diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2019-08-08 17:51:33 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-08-08 17:51:36 +0100 |
commit | 0003f5b5e090ab0745a0f1f9ec221947f18da395 (patch) | |
tree | a2fc40f34ab316deffb72d85f851ab376a75ddbe | |
parent | f372ef8ab96a0b3c32d445ec7e4c3fdd9b5dca79 (diff) | |
download | linux-stable-queue-0003f5b5e090ab0745a0f1f9ec221947f18da395.tar.gz |
Add commits cc'd to stable, up to 5.1
...and their obvious dependencies.
126 files changed, 7978 insertions, 1 deletions
diff --git a/queue-3.16/3c515-fix-integer-overflow-warning.patch b/queue-3.16/3c515-fix-integer-overflow-warning.patch new file mode 100644 index 00000000..cb28daf4 --- /dev/null +++ b/queue-3.16/3c515-fix-integer-overflow-warning.patch @@ -0,0 +1,39 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Tue, 19 Mar 2019 22:15:58 +0100 +Subject: 3c515: fix integer overflow warning + +commit fb6fafbc7de4a813bb5364358bbe27f71e62b24a upstream. + +clang points out a harmless signed integer overflow: + +drivers/net/ethernet/3com/3c515.c:1530:66: error: implicit conversion from 'int' to 'short' changes value from 32783 to -32753 [-Werror,-Wconstant-conversion] + new_mode = SetRxFilter | RxStation | RxMulticast | RxBroadcast | RxProm; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~ +drivers/net/ethernet/3com/3c515.c:1532:52: error: implicit conversion from 'int' to 'short' changes value from 32775 to -32761 [-Werror,-Wconstant-conversion] + new_mode = SetRxFilter | RxStation | RxMulticast | RxBroadcast; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ +drivers/net/ethernet/3com/3c515.c:1534:38: error: implicit conversion from 'int' to 'short' changes value from 32773 to -32763 [-Werror,-Wconstant-conversion] + new_mode = SetRxFilter | RxStation | RxBroadcast; + ~ ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ + +Make the variable unsigned to avoid the overflow. + +Fixes: Linux-2.1.128pre1 +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/3com/3c515.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/3com/3c515.c ++++ b/drivers/net/ethernet/3com/3c515.c +@@ -1524,7 +1524,7 @@ static void update_stats(int ioaddr, str + static void set_rx_mode(struct net_device *dev) + { + int ioaddr = dev->base_addr; +- short new_mode; ++ unsigned short new_mode; + + if (dev->flags & IFF_PROMISC) { + if (corkscrew_debug > 3) diff --git a/queue-3.16/acpica-namespace-remove-address-node-from-global-list-after-method.patch b/queue-3.16/acpica-namespace-remove-address-node-from-global-list-after-method.patch new file mode 100644 index 00000000..d61f15f3 --- /dev/null +++ b/queue-3.16/acpica-namespace-remove-address-node-from-global-list-after-method.patch @@ -0,0 +1,58 @@ +From: Erik Schmauss <erik.schmauss@intel.com> +Date: Mon, 8 Apr 2019 13:42:26 -0700 +Subject: ACPICA: Namespace: remove address node from global list after method + termination + +commit c5781ffbbd4f742a58263458145fe7f0ac01d9e0 upstream. + +ACPICA commit b233720031a480abd438f2e9c643080929d144c3 + +ASL operation_regions declare a range of addresses that it uses. In a +perfect world, the range of addresses should be used exclusively by +the AML interpreter. The OS can use this information to decide which +drivers to load so that the AML interpreter and device drivers use +different regions of memory. + +During table load, the address information is added to a global +address range list. Each node in this list contains an address range +as well as a namespace node of the operation_region. This list is +deleted at ACPI shutdown. + +Unfortunately, ASL operation_regions can be declared inside of control +methods. Although this is not recommended, modern firmware contains +such code. New module level code changes unintentionally removed the +functionality of adding and removing nodes to the global address +range list. + +A few months ago, support for adding addresses has been re- +implemented. However, the removal of the address range list was +missed and resulted in some systems to crash due to the address list +containing bogus namespace nodes from operation_regions declared in +control methods. In order to fix the crash, this change removes +dynamic operation_regions after control method termination. + +Link: https://github.com/acpica/acpica/commit/b2337200 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475 +Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization") +Reported-by: Michael J Gruber <mjg@fedoraproject.org> +Signed-off-by: Erik Schmauss <erik.schmauss@intel.com> +Signed-off-by: Bob Moore <robert.moore@intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/acpi/acpica/nsobject.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/acpi/acpica/nsobject.c ++++ b/drivers/acpi/acpica/nsobject.c +@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_n + } + } + ++ if (obj_desc->common.type == ACPI_TYPE_REGION) { ++ acpi_ut_remove_address_range(obj_desc->region.space_id, node); ++ } ++ + /* Clear the Node entry in all cases */ + + node->object = NULL; diff --git a/queue-3.16/afs-fix-storedata-op-marshalling.patch b/queue-3.16/afs-fix-storedata-op-marshalling.patch new file mode 100644 index 00000000..fa34ac23 --- /dev/null +++ b/queue-3.16/afs-fix-storedata-op-marshalling.patch @@ -0,0 +1,99 @@ +From: David Howells <dhowells@redhat.com> +Date: Wed, 27 Mar 2019 22:48:02 +0000 +Subject: afs: Fix StoreData op marshalling + +commit 8c7ae38d1ce12a0eaeba655df8562552b3596c7f upstream. + +The marshalling of AFS.StoreData, AFS.StoreData64 and YFS.StoreData64 calls +generated by ->setattr() ops for the purpose of expanding a file is +incorrect due to older documentation incorrectly describing the way the RPC +'FileLength' parameter is meant to work. + +The older documentation says that this is the length the file is meant to +end up at the end of the operation; however, it was never implemented this +way in any of the servers, but rather the file is truncated down to this +before the write operation is effected, and never expanded to it (and, +indeed, it was renamed to 'TruncPos' in 2014). + +Fix this by setting the position parameter to the new file length and doing +a zero-lengh write there. + +The bug causes Xwayland to SIGBUS due to unexpected non-expansion of a file +it then mmaps. This can be tested by giving the following test program a +filename in an AFS directory: + + #include <stdio.h> + #include <stdlib.h> + #include <unistd.h> + #include <fcntl.h> + #include <sys/mman.h> + int main(int argc, char *argv[]) + { + char *p; + int fd; + if (argc != 2) { + fprintf(stderr, + "Format: test-trunc-mmap <file>\n"); + exit(2); + } + fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC); + if (fd < 0) { + perror(argv[1]); + exit(1); + } + if (ftruncate(fd, 0x140008) == -1) { + perror("ftruncate"); + exit(1); + } + p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, + MAP_SHARED, fd, 0); + if (p == MAP_FAILED) { + perror("mmap"); + exit(1); + } + p[0] = 'a'; + if (munmap(p, 4096) < 0) { + perror("munmap"); + exit(1); + } + if (close(fd) < 0) { + perror("close"); + exit(1); + } + exit(0); + } + +Fixes: 31143d5d515e ("AFS: implement basic file write support") +Reported-by: Jonathan Billings <jsbillin@umich.edu> +Tested-by: Jonathan Billings <jsbillin@umich.edu> +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +[bwh: Backported to 3.16: drop change in yfsclient.c] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/afs/fsclient.c | 6 +++--- + fs/afs/yfsclient.c | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/afs/fsclient.c ++++ b/fs/afs/fsclient.c +@@ -1382,8 +1382,8 @@ static int afs_fs_setattr_size64(struct + + xdr_encode_AFS_StoreStatus(&bp, attr); + +- *bp++ = 0; /* position of start of write */ +- *bp++ = 0; ++ *bp++ = htonl(attr->ia_size >> 32); /* position of start of write */ ++ *bp++ = htonl((u32) attr->ia_size); + *bp++ = 0; /* size of write */ + *bp++ = 0; + *bp++ = htonl(attr->ia_size >> 32); /* new file length */ +@@ -1433,7 +1433,7 @@ static int afs_fs_setattr_size(struct af + + xdr_encode_AFS_StoreStatus(&bp, attr); + +- *bp++ = 0; /* position of start of write */ ++ *bp++ = htonl(attr->ia_size); /* position of start of write */ + *bp++ = 0; /* size of write */ + *bp++ = htonl(attr->ia_size); /* new file length */ + diff --git a/queue-3.16/alsa-core-fix-card-races-between-register-and-disconnect.patch b/queue-3.16/alsa-core-fix-card-races-between-register-and-disconnect.patch new file mode 100644 index 00000000..d3d8f653 --- /dev/null +++ b/queue-3.16/alsa-core-fix-card-races-between-register-and-disconnect.patch @@ -0,0 +1,71 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Tue, 16 Apr 2019 17:06:33 +0200 +Subject: ALSA: core: Fix card races between register and disconnect + +commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream. + +There is a small race window in the card disconnection code that +allows the registration of another card with the very same card id. +This leads to a warning in procfs creation as caught by syzkaller. + +The problem is that we delete snd_cards and snd_cards_lock entries at +the very beginning of the disconnection procedure. This makes the +slot available to be assigned for another card object while the +disconnection procedure is being processed. Then it becomes possible +to issue a procfs registration with the existing file name although we +check the conflict beforehand. + +The fix is simply to move the snd_cards and snd_cards_lock clearances +at the end of the disconnection procedure. The references to these +entries are merely either from the global proc files like +/proc/asound/cards or from the card registration / disconnection, so +it should be fine to shift at the very end. + +Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/init.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -389,14 +389,7 @@ int snd_card_disconnect(struct snd_card + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -412,7 +405,7 @@ int snd_card_disconnect(struct snd_card + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -430,6 +423,13 @@ int snd_card_disconnect(struct snd_card + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif diff --git a/queue-3.16/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch b/queue-3.16/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch new file mode 100644 index 00000000..1641bec8 --- /dev/null +++ b/queue-3.16/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch @@ -0,0 +1,65 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Mon, 25 Mar 2019 10:38:58 +0100 +Subject: ALSA: pcm: Don't suspend stream in unrecoverable PCM state + +commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream. + +Currently PCM core sets each opened stream forcibly to SUSPENDED state +via snd_pcm_suspend_all() call, and the user-space is responsible for +re-triggering the resume manually either via snd_pcm_resume() or +prepare call. The scheme works fine usually, but there are corner +cases where the stream can't be resumed by that call: the streams +still in OPEN state before finishing hw_params. When they are +suspended, user-space cannot perform resume or prepare because they +haven't been set up yet. The only possible recovery is to re-open the +device, which isn't nice at all. Similarly, when a stream is in +DISCONNECTED state, it makes no sense to change it to SUSPENDED +state. Ditto for in SETUP state; which you can re-prepare directly. + +So, this patch addresses these issues by filtering the PCM streams to +be suspended by checking the PCM state. When a stream is in either +OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend +action is skipped. + +To be noted, this problem was originally reported for the PCM runtime +PM on HD-audio. And, the runtime PM problem itself was already +addressed (although not intended) by the code refactoring commits +3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM +ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous +snd_pcm_suspend*() calls"). These commits eliminated the +snd_pcm_suspend*() calls from the runtime PM suspend callback code +path, hence the racy OPEN state won't appear while runtime PM. +(FWIW, the race window is between snd_pcm_open_substream() and the +first power up in azx_pcm_open().) + +Although the runtime PM issue was already "fixed", the same problem is +still present for the system PM, hence this patch is still needed. +And for stable trees, this patch alone should suffice for fixing the +runtime PM problem, too. + +Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/pcm_native.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1063,8 +1063,15 @@ static int snd_pcm_pause(struct snd_pcm_ + static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state) + { + struct snd_pcm_runtime *runtime = substream->runtime; +- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED) ++ switch (runtime->status->state) { ++ case SNDRV_PCM_STATE_SUSPENDED: + return -EBUSY; ++ /* unresumable PCM state; return -EBUSY for skipping suspend */ ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_DISCONNECTED: ++ return -EBUSY; ++ } + runtime->trigger_master = substream; + return 0; + } diff --git a/queue-3.16/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch b/queue-3.16/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch new file mode 100644 index 00000000..3fc32c88 --- /dev/null +++ b/queue-3.16/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch @@ -0,0 +1,100 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Fri, 22 Mar 2019 16:00:54 +0100 +Subject: ALSA: pcm: Fix possible OOB access in PCM oss plugins + +commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream. + +The PCM OSS emulation converts and transfers the data on the fly via +"plugins". The data is converted over the dynamically allocated +buffer for each plugin, and recently syzkaller caught OOB in this +flow. + +Although the bisection by syzbot pointed out to the commit +65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer +allocations"), this is merely a commit to replace vmalloc() with +kvmalloc(), hence it can't be the cause. The further debug action +revealed that this happens in the case where a slave PCM doesn't +support only the stereo channels while the OSS stream is set up for a +mono channel. Below is a brief explanation: + +At each OSS parameter change, the driver sets up the PCM hw_params +again in snd_pcm_oss_change_params_lock(). This is also the place +where plugins are created and local buffers are allocated. The +problem is that the plugins are created before the final hw_params is +determined. Namely, two snd_pcm_hw_param_near() calls for setting the +period size and periods may influence on the final result of channels, +rates, etc, too, while the current code has already created plugins +beforehand with the premature values. So, the plugin believes that +channels=1, while the actual I/O is with channels=2, which makes the +driver reading/writing over the allocated buffer size. + +The fix is simply to move the plugin allocation code after the final +hw_params call. + +Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai <tiwai@suse.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/oss/pcm_oss.c | 43 ++++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 21 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_loc + oss_frame_size = snd_pcm_format_physical_width(params_format(params)) * + params_channels(params) / 8; + ++ err = snd_pcm_oss_period_size(substream, params, sparams); ++ if (err < 0) ++ goto failure; ++ ++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); ++ if (err < 0) ++ goto failure; ++ ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, ++ runtime->oss.periods, NULL); ++ if (err < 0) ++ goto failure; ++ ++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); ++ ++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams); ++ if (err < 0) { ++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); ++ goto failure; ++ } ++ + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + snd_pcm_oss_plugin_clear(substream); + if (!direct) { +@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_loc + } + #endif + +- err = snd_pcm_oss_period_size(substream, params, sparams); +- if (err < 0) +- goto failure; +- +- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); +- if (err < 0) +- goto failure; +- +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, +- runtime->oss.periods, NULL); +- if (err < 0) +- goto failure; +- +- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); +- +- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) { +- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); +- goto failure; +- } +- + memset(sw_params, 0, sizeof(*sw_params)); + if (runtime->oss.trigger) { + sw_params->start_threshold = 1; diff --git a/queue-3.16/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch b/queue-3.16/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch new file mode 100644 index 00000000..659976be --- /dev/null +++ b/queue-3.16/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch @@ -0,0 +1,48 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 20 Mar 2019 16:15:24 -0500 +Subject: ALSA: rawmidi: Fix potential Spectre v1 vulnerability + +commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream. + +info->stream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap) + +Fix this by sanitizing info->stream before using it to index +rmidi->streams. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/rawmidi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -29,6 +29,7 @@ + #include <linux/mutex.h> + #include <linux/module.h> + #include <linux/delay.h> ++#include <linux/nospec.h> + #include <sound/rawmidi.h> + #include <sound/info.h> + #include <sound/control.h> +@@ -601,6 +602,7 @@ static int __snd_rawmidi_info_select(str + return -ENXIO; + if (info->stream < 0 || info->stream > 1) + return -EINVAL; ++ info->stream = array_index_nospec(info->stream, 2); + pstr = &rmidi->streams[info->stream]; + if (pstr->substream_count == 0) + return -ENOENT; diff --git a/queue-3.16/alsa-seq-fix-oob-reads-from-strlcpy.patch b/queue-3.16/alsa-seq-fix-oob-reads-from-strlcpy.patch new file mode 100644 index 00000000..b974015e --- /dev/null +++ b/queue-3.16/alsa-seq-fix-oob-reads-from-strlcpy.patch @@ -0,0 +1,48 @@ +From: Zubin Mithra <zsm@chromium.org> +Date: Thu, 4 Apr 2019 14:33:55 -0700 +Subject: ALSA: seq: Fix OOB-reads from strlcpy + +commit 212ac181c158c09038c474ba68068be49caecebb upstream. + +When ioctl calls are made with non-null-terminated userspace strings, +strlcpy causes an OOB-read from within strlen. Fix by changing to use +strscpy instead. + +Signed-off-by: Zubin Mithra <zsm@chromium.org> +Reviewed-by: Guenter Roeck <groeck@chromium.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/seq/seq_clientmgr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info + + /* fill the info fields */ + if (client_info.name[0]) +- strlcpy(client->name, client_info.name, sizeof(client->name)); ++ strscpy(client->name, client_info.name, sizeof(client->name)); + + client->filter = client_info.filter; + client->event_lost = client_info.event_lost; +@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(st + /* set queue name */ + if (! info.name[0]) + snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + queuefree(q); + + if (copy_to_user(arg, &info, sizeof(info))) +@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info( + queuefree(q); + return -EPERM; + } +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + queuefree(q); + + return 0; diff --git a/queue-3.16/alsa-seq-oss-fix-spectre-v1-vulnerability.patch b/queue-3.16/alsa-seq-oss-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000..bd8a68c5 --- /dev/null +++ b/queue-3.16/alsa-seq-oss-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,48 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 20 Mar 2019 18:42:01 -0500 +Subject: ALSA: seq: oss: Fix Spectre v1 vulnerability + +commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream. + +dev is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap) + +Fix this by sanitizing dev before using it to index dp->synths. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/seq/oss/seq_oss_synth.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -617,13 +617,14 @@ int + snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); + +- if (dev < 0 || dev >= dp->max_synthdev) ++ if (!info) + return -ENXIO; + +- if (dp->synths[dev].is_midi) { ++ if (info->is_midi) { + struct midi_info minf; +- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); ++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf); + inf->synth_type = SYNTH_TYPE_MIDI; + inf->synth_subtype = 0; + inf->nr_voices = 16; diff --git a/queue-3.16/arm-dts-pfla02-increase-phy-reset-duration.patch b/queue-3.16/arm-dts-pfla02-increase-phy-reset-duration.patch new file mode 100644 index 00000000..1fd84788 --- /dev/null +++ b/queue-3.16/arm-dts-pfla02-increase-phy-reset-duration.patch @@ -0,0 +1,42 @@ +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Mon, 4 Mar 2019 11:49:40 +0100 +Subject: ARM: dts: pfla02: increase phy reset duration + +commit 032f85c9360fb1a08385c584c2c4ed114b33c260 upstream. + +Increase the reset duration to ensure correct phy functionality. The +reset duration is taken from barebox commit 52fdd510de ("ARM: dts: +pfla02: use long enough reset for ethernet phy"): + + Use a longer reset time for ethernet phy Micrel KSZ9031RNX. Otherwise a + small percentage of modules have 'transmission timeouts' errors like + + barebox@Phytec phyFLEX-i.MX6 Quad Carrier-Board:/ ifup eth0 + warning: No MAC address set. Using random address 7e:94:4d:02:f8:f3 + eth0: 1000Mbps full duplex link detected + eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + +Cc: Stefan Christ <s.christ@phytec.de> +Cc: Christian Hemp <c.hemp@phytec.de> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Fixes: 3180f956668e ("ARM: dts: Phytec imx6q pfla02 and pbab01 support") +Signed-off-by: Shawn Guo <shawnguo@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +@@ -302,6 +302,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ phy-reset-duration = <10>; /* in msecs */ + phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>; + status = "disabled"; + }; diff --git a/queue-3.16/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch b/queue-3.16/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch new file mode 100644 index 00000000..d0e5b927 --- /dev/null +++ b/queue-3.16/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch @@ -0,0 +1,73 @@ +From: Kohji Okuno <okuno.kohji@jp.panasonic.com> +Date: Tue, 26 Feb 2019 11:34:13 +0900 +Subject: ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected + time + +commit 91740fc8242b4f260cfa4d4536d8551804777fae upstream. + +In the current cpuidle implementation for i.MX6q, the CPU that sets +'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always +the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of +"WAIT", if the other CPU wakes up and enters IDLE state of "WFI" +istead of "WAIT", this CPU can not wake up at expired time. + Because, in the case of "WFI", the CPU must be waked up by the local +timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer +is stopped, when all CPUs execute "wfi" instruction. As a result, the +local timer interrupt is not fired. + In this situation, this CPU will wake up by IRQ different from local +timer. (e.g. broacast timer) + +So, this fix changes CPU to return to 'WAIT_CLOCKED'. + +Signed-off-by: Kohji Okuno <okuno.kohji@jp.panasonic.com> +Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle") +Signed-off-by: Shawn Guo <shawnguo@kernel.org> +[bwh: Backported to 3.16: use imx6q_set_lpm() instead of imx6_set_lpm()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/arm/mach-imx/cpuidle-imx6q.c | 27 ++++++++++----------------- + 1 file changed, 10 insertions(+), 17 deletions(-) + +--- a/arch/arm/mach-imx/cpuidle-imx6q.c ++++ b/arch/arm/mach-imx/cpuidle-imx6q.c +@@ -14,30 +14,23 @@ + #include "common.h" + #include "cpuidle.h" + +-static atomic_t master = ATOMIC_INIT(0); +-static DEFINE_SPINLOCK(master_lock); ++static int num_idle_cpus = 0; ++static DEFINE_SPINLOCK(cpuidle_lock); + + static int imx6q_enter_wait(struct cpuidle_device *dev, + struct cpuidle_driver *drv, int index) + { +- if (atomic_inc_return(&master) == num_online_cpus()) { +- /* +- * With this lock, we prevent other cpu to exit and enter +- * this function again and become the master. +- */ +- if (!spin_trylock(&master_lock)) +- goto idle; ++ spin_lock(&cpuidle_lock); ++ if (++num_idle_cpus == num_online_cpus()) + imx6q_set_lpm(WAIT_UNCLOCKED); +- cpu_do_idle(); +- imx6q_set_lpm(WAIT_CLOCKED); +- spin_unlock(&master_lock); +- goto done; +- } ++ spin_unlock(&cpuidle_lock); + +-idle: + cpu_do_idle(); +-done: +- atomic_dec(&master); ++ ++ spin_lock(&cpuidle_lock); ++ if (num_idle_cpus-- == num_online_cpus()) ++ imx6q_set_lpm(WAIT_CLOCKED); ++ spin_unlock(&cpuidle_lock); + + return index; + } diff --git a/queue-3.16/batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch b/queue-3.16/batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch new file mode 100644 index 00000000..d0aa29ac --- /dev/null +++ b/queue-3.16/batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch @@ -0,0 +1,69 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Sat, 23 Feb 2019 14:27:10 +0100 +Subject: batman-adv: Reduce claim hash refcnt only for removed entry + +commit 4ba104f468bbfc27362c393815d03aa18fb7a20f upstream. + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_bla_del_claim is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. + +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> +[bwh: Backported to 3.16: keep using batadv_claim_free_ref()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/batman-adv/bridge_loop_avoidance.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -677,6 +677,8 @@ static void batadv_bla_del_claim(struct + const uint8_t *mac, const unsigned short vid) + { + struct batadv_bla_claim search_claim, *claim; ++ struct batadv_bla_claim *claim_removed_entry; ++ struct hlist_node *claim_removed_node; + + ether_addr_copy(search_claim.addr, mac); + search_claim.vid = vid; +@@ -687,10 +689,18 @@ static void batadv_bla_del_claim(struct + batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n", + mac, BATADV_PRINT_VID(vid)); + +- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim, +- batadv_choose_claim, claim); +- batadv_claim_free_ref(claim); /* reference from the hash is gone */ ++ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash, ++ batadv_compare_claim, ++ batadv_choose_claim, claim); ++ if (!claim_removed_node) ++ goto free_claim; + ++ /* reference from the hash is gone */ ++ claim_removed_entry = hlist_entry(claim_removed_node, ++ struct batadv_bla_claim, hash_entry); ++ batadv_claim_free_ref(claim_removed_entry); ++ ++free_claim: + /* don't need the reference from hash_find() anymore */ + batadv_claim_free_ref(claim); + } diff --git a/queue-3.16/batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch b/queue-3.16/batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch new file mode 100644 index 00000000..a272217b --- /dev/null +++ b/queue-3.16/batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch @@ -0,0 +1,70 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Sat, 23 Feb 2019 14:27:10 +0100 +Subject: batman-adv: Reduce tt_global hash refcnt only for removed entry + +commit f131a56880d10932931e74773fb8702894a94a75 upstream. + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_tt_global_free is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. + +Fixes: 7683fdc1e886 ("batman-adv: protect the local and the global trans-tables with rcu") +Reported-by: Martin Weinelt <martin@linuxlounge.net> +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Acked-by: Antonio Quartulli <a@unstable.cc> +Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/batman-adv/translation-table.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -483,14 +483,26 @@ static void batadv_tt_global_free(struct + struct batadv_tt_global_entry *tt_global, + const char *message) + { ++ struct batadv_tt_global_entry *tt_removed_entry; ++ struct hlist_node *tt_removed_node; ++ + batadv_dbg(BATADV_DBG_TT, bat_priv, + "Deleting global tt entry %pM (vid: %d): %s\n", + tt_global->common.addr, + BATADV_PRINT_VID(tt_global->common.vid), message); + +- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt, +- batadv_choose_tt, &tt_global->common); +- batadv_tt_global_entry_free_ref(tt_global); ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash, ++ batadv_compare_tt, ++ batadv_choose_tt, ++ &tt_global->common); ++ if (!tt_removed_node) ++ return; ++ ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_global_entry, ++ common.hash_entry); ++ batadv_tt_global_entry_free_ref(tt_removed_entry); + } + + /** diff --git a/queue-3.16/batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch b/queue-3.16/batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch new file mode 100644 index 00000000..088ec4cb --- /dev/null +++ b/queue-3.16/batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch @@ -0,0 +1,73 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Sat, 23 Feb 2019 14:27:10 +0100 +Subject: batman-adv: Reduce tt_local hash refcnt only for removed entry + +commit 3d65b9accab4a7ed5038f6df403fbd5e298398c7 upstream. + +The batadv_hash_remove is a function which searches the hashtable for an +entry using a needle, a hashtable bucket selection function and a compare +function. It will lock the bucket list and delete an entry when the compare +function matches it with the needle. It returns the pointer to the +hlist_node which matches or NULL when no entry matches the needle. + +The batadv_tt_local_remove is not itself protected in anyway to avoid that +any other function is modifying the hashtable between the search for the +entry and the call to batadv_hash_remove. It can therefore happen that the +entry either doesn't exist anymore or an entry was deleted which is not the +same object as the needle. In such an situation, the reference counter (for +the reference stored in the hashtable) must not be reduced for the needle. +Instead the reference counter of the actually removed entry has to be +reduced. + +Otherwise the reference counter will underflow and the object might be +freed before all its references were dropped. The kref helpers reported +this problem as: + + refcount_t: underflow; use-after-free. + +Fixes: ef72706a0543 ("batman-adv: protect tt_local_entry from concurrent delete events") +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/batman-adv/translation-table.