena@avagotech.com" <sumit.saxena@avagotech.com> -Date: Thu, 15 Oct 2015 13:40:04 +0530 -Subject: megaraid_sas: Do not use PAGE_SIZE for max_sectors - -commit 357ae967ad66e357f78b5cfb5ab6ca07fb4a7758 upstream. - -Do not use PAGE_SIZE marco to calculate max_sectors per I/O -request. Driver code assumes PAGE_SIZE will be always 4096 which can -lead to wrongly calculated value if PAGE_SIZE is not 4096. This issue -was reported in Ubuntu Bugzilla Bug #1475166. - -Signed-off-by: Sumit Saxena <sumit.saxena@avagotech.com> -Signed-off-by: Kashyap Desai <kashyap.desai@avagotech.com> -Reviewed-by: Tomas Henzl <thenzl@redhat.com> -Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/scsi/megaraid/megaraid_sas.h | 2 ++ - drivers/scsi/megaraid/megaraid_sas_base.c | 2 +- - 2 files changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/megaraid/megaraid_sas.h -+++ b/drivers/scsi/megaraid/megaraid_sas.h -@@ -300,6 +300,8 @@ enum MR_EVT_ARGS { - MR_EVT_ARGS_GENERIC, - }; - -+ -+#define SGE_BUFFER_SIZE 4096 - /* - * define constants for device list query options - */ ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -3582,7 +3582,7 @@ static int megasas_init_fw(struct megasa - } - - instance->max_sectors_per_req = instance->max_num_sge * -- PAGE_SIZE / 512; -+ SGE_BUFFER_SIZE / 512; - if (tmp_sectors && (instance->max_sectors_per_req > tmp_sectors)) - instance->max_sectors_per_req = tmp_sectors; - diff --git a/patches/megaraid_sas-smap-restriction-do-not-access-user-memory-from-ioctl-code.patch b/patches/megaraid_sas-smap-restriction-do-not-access-user-memory-from-ioctl-code.patch deleted file mode 100644 index a3b02ae..0000000 --- a/patches/megaraid_sas-smap-restriction-do-not-access-user-memory-from-ioctl-code.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 323c4a02c631d00851d8edc4213c4d184ef83647 Mon Sep 17 00:00:00 2001 -From: "sumit.saxena@avagotech.com" <sumit.saxena@avagotech.com> -Date: Thu, 15 Oct 2015 13:40:54 +0530 -Subject: megaraid_sas : SMAP restriction--do not access user memory from IOCTL - code - -commit 323c4a02c631d00851d8edc4213c4d184ef83647 upstream. - -This is an issue on SMAP enabled CPUs and 32 bit apps running on 64 bit -OS. Do not access user memory from kernel code. The SMAP bit restricts -accessing user memory from kernel code. - -Signed-off-by: Sumit Saxena <sumit.saxena@avagotech.com> -Signed-off-by: Kashyap Desai <kashyap.desai@avagotech.com> -Reviewed-by: Tomas Henzl <thenzl@redhat.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/scsi/megaraid/megaraid_sas_base.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -5014,6 +5014,9 @@ static int megasas_mgmt_compat_ioctl_fw( - int i; - int error = 0; - compat_uptr_t ptr; -+ unsigned long local_raw_ptr; -+ u32 local_sense_off; -+ u32 local_sense_len; - - if (clear_user(ioc, sizeof(*ioc))) - return -EFAULT; -@@ -5031,9 +5034,15 @@ static int megasas_mgmt_compat_ioctl_fw( - * sense_len is not null, so prepare the 64bit value under - * the same condition. - */ -- if (ioc->sense_len) { -+ if (get_user(local_raw_ptr, ioc->frame.raw) || -+ get_user(local_sense_off, &ioc->sense_off) || -+ get_user(local_sense_len, &ioc->sense_len)) -+ return -EFAULT; -+ -+ -+ if (local_sense_len) { - void __user **sense_ioc_ptr = -- (void __user **)(ioc->frame.raw + ioc->sense_off); -+ (void __user **)((u8*)local_raw_ptr + local_sense_off); - compat_uptr_t *sense_cioc_ptr = - (compat_uptr_t *)(cioc->frame.raw + cioc->sense_off); - if (get_user(ptr, sense_cioc_ptr) || diff --git a/patches/mips-atomic-fix-comment-describing-atomic64_add_unless-s-return-value.patch b/patches/mips-atomic-fix-comment-describing-atomic64_add_unless-s-return-value.patch deleted file mode 100644 index 5ba9454..0000000 --- a/patches/mips-atomic-fix-comment-describing-atomic64_add_unless-s-return-value.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f25319d2cb439249a6859f53ad42ffa332b0acba Mon Sep 17 00:00:00 2001 -From: Ralf Baechle <ralf@linux-mips.org> -Date: Fri, 16 Oct 2015 23:09:57 +0200 -Subject: MIPS: atomic: Fix comment describing atomic64_add_unless's return - value. - -commit f25319d2cb439249a6859f53ad42ffa332b0acba upstream. - -Signed-off-by: Ralf Baechle <ralf@linux-mips.org> -Fixes: f24219b4e90cf70ec4a211b17fbabc725a0ddf3c -(cherry picked from commit f0a232cde7be18a207fd057dd79bbac8a0a45dec) -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - arch/mips/include/asm/atomic.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/mips/include/asm/atomic.h -+++ b/arch/mips/include/asm/atomic.h -@@ -679,7 +679,7 @@ static __inline__ long atomic64_sub_if_p - * @u: ...unless v is equal to u. - * - * Atomically adds @a to @v, so long as it was not @u. -- * Returns the old value of @v. -+ * Returns true iff @v was not @u. - */ - static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) - { diff --git a/patches/misdn-fix-a-loop-count.patch b/patches/misdn-fix-a-loop-count.patch deleted file mode 100644 index af3f6b0..0000000 --- a/patches/misdn-fix-a-loop-count.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 40d24c4d8a7430aa4dfd7a665fa3faf3b05b673f Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Tue, 15 Dec 2015 13:07:52 +0300 -Subject: mISDN: fix a loop count - -commit 40d24c4d8a7430aa4dfd7a665fa3faf3b05b673f upstream. - -There are two issue here. -1) cnt starts as maxloop + 1 so all these loops iterate one more time - than intended. -2) At the end of the loop we test for "if (maxloop && !cnt)" but for - the first two loops, we end with cnt equal to -1. Changing this to - a pre-op means we end with cnt set to 0. - -Fixes: cae86d4a4e56 ('mISDN: Add driver for Infineon ISDN chipset family') -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/isdn/hardware/mISDN/mISDNipac.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/drivers/isdn/hardware/mISDN/mISDNipac.c -+++ b/drivers/isdn/hardware/mISDN/mISDNipac.c -@@ -1156,7 +1156,7 @@ mISDNipac_irq(struct ipac_hw *ipac, int - - if (ipac->type & IPAC_TYPE_IPACX) { - ista = ReadIPAC(ipac, ISACX_ISTA); -- while (ista && cnt--) { -+ while (ista && --cnt) { - pr_debug("%s: ISTA %02x\n", ipac->name, ista); - if (ista & IPACX__ICA) - ipac_irq(&ipac->hscx[0], ista); -@@ -1168,7 +1168,7 @@ mISDNipac_irq(struct ipac_hw *ipac, int - } - } else if (ipac->type & IPAC_TYPE_IPAC) { - ista = ReadIPAC(ipac, IPAC_ISTA); -- while (ista && cnt--) { -+ while (ista && --cnt) { - pr_debug("%s: ISTA %02x\n", ipac->name, ista); - if (ista & (IPAC__ICD | IPAC__EXD)) { - istad = ReadISAC(isac, ISAC_ISTA); -@@ -1186,7 +1186,7 @@ mISDNipac_irq(struct ipac_hw *ipac, int - ista = ReadIPAC(ipac, IPAC_ISTA); - } - } else if (ipac->type & IPAC_TYPE_HSCX) { -- while (cnt) { -+ while (--cnt) { - ista = ReadIPAC(ipac, IPAC_ISTAB + ipac->hscx[1].off); - pr_debug("%s: B2 ISTA %02x\n", ipac->name, ista); - if (ista) -@@ -1197,7 +1197,6 @@ mISDNipac_irq(struct ipac_hw *ipac, int - mISDNisac_irq(isac, istad); - if (0 == (ista | istad)) - break; -- cnt--; - } - } - if (cnt > maxloop) /* only for ISAC/HSCX without PCI IRQ test */ diff --git a/patches/mm-hugetlb-call-huge_pte_alloc-only-if-ptep-is-null.patch b/patches/mm-hugetlb-call-huge_pte_alloc-only-if-ptep-is-null.patch deleted file mode 100644 index 7d68207..0000000 --- a/patches/mm-hugetlb-call-huge_pte_alloc-only-if-ptep-is-null.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 0d777df5d8953293be090d9ab5a355db893e8357 Mon Sep 17 00:00:00 2001 -From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> -Date: Fri, 11 Dec 2015 13:40:49 -0800 -Subject: mm: hugetlb: call huge_pte_alloc() only if ptep is null - -commit 0d777df5d8953293be090d9ab5a355db893e8357 upstream. - -Currently at the beginning of hugetlb_fault(), we call huge_pte_offset() -and check whether the obtained *ptep is a migration/hwpoison entry or -not. And if not, then we get to call huge_pte_alloc(). This is racy -because the *ptep could turn into migration/hwpoison entry after the -huge_pte_offset() check. This race results in BUG_ON in -huge_pte_alloc(). - -We don't have to call huge_pte_alloc() when the huge_pte_offset() -returns non-NULL, so let's fix this bug with moving the code into else -block. - -Note that the *ptep could turn into a migration/hwpoison entry after -this block, but that's not a problem because we have another -!pte_present check later (we never go into hugetlb_no_page() in that -case.) - -Fixes: 290408d4a250 ("hugetlb: hugepage migration core") -Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> -Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com> -Acked-by: David Rientjes <rientjes@google.com> -Cc: Hugh Dickins <hughd@google.com> -Cc: Dave Hansen <dave.hansen@intel.com> -Cc: Mel Gorman <mgorman@suse.de> -Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> -Cc: Mike Kravetz <mike.kravetz@oracle.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - mm/hugetlb.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/mm/hugetlb.c -+++ b/mm/hugetlb.c -@@ -2835,12 +2835,12 @@ int hugetlb_fault(struct mm_struct *mm, - } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry))) - return VM_FAULT_HWPOISON_LARGE | - VM_FAULT_SET_HINDEX(h - hstates); -+ } else { -+ ptep = huge_pte_alloc(mm, address, huge_page_size(h)); -+ if (!ptep) -+ return VM_FAULT_OOM; - } - -- ptep = huge_pte_alloc(mm, address, huge_page_size(h)); -- if (!ptep) -- return VM_FAULT_OOM; -- - /* - * Serialize hugepage allocation and instantiation, so that we don't - * get spurious allocation failures if two CPUs race to instantiate diff --git a/patches/mm-memory_hotplug.c-check-for-missing-sections-in-test_pages_in_a_zone.patch b/patches/mm-memory_hotplug.c-check-for-missing-sections-in-test_pages_in_a_zone.patch deleted file mode 100644 index f606307..0000000 --- a/patches/mm-memory_hotplug.c-check-for-missing-sections-in-test_pages_in_a_zone.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 5f0f2887f4de9508dcf438deab28f1de8070c271 Mon Sep 17 00:00:00 2001 -From: Andrew Banman <abanman@sgi.com> -Date: Tue, 29 Dec 2015 14:54:25 -0800 -Subject: mm/memory_hotplug.c: check for missing sections in - test_pages_in_a_zone() - -commit 5f0f2887f4de9508dcf438deab28f1de8070c271 upstream. - -test_pages_in_a_zone() does not account for the possibility of missing -sections in the given pfn range. pfn_valid_within always returns 1 when -CONFIG_HOLES_IN_ZONE is not set, allowing invalid pfns from missing -sections to pass the test, leading to a kernel oops. - -Wrap an additional pfn loop with PAGES_PER_SECTION granularity to check -for missing sections before proceeding into the zone-check code. - -This also prevents a crash from offlining memory devices with missing -sections. Despite this, it may be a good idea to keep the related patch -'[PATCH 3/3] drivers: memory: prohibit offlining of memory blocks with -missing sections' because missing sections in a memory block may lead to -other problems not covered by the scope of this fix. - -Signed-off-by: Andrew Banman <abanman@sgi.com> -Acked-by: Alex Thorlton <athorlton@sgi.com> -Cc: Russ Anderson <rja@sgi.com> -Cc: Alex Thorlton <athorlton@sgi.com> -Cc: Yinghai Lu <yinghai@kernel.org> -Cc: Greg KH <greg@kroah.com> -Cc: Seth Jennings <sjennings@variantweb.net> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - mm/memory_hotplug.c | 31 +++++++++++++++++++------------ - 1 file changed, 19 insertions(+), 12 deletions(-) - ---- a/mm/memory_hotplug.c -+++ b/mm/memory_hotplug.c -@@ -716,23 +716,30 @@ int is_mem_section_removable(unsigned lo - */ - static int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn) - { -- unsigned long pfn; -+ unsigned long pfn, sec_end_pfn; - struct zone *zone = NULL; - struct page *page; - int i; -- for (pfn = start_pfn; -+ for (pfn = start_pfn, sec_end_pfn = SECTION_ALIGN_UP(start_pfn); - pfn < end_pfn; -- pfn += MAX_ORDER_NR_PAGES) { -- i = 0; -- /* This is just a CONFIG_HOLES_IN_ZONE check.*/ -- while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i)) -- i++; -- if (i == MAX_ORDER_NR_PAGES) -+ pfn = sec_end_pfn + 1, sec_end_pfn += PAGES_PER_SECTION) { -+ /* Make sure the memory section is present first */ -+ if (!present_section_nr(pfn_to_section_nr(pfn))) - continue; -- page = pfn_to_page(pfn + i); -- if (zone && page_zone(page) != zone) -- return 0; -- zone = page_zone(page); -+ for (; pfn < sec_end_pfn && pfn < end_pfn; -+ pfn += MAX_ORDER_NR_PAGES) { -+ i = 0; -+ /* This is just a CONFIG_HOLES_IN_ZONE check.*/ -+ while ((i < MAX_ORDER_NR_PAGES) && -+ !pfn_valid_within(pfn + i)) -+ i++; -+ if (i == MAX_ORDER_NR_PAGES) -+ continue; -+ page = pfn_to_page(pfn + i); -+ if (zone && page_zone(page) != zone) -+ return 0; -+ zone = page_zone(page); -+ } - } - return 1; - } diff --git a/patches/mm-remove-gup_flags-foll_write-games-from-__get_user_pages.patch b/patches/mm-remove-gup_flags-foll_write-games-from-__get_user_pages.patch deleted file mode 100644 index 859c53a..0000000 --- a/patches/mm-remove-gup_flags-foll_write-games-from-__get_user_pages.patch +++ /dev/null @@ -1,140 +0,0 @@ -From: Michal Hocko <mhocko@suse.com> -Date: Sun, 16 Oct 2016 11:55:00 +0200 -Subject: mm, gup: close FOLL MAP_PRIVATE race - -commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. - -faultin_page drops FOLL_WRITE after the page fault handler did the CoW -and then we retry follow_page_mask to get our CoWed page. This is racy, -however because the page might have been unmapped by that time and so -we would have to do a page fault again, this time without CoW. This -would cause the page cache corruption for FOLL_FORCE on MAP_PRIVATE -read only mappings with obvious consequences. - -This is an ancient bug that was actually already fixed once by Linus -eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race -for write access") but that was then undone due to problems on s390 -by commit f33ea7f404e5 ("fix get_user_pages bug") because s390 didn't -have proper dirty pte tracking until abf09bed3cce ("s390/mm: implement -software dirty bits"). This wasn't a problem at the time as pointed out -by Hugh Dickins because madvise relied on mmap_sem for write up until -0a27a14a6292 ("mm: madvise avoid exclusive mmap_sem") but since then we -can race with madvise which can unmap the fresh COWed page or with KSM -and corrupt the content of the shared page. - -This patch is based on the Linus' approach to not clear FOLL_WRITE after -the CoW page fault (aka VM_FAULT_WRITE) but instead introduces FOLL_COW -to note this fact. The flag is then rechecked during follow_pfn_pte to -enforce the page fault again if we do not see the CoWed page. Linus was -suggesting to check pte_dirty again as s390 is OK now. But that would -make backporting to some old kernels harder. So instead let's just make -sure that vm_normal_page sees a pure anonymous page. - -This would guarantee we are seeing a real CoW page. Introduce -can_follow_write_pte which checks both pte_write and falls back to -PageAnon on forced write faults which passed CoW already. Thanks to Hugh -to point out that a special care has to be taken for KSM pages because -our COWed page might have been merged with a KSM one and keep its -PageAnon flag. - -Fixes: 0a27a14a6292 ("mm: madvise avoid exclusive mmap_sem") -Reported-by: Phil "not Paul" Oester <kernel@linuxace.com> -Disclosed-by: Andy Lutomirski <luto@kernel.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Michal Hocko <mhocko@suse.com> -[bwh: Backported to 3.2: - - Adjust filename, context, indentation - - The 'no_page' exit path in follow_page() is different, so open-code the - cleanup - - Delete a now-unused label] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - include/linux/mm.h | 1 + - mm/memory.c | 39 ++++++++++++++++++++++++++++----------- - 2 files changed, 29 insertions(+), 11 deletions(-) - ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1525,6 +1525,7 @@ struct page *follow_page(struct vm_area_ - #define FOLL_MLOCK 0x40 /* mark page as mlocked */ - #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */ - #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */ -+#define FOLL_COW 0x4000 /* internal GUP flag */ - - typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, - void *data); ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -1447,6 +1447,24 @@ int zap_vma_ptes(struct vm_area_struct * - } - EXPORT_SYMBOL_GPL(zap_vma_ptes); - -+static inline bool can_follow_write_pte(pte_t pte, struct page *page, -+ unsigned int flags) -+{ -+ if (pte_write(pte)) -+ return true; -+ -+ /* -+ * Make sure that we are really following CoWed page. We do not really -+ * have to care about exclusiveness of the page because we only want -+ * to ensure that once COWed page hasn't disappeared in the meantime -+ * or it hasn't been merged to a KSM page. -+ */ -+ if ((flags & FOLL_FORCE) && (flags & FOLL_COW)) -+ return page && PageAnon(page) && !PageKsm(page); -+ -+ return false; -+} -+ - /** - * follow_page - look up a page descriptor from a user-virtual address - * @vma: vm_area_struct mapping @address -@@ -1529,10 +1547,13 @@ split_fallthrough: - pte = *ptep; - if (!pte_present(pte)) - goto no_page; -- if ((flags & FOLL_WRITE) && !pte_write(pte)) -- goto unlock; - - page = vm_normal_page(vma, address, pte); -+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) { -+ pte_unmap_unlock(ptep, ptl); -+ return NULL; -+ } -+ - if (unlikely(!page)) { - if ((flags & FOLL_DUMP) || - !is_zero_pfn(pte_pfn(pte))) -@@ -1575,7 +1596,7 @@ split_fallthrough: - unlock_page(page); - } - } --unlock: -+ - pte_unmap_unlock(ptep, ptl); - out: - return page; -@@ -1809,17 +1830,13 @@ int __get_user_pages(struct task_struct - * The VM_FAULT_WRITE bit tells us that - * do_wp_page has broken COW when necessary, - * even if maybe_mkwrite decided not to set -- * pte_write. We can thus safely do subsequent -- * page lookups as if they were reads. But only -- * do so when looping for pte_write is futile: -- * in some cases userspace may also be wanting -- * to write to the gotten user page, which a -- * read fault here might prevent (a readonly -- * page might get reCOWed by userspace write). -+ * pte_write. We cannot simply drop FOLL_WRITE -+ * here because the COWed page might be gone by -+ * the time we do the subsequent page lookups. - */ - if ((ret & VM_FAULT_WRITE) && - !(vma->vm_flags & VM_WRITE)) -- foll_flags &= ~FOLL_WRITE; -+ foll_flags |= FOLL_COW; - - cond_resched(); - } diff --git a/patches/mm-vmstat-allow-wq-concurrency-to-discover-memory-reclaim-doesn-t-make-any-progress.patch b/patches/mm-vmstat-allow-wq-concurrency-to-discover-memory-reclaim-doesn-t-make-any-progress.patch deleted file mode 100644 index d6c4561..0000000 --- a/patches/mm-vmstat-allow-wq-concurrency-to-discover-memory-reclaim-doesn-t-make-any-progress.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 373ccbe5927034b55bdc80b0f8b54d6e13fe8d12 Mon Sep 17 00:00:00 2001 -From: Michal Hocko <mhocko@suse.com> -Date: Fri, 11 Dec 2015 13:40:32 -0800 -Subject: mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't - make any progress - -commit 373ccbe5927034b55bdc80b0f8b54d6e13fe8d12 upstream. - -Tetsuo Handa has reported that the system might basically livelock in -OOM condition without triggering the OOM killer. - -The issue is caused by internal dependency of the direct reclaim on -vmstat counter updates (via zone_reclaimable) which are performed from -the workqueue context. If all the current workers get assigned to an -allocation request, though, they will be looping inside the allocator -trying to reclaim memory but zone_reclaimable can see stalled numbers so -it will consider a zone reclaimable even though it has been scanned way -too much. WQ concurrency logic will not consider this situation as a -congested workqueue because it relies that worker would have to sleep in -such a situation. This also means that it doesn't try to spawn new -workers or invoke the rescuer thread if the one is assigned to the -queue. - -In order to fix this issue we need to do two things. First we have to -let wq concurrency code know that we are in trouble so we have to do a -short sleep. In order to prevent from issues handled by 0e093d99763e -("writeback: do not sleep on the congestion queue if there are no -congested BDIs or if significant congestion is not being encountered in -the current zone") we limit the sleep only to worker threads which are -the ones of the interest anyway. - -The second thing to do is to create a dedicated workqueue for vmstat and -mark it WQ_MEM_RECLAIM to note it participates in the reclaim and to -have a spare worker thread for it. - -Signed-off-by: Michal Hocko <mhocko@suse.com> -Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -Cc: Tejun Heo <tj@kernel.org> -Cc: Cristopher Lameter <clameter@sgi.com> -Cc: Joonsoo Kim <js1304@gmail.com> -Cc: Arkadiusz Miskiewicz <arekm@maven.pl> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - mm/backing-dev.c | 19 ++++++++++++++++--- - mm/vmstat.c | 6 ++++-- - 2 files changed, 20 insertions(+), 5 deletions(-) - ---- a/mm/backing-dev.c -+++ b/mm/backing-dev.c -@@ -843,8 +843,9 @@ EXPORT_SYMBOL(congestion_wait); - * jiffies for either a BDI to exit congestion of the given @sync queue - * or a write to complete. - * -- * In the absence of zone congestion, cond_resched() is called to yield -- * the processor if necessary but otherwise does not sleep. -+ * In the absence of zone congestion, a short sleep or a cond_resched is -+ * performed to yield the processor and to allow other subsystems to make -+ * a forward progress. - * - * The return value is 0 if the sleep is for the full timeout. Otherwise, - * it is the number of jiffies that were still remaining when the function -@@ -864,7 +865,19 @@ long wait_iff_congested(struct zone *zon - */ - if (atomic_read(&nr_bdi_congested[sync]) == 0 || - !zone_is_reclaim_congested(zone)) { -- cond_resched(); -+ -+ /* -+ * Memory allocation/reclaim might be called from a WQ -+ * context and the current implementation of the WQ -+ * concurrency control doesn't recognize that a particular -+ * WQ is congested if the worker thread is looping without -+ * ever sleeping. Therefore we have to do a short sleep -+ * here rather than calling cond_resched(). -+ */ -+ if (current->flags & PF_WQ_WORKER) -+ schedule_timeout(1); -+ else -+ cond_resched(); - - /* In case we scheduled, work out time remaining */ - ret = timeout - (jiffies - start); ---- a/mm/vmstat.c -+++ b/mm/vmstat.c -@@ -1139,13 +1139,14 @@ static const struct file_operations proc - #endif /* CONFIG_PROC_FS */ - - #ifdef CONFIG_SMP -+static struct workqueue_struct *vmstat_wq; - static DEFINE_PER_CPU(struct delayed_work, vmstat_work); - int sysctl_stat_interval __read_mostly = HZ; - - static void vmstat_update(struct work_struct *w) - { - refresh_cpu_vm_stats(smp_processor_id()); -- schedule_delayed_work(&__get_cpu_var(vmstat_work), -+ queue_delayed_work(vmstat_wq, &__get_cpu_var(vmstat_work), - round_jiffies_relative(sysctl_stat_interval)); - } - -@@ -1154,7 +1155,7 @@ static void __cpuinit start_cpu_timer(in - struct delayed_work *work = &per_cpu(vmstat_work, cpu); - - INIT_DELAYED_WORK_DEFERRABLE(work, vmstat_update); -- schedule_delayed_work_on(cpu, work, __round_jiffies_relative(HZ, cpu)); -+ queue_delayed_work_on(cpu, vmstat_wq, work, __round_jiffies_relative(HZ, cpu)); - } - - /* -@@ -1204,6 +1205,7 @@ static int __init setup_vmstat(void) - - register_cpu_notifier(&vmstat_notifier); - -+ vmstat_wq = alloc_workqueue("vmstat", WQ_FREEZABLE|WQ_MEM_RECLAIM, 0); - for_each_online_cpu(cpu) - start_cpu_timer(cpu); - #endif diff --git a/patches/mm-vmstat-fix-wrong-wq-sleep-when-memory-reclaim-doesn-t-make-any-progress.patch b/patches/mm-vmstat-fix-wrong-wq-sleep-when-memory-reclaim-doesn-t-make-any-progress.patch deleted file mode 100644 index 007059f..0000000 --- a/patches/mm-vmstat-fix-wrong-wq-sleep-when-memory-reclaim-doesn-t-make-any-progress.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 564e81a57f9788b1475127012e0fd44e9049e342 Mon Sep 17 00:00:00 2001 -From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> -Date: Fri, 5 Feb 2016 15:36:30 -0800 -Subject: mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any - progress - -commit 564e81a57f9788b1475127012e0fd44e9049e342 upstream. - -Jan Stancek has reported that system occasionally hanging after "oom01" -testcase from LTP triggers OOM. Guessing from a result that there is a -kworker thread doing memory allocation and the values between "Node 0 -Normal free:" and "Node 0 Normal:" differs when hanging, vmstat is not -up-to-date for some reason. - -According to commit 373ccbe59270 ("mm, vmstat: allow WQ concurrency to -discover memory reclaim doesn't make any progress"), it meant to force -the kworker thread to take a short sleep, but it by error used -schedule_timeout(1). We missed that schedule_timeout() in state -TASK_RUNNING doesn't do anything. - -Fix it by using schedule_timeout_uninterruptible(1) which forces the -kworker thread to take a short sleep in order to make sure that vmstat -is up-to-date. - -Fixes: 373ccbe59270 ("mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress") -Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -Reported-by: Jan Stancek <jstancek@redhat.com> -Acked-by: Michal Hocko <mhocko@suse.com> -Cc: Tejun Heo <tj@kernel.org> -Cc: Cristopher Lameter <clameter@sgi.com> -Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> -Cc: Arkadiusz Miskiewicz <arekm@maven.pl> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - mm/backing-dev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/mm/backing-dev.c -+++ b/mm/backing-dev.c -@@ -875,7 +875,7 @@ long wait_iff_congested(struct zone *zon - * here rather than calling cond_resched(). - */ - if (current->flags & PF_WQ_WORKER) -- schedule_timeout(1); -+ schedule_timeout_uninterruptible(1); - else - cond_resched(); - diff --git a/patches/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch b/patches/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch deleted file mode 100644 index 5a35bf6..0000000 --- a/patches/mtd-mtdpart-fix-add_mtd_partitions-error-path.patch +++ /dev/null @@ -1,33 +0,0 @@ -From e5bae86797141e4a95e42d825f737cb36d7b8c37 Mon Sep 17 00:00:00 2001 -From: Boris BREZILLON <boris.brezillon@free-electrons.com> -Date: Thu, 30 Jul 2015 12:18:03 +0200 -Subject: mtd: mtdpart: fix add_mtd_partitions error path - -commit e5bae86797141e4a95e42d825f737cb36d7b8c37 upstream. - -If we fail to allocate a partition structure in the middle of the partition -creation process, the already allocated partitions are never removed, which -means they are still present in the partition list and their resources are -never freed. - -Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com> -Signed-off-by: Brian Norris <computersforpeace@gmail.