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -1021,9 +1021,10 @@ uint16_t batadv_tt_local_remove(struct b + const uint8_t *addr, unsigned short vid, + const char *message, bool roaming) + { ++ struct batadv_tt_local_entry *tt_removed_entry; + struct batadv_tt_local_entry *tt_local_entry; + uint16_t flags, curr_flags = BATADV_NO_FLAGS; +- void *tt_entry_exists; ++ struct hlist_node *tt_removed_node; + + tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid); + if (!tt_local_entry) +@@ -1052,15 +1053,18 @@ uint16_t batadv_tt_local_remove(struct b + */ + batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL); + +- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash, ++ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash, + batadv_compare_tt, + batadv_choose_tt, + &tt_local_entry->common); +- if (!tt_entry_exists) ++ if (!tt_removed_node) + goto out; + +- /* extra call to free the local tt entry */ +- batadv_tt_local_entry_free_ref(tt_local_entry); ++ /* drop reference of remove hash entry */ ++ tt_removed_entry = hlist_entry(tt_removed_node, ++ struct batadv_tt_local_entry, ++ common.hash_entry); ++ batadv_tt_local_entry_free_ref(tt_removed_entry); + + out: + if (tt_local_entry) diff --git a/queue-3.16/block-do-not-leak-memory-in-bio_copy_user_iov.patch b/queue-3.16/block-do-not-leak-memory-in-bio_copy_user_iov.patch new file mode 100644 index 00000000..ca40d77b --- /dev/null +++ b/queue-3.16/block-do-not-leak-memory-in-bio_copy_user_iov.patch @@ -0,0 +1,37 @@ +From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com> +Date: Wed, 10 Apr 2019 16:27:51 -0400 +Subject: block: do not leak memory in bio_copy_user_iov() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925 upstream. + +When bio_add_pc_page() fails in bio_copy_user_iov() we should free +the page we just allocated otherwise we are leaking it. + +Cc: linux-block@vger.kernel.org +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com> +Signed-off-by: Jérôme Glisse <jglisse@redhat.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + block/bio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct req + } + } + +- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) ++ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) { ++ if (!map_data) ++ __free_page(page); + break; ++ } + + len -= bytes; + offset = 0; diff --git a/queue-3.16/btrfs-prop-fix-vanished-compression-property-after-failed-set.patch b/queue-3.16/btrfs-prop-fix-vanished-compression-property-after-failed-set.patch new file mode 100644 index 00000000..22bc07fc --- /dev/null +++ b/queue-3.16/btrfs-prop-fix-vanished-compression-property-after-failed-set.patch @@ -0,0 +1,43 @@ +From: Anand Jain <anand.jain@oracle.com> +Date: Tue, 2 Apr 2019 18:07:40 +0800 +Subject: btrfs: prop: fix vanished compression property after failed set + +commit 272e5326c7837697882ce3162029ba893059b616 upstream. + +The compression property resets to NULL, instead of the old value if we +fail to set the new compression parameter. + + $ btrfs prop get /btrfs compression + compression=lzo + $ btrfs prop set /btrfs compression zli + ERROR: failed to set compression for /btrfs: Invalid argument + $ btrfs prop get /btrfs compression + +This is because the compression property ->validate() is successful for +'zli' as the strncmp() used the length passed from the userspace. + +Fix it by using the expected string length in strncmp(). + +Fixes: 63541927c8d1 ("Btrfs: add support for inode properties") +Fixes: 5c1aab1dd544 ("btrfs: Add zstd support") +Reviewed-by: Nikolay Borisov <nborisov@suse.com> +Signed-off-by: Anand Jain <anand.jain@oracle.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: "zstd" is not supported] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/fs/btrfs/props.c ++++ b/fs/btrfs/props.c +@@ -378,9 +378,9 @@ int btrfs_subvol_inherit_props(struct bt + + static int prop_compression_validate(const char *value, size_t len) + { +- if (!strncmp("lzo", value, len)) ++ if (!strncmp("lzo", value, 3)) + return 0; +- else if (!strncmp("zlib", value, len)) ++ else if (!strncmp("zlib", value, 4)) + return 0; + + return -EINVAL; diff --git a/queue-3.16/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch b/queue-3.16/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch new file mode 100644 index 00000000..b2aebd27 --- /dev/null +++ b/queue-3.16/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch @@ -0,0 +1,39 @@ +From: Jeff Layton <jlayton@kernel.org> +Date: Wed, 17 Apr 2019 12:58:28 -0400 +Subject: ceph: ensure d_name stability in ceph_dentry_hash() + +commit 76a495d666e5043ffc315695f8241f5e94a98849 upstream. + +Take the d_lock here to ensure that d_name doesn't change. + +Signed-off-by: Jeff Layton <jlayton@kernel.org> +Reviewed-by: "Yan, Zheng" <zyan@redhat.com> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ceph/dir.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1327,6 +1327,7 @@ void ceph_dentry_lru_del(struct dentry * + unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + { + struct ceph_inode_info *dci = ceph_inode(dir); ++ unsigned hash; + + switch (dci->i_dir_layout.dl_dir_hash) { + case 0: /* for backward compat */ +@@ -1334,8 +1335,11 @@ unsigned ceph_dentry_hash(struct inode * + return dn->d_name.hash; + + default: +- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash, ++ spin_lock(&dn->d_lock); ++ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash, + dn->d_name.name, dn->d_name.len); ++ spin_unlock(&dn->d_lock); ++ return hash; + } + } + diff --git a/queue-3.16/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch b/queue-3.16/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch new file mode 100644 index 00000000..041148b4 --- /dev/null +++ b/queue-3.16/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch @@ -0,0 +1,33 @@ +From: Frank Sorenson <sorenson@redhat.com> +Date: Tue, 16 Apr 2019 08:37:27 -0500 +Subject: cifs: do not attempt cifs operation on smb2+ rename error + +commit 652727bbe1b17993636346716ae5867627793647 upstream. + +A path-based rename returning EBUSY will incorrectly try opening +the file with a cifs (NT Create AndX) operation on an smb2+ mount, +which causes the server to force a session close. + +If the mount is smb2+, skip the fallback. + +Signed-off-by: Frank Sorenson <sorenson@redhat.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/cifs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -1627,6 +1627,10 @@ cifs_do_rename(const unsigned int xid, s + if (rc == 0 || rc != -EBUSY) + goto do_rename_exit; + ++ /* Don't fall back to using SMB on SMB 2+ mount */ ++ if (server->vals->protocol_id != 0) ++ goto do_rename_exit; ++ + /* open-file renames don't work across directories */ + if (to_dentry->d_parent != from_dentry->d_parent) + goto do_rename_exit; diff --git a/queue-3.16/cifs-fix-handle-leak-in-smb2_query_symlink.patch b/queue-3.16/cifs-fix-handle-leak-in-smb2_query_symlink.patch new file mode 100644 index 00000000..8cb98819 --- /dev/null +++ b/queue-3.16/cifs-fix-handle-leak-in-smb2_query_symlink.patch @@ -0,0 +1,32 @@ +From: Ronnie Sahlberg <lsahlber@redhat.com> +Date: Wed, 10 Apr 2019 07:47:22 +1000 +Subject: cifs: fix handle leak in smb2_query_symlink() + +commit e6d0fb7b34f264f72c33053558a360a6a734905e upstream. + +If we enter smb2_query_symlink() for something that is not a symlink +and where the SMB2_open() would succeed we would never end up +closing this handle and would thus leak a handle on the server. + +Fix this by immediately calling SMB2_close() on successfull open. + +Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/cifs/smb2ops.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -906,6 +906,8 @@ smb2_query_symlink(const unsigned int xi + + rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_buf); + ++ if (!rc) ++ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + if (!rc || !err_buf) { + kfree(utf16_path); + return -ENOENT; diff --git a/queue-3.16/cifs-keep-fileinfo-handle-live-during-oplock-break.patch b/queue-3.16/cifs-keep-fileinfo-handle-live-during-oplock-break.patch new file mode 100644 index 00000000..002c713f --- /dev/null +++ b/queue-3.16/cifs-keep-fileinfo-handle-live-during-oplock-break.patch @@ -0,0 +1,174 @@ +From: Aurelien Aptel <aaptel@suse.com> +Date: Fri, 29 Mar 2019 10:49:12 +0100 +Subject: CIFS: keep FileInfo handle live during oplock break + +commit b98749cac4a695f084a5ff076f4510b23e353ecd upstream. + +In the oplock break handler, writing pending changes from pages puts +the FileInfo handle. If the refcount reaches zero it closes the handle +and waits for any oplock break handler to return, thus causing a deadlock. + +To prevent this situation: + +* We add a wait flag to cifsFileInfo_put() to decide whether we should + wait for running/pending oplock break handlers + +* We keep an additionnal reference of the SMB FileInfo handle so that + for the rest of the handler putting the handle won't close it. + - The ref is bumped everytime we queue the handler via the + cifs_queue_oplock_break() helper. + - The ref is decremented at the end of the handler + +This bug was triggered by xfstest 464. + +Also important fix to address the various reports of +oops in smb2_push_mandatory_locks + +Signed-off-by: Aurelien Aptel <aaptel@suse.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/cifs/cifsglob.h | 2 ++ + fs/cifs/file.c | 30 +++++++++++++++++++++++++----- + fs/cifs/misc.c | 25 +++++++++++++++++++++++-- + fs/cifs/smb2misc.c | 6 +++--- + 4 files changed, 53 insertions(+), 10 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1092,6 +1092,7 @@ cifsFileInfo_get_locked(struct cifsFileI + } + + struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); + void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + + #define CIFS_CACHE_READ_FLG 1 +@@ -1579,6 +1580,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock; + #endif /* CONFIG_CIFS_ACL */ + + void cifs_oplock_break(struct work_struct *work); ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile); + + extern const struct slow_work_ops cifs_oplock_break_ops; + extern struct workqueue_struct *cifsiod_wq; +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -359,13 +359,31 @@ cifsFileInfo_get(struct cifsFileInfo *ci + return cifs_file; + } + +-/* +- * Release a reference on the file private data. This may involve closing +- * the filehandle out on the server. Must be called without holding +- * tcon->open_file_lock and cifs_file->file_info_lock. ++/** ++ * cifsFileInfo_put - release a reference of file priv data ++ * ++ * Always potentially wait for oplock handler. See _cifsFileInfo_put(). + */ + void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + { ++ _cifsFileInfo_put(cifs_file, true); ++} ++ ++/** ++ * _cifsFileInfo_put - release a reference of file priv data ++ * ++ * This may involve closing the filehandle @cifs_file out on the ++ * server. Must be called without holding tcon->open_file_lock and ++ * cifs_file->file_info_lock. ++ * ++ * If @wait_for_oplock_handler is true and we are releasing the last ++ * reference, wait for any running oplock break handler of the file ++ * and cancel any pending one. If calling this function from the ++ * oplock break handler, you need to pass false. ++ * ++ */ ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) ++{ + struct inode *inode = cifs_file->dentry->d_inode; + struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink); + struct TCP_Server_Info *server = tcon->ses->server; +@@ -412,7 +430,8 @@ void cifsFileInfo_put(struct cifsFileInf + + spin_unlock(&tcon->open_file_lock); + +- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break); ++ oplock_break_cancelled = wait_oplock_handler ? ++ cancel_work_sync(&cifs_file->oplock_break) : false; + + if (!tcon->need_reconnect && !cifs_file->invalidHandle) { + struct TCP_Server_Info *server = tcon->ses->server; +@@ -3701,6 +3720,7 @@ void cifs_oplock_break(struct work_struc + cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */); + cifs_done_oplock_break(cinode); + } + +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -477,8 +477,7 @@ is_valid_oplock_break(char *buffer, stru + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &pCifsInode->flags); + +- queue_work(cifsoplockd_wq, +- &netfile->oplock_break); ++ cifs_queue_oplock_break(netfile); + netfile->oplock_break_cancelled = false; + + spin_unlock(&tcon->open_file_lock); +@@ -610,6 +609,28 @@ void cifs_put_writer(struct cifsInodeInf + spin_unlock(&cinode->writers_lock); + } + ++/** ++ * cifs_queue_oplock_break - queue the oplock break handler for cfile ++ * ++ * This function is called from the demultiplex thread when it ++ * receives an oplock break for @cfile. ++ * ++ * Assumes the tcon->open_file_lock is held. ++ * Assumes cfile->file_info_lock is NOT held. ++ */ ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile) ++{ ++ /* ++ * Bump the handle refcount now while we hold the ++ * open_file_lock to enforce the validity of it for the oplock ++ * break handler. The matching put is done at the end of the ++ * handler. ++ */ ++ cifsFileInfo_get(cfile); ++ ++ queue_work(cifsoplockd_wq, &cfile->oplock_break); ++} ++ + void cifs_done_oplock_break(struct cifsInodeInfo *cinode) + { + clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -458,7 +458,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc + clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + +- queue_work(cifsoplockd_wq, &cfile->oplock_break); ++ cifs_queue_oplock_break(cfile); + kfree(lw); + return true; + } +@@ -602,8 +602,8 @@ smb2_is_valid_oplock_break(char *buffer, + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + spin_unlock(&cfile->file_info_lock); +- queue_work(cifsoplockd_wq, +- &cfile->oplock_break); ++ ++ cifs_queue_oplock_break(cfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); diff --git a/queue-3.16/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-3.16/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch new file mode 100644 index 00000000..14397274 --- /dev/null +++ b/queue-3.16/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch @@ -0,0 +1,31 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 19 Mar 2019 05:46:18 -0700 +Subject: dccp: do not use ipv6 header for ipv4 flow + +commit e0aa67709f89d08c8d8e5bdd9e0b649df61d0090 upstream. + +When a dual stack dccp listener accepts an ipv4 flow, +it should not attempt to use an ipv6 header or +inet6_iif() helper. + +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/dccp/ipv6.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -491,8 +491,8 @@ static struct sock *dccp_v6_request_recv + newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; +- newnp->mcast_oif = inet6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/queue-3.16/dccp-fix-memleak-in-__feat_register_sp.patch b/queue-3.16/dccp-fix-memleak-in-__feat_register_sp.patch new file mode 100644 index 00000000..f5ece16f --- /dev/null +++ b/queue-3.16/dccp-fix-memleak-in-__feat_register_sp.patch @@ -0,0 +1,35 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Mon, 1 Apr 2019 09:35:54 +0800 +Subject: dccp: Fix memleak in __feat_register_sp + +commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream. + +If dccp_feat_push_change fails, we forget free the mem +which is alloced by kmemdup in dccp_feat_clone_sp_val. + +Reported-by: Hulk Robot <hulkci@huawei.com> +Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values") +Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/dccp/feat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/dccp/feat.c ++++ b/net/dccp/feat.c +@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis + if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len)) + return -ENOMEM; + +- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); ++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) { ++ kfree(fval.sp.vec); ++ return -ENOMEM; ++ } ++ ++ return 0; + } + + /** diff --git a/queue-3.16/device_cgroup-fix-rcu-imbalance-in-error-case.patch b/queue-3.16/device_cgroup-fix-rcu-imbalance-in-error-case.patch new file mode 100644 index 00000000..4b0d9bf4 --- /dev/null +++ b/queue-3.16/device_cgroup-fix-rcu-imbalance-in-error-case.patch @@ -0,0 +1,37 @@ +From: Jann Horn <jannh@google.com> +Date: Tue, 19 Mar 2019 02:36:59 +0100 +Subject: device_cgroup: fix RCU imbalance in error case + +commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream. + +When dev_exception_add() returns an error (due to a failed memory +allocation), make sure that we move the RCU preemption count back to where +it was before we were called. We dropped the RCU read lock inside the loop +body, so we can't just "break". + +sparse complains about this, too: + +$ make -s C=2 security/device_cgroup.o +./include/linux/rcupdate.h:647:9: warning: context imbalance in +'propagate_exception' - unexpected unlock + +Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()") +Signed-off-by: Jann Horn <jannh@google.com> +Acked-by: Michal Hocko <mhocko@suse.com> +Signed-off-by: Tejun Heo <tj@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + security/device_cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -568,7 +568,7 @@ static int propagate_exception(struct de + devcg->behavior == DEVCG_DEFAULT_ALLOW) { + rc = dev_exception_add(devcg, ex); + if (rc) +- break; ++ return rc; + } else { + /* + * in the other possible cases: diff --git a/queue-3.16/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch b/queue-3.16/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch new file mode 100644 index 00000000..b8a98ba4 --- /dev/null +++ b/queue-3.16/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch @@ -0,0 +1,104 @@ +From: Mike Snitzer <snitzer@redhat.com> +Date: Wed, 3 Apr 2019 12:23:11 -0400 +Subject: dm: disable DISCARD if the underlying storage no longer supports it + +commit bcb44433bba5eaff293888ef22ffa07f1f0347d6 upstream. + +Storage devices which report supporting discard commands like +WRITE_SAME_16 with unmap, but reject discard commands sent to the +storage device. This is a clear storage firmware bug but it doesn't +change the fact that should a program cause discards to be sent to a +multipath device layered on this buggy storage, all paths can end up +failed at the same time from the discards, causing possible I/O loss. + +The first discard to a path will fail with Illegal Request, Invalid +field in cdb, e.g.: + kernel: sd 8:0:8:19: [sdfn] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE + kernel: sd 8:0:8:19: [sdfn] tag#0 Sense Key : Illegal Request [current] + kernel: sd 8:0:8:19: [sdfn] tag#0 Add. Sense: Invalid field in cdb + kernel: sd 8:0:8:19: [sdfn] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 a0 08 00 00 00 80 00 00 00 + kernel: blk_update_request: critical target error, dev sdfn, sector 10487808 + +The SCSI layer converts this to the BLK_STS_TARGET error number, the sd +device disables its support for discard on this path, and because of the +BLK_STS_TARGET error multipath fails the discard without failing any +path or retrying down a different path. But subsequent discards can +cause path failures. Any discards sent to the path which already failed +a discard ends up failing with EIO from blk_cloned_rq_check_limits with +an "over max size limit" error since the discard limit was set to 0 by +the sd driver for the path. As the error is EIO, this now fails the +path and multipath tries to send the discard down the next path. This +cycle continues as discards are sent until all paths fail. + +Fix this by training DM core to disable DISCARD if the underlying +storage already did so. + +Also, fix branching in dm_done() and clone_endio() to reflect the +mutually exclussive nature of the IO operations in question. + +Reported-by: David Jeffery <djeffery@redhat.com> +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +[bwh: Backported to 3.16: + - Keep using op & flag to check operation type + - Keep using bdev_get_queue() to find queue in clone_endio() + - WRITE_ZEROES is not handled + - Use queue_flag_clear() instead of blk_queue_flag_clear() + - Adjust filenames, context + - Declare disable_discard() static as its only user is in the same + source file] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -756,6 +756,15 @@ static void dec_pending(struct dm_io *io + } + } + ++static void disable_discard(struct mapped_device *md) ++{ ++ struct queue_limits *limits = dm_get_queue_limits(md); ++ ++ /* device doesn't really support DISCARD, disable it */ ++ limits->max_discard_sectors = 0; ++ queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue); ++} ++ + static void disable_write_same(struct mapped_device *md) + { + struct queue_limits *limits = dm_get_queue_limits(md); +@@ -792,9 +801,14 @@ static void clone_endio(struct bio *bio, + } + } + +- if (unlikely(r == -EREMOTEIO && (bio->bi_rw & REQ_WRITE_SAME) && +- !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors)) +- disable_write_same(md); ++ if (unlikely(r == -EREMOTEIO)) { ++ if (bio->bi_rw & REQ_DISCARD && ++ !bdev_get_queue(bio->bi_bdev)->limits.max_discard_sectors) ++ disable_discard(md); ++ else if (bio->bi_rw & REQ_WRITE_SAME && ++ !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors) ++ disable_write_same(md); ++ } + + free_tio(md, tio); + dec_pending(io, error); +@@ -996,9 +1010,14 @@ static void dm_done(struct request *clon + r = rq_end_io(tio->ti, clone, error, &tio->info); + } + +- if (unlikely(r == -EREMOTEIO && (clone->cmd_flags & REQ_WRITE_SAME) && +- !clone->q->limits.max_write_same_sectors)) +- disable_write_same(tio->md); ++ if (unlikely(r == -EREMOTEIO)) { ++ if (clone->cmd_flags & REQ_DISCARD && ++ !clone->q->limits.max_discard_sectors) ++ disable_discard(tio->md); ++ else if (clone->cmd_flags & REQ_WRITE_SAME && ++ !clone->q->limits.max_write_same_sectors) ++ disable_write_same(tio->md); ++ } + + if (r <= 0) + /* The target wants to complete the I/O */ diff --git a/queue-3.16/dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch b/queue-3.16/dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch new file mode 100644 index 00000000..dfa8eeb7 --- /dev/null +++ b/queue-3.16/dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch @@ -0,0 +1,78 @@ +From: Ilya Dryomov <idryomov@gmail.com> +Date: Tue, 26 Mar 2019 20:20:58 +0100 +Subject: dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum + errors + +commit eb40c0acdc342b815d4d03ae6abb09e80c0f2988 upstream. + +Some devices don't use blk_integrity but still want stable pages +because they do their own checksumming. Examples include rbd and iSCSI +when data digests are negotiated. Stacking DM (and thus LVM) on top of +these devices results in sporadic checksum errors. + +Set BDI_CAP_STABLE_WRITES if any underlying device has it set. + +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +[bwh: Backported to 3.16: request_queue::backing_dev_info is a struct + not a pointer] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/md/dm-table.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -1432,6 +1432,36 @@ static bool dm_table_supports_write_same + return true; + } + ++static int device_requires_stable_pages(struct dm_target *ti, ++ struct dm_dev *dev, sector_t start, ++ sector_t len, void *data) ++{ ++ struct request_queue *q = bdev_get_queue(dev->bdev); ++ ++ return q && bdi_cap_stable_pages_required(&q->backing_dev_info); ++} ++ ++/* ++ * If any underlying device requires stable pages, a table must require ++ * them as well. Only targets that support iterate_devices are considered: ++ * don't want error, zero, etc to require stable pages. ++ */ ++static bool dm_table_requires_stable_pages(struct dm_table *t) ++{ ++ struct dm_target *ti; ++ unsigned i; ++ ++ for (i = 0; i < dm_table_get_num_targets(t); i++) { ++ ti = dm_table_get_target(t, i); ++ ++ if (ti->type->iterate_devices && ++ ti->type->iterate_devices(ti, device_requires_stable_pages, NULL)) ++ return true; ++ } ++ ++ return false; ++} ++ + void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q, + struct queue_limits *limits) + { +@@ -1474,6 +1504,15 @@ void dm_table_set_restrictions(struct dm + dm_table_set_integrity(t); + + /* ++ * Some devices don't use blk_integrity but still want stable pages ++ * because they do their own checksumming. ++ */ ++ if (dm_table_requires_stable_pages(t)) ++ q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES; ++ else ++ q->backing_dev_info.capabilities &= ~BDI_CAP_STABLE_WRITES; ++ ++ /* + * Determine whether or not this queue's I/O timings contribute + * to the entropy pool, Only request-based targets use this. + * Clear QUEUE_FLAG_ADD_RANDOM if any underlying device does not diff --git a/queue-3.16/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch b/queue-3.16/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch new file mode 100644 index 00000000..4ce0bad5 --- /dev/null +++ b/queue-3.16/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch @@ -0,0 +1,44 @@ +From: Lukas Czerner <lczerner@redhat.com> +Date: Fri, 15 Mar 2019 00:15:32 -0400 +Subject: ext4: add missing brelse() in add_new_gdb_meta_bg() + +commit d64264d6218e6892edd832dc3a5a5857c2856c53 upstream. + +Currently in add_new_gdb_meta_bg() there is a missing brelse of gdb_bh +in case ext4_journal_get_write_access() fails. +Additionally kvfree() is missing in the same error path. Fix it by +moving the ext4_journal_get_write_access() before the ext4 sb update as +Ted suggested and release n_group_desc and gdb_bh in case it fails. + +Fixes: 61a9c11e5e7a ("ext4: add missing brelse() add_new_gdb_meta_bg()'s error path") +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/resize.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -908,11 +908,18 @@ static int add_new_gdb_meta_bg(struct su + memcpy(n_group_desc, o_group_desc, + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *)); + n_group_desc[gdb_num] = gdb_bh; ++ ++ BUFFER_TRACE(gdb_bh, "get_write_access"); ++ err = ext4_journal_get_write_access(handle, gdb_bh); ++ if (err) { ++ kvfree(n_group_desc); ++ brelse(gdb_bh); ++ return err; ++ } ++ + EXT4_SB(sb)->s_group_desc = n_group_desc; + EXT4_SB(sb)->s_gdb_count++; + ext4_kvfree(o_group_desc); +- BUFFER_TRACE(gdb_bh, "get_write_access"); +- err = ext4_journal_get_write_access(handle, gdb_bh); + return err; + } + diff --git a/queue-3.16/ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch b/queue-3.16/ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch new file mode 100644 index 00000000..1eeac45f --- /dev/null +++ b/queue-3.16/ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch @@ -0,0 +1,65 @@ +From: "zhangyi (F)" <yi.zhang@huawei.com> +Date: Sat, 23 Mar 2019 11:43:05 -0400 +Subject: ext4: brelse all indirect buffer in ext4_ind_remove_space() + +commit 674a2b27234d1b7afcb0a9162e81b2e53aeef217 upstream. + +All indirect buffers get by ext4_find_shared() should be released no +mater the branch should be freed or not. But now, we forget to release +the lower depth indirect buffers when removing space from the same +higher depth indirect block. It will lead to buffer leak and futher +more, it may lead to quota information corruption when using old quota, +consider the following case. + + - Create and mount an empty ext4 filesystem without extent and quota + features, + - quotacheck and enable the user & group quota, + - Create some files and write some data to them, and then punch hole + to some files of them, it may trigger the buffer leak problem + mentioned above. + - Disable quota and run quotacheck again, it will create two new + aquota files and write the checked quota information to them, which + probably may reuse the freed indirect block(the buffer and page + cache was not freed) as data block. + - Enable quota again, it will invoke + vfs_load_quota_inode()->invalidate_bdev() to try to clean unused + buffers and pagecache. Unfortunately, because of the buffer of quota + data block is still referenced, quota code cannot read the up to date + quota info from the device and lead to quota information corruption. + +This problem can be reproduced by xfstests generic/231 on ext3 file +system or ext4 file system without extent and quota features. + +This patch fix this problem by releasing the missing indirect buffers, +in ext4_ind_remove_space(). + +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: zhangyi (F) <yi.zhang@huawei.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Jan Kara <jack@suse.cz> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/indirect.