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/mtd/mtdpart.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/mtd/mtdpart.c -+++ b/drivers/mtd/mtdpart.c -@@ -632,8 +632,10 @@ int add_mtd_partitions(struct mtd_info * - - for (i = 0; i < nbparts; i++) { - slave = allocate_partition(master, parts + i, i, cur_offset); -- if (IS_ERR(slave)) -+ if (IS_ERR(slave)) { -+ del_mtd_partitions(master); - return PTR_ERR(slave); -+ } - - mutex_lock(&mtd_partitions_mutex); - list_add(&slave->list, &mtd_partitions); diff --git a/patches/mwifiex-fix-mwifiex_rdeeprom_read.patch b/patches/mwifiex-fix-mwifiex_rdeeprom_read.patch deleted file mode 100644 index b5183f6..0000000 --- a/patches/mwifiex-fix-mwifiex_rdeeprom_read.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Mon, 21 Sep 2015 19:19:53 +0300 -Subject: mwifiex: fix mwifiex_rdeeprom_read() - -commit 1f9c6e1bc1ba5f8a10fcd6e99d170954d7c6d382 upstream. - -There were several bugs here. - -1) The done label was in the wrong place so we didn't copy any - information out when there was no command given. - -2) We were using PAGE_SIZE as the size of the buffer instead of - "PAGE_SIZE - pos". - -3) snprintf() returns the number of characters that would have been - printed if there were enough space. If there was not enough space - (and we had fixed the memory corruption bug #2) then it would result - in an information leak when we do simple_read_from_buffer(). I've - changed it to use scnprintf() instead. - -I also removed the initialization at the start of the function, because -I thought it made the code a little more clear. - -Fixes: 5e6e3a92b9a4 ('wireless: mwifiex: initial commit for Marvell mwifiex driver') -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Acked-by: Amitkumar Karwar <akarwar@marvell.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/wireless/mwifiex/debugfs.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - ---- a/drivers/net/wireless/mwifiex/debugfs.c -+++ b/drivers/net/wireless/mwifiex/debugfs.c -@@ -621,7 +621,7 @@ mwifiex_rdeeprom_read(struct file *file, - (struct mwifiex_private *) file->private_data; - unsigned long addr = get_zeroed_page(GFP_KERNEL); - char *buf = (char *) addr; -- int pos = 0, ret = 0, i; -+ int pos, ret, i; - u8 value[MAX_EEPROM_DATA]; - - if (!buf) -@@ -629,7 +629,7 @@ mwifiex_rdeeprom_read(struct file *file, - - if (saved_offset == -1) { - /* No command has been given */ -- pos += snprintf(buf, PAGE_SIZE, "0"); -+ pos = snprintf(buf, PAGE_SIZE, "0"); - goto done; - } - -@@ -638,17 +638,17 @@ mwifiex_rdeeprom_read(struct file *file, - (u16) saved_bytes, value); - if (ret) { - ret = -EINVAL; -- goto done; -+ goto out_free; - } - -- pos += snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); -+ pos = snprintf(buf, PAGE_SIZE, "%d %d ", saved_offset, saved_bytes); - - for (i = 0; i < saved_bytes; i++) -- pos += snprintf(buf + strlen(buf), PAGE_SIZE, "%d ", value[i]); -- -- ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); -+ pos += scnprintf(buf + pos, PAGE_SIZE - pos, "%d ", value[i]); - - done: -+ ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos); -+out_free: - free_page(addr); - return ret; - } diff --git a/patches/net-core-revert-net-fix-__netdev_update_features-return.-and-add-comment.patch b/patches/net-core-revert-net-fix-__netdev_update_features-return.-and-add-comment.patch deleted file mode 100644 index 524a541..0000000 --- a/patches/net-core-revert-net-fix-__netdev_update_features-return.-and-add-comment.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 17b85d29e82cc3c874a497a8bc5764d6a2b043e2 Mon Sep 17 00:00:00 2001 -From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Date: Tue, 17 Nov 2015 15:49:06 +0100 -Subject: net/core: revert "net: fix __netdev_update_features return.." and add - comment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 17b85d29e82cc3c874a497a8bc5764d6a2b043e2 upstream. - -This reverts commit 00ee59271777 ("net: fix __netdev_update_features return -on ndo_set_features failure") -and adds a comment explaining why it's okay to return a value other than -0 upon error. Some drivers might actually change flags and return an -error so it's better to fire a spurious notification rather than miss -these. - -CC: MichaÅ‚ MirosÅ‚aw <mirq-linux@rere.qmqm.pl> -Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/core/dev.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -5368,7 +5368,10 @@ int __netdev_update_features(struct net_ - netdev_err(dev, - "set_features() failed (%d); wanted %pNF, left %pNF\n", - err, &features, &dev->features); -- return 0; -+ /* return non-0 since some features might have changed and -+ * it's better to fire a spurious notification than miss it -+ */ -+ return -1; - } - - if (!err) diff --git a/patches/net-fix-__netdev_update_features-return-on-ndo_set_features-failure.patch b/patches/net-fix-__netdev_update_features-return-on-ndo_set_features-failure.patch deleted file mode 100644 index 5c68c76..0000000 --- a/patches/net-fix-__netdev_update_features-return-on-ndo_set_features-failure.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 00ee5927177792a6e139d50b6b7564d35705556a Mon Sep 17 00:00:00 2001 -From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Date: Fri, 13 Nov 2015 15:20:24 +0100 -Subject: net: fix __netdev_update_features return on ndo_set_features failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 00ee5927177792a6e139d50b6b7564d35705556a upstream. - -If ndo_set_features fails __netdev_update_features() will return -1 but -this is wrong because it is expected to return 0 if no features were -changed (see netdev_update_features()), which will cause a netdev -notifier to be called without any actual changes. Fix this by returning -0 if ndo_set_features fails. - -Fixes: 6cb6a27c45ce ("net: Call netdev_features_change() from netdev_update_features()") -CC: MichaÅ‚ MirosÅ‚aw <mirq-linux@rere.qmqm.pl> -Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/core/dev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -5368,7 +5368,7 @@ int __netdev_update_features(struct net_ - netdev_err(dev, - "set_features() failed (%d); wanted %pNF, left %pNF\n", - err, &features, &dev->features); -- return -1; -+ return 0; - } - - if (!err) diff --git a/patches/net-fix-a-race-in-dst_release.patch b/patches/net-fix-a-race-in-dst_release.patch deleted file mode 100644 index 5269469..0000000 --- a/patches/net-fix-a-race-in-dst_release.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d69bbf88c8d0b367cf3e3a052f6daadf630ee566 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 9 Nov 2015 17:51:23 -0800 -Subject: net: fix a race in dst_release() - -commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 upstream. - -Only cpu seeing dst refcount going to 0 can safely -dereference dst->flags. - -Otherwise an other cpu might already have freed the dst. - -Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst") -Reported-by: Greg Thelen <gthelen@google.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/core/dst.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/core/dst.c -+++ b/net/core/dst.c -@@ -272,7 +272,7 @@ void dst_release(struct dst_entry *dst) - - newrefcnt = atomic_dec_return(&dst->__refcnt); - WARN_ON(newrefcnt < 0); -- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) { -+ if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) { - dst = dst_destroy(dst); - if (dst) - __dst_free(dst); diff --git a/patches/net-fix-skb-csum-races-when-peeking.patch b/patches/net-fix-skb-csum-races-when-peeking.patch deleted file mode 100644 index 357da94..0000000 --- a/patches/net-fix-skb-csum-races-when-peeking.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Herbert Xu <herbert@gondor.apana.org.au> -Date: Mon, 13 Jul 2015 20:01:42 +0800 -Subject: net: Fix skb csum races when peeking - -[ Upstream commit 89c22d8c3b278212eef6a8cc66b570bc840a6f5a ] - -When we calculate the checksum on the recv path, we store the -result in the skb as an optimisation in case we need the checksum -again down the line. - -This is in fact bogus for the MSG_PEEK case as this is done without -any locking. So multiple threads can peek and then store the result -to the same skb, potentially resulting in bogus skb states. - -This patch fixes this by only storing the result if the skb is not -shared. This preserves the optimisations for the few cases where -it can be done safely due to locking or other reasons, e.g., SIOCINQ. - -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/core/datagram.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/core/datagram.c -+++ b/net/core/datagram.c -@@ -695,7 +695,8 @@ __sum16 __skb_checksum_complete_head(str - if (likely(!sum)) { - if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE)) - netdev_rx_csum_fault(skb->dev); -- skb->ip_summed = CHECKSUM_UNNECESSARY; -+ if (!skb_shared(skb)) -+ skb->ip_summed = CHECKSUM_UNNECESSARY; - } - return sum; - } diff --git a/patches/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch b/patches/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch deleted file mode 100644 index 93a5c65..0000000 --- a/patches/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 34b88a68f26a75e4fded796f1a49c40f82234b7d Mon Sep 17 00:00:00 2001 -From: Arnaldo Carvalho de Melo <acme@redhat.com> -Date: Mon, 14 Mar 2016 09:56:35 -0300 -Subject: net: Fix use after free in the recvmmsg exit path - -commit 34b88a68f26a75e4fded796f1a49c40f82234b7d upstream. - -The syzkaller fuzzer hit the following use-after-free: - - Call Trace: - [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295 - [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261 - [< inline >] SYSC_recvmmsg net/socket.c:2281 - [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270 - [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a - arch/x86/entry/entry_64.S:185 - -And, as Dmitry rightly assessed, that is because we can drop the -reference and then touch it when the underlying recvmsg calls return -some packets and then hit an error, which will make recvmmsg to set -sock->sk->sk_err, oops, fix it. - -Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com> -Cc: Alexander Potapenko <glider@google.com> -Cc: Eric Dumazet <edumazet@google.com> -Cc: Kostya Serebryany <kcc@google.com> -Cc: Sasha Levin <sasha.levin@oracle.com> -Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall") -http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com -Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/socket.c | 38 +++++++++++++++++++------------------- - 1 file changed, 19 insertions(+), 19 deletions(-) - ---- a/net/socket.c -+++ b/net/socket.c -@@ -2332,31 +2332,31 @@ int __sys_recvmmsg(int fd, struct mmsghd - break; - } - --out_put: -- fput_light(sock->file, fput_needed); -- - if (err == 0) -- return datagrams; -+ goto out_put; -+ -+ if (datagrams == 0) { -+ datagrams = err; -+ goto out_put; -+ } - -- if (datagrams != 0) { -+ /* -+ * We may return less entries than requested (vlen) if the -+ * sock is non block and there aren't enough datagrams... -+ */ -+ if (err != -EAGAIN) { - /* -- * We may return less entries than requested (vlen) if the -- * sock is non block and there aren't enough datagrams... -+ * ... or if recvmsg returns an error after we -+ * received some datagrams, where we record the -+ * error to return on the next call or if the -+ * app asks about it using getsockopt(SO_ERROR). - */ -- if (err != -EAGAIN) { -- /* -- * ... or if recvmsg returns an error after we -- * received some datagrams, where we record the -- * error to return on the next call or if the -- * app asks about it using getsockopt(SO_ERROR). -- */ -- sock->sk->sk_err = -err; -- } -- -- return datagrams; -+ sock->sk->sk_err = -err; - } -+out_put: -+ fput_light(sock->file, fput_needed); - -- return err; -+ return datagrams; - } - - SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, diff --git a/patches/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch b/patches/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch deleted file mode 100644 index 907fa71..0000000 --- a/patches/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 4c6980462f32b4f282c5d8e5f7ea8070e2937725 Mon Sep 17 00:00:00 2001 -From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Date: Fri, 20 Nov 2015 13:54:20 +0100 -Subject: net: ip6mr: fix static mfc/dev leaks on table destruction - -commit 4c6980462f32b4f282c5d8e5f7ea8070e2937725 upstream. - -Similar to ipv4, when destroying an mrt table the static mfc entries and -the static devices are kept, which leads to devices that can never be -destroyed (because of refcnt taken) and leaked memory. Make sure that -everything is cleaned up on netns destruction. - -Fixes: 8229efdaef1e ("netns: ip6mr: enable namespace support in ipv6 multicast forwarding code") -CC: Benjamin Thery <benjamin.thery@bull.net> -Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Reviewed-by: Cong Wang <cwang@twopensource.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv6/ip6mr.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -117,7 +117,7 @@ static int __ip6mr_fill_mroute(struct mr - struct mfc6_cache *c, struct rtmsg *rtm); - static int ip6mr_rtm_dumproute(struct sk_buff *skb, - struct netlink_callback *cb); --static void mroute_clean_tables(struct mr6_table *mrt); -+static void mroute_clean_tables(struct mr6_table *mrt, bool all); - static void ipmr_expire_process(unsigned long arg); - - #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES -@@ -334,7 +334,7 @@ static struct mr6_table *ip6mr_new_table - static void ip6mr_free_table(struct mr6_table *mrt) - { - del_timer_sync(&mrt->ipmr_expire_timer); -- mroute_clean_tables(mrt); -+ mroute_clean_tables(mrt, true); - kfree(mrt); - } - -@@ -1472,7 +1472,7 @@ static int ip6mr_mfc_add(struct net *net - * Close the multicast socket, and clear the vif tables etc - */ - --static void mroute_clean_tables(struct mr6_table *mrt) -+static void mroute_clean_tables(struct mr6_table *mrt, bool all) - { - int i; - LIST_HEAD(list); -@@ -1482,8 +1482,9 @@ static void mroute_clean_tables(struct m - * Shut down all active vif entries - */ - for (i = 0; i < mrt->maxvif; i++) { -- if (!(mrt->vif6_table[i].flags & VIFF_STATIC)) -- mif6_delete(mrt, i, &list); -+ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC)) -+ continue; -+ mif6_delete(mrt, i, &list); - } - unregister_netdevice_many(&list); - -@@ -1492,7 +1493,7 @@ static void mroute_clean_tables(struct m - */ - for (i = 0; i < MFC6_LINES; i++) { - list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) { -- if (c->mfc_flags & MFC_STATIC) -+ if (!all && (c->mfc_flags & MFC_STATIC)) - continue; - write_lock_bh(&mrt_lock); - list_del(&c->list); -@@ -1546,7 +1547,7 @@ int ip6mr_sk_done(struct sock *sk) - net->ipv6.devconf_all->mc_forwarding--; - write_unlock_bh(&mrt_lock); - -- mroute_clean_tables(mrt); -+ mroute_clean_tables(mrt, false); - err = 0; - break; - } diff --git a/patches/net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch b/patches/net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch deleted file mode 100644 index f43d875..0000000 --- a/patches/net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 6adc5fd6a142c6e2c80574c1db0c7c17dedaa42e Mon Sep 17 00:00:00 2001 -From: Konstantin Khlebnikov <koct9i@gmail.com> -Date: Tue, 1 Dec 2015 01:14:48 +0300 -Subject: net/neighbour: fix crash at dumping device-agnostic proxy entries - -commit 6adc5fd6a142c6e2c80574c1db0c7c17dedaa42e upstream. - -Proxy entries could have null pointer to net-device. - -Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com> -Fixes: 84920c1420e2 ("net: Allow ipv6 proxies and arp proxies be shown with iproute2") -Signed-off-by: David S. Miller <davem@davemloft.net> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/core/neighbour.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/core/neighbour.c -+++ b/net/core/neighbour.c -@@ -2186,7 +2186,7 @@ static int pneigh_fill_info(struct sk_bu - ndm->ndm_pad2 = 0; - ndm->ndm_flags = pn->flags | NTF_PROXY; - ndm->ndm_type = NDA_DST; -- ndm->ndm_ifindex = pn->dev->ifindex; -+ ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0; - ndm->ndm_state = NUD_NONE; - - NLA_PUT(skb, NDA_DST, tbl->key_len, pn->key); -@@ -2259,7 +2259,7 @@ static int pneigh_dump_table(struct neig - if (h > s_h) - s_idx = 0; - for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) { -- if (dev_net(n->dev) != net) -+ if (pneigh_net(n) != net) - continue; - if (idx < s_idx) - goto next; diff --git a/patches/net-possible-use-after-free-in-dst_release.patch b/patches/net-possible-use-after-free-in-dst_release.patch deleted file mode 100644 index 6d96343..0000000 --- a/patches/net-possible-use-after-free-in-dst_release.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 07a5d38453599052aff0877b16bb9c1585f08609 Mon Sep 17 00:00:00 2001 -From: Francesco Ruggeri <fruggeri@aristanetworks.com> -Date: Wed, 6 Jan 2016 00:18:48 -0800 -Subject: net: possible use after free in dst_release - -commit 07a5d38453599052aff0877b16bb9c1585f08609 upstream. - -dst_release should not access dst->flags after decrementing -__refcnt to 0. The dst_entry may be in dst_busy_list and -dst_gc_task may dst_destroy it before dst_release gets a chance -to access dst->flags. - -Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()") -Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst") -Signed-off-by: Francesco Ruggeri <fruggeri@arista.com> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/core/dst.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/core/dst.c -+++ b/net/core/dst.c -@@ -269,10 +269,11 @@ void dst_release(struct dst_entry *dst) - { - if (dst) { - int newrefcnt; -+ unsigned short nocache = dst->flags & DST_NOCACHE; - - newrefcnt = atomic_dec_return(&dst->__refcnt); - WARN_ON(newrefcnt < 0); -- if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) { -+ if (!newrefcnt && unlikely(nocache)) { - dst = dst_destroy(dst); - if (dst) - __dst_free(dst); diff --git a/patches/nfs-if-we-have-no-valid-attrs-then-don-t-declare-the-attribute-cache-valid.patch b/patches/nfs-if-we-have-no-valid-attrs-then-don-t-declare-the-attribute-cache-valid.patch deleted file mode 100644 index db176ae..0000000 --- a/patches/nfs-if-we-have-no-valid-attrs-then-don-t-declare-the-attribute-cache-valid.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c812012f9ca7cf89c9e1a1cd512e6c3b5be04b85 Mon Sep 17 00:00:00 2001 -From: Jeff Layton <jlayton@poochiereds.net> -Date: Wed, 25 Nov 2015 13:50:11 -0500 -Subject: nfs: if we have no valid attrs, then don't declare the attribute - cache valid - -commit c812012f9ca7cf89c9e1a1cd512e6c3b5be04b85 upstream. - -If we pass in an empty nfs_fattr struct to nfs_update_inode, it will -(correctly) not update any of the attributes, but it then clears the -NFS_INO_INVALID_ATTR flag, which indicates that the attributes are -up to date. Don't clear the flag if the fattr struct has no valid -attrs to apply. - -Reviewed-by: Steve French <steve.french@primarydata.com> -Signed-off-by: Jeff Layton <jeff.layton@primarydata.com> -Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/nfs/inode.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/fs/nfs/inode.c -+++ b/fs/nfs/inode.c -@@ -1458,7 +1458,11 @@ static int nfs_update_inode(struct inode - nfsi->attrtimeo_timestamp = now; - } - } -- invalid &= ~NFS_INO_INVALID_ATTR; -+ -+ /* Don't declare attrcache up to date if there were no attrs! */ -+ if (fattr->valid != 0) -+ invalid &= ~NFS_INO_INVALID_ATTR; -+ - /* Don't invalidate the data if we were to blame */ - if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) - || S_ISLNK(inode->i_mode))) diff --git a/patches/ocfs2-fix-bug-when-calculate-new-backup-super.patch b/patches/ocfs2-fix-bug-when-calculate-new-backup-super.patch deleted file mode 100644 index 19884d0..0000000 --- a/patches/ocfs2-fix-bug-when-calculate-new-backup-super.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 5c9ee4cbf2a945271f25b89b137f2c03bbc3be33 Mon Sep 17 00:00:00 2001 -From: Joseph Qi <joseph.qi@huawei.com> -Date: Tue, 29 Dec 2015 14:54:06 -0800 -Subject: ocfs2: fix BUG when calculate new backup super - -commit 5c9ee4cbf2a945271f25b89b137f2c03bbc3be33 upstream. - -When resizing, it firstly extends the last gd. Once it should backup -super in the gd, it calculates new backup super and update the -corresponding value. - -But it currently doesn't consider the situation that the backup super is -already done. And in this case, it still sets the bit in gd bitmap and -then decrease from bg_free_bits_count, which leads to a corrupted gd and -trigger the BUG in ocfs2_block_group_set_bits: - - BUG_ON(le16_to_cpu(bg->bg_free_bits_count) < num_bits); - -So check whether the backup super is done and then do the updates. - -Signed-off-by: Joseph Qi <joseph.qi@huawei.com> -Reviewed-by: Jiufei Xue <xuejiufei@huawei.com> -Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com> -Cc: Mark Fasheh <mfasheh@suse.de> -Cc: Joel Becker <jlbec@evilplan.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/ocfs2/resize.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - ---- a/fs/ocfs2/resize.c -+++ b/fs/ocfs2/resize.c -@@ -56,11 +56,12 @@ static u16 ocfs2_calc_new_backup_super(s - int new_clusters, - u32 first_new_cluster, - u16 cl_cpg, -+ u16 old_bg_clusters, - int set) - { - int i; - u16 backups = 0; -- u32 cluster; -+ u32 cluster, lgd_cluster; - u64 blkno, gd_blkno, lgd_blkno = le64_to_cpu(gd->bg_blkno); - - for (i = 0; i < OCFS2_MAX_BACKUP_SUPERBLOCKS; i++) { -@@ -73,6 +74,12 @@ static u16 ocfs2_calc_new_backup_super(s - else if (gd_blkno > lgd_blkno) - break; - -+ /* check if already done backup super */ -+ lgd_cluster = ocfs2_blocks_to_clusters(inode->i_sb, lgd_blkno); -+ lgd_cluster += old_bg_clusters; -+ if (lgd_cluster >= cluster) -+ continue; -+ - if (set) - ocfs2_set_bit(cluster % cl_cpg, - (unsigned long *)gd->bg_bitmap); -@@ -101,6 +108,7 @@ static int ocfs2_update_last_group_and_i - u16 chain, num_bits, backups = 0; - u16 cl_bpc = le16_to_cpu(cl->cl_bpc); - u16 cl_cpg = le16_to_cpu(cl->cl_cpg); -+ u16 old_bg_clusters; - - trace_ocfs2_update_last_group_and_inode(new_clusters, - first_new_cluster); -@@ -114,6 +122,7 @@ static int ocfs2_update_last_group_and_i - - group = (struct ocfs2_group_desc *)group_bh->b_data; - -+ old_bg_clusters = le16_to_cpu(group->bg_bits) / cl_bpc; - /* update the group first. */ - num_bits = new_clusters * cl_bpc; - le16_add_cpu(&group->bg_bits, num_bits); -@@ -129,7 +138,7 @@ static int ocfs2_update_last_group_and_i - group, - new_clusters, - first_new_cluster, -- cl_cpg, 1); -+ cl_cpg, old_bg_clusters, 1); - le16_add_cpu(&group->bg_free_bits_count, -1 * backups); - } - -@@ -169,7 +178,7 @@ out_rollback: - group, - new_clusters, - first_new_cluster, -- cl_cpg, 0); -+ cl_cpg, old_bg_clusters, 0); - le16_add_cpu(&group->bg_free_bits_count, backups); - le16_add_cpu(&group->bg_bits, -1 * num_bits); - le16_add_cpu(&group->bg_free_bits_count, -1 * num_bits); diff --git a/patches/parisc-fix-syscall-restarts.patch b/patches/parisc-fix-syscall-restarts.patch deleted file mode 100644 index a7b928e..0000000 --- a/patches/parisc-fix-syscall-restarts.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 71a71fb5374a23be36a91981b5614590b9e722c3 Mon Sep 17 00:00:00 2001 -From: Helge Deller <deller@gmx.de> -Date: Mon, 21 Dec 2015 10:03:30 +0100 -Subject: parisc: Fix syscall restarts - -commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream. - -On parisc syscalls which are interrupted by signals sometimes failed to -restart and instead returned -ENOSYS which in the worst case lead to -userspace crashes. -A similiar problem existed on MIPS and was fixed by commit e967ef02 -("MIPS: Fix restart of indirect syscalls"). - -On parisc the current syscall restart code assumes that all syscall -callers load the syscall number in the delay slot of the ble -instruction. That's how it is e.g. done in the unistd.h header file: - ble 0x100(%sr2, %r0) - ldi #syscall_nr, %r20 -Because of that assumption the current code never restored %r20 before -returning to userspace. - -This assumption is at least not true for code which uses the glibc -syscall() function, which instead uses this syntax: - ble 0x100(%sr2, %r0) - copy regX, %r20 -where regX depend on how the compiler optimizes the code and register -usage. - -This patch fixes this problem by adding code to analyze how the syscall -number is loaded in the delay branch and - if needed - copy the syscall -number to regX prior returning to userspace for the syscall restart. - -Signed-off-by: Helge Deller <deller@gmx.de> -Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - arch/parisc/kernel/signal.c | 67 ++++++++++++++++++++++++++++++++++---------- - 1 file changed, 52 insertions(+), 15 deletions(-) - ---- a/arch/parisc/kernel/signal.c -+++ b/arch/parisc/kernel/signal.c -@@ -468,6 +468,55 @@ handle_signal(unsigned long sig, siginfo - return 1; - } - -+/* -+ * Check how the syscall number gets loaded into %r20 within -+ * the delay branch in userspace and adjust as needed. -+ */ -+ -+static void check_syscallno_in_delay_branch(struct pt_regs *regs) -+{ -+ u32 opcode, source_reg; -+ u32 __user *uaddr; -+ int err; -+ -+ /* Usually we don't have to restore %r20 (the system call number) -+ * because it gets loaded in the delay slot of the branch external -+ * instruction via the ldi instruction. -+ * In some cases a register-to-register copy instruction might have -+ * been used instead, in which case we need to copy the syscall -+ * number into the source register before returning to userspace. -+ */ -+ -+ /* A syscall is just a branch, so all we have to do is fiddle the -+ * return pointer so that the ble instruction gets executed again. -+ */ -+ regs->gr[31] -= 8; /* delayed branching */ -+ -+ /* Get assembler opcode of code in delay branch */ -+ uaddr = (unsigned int *) ((regs->gr[31] & ~3) + 4); -+ err = get_user(opcode, uaddr); -+ if (err) -+ return; -+ -+ /* Check if delay branch uses "ldi int,%r20" */ -+ if ((opcode & 0xffff0000) == 0x34140000) -+ return; /* everything ok, just return */ -+ -+ /* Check if delay branch uses "nop" */ -+ if (opcode == INSN_NOP) -+ return; -+ -+ /* Check if delay branch uses "copy %rX,%r20" */ -+ if ((opcode & 0xffe0ffff) == 0x08000254) { -+ source_reg = (opcode >> 16) & 31; -+ regs->gr[source_reg] = regs->gr[20]; -+ return; -+ } -+ -+ pr_warn("syscall restart: %s (pid %d): unexpected opcode 0x%08x\n", -+ current->comm, task_pid_nr(current), opcode); -+} -+ - static inline void - syscall_restart(struct pt_regs *regs, struct k_sigaction *ka) - { -@@ -489,10 +538,7 @@ syscall_restart(struct pt_regs *regs, st - } - /* fallthrough */ - case -ERESTARTNOINTR: -- /* A syscall is just a branch, so all -- * we have to do is fiddle the return pointer. -- */ -- regs->gr[31] -= 8; /* delayed branching */ -+ check_syscallno_in_delay_branch(regs); - /* Preserve original r28. */ - regs->gr[28] = regs->orig_r28; - break; -@@ -543,18 +589,9 @@ insert_restart_trampoline(struct pt_regs - } - case -ERESTARTNOHAND: - case -ERESTARTSYS: -- case -ERESTARTNOINTR: { -- /* Hooray for delayed branching. We don't -- * have to restore %r20 (the system call -- * number) because it gets loaded in the delay -- * slot of the branch external instruction. -- */ -- regs->gr[31] -= 8; -- /* Preserve original r28. */ -- regs->gr[28] = regs->orig_r28; -- -+ case -ERESTARTNOINTR: -+ check_syscallno_in_delay_branch(regs); - return; -- } - default: - break; - } diff --git a/patches/parisc-iommu-fix-panic-due-to-trying-to-allocate-too-large-region.patch b/patches/parisc-iommu-fix-panic-due-to-trying-to-allocate-too-large-region.patch deleted file mode 100644 index 03ab8b2..0000000 --- a/patches/parisc-iommu-fix-panic-due-to-trying-to-allocate-too-large-region.patch +++ /dev/null @@ -1,124 +0,0 @@ -From e46e31a3696ae2d66f32c207df3969613726e636 Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka <mpatocka@redhat.com> -Date: Mon, 30 Nov 2015 14:47:46 -0500 -Subject: parisc iommu: fix panic due to trying to allocate too large region - -commit e46e31a3696ae2d66f32c207df3969613726e636 upstream. - -When using the Promise TX2+ SATA controller on PA-RISC, the system often -crashes with kernel panic, for example just writing data with the dd -utility will make it crash. - -Kernel panic - not syncing: drivers/parisc/sba_iommu.c: I/O MMU @ 000000000000a000 is out of mapping resources - -CPU: 0 PID: 18442 Comm: mkspadfs Not tainted 4.4.0-rc2 #2 -Backtrace: - [<000000004021497c>] show_stack+0x14/0x20 - [<0000000040410bf0>] dump_stack+0x88/0x100 - [<000000004023978c>] panic+0x124/0x360 - [<0000000040452c18>] sba_alloc_range+0x698/0x6a0 - [<0000000040453150>] sba_map_sg+0x260/0x5b8 - [<000000000c18dbb4>] ata_qc_issue+0x264/0x4a8 [libata] - [<000000000c19535c>] ata_scsi_translate+0xe4/0x220 [libata] - [<000000000c19a93c>] ata_scsi_queuecmd+0xbc/0x320 [libata] - [<0000000040499bbc>] scsi_dispatch_cmd+0xfc/0x130 - [<000000004049da34>] scsi_request_fn+0x6e4/0x970 - [<00000000403e95a8>] __blk_run_queue+0x40/0x60 - [<00000000403e9d8c>] blk_run_queue+0x3c/0x68 - [<000000004049a534>] scsi_run_queue+0x2a4/0x360 - [<000000004049be68>] scsi_end_request+0x1a8/0x238 - [<000000004049de84>] scsi_io_completion+0xfc/0x688 - [<0000000040493c74>] scsi_finish_command+0x17c/0x1d0 - -The cause of the crash is not exhaustion of the IOMMU space, there is -plenty of free pages. The function sba_alloc_range is called with size -0x11000, thus the pages_needed variable is 0x11. The function -sba_search_bitmap is called with bits_wanted 0x11 and boundary size is -0x10 (because dma_get_seg_boundary(dev) returns 0xffff). - -The function sba_search_bitmap attempts to allocate 17 pages that must not -cross 16-page boundary - it can't satisfy this requirement -(iommu_is_span_boundary always returns true) and fails even if there are -many free entries in the IOMMU space. - -How did it happen that we try to allocate 17 pages that don't cross -16-page boundary? The cause is in the function iommu_coalesce_chunks. This -function tries to coalesce adjacent entries in the scatterlist. The -function does several checks if it may coalesce one entry with the next, -one of those checks is this: - - if (startsg->length + dma_len > max_seg_size) - break; - -When it finishes coalescing adjacent entries, it allocates the mapping: - -sg_dma_len(contig_sg) = dma_len; -dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE); -sg_dma_address(contig_sg) = - PIDE_FLAG - | (iommu_alloc_range(ioc, dev, dma_len) << IOVP_SHIFT) - | dma_offset; - -It is possible that (startsg->length + dma_len > max_seg_size) is false -(we are just near the 0x10000 max_seg_size boundary), so the funcion -decides to coalesce this entry with the next entry. When the coalescing -succeeds, the function performs - dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE); -And now, because of non-zero dma_offset, dma_len is greater than 0x10000. -iommu_alloc_range (a pointer to sba_alloc_range) is called and it attempts -to allocate 17 pages for a device that must not cross 16-page boundary. - -To fix the bug, we must make sure that dma_len after addition of -dma_offset and alignment doesn't cross the segment boundary. I.e. change - if (startsg->length + dma_len > max_seg_size) - break; -to - if (ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > max_seg_size) - break; - -This patch makes this change (it precalculates max_seg_boundary at the -beginning of the function iommu_coalesce_chunks). I also added a check -that the mapping length doesn't exceed dma_get_seg_boundary(dev) (it is -not needed for Promise TX2+ SATA, but it may be needed for other devices -that have dma_get_seg_boundary lower than dma_get_max_seg_size). - -Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> -Signed-off-by: Helge Deller <deller@gmx.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/parisc/iommu-helpers.h | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - ---- a/drivers/parisc/iommu-helpers.h -+++ b/drivers/parisc/iommu-helpers.h -@@ -104,7 +104,11 @@ iommu_coalesce_chunks(struct ioc *ioc, s - struct scatterlist *contig_sg; /* contig chunk head */ - unsigned long dma_offset, dma_len; /* start/len of DMA stream */ - unsigned int n_mappings = 0; -- unsigned int max_seg_size = dma_get_max_seg_size(dev); -+ unsigned int max_seg_size = min(dma_get_max_seg_size(dev), -+ (unsigned)DMA_CHUNK_SIZE); -+ unsigned int max_seg_boundary = dma_get_seg_boundary(dev) + 1; -+ if (max_seg_boundary) /* check if the addition above didn't overflow */ -+ max_seg_size = min(max_seg_size, max_seg_boundary); - - while (nents > 0) { - -@@ -139,14 +143,11 @@ iommu_coalesce_chunks(struct ioc *ioc, s - - /* - ** First make sure current dma stream won't -- ** exceed DMA_CHUNK_SIZE if we coalesce the -+ ** exceed max_seg_size if we coalesce the - ** next entry. - */ -- if(unlikely(ALIGN(dma_len + dma_offset + startsg->length, -- IOVP_SIZE) > DMA_CHUNK_SIZE)) -- break; -- -- if (startsg->length + dma_len > max_seg_size) -+ if (unlikely(ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > -+ max_seg_size)) - break; - - /* diff --git a/patches/perf-fix-inherited-events-vs.-tracepoint-filters.patch b/patches/perf-fix-inherited-events-vs.-tracepoint-filters.patch deleted file mode 100644 index 8c34630..0000000 --- a/patches/perf-fix-inherited-events-vs.-tracepoint-filters.patch +++ /dev/null @@ -1,51 +0,0 @@ -From b71b437eedaed985062492565d9d421d975ae845 Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra <peterz@infradead.org> -Date: Mon, 2 Nov 2015 10:50:51 +0100 -Subject: perf: Fix inherited events vs. tracepoint filters -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit b71b437eedaed985062492565d9d421d975ae845 upstream. - -Arnaldo reported that tracepoint filters seem to misbehave (ie. not -apply) on inherited events. - -The fix is obvious; filters are only set on the actual (parent) -event, use the normal pattern of using this parent event for filters. -This is safe because each child event has a reference to it. - -Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org> -Tested-by: Arnaldo Carvalho de Melo <acme@kernel.org> -Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: Adrian Hunter <adrian.hunter@intel.com> -Cc: Arnaldo Carvalho de Melo <acme@redhat.com> -Cc: David Ahern <dsahern@gmail.com> -Cc: FrĂ©dĂ©ric Weisbecker <fweisbec@gmail.com> -Cc: Jiri Olsa <jolsa@kernel.org> -Cc: Jiri Olsa <jolsa@redhat.com> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Steven Rostedt <rostedt@goodmis.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Wang Nan <wangnan0@huawei.com> -Link: http://lkml.kernel.org/r/20151102095051.GN17308@twins.programming.kicks-ass.net -Signed-off-by: Ingo Molnar <mingo@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - kernel/events/core.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -5366,6 +5366,10 @@ static int perf_tp_filter_match(struct p - { - void *record = data->raw->data; - -+ /* only top level events have filters set */ -+ if (event->parent) -+ event = event->parent; -+ - if (likely(!event->filter) || filter_match_preds(event->filter, record)) - return 1; - return 0; diff --git a/patches/recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch b/patches/recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch deleted file mode 100644 index 36e653e..0000000 --- a/patches/recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c84da8b9ad3761eef43811181c7e896e9834b26b Mon Sep 17 00:00:00 2001 -From: libin <huawei.libin@huawei.com> -Date: Tue, 3 Nov 2015 08:58:47 +0800 -Subject: recordmcount: Fix endianness handling bug for nop_mcount - -commit c84da8b9ad3761eef43811181c7e896e9834b26b upstream. - -In nop_mcount, shdr->sh_offset and welp->r_offset should handle -endianness properly, otherwise it will trigger Segmentation fault -if the recordmcount main and file.o have different endianness. - -Link: http://lkml.kernel.org/r/563806C7.7070606@huawei.com - -Signed-off-by: Li Bin <huawei.libin@huawei.com> -Signed-off-by: Steven Rostedt <rostedt@goodmis.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - scripts/recordmcount.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/scripts/recordmcount.h -+++ b/scripts/recordmcount.h -@@ -375,7 +375,7 @@ static void nop_mcount(Elf_Shdr const *c - - if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { - if (make_nop) -- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset); -+ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset)); - if (warn_on_notrace_sect && !once) { - printf("Section %s has mcount callers being ignored\n", - txtname); diff --git a/patches/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch b/patches/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch deleted file mode 100644 index e951a90..0000000 --- a/patches/revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch +++ /dev/null @@ -1,170 +0,0 @@ -From 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 Mon Sep 17 00:00:00 2001 -From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com> -Date: Thu, 29 Oct 2015 10:24:23 -0200 -Subject: Revert "dm mpath: fix stalls when handling invalid ioctls" - -commit 47796938c46b943d157ac8a6f9ed4e3b98b83cf4 upstream. - -This reverts commit a1989b330093578ea5470bea0a00f940c444c466. - -That commit introduced a regression at least for the case of the SG_IO ioctl() -running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there -are no active paths: the ioctl() fails with the ENOTTY errno immediately rather -than blocking due to queue_if_no_path until a path becomes active, for example. - -That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices -(qemu "-device scsi-block" [1], libvirt "<disk type='block' device='lun'>" [2]) -from multipath devices; which leads to SCSI/filesystem errors in such a guest. - -More general scenarios can hit that regression too. The following demonstration -employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective -(some output & user changes omitted for brevity and comments added for clarity). - -Reverting that commit restores normal operation (queueing) in failing scenarios; -tested on linux-next (next-20151022). - -1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM) - - $ cat sg_simple0.c - ... see [3] ... - $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c - $ gcc sgio_inquiry.c -o sgio_inquiry - -2) The ioctl() works fine with active paths present. - - # multipath -l 85ag56 - 85ag56 (...) dm-19 IBM ,2145 - size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw - |-+- policy='service-time 0' prio=0 status=active - | |- 8:0:11:0 sdz 65:144 active undef running - | `- 9:0:9:0 sdbf 67:144 active undef running - `-+- policy='service-time 0' prio=0 status=enabled - |- 8:0:12:0 sdae 65:224 active undef running - `- 9:0:12:0 sdbo 68:32 active undef running - - $ ./sgio_inquiry /dev/mapper/85ag56 - Some of the INQUIRY command's response: - IBM 2145 0000 - INQUIRY duration=0 millisecs, resid=0 - -3) The ioctl() fails with ENOTTY errno with _no_ active paths present, - for unprivileged users (rather than blocking due to queue_if_no_path). - - # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \ - do multipathd -k"fail path $path"; done - - # multipath -l 85ag56 - 85ag56 (...) dm-19 IBM ,2145 - size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw - |-+- policy='service-time 0' prio=0 status=enabled - | |- 8:0:11:0 sdz 65:144 failed undef running - | `- 9:0:9:0 sdbf 67:144 failed undef running - `-+- policy='service-time 0' prio=0 status=enabled - |- 8:0:12:0 sdae 65:224 failed undef running - `- 9:0:12:0 sdbo 68:32 failed undef running - - $ ./sgio_inquiry /dev/mapper/85ag56 - sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device - -4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285); - it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl(). - - $ dmesg - <...> - [] device-mapper: multipath: Failing path 65:144. - [] device-mapper: multipath: Failing path 67:144. - [] device-mapper: multipath: Failing path 65:224. - [] device-mapper: multipath: Failing path 68:32. - [] sgio_inquiry: sending ioctl 2285 to a partition! - -5) The ioctl() only works if the SYS_CAP_RAWIO capability is present - (then queueing happens -- in this example, queue_if_no_path is set); - this is due to a conditional check in scsi_verify_blk_ioctl(). - - # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56' - sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device - - # ./sgio_inquiry /dev/mapper/85ag56 & - [1] 72830 - - # cat /proc/72830/stack - [<c00000171c0df700>] 0xc00000171c0df700 - [<c000000000015934>] __switch_to+0x204/0x350 - [<c000000000152d4c>] msleep+0x5c/0x80 - [<c00000000077dfb0>] dm_blk_ioctl+0x70/0x170 - [<c000000000487c40>] blkdev_ioctl+0x2b0/0x9b0 - [<c0000000003128e4>] block_ioctl+0x64/0xd0 - [<c0000000002dd3b0>] do_vfs_ioctl+0x490/0x780 - [<c0000000002dd774>] SyS_ioctl+0xd4/0xf0 - [<c000000000009358>] system_call+0x38/0xd0 - -6) This is the function call chain exercised in this analysis: - -SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c - -> do_vfs_ioctl() - -> vfs_ioctl() - ... - error = filp->f_op->unlocked_ioctl(filp, cmd, arg); - ... - -> dm_blk_ioctl() @ drivers/md/dm.c - -> multipath_ioctl() @ drivers/md/dm-mpath.c - ... - (bdev = NULL, due to no active paths) - ... - if (!bdev || <...>) { - int err = scsi_verify_blk_ioctl(NULL, cmd); - if (err) - r = err; - } - ... - -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c - ... - if (bd && bd == bd->bd_contains) // not taken (bd = NULL) - return 0; - ... - if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user) - return 0; - ... - printk_ratelimited(KERN_WARNING - "%s: sending ioctl %x to a partition!\n" <...>); - - return -ENOIOCTLCMD; - <- - ... - return r ? : <...> - <- - ... - if (error == -ENOIOCTLCMD) - error = -ENOTTY; - out: - return error; - ... - -Links: -[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52 -[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device') -[3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03) - -Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com> -Signed-off-by: Mike Snitzer <snitzer@redhat.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/md/dm-mpath.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - ---- a/drivers/md/dm-mpath.c -+++ b/drivers/md/dm-mpath.c -@@ -1553,11 +1553,8 @@ static int multipath_ioctl(struct dm_tar - /* - * Only pass ioctls through if the device sizes match exactly. - */ -- if (!bdev || ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) { -- int err = scsi_verify_blk_ioctl(NULL, cmd); -- if (err) -- r = err; -- } -+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) -+ r = scsi_verify_blk_ioctl(NULL, cmd); - - return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg); - } diff --git a/patches/revert-usb-add-device-quirk-for-asus-t100-base-stati.patch b/patches/revert-usb-add-device-quirk-for-asus-t100-base-stati.patch deleted file mode 100644 index cd9be30..0000000 --- a/patches/revert-usb-add-device-quirk-for-asus-t100-base-stati.patch +++ /dev/null @@ -1,59 +0,0 @@ -From d3c9cefbd27122111214925e4bf10293a19563ea Mon Sep 17 00:00:00 2001 -From: Zefan Li <lizefan@huawei.com> -Date: Sun, 9 Oct 2016 19:20:47 +0800 -Subject: [PATCH 3/4] Revert "USB: Add device quirk for ASUS T100 Base Station - keyboard" - -This reverts commit eea5a87d270e8d6925063019c3b0f3ff61fcb49a. - -Conflicts: - drivers/usb/core/quirks.c - include/linux/usb/quirks.h - -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/core/hub.c | 6 ++---- - drivers/usb/core/quirks.c | 4 ---- - include/linux/usb/quirks.h | 3 --- - 3 files changed, 2 insertions(+), 11 deletions(-) - ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -1655,10 +1655,8 @@ void usb_set_device_state(struct usb_dev - || new_state == USB_STATE_SUSPENDED) - ; /* No change to wakeup settings */ - else if (new_state == USB_STATE_CONFIGURED) -- wakeup = (udev->quirks & -- USB_QUIRK_IGNORE_REMOTE_WAKEUP) ? 0 : -- udev->actconfig->desc.bmAttributes & -- USB_CONFIG_ATT_WAKEUP; -+ wakeup = udev->actconfig->desc.bmAttributes -+ & USB_CONFIG_ATT_WAKEUP; - else - wakeup = 0; - } ---- a/drivers/usb/core/quirks.c -+++ b/drivers/usb/core/quirks.c -@@ -184,10 +184,6 @@ static const struct usb_device_id usb_in - { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0), - .driver_info = USB_QUIRK_RESET_RESUME }, - -- /* ASUS Base Station(T100) */ -- { USB_DEVICE(0x0b05, 0x17e0), .driver_info = -- USB_QUIRK_IGNORE_REMOTE_WAKEUP }, -- - /* Protocol and OTG Electrical Test Device */ - { USB_DEVICE(0x1a0a, 0x0200), .driver_info = - USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, ---- a/include/linux/usb/quirks.h -+++ b/include/linux/usb/quirks.h -@@ -30,9 +30,6 @@ - descriptor */ - #define USB_QUIRK_DELAY_INIT 0x00000040 - --/* device generates spurious wakeup, ignore remote wakeup capability */ --#define USB_QUIRK_IGNORE_REMOTE_WAKEUP 0x00000200 -- - /* device can't handle device_qualifier descriptor requests */ - #define USB_QUIRK_DEVICE_QUALIFIER 0x00000100 - diff --git a/patches/revert-usb-add-otg-pet-device-to-tpl.patch b/patches/revert-usb-add-otg-pet-device-to-tpl.patch deleted file mode 100644 index db72843..0000000 --- a/patches/revert-usb-add-otg-pet-device-to-tpl.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0a86eabab1d89cd947a550098670c4cbbb5c00be Mon Sep 17 00:00:00 2001 -From: Zefan Li <lizefan@huawei.com> -Date: Sun, 9 Oct 2016 19:23:12 +0800 -Subject: [PATCH 4/4] Revert "USB: Add OTG PET device to TPL" - -This reverts commit 97fa724b23c3dd22e9c0979ad0e9d260cc6d545d. - -Conflicts: - drivers/usb/core/quirks.c - -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/core/otg_whitelist.h | 5 ----- - drivers/usb/core/quirks.c | 4 ---- - 2 files changed, 9 deletions(-) - ---- a/drivers/usb/core/otg_whitelist.h -+++ b/drivers/usb/core/otg_whitelist.h -@@ -59,11 +59,6 @@ static int is_targeted(struct usb_device - le16_to_cpu(dev->descriptor.idProduct) == 0xbadd)) - return 0; - -- /* OTG PET device is always targeted (see OTG 2.0 ECN 6.4.2) */ -- if ((le16_to_cpu(dev->descriptor.idVendor) == 0x1a0a && -- le16_to_cpu(dev->descriptor.idProduct) == 0x0200)) -- return 1; -- - /* NOTE: can't use usb_match_id() since interface caches - * aren't set up yet. this is cut/paste from that code. - */ ---- a/drivers/usb/core/quirks.c -+++ b/drivers/usb/core/quirks.c -@@ -184,10 +184,6 @@ static const struct usb_device_id usb_in - { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0), - .driver_info = USB_QUIRK_RESET_RESUME }, - -- /* Protocol and OTG Electrical Test Device */ -- { USB_DEVICE(0x1a0a, 0x0200), .driver_info = -- USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, -- - { } /* terminating entry must be last */ - }; - diff --git a/patches/rfkill-copy-the-name-into-the-rfkill-struct.patch b/patches/rfkill-copy-the-name-into-the-rfkill-struct.patch deleted file mode 100644 index 502b51b..0000000 --- a/patches/rfkill-copy-the-name-into-the-rfkill-struct.patch +++ /dev/null @@ -1,56 +0,0 @@ -From b7bb110008607a915298bf0f47d25886ecb94477 Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Thu, 10 Dec 2015 10:37:51 +0100 -Subject: rfkill: copy the name into the rfkill struct - -commit b7bb110008607a915298bf0f47d25886ecb94477 upstream. - -Some users of rfkill, like NFC and cfg80211, use a dynamic name when -allocating rfkill, in those cases dev_name(). Therefore, the pointer -passed to rfkill_alloc() might not be valid forever, I specifically -found the case that the rfkill name was quite obviously an invalid -pointer (or at least garbage) when the wiphy had been renamed. - -Fix this by making a copy of the rfkill name in rfkill_alloc(). - -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/rfkill/core.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/net/rfkill/core.c -+++ b/net/rfkill/core.c -@@ -51,7 +51,6 @@ - struct rfkill { - spinlock_t lock; - -- const char *name; - enum rfkill_type type; - - unsigned long state; -@@ -75,6 +74,7 @@ struct rfkill { - struct delayed_work poll_work; - struct work_struct uevent_work; - struct work_struct sync_work; -+ char name[]; - }; - #define to_rfkill(d) container_of(d, struct rfkill, dev) - -@@ -849,14 +849,14 @@ struct rfkill * __must_check rfkill_allo - if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES)) - return NULL; - -- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL); -+ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL); - if (!rfkill) - return NULL; - - spin_lock_init(&rfkill->lock); - INIT_LIST_HEAD(&rfkill->node); - rfkill->type = type; -- rfkill->name = name; -+ strcpy(rfkill->name, name); - rfkill->ops = ops; - rfkill->data = ops_data; - diff --git a/patches/ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch b/patches/ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch deleted file mode 100644 index fb50e27..0000000 --- a/patches/ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch +++ /dev/null @@ -1,59 +0,0 @@ -From b81f472a208d3e2b4392faa6d17037a89442f4ce Mon Sep 17 00:00:00 2001 -From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org> -Date: Mon, 23 Nov 2015 10:35:36 -0500 -Subject: ring-buffer: Update read stamp with first real commit on page - -commit b81f472a208d3e2b4392faa6d17037a89442f4ce upstream. - -Do not update the read stamp after swapping out the reader page from the -write buffer. If the reader page is swapped out of the buffer before an -event is written to it, then the read_stamp may get an out of date -timestamp, as the page timestamp is updated on the first commit to that -page. - -rb_get_reader_page() only returns a page if it has an event on it, otherwise -it will return NULL. At that point, check if the page being returned has -events and has not been read yet. Then at that point update the read_stamp -to match the time stamp of the reader page. - -Signed-off-by: Steven Rostedt <rostedt@goodmis.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - kernel/trace/ring_buffer.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -1549,12 +1549,6 @@ rb_set_commit_to_write(struct ring_buffe - goto again; - } - --static void rb_reset_reader_page(struct ring_buffer_per_cpu *cpu_buffer) --{ -- cpu_buffer->read_stamp = cpu_buffer->reader_page->page->time_stamp; -- cpu_buffer->reader_page->read = 0; --} -- - static void rb_inc_iter(struct ring_buffer_iter *iter) - { - struct ring_buffer_per_cpu *cpu_buffer = iter->cpu_buffer; -@@ -3094,7 +3088,7 @@ rb_get_reader_page(struct ring_buffer_pe - - /* Finally update the reader page to the new head */ - cpu_buffer->reader_page = reader; -- rb_reset_reader_page(cpu_buffer); -+ cpu_buffer->reader_page->read = 0; - - if (overwrite != cpu_buffer->last_overrun) { - cpu_buffer->lost_events = overwrite - cpu_buffer->last_overrun; -@@ -3104,6 +3098,10 @@ rb_get_reader_page(struct ring_buffer_pe - goto again; - - out: -+ /* Update the read_stamp on the first event */ -+ if (reader && reader->read == 0) -+ cpu_buffer->read_stamp = reader->page->time_stamp; -+ - arch_spin_unlock(&cpu_buffer->lock); - local_irq_restore(flags); - diff --git a/patches/sata_sil-disable-trim.patch b/patches/sata_sil-disable-trim.patch deleted file mode 100644 index 86c935c..0000000 --- a/patches/sata_sil-disable-trim.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka <mpatocka@redhat.com> -Date: Thu, 26 Nov 2015 12:00:59 -0500 -Subject: sata_sil: disable trim - -commit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream. - -When I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any -TRIM command results in I/O errors being reported in the log. There is -other similar error reported with TRIM and the SIL controller: -https://bugs.centos.org/view.php?id=5880 - -Apparently the controller doesn't support TRIM commands. This patch -disables TRIM support on the SATA SIL controller. - -ata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0 -ata7.00: BMDMA2 stat 0x50001 -ata7.00: failed command: DATA SET MANAGEMENT -ata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out - res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error) -ata7.00: status: { DRDY ERR } -ata7.00: error: { ABRT } -ata7.00: device reported invalid CHS sector 0 -sd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE -sd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor] -sd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command -sd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00 -blk_update_request: I/O error, dev sdb, sector 2200968 - -Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> -Signed-off-by: Tejun Heo <tj@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/ata/sata_sil.