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -1481,10 +1481,14 @@ end_range: + partial->p + 1, + partial2->p, + (chain+n-1) - partial); +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); ++ while (partial > chain) { ++ BUFFER_TRACE(partial->bh, "call brelse"); ++ brelse(partial->bh); ++ } ++ while (partial2 > chain2) { ++ BUFFER_TRACE(partial2->bh, "call brelse"); ++ brelse(partial2->bh); ++ } + return 0; + } + diff --git a/queue-3.16/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch b/queue-3.16/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch new file mode 100644 index 00000000..af31e311 --- /dev/null +++ b/queue-3.16/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch @@ -0,0 +1,74 @@ +From: Lukas Czerner <lczerner@redhat.com> +Date: Thu, 14 Mar 2019 23:20:25 -0400 +Subject: ext4: fix data corruption caused by unaligned direct AIO + +commit 372a03e01853f860560eade508794dd274e9b390 upstream. + +Ext4 needs to serialize unaligned direct AIO because the zeroing of +partial blocks of two competing unaligned AIOs can result in data +corruption. + +However it decides not to serialize if the potentially unaligned aio is +past i_size with the rationale that no pending writes are possible past +i_size. Unfortunately if the i_size is not block aligned and the second +unaligned write lands past i_size, but still into the same block, it has +the potential of corrupting the previous unaligned write to the same +block. + +This is (very simplified) reproducer from Frank + + // 41472 = (10 * 4096) + 512 + // 37376 = 41472 - 4096 + + ftruncate(fd, 41472); + io_prep_pwrite(iocbs[0], fd, buf[0], 4096, 37376); + io_prep_pwrite(iocbs[1], fd, buf[1], 4096, 41472); + + io_submit(io_ctx, 1, &iocbs[1]); + io_submit(io_ctx, 1, &iocbs[2]); + + io_getevents(io_ctx, 2, 2, events, NULL); + +Without this patch the 512B range from 40960 up to the start of the +second unaligned write (41472) is going to be zeroed overwriting the data +written by the first write. This is a data corruption. + +00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +* +00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 +* +0000a000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +* +0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 + +With this patch the data corruption is avoided because we will recognize +the unaligned_aio and wait for the unwritten extent conversion. + +00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +* +00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 +* +0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 +* +0000b200 + +Reported-by: Frank Sorenson <fsorenso@redhat.com> +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Fixes: e9e3bcecf44c ("ext4: serialize unaligned asynchronous DIO") +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -79,7 +79,7 @@ ext4_unaligned_aio(struct inode *inode, + struct super_block *sb = inode->i_sb; + int blockmask = sb->s_blocksize - 1; + +- if (pos >= i_size_read(inode)) ++ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize)) + return 0; + + if ((pos | iov_iter_alignment(from)) & blockmask) diff --git a/queue-3.16/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch b/queue-3.16/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000..e8020f2c --- /dev/null +++ b/queue-3.16/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch @@ -0,0 +1,93 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Thu, 25 Apr 2019 22:24:05 -0700 +Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference + +commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream. + +Syzkaller report this: + + sysctl could not get directory: /net//bridge -12 + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline] + RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline] + RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline] + RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459 + Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48 + RSP: 0018:ffff8881bb507778 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a + RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568 + RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4 + R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + erase_entry fs/proc/proc_sysctl.c:178 [inline] + erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207 + start_unregistering fs/proc/proc_sysctl.c:331 [inline] + drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631 + get_subdir fs/proc/proc_sysctl.c:1022 [inline] + __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 + br_netfilter_init+0x68/0x1000 [br_netfilter] + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle + iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter] + Dumping ftrace buffer: + (ftrace buffer empty) + ---[ end trace 68741688d5fbfe85 ]--- + +commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer +dereference in put_links") forgot to handle start_unregistering() case, +while header->parent is NULL, it calls erase_header() and as seen in the +above syzkaller call trace, accessing &header->parent->root will trigger +a NULL pointer dereference. + +As that commit explained, there is also no need to call +start_unregistering() if header->parent is NULL. + +Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com +Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links") +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Reported-by: Hulk Robot <hulkci@huawei.com> +Reviewed-by: Kees Cook <keescook@chromium.org> +Cc: Luis Chamberlain <mcgrof@kernel.org> +Cc: Alexey Dobriyan <adobriyan@gmail.com> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Cc: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/proc/proc_sysctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1550,9 +1550,11 @@ static void drop_sysctl_table(struct ctl + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + diff --git a/queue-3.16/fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch b/queue-3.16/fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch new file mode 100644 index 00000000..ad54b069 --- /dev/null +++ b/queue-3.16/fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch @@ -0,0 +1,94 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Thu, 28 Mar 2019 20:44:40 -0700 +Subject: fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links + +commit 23da9588037ecdd4901db76a5b79a42b529c4ec3 upstream. + +Syzkaller reports: + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN PTI +CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599 +Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91 +RSP: 0018:ffff8881d828f238 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267 +RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178 +RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259 +R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4 +R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000 +FS: 00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629 + get_subdir fs/proc/proc_sysctl.c:1022 [inline] + __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 + br_netfilter_init+0xbc/0x1000 [br_netfilter] + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 +RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 +Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle + iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73] +Dumping ftrace buffer: + (ftrace buffer empty) +---[ end trace 770020de38961fd0 ]--- + +A new dir entry can be created in get_subdir and its 'header->parent' is +set to NULL. Only after insert_header success, it will be set to 'dir', +otherwise 'header->parent' is set to NULL and drop_sysctl_table is called. +However in err handling path of get_subdir, drop_sysctl_table also be +called on 'new->header' regardless its value of parent pointer. Then +put_links is called, which triggers NULL-ptr deref when access member of +header->parent. + +In fact we have multiple error paths which call drop_sysctl_table() there, +upon failure on insert_links() we also call drop_sysctl_table().And even +in the successful case on __register_sysctl_table() we still always call +drop_sysctl_table().This patch fix it. + +Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Reported-by: Hulk Robot <hulkci@huawei.com> +Acked-by: Luis Chamberlain <mcgrof@kernel.org> +Cc: Kees Cook <keescook@chromium.org> +Cc: Alexey Dobriyan <adobriyan@gmail.com> +Cc: Alexei Starovoitov <ast@kernel.org> +Cc: Daniel Borkmann <daniel@iogearbox.net> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Cc: Eric W. Biederman <ebiederm@xmission.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/proc/proc_sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1550,7 +1550,8 @@ static void drop_sysctl_table(struct ctl + if (--header->nreg) + return; + +- put_links(header); ++ if (parent) ++ put_links(header); + start_unregistering(header); + if (!--header->count) + kfree_rcu(header, rcu); diff --git a/queue-3.16/futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch b/queue-3.16/futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch new file mode 100644 index 00000000..e78ec3ce --- /dev/null +++ b/queue-3.16/futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch @@ -0,0 +1,42 @@ +From: Chen Jie <chenjie6@huawei.com> +Date: Fri, 15 Mar 2019 03:44:38 +0000 +Subject: futex: Ensure that futex address is aligned in handle_futex_death() + +commit 5a07168d8d89b00fe1760120714378175b3ef992 upstream. + +The futex code requires that the user space addresses of futexes are 32bit +aligned. sys_futex() checks this in futex_get_keys() but the robust list +code has no alignment check in place. + +As a consequence the kernel crashes on architectures with strict alignment +requirements in handle_futex_death() when trying to cmpxchg() on an +unaligned futex address which was retrieved from the robust list. + +[ tglx: Rewrote changelog, proper sizeof() based alignement check and add + comment ] + +Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core") +Signed-off-by: Chen Jie <chenjie6@huawei.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: <dvhart@infradead.org> +Cc: <peterz@infradead.org> +Cc: <zengweilin@huawei.com> +Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/futex.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2909,6 +2909,10 @@ int handle_futex_death(u32 __user *uaddr + { + u32 uval, uninitialized_var(nval), mval; + ++ /* Futex address must be 32bit aligned */ ++ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0) ++ return -1; ++ + retry: + if (get_user(uval, uaddr)) + return -1; diff --git a/queue-3.16/gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch b/queue-3.16/gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch new file mode 100644 index 00000000..9583e274 --- /dev/null +++ b/queue-3.16/gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch @@ -0,0 +1,35 @@ +From: Axel Lin <axel.lin@ingics.com> +Date: Mon, 11 Mar 2019 21:29:37 +0800 +Subject: gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input + +commit c5bc6e526d3f217ed2cc3681d256dc4a2af4cc2b upstream. + +Current code test wrong value so it does not verify if the written +data is correctly read back. Fix it. +Also make it return -EPERM if read value does not match written bit, +just like it done for adnp_gpio_direction_output(). + +Fixes: 5e969a401a01 ("gpio: Add Avionic Design N-bit GPIO expander support") +Signed-off-by: Axel Lin <axel.lin@ingics.com> +Reviewed-by: Thierry Reding <thierry.reding@gmail.com> +Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/gpio/gpio-adnp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-adnp.c ++++ b/drivers/gpio/gpio-adnp.c +@@ -140,8 +140,10 @@ static int adnp_gpio_direction_input(str + if (err < 0) + goto out; + +- if (err & BIT(pos)) +- err = -EACCES; ++ if (value & BIT(pos)) { ++ err = -EPERM; ++ goto out; ++ } + + err = 0; + diff --git a/queue-3.16/ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch b/queue-3.16/ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch new file mode 100644 index 00000000..0d648b5f --- /dev/null +++ b/queue-3.16/ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch @@ -0,0 +1,33 @@ +From: Jack Morgenstein <jackm@dev.mellanox.co.il> +Date: Wed, 6 Mar 2019 19:17:56 +0200 +Subject: IB/mlx4: Fix race condition between catas error reset and aliasguid + flows + +commit 587443e7773e150ae29e643ee8f41a1eed226565 upstream. + +Code review revealed a race condition which could allow the catas error +flow to interrupt the alias guid query post mechanism at random points. +Thiis is fixed by doing cancel_delayed_work_sync() instead of +cancel_delayed_work() during the alias guid mechanism destroy flow. + +Fixes: a0c64a17aba8 ("mlx4: Add alias_guid mechanism") +Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> +Signed-off-by: Leon Romanovsky <leonro@mellanox.com> +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/alias_GUID.c ++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c +@@ -579,8 +579,8 @@ void mlx4_ib_destroy_alias_guid_service( + unsigned long flags; + + for (i = 0 ; i < dev->num_ports; i++) { +- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work); + det = &sriov->alias_guid.ports_guid[i]; ++ cancel_delayed_work_sync(&det->alias_guid_work); + spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags); + while (!list_empty(&det->cb_list)) { + cb_ctx = list_entry(det->cb_list.next, diff --git a/queue-3.16/iio-ad_sigma_delta-select-channel-when-reading-register.patch b/queue-3.16/iio-ad_sigma_delta-select-channel-when-reading-register.patch new file mode 100644 index 00000000..9d4096b4 --- /dev/null +++ b/queue-3.16/iio-ad_sigma_delta-select-channel-when-reading-register.patch @@ -0,0 +1,30 @@ +From: Dragos Bogdan <dragos.bogdan@analog.com> +Date: Tue, 19 Mar 2019 12:47:00 +0200 +Subject: iio: ad_sigma_delta: select channel when reading register + +commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream. + +The desired channel has to be selected in order to correctly fill the +buffer with the corresponding data. +The `ad_sd_write_reg()` already does this, but for the +`ad_sd_read_reg_raw()` this was omitted. + +Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com> +Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/adc/ad_sigma_delta.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_ + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); diff --git a/queue-3.16/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch b/queue-3.16/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch new file mode 100644 index 00000000..6a8571cd --- /dev/null +++ b/queue-3.16/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch @@ -0,0 +1,64 @@ +From: Georg Ottinger <g.ottinger@abatec.at> +Date: Wed, 30 Jan 2019 14:42:02 +0100 +Subject: iio: adc: at91: disable adc channel interrupt in timeout case + +commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream. + +Having a brief look at at91_adc_read_raw() it is obvious that in the case +of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is +omitted. If 2 different channels are queried we can end up with a +situation where two interrupts are enabled, but only one interrupt is +cleared in the interrupt handler. Resulting in a interrupt loop and a +system hang. + +Signed-off-by: Georg Ottinger <g.ottinger@abatec.at> +Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/adc/at91_adc.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_ + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; diff --git a/queue-3.16/iio-core-fix-a-possible-circular-locking-dependency.patch b/queue-3.16/iio-core-fix-a-possible-circular-locking-dependency.patch new file mode 100644 index 00000000..85132092 --- /dev/null +++ b/queue-3.16/iio-core-fix-a-possible-circular-locking-dependency.patch @@ -0,0 +1,149 @@ +From: Fabrice Gasnier <fabrice.gasnier@st.com> +Date: Mon, 25 Mar 2019 14:01:23 +0100 +Subject: iio: core: fix a possible circular locking dependency + +commit 7f75591fc5a123929a29636834d1bcb8b5c9fee3 upstream. + +This fixes a possible circular locking dependency detected warning seen +with: +- CONFIG_PROVE_LOCKING=y +- consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc") + +When using the IIO consumer interface, e.g. iio_channel_get(), the consumer +device will likely call iio_read_channel_raw() or similar that rely on +'info_exist_lock' mutex. + +typically: +... + mutex_lock(&chan->indio_dev->info_exist_lock); + if (chan->indio_dev->info == NULL) { + ret = -ENODEV; + goto err_unlock; + } + ret = do_some_ops() +err_unlock: + mutex_unlock(&chan->indio_dev->info_exist_lock); + return ret; +... + +Same mutex is also hold in iio_device_unregister(). + +The following deadlock warning happens when: +- the consumer device has called an API like iio_read_channel_raw() + at least once. +- the consumer driver is unregistered, removed (unbind from sysfs) + +====================================================== +WARNING: possible circular locking dependency detected +4.19.24 #577 Not tainted +------------------------------------------------------ +sh/372 is trying to acquire lock: +(kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84 + +but task is already holding lock: +(&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&dev->info_exist_lock){+.+.}: + __mutex_lock+0x70/0xa3c + mutex_lock_nested+0x1c/0x24 + iio_read_channel_raw+0x1c/0x60 + iio_read_channel_info+0xa8/0xb0 + dev_attr_show+0x1c/0x48 + sysfs_kf_seq_show+0x84/0xec + seq_read+0x154/0x528 + __vfs_read+0x2c/0x15c + vfs_read+0x8c/0x110 + ksys_read+0x4c/0xac + ret_fast_syscall+0x0/0x28 + 0xbedefb60 + +-> #0 (kn->count#30){++++}: + lock_acquire+0xd8/0x268 + __kernfs_remove+0x288/0x374 + kernfs_remove_by_name_ns+0x3c/0x84 + remove_files+0x34/0x78 + sysfs_remove_group+0x40/0x9c + sysfs_remove_groups+0x24/0x34 + device_remove_attrs+0x38/0x64 + device_del+0x11c/0x360 + cdev_device_del+0x14/0x2c + iio_device_unregister+0x24/0x60 + release_nodes+0x1bc/0x200 + device_release_driver_internal+0x1a0/0x230 + unbind_store+0x80/0x130 + kernfs_fop_write+0x100/0x1e4 + __vfs_write+0x2c/0x160 + vfs_write+0xa4/0x17c + ksys_write+0x4c/0xac + ret_fast_syscall+0x0/0x28 + 0xbe906840 + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&dev->info_exist_lock); + lock(kn->count#30); + lock(&dev->info_exist_lock); + lock(kn->count#30); + + *** DEADLOCK *** +... + +cdev_device_del() can be called without holding the lock. It should be safe +as info_exist_lock prevents kernelspace consumers to use the exported +routines during/after provider removal. cdev_device_del() is for userspace. + +Help to reproduce: +See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt +sysv { + compatible = "voltage-divider"; + io-channels = <&adc 0>; + output-ohms = <22>; + full-ohms = <222>; +}; + +First, go to iio:deviceX for the "voltage-divider", do one read: +$ cd /sys/bus/iio/devices/iio:deviceX +$ cat in_voltage0_raw + +Then, unbind the consumer driver. It triggers above deadlock warning. +$ cd /sys/bus/platform/drivers/iio-rescale/ +$ echo sysv > unbind + +Note I don't actually expect stable will pick this up all the +way back into IIO being in staging, but if's probably valid that +far back. + +Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com> +Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister") +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/industrialio-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1195,12 +1195,12 @@ EXPORT_SYMBOL(iio_device_register); + **/ + void iio_device_unregister(struct iio_dev *indio_dev) + { +- mutex_lock(&indio_dev->info_exist_lock); +- + device_del(&indio_dev->dev); + + if (indio_dev->chrdev.dev) + cdev_del(&indio_dev->chrdev); ++ ++ mutex_lock(&indio_dev->info_exist_lock); + iio_device_unregister_debugfs(indio_dev); + + iio_disable_all_buffers(indio_dev); diff --git a/queue-3.16/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch b/queue-3.16/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch new file mode 100644 index 00000000..22ca403d --- /dev/null +++ b/queue-3.16/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch @@ -0,0 +1,36 @@ +From: Jean-Francois Dagenais <jeff.dagenais@gmail.com> +Date: Wed, 6 Mar 2019 15:56:06 -0500 +Subject: iio: dac: mcp4725: add missing powerdown bits in store eeprom + +commit 06003531502d06bc89d32528f6ec96bf978790f9 upstream. + +When issuing the write DAC register and write eeprom command, the two +powerdown bits (PD0 and PD1) are assumed by the chip to be present in +the bytes sent. Leaving them at 0 implies "powerdown disabled" which is +a different state that the current one. By adding the current state of +the powerdown in the i2c write, the chip will correctly power-on exactly +like as it is at the moment of store_eeprom call. + +This is documented in MCP4725's datasheet, FIGURE 6-2: "Write Commands +for DAC Input Register and EEPROM" and MCP4726's datasheet, FIGURE 6-3: +"Write All Memory Command". + +Signed-off-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com> +Acked-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/dac/mcp4725.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/dac/mcp4725.c ++++ b/drivers/iio/dac/mcp4725.c +@@ -86,6 +86,7 @@ static ssize_t mcp4725_store_eeprom(stru + return 0; + + inoutbuf[0] = 0x60; /* write EEPROM */ ++ inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0; + inoutbuf[1] = data->dac_value >> 4; + inoutbuf[2] = (data->dac_value & 0xf) << 4; + diff --git a/queue-3.16/iio-fix-scan-mask-selection.patch b/queue-3.16/iio-fix-scan-mask-selection.patch new file mode 100644 index 00000000..a7513c25 --- /dev/null +++ b/queue-3.16/iio-fix-scan-mask-selection.patch @@ -0,0 +1,38 @@ +From: Lars-Peter Clausen <lars@metafoo.de> +Date: Wed, 20 Feb 2019 17:11:32 +0200 +Subject: iio: Fix scan mask selection + +commit 20ea39ef9f2f911bd01c69519e7d69cfec79fde3 upstream. + +The trialmask is expected to have all bits set to 0 after allocation. +Currently kmalloc_array() is used which does not zero the memory and so +random bits are set. This results in random channels being enabled when +they shouldn't. Replace kmalloc_array() with kcalloc() which has the same +interface but zeros the memory. + +Note the fix is actually required earlier than the below fixes tag, but +will require a manual backport due to move from kmalloc to kmalloc_array. + +Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> +Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com> +Fixes commit 057ac1acdfc4 ("iio: Use kmalloc_array() in iio_scan_mask_set()"). +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/industrialio-buffer.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -836,9 +836,8 @@ int iio_scan_mask_set(struct iio_dev *in + const unsigned long *mask; + unsigned long *trialmask; + +- trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), +- sizeof(*trialmask), +- GFP_KERNEL); ++ trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength), ++ sizeof(*trialmask), GFP_KERNEL); + if (trialmask == NULL) + return -ENOMEM; + if (!indio_dev->masklength) { diff --git a/queue-3.16/iio-use-kmalloc_array-in-iio_scan_mask_set.patch b/queue-3.16/iio-use-kmalloc_array-in-iio_scan_mask_set.patch new file mode 100644 index 00000000..7d3f2c9f --- /dev/null +++ b/queue-3.16/iio-use-kmalloc_array-in-iio_scan_mask_set.patch @@ -0,0 +1,35 @@ +From: Markus Elfring <elfring@users.sourceforge.net> +Date: Fri, 23 Sep 2016 22:30:32 +0200 +Subject: iio: Use kmalloc_array() in iio_scan_mask_set() + +commit 057ac1acdfc4743f066fcefe359385cad00549eb upstream. + +A multiplication for the size determination of a memory allocation +indicated that an array data structure should be processed. +Thus use the corresponding function "kmalloc_array". + +This issue was detected by using the Coccinelle software. + +Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> +Signed-off-by: Jonathan Cameron <jic23@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/industrialio-buffer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -836,10 +836,9 @@ int iio_scan_mask_set(struct iio_dev *in + const unsigned long *mask; + unsigned long *trialmask; + +- trialmask = kmalloc(sizeof(*trialmask)* +- BITS_TO_LONGS(indio_dev->masklength), +- GFP_KERNEL); +- ++ trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), ++ sizeof(*trialmask), ++ GFP_KERNEL); + if (trialmask == NULL) + return -ENOMEM; + if (!indio_dev->masklength) { diff --git a/queue-3.16/iommu-amd-set-exclusion-range-correctly.patch b/queue-3.16/iommu-amd-set-exclusion-range-correctly.patch new file mode 100644 index 00000000..1ae2201d --- /dev/null +++ b/queue-3.16/iommu-amd-set-exclusion-range-correctly.patch @@ -0,0 +1,32 @@ +From: Joerg Roedel <jroedel@suse.de> +Date: Fri, 12 Apr 2019 12:50:31 +0200 +Subject: iommu/amd: Set exclusion range correctly + +commit 3c677d206210f53a4be972211066c0f1cd47fe12 upstream. + +The exlcusion range limit register needs to contain the +base-address of the last page that is part of the range, as +bits 0-11 of this register are treated as 0xfff by the +hardware for comparisons. + +So correctly set the exclusion range in the hardware to the +last page which is _in_ the range. + +Fixes: b2026aa2dce44 ('x86, AMD IOMMU: add functions for programming IOMMU MMIO space') +Signed-off-by: Joerg Roedel <jroedel@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iommu/amd_iommu_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -293,7 +293,7 @@ static void iommu_write_l2(struct amd_io + static void iommu_set_exclusion_range(struct amd_iommu *iommu) + { + u64 start = iommu->exclusion_start & PAGE_MASK; +- u64 limit = (start + iommu->exclusion_length) & PAGE_MASK; ++ u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK; + u64 entry; + + if (!iommu->exclusion_start) diff --git a/queue-3.16/iommu-vt-d-check-capability-before-disabling-protected-memory.patch b/queue-3.16/iommu-vt-d-check-capability-before-disabling-protected-memory.patch new file mode 100644 index 00000000..fdde23a9 --- /dev/null +++ b/queue-3.16/iommu-vt-d-check-capability-before-disabling-protected-memory.patch @@ -0,0 +1,34 @@ +From: Lu Baolu <baolu.lu@linux.intel.com> +Date: Wed, 20 Mar 2019 09:58:33 +0800 +Subject: iommu/vt-d: Check capability before disabling protected memory + +commit 5bb71fc790a88d063507dc5d445ab8b14e845591 upstream. + +The spec states in 10.4.16 that the Protected Memory Enable +Register should be treated as read-only for implementations +not supporting protected memory regions (PLMR and PHMR fields +reported as Clear in the Capability register). + +Cc: Jacob Pan <jacob.jun.pan@linux.intel.com> +Cc: mark gross <mgross@intel.com> +Suggested-by: Ashok Raj <ashok.raj@intel.com> +Fixes: f8bab73515ca5 ("intel-iommu: PMEN support") +Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> +Signed-off-by: Joerg Roedel <jroedel@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iommu/intel-iommu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1394,6 +1394,9 @@ static void iommu_disable_protect_mem_re + u32 pmen; + unsigned long flags; + ++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap)) ++ return; ++ + raw_spin_lock_irqsave(&iommu->register_lock, flags); + pmen = readl(iommu->reg + DMAR_PMEN_REG); + pmen &= ~DMA_PMEN_EPM; diff --git a/queue-3.16/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch b/queue-3.16/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch new file mode 100644 index 00000000..30f22e59 --- /dev/null +++ b/queue-3.16/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch @@ -0,0 +1,149 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Sat, 27 Apr 2019 16:49:06 -0700 +Subject: ipv6/flowlabel: wait rcu grace period before put_pid() + +commit 6c0afef5fb0c27758f4d52b2210c61b6bd8b4470 upstream. + +syzbot was able to catch a use-after-free read in pid_nr_ns() [1] + +ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid +but fl_free() releases fl->owner.pid before rcu grace period is started. + +[1] + +BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407 +Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087 + +CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 + kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 + pid_nr_ns+0x128/0x140 kernel/pid.c:407 + ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794 + seq_read+0xad3/0x1130 fs/seq_file.c:268 + proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227 + do_loop_readv_writev fs/read_write.c:701 [inline] + do_loop_readv_writev fs/read_write.c:688 [inline] + do_iter_read+0x4a9/0x660 fs/read_write.c:922 + vfs_readv+0xf0/0x160 fs/read_write.c:984 + kernel_readv fs/splice.c:358 [inline] + default_file_splice_read+0x475/0x890 fs/splice.c:413 + do_splice_to+0x12a/0x190 fs/splice.c:876 + splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953 + do_splice_direct+0x1da/0x2a0 fs/splice.c:1062 + do_sendfile+0x597/0xd00 fs/read_write.c:1443 + __do_sys_sendfile64 fs/read_write.c:1498 [inline] + __se_sys_sendfile64 fs/read_write.c:1490 [inline] + __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x458da9 +Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 +RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9 +RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007 +RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4 +R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff + +Allocated by task 17543: + save_stack+0x45/0xd0 mm/kasan/common.c:75 + set_track mm/kasan/common.c:87 [inline] + __kasan_kmalloc mm/kasan/common.c:497 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 + kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505 + slab_post_alloc_hook mm/slab.h:437 [inline] + slab_alloc mm/slab.c:3393 [inline] + kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555 + alloc_pid+0x55/0x8f0 kernel/pid.c:168 + copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932 + copy_process kernel/fork.c:1709 [inline] + _do_fork+0x257/0xfd0 kernel/fork.c:2226 + __do_sys_clone kernel/fork.c:2333 [inline] + __se_sys_clone kernel/fork.c:2327 [inline] + __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 7789: + save_stack+0x45/0xd0 mm/kasan/common.c:75 + set_track mm/kasan/common.c:87 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 + __cache_free mm/slab.c:3499 [inline] + kmem_cache_free+0x86/0x260 mm/slab.c:3765 + put_pid.part.0+0x111/0x150 kernel/pid.c:111 + put_pid+0x20/0x30 kernel/pid.c:105 + fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102 + ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152 + call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 + expire_timers kernel/time/timer.c:1362 [inline] + __run_timers kernel/time/timer.c:1681 [inline] + __run_timers kernel/time/timer.c:1649 [inline] + run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 + __do_softirq+0x266/0x95a kernel/softirq.c:293 + +The buggy address belongs to the object at ffff888094012a00 + which belongs to the cache pid_2 of size 88 +The buggy address is located 4 bytes inside of + 88-byte region [ffff888094012a00, ffff888094012a58) +The buggy address belongs to the page: +page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980 +flags: 0x1fffc0000000200(slab) +raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080 +raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc +>ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + ^ + ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc + +Fixes: 4f82f45730c6 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Eric W. Biederman <ebiederm@xmission.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: Move the release_net() call too, not that it does + anything.] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -94,16 +94,22 @@ static struct ip6_flowlabel *fl_lookup(s + return fl; + } + ++static void fl_free_rcu(struct rcu_head *head) ++{ ++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); ++ ++ if (fl->share == IPV6_FL_S_PROCESS) ++ put_pid(fl->owner.pid); ++ release_net(fl->fl_net); ++ kfree(fl->opt); ++ kfree(fl); ++} ++ + + static void fl_free(struct ip6_flowlabel *fl) + { +- if (fl) { +- if (fl->share == IPV6_FL_S_PROCESS) +- put_pid(fl->owner.pid); +- release_net(fl->fl_net); +- kfree(fl->opt); +- kfree_rcu(fl, rcu); +- } ++ if (fl) ++ call_rcu(&fl->rcu, fl_free_rcu); + } + + static void fl_release(struct ip6_flowlabel *fl) diff --git a/queue-3.16/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch b/queue-3.16/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch new file mode 100644 index 00000000..62917ee8 --- /dev/null +++ b/queue-3.16/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch @@ -0,0 +1,34 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Thu, 25 Apr 2019 12:06:54 -0400 +Subject: ipv6: invert flowlabel sharing check in process and user mode + +commit 95c169251bf734aa555a1e8043e4d88ec97a04ec upstream. + +A request for a flowlabel fails in process or user exclusive mode must +fail if the caller pid or uid does not match. Invert the test. + +Previously, the test was unsafe wrt PID recycling, but indeed tested +for inequality: fl1->owner != fl->owner + +Fixes: 4f82f45730c68 ("net ip6 flowlabel: Make owner a union of struct pid* and kuid_t") +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv6/ip6_flowlabel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -630,9 +630,9 @@ recheck: + if (fl1->share == IPV6_FL_S_EXCL || + fl1->share != fl->share || + ((fl1->share == IPV6_FL_S_PROCESS) && +- (fl1->owner.pid == fl->owner.pid)) || ++ (fl1->owner.pid != fl->owner.pid)) || + ((fl1->share == IPV6_FL_S_USER) && +- uid_eq(fl1->owner.uid, fl->owner.uid))) ++ !uid_eq(fl1->owner.uid, fl->owner.uid))) + goto release; + + err = -ENOMEM; diff --git a/queue-3.16/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch b/queue-3.16/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch new file mode 100644 index 00000000..aee61df9 --- /dev/null +++ b/queue-3.16/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch @@ -0,0 +1,57 @@ +From: Masami Hiramatsu <mhiramat@kernel.org> +Date: Sun, 24 Feb 2019 01:50:20 +0900 +Subject: kprobes: Mark ftrace mcount handler functions nokprobe + +commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream. + +Mark ftrace mcount handler functions nokprobe since +probing on these functions with kretprobe pushes +return address incorrectly on kretprobe shadow stack. + +Reported-by: Francis Deslauriers <francis.deslauriers@efficios.com> +Tested-by: Andrea Righi <righi.andrea@gmail.com> +Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> +Acked-by: Steven Rostedt <rostedt@goodmis.org> +Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox +Signed-off-by: Ingo Molnar <mingo@kernel.org> +[bwh: Backported to 3.16: there is no ftrace_ops_assist_func()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -32,6 +32,7 @@ + #include <linux/list.h> + #include <linux/hash.h> + #include <linux/rcupdate.h> ++#include <linux/kprobes.h> + + #include <trace/events/sched.h> + +@@ -4508,7 +4509,7 @@ static struct ftrace_ops control_ops = { + INIT_OPS_HASH(control_ops) + }; + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -4561,11 +4562,13 @@ static void ftrace_ops_list_func(unsigne + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + static void clear_ftrace_swapper(void) diff --git a/queue-3.16/kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch b/queue-3.16/kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch new file mode 100644 index 00000000..b0a4d858 --- /dev/null +++ b/queue-3.16/kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch @@ -0,0 +1,138 @@ +From: Ben Gardon <bgardon@google.com> +Date: Mon, 8 Apr 2019 11:07:30 -0700 +Subject: kvm: mmu: Fix overflow on kvm mmu page limit calculation + +commit bc8a3d8925a8fa09fa550e0da115d95851ce33c6 upstream. + +KVM bases its memory usage limits on the total number of guest pages +across all memslots. However, those limits, and the calculations to +produce them, use 32 bit unsigned integers. This can result in overflow +if a VM has more guest pages that can be represented by a u32. As a +result of this overflow, KVM can use a low limit on the number of MMU +pages it will allocate. This makes KVM unable to map all of guest memory +at once, prompting spurious faults. + +Tested: Ran all kvm-unit-tests on an Intel Haswell machine. This patch + introduced no new failures. + +Signed-off-by: Ben Gardon <bgardon@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/include/asm/kvm_host.h | 12 ++++++------ + arch/x86/kvm/mmu.c | 13 ++++++------- + arch/x86/kvm/mmu.h | 2 +- + arch/x86/kvm/x86.c | 4 ++-- + 4 files changed, 15 insertions(+), 16 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -88,7 +88,7 @@ static inline gfn_t gfn_to_index(gfn_t g + #define IOPL_SHIFT 12 + + #define KVM_PERMILLE_MMU_PAGES 20 +-#define KVM_MIN_ALLOC_MMU_PAGES 64 ++#define KVM_MIN_ALLOC_MMU_PAGES 64UL + #define KVM_MMU_HASH_SHIFT 10 + #define KVM_NUM_MMU_PAGES (1 << KVM_MMU_HASH_SHIFT) + #define KVM_MIN_FREE_MMU_PAGES 5 +@@ -552,9 +552,9 @@ struct kvm_apic_map { + }; + + struct kvm_arch { +- unsigned int n_used_mmu_pages; +- unsigned int n_requested_mmu_pages; +- unsigned int n_max_mmu_pages; ++ unsigned long n_used_mmu_pages; ++ unsigned long n_requested_mmu_pages; ++ unsigned long n_max_mmu_pages; + unsigned int indirect_shadow_pages; + unsigned long mmu_valid_gen; + struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES]; +@@ -810,8 +810,8 @@ void kvm_mmu_write_protect_pt_masked(str + gfn_t gfn_offset, unsigned long mask); + void kvm_mmu_zap_all(struct kvm *kvm); + void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm); +-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm); +-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages); ++unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm); ++void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long kvm_nr_mmu_pages); + + int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3); + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -1492,7 +1492,7 @@ static int is_empty_shadow_page(u64 *spt + * aggregate version in order to make the slab shrinker + * faster + */ +-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr) ++static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr) + { + kvm->arch.n_used_mmu_pages += nr; + percpu_counter_add(&kvm_total_used_mmu_pages, nr); +@@ -2207,7 +2207,7 @@ static bool prepare_zap_oldest_mmu_page( + * Changing the number of mmu pages allocated to the vm + * Note: if goal_nr_mmu_pages is too small, you will get dead lock + */ +-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages) ++void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages) + { + LIST_HEAD(invalid_list); + +@@ -4505,10 +4505,10 @@ nomem: + /* + * Caculate mmu pages needed for kvm. + */ +-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm) ++unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm) + { +- unsigned int nr_mmu_pages; +- unsigned int nr_pages = 0; ++ unsigned long nr_mmu_pages; ++ unsigned long nr_pages = 0; + struct kvm_memslots *slots; + struct kvm_memory_slot *memslot; + +@@ -4518,8 +4518,7 @@ unsigned int kvm_mmu_calculate_mmu_pages + nr_pages += memslot->npages; + + nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000; +- nr_mmu_pages = max(nr_mmu_pages, +- (unsigned int) KVM_MIN_ALLOC_MMU_PAGES); ++ nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES); + + return nr_mmu_pages; + } +--- a/arch/x86/kvm/mmu.h ++++ b/arch/x86/kvm/mmu.h +@@ -81,7 +81,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_ + bool execonly); + bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu); + +-static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm) ++static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm) + { + if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages) + return kvm->arch.n_max_mmu_pages - +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3529,7 +3529,7 @@ static int kvm_vm_ioctl_set_identity_map + } + + static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm, +- u32 kvm_nr_mmu_pages) ++ unsigned long kvm_nr_mmu_pages) + { + if (kvm_nr_mmu_pages < KVM_MIN_ALLOC_MMU_PAGES) + return -EINVAL; +@@ -3543,7 +3543,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages + return 0; + } + +-static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm) ++static unsigned long kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm) + { + return kvm->arch.n_max_mmu_pages; + } diff --git a/queue-3.16/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch b/queue-3.16/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch new file mode 100644 index 00000000..da01bde6 --- /dev/null +++ b/queue-3.16/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch @@ -0,0 +1,73 @@ +From: Sean Christopherson <sean.j.christopherson@intel.com> +Date: Fri, 15 Feb 2019 12:48:39 -0800 +Subject: KVM: Reject device ioctls from processes other than the VM's creator + +commit ddba91801aeb5c160b660caed1800eb3aef403f8 upstream. + +KVM's API requires thats ioctls must be issued from the same process +that created the VM. In other words, userspace can play games with a +VM's file descriptors, e.g. fork(), SCM_RIGHTS, etc..., but only the +creator can do anything useful. Explicitly reject device ioctls that +are issued by a process other than the VM's creator, and update KVM's +API documentation to extend its requirements to device ioctls. + +Fixes: 852b6d57dc7f ("kvm: add device control API") +Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + Documentation/virtual/kvm/api.txt | 16 +++++++++++----- + virt/kvm/kvm_main.c | 3 +++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/Documentation/virtual/kvm/api.txt ++++ b/Documentation/virtual/kvm/api.txt +@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong + + - VM ioctls: These query and set attributes that affect an entire virtual + machine, for example memory layout. In addition a VM ioctl is used to +- create virtual cpus (vcpus). ++ create virtual cpus (vcpus) and devices. + + Only run VM ioctls from the same process (address space) that was used + to create the VM. +@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong + Only run vcpu ioctls from the same thread that was used to create the + vcpu. + ++ - device ioctls: These query and set attributes that control the operation ++ of a single device. ++ ++ device ioctls must be issued from the same process (address space) that ++ was used to create the VM. + + 2. File descriptors + ------------------- +@@ -32,10 +37,11 @@ The kvm API is centered around file desc + open("/dev/kvm") obtains a handle to the kvm subsystem; this handle + can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this + handle will create a VM file descriptor which can be used to issue VM +-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu +-and return a file descriptor pointing to it. Finally, ioctls on a vcpu +-fd can be used to control the vcpu, including the important task of +-actually running guest code. ++ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will ++create a virtual cpu or device and return a file descriptor pointing to ++the new resource. Finally, ioctls on a vcpu or device fd can be used ++to control the vcpu or device. For vcpus, this includes the important ++task of actually running guest code. + + In general file descriptors can be migrated among processes by means + of fork() and the SCM_RIGHTS facility of unix domain socket. These +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2240,6 +2240,9 @@ static long kvm_device_ioctl(struct file + { + struct kvm_device *dev = filp->private_data; + ++ if (dev->kvm->mm != current->mm) ++ return -EIO; ++ + switch (ioctl) { + case KVM_SET_DEVICE_ATTR: + return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg); diff --git a/queue-3.16/kvm-vmx-handle-vmlaunch-vmresume-failure-properly.patch b/queue-3.16/kvm-vmx-handle-vmlaunch-vmresume-failure-properly.patch new file mode 100644 index 00000000..703b84c5 --- /dev/null +++ b/queue-3.16/kvm-vmx-handle-vmlaunch-vmresume-failure-properly.patch @@ -0,0 +1,57 @@ +From: Jim Mattson <jmattson@google.com> +Date: Thu, 14 Sep 2017 16:31:42 -0700 +Subject: kvm: vmx: Handle VMLAUNCH/VMRESUME failure properly + +commit b060ca3b2e9e72ef005e2042476f95ee0b8839e9 upstream. + +On an early VMLAUNCH/VMRESUME failure (i.e. one which sets the +VM-instruction error field of the current VMCS), the launch state of +the current VMCS is not set to "launched," and the VM-exit information +fields of the current VMCS (including IDT-vectoring information and +exit reason) are stale. + +On a late VMLAUNCH/VMRESUME failure (i.e. one which sets the high bit +of the exit reason field), the launch state of the current VMCS is not +set to "launched," and only two of the VM-exit information fields of +the current VMCS are modified (exit reason and exit +qualification). The remaining VM-exit information fields of the +current VMCS (including IDT-vectoring information, in particular) are +stale. + +Signed-off-by: Jim Mattson <jmattson@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kvm/vmx.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7627,12 +7627,6 @@ static void __noclone vmx_vcpu_run(struc + | (1 << VCPU_EXREG_CR3)); + vcpu->arch.regs_dirty = 0; + +- vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD); +- +- vmx->loaded_vmcs->launched = 1; +- +- vmx->exit_reason = vmcs_read32(VM_EXIT_REASON); +- + /* + * the KVM_REQ_EVENT optimization bit is only on for one entry, and if + * we did not inject a still-pending event to L1 now because of +@@ -7642,6 +7636,14 @@ static void __noclone vmx_vcpu_run(struc + kvm_make_request(KVM_REQ_EVENT, vcpu); + + vmx->nested.nested_run_pending = 0; ++ vmx->idt_vectoring_info = 0; ++ ++ vmx->exit_reason = vmx->fail ? 0xdead : vmcs_read32(VM_EXIT_REASON); ++ if (vmx->fail || (vmx->exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY)) ++ return; ++ ++ vmx->loaded_vmcs->launched = 1; ++ vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD); + + vmx_complete_atomic_exit(vmx); + vmx_recover_nmi_blocking(vmx); diff --git a/queue-3.16/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch b/queue-3.16/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch new file mode 100644 index 00000000..454aa962 --- /dev/null +++ b/queue-3.16/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch @@ -0,0 +1,124 @@ +From: Sean Christopherson <sean.j.christopherson@intel.com> +Date: Thu, 7 Mar 2019 15:43:02 -0800 +Subject: KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts + +commit 0cf9135b773bf32fba9dd8e6699c1b331ee4b749 upstream. + +The CPUID flag ARCH_CAPABILITIES is unconditioinally exposed to host +userspace for all x86 hosts, i.e. KVM advertises ARCH_CAPABILITIES +regardless of hardware support under the pretense that KVM fully +emulates MSR_IA32_ARCH_CAPABILITIES. Unfortunately, only VMX hosts +handle accesses to MSR_IA32_ARCH_CAPABILITIES (despite KVM_GET_MSRS +also reporting MSR_IA32_ARCH_CAPABILITIES for all hosts). + +Move the MSR_IA32_ARCH_CAPABILITIES handling to common x86 code so +that it's emulated on AMD hosts. + +Fixes: 1eaafe91a0df4 ("kvm: x86: IA32_ARCH_CAPABILITIES is always supported") +Reported-by: Xiaoyao Li <xiaoyao.li@linux.intel.com> +Cc: Jim Mattson <jmattson@google.com> +Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[bwh: Backported to 3.16: + - Keep using guest_cpuid_has_arch_capabilities() to check the CPUID + - Keep using rdmsrl() to get the initial value of IA32_ARCH_CAPABILITIES + - Adjust filenames, context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/vmx.c | 13 ------------- + arch/x86/kvm/x86.c | 12 ++++++++++++ + 4 files changed, 13 insertions(+), 14 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -363,6 +363,7 @@ struct kvm_vcpu_arch { + int mp_state; + u64 ia32_misc_enable_msr; + bool tpr_access_reporting; ++ u64 arch_capabilities; + + /* + * Paging state of the vcpu +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -433,7 +433,6 @@ struct vcpu_vmx { + u64 msr_guest_kernel_gs_base; + #endif + +- u64 arch_capabilities; + u64 spec_ctrl; + + u32 vm_entry_controls_shadow; +@@ -2481,12 +2480,6 @@ static int vmx_get_msr(struct kvm_vcpu * + + msr_info->data = to_vmx(vcpu)->spec_ctrl; + break; +- case MSR_IA32_ARCH_CAPABILITIES: +- if (!msr_info->host_initiated && +- !guest_cpuid_has_arch_capabilities(vcpu)) +- return 1; +- msr_info->data = to_vmx(vcpu)->arch_capabilities; +- break; + case MSR_IA32_SYSENTER_CS: + msr_info->data = vmcs_read32(GUEST_SYSENTER_CS); + break; +@@ -2636,11 +2629,6 @@ static int vmx_set_msr(struct kvm_vcpu * + vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD, + MSR_TYPE_W); + break; +- case MSR_IA32_ARCH_CAPABILITIES: +- if (!msr_info->host_initiated) +- return 1; +- vmx->arch_capabilities = data; +- break; + case MSR_IA32_CR_PAT: + if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) { + if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) +@@ -4583,9 +4571,6 @@ static int vmx_vcpu_setup(struct vcpu_vm + ++vmx->nmsrs; + } + +- if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) +- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities); +- + vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl); + + /* 22.2.1, 20.8.1 */ +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2089,6 +2089,11 @@ int kvm_set_msr_common(struct kvm_vcpu * + case MSR_F15H_EX_CFG: + break; + ++ case MSR_IA32_ARCH_CAPABILITIES: ++ if (!msr_info->host_initiated) ++ return 1; ++ vcpu->arch.arch_capabilities = data; ++ break; + case MSR_EFER: + return set_efer(vcpu, data); + case MSR_K7_HWCR: +@@ -2479,6 +2484,12 @@ int kvm_get_msr_common(struct kvm_vcpu * + case MSR_IA32_UCODE_REV: + msr_info->data = 0x100000000ULL; + break; ++ case MSR_IA32_ARCH_CAPABILITIES: ++ if (!msr_info->host_initiated && ++ !guest_cpuid_has_arch_capabilities(vcpu)) ++ return 1; ++ msr_info->data = vcpu->arch.arch_capabilities; ++ break; + case MSR_MTRRcap: + msr_info->data = 0x500 | KVM_NR_VAR_MTRR; + break; +@@ -6957,6 +6968,9 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu + { + int r; + ++ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) ++ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ++ vcpu->arch.arch_capabilities); + vcpu->arch.mtrr_state.have_fixed = 1; + r = vcpu_load(vcpu); + if (r) diff --git a/queue-3.16/kvm-x86-ia32_arch_capabilities-is-always-supported.patch b/queue-3.16/kvm-x86-ia32_arch_capabilities-is-always-supported.patch new file mode 100644 index 00000000..6063202b --- /dev/null +++ b/queue-3.16/kvm-x86-ia32_arch_capabilities-is-always-supported.patch @@ -0,0 +1,48 @@ +From: Jim Mattson <jmattson@google.com> +Date: Wed, 9 May 2018 14:29:35 -0700 +Subject: kvm: x86: IA32_ARCH_CAPABILITIES is always supported +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 1eaafe91a0df4157521b6417b3dd8430bf5f52f0 upstream. + +If there is a possibility that a VM may migrate to a Skylake host, +then the hypervisor should report IA32_ARCH_CAPABILITIES.RSBA[bit 2] +as being set (future work, of course). This implies that +CPUID.(EAX=7,ECX=0):EDX.ARCH_CAPABILITIES[bit 29] should be +set. Therefore, kvm should report this CPUID bit as being supported +whether or not the host supports it. Userspace is still free to clear +the bit if it chooses. + +For more information on RSBA, see Intel's white paper, "Retpoline: A +Branch Target Injection Mitigation" (Document Number 337131-001), +currently available at https://bugzilla.kernel.org/show_bug.cgi?id=199511. + +Since the IA32_ARCH_CAPABILITIES MSR is emulated in kvm, there is no +dependency on hardware support for this feature. + +Signed-off-by: Jim Mattson <jmattson@google.com> +Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Fixes: 28c1c9fabf48 ("KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES") +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kvm/cpuid.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -395,6 +395,11 @@ static inline int __do_cpuid_ent(struct + entry->ebx |= F(TSC_ADJUST); + entry->edx &= kvm_cpuid_7_0_edx_x86_features; + cpuid_mask(&entry->edx, 10); ++ /* ++ * We emulate ARCH_CAPABILITIES in software even ++ * if the host doesn't support it. ++ */ ++ entry->edx |= F(ARCH_CAPABILITIES); + } else { + entry->ebx = 0; + entry->edx = 0; diff --git a/queue-3.16/kvm-x86-move-tracepoints-outside-extended-quiescent-state.patch b/queue-3.16/kvm-x86-move-tracepoints-outside-extended-quiescent-state.patch new file mode 100644 index 00000000..8654826e --- /dev/null +++ b/queue-3.16/kvm-x86-move-tracepoints-outside-extended-quiescent-state.patch @@ -0,0 +1,71 @@ +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Thu, 10 Dec 2015 18:37:32 +0100 +Subject: kvm: x86: move tracepoints outside extended quiescent state + +commit 8b89fe1f6c430589122542f228a802d34995bebd upstream. + +Invoking tracepoints within kvm_guest_enter/kvm_guest_exit causes a +lockdep splat. + +Reported-by: Borislav Petkov <bp@alien8.de> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[bwh: Backported to 3.16: we don't have wait_lapic_expire()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3588,6 +3588,8 @@ static int handle_exit(struct kvm_vcpu * + struct kvm_run *kvm_run = vcpu->run; + u32 exit_code = svm->vmcb->control.exit_code; + ++ trace_kvm_exit(exit_code, vcpu, KVM_ISA_SVM); ++ + if (!is_cr_intercept(svm, INTERCEPT_CR0_WRITE)) + vcpu->arch.cr0 = svm->vmcb->save.cr0; + if (npt_enabled) +@@ -4113,8 +4115,6 @@ static void svm_vcpu_run(struct kvm_vcpu + vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp; + vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip; + +- trace_kvm_exit(svm->vmcb->control.exit_code, vcpu, KVM_ISA_SVM); +- + if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI)) + kvm_before_handle_nmi(&svm->vcpu); + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7025,6 +7025,8 @@ static int vmx_handle_exit(struct kvm_vc + u32 exit_reason = vmx->exit_reason; + u32 vectoring_info = vmx->idt_vectoring_info; + ++ trace_kvm_exit(exit_reason, vcpu, KVM_ISA_VMX); ++ + /* If guest state is invalid, start emulating */ + if (vmx->emulation_required) + return handle_invalid_guest_state(vcpu); +@@ -7630,7 +7632,6 @@ static void __noclone vmx_vcpu_run(struc + vmx->loaded_vmcs->launched = 1; + + vmx->exit_reason = vmcs_read32(VM_EXIT_REASON); +- trace_kvm_exit(vmx->exit_reason, vcpu, KVM_ISA_VMX); + + /* + * the KVM_REQ_EVENT optimization bit is only on for one entry, and if +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6211,6 +6211,7 @@ static int vcpu_enter_guest(struct kvm_v + if (req_immediate_exit) + smp_send_reschedule(vcpu->cpu); + ++ trace_kvm_entry(vcpu->vcpu_id); + kvm_guest_enter(); + + if (unlikely(vcpu->arch.switch_db_regs)) { +@@ -6222,7 +6223,6 @@ static int vcpu_enter_guest(struct kvm_v + set_debugreg(vcpu->arch.dr6, 6); + } + +- trace_kvm_entry(vcpu->vcpu_id); + kvm_x86_ops->run(vcpu); + + /* diff --git a/queue-3.16/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch b/queue-3.16/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch new file mode 100644 index 00000000..08614bec --- /dev/null +++ b/queue-3.16/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch @@ -0,0 +1,46 @@ +From: Vitaly Kuznetsov <vkuznets@redhat.com> +Date: Wed, 3 Apr 2019 16:06:42 +0200 +Subject: KVM: x86: svm: make sure NMI is injected after nmi_singlestep + +commit 99c221796a810055974b54c02e8f53297e48d146 upstream. + +I noticed that apic test from kvm-unit-tests always hangs on my EPYC 7401P, +the hanging test nmi-after-sti is trying to deliver 30000 NMIs and tracing +shows that we're sometimes able to deliver a few but never all. + +When we're trying to inject an NMI we may fail to do so immediately for +various reasons, however, we still need to inject it so enable_nmi_window() +arms nmi_singlestep mode. #DB occurs as expected, but we're not checking +for pending NMIs before entering the guest and unless there's a different +event to process, the NMI will never get delivered. + +Make KVM_REQ_EVENT request on the vCPU from db_interception() to make sure +pending NMIs are checked and possibly injected. + +Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kvm/svm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1783,6 +1783,7 @@ static int pf_interception(struct vcpu_s + static int db_interception(struct vcpu_svm *svm) + { + struct kvm_run *kvm_run = svm->vcpu.run; ++ struct kvm_vcpu *vcpu = &svm->vcpu; + + if (!(svm->vcpu.guest_debug & + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) && +@@ -1796,6 +1797,8 @@ static int db_interception(struct vcpu_s + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); ++ /* Make sure we check for pending NMIs upon entry */ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + + if (svm->vcpu.guest_debug & diff --git a/queue-3.16/l2ip-fix-possible-use-after-free.patch b/queue-3.16/l2ip-fix-possible-use-after-free.patch new file mode 100644 index 00000000..3396aecd --- /dev/null +++ b/queue-3.16/l2ip-fix-possible-use-after-free.patch @@ -0,0 +1,80 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 30 Apr 2019 06:27:58 -0700 +Subject: l2ip: fix possible use-after-free + +commit a622b40035d16196bf19b2b33b854862595245fc upstream. + +Before taking a refcount on a rcu protected structure, +we need to make sure the refcount is not zero. + +syzbot reported : + +refcount_t: increment on 0; use-after-free. +WARNING: CPU: 1 PID: 23533 at lib/refcount.c:156 refcount_inc_checked lib/refcount.c:156 [inline] +WARNING: CPU: 1 PID: 23533 at lib/refcount.c:156 refcount_inc_checked+0x61/0x70 lib/refcount.c:154 +Kernel panic - not syncing: panic_on_warn set ... +CPU: 1 PID: 23533 Comm: syz-executor.2 Not tainted 5.1.0-rc7+ #93 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + panic+0x2cb/0x65c kernel/panic.c:214 + __warn.cold+0x20/0x45 kernel/panic.c:571 + report_bug+0x263/0x2b0 lib/bug.c:186 + fixup_bug arch/x86/kernel/traps.c:179 [inline] + fixup_bug arch/x86/kernel/traps.c:174 [inline] + do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 + do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291 + invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 +RIP: 0010:refcount_inc_checked lib/refcount.c:156 [inline] +RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:154 +Code: 1d 98 2b 2a 06 31 ff 89 de e8 db 2c 40 fe 84 db 75 dd e8 92 2b 40 fe 48 c7 c7 20 7a a1 87 c6 05 78 2b 2a 06 01 e8 7d d9 12 fe <0f> 0b eb c1 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 +RSP: 0018:ffff888069f0fba8 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 000000000000f353 RSI: ffffffff815afcb6 RDI: ffffed100d3e1f67 +RBP: ffff888069f0fbb8 R08: ffff88809b1845c0 R09: ffffed1015d23ef1 +R10: ffffed1015d23ef0 R11: ffff8880ae91f787 R12: ffff8880a8f26968 +R13: 0000000000000004 R14: dffffc0000000000 R15: ffff8880a49a6440 + l2tp_tunnel_inc_refcount net/l2tp/l2tp_core.h:240 [inline] + l2tp_tunnel_get+0x250/0x580 net/l2tp/l2tp_core.c:173 + pppol2tp_connect+0xc00/0x1c70 net/l2tp/l2tp_ppp.c:702 + __sys_connect+0x266/0x330 net/socket.c:1808 + __do_sys_connect net/socket.c:1819 [inline] + __se_sys_connect net/socket.c:1816 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:1816 + +Fixes: 54652eb12c1b ("l2tp: hold tunnel while looking up sessions in l2tp_netlink") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Cc: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: use atomic not refcount API] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/l2tp/l2tp_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -217,8 +217,8 @@ struct l2tp_tunnel *l2tp_tunnel_get(cons + + rcu_read_lock_bh(); + list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- if (tunnel->tunnel_id == tunnel_id) { +- l2tp_tunnel_inc_refcount(tunnel); ++ if (tunnel->tunnel_id == tunnel_id && ++ atomic_inc_not_zero(&tunnel->ref_count)) { + rcu_read_unlock_bh(); + + return tunnel; +@@ -238,8 +238,8 @@ struct l2tp_tunnel *l2tp_tunnel_get_nth( + + rcu_read_lock_bh(); + list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- if (++count > nth) { +- l2tp_tunnel_inc_refcount(tunnel); ++ if (++count > nth && ++ atomic_inc_not_zero(&tunnel->ref_count)) { + rcu_read_unlock_bh(); + return tunnel; + } diff --git a/queue-3.16/l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch b/queue-3.16/l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch new file mode 100644 index 00000000..89c39c77 --- /dev/null +++ b/queue-3.16/l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch @@ -0,0 +1,30 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 23 Apr 2019 09:43:26 -0700 +Subject: l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv() + +commit c1c477217882c610a2ba0268f5faf36c9c092528 upstream. + +Canonical way to fetch sk_user_data from an encap_rcv() handler called +from UDP stack in rcu protected section is to use rcu_dereference_sk_user_data(), +otherwise compiler might read it multiple times. + +Fixes: d00fa9adc528 ("il2tp: fix races with tunnel socket close") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: James Chapman <jchapman@katalix.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/l2tp/l2tp_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -997,7 +997,7 @@ int l2tp_udp_encap_recv(struct sock *sk, + { + struct l2tp_tunnel *tunnel; + +- tunnel = l2tp_tunnel(sk); ++ tunnel = rcu_dereference_sk_user_data(sk); + if (tunnel == NULL) + goto pass_up; + diff --git a/queue-3.16/lib-string.c-implement-a-basic-bcmp.patch b/queue-3.16/lib-string.c-implement-a-basic-bcmp.patch new file mode 100644 index 00000000..5ccaa6b3 --- /dev/null +++ b/queue-3.16/lib-string.c-implement-a-basic-bcmp.patch @@ -0,0 +1,102 @@ +From: Nick Desaulniers <ndesaulniers@google.com> +Date: Fri, 5 Apr 2019 18:38:45 -0700 +Subject: lib/string.c: implement a basic bcmp + +commit 5f074f3e192f10c9fade898b9b3b8812e3d83342 upstream. + +A recent optimization in Clang (r355672) lowers comparisons of the +return value of memcmp against zero to comparisons of the return value +of bcmp against zero. This helps some platforms that implement bcmp +more efficiently than memcmp. glibc simply aliases bcmp to memcmp, but +an optimized implementation is in the works. + +This results in linkage failures for all targets with Clang due to the +undefined symbol. For now, just implement bcmp as a tailcail to memcmp +to unbreak the build. This routine can be further optimized in the +future. + +Other ideas discussed: + + * A weak alias was discussed, but breaks for architectures that define + their own implementations of memcmp since aliases to declarations are + not permitted (only definitions). Arch-specific memcmp + implementations typically declare memcmp in C headers, but implement + them in assembly. + + * -ffreestanding also is used sporadically throughout the kernel. + + * -fno-builtin-bcmp doesn't work when doing LTO. + +Link: https://bugs.llvm.org/show_bug.cgi?id=41035 +Link: https://code.woboq.org/userspace/glibc/string/memcmp.c.html#bcmp +Link: https://github.com/llvm/llvm-project/commit/8e16d73346f8091461319a7dfc4ddd18eedcff13 +Link: https://github.com/ClangBuiltLinux/linux/issues/416 +Link: http://lkml.kernel.org/r/20190313211335.165605-1-ndesaulniers@google.com +Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> +Reported-by: Nathan Chancellor <natechancellor@gmail.com> +Reported-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Suggested-by: Arnd Bergmann <arnd@arndb.de> +Suggested-by: James Y Knight <jyknight@google.com> +Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Suggested-by: Nathan Chancellor <natechancellor@gmail.com> +Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> +Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> +Tested-by: Nathan Chancellor <natechancellor@gmail.com> +Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Cc: David Laight <David.Laight@ACULAB.COM> +Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Dan Williams <dan.j.williams@intel.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/string.h | 3 +++ + lib/string.c | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+) + +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -113,6 +113,9 @@ extern void * memscan(void *,int,__kerne + #ifndef __HAVE_ARCH_MEMCMP + extern int memcmp(const void *,const void *,__kernel_size_t); + #endif ++#ifndef __HAVE_ARCH_BCMP ++extern int bcmp(const void *,const void *,__kernel_size_t); ++#endif + #ifndef __HAVE_ARCH_MEMCHR + extern void * memchr(const void *,int,__kernel_size_t); + #endif +--- a/lib/string.c ++++ b/lib/string.c +@@ -776,6 +776,26 @@ __visible int memcmp(const void *cs, con + EXPORT_SYMBOL(memcmp); + #endif + ++#ifndef __HAVE_ARCH_BCMP ++/** ++ * bcmp - returns 0 if and only if the buffers have identical contents. ++ * @a: pointer to first buffer. ++ * @b: pointer to second buffer. ++ * @len: size of buffers. ++ * ++ * The sign or magnitude of a non-zero return value has no particular ++ * meaning, and architectures may implement their own more efficient bcmp(). So ++ * while this particular implementation is a simple (tail) call to memcmp, do ++ * not rely on anything but whether the return value is zero or non-zero. ++ */ ++#undef bcmp ++int bcmp(const void *a, const void *b, size_t len) ++{ ++ return memcmp(a, b, len); ++} ++EXPORT_SYMBOL(bcmp); ++#endif ++ + #ifndef __HAVE_ARCH_MEMSCAN + /** + * memscan - Find a character in an area of memory. diff --git a/queue-3.16/locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch b/queue-3.16/locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch new file mode 100644 index 00000000..1d230e3c --- /dev/null +++ b/queue-3.16/locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch @@ -0,0 +1,58 @@ +From: Frederic Weisbecker <frederic@kernel.org> +Date: Mon, 6 Nov 2017 16:01:17 +0100 +Subject: locking/lockdep: Add IRQs disabled/enabled assertion APIs: + lockdep_assert_irqs_enabled()/disabled() + +commit f54bb2ec02c839f6bfe3e8d438cd93d30b4809dd upstream. + +Checking whether IRQs are enabled or disabled is a very common sanity +check, however not free of overhead especially on fastpath where such +assertion is very common. + +Lockdep is a good host for such concurrency correctness check and it +even already tracks down IRQs disablement state. Just reuse its +machinery. This will allow us to get rid of the flags pop and check +overhead from fast path when kernel is built for production. + +Suggested-by: Peter Zijlstra <peterz@infradead.org> +Signed-off-by: Frederic Weisbecker <frederic@kernel.org> +Acked-by: Thomas Gleixner <tglx@linutronix.de> +Cc: David S . Miller <davem@davemloft.net> +Cc: Lai Jiangshan <jiangshanlai@gmail.