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/ata/sata_sil.c -+++ b/drivers/ata/sata_sil.c -@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_de - unsigned int n, quirks = 0; - unsigned char model_num[ATA_ID_PROD_LEN + 1]; - -+ /* This controller doesn't support trim */ -+ dev->horkage |= ATA_HORKAGE_NOTRIM; -+ - ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); - - for (n = 0; sil_blacklist[n].product; n++) diff --git a/patches/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch b/patches/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch deleted file mode 100644 index 0a11f99..0000000 --- a/patches/sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 Mon Sep 17 00:00:00 2001 -From: Xunlei Pang <xlpang@redhat.com> -Date: Wed, 2 Dec 2015 19:52:59 +0800 -Subject: sched/core: Clear the root_domain cpumasks in init_rootdomain() - -commit 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 upstream. - -root_domain::rto_mask allocated through alloc_cpumask_var() -contains garbage data, this may cause problems. For instance, -When doing pull_rt_task(), it may do useless iterations if -rto_mask retains some extra garbage bits. Worse still, this -violates the isolated domain rule for clustered scheduling -using cpuset, because the tasks(with all the cpus allowed) -belongs to one root domain can be pulled away into another -root domain. - -The patch cleans the garbage by using zalloc_cpumask_var() -instead of alloc_cpumask_var() for root_domain::rto_mask -allocation, thereby addressing the issues. - -Do the same thing for root_domain's other cpumask memembers: -dlo_mask, span, and online. - -Signed-off-by: Xunlei Pang <xlpang@redhat.com> -Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Mike Galbraith <efault@gmx.de> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Steven Rostedt <rostedt@goodmis.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Link: http://lkml.kernel.org/r/1449057179-29321-1-git-send-email-xlpang@redhat.com -Signed-off-by: Ingo Molnar <mingo@kernel.org> -[lizf: there's no rd->dlo_mask, so remove the change to it] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - kernel/sched/core.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -5931,11 +5931,11 @@ static int init_rootdomain(struct root_d - { - memset(rd, 0, sizeof(*rd)); - -- if (!alloc_cpumask_var(&rd->span, GFP_KERNEL)) -+ if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL)) - goto out; -- if (!alloc_cpumask_var(&rd->online, GFP_KERNEL)) -+ if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL)) - goto free_span; -- if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL)) -+ if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL)) - goto free_online; - - if (cpupri_init(&rd->cpupri) != 0) diff --git a/patches/scripts-recordmcount-break-hardlinks.patch b/patches/scripts-recordmcount-break-hardlinks.patch deleted file mode 100644 index 4a22bcd..0000000 --- a/patches/scripts-recordmcount-break-hardlinks.patch +++ /dev/null @@ -1,43 +0,0 @@ -From dd39a26538e37f6c6131e829a4a510787e43c783 Mon Sep 17 00:00:00 2001 -From: Russell King <rmk+kernel@arm.linux.org.uk> -Date: Fri, 11 Dec 2015 12:09:03 +0000 -Subject: scripts: recordmcount: break hardlinks - -commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream. - -recordmcount edits the file in-place, which can cause problems when -using ccache in hardlink mode. Arrange for recordmcount to break a -hardlinked object. - -Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk - -Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> -Signed-off-by: Steven Rostedt <rostedt@goodmis.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - scripts/recordmcount.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/scripts/recordmcount.c -+++ b/scripts/recordmcount.c -@@ -182,6 +182,20 @@ static void *mmap_file(char const *fname - addr = umalloc(sb.st_size); - uread(fd_map, addr, sb.st_size); - } -+ if (sb.st_nlink != 1) { -+ /* file is hard-linked, break the hard link */ -+ close(fd_map); -+ if (unlink(fname) < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode); -+ if (fd_map < 0) { -+ perror(fname); -+ fail_file(); -+ } -+ uwrite(fd_map, addr, sb.st_size); -+ } - return addr; - } - diff --git a/patches/scsi-restart-list-search-after-unlock-in-scsi_remove_target.patch b/patches/scsi-restart-list-search-after-unlock-in-scsi_remove_target.patch deleted file mode 100644 index 78d2398..0000000 --- a/patches/scsi-restart-list-search-after-unlock-in-scsi_remove_target.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 40998193560dab6c3ce8d25f4fa58a23e252ef38 Mon Sep 17 00:00:00 2001 -From: Christoph Hellwig <hch@lst.de> -Date: Mon, 19 Oct 2015 16:35:46 +0200 -Subject: scsi: restart list search after unlock in scsi_remove_target - -commit 40998193560dab6c3ce8d25f4fa58a23e252ef38 upstream. - -When dropping a lock while iterating a list we must restart the search -as other threads could have manipulated the list under us. Without this -we can get stuck in an endless loop. This bug was introduced by - -commit bc3f02a795d3b4faa99d37390174be2a75d091bd -Author: Dan Williams <djbw@fb.com> -Date: Tue Aug 28 22:12:10 2012 -0700 - - [SCSI] scsi_remove_target: fix softlockup regression on hot remove - -Which was itself trying to fix a reported soft lockup issue - -http://thread.gmane.org/gmane.linux.kernel/1348679 - -However, we believe even with this revert of the original patch, the soft -lockup problem has been fixed by - -commit f2495e228fce9f9cec84367547813cbb0d6db15a -Author: James Bottomley <JBottomley@Parallels.com> -Date: Tue Jan 21 07:01:41 2014 -0800 - - [SCSI] dual scan thread bug fix - -Thanks go to Dan Williams <dan.j.williams@intel.com> for tracking all this -prior history down. - -Reported-by: Johannes Thumshirn <jthumshirn@suse.de> -Signed-off-by: Christoph Hellwig <hch@lst.de> -Tested-by: Johannes Thumshirn <jthumshirn@suse.de> -Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> -Fixes: bc3f02a795d3b4faa99d37390174be2a75d091bd -Signed-off-by: James Bottomley <JBottomley@Odin.com> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/scsi/scsi_sysfs.c | 16 ++++------------ - 1 file changed, 4 insertions(+), 12 deletions(-) - ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -1020,31 +1020,23 @@ static void __scsi_remove_target(struct - void scsi_remove_target(struct device *dev) - { - struct Scsi_Host *shost = dev_to_shost(dev->parent); -- struct scsi_target *starget, *last = NULL; -+ struct scsi_target *starget; - unsigned long flags; - -- /* remove targets being careful to lookup next entry before -- * deleting the last -- */ -+restart: - spin_lock_irqsave(shost->host_lock, flags); - list_for_each_entry(starget, &shost->__targets, siblings) { - if (starget->state == STARGET_DEL) - continue; - if (starget->dev.parent == dev || &starget->dev == dev) { -- /* assuming new targets arrive at the end */ - starget->reap_ref++; - spin_unlock_irqrestore(shost->host_lock, flags); -- if (last) -- scsi_target_reap(last); -- last = starget; - __scsi_remove_target(starget); -- spin_lock_irqsave(shost->host_lock, flags); -+ scsi_target_reap(starget); -+ goto restart; - } - } - spin_unlock_irqrestore(shost->host_lock, flags); -- -- if (last) -- scsi_target_reap(last); - } - EXPORT_SYMBOL(scsi_remove_target); - diff --git a/patches/scsi_sysfs-fix-queue_ramp_up_period-return-code.patch b/patches/scsi_sysfs-fix-queue_ramp_up_period-return-code.patch deleted file mode 100644 index 4b302bb..0000000 --- a/patches/scsi_sysfs-fix-queue_ramp_up_period-return-code.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 863e02d0e173bb9d8cea6861be22820b25c076cc Mon Sep 17 00:00:00 2001 -From: Peter Oberparleiter <oberpar@linux.vnet.ibm.com> -Date: Tue, 27 Oct 2015 10:49:54 +0100 -Subject: scsi_sysfs: Fix queue_ramp_up_period return code - -commit 863e02d0e173bb9d8cea6861be22820b25c076cc upstream. - -Writing a number to /sys/bus/scsi/devices/<sdev>/queue_ramp_up_period -returns the value of that number instead of the number of bytes written. -This behavior can confuse programs expecting POSIX write() semantics. -Fix this by returning the number of bytes written instead. - -Signed-off-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com> -Reviewed-by: Hannes Reinecke <hare@suse.de> -Reviewed-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com> -Reviewed-by: Ewan D. Milne <emilne@redhat.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/scsi/scsi_sysfs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/scsi/scsi_sysfs.c -+++ b/drivers/scsi/scsi_sysfs.c -@@ -793,7 +793,7 @@ sdev_store_queue_ramp_up_period(struct d - return -EINVAL; - - sdev->queue_ramp_up_period = msecs_to_jiffies(period); -- return period; -+ return count; - } - - static struct device_attribute sdev_attr_queue_ramp_up_period = diff --git a/patches/sctp-prevent-soft-lockup-when-sctp_accept-is-called-during-a-timeout-event.patch b/patches/sctp-prevent-soft-lockup-when-sctp_accept-is-called-during-a-timeout-event.patch deleted file mode 100644 index cf345d6..0000000 --- a/patches/sctp-prevent-soft-lockup-when-sctp_accept-is-called-during-a-timeout-event.patch +++ /dev/null @@ -1,186 +0,0 @@ -From: Karl Heiss <kheiss@gmail.com> -Date: Thu, 24 Sep 2015 12:15:07 -0400 -Subject: sctp: Prevent soft lockup when sctp_accept() is called during a - timeout event - -commit 635682a14427d241bab7bbdeebb48a7d7b91638e upstream. - -A case can occur when sctp_accept() is called by the user during -a heartbeat timeout event after the 4-way handshake. Since -sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the -bh_sock_lock in sctp_generate_heartbeat_event() will be taken with -the listening socket but released with the new association socket. -The result is a deadlock on any future attempts to take the listening -socket lock. - -Note that this race can occur with other SCTP timeouts that take -the bh_lock_sock() in the event sctp_accept() is called. - - BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0] - ... - RIP: 0010:[<ffffffff8152d48e>] [<ffffffff8152d48e>] _spin_lock+0x1e/0x30 - RSP: 0018:ffff880028323b20 EFLAGS: 00000206 - RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000 - RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48 - RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000 - R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0 - R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225 - FS: 0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b - CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0 - DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 - Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0) - Stack: - ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000 - <d> 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00 - <d> ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8 - Call Trace: - <IRQ> - [<ffffffffa01c2582>] ? sctp_rcv+0x492/0xa10 [sctp] - [<ffffffff8148c559>] ? nf_iterate+0x69/0xb0 - [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0 - [<ffffffff8148c716>] ? nf_hook_slow+0x76/0x120 - [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0 - [<ffffffff8149757d>] ? ip_local_deliver_finish+0xdd/0x2d0 - [<ffffffff81497808>] ? ip_local_deliver+0x98/0xa0 - [<ffffffff81496ccd>] ? ip_rcv_finish+0x12d/0x440 - [<ffffffff81497255>] ? ip_rcv+0x275/0x350 - [<ffffffff8145cfeb>] ? __netif_receive_skb+0x4ab/0x750 - ... - -With lockdep debugging: - - ===================================== - [ BUG: bad unlock balance detected! ] - ------------------------------------- - CslRx/12087 is trying to release lock (slock-AF_INET) at: - [<ffffffffa01bcae0>] sctp_generate_timeout_event+0x40/0xe0 [sctp] - but there are no more locks to release! - - other info that might help us debug this: - 2 locks held by CslRx/12087: - #0: (&asoc->timers[i]){+.-...}, at: [<ffffffff8108ce1f>] run_timer_softirq+0x16f/0x3e0 - #1: (slock-AF_INET){+.-...}, at: [<ffffffffa01bcac3>] sctp_generate_timeout_event+0x23/0xe0 [sctp] - -Ensure the socket taken is also the same one that is released by -saving a copy of the socket before entering the timeout event -critical section. - -Signed-off-by: Karl Heiss <kheiss@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.2: - - Net namespaces are not used - - Keep using sctp_bh_{,un}lock_sock() - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/sctp/sm_sideeffect.c | 34 +++++++++++++++++++--------------- - 1 file changed, 19 insertions(+), 15 deletions(-) - ---- a/net/sctp/sm_sideeffect.c -+++ b/net/sctp/sm_sideeffect.c -@@ -249,11 +249,12 @@ void sctp_generate_t3_rtx_event(unsigned - int error; - struct sctp_transport *transport = (struct sctp_transport *) peer; - struct sctp_association *asoc = transport->asoc; -+ struct sock *sk = asoc->base.sk; - - /* Check whether a task is in the sock. */ - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__); - - /* Try again later. */ -@@ -276,10 +277,10 @@ void sctp_generate_t3_rtx_event(unsigned - transport, GFP_ATOMIC); - - if (error) -- asoc->base.sk->sk_err = -error; -+ sk->sk_err = -error; - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_transport_put(transport); - } - -@@ -289,10 +290,11 @@ out_unlock: - static void sctp_generate_timeout_event(struct sctp_association *asoc, - sctp_event_timeout_t timeout_type) - { -+ struct sock *sk = asoc->base.sk; - int error = 0; - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy: timer %d\n", - __func__, - timeout_type); -@@ -316,10 +318,10 @@ static void sctp_generate_timeout_event( - (void *)timeout_type, GFP_ATOMIC); - - if (error) -- asoc->base.sk->sk_err = -error; -+ sk->sk_err = -error; - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_association_put(asoc); - } - -@@ -369,9 +371,10 @@ void sctp_generate_heartbeat_event(unsig - int error = 0; - struct sctp_transport *transport = (struct sctp_transport *) data; - struct sctp_association *asoc = transport->asoc; -+ struct sock *sk = asoc->base.sk; - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__); - - /* Try again later. */ -@@ -392,10 +395,10 @@ void sctp_generate_heartbeat_event(unsig - transport, GFP_ATOMIC); - - if (error) -- asoc->base.sk->sk_err = -error; -+ sk->sk_err = -error; - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_transport_put(transport); - } - -@@ -406,9 +409,10 @@ void sctp_generate_proto_unreach_event(u - { - struct sctp_transport *transport = (struct sctp_transport *) data; - struct sctp_association *asoc = transport->asoc; -+ struct sock *sk = asoc->base.sk; - -- sctp_bh_lock_sock(asoc->base.sk); -- if (sock_owned_by_user(asoc->base.sk)) { -+ sctp_bh_lock_sock(sk); -+ if (sock_owned_by_user(sk)) { - SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__); - - /* Try again later. */ -@@ -429,7 +433,7 @@ void sctp_generate_proto_unreach_event(u - asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC); - - out_unlock: -- sctp_bh_unlock_sock(asoc->base.sk); -+ sctp_bh_unlock_sock(sk); - sctp_association_put(asoc); - } - diff --git a/patches/sctp-start-t5-timer-only-when-peer-rwnd-is-0-and-local-state-is-shutdown_pending.patch b/patches/sctp-start-t5-timer-only-when-peer-rwnd-is-0-and-local-state-is-shutdown_pending.patch deleted file mode 100644 index a6ee7a0..0000000 --- a/patches/sctp-start-t5-timer-only-when-peer-rwnd-is-0-and-local-state-is-shutdown_pending.patch +++ /dev/null @@ -1,69 +0,0 @@ -From: lucien <lucien.xin@gmail.com> -Date: Sat, 5 Dec 2015 15:35:36 +0800 -Subject: sctp: start t5 timer only when peer rwnd is 0 and local state is - SHUTDOWN_PENDING - -commit 8a0d19c5ed417c78d03f4e0fa7215e58c40896d8 upstream. - -when A sends a data to B, then A close() and enter into SHUTDOWN_PENDING -state, if B neither claim his rwnd is 0 nor send SACK for this data, A -will keep retransmitting this data until t5 timeout, Max.Retrans times -can't work anymore, which is bad. - -if B's rwnd is not 0, it should send abort after Max.Retrans times, only -when B's rwnd == 0 and A's retransmitting beyonds Max.Retrans times, A -will start t5 timer, which is also commit f8d960524328 ("sctp: Enforce -retransmission limit during shutdown") means, but it lacks the condition -peer rwnd == 0. - -so fix it by adding a bit (zero_window_announced) in peer to record if -the last rwnd is 0. If it was, zero_window_announced will be set. and use -this bit to decide if start t5 timer when local.state is SHUTDOWN_PENDING. - -Fixes: commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown") -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.2: change sack_needed to bitfield as done earlier upstream] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - include/net/sctp/structs.h | 3 ++- - net/sctp/outqueue.c | 1 + - net/sctp/sm_statefuns.c | 3 ++- - 3 files changed, 5 insertions(+), 2 deletions(-) - ---- a/include/net/sctp/structs.h -+++ b/include/net/sctp/structs.h -@@ -1587,7 +1587,8 @@ struct sctp_association { - * : order. When DATA chunks are out of order, - * : SACK's are not delayed (see Section 6). - */ -- __u8 sack_needed; /* Do we need to sack the peer? */ -+ __u8 sack_needed:1, /* Do we need to sack the peer? */ -+ zero_window_announced:1; - __u32 sack_cnt; - - /* These are capabilities which our peer advertised. */ ---- a/net/sctp/outqueue.c -+++ b/net/sctp/outqueue.c -@@ -1265,6 +1265,7 @@ int sctp_outq_sack(struct sctp_outq *q, - */ - - sack_a_rwnd = ntohl(sack->a_rwnd); -+ asoc->peer.zero_window_announced = !sack_a_rwnd; - outstanding = q->outstanding_bytes; - - if (outstanding < sack_a_rwnd) ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -5299,7 +5299,8 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx( - SCTP_INC_STATS(SCTP_MIB_T3_RTX_EXPIREDS); - - if (asoc->overall_error_count >= asoc->max_retrans) { -- if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { -+ if (asoc->peer.zero_window_announced && -+ asoc->state == SCTP_STATE_SHUTDOWN_PENDING) { - /* - * We are here likely because the receiver had its rwnd - * closed for a while and we have not been able to diff --git a/patches/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch b/patches/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch deleted file mode 100644 index 4410299..0000000 --- a/patches/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch +++ /dev/null @@ -1,43 +0,0 @@ -From ed5a377d87dc4c87fb3e1f7f698cba38cd893103 Mon Sep 17 00:00:00 2001 -From: lucien <lucien.xin@gmail.com> -Date: Thu, 12 Nov 2015 13:07:07 +0800 -Subject: sctp: translate host order to network order when setting a hmacid - -commit ed5a377d87dc4c87fb3e1f7f698cba38cd893103 upstream. - -now sctp auth cannot work well when setting a hmacid manually, which -is caused by that we didn't use the network order for hmacid, so fix -it by adding the transformation in sctp_auth_ep_set_hmacs. - -even we set hmacid with the network order in userspace, it still -can't work, because of this condition in sctp_auth_ep_set_hmacs(): - - if (id > SCTP_AUTH_HMAC_ID_MAX) - return -EOPNOTSUPP; - -so this wasn't working before and thus it won't break compatibility. - -Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.") -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> -Acked-by: Neil Horman <nhorman@tuxdriver.com> -Acked-by: Vlad Yasevich <vyasevich@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/sctp/auth.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/sctp/auth.c -+++ b/net/sctp/auth.c -@@ -804,8 +804,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_e - if (!has_sha1) - return -EINVAL; - -- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0], -- hmacs->shmac_num_idents * sizeof(__u16)); -+ for (i = 0; i < hmacs->shmac_num_idents; i++) -+ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]); - ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) + - hmacs->shmac_num_idents * sizeof(__u16)); - return 0; diff --git a/patches/ser_gigaset-fix-deallocation-of-platform-device-structure.patch b/patches/ser_gigaset-fix-deallocation-of-platform-device-structure.patch deleted file mode 100644 index 76fea8d..0000000 --- a/patches/ser_gigaset-fix-deallocation-of-platform-device-structure.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 4c5e354a974214dfb44cd23fa0429327693bc3ea Mon Sep 17 00:00:00 2001 -From: Tilman Schmidt <tilman@imap.cc> -Date: Tue, 15 Dec 2015 18:11:30 +0100 -Subject: ser_gigaset: fix deallocation of platform device structure - -commit 4c5e354a974214dfb44cd23fa0429327693bc3ea upstream. - -When shutting down the device, the struct ser_cardstate must not be -kfree()d immediately after the call to platform_device_unregister() -since the embedded struct platform_device is still in use. -Move the kfree() call to the release method instead. - -Signed-off-by: Tilman Schmidt <tilman@imap.cc> -Fixes: 2869b23e4b95 ("drivers/isdn/gigaset: new M101 driver (v2)") -Reported-by: Sasha Levin <sasha.levin@oracle.com> -Signed-off-by: Paul Bolle <pebolle@tiscali.nl> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/isdn/gigaset/ser-gigaset.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/drivers/isdn/gigaset/ser-gigaset.c -+++ b/drivers/isdn/gigaset/ser-gigaset.c -@@ -371,19 +371,23 @@ static void gigaset_freecshw(struct card - tasklet_kill(&cs->write_tasklet); - if (!cs->hw.ser) - return; -- dev_set_drvdata(&cs->hw.ser->dev.dev, NULL); - platform_device_unregister(&cs->hw.ser->dev); -- kfree(cs->hw.ser); -- cs->hw.ser = NULL; - } - - static void gigaset_device_release(struct device *dev) - { - struct platform_device *pdev = to_platform_device(dev); -+ struct cardstate *cs = dev_get_drvdata(dev); - - /* adapted from platform_device_release() in drivers/base/platform.c */ - kfree(dev->platform_data); - kfree(pdev->resource); -+ -+ if (!cs) -+ return; -+ dev_set_drvdata(dev, NULL); -+ kfree(cs->hw.ser); -+ cs->hw.ser = NULL; - } - - /* diff --git a/patches/ser_gigaset-remove-unnecessary-kfree-calls-from-release-method.patch b/patches/ser_gigaset-remove-unnecessary-kfree-calls-from-release-method.patch deleted file mode 100644 index a866c3b..0000000 --- a/patches/ser_gigaset-remove-unnecessary-kfree-calls-from-release-method.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 8aeb3c3d655e22d3aa5ba49f313157bd27354bb4 Mon Sep 17 00:00:00 2001 -From: Tilman Schmidt <tilman@imap.cc> -Date: Tue, 15 Dec 2015 18:11:31 +0100 -Subject: ser_gigaset: remove unnecessary kfree() calls from release method - -commit 8aeb3c3d655e22d3aa5ba49f313157bd27354bb4 upstream. - -device->platform_data and platform_device->resource are never used -and remain NULL through their entire life. Drops the kfree() calls -for them from the device release method. - -Signed-off-by: Tilman Schmidt <tilman@imap.cc> -Signed-off-by: Paul Bolle <pebolle@tiscali.nl> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/isdn/gigaset/ser-gigaset.c | 5 ----- - 1 file changed, 5 deletions(-) - ---- a/drivers/isdn/gigaset/ser-gigaset.c -+++ b/drivers/isdn/gigaset/ser-gigaset.c -@@ -376,13 +376,8 @@ static void gigaset_freecshw(struct card - - static void gigaset_device_release(struct device *dev) - { -- struct platform_device *pdev = to_platform_device(dev); - struct cardstate *cs = dev_get_drvdata(dev); - -- /* adapted from platform_device_release() in drivers/base/platform.c */ -- kfree(dev->platform_data); -- kfree(pdev->resource); -- - if (!cs) - return; - dev_set_drvdata(dev, NULL); diff --git a/patches/ser_gigaset-use-container_of-instead-of-detour.patch b/patches/ser_gigaset-use-container_of-instead-of-detour.patch deleted file mode 100644 index eb36f1d..0000000 --- a/patches/ser_gigaset-use-container_of-instead-of-detour.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 8d2c3ab4445640957d136caa3629857d63544a2a Mon Sep 17 00:00:00 2001 -From: Paul Bolle <pebolle@tiscali.nl> -Date: Thu, 18 Feb 2016 21:29:08 +0100 -Subject: ser_gigaset: use container_of() instead of detour - -commit 8d2c3ab4445640957d136caa3629857d63544a2a upstream. - -The purpose of gigaset_device_release() is to kfree() the struct -ser_cardstate that contains our struct device. This is done via a bit of -a detour. First we make our struct device's driver_data point to the -container of our struct ser_cardstate (which is a struct cardstate). In -gigaset_device_release() we then retrieve that driver_data again. And -after that we finally kfree() the struct ser_cardstate that was saved in -the struct cardstate. - -All of this can be achieved much easier by using container_of() to get -from our struct device to its container, struct ser_cardstate. Do so. - -Note that at the time the detour was implemented commit b8b2c7d845d5 -("base/platform: assert that dev_pm_domain callbacks are called -unconditionally") had just entered the tree. That commit disconnected -our platform_device and our platform_driver. These were reconnected -again in v4.5-rc2 through commit 25cad69f21f5 ("base/platform: Fix -platform drivers with no probe callback"). And one of the consequences -of that fix was that it broke the detour via driver_data. That's because -it made __device_release_driver() stop being a NOP for our struct device -and actually do stuff again. One of the things it now does, is setting -our driver_data to NULL. That, in turn, makes it impossible for -gigaset_device_release() to get to our struct cardstate. Which has the -net effect of leaking a struct ser_cardstate at every call of this -driver's tty close() operation. So using container_of() has the -additional benefit of actually working. - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Tested-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: Paul Bolle <pebolle@tiscali.nl> -Acked-by: Tilman Schmidt <tilman@imap.cc> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/isdn/gigaset/ser-gigaset.c | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - ---- a/drivers/isdn/gigaset/ser-gigaset.c -+++ b/drivers/isdn/gigaset/ser-gigaset.c -@@ -376,13 +376,7 @@ static void gigaset_freecshw(struct card - - static void gigaset_device_release(struct device *dev) - { -- struct cardstate *cs = dev_get_drvdata(dev); -- -- if (!cs) -- return; -- dev_set_drvdata(dev, NULL); -- kfree(cs->hw.ser); -- cs->hw.ser = NULL; -+ kfree(container_of(dev, struct ser_cardstate, dev.dev)); - } - - /* -@@ -411,7 +405,6 @@ static int gigaset_initcshw(struct cards - cs->hw.ser = NULL; - return 0; - } -- dev_set_drvdata(&cs->hw.ser->dev.dev, cs); - - tasklet_init(&cs->write_tasklet, - gigaset_modem_fill, (unsigned long) cs); diff --git a/patches/series b/patches/series index 6779316..e69de29 100644 --- a/patches/series +++ b/patches/series @@ -1,131 +0,0 @@ -mac80211-fix-driver-rssi-event-calculations.patch -wm831x_power-use-irqf_oneshot-to-request-threaded-irqs.patch -mwifiex-fix-mwifiex_rdeeprom_read.patch -devres-fix-a-for-loop-bounds-check.patch -arm-pxa-remove-incorrect-__init-annotation-on-pxa27x_set_pwrmode.patch -mips-atomic-fix-comment-describing-atomic64_add_unless-s-return-value.patch -recordmcount-fix-endianness-handling-bug-for-nop_mcount.patch -ipv6-fix-tunnel-error-handling.patch -scsi-restart-list-search-after-unlock-in-scsi_remove_target.patch -net-fix-a-race-in-dst_release.patch -fs-cache-increase-reference-of-parent-after-registering-netfs-success.patch -fs-cache-don-t-override-netfs-s-primary_index-if-registering-failed.patch -fs-cache-handle-a-write-to-the-page-immediately-beyond-the-eof-marker.patch -hid-core-avoid-uninitialized-buffer-access.patch -mtd-mtdpart-fix-add_mtd_partitions-error-path.patch -iommu-vt-d-fix-atsr-handling-for-root-complex-integrated-endpoints.patch -ext4-jbd2-ensure-entering-into-panic-after-recording-an-error-in-superblock.patch -bluetooth-ath3k-add-support-of-ar3012-0cf3-817b-device.patch -staging-rtl8712-add-device-id-for-sitecom-wla2100.patch -acpi-use-correct-irq-when-uninstalling-acpi-interrupt-handler.patch -alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch -megaraid_sas-do-not-use-page_size-for-max_sectors.patch -revert-dm-mpath-fix-stalls-when-handling-invalid-ioctls.patch -crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch -megaraid_sas-smap-restriction-do-not-access-user-memory-from-ioctl-code.patch -alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch -firewire-ohci-fix-jmicron-jmb38x-it-context-discovery.patch -x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch -btrfs-fix-race-leading-to-bug_on-when-running-delalloc-for-nodatacow.patch -perf-fix-inherited-events-vs.-tracepoint-filters.patch -scsi_sysfs-fix-queue_ramp_up_period-return-code.patch -binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch -sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch -usb-musb-core-fix-order-of-arguments-to-ulpi-write-callback.patch -net-fix-__netdev_update_features-return-on-ndo_set_features-failure.patch -mac80211-mesh-fix-call_rcu-usage.patch -macvlan-fix-leak-in-macvlan_handle_frame.patch -tcp-md5-fix-lockdep-annotation.patch -usblp-do-not-set-task_interruptible-before-lock.patch -ip6mr-call-del_timer_sync-in-ip6mr_free_table.patch -net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch -broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch -ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch -net-neighbour-fix-crash-at-dumping-device-agnostic-proxy-entries.patch -iio-lpc32xx_adc-fix-warnings-caused-by-enabling-unprepared-clock.patch -alsa-usb-audio-add-packet-size-quirk-for-the-medeli-dd305.patch -alsa-usb-audio-prevent-ch345-multiport-output-sysex-corruption.patch -alsa-usb-audio-work-around-ch345-input-sysex-corruption.patch -usb-serial-option-add-support-for-novatel-mifi-usb620l.patch -asoc-wm8962-correct-addresses-for-hpf_c_0-1.patch -usb-option-add-xs-stick-w100-2-from-4g-systems.patch -mac-validate-mac_partition-is-within-sector.patch -can-sja1000-clear-interrupts-on-start.patch -vfs-make-sendfile-2-killable-even-better.patch -vfs-avoid-softlockups-with-sendfile-2.patch -nfs-if-we-have-no-valid-attrs-then-don-t-declare-the-attribute-cache-valid.patch -wan-x25-fix-use-after-free-in-x25_asy_open_tty.patch -sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch -x86-signal-fix-restart_syscall-number-for-x32-tasks.patch -fix-sysvfs-symlinks.patch -fuse-break-infinite-loop-in-fuse_fill_write_pages.patch -usb-cp210x-remove-cp2110-id-from-compatibility-list.patch -ext4-fix-handling-of-extended-tv_sec.patch -jbd2-fix-unreclaimed-pages-after-truncate-in-data-journal-mode.patch -ahci-fix-softreset-failed-issue-of-port-multiplier.patch -sata_sil-disable-trim.patch -usb-whci-hcd-add-check-for-dma-mapping-error.patch -dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch -usb-xhci-fix-config-fail-of-fs-hub-behind-a-hs-hub-with-mtt.patch -alsa-rme96-fix-unexpected-volume-reset-after-rate-changes.patch -sctp-start-t5-timer-only-when-peer-rwnd-is-0-and-local-state-is-shutdown_pending.patch -9p-evict_inode-should-kick-out-i_data-not-i_mapping.patch -crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch -rfkill-copy-the-name-into-the-rfkill-struct.patch -dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch -ses-fix-problems-with-simple-enclosures.patch -vgaarb-fix-signal-handling-in-vga_get.patch -ses-fix-additional-element-traversal-bug.patch -parisc-iommu-fix-panic-due-to-trying-to-allocate-too-large-region.patch -mm-vmstat-allow-wq-concurrency-to-discover-memory-reclaim-doesn-t-make-any-progress.patch -mm-hugetlb-call-huge_pte_alloc-only-if-ptep-is-null.patch -tty-fix-gpf-in-flush_to_ldisc.patch -genirq-prevent-chip-buslock-deadlock.patch -sh_eth-fix-tx-buffer-byte-swapping.patch -arm-8471-1-need-to-save-restore-arm-register-r11-when-it-is-corrupted.patch -misdn-fix-a-loop-count.patch -ser_gigaset-fix-deallocation-of-platform-device-structure.patch -spi-fix-parent-device-reference-leak.patch -scripts-recordmcount-break-hardlinks.patch -ftrace-scripts-have-recordmcount-copy-the-object-file.patch -xen-add-ring_copy_request.patch -xen-netback-don-t-use-last-request-to-determine-minimum-tx-credit.patch -xen-netback-use-ring_copy_request-throughout.patch -xen-blkback-only-read-request-operation-from-shared-ring-once.patch -xen-pciback-save-xen_pci_op-commands-before-processing-it.patch -xen-pciback-return-error-on-xen_pci_op_enable_msi-when-device-has-msi-or-msi-x-enabled.patch -xen-pciback-return-error-on-xen_pci_op_enable_msix-when-device-has-msi-or-msi-x-enabled.patch -xen-pciback-do-not-install-an-irq-handler-for-msi-interrupts.patch -xen-pciback-for-xen_pci_op_disable_msi-x-only-disable-if-device-has-msi-x-enabled.patch -xen-pciback-don-t-allow-msi-x-ops-if-pci_command_memory-is-not-set.patch -usb-ipaq.c-fix-a-timeout-loop.patch -usb-fix-invalid-memory-access-in-hub_activate.patch -keys-fix-race-between-read-and-revoke.patch -parisc-fix-syscall-restarts.patch -ipv6-addrlabel-fix-ip6addrlbl_get.patch -ocfs2-fix-bug-when-calculate-new-backup-super.patch -mm-memory_hotplug.c-check-for-missing-sections-in-test_pages_in_a_zone.patch -ftrace-scripts-fix-incorrect-use-of-sprintf-in-recordmcount.patch -net-possible-use-after-free-in-dst_release.patch -af_unix-fix-a-fatal-race-with-bit-fields.patch -usb-ti_usb_3410_502-fix-id-table-size.patch -net-fix-skb-csum-races-when-peeking.patch -udp-properly-support-msg_peek-with-truncated-buffers.patch -drm-radeon-fix-hotplug-race-at-startup.patch -sctp-prevent-soft-lockup-when-sctp_accept-is-called-during-a-timeout-event.patch -ipv6-update-ip6_rt_last_gc-every-time-gc-is-run.patch -ipv6-don-t-call-fib6_run_gc-until-routing-is-ready.patch -ipv6-fix-handling-of-blackhole-and-prohibit-routes.patch -fix-incomplete-backport-of-commit-423f04d63cf4.patch -fix-incomplete-backport-of-commit-0f792cf949a0.patch -revert-usb-add-device-quirk-for-asus-t100-base-stati.patch -revert-usb-add-otg-pet-device-to-tpl.patch -tcp-make-challenge-acks-less-predictable.patch -time-prevent-early-expiry-of-hrtimers-clock_realtime-at-the-leap-second-edge.patch -mm-vmstat-fix-wrong-wq-sleep-when-memory-reclaim-doesn-t-make-any-progress.patch -xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch -ser_gigaset-remove-unnecessary-kfree-calls-from-release-method.patch -ser_gigaset-use-container_of-instead-of-detour.patch -net-core-revert-net-fix-__netdev_update_features-return.-and-add-comment.patch -mm-remove-gup_flags-foll_write-games-from-__get_user_pages.patch -net-fix-use-after-free-in-the-recvmmsg-exit-path.patch diff --git a/patches/ses-fix-additional-element-traversal-bug.patch b/patches/ses-fix-additional-element-traversal-bug.patch deleted file mode 100644 index c63046b..0000000 --- a/patches/ses-fix-additional-element-traversal-bug.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 5e1033561da1152c57b97ee84371dba2b3d64c25 Mon Sep 17 00:00:00 2001 -From: James Bottomley <James.Bottomley@HansenPartnership.com> -Date: Fri, 11 Dec 2015 09:16:38 -0800 -Subject: ses: fix additional element traversal bug - -commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream. - -KASAN found that our additional element processing scripts drop off -the end of the VPD page into unallocated space. The reason is that -not every element has additional information but our traversal -routines think they do, leading to them expecting far more additional -information than is present. Fix this by adding a gate to the -traversal routine so that it only processes elements that are expected -to have additional information (list is in SES-2 section 6.1.13.1: -Additional Element Status diagnostic page overview) - -Reported-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> -Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> -Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/scsi/ses.c | 10 +++++++++- - include/linux/enclosure.h | 4 ++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/ses.c -+++ b/drivers/scsi/ses.c -@@ -454,7 +454,15 @@ static void ses_enclosure_data_process(s - if (desc_ptr) - desc_ptr += len; - -- if (addl_desc_ptr) -+ if (addl_desc_ptr && -+ /* only find additional descriptions for specific devices */ -+ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE || -+ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE || -+ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER || -+ /* these elements are optional */ -+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT || -+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT || -+ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) - addl_desc_ptr += addl_desc_ptr[1] + 2; - - } ---- a/include/linux/enclosure.h -+++ b/include/linux/enclosure.h -@@ -29,7 +29,11 @@ - /* A few generic types ... taken from ses-2 */ - enum enclosure_component_type { - ENCLOSURE_COMPONENT_DEVICE = 0x01, -+ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07, -+ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14, -+ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15, - ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17, -+ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18, - }; - - /* ses-2 common element status */ diff --git a/patches/ses-fix-problems-with-simple-enclosures.patch b/patches/ses-fix-problems-with-simple-enclosures.patch deleted file mode 100644 index 75930bc..0000000 --- a/patches/ses-fix-problems-with-simple-enclosures.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 3417c1b5cb1fdc10261dbed42b05cc93166a78fd Mon Sep 17 00:00:00 2001 -From: James Bottomley <James.Bottomley@HansenPartnership.com> -Date: Tue, 8 Dec 2015 09:00:31 -0800 -Subject: ses: Fix problems with simple enclosures - -commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream. - -Simple enclosure implementations (mostly USB) are allowed to return only -page 8 to every diagnostic query. That really confuses our -implementation because we assume the return is the page we asked for and -end up doing incorrect offsets based on bogus information leading to -accesses outside of allocated ranges. Fix that by checking the page -code of the return and giving an error if it isn't the one we asked for. -This should fix reported bugs with USB storage by simply refusing to -attach to enclosures that behave like this. It's also good defensive -practise now that we're starting to see more USB enclosures. - -Reported-by: Andrea Gelmini <andrea.gelmini@gelma.net> -Reviewed-by: Ewan D. Milne <emilne@redhat.com> -Reviewed-by: Tomas Henzl <thenzl@redhat.com> -Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/scsi/ses.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/ses.c -+++ b/drivers/scsi/ses.c -@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev) - static int ses_recv_diag(struct scsi_device *sdev, int page_code, - void *buf, int bufflen) - { -+ int ret; - unsigned char cmd[] = { - RECEIVE_DIAGNOSTIC, - 1, /* Set PCV bit */ -@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_dev - bufflen & 0xff, - 0 - }; -+ unsigned char recv_page_code; - -- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, -+ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen, - NULL, SES_TIMEOUT, SES_RETRIES, NULL); -+ if (unlikely(!ret)) -+ return ret; -+ -+ recv_page_code = ((unsigned char *)buf)[0]; -+ -+ if (likely(recv_page_code == page_code)) -+ return ret; -+ -+ /* successful diagnostic but wrong page code. This happens to some -+ * USB devices, just print a message and pretend there was an error */ -+ -+ sdev_printk(KERN_ERR, sdev, -+ "Wrong diagnostic page; asked for %d got %u\n", -+ page_code, recv_page_code); -+ -+ return -EINVAL; - } - - static int ses_send_diag(struct scsi_device *sdev, int page_code, diff --git a/patches/sh_eth-fix-tx-buffer-byte-swapping.patch b/patches/sh_eth-fix-tx-buffer-byte-swapping.patch deleted file mode 100644 index 0a28e3a..0000000 --- a/patches/sh_eth-fix-tx-buffer-byte-swapping.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 3e2309937f1e5d538ff13da5fb8de41196927c61 Mon Sep 17 00:00:00 2001 -From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Date: Sun, 13 Dec 2015 21:27:04 +0300 -Subject: sh_eth: fix TX buffer byte-swapping - -commit 3e2309937f1e5d538ff13da5fb8de41196927c61 upstream. - -For the little-endian SH771x kernels the driver has to byte-swap the RX/TX -buffers, however yet unset physcial address from the TX descriptor is used -to call sh_eth_soft_swap(). Use 'skb->data' instead... - -Fixes: 31fcb99d9958 ("net: sh_eth: remove __flush_purge_region") -Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/ethernet/renesas/sh_eth.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -1513,8 +1513,7 @@ static int sh_eth_start_xmit(struct sk_b - txdesc = &mdp->tx_ring[entry]; - /* soft swap. */ - if (!mdp->cd->hw_swap) -- sh_eth_soft_swap(phys_to_virt(ALIGN(txdesc->addr, 4)), -- skb->len + 2); -+ sh_eth_soft_swap(PTR_ALIGN(skb->data, 4), skb->len + 2); - txdesc->addr = dma_map_single(&ndev->dev, skb->data, skb->len, - DMA_TO_DEVICE); - if (skb->len < ETHERSMALL) diff --git a/patches/spi-fix-parent-device-reference-leak.patch b/patches/spi-fix-parent-device-reference-leak.patch deleted file mode 100644 index d9d8e5b..0000000 --- a/patches/spi-fix-parent-device-reference-leak.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 157f38f993919b648187ba341bfb05d0e91ad2f6 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Mon, 14 Dec 2015 16:16:19 +0100 -Subject: spi: fix parent-device reference leak - -commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream. - -Fix parent-device reference leak due to SPI-core taking an unnecessary -reference to the parent when allocating the master structure, a -reference that was never released. - -Note that driver core takes its own reference to the parent when the -master device is registered. - -Fixes: 49dce689ad4e ("spi doesn't need class_device") -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/spi/spi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/spi/spi.c -+++ b/drivers/spi/spi.c -@@ -846,7 +846,7 @@ struct spi_master *spi_alloc_master(stru - - device_initialize(&master->dev); - master->dev.class = &spi_master_class; -- master->dev.parent = get_device(dev); -+ master->dev.parent = dev; - spi_master_set_devdata(master, &master[1]); - - return master; diff --git a/patches/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch b/patches/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch deleted file mode 100644 index bdabc58..0000000 --- a/patches/staging-rtl8712-add-device-id-for-sitecom-wla2100.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 Mon Sep 17 00:00:00 2001 -From: Larry Finger <Larry.Finger@lwfinger.net> -Date: Sun, 18 Oct 2015 22:14:48 -0500 -Subject: staging: rtl8712: Add device ID for Sitecom WLA2100 - -commit 1e6e63283691a2a9048a35d9c6c59cf0abd342e4 upstream. - -This adds the USB ID for the Sitecom WLA2100. The Windows 10 inf file -was checked to verify that the addition is correct. - -Reported-by: Frans van de Wiel <fvdw@fvdw.eu> -Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> -Cc: Frans van de Wiel <fvdw@fvdw.eu> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/staging/rtl8712/usb_intf.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/staging/rtl8712/usb_intf.c -+++ b/drivers/staging/rtl8712/usb_intf.c -@@ -147,6 +147,7 @@ static struct usb_device_id rtl871x_usb_ - {USB_DEVICE(0x0DF6, 0x0058)}, - {USB_DEVICE(0x0DF6, 0x0049)}, - {USB_DEVICE(0x0DF6, 0x004C)}, -+ {USB_DEVICE(0x0DF6, 0x006C)}, - {USB_DEVICE(0x0DF6, 0x0064)}, - /* Skyworth */ - {USB_DEVICE(0x14b2, 0x3300)}, diff --git a/patches/tcp-make-challenge-acks-less-predictable.patch b/patches/tcp-make-challenge-acks-less-predictable.patch deleted file mode 100644 index bbba122..0000000 --- a/patches/tcp-make-challenge-acks-less-predictable.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 75ff39ccc1bd5d3c455b6822ab09e533c551f758 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Sun, 10 Jul 2016 10:04:02 +0200 -Subject: tcp: make challenge acks less predictable - -commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 upstream. - -Yue Cao claims that current host rate limiting of challenge ACKS -(RFC 5961) could leak enough information to allow a patient attacker -to hijack TCP sessions. He will soon provide details in an academic -paper. - -This patch increases the default limit from 100 to 1000, and adds -some randomization so that the attacker can no longer hijack -sessions without spending a considerable amount of probes. - -Based on initial analysis and patch from Linus. - -Note that we also have per socket rate limiting, so it is tempting -to remove the host limit in the future. - -v2: randomize the count of challenge acks per second, not the period. - -Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") -Reported-by: Yue Cao <ycao009@ucr.edu> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Yuchung Cheng <ycheng@google.com> -Cc: Neal Cardwell <ncardwell@google.com> -Acked-by: Neal Cardwell <ncardwell@google.com> -Acked-by: Yuchung Cheng <ycheng@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[lizf: Backported to 3.4: - - adjust context - - use ACCESS_ONCE instead WRITE_ONCE/READ_ONCE - - open-code prandom_u32_max()] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv4/tcp_input.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -89,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_most - EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); - - /* rfc5961 challenge ack rate limiting */ --int sysctl_tcp_challenge_ack_limit = 100; -+int sysctl_tcp_challenge_ack_limit = 1000; - - int sysctl_tcp_stdurg __read_mostly; - int sysctl_tcp_rfc1337 __read_mostly; -@@ -3701,13 +3701,18 @@ static void tcp_send_challenge_ack(struc - /* unprotected vars, we dont care of overwrites */ - static u32 challenge_timestamp; - static unsigned int challenge_count; -- u32 now = jiffies / HZ; -+ u32 count, now = jiffies / HZ; - - if (now != challenge_timestamp) { -+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; -+ - challenge_timestamp = now; -- challenge_count = 0; -+ ACCESS_ONCE(challenge_count) = half + -+ (u32)(((u64)random32() * sysctl_tcp_challenge_ack_limit) >> 32); - } -- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) { -+ count = ACCESS_ONCE(challenge_count); -+ if (count > 0) { -+ ACCESS_ONCE(challenge_count) = count - 1; - NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); - tcp_send_ack(sk); - } diff --git a/patches/tcp-md5-fix-lockdep-annotation.patch b/patches/tcp-md5-fix-lockdep-annotation.patch deleted file mode 100644 index fea6e87..0000000 --- a/patches/tcp-md5-fix-lockdep-annotation.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 1b8e6a01e19f001e9f93b39c32387961c91ed3cc Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 18 Nov 2015 12:40:13 -0800 -Subject: tcp: md5: fix lockdep annotation - -commit 1b8e6a01e19f001e9f93b39c32387961c91ed3cc upstream. - -When a passive TCP is created, we eventually call tcp_md5_do_add() -with sk pointing to the child. It is not owner by the user yet (we -will add this socket into listener accept queue a bit later anyway) - -But we do own the spinlock, so amend the lockdep annotation to avoid -following splat : - -[ 8451.090932] net/ipv4/tcp_ipv4.c:923 suspicious rcu_dereference_protected() usage! -[ 8451.090932] -[ 8451.090932] other info that might help us debug this: -[ 8451.090932] -[ 8451.090934] -[ 8451.090934] rcu_scheduler_active = 1, debug_locks = 1 -[ 8451.090936] 3 locks held by socket_sockopt_/214795: -[ 8451.090936] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff855c6ac1>] __netif_receive_skb_core+0x151/0xe90 -[ 8451.090947] #1: (rcu_read_lock){.+.+..}, at: [<ffffffff85618143>] ip_local_deliver_finish+0x43/0x2b0 -[ 8451.090952] #2: (slock-AF_INET){+.-...}, at: [<ffffffff855acda5>] sk_clone_lock+0x1c5/0x500 -[ 8451.090958] -[ 8451.090958] stack backtrace: -[ 8451.090960] CPU: 7 PID: 214795 Comm: socket_sockopt_ - -[ 8451.091215] Call Trace: -[ 8451.091216] <IRQ> [<ffffffff856fb29c>] dump_stack+0x55/0x76 -[ 8451.091229] [<ffffffff85123b5b>] lockdep_rcu_suspicious+0xeb/0x110 -[ 8451.091235] [<ffffffff8564544f>] tcp_md5_do_add+0x1bf/0x1e0 -[ 8451.091239] [<ffffffff85645751>] tcp_v4_syn_recv_sock+0x1f1/0x4c0 -[ 8451.091242] [<ffffffff85642b27>] ? tcp_v4_md5_hash_skb+0x167/0x190 -[ 8451.091246] [<ffffffff85647c78>] tcp_check_req+0x3c8/0x500 -[ 8451.091249] [<ffffffff856451ae>] ? tcp_v4_inbound_md5_hash+0x11e/0x190 -[ 8451.091253] [<ffffffff85647170>] tcp_v4_rcv+0x3c0/0x9f0 -[ 8451.091256] [<ffffffff85618143>] ? ip_local_deliver_finish+0x43/0x2b0 -[ 8451.091260] [<ffffffff856181b6>] ip_local_deliver_finish+0xb6/0x2b0 -[ 8451.091263] [<ffffffff85618143>] ? ip_local_deliver_finish+0x43/0x2b0 -[ 8451.091267] [<ffffffff85618d38>] ip_local_deliver+0x48/0x80 -[ 8451.091270] [<ffffffff85618510>] ip_rcv_finish+0x160/0x700 -[ 8451.091273] [<ffffffff8561900e>] ip_rcv+0x29e/0x3d0 -[ 8451.091277] [<ffffffff855c74b7>] __netif_receive_skb_core+0xb47/0xe90 - -Fixes: a8afca0329988 ("tcp: md5: protects md5sig_info with RCU") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv4/tcp_ipv4.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -983,7 +983,8 @@ int tcp_md5_do_add(struct sock *sk, cons - } - - md5sig = rcu_dereference_protected(tp->md5sig_info, -- sock_owned_by_user(sk)); -+ sock_owned_by_user(sk) || -+ lockdep_is_held(&sk->sk_lock.slock)); - if (!md5sig) { - md5sig = kmalloc(sizeof(*md5sig), gfp); - if (!md5sig) diff --git a/patches/time-prevent-early-expiry-of-hrtimers-clock_realtime-at-the-leap-second-edge.patch b/patches/time-prevent-early-expiry-of-hrtimers-clock_realtime-at-the-leap-second-edge.patch deleted file mode 100644 index 4944514..0000000 --- a/patches/time-prevent-early-expiry-of-hrtimers-clock_realtime-at-the-leap-second-edge.patch +++ /dev/null @@ -1,271 +0,0 @@ -From 833f32d763028c1bb371c64f457788b933773b3e Mon Sep 17 00:00:00 2001 -From: John Stultz <john.stultz@linaro.org> -Date: Thu, 11 Jun 2015 15:54:55 -0700 -Subject: time: Prevent early expiry of hrtimers[CLOCK_REALTIME] at the leap - second edge - -commit 833f32d763028c1bb371c64f457788b933773b3e upstream. - -Currently, leapsecond adjustments are done at tick time. As a result, -the leapsecond was applied at the first timer tick *after* the -leapsecond (~1-10ms late depending on HZ), rather then exactly on the -second edge. - -This was in part historical from back when we were always tick based, -but correcting this since has been avoided since it adds extra -conditional checks in the gettime fastpath, which has performance -overhead. - -However, it was recently pointed out that ABS_TIME CLOCK_REALTIME -timers set for right after the leapsecond could fire a second early, -since some timers may be expired before we trigger the timekeeping -timer, which then applies the leapsecond. - -This isn't quite as bad as it sounds, since behaviorally it is similar -to what is possible w/ ntpd made leapsecond adjustments done w/o using -the kernel discipline. Where due to latencies, timers may fire just -prior to the settimeofday call. (Also, one should note that all -applications using CLOCK_REALTIME timers should always be careful, -since they are prone to quirks from settimeofday() disturbances.) - -However, the purpose of having the kernel do the leap adjustment is to -avoid such latencies, so I think this is worth fixing. - -So in order to properly keep those timers from firing a second early, -this patch modifies the ntp and timekeeping logic so that we keep -enough state so that the update_base_offsets_now accessor, which -provides the hrtimer core the current time, can check and apply the -leapsecond adjustment on the second edge. This prevents the hrtimer -core from expiring timers too early. - -This patch does not modify any other time read path, so no additional -overhead is incurred. However, this also means that the leap-second -continues to be applied at tick time for all other read-paths. - -Apologies to Richard Cochran, who pushed for similar changes years -ago, which I resisted due to the concerns about the performance -overhead. - -While I suspect this isn't extremely critical, folks who care about -strict leap-second correctness will likely want to watch -this. Potentially a -stable candidate eventually. - -Originally-suggested-by: Richard Cochran <richardcochran@gmail.com> -Reported-by: Daniel Bristot de Oliveira <bristot@redhat.com> -Reported-by: Prarit Bhargava <prarit@redhat.com> -Signed-off-by: John Stultz <john.stultz@linaro.org> -Cc: Richard Cochran <richardcochran@gmail.com> -Cc: Jan Kara <jack@suse.cz> -Cc: Jiri Bohac <jbohac@suse.cz> -Cc: Shuah Khan <shuahkh@osg.samsung.com> -Cc: Ingo Molnar <mingo@kernel.org> -Link: http://lkml.kernel.org/r/1434063297-28657-4-git-send-email-john.stultz@linaro.org -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -[Yadi: Move do_adjtimex to timekeeping.c and solve context issues] -Signed-off-by: Hu <yadi.hu@windriver.