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> +Cc: Tejun Heo <tj@kernel.org> +Link: http://lkml.kernel.org/r/1509980490-4285-2-git-send-email-frederic@kernel.org +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/lockdep.h | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/include/linux/lockdep.h ++++ b/include/linux/lockdep.h +@@ -525,9 +525,24 @@ do { \ + lock_acquire(&(lock)->dep_map, 0, 0, 1, 1, NULL, _THIS_IP_); \ + lock_release(&(lock)->dep_map, 0, _THIS_IP_); \ + } while (0) ++ ++#define lockdep_assert_irqs_enabled() do { \ ++ WARN_ONCE(debug_locks && !current->lockdep_recursion && \ ++ !current->hardirqs_enabled, \ ++ "IRQs not enabled as expected\n"); \ ++ } while (0) ++ ++#define lockdep_assert_irqs_disabled() do { \ ++ WARN_ONCE(debug_locks && !current->lockdep_recursion && \ ++ current->hardirqs_enabled, \ ++ "IRQs not disabled as expected\n"); \ ++ } while (0) ++ + #else + # define might_lock(lock) do { } while (0) + # define might_lock_read(lock) do { } while (0) ++# define lockdep_assert_irqs_enabled() do { } while (0) ++# define lockdep_assert_irqs_disabled() do { } while (0) + #endif + + #ifdef CONFIG_PROVE_RCU diff --git a/queue-3.16/mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch b/queue-3.16/mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch new file mode 100644 index 00000000..ddccf795 --- /dev/null +++ b/queue-3.16/mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch @@ -0,0 +1,32 @@ +From: Johannes Berg <johannes.berg@intel.com> +Date: Mon, 15 Apr 2019 11:39:33 +0200 +Subject: mac80211: don't attempt to rename ERR_PTR() debugfs dirs + +commit 517879147493a5e1df6b89a50f708f1133fcaddb upstream. + +We need to dereference the directory to get its parent to +be able to rename it, so it's clearly not safe to try to +do this with ERR_PTR() pointers. Skip in this case. + +It seems that this is most likely what was causing the +report by syzbot, but I'm not entirely sure as it didn't +come with a reproducer this time. + +Reported-by: syzbot+4ece1a28b8f4730547c9@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/mac80211/debugfs_netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/debugfs_netdev.c ++++ b/net/mac80211/debugfs_netdev.c +@@ -735,7 +735,7 @@ void ieee80211_debugfs_rename_netdev(str + + dir = sdata->vif.debugfs_dir; + +- if (!dir) ++ if (IS_ERR_OR_NULL(dir)) + return; + + sprintf(buf, "netdev:%s", sdata->name); diff --git a/queue-3.16/mac8390-fix-mmio-access-size-probe.patch b/queue-3.16/mac8390-fix-mmio-access-size-probe.patch new file mode 100644 index 00000000..90de2cef --- /dev/null +++ b/queue-3.16/mac8390-fix-mmio-access-size-probe.patch @@ -0,0 +1,71 @@ +From: Finn Thain <fthain@telegraphics.com.au> +Date: Sat, 16 Mar 2019 14:21:19 +1100 +Subject: mac8390: Fix mmio access size probe + +commit bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb upstream. + +The bug that Stan reported is as follows. After a restart, a 16-bit NIC +may be incorrectly identified as a 32-bit NIC and stop working. + +mac8390 slot.E: Memory length resource not found, probing +mac8390 slot.E: Farallon EtherMac II-C (type farallon) +mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access. + +The bug never arises after a cold start and only intermittently after a +warm start. (I didn't investigate why the bug is intermittent.) + +It turns out that memcpy_toio() is deprecated and memcmp_withio() also +has issues. Replacing these calls with mmio accessors fixes the problem. + +Reported-and-tested-by: Stan Johnson <userm57@yahoo.com> +Fixes: 2964db0f5904 ("m68k: Mac DP8390 update") +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/8390/mac8390.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/8390/mac8390.c ++++ b/drivers/net/ethernet/8390/mac8390.c +@@ -153,8 +153,6 @@ static void dayna_block_input(struct net + static void dayna_block_output(struct net_device *dev, int count, + const unsigned char *buf, int start_page); + +-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) +- + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ + static void slow_sane_get_8390_hdr(struct net_device *dev, + struct e8390_pkt_hdr *hdr, int ring_page); +@@ -241,19 +239,26 @@ static enum mac8390_type __init mac8390_ + + static enum mac8390_access __init mac8390_testio(volatile unsigned long membase) + { +- unsigned long outdata = 0xA5A0B5B0; +- unsigned long indata = 0x00000000; ++ u32 outdata = 0xA5A0B5B0; ++ u32 indata = 0; ++ + /* Try writing 32 bits */ +- memcpy_toio((void __iomem *)membase, &outdata, 4); +- /* Now compare them */ +- if (memcmp_withio(&outdata, membase, 4) == 0) ++ nubus_writel(outdata, membase); ++ /* Now read it back */ ++ indata = nubus_readl(membase); ++ if (outdata == indata) + return ACCESS_32; ++ ++ outdata = 0xC5C0D5D0; ++ indata = 0; ++ + /* Write 16 bit output */ + word_memcpy_tocard(membase, &outdata, 4); + /* Now read it back */ + word_memcpy_fromcard(&indata, membase, 4); + if (outdata == indata) + return ACCESS_16; ++ + return ACCESS_UNKNOWN; + } + diff --git a/queue-3.16/mips-scall64-o32-fix-indirect-syscall-number-load.patch b/queue-3.16/mips-scall64-o32-fix-indirect-syscall-number-load.patch new file mode 100644 index 00000000..1465d5ec --- /dev/null +++ b/queue-3.16/mips-scall64-o32-fix-indirect-syscall-number-load.patch @@ -0,0 +1,48 @@ +From: Aurelien Jarno <aurelien@aurel32.net> +Date: Tue, 9 Apr 2019 16:53:55 +0200 +Subject: MIPS: scall64-o32: Fix indirect syscall number load +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 79b4a9cf0e2ea8203ce777c8d5cfa86c71eae86e upstream. + +Commit 4c21b8fd8f14 (MIPS: seccomp: Handle indirect system calls (o32)) +added indirect syscall detection for O32 processes running on MIPS64, +but it did not work correctly for big endian kernel/processes. The +reason is that the syscall number is loaded from ARG1 using the lw +instruction while this is a 64-bit value, so zero is loaded instead of +the syscall number. + +Fix the code by using the ld instruction instead. When running a 32-bit +processes on a 64 bit CPU, the values are properly sign-extended, so it +ensures the value passed to syscall_trace_enter is correct. + +Recent systemd versions with seccomp enabled whitelist the getpid +syscall for their internal processes (e.g. systemd-journald), but call +it through syscall(SYS_getpid). This fix therefore allows O32 big endian +systems with a 64-bit kernel to run recent systemd versions. + +Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <jhogan@kernel.org> +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/mips/kernel/scall64-o32.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -124,7 +124,7 @@ trace_a_syscall: + subu t1, v0, __NR_O32_Linux + move a1, v0 + bnez t1, 1f /* __NR_syscall at offset 0 */ +- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ ++ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ + .set pop + + 1: jal syscall_trace_enter diff --git a/queue-3.16/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch b/queue-3.16/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch new file mode 100644 index 00000000..ee648b0d --- /dev/null +++ b/queue-3.16/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch @@ -0,0 +1,46 @@ +From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> +Date: Thu, 18 Apr 2019 17:50:20 -0700 +Subject: mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y + CONFIG_SMP=n + +commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream. + +Commit 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly") +depends on skipping vmstat entries with empty name introduced in +7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in +/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change +semantics of nr_indirectly_reclaimable_bytes"). + +So skipping no longer works and /proc/vmstat has misformatted lines " 0". + +This patch simply shows debug counters "nr_tlb_remote_*" for UP. + +Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz +Fixes: 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly") +Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> +Acked-by: Vlastimil Babka <vbabka@suse.cz> +Cc: Roman Gushchin <guro@fb.com> +Cc: Jann Horn <jannh@google.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + mm/vmstat.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -861,13 +861,8 @@ const char * const vmstat_text[] = { + "thp_zero_page_alloc_failed", + #endif + #ifdef CONFIG_DEBUG_TLBFLUSH +-#ifdef CONFIG_SMP + "nr_tlb_remote_flush", + "nr_tlb_remote_flush_received", +-#else +- "", /* nr_tlb_remote_flush */ +- "", /* nr_tlb_remote_flush_received */ +-#endif /* CONFIG_SMP */ + "nr_tlb_local_flush_all", + "nr_tlb_local_flush_one", + #endif /* CONFIG_DEBUG_TLBFLUSH */ diff --git a/queue-3.16/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch b/queue-3.16/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch new file mode 100644 index 00000000..972e6480 --- /dev/null +++ b/queue-3.16/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch @@ -0,0 +1,37 @@ +From: Liu Jian <liujian56@huawei.com> +Date: Sun, 3 Mar 2019 15:04:18 +0800 +Subject: mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer + +commit d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b upstream. + +In function do_write_buffer(), in the for loop, there is a case +chip_ready() returns 1 while chip_good() returns 0, so it never +break the loop. +To fix this, chip_good() is enough and it should timeout if it stay +bad for a while. + +Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value") +Signed-off-by: Yi Huaijie <yihuaijie@huawei.com> +Signed-off-by: Liu Jian <liujian56@huawei.com> +Reviewed-by: Tokunori Ikegami <ikegami_to@yahoo.co.jp> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1538,7 +1538,11 @@ static int __xipram do_write_buffer(stru + continue; + } + +- if (time_after(jiffies, timeo) && !chip_ready(map, adr)) ++ /* ++ * We check "time_after" and "!chip_good" before checking "chip_good" to avoid ++ * the failure due to scheduling. ++ */ ++ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) + break; + + if (chip_good(map, adr, datum)) { diff --git a/queue-3.16/net-bridge-multicast-use-rcu-to-access-port-list-from.patch b/queue-3.16/net-bridge-multicast-use-rcu-to-access-port-list-from.patch new file mode 100644 index 00000000..9b502604 --- /dev/null +++ b/queue-3.16/net-bridge-multicast-use-rcu-to-access-port-list-from.patch @@ -0,0 +1,39 @@ +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Date: Thu, 11 Apr 2019 15:08:25 +0300 +Subject: net: bridge: multicast: use rcu to access port list from + br_multicast_start_querier + +commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 upstream. + +br_multicast_start_querier() walks over the port list but it can be +called from a timer with only multicast_lock held which doesn't protect +the port list, so use RCU to walk over it. + +Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires") +Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bridge/br_multicast.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2036,7 +2036,8 @@ static void br_multicast_start_querier(s + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -2048,6 +2049,7 @@ static void br_multicast_start_querier(s + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) diff --git a/queue-3.16/net-mac8390-use-standard-memcpy_-from-to-io.patch b/queue-3.16/net-mac8390-use-standard-memcpy_-from-to-io.patch new file mode 100644 index 00000000..b4d8b199 --- /dev/null +++ b/queue-3.16/net-mac8390-use-standard-memcpy_-from-to-io.patch @@ -0,0 +1,81 @@ +From: Geert Uytterhoeven <geert@linux-m68k.org> +Date: Tue, 26 Jun 2018 20:32:22 +0200 +Subject: net: mac8390: Use standard memcpy_{from,to}io() + +commit 4042cd756e193f49469d31a23d5b85c4dca2a3b6 upstream. + +The mac8390 driver defines its own variants of memcpy_fromio() and +memcpy_toio(), using similar implementations, but different function +signatures. + +Remove the custom definitions of memcpy_fromio() and memcpy_toio(), and +adjust all callers to the standard signatures. + +Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> +Acked-by: David S. Miller <davem@davemloft.net> +Acked-by: Greg Ungerer <gerg@linux-m68k.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/8390/mac8390.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/8390/mac8390.c ++++ b/drivers/net/ethernet/8390/mac8390.c +@@ -153,9 +153,6 @@ static void dayna_block_input(struct net + static void dayna_block_output(struct net_device *dev, int count, + const unsigned char *buf, int start_page); + +-#define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c)) +-#define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c)) +- + #define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) + + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ +@@ -247,7 +244,7 @@ static enum mac8390_access __init mac839 + unsigned long outdata = 0xA5A0B5B0; + unsigned long indata = 0x00000000; + /* Try writing 32 bits */ +- memcpy_toio(membase, &outdata, 4); ++ memcpy_toio((void __iomem *)membase, &outdata, 4); + /* Now compare them */ + if (memcmp_withio(&outdata, membase, 4) == 0) + return ACCESS_32; +@@ -742,7 +739,7 @@ static void sane_get_8390_hdr(struct net + struct e8390_pkt_hdr *hdr, int ring_page) + { + unsigned long hdr_start = (ring_page - WD_START_PG)<<8; +- memcpy_fromio(hdr, dev->mem_start + hdr_start, 4); ++ memcpy_fromio(hdr, (void __iomem *)dev->mem_start + hdr_start, 4); + /* Fix endianness */ + hdr->count = swab16(hdr->count); + } +@@ -756,13 +753,16 @@ static void sane_block_input(struct net_ + if (xfer_start + count > ei_status.rmem_end) { + /* We must wrap the input move. */ + int semi_count = ei_status.rmem_end - xfer_start; +- memcpy_fromio(skb->data, dev->mem_start + xfer_base, ++ memcpy_fromio(skb->data, ++ (void __iomem *)dev->mem_start + xfer_base, + semi_count); + count -= semi_count; +- memcpy_fromio(skb->data + semi_count, ei_status.rmem_start, +- count); ++ memcpy_fromio(skb->data + semi_count, ++ (void __iomem *)ei_status.rmem_start, count); + } else { +- memcpy_fromio(skb->data, dev->mem_start + xfer_base, count); ++ memcpy_fromio(skb->data, ++ (void __iomem *)dev->mem_start + xfer_base, ++ count); + } + } + +@@ -771,7 +771,7 @@ static void sane_block_output(struct net + { + long shmem = (start_page - WD_START_PG)<<8; + +- memcpy_toio(dev->mem_start + shmem, buf, count); ++ memcpy_toio((void __iomem *)dev->mem_start + shmem, buf, count); + } + + /* dayna block input/output */ diff --git a/queue-3.16/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch b/queue-3.16/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch new file mode 100644 index 00000000..a56eee60 --- /dev/null +++ b/queue-3.16/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch @@ -0,0 +1,39 @@ +From: Heiner Kallweit <hkallweit1@gmail.com> +Date: Fri, 22 Mar 2019 20:00:20 +0100 +Subject: net: phy: don't clear BMCR in genphy_soft_reset + +commit d29f5aa0bc0c321e1b9e4658a2a7e08e885da52a upstream. + +So far we effectively clear the BMCR register. Some PHY's can deal +with this (e.g. because they reset BMCR to a default as part of a +soft-reset) whilst on others this causes issues because e.g. the +autoneg bit is cleared. Marvell is an example, see also thread [0]. +So let's be a little bit more gentle and leave all bits we're not +interested in as-is. This change is needed for PHY drivers to +properly deal with the original patch. + +[0] https://marc.info/?t=155264050700001&r=1&w=2 + +Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") +Tested-by: Phil Reid <preid@electromag.com.au> +Tested-by: liweihang <liweihang@hisilicon.com> +Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: open-code phy_set_bits()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1072,7 +1072,10 @@ int genphy_soft_reset(struct phy_device + { + int ret; + +- ret = phy_write(phydev, MII_BMCR, BMCR_RESET); ++ ret = phy_read(phydev, MII_BMCR); ++ if (ret < 0) ++ return ret; ++ ret = phy_write(phydev, MII_BMCR, ret | BMCR_RESET); + if (ret < 0) + return ret; + diff --git a/queue-3.16/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch b/queue-3.16/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch new file mode 100644 index 00000000..dabf0353 --- /dev/null +++ b/queue-3.16/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch @@ -0,0 +1,177 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 24 Apr 2019 05:35:00 -0700 +Subject: net/rose: fix unbound loop in rose_loopback_timer() + +commit 0453c682459583910d611a96de928f4442205493 upstream. + +This patch adds a limit on the number of skbs that fuzzers can queue +into loopback_queue. 1000 packets for rose loopback seems more than enough. + +Then, since we now have multiple cpus in most linux hosts, +we also need to limit the number of skbs rose_loopback_timer() +can dequeue at each round. + +rose_loopback_queue() can be drop-monitor friendly, calling +consume_skb() or kfree_skb() appropriately. + +Finally, use mod_timer() instead of del_timer() + add_timer() + +syzbot report was : + +rcu: INFO: rcu_preempt self-detected stall on CPU +rcu: 0-...!: (10499 ticks this GP) idle=536/1/0x4000000000000002 softirq=103291/103291 fqs=34 +rcu: (t=10500 jiffies g=140321 q=323) +rcu: rcu_preempt kthread starved for 10426 jiffies! g140321 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=1 +rcu: RCU grace-period kthread stack dump: +rcu_preempt I29168 10 2 0x80000000 +Call Trace: + context_switch kernel/sched/core.c:2877 [inline] + __schedule+0x813/0x1cc0 kernel/sched/core.c:3518 + schedule+0x92/0x180 kernel/sched/core.c:3562 + schedule_timeout+0x4db/0xfd0 kernel/time/timer.c:1803 + rcu_gp_fqs_loop kernel/rcu/tree.c:1971 [inline] + rcu_gp_kthread+0x962/0x17b0 kernel/rcu/tree.c:2128 + kthread+0x357/0x430 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 +NMI backtrace for cpu 0 +CPU: 0 PID: 7632 Comm: kworker/0:4 Not tainted 5.1.0-rc5+ #172 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events iterate_cleanup_work +Call Trace: + <IRQ> + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101 + nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62 + arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 + trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline] + rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1223 + print_cpu_stall kernel/rcu/tree.c:1360 [inline] + check_cpu_stall kernel/rcu/tree.c:1434 [inline] + rcu_pending kernel/rcu/tree.c:3103 [inline] + rcu_sched_clock_irq.cold+0x500/0xa4a kernel/rcu/tree.c:2544 + update_process_times+0x32/0x80 kernel/time/timer.c:1635 + tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161 + tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271 + __run_hrtimer kernel/time/hrtimer.c:1389 [inline] + __hrtimer_run_queues+0x33e/0xde0 kernel/time/hrtimer.c:1451 + hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509 + local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline] + smp_apic_timer_interrupt+0x120/0x570 arch/x86/kernel/apic/apic.c:1060 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807 +RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:95 +Code: 89 25 b4 6e ec 08 41 bc f4 ff ff ff e8 cd 5d ea ff 48 c7 05 9e 6e ec 08 00 00 00 00 e9 a4 e9 ff ff 90 90 90 90 90 90 90 90 90 <55> 48 89 e5 48 8b 75 08 65 48 8b 04 25 00 ee 01 00 65 8b 15 c8 60 +RSP: 0018:ffff8880ae807ce0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 +RAX: ffff88806fd40640 RBX: dffffc0000000000 RCX: ffffffff863fbc56 +RDX: 0000000000000100 RSI: ffffffff863fbc1d RDI: ffff88808cf94228 +RBP: ffff8880ae807d10 R08: ffff88806fd40640 R09: ffffed1015d00f8b +R10: ffffed1015d00f8a R11: 0000000000000003 R12: ffff88808cf941c0 +R13: 00000000fffff034 R14: ffff8882166cd840 R15: 0000000000000000 + rose_loopback_timer+0x30d/0x3f0 net/rose/rose_loopback.c:91 + call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 + expire_timers kernel/time/timer.c:1362 [inline] + __run_timers kernel/time/timer.c:1681 [inline] + __run_timers kernel/time/timer.c:1649 [inline] + run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 + __do_softirq+0x266/0x95a kernel/softirq.c:293 + do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: Also move assignments to + loopback_timer.{data,function} into rose_loopback_init(), done upstream + in commit 4966babd904d "net/rose: Convert timers to use timer_setup()".] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/rose/rose_loopback.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/net/rose/rose_loopback.c ++++ b/net/rose/rose_loopback.c +@@ -16,15 +16,19 @@ + #include <linux/init.h> + + static struct sk_buff_head loopback_queue; ++#define ROSE_LOOPBACK_LIMIT 1000 + static struct timer_list loopback_timer; + + static void rose_set_loopback_timer(void); ++static void rose_loopback_timer(unsigned long); + + void rose_loopback_init(void) + { + skb_queue_head_init(&loopback_queue); + + init_timer(&loopback_timer); ++ loopback_timer.data = 0; ++ loopback_timer.function = &rose_loopback_timer; + } + + static int rose_loopback_running(void) +@@ -34,33 +38,27 @@ static int rose_loopback_running(void) + + int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh) + { +- struct sk_buff *skbn; ++ struct sk_buff *skbn = NULL; + +- skbn = skb_clone(skb, GFP_ATOMIC); ++ if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT) ++ skbn = skb_clone(skb, GFP_ATOMIC); + +- kfree_skb(skb); +- +- if (skbn != NULL) { ++ if (skbn) { ++ consume_skb(skb); + skb_queue_tail(&loopback_queue, skbn); + + if (!rose_loopback_running()) + rose_set_loopback_timer(); ++ } else { ++ kfree_skb(skb); + } + + return 1; + } + +-static void rose_loopback_timer(unsigned long); +- + static void rose_set_loopback_timer(void) + { +- del_timer(&loopback_timer); +- +- loopback_timer.data = 0; +- loopback_timer.function = &rose_loopback_timer; +- loopback_timer.expires = jiffies + 10; +- +- add_timer(&loopback_timer); ++ mod_timer(&loopback_timer, jiffies + 10); + } + + static void rose_loopback_timer(unsigned long param) +@@ -71,8 +69,12 @@ static void rose_loopback_timer(unsigned + struct sock *sk; + unsigned short frametype; + unsigned int lci_i, lci_o; ++ int count; + +- while ((skb = skb_dequeue(&loopback_queue)) != NULL) { ++ for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) { ++ skb = skb_dequeue(&loopback_queue); ++ if (!skb) ++ return; + if (skb->len < ROSE_MIN_LEN) { + kfree_skb(skb); + continue; +@@ -109,6 +111,8 @@ static void rose_loopback_timer(unsigned + kfree_skb(skb); + } + } ++ if (!skb_queue_empty(&loopback_queue)) ++ mod_timer(&loopback_timer, jiffies + 1); + } + + void __exit rose_loopback_clear(void) diff --git a/queue-3.16/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch b/queue-3.16/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch new file mode 100644 index 00000000..2114c3f0 --- /dev/null +++ b/queue-3.16/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch @@ -0,0 +1,60 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Tue, 19 Mar 2019 10:16:53 +0800 +Subject: net-sysfs: call dev_hold if kobject_init_and_add success + +commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e upstream. + +In netdev_queue_add_kobject and rx_queue_add_kobject, +if sysfs_create_group failed, kobject_put will call +netdev_queue_release to decrease dev refcont, however +dev_hold has not be called. So we will see this while +unregistering dev: + +unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 + +Reported-by: Hulk Robot <hulkci@huawei.com> +Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/core/net-sysfs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -788,6 +788,8 @@ static int rx_queue_add_kobject(struct n + if (error) + return error; + ++ dev_hold(queue->dev); ++ + if (net->sysfs_rx_queue_group) { + error = sysfs_create_group(kobj, net->sysfs_rx_queue_group); + if (error) { +@@ -797,7 +799,6 @@ static int rx_queue_add_kobject(struct n + } + + kobject_uevent(kobj, KOBJ_ADD); +- dev_hold(queue->dev); + + return error; + } +@@ -1146,6 +1147,8 @@ static int netdev_queue_add_kobject(stru + if (error) + return error; + ++ dev_hold(queue->dev); ++ + #ifdef CONFIG_BQL + error = sysfs_create_group(kobj, &dql_group); + if (error) { +@@ -1155,7 +1158,6 @@ static int netdev_queue_add_kobject(stru + #endif + + kobject_uevent(kobj, KOBJ_ADD); +- dev_hold(queue->dev); + + return 0; + } diff --git a/queue-3.16/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch b/queue-3.16/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch new file mode 100644 index 00000000..8cb96064 --- /dev/null +++ b/queue-3.16/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch @@ -0,0 +1,84 @@ +From: Wang Hai <wanghai26@huawei.com> +Date: Wed, 20 Mar 2019 14:25:05 -0400 +Subject: net-sysfs: Fix memory leak in netdev_register_kobject + +commit 6b70fc94afd165342876e53fc4b2f7d085009945 upstream. + +When registering struct net_device, it will call + register_netdevice -> + netdev_register_kobject -> + device_initialize(dev); + dev_set_name(dev, "%s", ndev->name) + device_add(dev) + register_queue_kobjects(ndev) + +In netdev_register_kobject(), if device_add(dev) or +register_queue_kobjects(ndev) failed. Register_netdevice() +will return error, causing netdev_freemem(ndev) to be +called to free net_device, however put_device(&dev->dev)->..-> +kobject_cleanup() won't be called, resulting in a memory leak. + +syzkaller report this: +BUG: memory leak +unreferenced object 0xffff8881f4fad168 (size 8): +comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) +hex dump (first 8 bytes): + 77 70 61 6e 30 00 ff ff wpan0... +backtrace: + [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 + [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 + [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 + [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 + [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 + [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 + [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] + [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] + [<00000000e4b3df51>] 0xffffffffc1500e0e + [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 + [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 + [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 + [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 + [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 + [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 + [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 + +Reported-by: Hulk Robot <hulkci@huawei.com> +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Hai <wanghai26@huawei.com> +Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Reviewed-by: Stephen Hemminger <stephen@networkplumber.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/core/net-sysfs.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1378,16 +1378,20 @@ int netdev_register_kobject(struct net_d + + error = device_add(dev); + if (error) +- return error; ++ goto error_put_device; + + error = register_queue_kobjects(net); +- if (error) { +- device_del(dev); +- return error; +- } ++ if (error) ++ goto error_device_del; + + pm_runtime_set_memalloc_noio(dev, true); + ++ return 0; ++ ++error_device_del: ++ device_del(dev); ++error_put_device: ++ put_device(dev); + return error; + } + diff --git a/queue-3.16/net-xfrm-add-_rcu-tag-for-rcu-protected-pointer-in-netns_xfrm.patch b/queue-3.16/net-xfrm-add-_rcu-tag-for-rcu-protected-pointer-in-netns_xfrm.patch new file mode 100644 index 00000000..6355269a --- /dev/null +++ b/queue-3.16/net-xfrm-add-_rcu-tag-for-rcu-protected-pointer-in-netns_xfrm.patch @@ -0,0 +1,122 @@ +From: Su Yanjun <suyj.fnst@cn.fujitsu.com> +Date: Wed, 6 Mar 2019 20:54:08 -0500 +Subject: net: xfrm: Add '_rcu' tag for rcu protected pointer in netns_xfrm + +commit f10e0010fae8174dc20bdc872bcaa85baa925cb7 upstream. + +For rcu protected pointers, we'd better add '__rcu' for them. + +Once added '__rcu' tag for rcu protected pointer, the sparse tool reports +warnings. + +net/xfrm/xfrm_user.c:1198:39: sparse: expected struct sock *sk +net/xfrm/xfrm_user.c:1198:39: sparse: got struct sock [noderef] <asn:4> *nlsk +[...] + +So introduce a new wrapper function of nlmsg_unicast to handle type +conversions. + +This patch also fixes a direct access of a rcu protected socket. + +Fixes: be33690d8fcf("[XFRM]: Fix aevent related crash") +Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/net/netns/xfrm.h | 2 +- + net/xfrm/xfrm_user.c | 30 +++++++++++++++++++++++------- + 2 files changed, 24 insertions(+), 8 deletions(-) + +--- a/include/net/netns/xfrm.h ++++ b/include/net/netns/xfrm.h +@@ -43,7 +43,7 @@ struct netns_xfrm { + struct work_struct policy_hash_work; + + +- struct sock *nlsk; ++ struct sock __rcu *nlsk; + struct sock *nlsk_stash; + + u32 sysctl_aevent_etime; +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -973,6 +973,22 @@ static inline int xfrm_nlmsg_multicast(s + return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); + } + ++/* A similar wrapper like xfrm_nlmsg_multicast checking that nlsk is still ++ * available. ++ */ ++static inline int xfrm_nlmsg_unicast(struct net *net, struct sk_buff *skb, ++ u32 pid) ++{ ++ struct sock *nlsk = rcu_dereference(net->xfrm.nlsk); ++ ++ if (!nlsk) { ++ kfree_skb(skb); ++ return -EPIPE; ++ } ++ ++ return nlmsg_unicast(nlsk, skb, pid); ++} ++ + static inline size_t xfrm_spdinfo_msgsize(void) + { + return NLMSG_ALIGN(4) +@@ -1033,7 +1049,7 @@ static int xfrm_get_spdinfo(struct sk_bu + if (build_spdinfo(r_skb, net, sportid, seq, *flags) < 0) + BUG(); + +- return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); ++ return xfrm_nlmsg_unicast(net, r_skb, sportid); + } + + static inline size_t xfrm_sadinfo_msgsize(void) +@@ -1090,7 +1106,7 @@ static int xfrm_get_sadinfo(struct sk_bu + if (build_sadinfo(r_skb, net, sportid, seq, *flags) < 0) + BUG(); + +- return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); ++ return xfrm_nlmsg_unicast(net, r_skb, sportid); + } + + static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -1110,7 +1126,7 @@ static int xfrm_get_sa(struct sk_buff *s + if (IS_ERR(resp_skb)) { + err = PTR_ERR(resp_skb); + } else { +- err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); ++ err = xfrm_nlmsg_unicast(net, resp_skb, NETLINK_CB(skb).portid); + } + xfrm_state_put(x); + out_noput: +@@ -1168,7 +1184,7 @@ static int xfrm_alloc_userspi(struct sk_ + goto out; + } + +- err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); ++ err = xfrm_nlmsg_unicast(net, resp_skb, NETLINK_CB(skb).portid); + + out: + xfrm_state_put(x); +@@ -1692,8 +1708,8 @@ static int xfrm_get_policy(struct sk_buf + if (IS_ERR(resp_skb)) { + err = PTR_ERR(resp_skb); + } else { +- err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, +- NETLINK_CB(skb).portid); ++ err = xfrm_nlmsg_unicast(net, resp_skb, ++ NETLINK_CB(skb).portid); + } + } else { + xfrm_audit_policy_delete(xp, err ? 0 : 1, true); +@@ -1846,7 +1862,7 @@ static int xfrm_get_ae(struct sk_buff *s + + if (build_aevent(r_skb, x, &c) < 0) + BUG(); +- err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); ++ err = xfrm_nlmsg_unicast(net, r_skb, NETLINK_CB(skb).portid); + spin_unlock_bh(&x->lock); + xfrm_state_put(x); + return err; diff --git a/queue-3.16/netfilter-bridge-set-skb-transport_header-before-entering.patch b/queue-3.16/netfilter-bridge-set-skb-transport_header-before-entering.patch new file mode 100644 index 00000000..a6311583 --- /dev/null +++ b/queue-3.16/netfilter-bridge-set-skb-transport_header-before-entering.patch @@ -0,0 +1,44 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Wed, 13 Mar 2019 16:33:29 +0800 +Subject: netfilter: bridge: set skb transport_header before entering + NF_INET_PRE_ROUTING + +commit e166e4fdaced850bee3d5ee12a5740258fb30587 upstream. + +Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"), +skb->transport_header has been always set before entering INET +netfilter. This patch is to set skb->transport_header for bridge +before entering INET netfilter by bridge-nf-call-iptables. + +It also fixes an issue that sctp_error() couldn't compute a right +csum due to unset skb->transport_header. + +Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") +Reported-by: Li Shuang <shuali@redhat.com> +Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Acked-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: adjust filenames, context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/bridge/br_netfilter.c ++++ b/net/bridge/br_netfilter.c +@@ -659,6 +659,8 @@ static unsigned int br_nf_pre_routing_ip + return NF_DROP; + + skb->protocol = htons(ETH_P_IPV6); ++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); ++ + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, + br_nf_pre_routing_finish_ipv6); + +@@ -715,6 +717,7 @@ static unsigned int br_nf_pre_routing(co + return NF_DROP; + store_orig_dstaddr(skb); + skb->protocol = htons(ETH_P_IP); ++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; + + NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, + br_nf_pre_routing_finish); diff --git a/queue-3.16/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-3.16/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch new file mode 100644 index 00000000..9b80978d --- /dev/null +++ b/queue-3.16/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch @@ -0,0 +1,30 @@ +From: Florian Westphal <fw@strlen.de> +Date: Mon, 15 Apr 2019 00:43:00 +0200 +Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON + +commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream. + +It means userspace gave us a ruleset where there is some other +data after the ebtables target but before the beginning of the next rule. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bridge/netfilter/ebtables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2011,7 +2011,8 @@ static int ebt_size_mwt(struct compat_eb + if (match_kern) + match_kern->match_size = ret; + +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ /* rule should have no remaining data after target */ ++ if (type == EBT_COMPAT_TARGET && size_left) + return -EINVAL; + + match32 = (struct compat_ebt_entry_mwt *) buf; diff --git a/queue-3.16/nfs-fix-mount-umount-race-in-nlmclnt.patch b/queue-3.16/nfs-fix-mount-umount-race-in-nlmclnt.patch new file mode 100644 index 00000000..3473cc3a --- /dev/null +++ b/queue-3.16/nfs-fix-mount-umount-race-in-nlmclnt.patch @@ -0,0 +1,44 @@ +From: NeilBrown <neilb@suse.com> +Date: Tue, 19 Mar 2019 11:33:24 +1100 +Subject: NFS: fix mount/umount race in nlmclnt. + +commit 4a9be28c45bf02fa0436808bb6c0baeba30e120e upstream. + +If the last NFSv3 unmount from a given host races with a mount from the +same host, we can destroy an nlm_host that is still in use. + +Specifically nlmclnt_lookup_host() can increment h_count on +an nlm_host that nlmclnt_release_host() has just successfully called +refcount_dec_and_test() on. +Once nlmclnt_lookup_host() drops the mutex, nlm_destroy_host_lock() +will be called to destroy the nlmclnt which is now in use again. + +The cause of the problem is that the dec_and_test happens outside the +locked region. This is easily fixed by using +refcount_dec_and_mutex_lock(). + +Fixes: 8ea6ecc8b075 ("lockd: Create client-side nlm_host cache") +Signed-off-by: NeilBrown <neilb@suse.com> +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> +[bwh: Backported to 3.16: use atomic instead of refcount API] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/lockd/host.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/lockd/host.c ++++ b/fs/lockd/host.c +@@ -288,12 +288,11 @@ void nlmclnt_release_host(struct nlm_hos + + WARN_ON_ONCE(host->h_server); + +- if (atomic_dec_and_test(&host->h_count)) { ++ if (atomic_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) { + WARN_ON_ONCE(!list_empty(&host->h_lockowners)); + WARN_ON_ONCE(!list_empty(&host->h_granted)); + WARN_ON_ONCE(!list_empty(&host->h_reclaim)); + +- mutex_lock(&nlm_host_mutex); + nlm_destroy_host_locked(host); + mutex_unlock(&nlm_host_mutex); + } diff --git a/queue-3.16/packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch b/queue-3.16/packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch new file mode 100644 index 00000000..20cd8f05 --- /dev/null +++ b/queue-3.16/packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch @@ -0,0 +1,61 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Mon, 29 Apr 2019 11:46:55 -0400 +Subject: packet: in recvmsg msg_name return at least sizeof sockaddr_ll + +commit b2cf86e1563e33a14a1c69b3e508d15dc12f804c upstream. + +Packet send checks that msg_name is at least sizeof sockaddr_ll. +Packet recv must return at least this length, so that its output +can be passed unmodified to packet send. + +This ceased to be true since adding support for lladdr longer than +sll_addr. Since, the return value uses true address length. + +Always return at least sizeof sockaddr_ll, even if address length +is shorter. Zero the padding bytes. + +Change v1->v2: do not overwrite zeroed padding again. use copy_len. + +Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") +Suggested-by: David Laight <David.Laight@aculab.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/packet/af_packet.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3027,19 +3027,28 @@ static int packet_recvmsg(struct kiocb * + sock_recv_ts_and_drops(msg, sk, skb); + + if (msg->msg_name) { ++ int copy_len; ++ + /* If the address length field is there to be filled + * in, we fill it in now. + */ + if (sock->type == SOCK_PACKET) { + __sockaddr_check_size(sizeof(struct sockaddr_pkt)); + msg->msg_namelen = sizeof(struct sockaddr_pkt); ++ copy_len = msg->msg_namelen; + } else { + struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; + msg->msg_namelen = sll->sll_halen + + offsetof(struct sockaddr_ll, sll_addr); ++ copy_len = msg->msg_namelen; ++ if (msg->msg_namelen < sizeof(struct sockaddr_ll)) { ++ memset(msg->msg_name + ++ offsetof(struct sockaddr_ll, sll_addr), ++ 0, sizeof(sll->sll_addr)); ++ msg->msg_namelen = sizeof(struct sockaddr_ll); ++ } + } +- memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, +- msg->msg_namelen); ++ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); + } + + if (pkt_sk(sk)->auxdata) { diff --git a/queue-3.16/packet-validate-msg_namelen-in-send-directly.patch b/queue-3.16/packet-validate-msg_namelen-in-send-directly.patch new file mode 100644 index 00000000..cd6aa3bb --- /dev/null +++ b/queue-3.16/packet-validate-msg_namelen-in-send-directly.patch @@ -0,0 +1,94 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Mon, 29 Apr 2019 11:53:18 -0400 +Subject: packet: validate msg_namelen in send directly + +commit 486efdc8f6ce802b27e15921d2353cc740c55451 upstream. + +Packet sockets in datagram mode take a destination address. Verify its +length before passing to dev_hard_header. + +Prior to 2.6.14-rc3, the send code ignored sll_halen. This is +established behavior. Directly compare msg_namelen to dev->addr_len. + +Change v1->v2: initialize addr in all paths + +Fixes: 6b8d95f1795c4 ("packet: validate address length if non-zero") +Suggested-by: David Laight <David.Laight@aculab.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/packet/af_packet.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2278,8 +2278,8 @@ static int tpacket_snd(struct packet_soc + void *ph; + DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); + bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); ++ unsigned char *addr = NULL; + int tp_len, size_max; +- unsigned char *addr; + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen; +@@ -2289,7 +2289,6 @@ static int tpacket_snd(struct packet_soc + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; +- addr = NULL; + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2299,10 +2298,13 @@ static int tpacket_snd(struct packet_soc + sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_put; ++ if (po->sk.sk_socket->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_put; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +@@ -2435,7 +2437,7 @@ static int packet_snd(struct socket *soc + struct sk_buff *skb; + struct net_device *dev; + __be16 proto; +- unsigned char *addr; ++ unsigned char *addr = NULL; + int err, reserve = 0; + struct virtio_net_hdr vnet_hdr = { 0 }; + int offset = 0; +@@ -2453,7 +2455,6 @@ static int packet_snd(struct socket *soc + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; +- addr = NULL; + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2461,10 +2462,13 @@ static int packet_snd(struct socket *soc + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_unlock; ++ if (sock->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_unlock; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; diff --git a/queue-3.16/pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch b/queue-3.16/pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch new file mode 100644 index 00000000..e72fb22f --- /dev/null +++ b/queue-3.16/pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch @@ -0,0 +1,32 @@ +From: Andre Przywara <andre.przywara@arm.com> +Date: Fri, 5 Apr 2019 16:20:47 +0100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller + +commit 9cde402a59770a0669d895399c13407f63d7d209 upstream. + +There is a Marvell 88SE9170 PCIe SATA controller I found on a board here. +Some quick testing with the ARM SMMU enabled reveals that it suffers from +the same requester ID mixup problems as the other Marvell chips listed +already. + +Add the PCI vendor/device ID to the list of chips which need the +workaround. + +Signed-off-by: Andre Przywara <andre.przywara@arm.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3514,6 +3514,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172, + quirk_dma_func1_alias); diff --git a/queue-3.16/perf-core-restore-mmap-record-type-correctly.patch b/queue-3.16/perf-core-restore-mmap-record-type-correctly.patch new file mode 100644 index 00000000..ee9d3e40 --- /dev/null +++ b/queue-3.16/perf-core-restore-mmap-record-type-correctly.patch @@ -0,0 +1,55 @@ +From: Stephane Eranian <eranian@google.com> +Date: Thu, 7 Mar 2019 10:52:33 -0800 +Subject: perf/core: Restore mmap record type correctly + +commit d9c1bb2f6a2157b38e8eb63af437cb22701d31ee upstream. + +On mmap(), perf_events generates a RECORD_MMAP record and then checks +which events are interested in this record. There are currently 2 +versions of mmap records: RECORD_MMAP and RECORD_MMAP2. MMAP2 is larger. +The event configuration controls which version the user level tool +accepts. + +If the event->attr.mmap2=1 field then MMAP2 record is returned. The +perf_event_mmap_output() takes care of this. It checks attr->mmap2 and +corrects the record fields before putting it in the sampling buffer of +the event. At the end the function restores the modified MMAP record +fields. + +The problem is that the function restores the size but not the type. +Thus, if a subsequent event only accepts MMAP type, then it would +instead receive an MMAP2 record with a size of MMAP record. + +This patch fixes the problem by restoring the record type on exit. + +Signed-off-by: Stephane Eranian <eranian@google.com> +Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Andi Kleen <ak@linux.intel.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Kan Liang <kan.liang@linux.intel.com> +Fixes: 13d7a2410fa6 ("perf: Add attr->mmap2 attribute to an event") +Link: http://lkml.kernel.org/r/20190307185233.225521-1-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/events/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5445,6 +5445,7 @@ static void perf_event_mmap_output(struc + struct perf_output_handle handle; + struct perf_sample_data sample; + int size = mmap_event->event_id.header.size; ++ u32 type = mmap_event->event_id.header.type; + int ret; + + if (!perf_event_mmap_match(event, data)) +@@ -5488,6 +5489,7 @@ static void perf_event_mmap_output(struc + perf_output_end(&handle); + out: + mmap_event->event_id.header.size = size; ++ mmap_event->event_id.header.type = type; + } + + static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) diff --git a/queue-3.16/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch b/queue-3.16/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch new file mode 100644 index 00000000..decf8c30 --- /dev/null +++ b/queue-3.16/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch @@ -0,0 +1,53 @@ +From: Changbin Du <changbin.du@gmail.com> +Date: Sat, 16 Mar 2019 16:05:56 +0800 +Subject: perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() + +commit d982b33133284fa7efa0e52ae06b88f9be3ea764 upstream. + + ================================================================= + ==20875==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 1160 byte(s) in 1 object(s) allocated from: + #0 0x7f1b6fc84138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x55bd50005599 in zalloc util/util.h:23 + #2 0x55bd500068f5 in perf_evsel__newtp_idx util/evsel.c:327 + #3 0x55bd4ff810fc in perf_evsel__newtp /home/work/linux/tools/perf/util/evsel.h:216 + #4 0x55bd4ff81608 in test__perf_evsel__tp_sched_test tests/evsel-tp-sched.c:69 + #5 0x55bd4ff528e6 in run_test tests/builtin-test.c:358 + #6 0x55bd4ff52baf in test_and_print tests/builtin-test.c:388 + #7 0x55bd4ff543fe in __cmd_test tests/builtin-test.c:583 + #8 0x55bd4ff5572f in cmd_test tests/builtin-test.c:722 + #9 0x55bd4ffc4087 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #10 0x55bd4ffc45c6 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #11 0x55bd4ffc49ca in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #12 0x55bd4ffc5138 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #13 0x7f1b6e34809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + Indirect leak of 19 byte(s) in 1 object(s) allocated from: + #0 0x7f1b6fc83f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30) + #1 0x7f1b6e3ac30f in vasprintf (/lib/x86_64-linux-gnu/libc.so.6+0x8830f) + +Signed-off-by: Changbin Du <changbin.du@gmail.com> +Reviewed-by: Jiri Olsa <jolsa@kernel.org> +Cc: Alexei Starovoitov <ast@kernel.org> +Cc: Daniel Borkmann <daniel@iogearbox.net> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Steven Rostedt (VMware) <rostedt@goodmis.org> +Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields") +Link: http://lkml.kernel.org/r/20190316080556.3075-17-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + tools/perf/tests/evsel-tp-sched.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -77,5 +77,6 @@ int test__perf_evsel__tp_sched_test(void + if (perf_evsel__test_field(evsel, "target_cpu", 4, true)) + ret = -1; + ++ perf_evsel__delete(evsel); + return ret; + } diff --git a/queue-3.16/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch b/queue-3.16/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch new file mode 100644 index 00000000..44ba0865 --- /dev/null +++ b/queue-3.16/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch @@ -0,0 +1,31 @@ +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Thu, 4 Apr 2019 12:20:05 +0000 +Subject: powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 + +commit dd9a994fc68d196a052b73747e3366c57d14a09e upstream. + +Commit b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC +inconsistencies across Y2038") changed the type of wtom_clock_sec +to s64 on PPC64. Therefore, VDSO32 needs to read it with a 4 bytes +shift in order to retrieve the lower part of it. + +Fixes: b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038") +Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de> +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/powerpc/kernel/vdso32/gettimeofday.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/vdso32/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S +@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime) + * can be used, r7 contains NSEC_PER_SEC. + */ + +- lwz r5,WTOM_CLOCK_SEC(r9) ++ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9) + lwz r6,WTOM_CLOCK_NSEC(r9) + + /* We now have our offset in r5,r6. We create a fake dependency diff --git a/queue-3.16/powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch b/queue-3.16/powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch new file mode 100644 index 00000000..9c9532de --- /dev/null +++ b/queue-3.16/powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch @@ -0,0 +1,117 @@ +From: Michael Ellerman <mpe@ellerman.id.au> +Date: Thu, 14 Mar 2019 00:14:38 +1100 +Subject: powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 + +commit b5b4453e7912f056da1ca7572574cada32ecb60c upstream. + +Jakub Drnec reported: + Setting the realtime clock can sometimes make the monotonic clock go + back by over a hundred years. Decreasing the realtime clock across + the y2k38 threshold is one reliable way to reproduce. Allegedly this + can also happen just by running ntpd, I have not managed to + reproduce that other than booting with rtc at >2038 and then running + ntp. When this happens, anything with timers (e.g. openjdk) breaks + rather badly. + +And included a test case (slightly edited for brevity): + #define _POSIX_C_SOURCE 199309L + #include <stdio.h> + #include <time.h> + #include <stdlib.h> + #include <unistd.h> + + long get_time(void) { + struct timespec tp; + clock_gettime(CLOCK_MONOTONIC, &tp); + return tp.tv_sec + tp.tv_nsec / 1000000000; + } + + int main(void) { + long last = get_time(); + while(1) { + long now = get_time(); + if (now < last) { + printf("clock went backwards by %ld seconds!\n", last - now); + } + last = now; + sleep(1); + } + return 0; + } + +Which when run concurrently with: + # date -s 2040-1-1 + # date -s 2037-1-1 + +Will detect the clock going backward. + +The root cause is that wtom_clock_sec in struct vdso_data is only a +32-bit signed value, even though we set its value to be equal to +tk->wall_to_monotonic.tv_sec which is 64-bits. + +Because the monotonic clock starts at zero when the system boots the +wall_to_montonic.tv_sec offset is negative for current and future +dates. Currently on a freshly booted system the offset will be in the +vicinity of negative 1.5 billion seconds. + +However if the wall clock is set past the Y2038 boundary, the offset +from wall to monotonic becomes less than negative 2^31, and no longer +fits in 32-bits. When that value is assigned to wtom_clock_sec it is +truncated and becomes positive, causing the VDSO assembly code to +calculate CLOCK_MONOTONIC incorrectly. + +That causes CLOCK_MONOTONIC to jump ahead by ~4 billion seconds which +it is not meant to do. Worse, if the time is then set back before the +Y2038 boundary CLOCK_MONOTONIC will jump backward. + +We can fix it simply by storing the full 64-bit offset in the +vdso_data, and using that in the VDSO assembly code. We also shuffle +some of the fields in vdso_data to avoid creating a hole. + +The original commit that added the CLOCK_MONOTONIC support to the VDSO +did actually use a 64-bit value for wtom_clock_sec, see commit +a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to +32 bits kernel") (Nov 2005). However just 3 days later it was +converted to 32-bits in commit 0c37ec2aa88b ("[PATCH] powerpc: vdso +fixes (take #2)"), and the bug has existed since then AFAICS. + +Fixes: 0c37ec2aa88b ("[PATCH] powerpc: vdso fixes (take #2)") +Link: http://lkml.kernel.org/r/HaC.ZfES.62bwlnvAvMP.1STMMj@seznam.cz +Reported-by: Jakub Drnec <jaydee@email.cz> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +[bwh: Backported to 3.16: CLOCK_MONOTONIC_COARSE is not handled by + this vDSO] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/powerpc/include/asm/vdso_datapage.h | 8 ++++---- + arch/powerpc/kernel/vdso64/gettimeofday.S | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/vdso_datapage.h ++++ b/arch/powerpc/include/asm/vdso_datapage.h +@@ -82,10 +82,10 @@ struct vdso_data { + __u32 icache_block_size; /* L1 i-cache block size */ + __u32 dcache_log_block_size; /* L1 d-cache log block size */ + __u32 icache_log_block_size; /* L1 i-cache log block size */ +- __s32 wtom_clock_sec; /* Wall to monotonic clock */ +- __s32 wtom_clock_nsec; +- struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */ +- __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */ ++ __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */ ++ __s32 wtom_clock_nsec; /* Wall to monotonic clock nsec */ ++ __s64 wtom_clock_sec; /* Wall to monotonic clock sec */ ++ struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */ + __u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls */ + __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */ + }; +--- a/arch/powerpc/kernel/vdso64/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso64/gettimeofday.S +@@ -85,7 +85,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime) + * At this point, r4,r5 contain our sec/nsec values. + */ + +- lwa r6,WTOM_CLOCK_SEC(r3) ++ ld r6,WTOM_CLOCK_SEC(r3) + lwa r9,WTOM_CLOCK_NSEC(r3) + + /* We now have our result in r6,r9. We create a fake dependency diff --git a/queue-3.16/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch b/queue-3.16/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch new file mode 100644 index 00000000..4224833f --- /dev/null +++ b/queue-3.16/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch @@ -0,0 +1,95 @@ +From: Vijayakumar Durai <vijayakumar.durai1@vivint.com> +Date: Wed, 27 Mar 2019 11:03:17 +0100 +Subject: rt2x00: do not increment sequence number while re-transmitting + +commit 746ba11f170603bf1eaade817553a6c2e9135bbe upstream. + +Currently rt2x00 devices retransmit the management frames with +incremented sequence number if hardware is assigning the sequence. + +This is HW bug fixed already for non-QOS data frames, but it should +be fixed for management frames except beacon. + +Without fix retransmitted frames have wrong SN: + + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1 + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1 + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1 + +With the fix SN stays correctly the same: + + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C + +Signed-off-by: Vijayakumar Durai <vijayakumar.durai1@vivint.com> +[sgruszka: simplify code, change comments and changelog] +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +[bwh: Backported to 3.16: adjust filenames, context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/wireless/rt2x00/rt2x00.h | 1 - + drivers/net/wireless/rt2x00/rt2x00mac.c | 10 ---------- + drivers/net/wireless/rt2x00/rt2x00queue.c | 15 +++++++++------ + 3 files changed, 9 insertions(+), 17 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/rt2x00/rt2x00.h +@@ -666,7 +666,6 @@ enum rt2x00_state_flags { + CONFIG_CHANNEL_HT40, + CONFIG_POWERSAVING, + CONFIG_HT_DISABLED, +- CONFIG_QOS_DISABLED, + + /* + * Mark we currently are sequentially reading TX_STA_FIFO register +--- a/drivers/net/wireless/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c +@@ -682,19 +682,9 @@ void rt2x00mac_bss_info_changed(struct i + rt2x00dev->intf_associated--; + + rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated); +- +- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); + } + + /* +- * Check for access point which do not support 802.11e . We have to +- * generate data frames sequence number in S/W for such AP, because +- * of H/W bug. +- */ +- if (changes & BSS_CHANGED_QOS && !bss_conf->qos) +- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); +- +- /* + * When the erp information has changed, we should perform + * additional configuration steps. For all other changes we are done. + */ +--- a/drivers/net/wireless/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c +@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descri + if (!test_bit(REQUIRE_SW_SEQNO, &rt2x00dev->cap_flags)) { + /* + * rt2800 has a H/W (or F/W) bug, device incorrectly increase +- * seqno on retransmited data (non-QOS) frames. To workaround +- * the problem let's generate seqno in software if QOS is +- * disabled. ++ * seqno on retransmitted data (non-QOS) and management frames. ++ * To workaround the problem let's generate seqno in software. ++ * Except for beacons which are transmitted periodically by H/W ++ * hence hardware has to assign seqno for them. + */ +- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags)) +- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); +- else ++ if (ieee80211_is_beacon(hdr->frame_control)) { ++ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + /* H/W will generate sequence number */ + return; ++ } ++ ++ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + } + + /* diff --git a/queue-3.16/sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch b/queue-3.16/sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch new file mode 100644 index 00000000..191823cb --- /dev/null +++ b/queue-3.16/sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch @@ -0,0 +1,79 @@ +From: Mel Gorman <mgorman@techsingularity.net> +Date: Tue, 19 Mar 2019 12:36:10 +0000 +Subject: sched/fair: Do not re-read ->h_load_next during hierarchical load + calculation + +commit 0e9f02450da07fc7b1346c8c32c771555173e397 upstream. + +A NULL pointer dereference bug was reported on a distribution kernel but +the same issue should be present on mainline kernel. It occured on s390 +but should not be arch-specific. A partial oops looks like: + + Unable to handle kernel pointer dereference in virtual kernel address space + ... + Call Trace: + ... + try_to_wake_up+0xfc/0x450 + vhost_poll_wakeup+0x3a/0x50 [vhost] + __wake_up_common+0xbc/0x178 + __wake_up_common_lock+0x9e/0x160 + __wake_up_sync_key+0x4e/0x60 + sock_def_readable+0x5e/0x98 + +The bug hits any time between 1 hour to 3 days. The dereference occurs +in update_cfs_rq_h_load when accumulating h_load. The problem is that +cfq_rq->h_load_next is not protected by any locking and can be updated +by parallel calls to task_h_load. Depending on the compiler, code may be +generated that re-reads cfq_rq->h_load_next after the check for NULL and +then oops when reading se->avg.load_avg. The dissassembly showed that it +was possible to reread h_load_next after the check for NULL. + +While this does not appear to be an issue for later compilers, it's still +an accident if the correct code is generated. Full locking in this path +would have high overhead so this patch uses READ_ONCE to read h_load_next +only once and check for NULL before dereferencing. It was confirmed that +there were no further oops after 10 days of testing. + +As Peter pointed out, it is also necessary to use WRITE_ONCE() to avoid any +potential problems with store tearing. + +Signed-off-by: Mel Gorman <mgorman@techsingularity.net> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Mike Galbraith <efault@gmx.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Fixes: 685207963be9 ("sched: Move h_load calculation to task_h_load()") +Link: https://lkml.kernel.org/r/20190319123610.nsivgf3mjbjjesxb@techsingularity.net +Signed-off-by: Ingo Molnar <mingo@kernel.org> +[bwh: Backported to 3.16: use ACCESS_ONCE()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/sched/fair.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -5487,10 +5487,10 @@ static void update_cfs_rq_h_load(struct + if (cfs_rq->last_h_load_update == now) + return; + +- cfs_rq->h_load_next = NULL; ++ ACCESS_ONCE(cfs_rq->h_load_next) = NULL; + for_each_sched_entity(se) { + cfs_rq = cfs_rq_of(se); +- cfs_rq->h_load_next = se; ++ ACCESS_ONCE(cfs_rq->h_load_next) = se; + if (cfs_rq->last_h_load_update == now) + break; + } +@@ -5500,7 +5500,7 @@ static void update_cfs_rq_h_load(struct + cfs_rq->last_h_load_update = now; + } + +- while ((se = cfs_rq->h_load_next) != NULL) { ++ while ((se = ACCESS_ONCE(cfs_rq->h_load_next)) != NULL) { + load = cfs_rq->h_load; + load = div64_ul(load * se->avg.load_avg_contrib, + cfs_rq->runnable_load_avg + 1); diff --git a/queue-3.16/sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch b/queue-3.16/sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch new file mode 100644 index 00000000..d687169f --- /dev/null +++ b/queue-3.16/sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch @@ -0,0 +1,96 @@ +From: Phil Auld <pauld@redhat.com> +Date: Tue, 19 Mar 2019 09:00:05 -0400 +Subject: sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup + +commit 2e8e19226398db8265a8e675fcc0118b9e80c9e8 upstream. + +With extremely short cfs_period_us setting on a parent task group with a large +number of children the for loop in sched_cfs_period_timer() can run until the +watchdog fires. There is no guarantee that the call to hrtimer_forward_now() +will ever return 0. The large number of children can make +do_sched_cfs_period_timer() take longer than the period. + + NMI watchdog: Watchdog detected hard LOCKUP on cpu 24 + RIP: 0010:tg_nop+0x0/0x10 + <IRQ> + walk_tg_tree_from+0x29/0xb0 + unthrottle_cfs_rq+0xe0/0x1a0 + distribute_cfs_runtime+0xd3/0xf0 + sched_cfs_period_timer+0xcb/0x160 + ? sched_cfs_slack_timer+0xd0/0xd0 + __hrtimer_run_queues+0xfb/0x270 + hrtimer_interrupt+0x122/0x270 + smp_apic_timer_interrupt+0x6a/0x140 + apic_timer_interrupt+0xf/0x20 + </IRQ> + +To prevent this we add protection to the loop that detects when the loop has run +too many times and scales the period and quota up, proportionally, so that the timer +can complete before then next period expires. This preserves the relative runtime +quota while preventing the hard lockup. + +A warning is issued reporting this state and the new values. + +Signed-off-by: Phil Auld <pauld@redhat.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Anton Blanchard <anton@ozlabs.org> +Cc: Ben Segall <bsegall@google.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: https://lkml.kernel.org/r/20190319130005.25492-1-pauld@redhat.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/sched/fair.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3704,6 +3704,8 @@ static enum hrtimer_restart sched_cfs_sl + return HRTIMER_NORESTART; + } + ++extern const u64 max_cfs_quota_period; ++ + static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + { + struct cfs_bandwidth *cfs_b = +@@ -3711,6 +3713,7 @@ static enum hrtimer_restart sched_cfs_pe + ktime_t now; + int overrun; + int idle = 0; ++ int count = 0; + + raw_spin_lock(&cfs_b->lock); + for (;;) { +@@ -3720,6 +3723,28 @@ static enum hrtimer_restart sched_cfs_pe + if (!overrun) + break; + ++ if (++count > 3) { ++ u64 new, old = ktime_to_ns(cfs_b->period); ++ ++ new = (old * 147) / 128; /* ~115% */ ++ new = min(new, max_cfs_quota_period); ++ ++ cfs_b->period = ns_to_ktime(new); ++ ++ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */ ++ cfs_b->quota *= new; ++ cfs_b->quota = div64_u64(cfs_b->quota, old); ++ ++ pr_warn_ratelimited( ++ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n", ++ smp_processor_id(), ++ div_u64(new, NSEC_PER_USEC), ++ div_u64(cfs_b->quota, NSEC_PER_USEC)); ++ ++ /* reset count so we don't come right back in here */ ++ count = 0; ++ } ++ + idle = do_sched_cfs_period_timer(cfs_b, overrun); + } + raw_spin_unlock(&cfs_b->lock); diff --git a/queue-3.16/sched-numa-fix-a-possible-divide-by-zero.patch b/queue-3.16/sched-numa-fix-a-possible-divide-by-zero.patch new file mode 100644 index 00000000..ce0bc020 --- /dev/null +++ b/queue-3.16/sched-numa-fix-a-possible-divide-by-zero.patch @@ -0,0 +1,48 @@ +From: Xie XiuQi <xiexiuqi@huawei.com> +Date: Sat, 20 Apr 2019 16:34:16 +0800 +Subject: sched/numa: Fix a possible divide-by-zero + +commit a860fa7b96e1a1c974556327aa1aee852d434c21 upstream. + +sched_clock_cpu() may not be consistent between CPUs. If a task +migrates to another CPU, then se.exec_start is set to that CPU's +rq_clock_task() by update_stats_curr_start(). Specifically, the new +value might be before the old value due to clock skew. + +So then if in numa_get_avg_runtime() the expression: + + 'now - p->last_task_numa_placement' + +ends up as -1, then the divider '*period + 1' in task_numa_placement() +is 0 and things go bang. Similar to update_curr(), check if time goes +backwards to avoid this. + +[ peterz: Wrote new changelog. ] +[ mingo: Tweaked the code comment. ] + +Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: cj.chengjian@huawei.com +Link: http://lkml.kernel.org/r/20190425080016.GX11158@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/sched/fair.