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - kernel/time/ntp.c | 45 ++++++++++++++++++++++++++++++++++++++------- - kernel/time/timekeeping.c | 37 +++++++++++++++++++++++++++++++++++-- - 2 files changed, 73 insertions(+), 9 deletions(-) - ---- a/kernel/time/ntp.c -+++ b/kernel/time/ntp.c -@@ -34,6 +34,7 @@ unsigned long tick_nsec; - static u64 tick_length; - static u64 tick_length_base; - -+#define SECS_PER_DAY 86400 - #define MAX_TICKADJ 500LL /* usecs */ - #define MAX_TICKADJ_SCALED \ - (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ) -@@ -78,6 +79,9 @@ static long time_adjust; - /* constant (boot-param configurable) NTP tick adjustment (upscaled) */ - static s64 ntp_tick_adj; - -+/* second value of the next pending leapsecond, or KTIME_MAX if no leap */ -+static s64 ntp_next_leap_sec = KTIME_MAX; -+ - #ifdef CONFIG_NTP_PPS - - /* -@@ -354,6 +358,8 @@ void ntp_clear(void) - time_maxerror = NTP_PHASE_LIMIT; - time_esterror = NTP_PHASE_LIMIT; - -+ ntp_next_leap_sec = KTIME_MAX; -+ - ntp_update_frequency(); - - tick_length = tick_length_base; -@@ -377,6 +383,21 @@ u64 ntp_tick_length(void) - return ret; - } - -+/** -+ * ntp_get_next_leap - Returns the next leapsecond in CLOCK_REALTIME ktime_t -+ * -+ * Provides the time of the next leapsecond against CLOCK_REALTIME in -+ * a ktime_t format. Returns KTIME_MAX if no leapsecond is pending. -+ */ -+ktime_t ntp_get_next_leap(void) -+{ -+ ktime_t ret; -+ -+ if ((time_state == TIME_INS) && (time_status & STA_INS)) -+ return ktime_set(ntp_next_leap_sec, 0); -+ ret.tv64 = KTIME_MAX; -+ return ret; -+} - - /* - * this routine handles the overflow of the microsecond field -@@ -403,15 +424,21 @@ int second_overflow(unsigned long secs) - */ - switch (time_state) { - case TIME_OK: -- if (time_status & STA_INS) -+ if (time_status & STA_INS) { - time_state = TIME_INS; -- else if (time_status & STA_DEL) -+ ntp_next_leap_sec = secs + SECS_PER_DAY - -+ (secs % SECS_PER_DAY); -+ } else if (time_status & STA_DEL) { - time_state = TIME_DEL; -+ ntp_next_leap_sec = secs + SECS_PER_DAY - -+ ((secs+1) % SECS_PER_DAY); -+ } - break; - case TIME_INS: -- if (!(time_status & STA_INS)) -+ if (!(time_status & STA_INS)) { -+ ntp_next_leap_sec = KTIME_MAX; - time_state = TIME_OK; -- else if (secs % 86400 == 0) { -+ } else if (secs % SECS_PER_DAY == 0) { - leap = -1; - time_state = TIME_OOP; - time_tai++; -@@ -420,10 +447,12 @@ int second_overflow(unsigned long secs) - } - break; - case TIME_DEL: -- if (!(time_status & STA_DEL)) -+ if (!(time_status & STA_DEL)) { -+ ntp_next_leap_sec = KTIME_MAX; - time_state = TIME_OK; -- else if ((secs + 1) % 86400 == 0) { -+ } else if ((secs + 1) % SECS_PER_DAY == 0) { - leap = 1; -+ ntp_next_leap_sec = KTIME_MAX; - time_tai--; - time_state = TIME_WAIT; - printk(KERN_NOTICE -@@ -431,6 +460,7 @@ int second_overflow(unsigned long secs) - } - break; - case TIME_OOP: -+ ntp_next_leap_sec = KTIME_MAX; - time_state = TIME_WAIT; - break; - -@@ -549,6 +579,7 @@ static inline void process_adj_status(st - if ((time_status & STA_PLL) && !(txc->status & STA_PLL)) { - time_state = TIME_OK; - time_status = STA_UNSYNC; -+ ntp_next_leap_sec = KTIME_MAX; - /* restart PPS frequency calibration */ - pps_reset_freq_interval(); - } -@@ -619,7 +650,7 @@ static inline void process_adjtimex_mode - * adjtimex mainly allows reading (and writing, if superuser) of - * kernel time-keeping variables. used by xntpd. - */ --int do_adjtimex(struct timex *txc) -+int __do_adjtimex(struct timex *txc) - { - struct timespec ts; - int result; ---- a/kernel/time/timekeeping.c -+++ b/kernel/time/timekeeping.c -@@ -21,6 +21,9 @@ - #include <linux/tick.h> - #include <linux/stop_machine.h> - -+extern ktime_t ntp_get_next_leap(void); -+extern int __do_adjtimex(struct timex *); -+ - /* Structure holding internal timekeeping values. */ - struct timekeeper { - /* Current clocksource used for timekeeping. */ -@@ -30,6 +33,8 @@ struct timekeeper { - /* The shift value of the current clocksource. */ - int shift; - -+ /* CLOCK_MONOTONIC time value of a pending leap-second*/ -+ ktime_t next_leap_ktime; - /* Number of clock cycles in one NTP interval. */ - cycle_t cycle_interval; - /* Number of clock shifted nano seconds in one NTP interval. */ -@@ -186,6 +191,17 @@ static void update_rt_offset(void) - timekeeper.offs_real = timespec_to_ktime(tmp); - } - -+/* -+ * tk_update_leap_state - helper to update the next_leap_ktime -+ */ -+static inline void tk_update_leap_state(struct timekeeper *tk) -+{ -+ tk->next_leap_ktime = ntp_get_next_leap(); -+ if (tk->next_leap_ktime.tv64 != KTIME_MAX) -+ /* Convert to monotonic time */ -+ tk->next_leap_ktime = ktime_sub(tk->next_leap_ktime, tk->offs_real); -+} -+ - /* must hold write on timekeeper.lock */ - static void timekeeping_update(bool clearntp) - { -@@ -193,6 +209,7 @@ static void timekeeping_update(bool clea - timekeeper.ntp_error = 0; - ntp_clear(); - } -+ tk_update_leap_state(&timekeeper); - update_rt_offset(); - update_vsyscall(&timekeeper.xtime, &timekeeper.wall_to_monotonic, - timekeeper.clock, timekeeper.mult); -@@ -1329,10 +1346,16 @@ ktime_t ktime_get_update_offsets(ktime_t - - *offs_real = timekeeper.offs_real; - *offs_boot = timekeeper.offs_boot; -+ -+ now = ktime_add_ns(ktime_set(secs, 0), nsecs); -+ now = ktime_sub(now, *offs_real); -+ -+ /* Handle leapsecond insertion adjustments */ -+ if (unlikely(now.tv64 >= timekeeper.next_leap_ktime.tv64)) -+ *offs_real = ktime_sub(timekeeper.offs_real, ktime_set(1, 0)); -+ - } while (read_seqretry(&timekeeper.lock, seq)); - -- now = ktime_add_ns(ktime_set(secs, 0), nsecs); -- now = ktime_sub(now, *offs_real); - return now; - } - #endif -@@ -1354,6 +1377,16 @@ ktime_t ktime_get_monotonic_offset(void) - } - EXPORT_SYMBOL_GPL(ktime_get_monotonic_offset); - -+/* -+ * do_adjtimex() - Accessor function to NTP __do_adjtimex function -+ */ -+int do_adjtimex(struct timex *txc) -+{ -+ int ret; -+ ret = __do_adjtimex(txc); -+ tk_update_leap_state(&timekeeper); -+ return ret; -+} - - /** - * xtime_update() - advances the timekeeping infrastructure diff --git a/patches/tty-fix-gpf-in-flush_to_ldisc.patch b/patches/tty-fix-gpf-in-flush_to_ldisc.patch deleted file mode 100644 index f0939d1..0000000 --- a/patches/tty-fix-gpf-in-flush_to_ldisc.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 9ce119f318ba1a07c29149301f1544b6c4bea52a Mon Sep 17 00:00:00 2001 -From: Peter Hurley <peter@hurleysoftware.com> -Date: Fri, 27 Nov 2015 14:25:08 -0500 -Subject: tty: Fix GPF in flush_to_ldisc() - -commit 9ce119f318ba1a07c29149301f1544b6c4bea52a upstream. - -A line discipline which does not define a receive_buf() method can -can cause a GPF if data is ever received [1]. Oddly, this was known -to the author of n_tracesink in 2011, but never fixed. - -[1] GPF report - BUG: unable to handle kernel NULL pointer dereference at (null) - IP: [< (null)>] (null) - PGD 3752d067 PUD 37a7b067 PMD 0 - Oops: 0010 [#1] SMP KASAN - Modules linked in: - CPU: 2 PID: 148 Comm: kworker/u10:2 Not tainted 4.4.0-rc2+ #51 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - Workqueue: events_unbound flush_to_ldisc - task: ffff88006da94440 ti: ffff88006db60000 task.ti: ffff88006db60000 - RIP: 0010:[<0000000000000000>] [< (null)>] (null) - RSP: 0018:ffff88006db67b50 EFLAGS: 00010246 - RAX: 0000000000000102 RBX: ffff88003ab32f88 RCX: 0000000000000102 - RDX: 0000000000000000 RSI: ffff88003ab330a6 RDI: ffff88003aabd388 - RBP: ffff88006db67c48 R08: ffff88003ab32f9c R09: ffff88003ab31fb0 - R10: ffff88003ab32fa8 R11: 0000000000000000 R12: dffffc0000000000 - R13: ffff88006db67c20 R14: ffffffff863df820 R15: ffff88003ab31fb8 - FS: 0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b - CR2: 0000000000000000 CR3: 0000000037938000 CR4: 00000000000006e0 - Stack: - ffffffff829f46f1 ffff88006da94bf8 ffff88006da94bf8 0000000000000000 - ffff88003ab31fb0 ffff88003aabd438 ffff88003ab31ff8 ffff88006430fd90 - ffff88003ab32f9c ffffed0007557a87 1ffff1000db6cf78 ffff88003ab32078 - Call Trace: - [<ffffffff8127cf91>] process_one_work+0x8f1/0x17a0 kernel/workqueue.c:2030 - [<ffffffff8127df14>] worker_thread+0xd4/0x1180 kernel/workqueue.c:2162 - [<ffffffff8128faaf>] kthread+0x1cf/0x270 drivers/block/aoe/aoecmd.c:1302 - [<ffffffff852a7c2f>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 - Code: Bad RIP value. - RIP [< (null)>] (null) - RSP <ffff88006db67b50> - CR2: 0000000000000000 - ---[ end trace a587f8947e54d6ea ]--- - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: Peter Hurley <peter@hurleysoftware.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[lizf: Backportd to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/tty/tty_buffer.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/tty/tty_buffer.c -+++ b/drivers/tty/tty_buffer.c -@@ -443,7 +443,8 @@ static void flush_to_ldisc(struct work_s - flag_buf = head->flag_buf_ptr + head->read; - head->read += count; - spin_unlock_irqrestore(&tty->buf.lock, flags); -- disc->ops->receive_buf(tty, char_buf, -+ if (disc->ops->receive_buf) -+ disc->ops->receive_buf(tty, char_buf, - flag_buf, count); - spin_lock_irqsave(&tty->buf.lock, flags); - } diff --git a/patches/udp-properly-support-msg_peek-with-truncated-buffers.patch b/patches/udp-properly-support-msg_peek-with-truncated-buffers.patch deleted file mode 100644 index 5c28c02..0000000 --- a/patches/udp-properly-support-msg_peek-with-truncated-buffers.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 30 Dec 2015 08:51:12 -0500 -Subject: udp: properly support MSG_PEEK with truncated buffers - -commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream. - -Backport of this upstream commit into stable kernels : -89c22d8c3b27 ("net: Fix skb csum races when peeking") -exposed a bug in udp stack vs MSG_PEEK support, when user provides -a buffer smaller than skb payload. - -In this case, -skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov); -returns -EFAULT. - -This bug does not happen in upstream kernels since Al Viro did a great -job to replace this into : -skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); -This variant is safe vs short buffers. - -For the time being, instead reverting Herbert Xu patch and add back -skb->ip_summed invalid changes, simply store the result of -udp_lib_checksum_complete() so that we avoid computing the checksum a -second time, and avoid the problematic -skb_copy_and_csum_datagram_iovec() call. - -This patch can be applied on recent kernels as it avoids a double -checksumming, then backported to stable kernels as a bug fix. - -Signed-off-by: Eric Dumazet <edumazet@google.com> -Acked-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: David S. Miller <davem@davemloft.net> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - net/ipv4/udp.c | 6 ++++-- - net/ipv6/udp.c | 6 ++++-- - 2 files changed, 8 insertions(+), 4 deletions(-) - ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1175,6 +1175,7 @@ int udp_recvmsg(struct kiocb *iocb, stru - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - bool slow; - - if (flags & MSG_ERRQUEUE) -@@ -1200,11 +1201,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied); - else { ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -345,6 +345,7 @@ int udpv6_recvmsg(struct kiocb *iocb, st - int peeked, off = 0; - int err; - int is_udplite = IS_UDPLITE(sk); -+ bool checksum_valid = false; - int is_udp4; - bool slow; - -@@ -376,11 +377,12 @@ try_again: - */ - - if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { -- if (udp_lib_checksum_complete(skb)) -+ checksum_valid = !udp_lib_checksum_complete(skb); -+ if (!checksum_valid) - goto csum_copy_err; - } - -- if (skb_csum_unnecessary(skb)) -+ if (checksum_valid || skb_csum_unnecessary(skb)) - err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), - msg->msg_iov, copied ); - else { diff --git a/patches/usb-cp210x-remove-cp2110-id-from-compatibility-list.patch b/patches/usb-cp210x-remove-cp2110-id-from-compatibility-list.patch deleted file mode 100644 index f591529..0000000 --- a/patches/usb-cp210x-remove-cp2110-id-from-compatibility-list.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7c90e610b60cd1ed6abafd806acfaedccbbe52d1 Mon Sep 17 00:00:00 2001 -From: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com> -Date: Tue, 10 Nov 2015 16:40:13 -0600 -Subject: USB: cp210x: Remove CP2110 ID from compatibility list - -commit 7c90e610b60cd1ed6abafd806acfaedccbbe52d1 upstream. - -CP2110 ID (0x10c4, 0xea80) doesn't belong here because it's a HID -and completely different from CP210x devices. - -Signed-off-by: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com> -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/serial/cp210x.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -138,7 +138,6 @@ static const struct usb_device_id id_tab - { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ -- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */ - { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ - { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ - { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ diff --git a/patches/usb-fix-invalid-memory-access-in-hub_activate.patch b/patches/usb-fix-invalid-memory-access-in-hub_activate.patch deleted file mode 100644 index 11ff280..0000000 --- a/patches/usb-fix-invalid-memory-access-in-hub_activate.patch +++ /dev/null @@ -1,88 +0,0 @@ -From e50293ef9775c5f1cf3fcc093037dd6a8c5684ea Mon Sep 17 00:00:00 2001 -From: Alan Stern <stern@rowland.harvard.edu> -Date: Wed, 16 Dec 2015 13:32:38 -0500 -Subject: USB: fix invalid memory access in hub_activate() - -commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream. - -Commit 8520f38099cc ("USB: change hub initialization sleeps to -delayed_work") changed the hub_activate() routine to make part of it -run in a workqueue. However, the commit failed to take a reference to -the usb_hub structure or to lock the hub interface while doing so. As -a result, if a hub is plugged in and quickly unplugged before the work -routine can run, the routine will try to access memory that has been -deallocated. Or, if the hub is unplugged while the routine is -running, the memory may be deallocated while it is in active use. - -This patch fixes the problem by taking a reference to the usb_hub at -the start of hub_activate() and releasing it at the end (when the work -is finished), and by locking the hub interface while the work routine -is running. It also adds a check at the start of the routine to see -if the hub has already been disconnected, in which nothing should be -done. - -Signed-off-by: Alan Stern <stern@rowland.harvard.edu> -Reported-by: Alexandru Cornea <alexandru.cornea@intel.com> -Tested-by: Alexandru Cornea <alexandru.cornea@intel.com> -Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work") -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[lizf: Backported to 3.4: add forward declaration of hub_release()] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/core/hub.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -156,6 +156,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rws - #define HUB_DEBOUNCE_STABLE 100 - - -+static void hub_release(struct kref *kref); - static int usb_reset_and_verify_device(struct usb_device *udev); - - static inline char *portspeed(struct usb_hub *hub, int portstatus) -@@ -797,10 +798,20 @@ static void hub_activate(struct usb_hub - unsigned delay; - - /* Continue a partial initialization */ -- if (type == HUB_INIT2) -- goto init2; -- if (type == HUB_INIT3) -+ if (type == HUB_INIT2 || type == HUB_INIT3) { -+ device_lock(hub->intfdev); -+ -+ /* Was the hub disconnected while we were waiting? */ -+ if (hub->disconnected) { -+ device_unlock(hub->intfdev); -+ kref_put(&hub->kref, hub_release); -+ return; -+ } -+ if (type == HUB_INIT2) -+ goto init2; - goto init3; -+ } -+ kref_get(&hub->kref); - - /* The superspeed hub except for root hub has to use Hub Depth - * value as an offset into the route string to locate the bits -@@ -990,6 +1001,7 @@ static void hub_activate(struct usb_hub - PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func3); - schedule_delayed_work(&hub->init_work, - msecs_to_jiffies(delay)); -+ device_unlock(hub->intfdev); - return; /* Continues at init3: below */ - } else { - msleep(delay); -@@ -1010,6 +1022,11 @@ static void hub_activate(struct usb_hub - /* Allow autosuspend if it was suppressed */ - if (type <= HUB_INIT3) - usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); -+ -+ if (type == HUB_INIT2 || type == HUB_INIT3) -+ device_unlock(hub->intfdev); -+ -+ kref_put(&hub->kref, hub_release); - } - - /* Implement the continuations for the delays above */ diff --git a/patches/usb-ipaq.c-fix-a-timeout-loop.patch b/patches/usb-ipaq.c-fix-a-timeout-loop.patch deleted file mode 100644 index 005c10c..0000000 --- a/patches/usb-ipaq.c-fix-a-timeout-loop.patch +++ /dev/null @@ -1,31 +0,0 @@ -From abdc9a3b4bac97add99e1d77dc6d28623afe682b Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Wed, 16 Dec 2015 14:06:37 +0300 -Subject: USB: ipaq.c: fix a timeout loop - -commit abdc9a3b4bac97add99e1d77dc6d28623afe682b upstream. - -The code expects the loop to end with "retries" set to zero but, because -it is a post-op, it will end set to -1. I have fixed this by moving the -decrement inside the loop. - -Fixes: 014aa2a3c32e ('USB: ipaq: minor ipaq_open() cleanup.') -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/serial/ipaq.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/usb/serial/ipaq.c -+++ b/drivers/usb/serial/ipaq.c -@@ -550,7 +550,8 @@ static int ipaq_open(struct tty_struct * - * through. Since this has a reasonably high failure rate, we retry - * several times. - */ -- while (retries--) { -+ while (retries) { -+ retries--; - result = usb_control_msg(serial->dev, - usb_sndctrlpipe(serial->dev, 0), 0x22, 0x21, - 0x1, 0, NULL, 0, 100); diff --git a/patches/usb-musb-core-fix-order-of-arguments-to-ulpi-write-callback.patch b/patches/usb-musb-core-fix-order-of-arguments-to-ulpi-write-callback.patch deleted file mode 100644 index b110f2e..0000000 --- a/patches/usb-musb-core-fix-order-of-arguments-to-ulpi-write-callback.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 705e63d2b29c8bbf091119084544d353bda70393 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de> -Date: Fri, 23 Oct 2015 09:53:50 +0200 -Subject: usb: musb: core: fix order of arguments to ulpi write callback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 705e63d2b29c8bbf091119084544d353bda70393 upstream. - -There is a bit of a mess in the order of arguments to the ulpi write -callback. There is - - int ulpi_write(struct ulpi *ulpi, u8 addr, u8 val) - -in drivers/usb/common/ulpi.c; - - struct usb_phy_io_ops { - ... - int (*write)(struct usb_phy *x, u32 val, u32 reg); - } - -in include/linux/usb/phy.h. - -The callback registered by the musb driver has to comply to the latter, -but up to now had "offset" first which effectively made the function -broken for correct users. So flip the order and while at it also -switch to the parameter names of struct usb_phy_io_ops's write. - -Fixes: ffb865b1e460 ("usb: musb: add ulpi access operations") -Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> -Signed-off-by: Felipe Balbi <balbi@ti.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/musb/musb_core.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/drivers/usb/musb/musb_core.c -+++ b/drivers/usb/musb/musb_core.c -@@ -131,7 +131,7 @@ static inline struct musb *dev_to_musb(s - /*-------------------------------------------------------------------------*/ - - #ifndef CONFIG_BLACKFIN --static int musb_ulpi_read(struct usb_phy *phy, u32 offset) -+static int musb_ulpi_read(struct usb_phy *phy, u32 reg) - { - void __iomem *addr = phy->io_priv; - int i = 0; -@@ -150,7 +150,7 @@ static int musb_ulpi_read(struct usb_phy - * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM. - */ - -- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); -+ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); - musb_writeb(addr, MUSB_ULPI_REG_CONTROL, - MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR); - -@@ -175,7 +175,7 @@ out: - return ret; - } - --static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data) -+static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg) - { - void __iomem *addr = phy->io_priv; - int i = 0; -@@ -190,8 +190,8 @@ static int musb_ulpi_write(struct usb_ph - power &= ~MUSB_POWER_SUSPENDM; - musb_writeb(addr, MUSB_POWER, power); - -- musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset); -- musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data); -+ musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg); -+ musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val); - musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ); - - while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL) diff --git a/patches/usb-option-add-xs-stick-w100-2-from-4g-systems.patch b/patches/usb-option-add-xs-stick-w100-2-from-4g-systems.patch deleted file mode 100644 index 32f6490..0000000 --- a/patches/usb-option-add-xs-stick-w100-2-from-4g-systems.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 638148e20c7f8f6e95017fdc13bce8549a6925e0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> -Date: Wed, 18 Nov 2015 21:12:33 +0100 -Subject: USB: option: add XS Stick W100-2 from 4G Systems -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 638148e20c7f8f6e95017fdc13bce8549a6925e0 upstream. - -Thomas reports -" -4gsystems sells two total different LTE-surfsticks under the same name. -.. -The newer version of XS Stick W100 is from "omega" -.. -Under windows the driver switches to the same ID, and uses MI03\6 for -network and MI01\6 for modem. -.. -echo "1c9e 9b01" > /sys/bus/usb/drivers/qmi_wwan/new_id -echo "1c9e 9b01" > /sys/bus/usb-serial/drivers/option1/new_id - -T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0 -D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 -P: Vendor=1c9e ProdID=9b01 Rev=02.32 -S: Manufacturer=USB Modem -S: Product=USB Modem -S: SerialNumber= -C: #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA -I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option -I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option -I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option -I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan -I: If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage - -Now all important things are there: - -wwp0s29f7u2i3 (net), ttyUSB2 (at), cdc-wdm0 (qmi), ttyUSB1 (at) - -There is also ttyUSB0, but it is not usable, at least not for at. - -The device works well with qmi and ModemManager-NetworkManager. -" - -Reported-by: Thomas Schäfer <tschaefer@t-online.de> -Signed-off-by: Bjørn Mork <bjorn@mork.no> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/serial/option.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -352,6 +352,7 @@ static void option_instat_callback(struc - /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick * - * It seems to contain a Qualcomm QSC6240/6290 chipset */ - #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603 -+#define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01 - - /* iBall 3.5G connect wireless modem */ - #define IBALL_3_5G_CONNECT 0x9605 -@@ -525,6 +526,11 @@ static const struct option_blacklist_inf - .sendsetup = BIT(0) | BIT(1), - }; - -+static const struct option_blacklist_info four_g_w100_blacklist = { -+ .sendsetup = BIT(1) | BIT(2), -+ .reserved = BIT(3), -+}; -+ - static const struct option_blacklist_info alcatel_x200_blacklist = { - .sendsetup = BIT(0) | BIT(1), - .reserved = BIT(4), -@@ -1621,6 +1627,9 @@ static const struct usb_device_id option - { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14), - .driver_info = (kernel_ulong_t)&four_g_w14_blacklist - }, -+ { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), -+ .driver_info = (kernel_ulong_t)&four_g_w100_blacklist -+ }, - { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, - { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) }, - { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) }, diff --git a/patches/usb-serial-option-add-support-for-novatel-mifi-usb620l.patch b/patches/usb-serial-option-add-support-for-novatel-mifi-usb620l.patch deleted file mode 100644 index 195db83..0000000 --- a/patches/usb-serial-option-add-support-for-novatel-mifi-usb620l.patch +++ /dev/null @@ -1,45 +0,0 @@ -From e07af133c3e2716db25e3e1e1d9f10c2088e9c1a Mon Sep 17 00:00:00 2001 -From: Aleksander Morgado <aleksander@aleksander.es> -Date: Wed, 11 Nov 2015 19:51:40 +0100 -Subject: USB: serial: option: add support for Novatel MiFi USB620L -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit e07af133c3e2716db25e3e1e1d9f10c2088e9c1a upstream. - -Also known as Verizon U620L. - -The device is modeswitched from 1410:9020 to 1410:9022 by selecting the -4th USB configuration: - - $ sudo usb_modeswitch –v 0x1410 –p 0x9020 –u 4 - -This configuration provides a ECM interface as well as TTYs ('Enterprise -Mode' according to the U620 Linux integration guide). - -Signed-off-by: Aleksander Morgado <aleksander@aleksander.es> -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/serial/option.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -162,6 +162,7 @@ static void option_instat_callback(struc - #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED 0x9001 - #define NOVATELWIRELESS_PRODUCT_E362 0x9010 - #define NOVATELWIRELESS_PRODUCT_E371 0x9011 -+#define NOVATELWIRELESS_PRODUCT_U620L 0x9022 - #define NOVATELWIRELESS_PRODUCT_G2 0xA010 - #define NOVATELWIRELESS_PRODUCT_MC551 0xB001 - -@@ -1045,6 +1046,7 @@ static const struct usb_device_id option - { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) }, - { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) }, - { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) }, -+ { USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) }, - - { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) }, - { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) }, diff --git a/patches/usb-ti_usb_3410_502-fix-id-table-size.patch b/patches/usb-ti_usb_3410_502-fix-id-table-size.patch deleted file mode 100644 index c115dac..0000000 --- a/patches/usb-ti_usb_3410_502-fix-id-table-size.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 24e1fdb327b97cde4ff92e7ceca86f9882a723e6 Mon Sep 17 00:00:00 2001 -From: Ben Hutchings <ben@decadent.org.uk> -Date: Wed, 23 Dec 2015 13:25:54 +0000 -Subject: [PATCH] USB: ti_usb_3410_502: Fix ID table size - -Commit 35a2fbc941ac ("USB: serial: ti_usb_3410_5052: new device id for -Abbot strip port cable") failed to update the size of the -ti_id_table_3410 array. This doesn't need to be fixed upstream -following commit d7ece6515e12 ("USB: ti_usb_3410_5052: remove -vendor/product module parameters") but should be fixed in stable -branches older than 3.12. - -Backports of commit c9d09dc7ad10 ("USB: serial: ti_usb_3410_5052: add -Abbott strip port ID to combined table as well.") similarly failed to -update the size of the ti_id_table_combined array. - -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/serial/ti_usb_3410_5052.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/usb/serial/ti_usb_3410_5052.c -+++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -164,7 +164,7 @@ static unsigned int product_5052_count; - /* the array dimension is the number of default entries plus */ - /* TI_EXTRA_VID_PID_COUNT user defined entries plus 1 terminating */ - /* null entry */ --static struct usb_device_id ti_id_table_3410[15+TI_EXTRA_VID_PID_COUNT+1] = { -+static struct usb_device_id ti_id_table_3410[16+TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) }, - { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) }, - { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) }, -@@ -190,7 +190,7 @@ static struct usb_device_id ti_id_table_ - { USB_DEVICE(TI_VENDOR_ID, TI_5052_FIRMWARE_PRODUCT_ID) }, - }; - --static struct usb_device_id ti_id_table_combined[19+2*TI_EXTRA_VID_PID_COUNT+1] = { -+static struct usb_device_id ti_id_table_combined[20+2*TI_EXTRA_VID_PID_COUNT+1] = { - { USB_DEVICE(TI_VENDOR_ID, TI_3410_PRODUCT_ID) }, - { USB_DEVICE(TI_VENDOR_ID, TI_3410_EZ430_ID) }, - { USB_DEVICE(MTS_VENDOR_ID, MTS_GSM_NO_FW_PRODUCT_ID) }, diff --git a/patches/usb-whci-hcd-add-check-for-dma-mapping-error.patch b/patches/usb-whci-hcd-add-check-for-dma-mapping-error.patch deleted file mode 100644 index beaaa48..0000000 --- a/patches/usb-whci-hcd-add-check-for-dma-mapping-error.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f9fa1887dcf26bd346665a6ae3d3f53dec54cba1 Mon Sep 17 00:00:00 2001 -From: Alexey Khoroshilov <khoroshilov@ispras.ru> -Date: Sat, 21 Nov 2015 00:36:44 +0300 -Subject: USB: whci-hcd: add check for dma mapping error - -commit f9fa1887dcf26bd346665a6ae3d3f53dec54cba1 upstream. - -qset_fill_page_list() do not check for dma mapping errors. - -Found by Linux Driver Verification project (linuxtesting.org). - -Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/host/whci/qset.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/usb/host/whci/qset.c -+++ b/drivers/usb/host/whci/qset.c -@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct wh - if (std->pl_virt == NULL) - return -ENOMEM; - std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len, DMA_TO_DEVICE); -+ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) { -+ kfree(std->pl_virt); -+ return -EFAULT; -+ } - - for (p = 0; p < std->num_pointers; p++) { - std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr); diff --git a/patches/usb-xhci-fix-config-fail-of-fs-hub-behind-a-hs-hub-with-mtt.patch b/patches/usb-xhci-fix-config-fail-of-fs-hub-behind-a-hs-hub-with-mtt.patch deleted file mode 100644 index e51d704..0000000 --- a/patches/usb-xhci-fix-config-fail-of-fs-hub-behind-a-hs-hub-with-mtt.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 096b110a3dd3c868e4610937c80d2e3f3357c1a9 Mon Sep 17 00:00:00 2001 -From: Chunfeng Yun <chunfeng.yun@mediatek.com> -Date: Fri, 4 Dec 2015 15:53:43 +0200 -Subject: usb: xhci: fix config fail of FS hub behind a HS hub with MTT - -commit 096b110a3dd3c868e4610937c80d2e3f3357c1a9 upstream. - -if a full speed hub connects to a high speed hub which -supports MTT, the MTT field of its slot context will be set -to 1 when xHCI driver setups an xHCI virtual device in -xhci_setup_addressable_virt_dev(); once usb core fetch its -hub descriptor, and need to update the xHC's internal data -structures for the device, the HUB field of its slot context -will be set to 1 too, meanwhile MTT is also set before, -this will cause configure endpoint command fail, so in the -case, we should clear MTT to 0 for full speed hub according -to section 6.2.2 - -Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com> -Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/host/xhci.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -4123,8 +4123,16 @@ int xhci_update_hub_device(struct usb_hc - ctrl_ctx->add_flags |= cpu_to_le32(SLOT_FLAG); - slot_ctx = xhci_get_slot_ctx(xhci, config_cmd->in_ctx); - slot_ctx->dev_info |= cpu_to_le32(DEV_HUB); -+ /* -+ * refer to section 6.2.2: MTT should be 0 for full speed hub, -+ * but it may be already set to 1 when setup an xHCI virtual -+ * device, so clear it anyway. -+ */ - if (tt->multi) - slot_ctx->dev_info |= cpu_to_le32(DEV_MTT); -+ else if (hdev->speed == USB_SPEED_FULL) -+ slot_ctx->dev_info &= cpu_to_le32(~DEV_MTT); -+ - if (xhci->hci_version > 0x95) { - xhci_dbg(xhci, "xHCI version %x needs hub " - "TT think time and number of ports\n", diff --git a/patches/usblp-do-not-set-task_interruptible-before-lock.patch b/patches/usblp-do-not-set-task_interruptible-before-lock.patch deleted file mode 100644 index bf00f1d..0000000 --- a/patches/usblp-do-not-set-task_interruptible-before-lock.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 19cd80a214821f4b558560ebd76bfb2c38b4f3d8 Mon Sep 17 00:00:00 2001 -From: Jiri Slaby <jslaby@suse.cz> -Date: Mon, 2 Nov 2015 10:27:00 +0100 -Subject: usblp: do not set TASK_INTERRUPTIBLE before lock - -commit 19cd80a214821f4b558560ebd76bfb2c38b4f3d8 upstream. - -It is not permitted to set task state before lock. usblp_wwait sets -the state to TASK_INTERRUPTIBLE and calls mutex_lock_interruptible. -Upon return from that function, the state will be TASK_RUNNING again. - -This is clearly a bug and a warning is generated with LOCKDEP too: -WARNING: CPU: 1 PID: 5109 at kernel/sched/core.c:7404 __might_sleep+0x7d/0x90() -do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffffa0c588d0>] usblp_wwait+0xa0/0x310 [usblp] -Modules linked in: ... -CPU: 1 PID: 5109 Comm: captmon Tainted: G W 4.2.5-0.gef2823b-default #1 -Hardware name: LENOVO 23252SG/23252SG, BIOS G2ET33WW (1.13 ) 07/24/2012 - ffffffff81a4edce ffff880236ec7ba8 ffffffff81716651 0000000000000000 - ffff880236ec7bf8 ffff880236ec7be8 ffffffff8106e146 0000000000000282 - ffffffff81a50119 000000000000028b 0000000000000000 ffff8802dab7c508 -Call Trace: -... - [<ffffffff8106e1c6>] warn_slowpath_fmt+0x46/0x50 - [<ffffffff8109a8bd>] __might_sleep+0x7d/0x90 - [<ffffffff8171b20f>] mutex_lock_interruptible_nested+0x2f/0x4b0 - [<ffffffffa0c588fc>] usblp_wwait+0xcc/0x310 [usblp] - [<ffffffffa0c58bb2>] usblp_write+0x72/0x350 [usblp] - [<ffffffff8121ed98>] __vfs_write+0x28/0xf0 -... - -Commit 7f477358e2384c54b190cc3b6ce28277050a041b (usblp: Implement the -ENOSPC convention) moved the set prior locking. So move it back after -the lock. - -Signed-off-by: Jiri Slaby <jslaby@suse.cz> -Fixes: 7f477358e2 ("usblp: Implement the ENOSPC convention") -Acked-By: Pete Zaitcev <zaitcev@yahoo.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/usb/class/usblp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/class/usblp.c -+++ b/drivers/usb/class/usblp.c -@@ -861,11 +861,11 @@ static int usblp_wwait(struct usblp *usb - - add_wait_queue(&usblp->wwait, &waita); - for (;;) { -- set_current_state(TASK_INTERRUPTIBLE); - if (mutex_lock_interruptible(&usblp->mut)) { - rc = -EINTR; - break; - } -+ set_current_state(TASK_INTERRUPTIBLE); - rc = usblp_wtest(usblp, nonblock); - mutex_unlock(&usblp->mut); - if (rc <= 0) diff --git a/patches/vfs-avoid-softlockups-with-sendfile-2.patch b/patches/vfs-avoid-softlockups-with-sendfile-2.patch deleted file mode 100644 index 5cc43f6..0000000 --- a/patches/vfs-avoid-softlockups-with-sendfile-2.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c2489e07c0a71a56fb2c84bc0ee66cddfca7d068 Mon Sep 17 00:00:00 2001 -From: Jan Kara <jack@suse.cz> -Date: Mon, 23 Nov 2015 13:09:51 +0100 -Subject: vfs: Avoid softlockups with sendfile(2) - -commit c2489e07c0a71a56fb2c84bc0ee66cddfca7d068 upstream. - -The following test program from Dmitry can cause softlockups or RCU -stalls as it copies 1GB from tmpfs into eventfd and we don't have any -scheduling point at that path in sendfile(2) implementation: - - int r1 = eventfd(0, 0); - int r2 = memfd_create("", 0); - unsigned long n = 1<<30; - fallocate(r2, 0, 0, n); - sendfile(r1, r2, 0, n); - -Add cond_resched() into __splice_from_pipe() to fix the problem. - -CC: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/splice.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -935,6 +935,7 @@ ssize_t __splice_from_pipe(struct pipe_i - - splice_from_pipe_begin(sd); - do { -+ cond_resched(); - ret = splice_from_pipe_next(pipe, sd); - if (ret > 0) - ret = splice_from_pipe_feed(pipe, sd, actor); diff --git a/patches/vfs-make-sendfile-2-killable-even-better.patch b/patches/vfs-make-sendfile-2-killable-even-better.patch deleted file mode 100644 index 9907dc5..0000000 --- a/patches/vfs-make-sendfile-2-killable-even-better.patch +++ /dev/null @@ -1,53 +0,0 @@ -From c725bfce7968009756ed2836a8cd7ba4dc163011 Mon Sep 17 00:00:00 2001 -From: Jan Kara <jack@suse.cz> -Date: Mon, 23 Nov 2015 13:09:50 +0100 -Subject: vfs: Make sendfile(2) killable even better - -commit c725bfce7968009756ed2836a8cd7ba4dc163011 upstream. - -Commit 296291cdd162 (mm: make sendfile(2) killable) fixed an issue where -sendfile(2) was doing a lot of tiny writes into a filesystem and thus -was unkillable for a long time. However sendfile(2) can be (mis)used to -issue lots of writes into arbitrary file descriptor such as evenfd or -similar special file descriptors which never hit the standard filesystem -write path and thus are still unkillable. E.g. the following example -from Dmitry burns CPU for ~16s on my test system without possibility to -be killed: - - int r1 = eventfd(0, 0); - int r2 = memfd_create("", 0); - unsigned long n = 1<<30; - fallocate(r2, 0, 0, n); - sendfile(r1, r2, 0, n); - -There are actually quite a few tests for pending signals in sendfile -code however we data to write is always available none of them seems to -trigger. So fix the problem by adding a test for pending signal into -splice_from_pipe_next() also before the loop waiting for pipe buffers to -be available. This should fix all the lockup issues with sendfile of the -do-ton-of-tiny-writes nature. - -Reported-by: Dmitry Vyukov <dvyukov@google.com> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - fs/splice.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -850,6 +850,13 @@ EXPORT_SYMBOL(splice_from_pipe_feed); - */ - int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd) - { -+ /* -+ * Check for signal early to make process killable when there are -+ * always buffers available -+ */ -+ if (signal_pending(current)) -+ return -ERESTARTSYS; -+ - while (!pipe->nrbufs) { - if (!pipe->writers) - return 0; diff --git a/patches/vgaarb-fix-signal-handling-in-vga_get.patch b/patches/vgaarb-fix-signal-handling-in-vga_get.patch deleted file mode 100644 index 35ff3bc..0000000 --- a/patches/vgaarb-fix-signal-handling-in-vga_get.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e Mon Sep 17 00:00:00 2001 -From: "Kirill A. Shutemov" <kirill@shutemov.name> -Date: Mon, 30 Nov 2015 04:17:31 +0200 -Subject: vgaarb: fix signal handling in vga_get() - -commit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream. - -There are few defects in vga_get() related to signal hadning: - - - we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE - case; - - - if we found pending signal we must remove ourself from wait queue - and change task state back to running; - - - -ERESTARTSYS is more appropriate, I guess. - -Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name> -Reviewed-by: David Herrmann <dh.herrmann@gmail.com> -Signed-off-by: Dave Airlie <airlied@redhat.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/gpu/vga/vgaarb.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/gpu/vga/vgaarb.c -+++ b/drivers/gpu/vga/vgaarb.c -@@ -381,8 +381,10 @@ int vga_get(struct pci_dev *pdev, unsign - set_current_state(interruptible ? - TASK_INTERRUPTIBLE : - TASK_UNINTERRUPTIBLE); -- if (signal_pending(current)) { -- rc = -EINTR; -+ if (interruptible && signal_pending(current)) { -+ __set_current_state(TASK_RUNNING); -+ remove_wait_queue(&vga_wait_queue, &wait); -+ rc = -ERESTARTSYS; - break; - } - schedule(); diff --git a/patches/wan-x25-fix-use-after-free-in-x25_asy_open_tty.patch b/patches/wan-x25-fix-use-after-free-in-x25_asy_open_tty.patch deleted file mode 100644 index 253ec7a..0000000 --- a/patches/wan-x25-fix-use-after-free-in-x25_asy_open_tty.patch +++ /dev/null @@ -1,64 +0,0 @@ -From ee9159ddce14bc1dec9435ae4e3bd3153e783706 Mon Sep 17 00:00:00 2001 -From: Peter Hurley <peter@hurleysoftware.com> -Date: Fri, 27 Nov 2015 14:18:39 -0500 -Subject: wan/x25: Fix use-after-free in x25_asy_open_tty() - -commit ee9159ddce14bc1dec9435ae4e3bd3153e783706 upstream. - -The N_X25 line discipline may access the previous line discipline's closed -and already-freed private data on open [1]. - -The tty->disc_data field _never_ refers to valid data on entry to the -line discipline's open() method. Rather, the ldisc is expected to -initialize that field for its own use for the lifetime of the instance -(ie. from open() to close() only). - -[1] - [ 634.336761] ================================================================== - [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0 - [ 634.339558] Read of size 4 by task syzkaller_execu/8981 - [ 634.340359] ============================================================================= - [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected - ... - [ 634.405018] Call Trace: - [ 634.405277] dump_stack (lib/dump_stack.c:52) - [ 634.405775] print_trailer (mm/slub.c:655) - [ 634.406361] object_err (mm/slub.c:662) - [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236) - [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279) - [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1)) - [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447) - [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567) - [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879) - [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607) - [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613) - [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188) - -Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com> -Signed-off-by: Peter Hurley <peter@hurleysoftware.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/wan/x25_asy.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - ---- a/drivers/net/wan/x25_asy.c -+++ b/drivers/net/wan/x25_asy.c -@@ -546,16 +546,12 @@ static void x25_asy_receive_buf(struct t - - static int x25_asy_open_tty(struct tty_struct *tty) - { -- struct x25_asy *sl = tty->disc_data; -+ struct x25_asy *sl; - int err; - - if (tty->ops->write == NULL) - return -EOPNOTSUPP; - -- /* First make sure we're not already connected. */ -- if (sl && sl->magic == X25_ASY_MAGIC) -- return -EEXIST; -- - /* OK. Find a free X.25 channel to use. */ - sl = x25_asy_alloc(); - if (sl == NULL) diff --git a/patches/wm831x_power-use-irqf_oneshot-to-request-threaded-irqs.patch b/patches/wm831x_power-use-irqf_oneshot-to-request-threaded-irqs.patch deleted file mode 100644 index 09d8c2d..0000000 --- a/patches/wm831x_power-use-irqf_oneshot-to-request-threaded-irqs.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 90adf98d9530054b8e665ba5a928de4307231d84 Mon Sep 17 00:00:00 2001 -From: Valentin Rothberg <valentinrothberg@gmail.com> -Date: Tue, 22 Sep 2015 19:00:40 +0200 -Subject: wm831x_power: Use IRQF_ONESHOT to request threaded IRQs - -commit 90adf98d9530054b8e665ba5a928de4307231d84 upstream. - -Since commit 1c6c69525b40 ("genirq: Reject bogus threaded irq requests") -threaded IRQs without a primary handler need to be requested with -IRQF_ONESHOT, otherwise the request will fail. - -scripts/coccinelle/misc/irqf_oneshot.cocci detected this issue. - -Fixes: b5874f33bbaf ("wm831x_power: Use genirq") -Signed-off-by: Valentin Rothberg <valentinrothberg@gmail.com> -Signed-off-by: Sebastian Reichel <sre@kernel.org> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/power/wm831x_power.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/power/wm831x_power.c -+++ b/drivers/power/wm831x_power.c -@@ -567,7 +567,7 @@ static __devinit int wm831x_power_probe( - - irq = platform_get_irq_byname(pdev, "SYSLO"); - ret = request_threaded_irq(irq, NULL, wm831x_syslo_irq, -- IRQF_TRIGGER_RISING, "System power low", -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "System power low", - power); - if (ret != 0) { - dev_err(&pdev->dev, "Failed to request SYSLO IRQ %d: %d\n", -@@ -577,7 +577,7 @@ static __devinit int wm831x_power_probe( - - irq = platform_get_irq_byname(pdev, "PWR SRC"); - ret = request_threaded_irq(irq, NULL, wm831x_pwr_src_irq, -- IRQF_TRIGGER_RISING, "Power source", -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "Power source", - power); - if (ret != 0) { - dev_err(&pdev->dev, "Failed to request PWR SRC IRQ %d: %d\n", -@@ -588,7 +588,7 @@ static __devinit int wm831x_power_probe( - for (i = 0; i < ARRAY_SIZE(wm831x_bat_irqs); i++) { - irq = platform_get_irq_byname(pdev, wm831x_bat_irqs[i]); - ret = request_threaded_irq(irq, NULL, wm831x_bat_irq, -- IRQF_TRIGGER_RISING, -+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, - wm831x_bat_irqs[i], - power); - if (ret != 0) { diff --git a/patches/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch b/patches/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch deleted file mode 100644 index dce8226..0000000 --- a/patches/x86-cpu-call-verify_cpu-after-having-entered-long-mode-too.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 04633df0c43d710e5f696b06539c100898678235 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov <bp@suse.de> -Date: Thu, 5 Nov 2015 16:57:56 +0100 -Subject: x86/cpu: Call verify_cpu() after having entered long mode too - -commit 04633df0c43d710e5f696b06539c100898678235 upstream. - -When we get loaded by a 64-bit bootloader, kernel entry point is -startup_64 in head_64.S. We don't trust any and all bootloaders because -some will fiddle with CPU configuration so we go ahead and massage each -CPU into sanity again. - -For example, some dell BIOSes have this XD disable feature which set -IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround -for other OSes but Linux sure doesn't need it. - -A similar thing is present in the Surface 3 firmware - see -https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit -only on the BSP: - - # rdmsr -a 0x1a0 - 400850089 - 850089 - 850089 - 850089 - -I know, right?! - -There's not even an off switch in there. - -So fix all those cases by sanitizing the 64-bit entry point too. For -that, make verify_cpu() callable in 64-bit mode also. - -Requested-and-debugged-by: "H. Peter Anvin" <hpa@zytor.com> -Reported-and-tested-by: Bastien Nocera <bugzilla@hadess.net> -Signed-off-by: Borislav Petkov <bp@suse.de> -Cc: Matt Fleming <matt@codeblueprint.co.uk> -Cc: Peter Zijlstra <peterz@infradead.org> -Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -[lizf: Backported to 3.4: adjust context] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - arch/x86/kernel/head_64.S | 8 ++++++++ - arch/x86/kernel/verify_cpu.S | 12 +++++++----- - 2 files changed, 15 insertions(+), 5 deletions(-) - ---- a/arch/x86/kernel/head_64.S -+++ b/arch/x86/kernel/head_64.S -@@ -45,6 +45,9 @@ L3_START_KERNEL = pud_index(__START_KERN - .globl startup_64 - startup_64: - -+ /* Sanitize CPU configuration */ -+ call verify_cpu -+ - /* - * At this point the CPU runs in 64bit mode CS.L = 1 CS.D = 1, - * and someone has loaded an identity mapped page table -@@ -160,6 +163,9 @@ ENTRY(secondary_startup_64) - * after the boot processor executes this code. - */ - -+ /* Sanitize CPU configuration */ -+ call verify_cpu -+ - /* Enable PAE mode and PGE */ - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax - movq %rax, %cr4 -@@ -253,6 +259,8 @@ ENTRY(secondary_startup_64) - pushq %rax # target address in negative space - lretq - -+#include "verify_cpu.S" -+ - /* SMP bootup changes these two */ - __REFDATA - .align 8 ---- a/arch/x86/kernel/verify_cpu.S -+++ b/arch/x86/kernel/verify_cpu.S -@@ -34,10 +34,11 @@ - #include <asm/msr-index.h> - - verify_cpu: -- pushfl # Save caller passed flags -- pushl $0 # Kill any dangerous flags -- popfl -+ pushf # Save caller passed flags -+ push $0 # Kill any dangerous flags -+ popf - -+#ifndef __x86_64__ - pushfl # standard way to check for cpuid - popl %eax - movl %eax,%ebx -@@ -48,6 +49,7 @@ verify_cpu: - popl %eax - cmpl %eax,%ebx - jz verify_cpu_no_longmode # cpu has no cpuid -+#endif - - movl $0x0,%eax # See if cpuid 1 is implemented - cpuid -@@ -130,10 +132,10 @@ verify_cpu_sse_test: - jmp verify_cpu_sse_test # try again - - verify_cpu_no_longmode: -- popfl # Restore caller passed flags -+ popf # Restore caller passed flags - movl $1,%eax - ret - verify_cpu_sse_ok: -- popfl # Restore caller passed flags -+ popf # Restore caller passed flags - xorl %eax, %eax - ret diff --git a/patches/x86-signal-fix-restart_syscall-number-for-x32-tasks.patch b/patches/x86-signal-fix-restart_syscall-number-for-x32-tasks.patch deleted file mode 100644 index abd5106..0000000 --- a/patches/x86-signal-fix-restart_syscall-number-for-x32-tasks.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 22eab1108781eff09961ae7001704f7bd8fb1dce Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" <ldv@altlinux.org> -Date: Tue, 1 Dec 2015 00:54:36 +0300 -Subject: x86/signal: Fix restart_syscall number for x32 tasks - -commit 22eab1108781eff09961ae7001704f7bd8fb1dce upstream. - -When restarting a syscall with regs->ax == -ERESTART_RESTARTBLOCK, -regs->ax is assigned to a restart_syscall number. For x32 tasks, this -syscall number must have __X32_SYSCALL_BIT set, otherwise it will be -an x86_64 syscall number instead of a valid x32 syscall number. This -issue has been there since the introduction of x32. - -Reported-by: strace/tests/restart_syscall.test -Reported-and-tested-by: Elvira Khabirova <lineprinter0@gmail.com> -Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> -Cc: Elvira Khabirova <lineprinter0@gmail.com> -Link: http://lkml.kernel.org/r/20151130215436.GA25996@altlinux.org -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - arch/x86/kernel/signal.c | 17 ++++++++++------- - 1 file changed, 10 insertions(+), 7 deletions(-) - ---- a/arch/x86/kernel/signal.c -+++ b/arch/x86/kernel/signal.c -@@ -748,12 +748,15 @@ handle_signal(unsigned long sig, siginfo - return 0; - } - --#ifdef CONFIG_X86_32 --#define NR_restart_syscall __NR_restart_syscall --#else /* !CONFIG_X86_32 */ --#define NR_restart_syscall \ -- test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : __NR_restart_syscall --#endif /* CONFIG_X86_32 */ -+static inline unsigned long get_nr_restart_syscall(const struct pt_regs *regs) -+{ -+#if defined(CONFIG_X86_32) || !defined(CONFIG_X86_64) -+ return __NR_restart_syscall; -+#else /* !CONFIG_X86_32 && CONFIG_X86_64 */ -+ return test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : -+ __NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT); -+#endif /* CONFIG_X86_32 || !CONFIG_X86_64 */ -+} - - /* - * Note that 'init' is a special process: it doesn't get signals it doesn't -@@ -795,7 +798,7 @@ static void do_signal(struct pt_regs *re - break; - - case -ERESTART_RESTARTBLOCK: -- regs->ax = NR_restart_syscall; -+ regs->ax = get_nr_restart_syscall(regs); - regs->ip -= 2; - break; - } diff --git a/patches/xen-add-ring_copy_request.patch b/patches/xen-add-ring_copy_request.patch deleted file mode 100644 index e3d8b1d..0000000 --- a/patches/xen-add-ring_copy_request.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 454d5d882c7e412b840e3c99010fe81a9862f6fb Mon Sep 17 00:00:00 2001 -From: David Vrabel <david.vrabel@citrix.com> -Date: Fri, 30 Oct 2015 14:58:08 +0000 -Subject: xen: Add RING_COPY_REQUEST() - -commit 454d5d882c7e412b840e3c99010fe81a9862f6fb upstream. - -Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly -(i.e., by not considering that the other end may alter the data in the -shared ring while it is being inspected). Safe usage of a request -generally requires taking a local copy. - -Provide a RING_COPY_REQUEST() macro to use instead of -RING_GET_REQUEST() and an open-coded memcpy(). This takes care of -ensuring that the copy is done correctly regardless of any possible -compiler optimizations. - -Use a volatile source to prevent the compiler from reordering or -omitting the copy. - -This is part of XSA155. - -Signed-off-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - include/xen/interface/io/ring.h | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/include/xen/interface/io/ring.h -+++ b/include/xen/interface/io/ring.h -@@ -181,6 +181,20 @@ struct __name##_back_ring { \ - #define RING_GET_REQUEST(_r, _idx) \ - (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) - -+/* -+ * Get a local copy of a request. -+ * -+ * Use this in preference to RING_GET_REQUEST() so all processing is -+ * done on a local copy that cannot be modified by the other end. -+ * -+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this -+ * to be ineffective where _req is a struct which consists of only bitfields. -+ */ -+#define RING_COPY_REQUEST(_r, _idx, _req) do { \ -+ /* Use volatile to force the copy into _req. */ \ -+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ -+} while (0) -+ - #define RING_GET_RESPONSE(_r, _idx) \ - (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) - diff --git a/patches/xen-blkback-only-read-request-operation-from-shared-ring-once.patch b/patches/xen-blkback-only-read-request-operation-from-shared-ring-once.patch deleted file mode 100644 index 3523525..0000000 --- a/patches/xen-blkback-only-read-request-operation-from-shared-ring-once.