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -1503,6 +1503,10 @@ static u64 numa_get_avg_runtime(struct t + if (p->last_task_numa_placement) { + delta = runtime - p->last_sum_exec_runtime; + *period = now - p->last_task_numa_placement; ++ ++ /* Avoid time going backwards, prevent potential divide error: */ ++ if (unlikely((s64)*period < 0)) ++ *period = 0; + } else { + delta = p->se.avg.runnable_avg_sum; + *period = p->se.avg.runnable_avg_period; diff --git a/queue-3.16/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch b/queue-3.16/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch new file mode 100644 index 00000000..91a1cbf6 --- /dev/null +++ b/queue-3.16/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch @@ -0,0 +1,78 @@ +From: Steffen Maier <maier@linux.ibm.com> +Date: Tue, 26 Mar 2019 14:36:58 +0100 +Subject: scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host + +commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream. + +An already deleted SCSI device can exist on the Scsi_Host and remain there +because something still holds a reference. A new SCSI device with the same +H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created. When +we try to unblock an rport, we still find the deleted SCSI device and +return early because the zfcp_scsi_dev of that SCSI device is not +ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if +the new proper SCSI device would be in good state. + +Therefore, skip deleted SCSI devices when iterating the sdevs of the shost. +[cf. __scsi_device_lookup{_by_target}() or scsi_device_get()] + +The following abbreviated trace sequence can indicate such problem: + +Area : REC +Tag : ersfs_3 +LUN : 0x4045400300000000 +WWPN : 0x50050763031bd327 +LUN status : 0x40000000 not ZFCP_STATUS_COMMON_UNBLOCKED +Ready count : n not incremented yet +Running count : 0x00000000 +ERP want : 0x01 +ERP need : 0xc1 ZFCP_ERP_ACTION_NONE + +Area : REC +Tag : ersfs_3 +LUN : 0x4045400300000000 +WWPN : 0x50050763031bd327 +LUN status : 0x41000000 +Ready count : n+1 +Running count : 0x00000000 +ERP want : 0x01 +ERP need : 0x01 + +... + +Area : REC +Level : 4 only with increased trace level +Tag : ertru_l +LUN : 0x4045400300000000 +WWPN : 0x50050763031bd327 +LUN status : 0x40000000 +Request ID : 0x0000000000000000 +ERP status : 0x01800000 +ERP step : 0x1000 +ERP action : 0x01 +ERP count : 0x00 + +NOT followed by a trace record with tag "scpaddy" +for WWPN 0x50050763031bd327. + +Signed-off-by: Steffen Maier <maier@linux.ibm.com> +Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery") +Reviewed-by: Jens Remus <jremus@linux.ibm.com> +Reviewed-by: Benjamin Block <bblock@linux.ibm.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/s390/scsi/zfcp_erp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -1313,6 +1313,9 @@ static void zfcp_erp_try_rport_unblock(s + struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); + int lun_status; + ++ if (sdev->sdev_state == SDEV_DEL || ++ sdev->sdev_state == SDEV_CANCEL) ++ continue; + if (zsdev->port != port) + continue; + /* LUN under port of interest */ diff --git a/queue-3.16/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch b/queue-3.16/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch new file mode 100644 index 00000000..694c1af9 --- /dev/null +++ b/queue-3.16/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch @@ -0,0 +1,90 @@ +From: Steffen Maier <maier@linux.ibm.com> +Date: Tue, 26 Mar 2019 14:36:59 +0100 +Subject: scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV + FCP devices + +commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream. + +Suppose more than one non-NPIV FCP device is active on the same channel. +Send I/O to storage and have some of the pending I/O run into a SCSI +command timeout, e.g. due to bit errors on the fibre. Now the error +situation stops. However, we saw FCP requests continue to timeout in the +channel. The abort will be successful, but the subsequent TUR fails. +Scsi_eh starts. The LUN reset fails. The target reset fails. The host +reset only did an FCP device recovery. However, for non-NPIV FCP devices, +this does not close and reopen ports on the SAN-side if other non-NPIV FCP +device(s) share the same open ports. + +In order to resolve the continuing FCP request timeouts, we need to +explicitly close and reopen ports on the SAN-side. + +This was missing since the beginning of zfcp in v2.6.0 history commit +ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter."). + +Note: The FSF requests for forced port reopen could run into FSF request +timeouts due to other reasons. This would trigger an internal FCP device +recovery. Pending forced port reopen recoveries would get dismissed. So +some ports might not get fully reopened during this host reset handler. +However, subsequent I/O would trigger the above described escalation and +eventually all ports would be forced reopen to resolve any continuing FCP +request timeouts due to earlier bit errors. + +Signed-off-by: Steffen Maier <maier@linux.ibm.com> +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Jens Remus <jremus@linux.ibm.com> +Reviewed-by: Benjamin Block <bblock@linux.ibm.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/s390/scsi/zfcp_erp.c | 14 ++++++++++++++ + drivers/s390/scsi/zfcp_ext.h | 2 ++ + drivers/s390/scsi/zfcp_scsi.c | 4 ++++ + 3 files changed, 20 insertions(+) + +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(st + add_timer(&erp_action->timer); + } + ++void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, ++ int clear, char *dbftag) ++{ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ write_lock_irqsave(&adapter->erp_lock, flags); ++ read_lock(&adapter->port_list_lock); ++ list_for_each_entry(port, &adapter->port_list, list) ++ _zfcp_erp_port_forced_reopen(port, clear, dbftag); ++ read_unlock(&adapter->port_list_lock); ++ write_unlock_irqrestore(&adapter->erp_lock, flags); ++} ++ + static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter, + int clear, char *id) + { +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(s + extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *); + extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *); + extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *); ++extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, ++ int clear, char *dbftag); + extern void zfcp_erp_set_lun_status(struct scsi_device *, u32); + extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32); + extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *); +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -347,6 +347,10 @@ static int zfcp_scsi_eh_host_reset_handl + struct zfcp_adapter *adapter = zfcp_sdev->port->adapter; + int ret = SUCCESS, fc_ret; + ++ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) { ++ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p"); ++ zfcp_erp_wait(adapter); ++ } + zfcp_erp_adapter_reopen(adapter, 0, "schrh_1"); + zfcp_erp_wait(adapter); + fc_ret = fc_block_scsi_eh(scpnt); diff --git a/queue-3.16/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch b/queue-3.16/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch new file mode 100644 index 00000000..4e16f943 --- /dev/null +++ b/queue-3.16/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch @@ -0,0 +1,37 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Mon, 18 Mar 2019 19:47:00 +0800 +Subject: sctp: get sctphdr by offset in sctp_compute_cksum + +commit 273160ffc6b993c7c91627f5a84799c66dfe4dee upstream. + +sctp_hdr(skb) only works when skb->transport_header is set properly. + +But in Netfilter, skb->transport_header for ipv6 is not guaranteed +to be right value for sctphdr. It would cause to fail to check the +checksum for sctp packets. + +So fix it by using offset, which is always right in all places. + +v1->v2: + - Fix the changelog. + +Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") +Reported-by: Li Shuang <shuali@redhat.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/net/sctp/checksum.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/sctp/checksum.h ++++ b/include/net/sctp/checksum.h +@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(_ + static inline __le32 sctp_compute_cksum(const struct sk_buff *skb, + unsigned int offset) + { +- struct sctphdr *sh = sctp_hdr(skb); ++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset); + const struct skb_checksum_ops ops = { + .update = sctp_csum_update, + .combine = sctp_csum_combine, diff --git a/queue-3.16/serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch b/queue-3.16/serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch new file mode 100644 index 00000000..da9af751 --- /dev/null +++ b/queue-3.16/serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch @@ -0,0 +1,27 @@ +From: Aditya Pakki <pakki001@umn.edu> +Date: Mon, 18 Mar 2019 18:44:14 -0500 +Subject: serial: max310x: Fix to avoid potential NULL pointer dereference + +commit 3a10e3dd52e80b9a97a3346020024d17b2c272d6 upstream. + +of_match_device can return a NULL pointer when matching device is not +found. This patch avoids a scenario causing NULL pointer derefernce. + +Signed-off-by: Aditya Pakki <pakki001@umn.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/serial/max310x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -1324,6 +1324,8 @@ static int max310x_spi_probe(struct spi_ + if (spi->dev.of_node) { + const struct of_device_id *of_id = + of_match_device(max310x_dt_ids, &spi->dev); ++ if (!of_id) ++ return -ENODEV; + + devtype = (struct max310x_devtype *)of_id->data; + } else { diff --git a/queue-3.16/serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch b/queue-3.16/serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch new file mode 100644 index 00000000..b54a12ca --- /dev/null +++ b/queue-3.16/serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch @@ -0,0 +1,43 @@ +From: Hoan Nguyen An <na-hoan@jinso.co.jp> +Date: Mon, 18 Mar 2019 18:26:32 +0900 +Subject: serial: sh-sci: Fix setting SCSCR_TIE while transferring data + +commit 93bcefd4c6bad4c69dbc4edcd3fbf774b24d930d upstream. + +We disable transmission interrupt (clear SCSCR_TIE) after all data has been transmitted +(if uart_circ_empty(xmit)). While transmitting, if the data is still in the tty buffer, +re-enable the SCSCR_TIE bit, which was done at sci_start_tx(). +This is unnecessary processing, wasting CPU operation if the data transmission length is large. +And further, transmit end, FIFO empty bits disabling have also been performed in the step above. + +Signed-off-by: Hoan Nguyen An <na-hoan@jinso.co.jp> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/serial/sh-sci.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -633,19 +633,9 @@ static void sci_transmit_chars(struct ua + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) + uart_write_wakeup(port); +- if (uart_circ_empty(xmit)) { ++ if (uart_circ_empty(xmit)) + sci_stop_tx(port); +- } else { +- ctrl = serial_port_in(port, SCSCR); + +- if (port->type != PORT_SCI) { +- serial_port_in(port, SCxSR); /* Dummy read */ +- serial_port_out(port, SCxSR, SCxSR_TDxE_CLEAR(port)); +- } +- +- ctrl |= SCSCR_TIE; +- serial_port_out(port, SCSCR, ctrl); +- } + } + + /* On SH3, SCIF may read end-of-break as a space->mark char */ diff --git a/queue-3.16/series b/queue-3.16/series index 4b843b8a..ecced155 100644 --- a/queue-3.16/series +++ b/queue-3.16/series @@ -1 +1,125 @@ ipv6-check-sk-sk_type-and-protocol-early-in-ip_mroute_set-getsockopt.patch +xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch +net-xfrm-add-_rcu-tag-for-rcu-protected-pointer-in-netns_xfrm.patch +staging-iio-meter-fixed-typo.patch +iio-use-kmalloc_array-in-iio_scan_mask_set.patch +iio-fix-scan-mask-selection.patch +iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch +perf-core-restore-mmap-record-type-correctly.patch +ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch +ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch +xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch +iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch +ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch +staging-speakup_soft-fix-alternate-speech-with-other-synths.patch +powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch +netfilter-bridge-set-skb-transport_header-before-entering.patch +udf-fix-crash-on-io-error-during-truncate.patch +net-mac8390-use-standard-memcpy_-from-to-io.patch +mac8390-fix-mmio-access-size-probe.patch +sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch +nfs-fix-mount-umount-race-in-nlmclnt.patch +arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch +usb-serial-ftdi_sio-add-additional-novatech-products.patch +serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch +tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch +tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch +serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch +device_cgroup-fix-rcu-imbalance-in-error-case.patch +perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch +net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch +tcp-do-not-use-ipv6-header-for-ipv4-flow.patch +dccp-do-not-use-ipv6-header-for-ipv4-flow.patch +3c515-fix-integer-overflow-warning.patch +arm-dts-pfla02-increase-phy-reset-duration.patch +usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch +staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch +alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch +alsa-seq-oss-fix-spectre-v1-vulnerability.patch +net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch +iommu-vt-d-check-capability-before-disabling-protected-memory.patch +futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch +alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch +gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch +xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch +ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch +iio-ad_sigma_delta-select-channel-when-reading-register.patch +batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch +batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch +batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch +alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch +net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch +scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch +scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch +usb-serial-cp210x-add-new-device-id.patch +afs-fix-storedata-op-marshalling.patch +kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch +kvm-x86-ia32_arch_capabilities-is-always-supported.patch +kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch +fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch +iio-core-fix-a-possible-circular-locking-dependency.patch +dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch +dccp-fix-memleak-in-__feat_register_sp.patch +xfrm4-fix-header-checks-in-_decode_session4.patch +xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch +xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch +sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch +btrfs-prop-fix-vanished-compression-property-after-failed-set.patch +xtensa-fix-return_address.patch +dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch +mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch +xen-prevent-buffer-overflow-in-privcmd-ioctl.patch +alsa-seq-fix-oob-reads-from-strlcpy.patch +pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch +sunrpc-don-t-mark-uninitialised-items-as-valid.patch +lib-string.c-implement-a-basic-bcmp.patch +xsysace-fix-error-handling-in-ace_setup.patch +powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch +acpica-namespace-remove-address-node-from-global-list-after-method.patch +block-do-not-leak-memory-in-bio_copy_user_iov.patch +net-bridge-multicast-use-rcu-to-access-port-list-from.patch +iommu-amd-set-exclusion-range-correctly.patch +rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch +vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch +locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch +x86-speculation-prevent-deadlock-on-ssb_state-lock.patch +mips-scall64-o32-fix-indirect-syscall-number-load.patch +usb-core-fix-unterminated-string-returned-by-usb_string.patch +staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch +staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch +kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch +kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep.patch +kvm-x86-move-tracepoints-outside-extended-quiescent-state.patch +kvm-vmx-handle-vmlaunch-vmresume-failure-properly.patch +x86-kvm-move-kvm_load-put_guest_xcr0-into-atomic-context.patch +tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch +cifs-fix-handle-leak-in-smb2_query_symlink.patch +cifs-keep-fileinfo-handle-live-during-oplock-break.patch +sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch +alsa-core-fix-card-races-between-register-and-disconnect.patch +tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch +x86-kprobes-verify-stack-frame-on-kretprobe.patch +kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch +x86-kprobes-avoid-kretprobe-recursion-bug.patch +mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch +usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch +team-fix-possible-recursive-locking-when-add-slaves.patch +netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch +mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch +ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch +cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch +net-rose-fix-unbound-loop-in-rose_loopback_timer.patch +usb-yurex-fix-protection-fault-after-device-removal.patch +usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch +usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch +sched-numa-fix-a-possible-divide-by-zero.patch +l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch +trace-fix-preempt_enable_no_resched-abuse.patch +fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch +slip-make-slhc_free-silently-accept-an-error-pointer.patch +ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch +ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch +l2ip-fix-possible-use-after-free.patch +packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch +packet-validate-msg_namelen-in-send-directly.patch +ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch diff --git a/queue-3.16/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-3.16/slip-make-slhc_free-silently-accept-an-error-pointer.patch new file mode 100644 index 00000000..10641db2 --- /dev/null +++ b/queue-3.16/slip-make-slhc_free-silently-accept-an-error-pointer.patch @@ -0,0 +1,44 @@ +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Thu, 25 Apr 2019 16:13:58 -0700 +Subject: slip: make slhc_free() silently accept an error pointer + +commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream. + +This way, slhc_free() accepts what slhc_init() returns, whether that is +an error or not. + +In particular, the pattern in sl_alloc_bufs() is + + slcomp = slhc_init(16, 16); + ... + slhc_free(slcomp); + +for the error handling path, and rather than complicate that code, just +make it ok to always free what was returned by the init function. + +That's what the code used to do before commit 4ab42d78e37a ("ppp, slip: +Validate VJ compression slot parameters completely") when slhc_init() +just returned NULL for the error case, with no actual indication of the +details of the error. + +Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com +Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely") +Acked-by: Ben Hutchings <ben@decadent.org.uk> +Cc: David Miller <davem@davemloft.net> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/slip/slhc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -153,7 +153,7 @@ out_fail: + void + slhc_free(struct slcompress *comp) + { +- if ( comp == NULLSLCOMPR ) ++ if ( IS_ERR_OR_NULL(comp) ) + return; + + if ( comp->tstate != NULLSLSTATE ) diff --git a/queue-3.16/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch b/queue-3.16/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000..a31ebca3 --- /dev/null +++ b/queue-3.16/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,40 @@ +From: Ian Abbott <abbotti@mev.co.uk> +Date: Mon, 15 Apr 2019 12:52:30 +0100 +Subject: staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf + +commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream. + +`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `vmk80xx_detach()` will be called from the core comedi +module code to clean up. `vmk80xx_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already been freed, leading to a +double-free error. Fix it by removing the call to +`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying +on `vmk80xx_detach()` to free the memory. + +Signed-off-by: Ian Abbott <abbotti@mev.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(str + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-3.16/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch b/queue-3.16/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch new file mode 100644 index 00000000..619a55c5 --- /dev/null +++ b/queue-3.16/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch @@ -0,0 +1,105 @@ +From: Ian Abbott <abbotti@mev.co.uk> +Date: Mon, 15 Apr 2019 12:10:14 +0100 +Subject: staging: comedi: vmk80xx: Fix use of uninitialized semaphore + +commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream. + +If `vmk80xx_auto_attach()` returns an error, the core comedi module code +will call `vmk80xx_detach()` to clean up. If `vmk80xx_auto_attach()` +successfully allocated the comedi device private data, +`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained +in the private data has been initialized and uses it. Unfortunately, +there are a couple of places where `vmk80xx_auto_attach()` can return an +error after allocating the device private data but before initializing +the semaphore, so this assumption is invalid. Fix it by initializing +the semaphore just after allocating the private data in +`vmk80xx_auto_attach()` before any other errors can be returned. + +I believe this was the cause of the following syzbot crash report +<https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>: + +usb 1-1: config 0 has no interface number 0 +usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d +usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +usb 1-1: config 0 descriptor?? +vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device. +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + assign_lock_key kernel/locking/lockdep.c:786 [inline] + register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 + __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 + lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 + down+0x12/0x80 kernel/locking/semaphore.c:58 + vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829 + comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 + comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 + comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] + comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 + comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] + comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 + comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 + usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 + generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 + usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 + process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 + worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 + kthread+0x313/0x420 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com +Signed-off-by: Ian Abbott <abbotti@mev.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -872,6 +872,8 @@ static int vmk80xx_auto_attach(struct co + + devpriv->model = boardinfo->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -880,8 +882,6 @@ static int vmk80xx_auto_attach(struct co + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8061_MODEL) { diff --git a/queue-3.16/staging-iio-meter-fixed-typo.patch b/queue-3.16/staging-iio-meter-fixed-typo.patch new file mode 100644 index 00000000..a115fe45 --- /dev/null +++ b/queue-3.16/staging-iio-meter-fixed-typo.patch @@ -0,0 +1,29 @@ +From: Leonard Pollak <leonardp@tr-host.de> +Date: Wed, 13 Feb 2019 11:19:52 +0100 +Subject: Staging: iio: meter: fixed typo + +commit 0a8a29be499cbb67df79370aaf5109085509feb8 upstream. + +This patch fixes an obvious typo, which will cause erroneously returning the Peak +Voltage instead of the Peak Current. + +Signed-off-by: Leonard Pollak <leonardp@tr-host.de> +Acked-by: Michael Hennerich <michael.hennerich@analog.com> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/iio/meter/ade7854.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/meter/ade7854.c ++++ b/drivers/staging/iio/meter/ade7854.c +@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(S_IWUSR | S_IR + static IIO_DEV_ATTR_IPEAK(S_IWUSR | S_IRUGO, + ade7854_read_32bit, + ade7854_write_32bit, +- ADE7854_VPEAK); ++ ADE7854_IPEAK); + static IIO_DEV_ATTR_APHCAL(S_IWUSR | S_IRUGO, + ade7854_read_16bit, + ade7854_write_16bit, diff --git a/queue-3.16/staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch b/queue-3.16/staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch new file mode 100644 index 00000000..dca7f856 --- /dev/null +++ b/queue-3.16/staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch @@ -0,0 +1,62 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 21 Mar 2019 09:26:38 +0300 +Subject: staging: rtl8712: uninitialized memory in read_bbreg_hdl() + +commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e upstream. + +Colin King reported a bug in read_bbreg_hdl(): + + memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); + +The problem is that "val" is uninitialized. + +This code is obviously not useful, but so far as I can tell +"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful +either. For now the easiest fix is to just call r8712_free_cmd_obj() +and return. + +Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") +Reported-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/rtl8712/rtl8712_cmd.c | 10 +--------- + drivers/staging/rtl8712/rtl8712_cmd.h | 2 +- + 2 files changed, 2 insertions(+), 10 deletions(-) + +--- a/drivers/staging/rtl8712/rtl8712_cmd.c ++++ b/drivers/staging/rtl8712/rtl8712_cmd.c +@@ -155,19 +155,11 @@ static u8 write_macreg_hdl(struct _adapt + + static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf) + { +- u32 val; +- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd); + struct readBB_parm *prdbbparm; + struct cmd_obj *pcmd = (struct cmd_obj *)pbuf; + + prdbbparm = (struct readBB_parm *)pcmd->parmbuf; +- if (pcmd->rsp && pcmd->rspsz > 0) +- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); +- pcmd_callback = cmd_callback[pcmd->cmdcode].callback; +- if (pcmd_callback == NULL) +- r8712_free_cmd_obj(pcmd); +- else +- pcmd_callback(padapter, pcmd); ++ r8712_free_cmd_obj(pcmd); + return H2C_SUCCESS; + } + +--- a/drivers/staging/rtl8712/rtl8712_cmd.h ++++ b/drivers/staging/rtl8712/rtl8712_cmd.h +@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd { + static struct _cmd_callback cmd_callback[] = { + {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/ + {GEN_CMD_CODE(_Write_MACREG), NULL}, +- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback}, ++ {GEN_CMD_CODE(_Read_BBREG), NULL}, + {GEN_CMD_CODE(_Write_BBREG), NULL}, + {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback}, + {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/ diff --git a/queue-3.16/staging-speakup_soft-fix-alternate-speech-with-other-synths.patch b/queue-3.16/staging-speakup_soft-fix-alternate-speech-with-other-synths.patch new file mode 100644 index 00000000..4b09b377 --- /dev/null +++ b/queue-3.16/staging-speakup_soft-fix-alternate-speech-with-other-synths.patch @@ -0,0 +1,82 @@ +From: Samuel Thibault <samuel.thibault@ens-lyon.org> +Date: Thu, 7 Mar 2019 23:06:57 +0100 +Subject: staging: speakup_soft: Fix alternate speech with other synths + +commit 45ac7b31bc6c4af885cc5b5d6c534c15bcbe7643 upstream. + +When switching from speakup_soft to another synth, speakup_soft would +keep calling synth_buffer_getc() from softsynthx_read. + +Let's thus make synth.c export the knowledge of the current synth, so +that speakup_soft can determine whether it should be running. + +speakup_soft also needs to set itself alive, otherwise the switch would +let it remain silent. + +Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: + - There's no Unicode support + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/staging/speakup/speakup_soft.c ++++ b/drivers/staging/speakup/speakup_soft.c +@@ -213,10 +213,13 @@ static ssize_t softsynth_read(struct fil + DEFINE_WAIT(wait); + + spin_lock_irqsave(&speakup_info.spinlock, flags); ++ synth_soft.alive = 1; + while (1) { + prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE); +- if (!synth_buffer_empty() || speakup_info.flushing) +- break; ++ if (synth_current() == &synth_soft) { ++ if (!synth_buffer_empty() || speakup_info.flushing) ++ break; ++ } + spin_unlock_irqrestore(&speakup_info.spinlock, flags); + if (fp->f_flags & O_NONBLOCK) { + finish_wait(&speakup_event, &wait); +@@ -234,6 +237,8 @@ static ssize_t softsynth_read(struct fil + cp = buf; + init = get_initstring(); + while (chars_sent < count) { ++ if (synth_current() != &synth_soft) ++ break; + if (speakup_info.flushing) { + speakup_info.flushing = 0; + ch = '\x18'; +@@ -286,7 +291,8 @@ static unsigned int softsynth_poll(struc + poll_wait(fp, &speakup_event, wait); + + spin_lock_irqsave(&speakup_info.spinlock, flags); +- if (!synth_buffer_empty() || speakup_info.flushing) ++ if (synth_current() == &synth_soft && ++ (!synth_buffer_empty() || speakup_info.flushing)) + ret = POLLIN | POLLRDNORM; + spin_unlock_irqrestore(&speakup_info.spinlock, flags); + return ret; +--- a/drivers/staging/speakup/spk_priv.h ++++ b/drivers/staging/speakup/spk_priv.h +@@ -72,6 +72,7 @@ extern int synth_request_region(u_long, + extern int synth_release_region(u_long, u_long); + extern int synth_add(struct spk_synth *in_synth); + extern void synth_remove(struct spk_synth *in_synth); ++struct spk_synth *synth_current(void); + + extern struct speakup_info_t speakup_info; + +--- a/drivers/staging/speakup/synth.c ++++ b/drivers/staging/speakup/synth.c +@@ -475,4 +475,10 @@ void synth_remove(struct spk_synth *in_s + } + EXPORT_SYMBOL_GPL(synth_remove); + ++struct spk_synth *synth_current(void) ++{ ++ return synth; ++} ++EXPORT_SYMBOL_GPL(synth_current); ++ + short spk_punc_masks[] = { 0, SOME, MOST, PUNC, PUNC|B_SYM }; diff --git a/queue-3.16/sunrpc-don-t-mark-uninitialised-items-as-valid.patch b/queue-3.16/sunrpc-don-t-mark-uninitialised-items-as-valid.patch new file mode 100644 index 00000000..4d8fb944 --- /dev/null +++ b/queue-3.16/sunrpc-don-t-mark-uninitialised-items-as-valid.patch @@ -0,0 +1,53 @@ +From: NeilBrown <neilb@suse.com> +Date: Fri, 5 Apr 2019 11:34:40 +1100 +Subject: sunrpc: don't mark uninitialised items as VALID. + +commit d58431eacb226222430940134d97bfd72f292fcd upstream. + +A recent commit added a call to cache_fresh_locked() +when an expired item was found. +The call sets the CACHE_VALID flag, so it is important +that the item actually is valid. +There are two ways it could be valid: +1/ If ->update has been called to fill in relevant content +2/ if CACHE_NEGATIVE is set, to say that content doesn't exist. + +An expired item that is waiting for an update will be neither. +Setting CACHE_VALID will mean that a subsequent call to cache_put() +will be likely to dereference uninitialised pointers. + +So we must make sure the item is valid, and we already have code to do +that in try_to_negate_entry(). This takes the hash lock and so cannot +be used directly, so take out the two lines that we need and use them. + +Now cache_fresh_locked() is certain to be called only on +a valid item. + +Fixes: 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued request") +Signed-off-by: NeilBrown <neilb@suse.