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 1f13d75ccb806260079e0679d55d9253e370ec8a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com> -Date: Tue, 3 Nov 2015 16:34:09 +0000 -Subject: xen-blkback: only read request operation from shared ring once -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 1f13d75ccb806260079e0679d55d9253e370ec8a upstream. - -A compiler may load a switch statement value multiple times, which could -be bad when the value is in memory shared with the frontend. - -When converting a non-native request to a native one, ensure that -src->operation is only loaded once by using READ_ONCE(). - -This is part of XSA155. - -Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com> -Signed-off-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -[lizf: Backported to 3.4: - - adjust context - - call ACCESS_ONCE instead of READ_ONCE] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/block/xen-blkback/common.h | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/drivers/block/xen-blkback/common.h -+++ b/drivers/block/xen-blkback/common.h -@@ -256,8 +256,8 @@ static inline void blkif_get_x86_32_req( - struct blkif_x86_32_request *src) - { - int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST; -- dst->operation = src->operation; -- switch (src->operation) { -+ dst->operation = ACCESS_ONCE(src->operation); -+ switch (dst->operation) { - case BLKIF_OP_READ: - case BLKIF_OP_WRITE: - case BLKIF_OP_WRITE_BARRIER: -@@ -292,8 +292,8 @@ static inline void blkif_get_x86_64_req( - struct blkif_x86_64_request *src) - { - int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST; -- dst->operation = src->operation; -- switch (src->operation) { -+ dst->operation = ACCESS_ONCE(src->operation); -+ switch (dst->operation) { - case BLKIF_OP_READ: - case BLKIF_OP_WRITE: - case BLKIF_OP_WRITE_BARRIER: diff --git a/patches/xen-netback-don-t-use-last-request-to-determine-minimum-tx-credit.patch b/patches/xen-netback-don-t-use-last-request-to-determine-minimum-tx-credit.patch deleted file mode 100644 index 00802d8..0000000 --- a/patches/xen-netback-don-t-use-last-request-to-determine-minimum-tx-credit.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357 Mon Sep 17 00:00:00 2001 -From: David Vrabel <david.vrabel@citrix.com> -Date: Fri, 30 Oct 2015 15:16:01 +0000 -Subject: xen-netback: don't use last request to determine minimum Tx credit - -commit 0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357 upstream. - -The last from guest transmitted request gives no indication about the -minimum amount of credit that the guest might need to send a packet -since the last packet might have been a small one. - -Instead allow for the worst case 128 KiB packet. - -This is part of XSA155. - -Reviewed-by: Wei Liu <wei.liu2@citrix.com> -Signed-off-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -[lizf: Backported to 3.4: s/queue/vif/g] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/xen-netback/netback.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -856,9 +856,7 @@ static void tx_add_credit(struct xenvif - * Allow a burst big enough to transmit a jumbo packet of up to 128kB. - * Otherwise the interface can seize up due to insufficient credit. - */ -- max_burst = RING_GET_REQUEST(&vif->tx, vif->tx.req_cons)->size; -- max_burst = min(max_burst, 131072UL); -- max_burst = max(max_burst, vif->credit_bytes); -+ max_burst = max(131072UL, vif->credit_bytes); - - /* Take care that adding a new chunk of credit doesn't wrap to zero. */ - max_credit = vif->remaining_credit + vif->credit_bytes; diff --git a/patches/xen-netback-use-ring_copy_request-throughout.patch b/patches/xen-netback-use-ring_copy_request-throughout.patch deleted file mode 100644 index 64a2364..0000000 --- a/patches/xen-netback-use-ring_copy_request-throughout.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 68a33bfd8403e4e22847165d149823a2e0e67c9c Mon Sep 17 00:00:00 2001 -From: David Vrabel <david.vrabel@citrix.com> -Date: Fri, 30 Oct 2015 15:17:06 +0000 -Subject: xen-netback: use RING_COPY_REQUEST() throughout - -commit 68a33bfd8403e4e22847165d149823a2e0e67c9c upstream. - -Instead of open-coding memcpy()s and directly accessing Tx and Rx -requests, use the new RING_COPY_REQUEST() that ensures the local copy -is correct. - -This is more than is strictly necessary for guest Rx requests since -only the id and gref fields are used and it is harmless if the -frontend modifies these. - -This is part of XSA155. - -Reviewed-by: Wei Liu <wei.liu2@citrix.com> -Signed-off-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -[lizf: Backported to 3.4: - - adjust context - - s/queue/vif/g] -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/net/xen-netback/netback.c | 30 ++++++++++++++---------------- - 1 file changed, 14 insertions(+), 16 deletions(-) - ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -398,17 +398,17 @@ static struct netbk_rx_meta *get_next_rx - struct netrx_pending_operations *npo) - { - struct netbk_rx_meta *meta; -- struct xen_netif_rx_request *req; -+ struct xen_netif_rx_request req; - -- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++); -+ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req); - - meta = npo->meta + npo->meta_prod++; - meta->gso_size = 0; - meta->size = 0; -- meta->id = req->id; -+ meta->id = req.id; - - npo->copy_off = 0; -- npo->copy_gref = req->gref; -+ npo->copy_gref = req.gref; - - return meta; - } -@@ -510,7 +510,7 @@ static int netbk_gop_skb(struct sk_buff - struct xenvif *vif = netdev_priv(skb->dev); - int nr_frags = skb_shinfo(skb)->nr_frags; - int i; -- struct xen_netif_rx_request *req; -+ struct xen_netif_rx_request req; - struct netbk_rx_meta *meta; - unsigned char *data; - int head = 1; -@@ -520,14 +520,14 @@ static int netbk_gop_skb(struct sk_buff - - /* Set up a GSO prefix descriptor, if necessary */ - if (skb_shinfo(skb)->gso_size && vif->gso_prefix) { -- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++); -+ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req); - meta = npo->meta + npo->meta_prod++; - meta->gso_size = skb_shinfo(skb)->gso_size; - meta->size = 0; -- meta->id = req->id; -+ meta->id = req.id; - } - -- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++); -+ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req); - meta = npo->meta + npo->meta_prod++; - - if (!vif->gso_prefix) -@@ -536,9 +536,9 @@ static int netbk_gop_skb(struct sk_buff - meta->gso_size = 0; - - meta->size = 0; -- meta->id = req->id; -+ meta->id = req.id; - npo->copy_off = 0; -- npo->copy_gref = req->gref; -+ npo->copy_gref = req.gref; - - data = skb->data; - while (data < skb_tail_pointer(skb)) { -@@ -882,7 +882,7 @@ static void netbk_tx_err(struct xenvif * - make_tx_response(vif, txp, XEN_NETIF_RSP_ERROR); - if (cons == end) - break; -- txp = RING_GET_REQUEST(&vif->tx, cons++); -+ RING_COPY_REQUEST(&vif->tx, cons++, txp); - } while (1); - vif->tx.req_cons = cons; - xen_netbk_check_rx_xenvif(vif); -@@ -943,8 +943,7 @@ static int netbk_count_requests(struct x - drop_err = -E2BIG; - } - -- memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots), -- sizeof(*txp)); -+ RING_COPY_REQUEST(&vif->tx, cons + slots, txp); - - /* If the guest submitted a frame >= 64 KiB then - * first->size overflowed and following slots will -@@ -1226,8 +1225,7 @@ static int xen_netbk_get_extras(struct x - return -EBADR; - } - -- memcpy(&extra, RING_GET_REQUEST(&vif->tx, cons), -- sizeof(extra)); -+ RING_COPY_REQUEST(&vif->tx, cons, &extra); - if (unlikely(!extra.type || - extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) { - vif->tx.req_cons = ++cons; -@@ -1422,7 +1420,7 @@ static unsigned xen_netbk_tx_build_gops( - - idx = vif->tx.req_cons; - rmb(); /* Ensure that we see the request before we copy it. */ -- memcpy(&txreq, RING_GET_REQUEST(&vif->tx, idx), sizeof(txreq)); -+ RING_COPY_REQUEST(&vif->tx, idx, &txreq); - - /* Credit-based scheduling. */ - if (txreq.size > vif->remaining_credit && diff --git a/patches/xen-pciback-do-not-install-an-irq-handler-for-msi-interrupts.patch b/patches/xen-pciback-do-not-install-an-irq-handler-for-msi-interrupts.patch deleted file mode 100644 index 4ed0c3c..0000000 --- a/patches/xen-pciback-do-not-install-an-irq-handler-for-msi-interrupts.patch +++ /dev/null @@ -1,77 +0,0 @@ -From a396f3a210c3a61e94d6b87ec05a75d0be2a60d0 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Mon, 2 Nov 2015 17:24:08 -0500 -Subject: xen/pciback: Do not install an IRQ handler for MSI interrupts. - -commit a396f3a210c3a61e94d6b87ec05a75d0be2a60d0 upstream. - -Otherwise an guest can subvert the generic MSI code to trigger -an BUG_ON condition during MSI interrupt freeing: - - for (i = 0; i < entry->nvec_used; i++) - BUG_ON(irq_has_action(entry->irq + i)); - -Xen PCI backed installs an IRQ handler (request_irq) for -the dev->irq whenever the guest writes PCI_COMMAND_MEMORY -(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is -done in case the device has legacy interrupts the GSI line -is shared by the backend devices. - -To subvert the backend the guest needs to make the backend -to change the dev->irq from the GSI to the MSI interrupt line, -make the backend allocate an interrupt handler, and then command -the backend to free the MSI interrupt and hit the BUG_ON. - -Since the backend only calls 'request_irq' when the guest -writes to the PCI_COMMAND register the guest needs to call -XEN_PCI_OP_enable_msi before any other operation. This will -cause the generic MSI code to setup an MSI entry and -populate dev->irq with the new PIRQ value. - -Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY -and cause the backend to setup an IRQ handler for dev->irq -(which instead of the GSI value has the MSI pirq). See -'xen_pcibk_control_isr'. - -Then the guest disables the MSI: XEN_PCI_OP_disable_msi -which ends up triggering the BUG_ON condition in 'free_msi_irqs' -as there is an IRQ handler for the entry->irq (dev->irq). - -Note that this cannot be done using MSI-X as the generic -code does not over-write dev->irq with the MSI-X PIRQ values. - -The patch inhibits setting up the IRQ handler if MSI or -MSI-X (for symmetry reasons) code had been called successfully. - -P.S. -Xen PCIBack when it sets up the device for the guest consumption -ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device). -XSA-120 addendum patch removed that - however when upstreaming said -addendum we found that it caused issues with qemu upstream. That -has now been fixed in qemu upstream. - -This is part of XSA-157 - -Reviewed-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -69,6 +69,13 @@ static void xen_pcibk_control_isr(struct - enable ? "enable" : "disable"); - - if (enable) { -+ /* -+ * The MSI or MSI-X should not have an IRQ handler. Otherwise -+ * if the guest terminates we BUG_ON in free_msi_irqs. -+ */ -+ if (dev->msi_enabled || dev->msix_enabled) -+ goto out; -+ - rc = request_irq(dev_data->irq, - xen_pcibk_guest_interrupt, IRQF_SHARED, - dev_data->irq_name, dev); diff --git a/patches/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_memory-is-not-set.patch b/patches/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_memory-is-not-set.patch deleted file mode 100644 index fea4fe3..0000000 --- a/patches/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_memory-is-not-set.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Mon, 2 Nov 2015 18:13:27 -0500 -Subject: xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set. - -commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 upstream. - -commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way") -teaches us that dealing with MSI-X can be troublesome. - -Further checks in the MSI-X architecture shows that if the -PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we -may not be able to access the BAR (since they are memory regions). - -Since the MSI-X tables are located in there.. that can lead -to us causing PCIe errors. Inhibit us performing any -operation on the MSI-X unless the MEMORY bit is set. - -Note that Xen hypervisor with: -"x86/MSI-X: access MSI-X table only after having enabled MSI-X" -will return: -xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3! - -When the generic MSI code tries to setup the PIRQ without -MEMORY bit set. Which means with later versions of Xen -(4.6) this patch is not neccessary. - -This is part of XSA-157 - -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback_ops.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -211,6 +211,7 @@ int xen_pcibk_enable_msix(struct xen_pci - struct xen_pcibk_dev_data *dev_data; - int i, result; - struct msix_entry *entries; -+ u16 cmd; - - if (unlikely(verbose_request)) - printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n", -@@ -222,7 +223,12 @@ int xen_pcibk_enable_msix(struct xen_pci - if (dev->msix_enabled) - return -EALREADY; - -- if (dev->msi_enabled) -+ /* -+ * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able -+ * to access the BARs where the MSI-X entries reside. -+ */ -+ pci_read_config_word(dev, PCI_COMMAND, &cmd); -+ if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY)) - return -ENXIO; - - entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL); diff --git a/patches/xen-pciback-for-xen_pci_op_disable_msi-x-only-disable-if-device-has-msi-x-enabled.patch b/patches/xen-pciback-for-xen_pci_op_disable_msi-x-only-disable-if-device-has-msi-x-enabled.patch deleted file mode 100644 index b505045..0000000 --- a/patches/xen-pciback-for-xen_pci_op_disable_msi-x-only-disable-if-device-has-msi-x-enabled.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 7cfb905b9638982862f0331b36ccaaca5d383b49 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Wed, 1 Apr 2015 10:49:47 -0400 -Subject: xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device - has MSI(X) enabled. - -commit 7cfb905b9638982862f0331b36ccaaca5d383b49 upstream. - -Otherwise just continue on, returning the same values as -previously (return of 0, and op->result has the PIRQ value). - -This does not change the behavior of XEN_PCI_OP_disable_msi[|x]. - -The pci_disable_msi or pci_disable_msix have the checks for -msi_enabled or msix_enabled so they will error out immediately. - -However the guest can still call these operations and cause -us to disable the 'ack_intr'. That means the backend IRQ handler -for the legacy interrupt will not respond to interrupts anymore. - -This will lead to (if the device is causing an interrupt storm) -for the Linux generic code to disable the interrupt line. - -Naturally this will only happen if the device in question -is plugged in on the motherboard on shared level interrupt GSI. - -This is part of XSA-157 - -Reviewed-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback_ops.c | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -184,20 +184,23 @@ static - int xen_pcibk_disable_msi(struct xen_pcibk_device *pdev, - struct pci_dev *dev, struct xen_pci_op *op) - { -- struct xen_pcibk_dev_data *dev_data; -- - if (unlikely(verbose_request)) - printk(KERN_DEBUG DRV_NAME ": %s: disable MSI\n", - pci_name(dev)); -- pci_disable_msi(dev); - -+ if (dev->msi_enabled) { -+ struct xen_pcibk_dev_data *dev_data; -+ -+ pci_disable_msi(dev); -+ -+ dev_data = pci_get_drvdata(dev); -+ if (dev_data) -+ dev_data->ack_intr = 1; -+ } - op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0; - if (unlikely(verbose_request)) - printk(KERN_DEBUG DRV_NAME ": %s: MSI: %d\n", pci_name(dev), - op->value); -- dev_data = pci_get_drvdata(dev); -- if (dev_data) -- dev_data->ack_intr = 1; - return 0; - } - -@@ -263,23 +266,27 @@ static - int xen_pcibk_disable_msix(struct xen_pcibk_device *pdev, - struct pci_dev *dev, struct xen_pci_op *op) - { -- struct xen_pcibk_dev_data *dev_data; - if (unlikely(verbose_request)) - printk(KERN_DEBUG DRV_NAME ": %s: disable MSI-X\n", - pci_name(dev)); -- pci_disable_msix(dev); - -+ if (dev->msix_enabled) { -+ struct xen_pcibk_dev_data *dev_data; -+ -+ pci_disable_msix(dev); -+ -+ dev_data = pci_get_drvdata(dev); -+ if (dev_data) -+ dev_data->ack_intr = 1; -+ } - /* - * SR-IOV devices (which don't have any legacy IRQ) have - * an undefined IRQ value of zero. - */ - op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0; - if (unlikely(verbose_request)) -- printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n", pci_name(dev), -- op->value); -- dev_data = pci_get_drvdata(dev); -- if (dev_data) -- dev_data->ack_intr = 1; -+ printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n", -+ pci_name(dev), op->value); - return 0; - } - #endif diff --git a/patches/xen-pciback-return-error-on-xen_pci_op_enable_msi-when-device-has-msi-or-msi-x-enabled.patch b/patches/xen-pciback-return-error-on-xen_pci_op_enable_msi-when-device-has-msi-or-msi-x-enabled.patch deleted file mode 100644 index f0179f5..0000000 --- a/patches/xen-pciback-return-error-on-xen_pci_op_enable_msi-when-device-has-msi-or-msi-x-enabled.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Fri, 3 Apr 2015 11:08:22 -0400 -Subject: xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has - MSI or MSI-X enabled - -commit 56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d upstream. - -The guest sequence of: - - a) XEN_PCI_OP_enable_msi - b) XEN_PCI_OP_enable_msi - c) XEN_PCI_OP_disable_msi - -results in hitting an BUG_ON condition in the msi.c code. - -The MSI code uses an dev->msi_list to which it adds MSI entries. -Under the above conditions an BUG_ON() can be hit. The device -passed in the guest MUST have MSI capability. - -The a) adds the entry to the dev->msi_list and sets msi_enabled. -The b) adds a second entry but adding in to SysFS fails (duplicate entry) -and deletes all of the entries from msi_list and returns (with msi_enabled -is still set). c) pci_disable_msi passes the msi_enabled checks and hits: - -BUG_ON(list_empty(dev_to_msi_list(&dev->dev))); - -and blows up. - -The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard -against that. The check for msix_enabled is not stricly neccessary. - -This is part of XSA-157. - -Reviewed-by: David Vrabel <david.vrabel@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback_ops.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -143,7 +143,12 @@ int xen_pcibk_enable_msi(struct xen_pcib - if (unlikely(verbose_request)) - printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev)); - -- status = pci_enable_msi(dev); -+ if (dev->msi_enabled) -+ status = -EALREADY; -+ else if (dev->msix_enabled) -+ status = -ENXIO; -+ else -+ status = pci_enable_msi(dev); - - if (status) { - pr_warn_ratelimited(DRV_NAME ": %s: error enabling MSI for guest %u: err %d\n", diff --git a/patches/xen-pciback-return-error-on-xen_pci_op_enable_msix-when-device-has-msi-or-msi-x-enabled.patch b/patches/xen-pciback-return-error-on-xen_pci_op_enable_msix-when-device-has-msi-or-msi-x-enabled.patch deleted file mode 100644 index e0e6261..0000000 --- a/patches/xen-pciback-return-error-on-xen_pci_op_enable_msix-when-device-has-msi-or-msi-x-enabled.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Mon, 2 Nov 2015 18:07:44 -0500 -Subject: xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has - MSI or MSI-X enabled - -commit 5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 upstream. - -The guest sequence of: - - a) XEN_PCI_OP_enable_msix - b) XEN_PCI_OP_enable_msix - -results in hitting an NULL pointer due to using freed pointers. - -The device passed in the guest MUST have MSI-X capability. - -The a) constructs and SysFS representation of MSI and MSI groups. -The b) adds a second set of them but adding in to SysFS fails (duplicate entry). -'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that -in a) pdev->msi_irq_groups is still set) and also free's ALL of the -MSI-X entries of the device (the ones allocated in step a) and b)). - -The unwind code: 'free_msi_irqs' deletes all the entries and tries to -delete the pdev->msi_irq_groups (which hasn't been set to NULL). -However the pointers in the SysFS are already freed and we hit an -NULL pointer further on when 'strlen' is attempted on a freed pointer. - -The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard -against that. The check for msi_enabled is not stricly neccessary. - -This is part of XSA-157 - -Reviewed-by: David Vrabel <david.vrabel@citrix.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -205,9 +205,16 @@ int xen_pcibk_enable_msix(struct xen_pci - if (unlikely(verbose_request)) - printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n", - pci_name(dev)); -+ - if (op->value > SH_INFO_MAX_VEC) - return -EINVAL; - -+ if (dev->msix_enabled) -+ return -EALREADY; -+ -+ if (dev->msi_enabled) -+ return -ENXIO; -+ - entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL); - if (entries == NULL) - return -ENOMEM; diff --git a/patches/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch b/patches/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch deleted file mode 100644 index 06db7a9..0000000 --- a/patches/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch +++ /dev/null @@ -1,53 +0,0 @@ -From d159457b84395927b5a52adb72f748dd089ad5e5 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Thu, 11 Feb 2016 16:10:24 -0500 -Subject: xen/pciback: Save the number of MSI-X entries to be copied later. - -commit d159457b84395927b5a52adb72f748dd089ad5e5 upstream. - -Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save -xen_pci_op commands before processing it) broke enabling MSI-X because -it would never copy the resulting vectors into the response. The -number of vectors requested was being overwritten by the return value -(typically zero for success). - -Save the number of vectors before processing the op, so the correct -number of vectors are copied afterwards. - -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Reviewed-by: Jan Beulich <jbeulich@suse.com> -Signed-off-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback_ops.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -331,6 +331,9 @@ void xen_pcibk_do_op(struct work_struct - struct xen_pcibk_dev_data *dev_data = NULL; - struct xen_pci_op *op = &pdev->op; - int test_intx = 0; -+#ifdef CONFIG_PCI_MSI -+ unsigned int nr = 0; -+#endif - - *op = pdev->sh_info->op; - barrier(); -@@ -359,6 +362,7 @@ void xen_pcibk_do_op(struct work_struct - op->err = xen_pcibk_disable_msi(pdev, dev, op); - break; - case XEN_PCI_OP_enable_msix: -+ nr = op->value; - op->err = xen_pcibk_enable_msix(pdev, dev, op); - break; - case XEN_PCI_OP_disable_msix: -@@ -381,7 +385,7 @@ void xen_pcibk_do_op(struct work_struct - if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) { - unsigned int i; - -- for (i = 0; i < op->value; i++) -+ for (i = 0; i < nr; i++) - pdev->sh_info->op.msix_entries[i].vector = - op->msix_entries[i].vector; - } diff --git a/patches/xen-pciback-save-xen_pci_op-commands-before-processing-it.patch b/patches/xen-pciback-save-xen_pci_op-commands-before-processing-it.patch deleted file mode 100644 index 99f00fc..0000000 --- a/patches/xen-pciback-save-xen_pci_op-commands-before-processing-it.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Date: Mon, 16 Nov 2015 12:40:48 -0500 -Subject: xen/pciback: Save xen_pci_op commands before processing it - -commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 upstream. - -Double fetch vulnerabilities that happen when a variable is -fetched twice from shared memory but a security check is only -performed the first time. - -The xen_pcibk_do_op function performs a switch statements on the op->cmd -value which is stored in shared memory. Interestingly this can result -in a double fetch vulnerability depending on the performed compiler -optimization. - -This patch fixes it by saving the xen_pci_op command before -processing it. We also use 'barrier' to make sure that the -compiler does not perform any optimization. - -This is part of XSA155. - -Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Jan Beulich <JBeulich@suse.com> -Signed-off-by: David Vrabel <david.vrabel@citrix.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Zefan Li <lizefan@huawei.com> ---- - drivers/xen/xen-pciback/pciback.h | 1 + - drivers/xen/xen-pciback/pciback_ops.c | 15 ++++++++++++++- - 2 files changed, 15 insertions(+), 1 deletion(-) - ---- a/drivers/xen/xen-pciback/pciback.h -+++ b/drivers/xen/xen-pciback/pciback.h -@@ -37,6 +37,7 @@ struct xen_pcibk_device { - struct xen_pci_sharedinfo *sh_info; - unsigned long flags; - struct work_struct op_work; -+ struct xen_pci_op op; - }; - - struct xen_pcibk_dev_data { ---- a/drivers/xen/xen-pciback/pciback_ops.c -+++ b/drivers/xen/xen-pciback/pciback_ops.c -@@ -297,9 +297,11 @@ void xen_pcibk_do_op(struct work_struct - container_of(data, struct xen_pcibk_device, op_work); - struct pci_dev *dev; - struct xen_pcibk_dev_data *dev_data = NULL; -- struct xen_pci_op *op = &pdev->sh_info->op; -+ struct xen_pci_op *op = &pdev->op; - int test_intx = 0; - -+ *op = pdev->sh_info->op; -+ barrier(); - dev = xen_pcibk_get_pci_dev(pdev, op->domain, op->bus, op->devfn); - - if (dev == NULL) -@@ -341,6 +343,17 @@ void xen_pcibk_do_op(struct work_struct - if ((dev_data->enable_intx != test_intx)) - xen_pcibk_control_isr(dev, 0 /* no reset */); - } -+ pdev->sh_info->op.err = op->err; -+ pdev->sh_info->op.value = op->value; -+#ifdef CONFIG_PCI_MSI -+ if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) { -+ unsigned int i; -+ -+ for (i = 0; i < op->value; i++) -+ pdev->sh_info->op.msix_entries[i].vector = -+ op->msix_entries[i].vector; -+ } -+#endif - /* Tell the driver domain that we're done. */ - wmb(); - clear_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags); |