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/sunrpc/cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -50,6 +50,7 @@ static void cache_init(struct cache_head + h->last_refresh = now; + } + ++static inline int cache_is_valid(struct cache_head *h); + static void cache_fresh_locked(struct cache_head *head, time_t expiry); + static void cache_fresh_unlocked(struct cache_head *head, + struct cache_detail *detail); +@@ -98,6 +99,8 @@ struct cache_head *sunrpc_cache_lookup(s + *hp = tmp->next; + tmp->next = NULL; + detail->entries --; ++ if (cache_is_valid(tmp) == -EAGAIN) ++ set_bit(CACHE_NEGATIVE, &tmp->flags); + cache_fresh_locked(tmp, 0); + freeme = tmp; + break; diff --git a/queue-3.16/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-3.16/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch new file mode 100644 index 00000000..d867c5e2 --- /dev/null +++ b/queue-3.16/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch @@ -0,0 +1,38 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 19 Mar 2019 05:45:35 -0700 +Subject: tcp: do not use ipv6 header for ipv4 flow + +commit 89e4130939a20304f4059ab72179da81f5347528 upstream. + +When a dual stack tcp listener accepts an ipv4 flow, +it should not attempt to use an ipv6 header or tcp_v6_iif() helper. + +Fixes: 1397ed35f22d ("ipv6: add flowinfo for tcp6 pkt_options for all cases") +Fixes: df3687ffc665 ("ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv6/tcp_ipv6.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1183,11 +1183,11 @@ static struct sock *tcp_v6_syn_recv_sock + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; +- newnp->mcast_oif = inet6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; +- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; ++ newnp->rcv_flowinfo = 0; + if (np->repflow) +- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); ++ newnp->flow_label = 0; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/queue-3.16/team-fix-possible-recursive-locking-when-add-slaves.patch b/queue-3.16/team-fix-possible-recursive-locking-when-add-slaves.patch new file mode 100644 index 00000000..7720e734 --- /dev/null +++ b/queue-3.16/team-fix-possible-recursive-locking-when-add-slaves.patch @@ -0,0 +1,47 @@ +From: Hangbin Liu <liuhangbin@gmail.com> +Date: Fri, 19 Apr 2019 14:31:00 +0800 +Subject: team: fix possible recursive locking when add slaves + +commit 925b0c841e066b488cc3a60272472b2c56300704 upstream. + +If we add a bond device which is already the master of the team interface, +we will hold the team->lock in team_add_slave() first and then request the +lock in team_set_mac_address() again. The functions are called like: + +- team_add_slave() + - team_port_add() + - team_port_enter() + - team_modeop_port_enter() + - __set_port_dev_addr() + - dev_set_mac_address() + - bond_set_mac_address() + - dev_set_mac_address() + - team_set_mac_address + +Although team_upper_dev_link() would check the upper devices but it is +called too late. Fix it by adding a checking before processing the slave. + +v2: Do not split the string in netdev_err() + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Acked-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: netlink doesn't support extack] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1116,6 +1116,12 @@ static int team_port_add(struct team *te + return -EINVAL; + } + ++ if (netdev_has_upper_dev(dev, port_dev)) { ++ netdev_err(dev, "Device %s is already an upper device of the team interface\n", ++ portname); ++ return -EBUSY; ++ } ++ + if (port_dev->features & NETIF_F_VLAN_CHALLENGED && + vlan_uses_dev(dev)) { + netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n", diff --git a/queue-3.16/tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch b/queue-3.16/tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch new file mode 100644 index 00000000..c829fc41 --- /dev/null +++ b/queue-3.16/tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch @@ -0,0 +1,40 @@ +From: Jie Liu <liujie165@huawei.com> +Date: Tue, 16 Apr 2019 13:10:09 +0800 +Subject: tipc: set sysctl_tipc_rmem and named_timeout right range + +commit 4bcd4ec1017205644a2697bccbc3b5143f522f5f upstream. + +We find that sysctl_tipc_rmem and named_timeout do not have the right minimum +setting. sysctl_tipc_rmem should be larger than zero, like sysctl_tcp_rmem. +And named_timeout as a timeout setting should be not less than zero. + +Fixes: cc79dd1ba9c10 ("tipc: change socket buffer overflow control to respect sk_rcvbuf") +Fixes: a5325ae5b8bff ("tipc: add name distributor resiliency queue") +Signed-off-by: Jie Liu <liujie165@huawei.com> +Reported-by: Qiang Ning <ningqiang1@huawei.com> +Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> +Reviewed-by: Miaohe Lin <linmiaohe@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: only the tipc_rmem sysctl exists here] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/tipc/sysctl.c ++++ b/net/tipc/sysctl.c +@@ -37,6 +37,7 @@ + + #include <linux/sysctl.h> + ++static int one = 1; + static struct ctl_table_header *tipc_ctl_hdr; + + static struct ctl_table tipc_table[] = { +@@ -45,7 +46,8 @@ static struct ctl_table tipc_table[] = { + .data = &sysctl_tipc_rmem, + .maxlen = sizeof(sysctl_tipc_rmem), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &one, + }, + {} + }; diff --git a/queue-3.16/tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch b/queue-3.16/tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch new file mode 100644 index 00000000..bb73e656 --- /dev/null +++ b/queue-3.16/tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch @@ -0,0 +1,53 @@ +From: Rikard Falkeborn <rikard.falkeborn@gmail.com> +Date: Tue, 9 Apr 2019 11:15:29 +0200 +Subject: tools lib traceevent: Fix missing equality check for strcmp + +commit f32c2877bcb068a718bb70094cd59ccc29d4d082 upstream. + +There was a missing comparison with 0 when checking if type is "s64" or +"u64". Therefore, the body of the if-statement was entered if "type" was +"u64" or not "s64", which made the first strcmp() redundant since if +type is "u64", it's not "s64". + +If type is "s64", the body of the if-statement is not entered but since +the remainder of the function consists of if-statements which will not +be entered if type is "s64", we will just return "val", which is +correct, albeit at the cost of a few more calls to strcmp(), i.e., it +will behave just as if the if-statement was entered. + +If type is neither "s64" or "u64", the body of the if-statement will be +entered incorrectly and "val" returned. This means that any type that is +checked after "s64" and "u64" is handled the same way as "s64" and +"u64", i.e., the limiting of "val" to fit in for example "s8" is never +reached. + +This was introduced in the kernel tree when the sources were copied from +trace-cmd in commit f7d82350e597 ("tools/events: Add files to create +libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei +("Implement typecasting in parser") when the function was introduced, +i.e., it has always behaved the wrong way. + +Detected by cppcheck. + +Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com> +Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com> +Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a") +Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + tools/lib/traceevent/event-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2065,7 +2065,7 @@ eval_type_str(unsigned long long val, co + return val & 0xffffffff; + + if (strcmp(type, "u64") == 0 || +- strcmp(type, "s64")) ++ strcmp(type, "s64") == 0) + return val; + + if (strcmp(type, "s8") == 0) diff --git a/queue-3.16/trace-fix-preempt_enable_no_resched-abuse.patch b/queue-3.16/trace-fix-preempt_enable_no_resched-abuse.patch new file mode 100644 index 00000000..8fa1bf2f --- /dev/null +++ b/queue-3.16/trace-fix-preempt_enable_no_resched-abuse.patch @@ -0,0 +1,43 @@ +From: Peter Zijlstra <peterz@infradead.org> +Date: Tue, 23 Apr 2019 22:03:18 +0200 +Subject: trace: Fix preempt_enable_no_resched() abuse + +commit d6097c9e4454adf1f8f2c9547c2fa6060d55d952 upstream. + +Unless the very next line is schedule(), or implies it, one must not use +preempt_enable_no_resched(). It can cause a preemption to go missing and +thereby cause arbitrary delays, breaking the PREEMPT=y invariant. + +Link: http://lkml.kernel.org/r/20190423200318.GY14281@hirez.programming.kicks-ass.net + +Cc: Waiman Long <longman@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Will Deacon <will.deacon@arm.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: the arch/x86 maintainers <x86@kernel.org> +Cc: Davidlohr Bueso <dave@stgolabs.net> +Cc: Tim Chen <tim.c.chen@linux.intel.com> +Cc: huang ying <huang.ying.caritas@gmail.com> +Cc: Roman Gushchin <guro@fb.com> +Cc: Alexei Starovoitov <ast@kernel.org> +Cc: Daniel Borkmann <daniel@iogearbox.net> +Fixes: 2c2d7329d8af ("tracing/ftrace: use preempt_enable_no_resched_notrace in ring_buffer_time_stamp()") +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -729,7 +729,7 @@ u64 ring_buffer_time_stamp(struct ring_b + + preempt_disable_notrace(); + time = rb_time_stamp(buffer); +- preempt_enable_no_resched_notrace(); ++ preempt_enable_notrace(); + + return time; + } diff --git a/queue-3.16/tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch b/queue-3.16/tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000..705ad71f --- /dev/null +++ b/queue-3.16/tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,32 @@ +From: Kangjie Lu <kjlu@umn.edu> +Date: Fri, 15 Mar 2019 12:16:06 -0500 +Subject: tty: atmel_serial: fix a potential NULL pointer dereference + +commit c85be041065c0be8bc48eda4c45e0319caf1d0e5 upstream. + +In case dmaengine_prep_dma_cyclic fails, the fix returns a proper +error code to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu <kjlu@umn.edu> +Fixes: 34df42f59a60 ("serial: at91: add rx dma support") +Acked-by: Richard Genoud <richard.genoud@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/serial/atmel_serial.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1045,6 +1045,10 @@ static int atmel_prepare_rx_dma(struct u + sg_dma_len(&atmel_port->sg_rx)/2, + DMA_DEV_TO_MEM, + DMA_PREP_INTERRUPT); ++ if (!desc) { ++ dev_err(port->dev, "Preparing DMA cyclic failed\n"); ++ goto chan_err; ++ } + desc->callback = atmel_complete_rx_dma; + desc->callback_param = port; + atmel_port->desc_rx = desc; diff --git a/queue-3.16/tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch b/queue-3.16/tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000..322b8bc4 --- /dev/null +++ b/queue-3.16/tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,30 @@ +From: Kangjie Lu <kjlu@umn.edu> +Date: Thu, 14 Mar 2019 02:21:51 -0500 +Subject: tty: mxs-auart: fix a potential NULL pointer dereference + +commit 6734330654dac550f12e932996b868c6d0dcb421 upstream. + +In case ioremap fails, the fix returns -ENOMEM to avoid NULL +pointer dereferences. +Multiple places use port.membase. + +Signed-off-by: Kangjie Lu <kjlu@umn.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/serial/mxs-auart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -1075,6 +1075,10 @@ static int mxs_auart_probe(struct platfo + + s->port.mapbase = r->start; + s->port.membase = ioremap(r->start, resource_size(r)); ++ if (!s->port.membase) { ++ ret = -ENOMEM; ++ goto out_disable_clks; ++ } + s->port.ops = &mxs_auart_ops; + s->port.iotype = UPIO_MEM; + s->port.fifosize = MXS_AUART_FIFO_SIZE; diff --git a/queue-3.16/udf-fix-crash-on-io-error-during-truncate.patch b/queue-3.16/udf-fix-crash-on-io-error-during-truncate.patch new file mode 100644 index 00000000..9e5c93fd --- /dev/null +++ b/queue-3.16/udf-fix-crash-on-io-error-during-truncate.patch @@ -0,0 +1,33 @@ +From: Jan Kara <jack@suse.cz> +Date: Mon, 11 Mar 2019 15:04:18 +0100 +Subject: udf: Fix crash on IO error during truncate + +commit d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 upstream. + +When truncate(2) hits IO error when reading indirect extent block the +code just bugs with: + +kernel BUG at linux-4.15.0/fs/udf/truncate.c:249! +... + +Fix the problem by bailing out cleanly in case of IO error. + +Reported-by: jean-luc malet <jeanluc.malet@gmail.com> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/udf/truncate.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/udf/truncate.c ++++ b/fs/udf/truncate.c +@@ -261,6 +261,9 @@ void udf_truncate_extents(struct inode * + epos.block = eloc; + epos.bh = udf_tread(sb, + udf_get_lb_pblock(sb, &eloc, 0)); ++ /* Error reading indirect block? */ ++ if (!epos.bh) ++ return; + if (elen) + indirect_ext_len = + (elen + sb->s_blocksize - 1) >> diff --git a/queue-3.16/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch b/queue-3.16/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch new file mode 100644 index 00000000..c7f077e8 --- /dev/null +++ b/queue-3.16/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch @@ -0,0 +1,29 @@ +From: Al Viro <viro@zeniv.linux.org.uk> +Date: Wed, 1 May 2019 22:46:11 -0400 +Subject: ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour + +commit 4e9036042fedaffcd868d7f7aa948756c48c637d upstream. + +To choose whether to pick the GID from the old (16bit) or new (32bit) +field, we should check if the old gid field is set to 0xffff. Mainline +checks the old *UID* field instead - cut'n'paste from the corresponding +code in ufs_get_inode_uid(). + +Fixes: 252e211e90ce +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ufs/util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ufs/util.h ++++ b/fs/ufs/util.h +@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb + case UFS_UID_44BSD: + return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid); + case UFS_UID_EFT: +- if (inode->ui_u1.oldids.ui_suid == 0xFFFF) ++ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF) + return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid); + /* Fall through */ + default: diff --git a/queue-3.16/usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch b/queue-3.16/usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch new file mode 100644 index 00000000..f2b55030 --- /dev/null +++ b/queue-3.16/usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch @@ -0,0 +1,217 @@ +From: Alan Stern <stern@rowland.harvard.edu> +Date: Fri, 19 Apr 2019 13:52:38 -0400 +Subject: USB: core: Fix bug caused by duplicate interface PM usage counter + +commit c2b71462d294cf517a0bc6e4fd6424d7cee5596f upstream. + +The syzkaller fuzzer reported a bug in the USB hub driver which turned +out to be caused by a negative runtime-PM usage counter. This allowed +a hub to be runtime suspended at a time when the driver did not expect +it. The symptom is a WARNING issued because the hub's status URB is +submitted while it is already active: + + URB 0000000031fb463e submitted while active + WARNING: CPU: 0 PID: 2917 at drivers/usb/core/urb.c:363 + +The negative runtime-PM usage count was caused by an unfortunate +design decision made when runtime PM was first implemented for USB. +At that time, USB class drivers were allowed to unbind from their +interfaces without balancing the usage counter (i.e., leaving it with +a positive count). The core code would take care of setting the +counter back to 0 before allowing another driver to bind to the +interface. + +Later on when runtime PM was implemented for the entire kernel, the +opposite decision was made: Drivers were required to balance their +runtime-PM get and put calls. In order to maintain backward +compatibility, however, the USB subsystem adapted to the new +implementation by keeping an independent usage counter for each +interface and using it to automatically adjust the normal usage +counter back to 0 whenever a driver was unbound. + +This approach involves duplicating information, but what is worse, it +doesn't work properly in cases where a USB class driver delays +decrementing the usage counter until after the driver's disconnect() +routine has returned and the counter has been adjusted back to 0. +Doing so would cause the usage counter to become negative. There's +even a warning about this in the USB power management documentation! + +As it happens, this is exactly what the hub driver does. The +kick_hub_wq() routine increments the runtime-PM usage counter, and the +corresponding decrement is carried out by hub_event() in the context +of the hub_wq work-queue thread. This work routine may sometimes run +after the driver has been unbound from its interface, and when it does +it causes the usage counter to go negative. + +It is not possible for hub_disconnect() to wait for a pending +hub_event() call to finish, because hub_disconnect() is called with +the device lock held and hub_event() acquires that lock. The only +feasible fix is to reverse the original design decision: remove the +duplicate interface-specific usage counter and require USB drivers to +balance their runtime PM gets and puts. As far as I know, all +existing drivers currently do this. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-and-tested-by: syzbot+7634edaea4d0b341c625@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: + - Adjust documentation filename + - Don't add ReST markup in documentation + - Update use of pm_usage_cnt in poseidon driver, which has been + removed upstream] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/Documentation/usb/power-management.txt ++++ b/Documentation/usb/power-management.txt +@@ -345,11 +345,15 @@ autosuspend the interface's device. Whe + then the interface is considered to be idle, and the kernel may + autosuspend the device. + +-Drivers need not be concerned about balancing changes to the usage +-counter; the USB core will undo any remaining "get"s when a driver +-is unbound from its interface. As a corollary, drivers must not call +-any of the usb_autopm_* functions after their disconnect() routine has +-returned. ++Drivers must be careful to balance their overall changes to the usage ++counter. Unbalanced "get"s will remain in effect when a driver is ++unbound from its interface, preventing the device from going into ++runtime suspend should the interface be bound to a driver again. On ++the other hand, drivers are allowed to achieve this balance by calling ++the usb_autopm_* functions even after their disconnect routine ++has returned -- say from within a work-queue routine -- provided they ++retain an active reference to the interface (via usb_get_intf and ++usb_put_intf). + + Drivers using the async routines are responsible for their own + synchronization and mutual exclusion. +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -483,11 +483,6 @@ static int usb_unbind_interface(struct d + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + +- /* Undo any residual pm_autopm_get_interface_* calls */ +- for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r) +- usb_autopm_put_interface_no_suspend(intf); +- atomic_set(&intf->pm_usage_cnt, 0); +- + if (!error) + usb_autosuspend_device(udev); + +@@ -1638,7 +1633,6 @@ void usb_autopm_put_interface(struct usb + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put_sync(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1667,7 +1661,6 @@ void usb_autopm_put_interface_async(stru + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1689,7 +1682,6 @@ void usb_autopm_put_interface_no_suspend + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + pm_runtime_put_noidle(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend); +@@ -1720,8 +1712,6 @@ int usb_autopm_get_interface(struct usb_ + status = pm_runtime_get_sync(&intf->dev); + if (status < 0) + pm_runtime_put_sync(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1755,8 +1745,6 @@ int usb_autopm_get_interface_async(struc + status = pm_runtime_get(&intf->dev); + if (status < 0 && status != -EINPROGRESS) + pm_runtime_put_noidle(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1780,7 +1768,6 @@ void usb_autopm_get_interface_no_resume( + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_inc(&intf->pm_usage_cnt); + pm_runtime_get_noresume(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume); +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -767,18 +767,16 @@ static void rts51x_suspend_timer_fn(unsi + break; + case RTS51X_STAT_IDLE: + case RTS51X_STAT_SS: +- usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) { + usb_stor_dbg(us, "Ready to enter SS state\n"); + rts51x_set_stat(chip, RTS51X_STAT_SS); + /* ignore mass storage interface's children */ + pm_suspend_ignore_children(&us->pusb_intf->dev, true); + usb_autopm_put_interface_async(us->pusb_intf); +- usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + } + break; +@@ -811,11 +809,10 @@ static void rts51x_invoke_transport(stru + int ret; + + if (working_scsi(srb)) { +- usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "working scsi, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) { + ret = usb_autopm_get_interface(us->pusb_intf); + usb_stor_dbg(us, "working scsi, ret=%d\n", ret); + } +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -125,7 +125,6 @@ enum usb_interface_condition { + * @dev: driver model's view of this device + * @usb_dev: if an interface is bound to the USB major, this will point + * to the sysfs representation for that device. +- * @pm_usage_cnt: PM usage counter for this interface + * @reset_ws: Used for scheduling resets from atomic context. + * @reset_running: set to 1 if the interface is currently running a + * queued reset so that usb_cancel_queued_reset() doesn't try to +@@ -186,7 +185,6 @@ struct usb_interface { + + struct device dev; /* interface specific device info */ + struct device *usb_dev; +- atomic_t pm_usage_cnt; /* usage counter for autosuspend */ + struct work_struct reset_ws; /* for resets in atomic context */ + }; + #define to_usb_interface(d) container_of(d, struct usb_interface, dev) +--- a/drivers/media/usb/tlg2300/pd-common.h ++++ b/drivers/media/usb/tlg2300/pd-common.h +@@ -257,7 +257,7 @@ void set_debug_mode(struct video_device + #else + #define in_hibernation(pd) (0) + #endif +-#define get_pm_count(p) (atomic_read(&(p)->interface->pm_usage_cnt)) ++#define get_pm_count(p) (atomic_read(&(p)->interface->dev.power.usage_count)) + + #define log(a, ...) printk(KERN_DEBUG "\t[ %s : %.3d ] "a"\n", \ + __func__, __LINE__, ## __VA_ARGS__) diff --git a/queue-3.16/usb-core-fix-unterminated-string-returned-by-usb_string.patch b/queue-3.16/usb-core-fix-unterminated-string-returned-by-usb_string.patch new file mode 100644 index 00000000..3387c977 --- /dev/null +++ b/queue-3.16/usb-core-fix-unterminated-string-returned-by-usb_string.patch @@ -0,0 +1,45 @@ +From: Alan Stern <stern@rowland.harvard.edu> +Date: Mon, 15 Apr 2019 11:51:38 -0400 +Subject: USB: core: Fix unterminated string returned by usb_string() + +commit c01c348ecdc66085e44912c97368809612231520 upstream. + +Some drivers (such as the vub300 MMC driver) expect usb_string() to +return a properly NUL-terminated string, even when an error occurs. +(In fact, vub300's probe routine doesn't bother to check the return +code from usb_string().) When the driver goes on to use an +unterminated string, it leads to kernel errors such as +stack-out-of-bounds, as found by the syzkaller USB fuzzer. + +An out-of-range string index argument is not at all unlikely, given +that some devices don't provide string descriptors and therefore list +0 as the value for their string indexes. This patch makes +usb_string() return a properly terminated empty string along with the +-EINVAL error code when an out-of-range index is encountered. + +And since a USB string index is a single-byte value, indexes >= 256 +are just as invalid as values of 0 or below. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-by: syzbot+b75b85111c10b8d680f1@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/core/message.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -822,9 +822,11 @@ int usb_string(struct usb_device *dev, i + + if (dev->state == USB_STATE_SUSPENDED) + return -EHOSTUNREACH; +- if (size <= 0 || !buf || !index) ++ if (size <= 0 || !buf) + return -EINVAL; + buf[0] = 0; ++ if (index <= 0 || index >= 256) ++ return -EINVAL; + tbuf = kmalloc(256, GFP_NOIO); + if (!tbuf) + return -ENOMEM; diff --git a/queue-3.16/usb-serial-cp210x-add-new-device-id.patch b/queue-3.16/usb-serial-cp210x-add-new-device-id.patch new file mode 100644 index 00000000..1d39e906 --- /dev/null +++ b/queue-3.16/usb-serial-cp210x-add-new-device-id.patch @@ -0,0 +1,28 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Wed, 27 Mar 2019 10:11:14 +0900 +Subject: USB: serial: cp210x: add new device id + +commit a595ecdd5f60b2d93863cebb07eec7f935839b54 upstream. + +Lorenz Messtechnik has a device that is controlled by the cp210x driver, +so add the device id to the driver. The device id was provided by +Silicon-Labs for the devices from this vendor. + +Reported-by: Uli <t9cpu@web.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -76,6 +76,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */ + { USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */ + { USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */ ++ { USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */ + { USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */ + { USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */ + { USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */ diff --git a/queue-3.16/usb-serial-ftdi_sio-add-additional-novatech-products.patch b/queue-3.16/usb-serial-ftdi_sio-add-additional-novatech-products.patch new file mode 100644 index 00000000..7358173f --- /dev/null +++ b/queue-3.16/usb-serial-ftdi_sio-add-additional-novatech-products.patch @@ -0,0 +1,41 @@ +From: George McCollister <george.mccollister@gmail.com> +Date: Tue, 5 Mar 2019 16:05:03 -0600 +Subject: USB: serial: ftdi_sio: add additional NovaTech products + +commit 422c2537ba9d42320f8ab6573940269f87095320 upstream. + +Add PIDs for the NovaTech OrionLX+ and Orion I/O so they can be +automatically detected. + +Signed-off-by: George McCollister <george.mccollister@gmail.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 4 +++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -617,6 +617,8 @@ static const struct usb_device_id id_tab + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -566,7 +566,9 @@ + /* + * NovaTech product ids (FTDI_VID) + */ +-#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ ++#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ ++#define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */ ++#define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */ + + /* + * Synapse Wireless product ids (FTDI_VID) diff --git a/queue-3.16/usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch b/queue-3.16/usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch new file mode 100644 index 00000000..edb355c7 --- /dev/null +++ b/queue-3.16/usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch @@ -0,0 +1,43 @@ +From: Lin Yi <teroincn@163.com> +Date: Wed, 20 Mar 2019 19:04:56 +0800 +Subject: USB: serial: mos7720: fix mos_parport refcount imbalance on error + path + +commit 2908b076f5198d231de62713cb2b633a3a4b95ac upstream. + +The write_parport_reg_nonblock() helper takes a reference to the struct +mos_parport, but failed to release it in a couple of error paths after +allocation failures, leading to a memory leak. + +Johan said that move the kref_get() and mos_parport assignment to the +end of urbtrack initialisation is a better way, so move it. and +mos_parport do not used until urbtrack initialisation. + +Signed-off-by: Lin Yi <teroincn@163.com> +Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/mos7720.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -362,8 +362,6 @@ static int write_parport_reg_nonblock(st + if (!urbtrack) + return -ENOMEM; + +- kref_get(&mos_parport->ref_count); +- urbtrack->mos_parport = mos_parport; + urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urbtrack->urb) { + kfree(urbtrack); +@@ -384,6 +382,8 @@ static int write_parport_reg_nonblock(st + usb_sndctrlpipe(usbdev, 0), + (unsigned char *)urbtrack->setup, + NULL, 0, async_complete, urbtrack); ++ kref_get(&mos_parport->ref_count); ++ urbtrack->mos_parport = mos_parport; + kref_init(&urbtrack->ref_count); + INIT_LIST_HEAD(&urbtrack->urblist_entry); + diff --git a/queue-3.16/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch b/queue-3.16/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch new file mode 100644 index 00000000..e6e1d246 --- /dev/null +++ b/queue-3.16/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch @@ -0,0 +1,74 @@ +From: Malte Leip <malte@leip.net> +Date: Sun, 14 Apr 2019 12:00:12 +0200 +Subject: usb: usbip: fix isoc packet num validation in get_pipe + +commit c409ca3be3c6ff3a1eeb303b191184e80d412862 upstream. + +Change the validation of number_of_packets in get_pipe to compare the +number of packets to a fixed maximum number of packets allowed, set to +be 1024. This number was chosen due to it being used by other drivers as +well, for example drivers/usb/host/uhci-q.c + +Background/reason: +The get_pipe function in stub_rx.c validates the number of packets in +isochronous mode and aborts with an error if that number is too large, +in order to prevent malicious input from possibly triggering large +memory allocations. This was previously done by checking whether +pdu->u.cmd_submit.number_of_packets is bigger than the number of packets +that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes +if all except possibly the last packet had maximum length, given by +usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd). This leads to an +error if URBs with packets shorter than the maximum possible length are +submitted, which is allowed according to +Documentation/driver-api/usb/URB.rst and occurs for example with the +snd-usb-audio driver. + +Fixes: c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") +Signed-off-by: Malte Leip <malte@leip.net> +Acked-by: Shuah Khan <skhan@linuxfoundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust filenames] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/usbip/stub_rx.c | 12 +++--------- + drivers/staging/usbip/usbip_common.h | 7 +++++++ + 2 files changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/staging/usbip/stub_rx.c ++++ b/drivers/staging/usbip/stub_rx.c +@@ -375,16 +375,10 @@ static int get_pipe(struct stub_device * + } + + if (usb_endpoint_xfer_isoc(epd)) { +- /* validate packet size and number of packets */ +- unsigned int maxp, packets, bytes; +- +- maxp = usb_endpoint_maxp(epd); +- maxp *= usb_endpoint_maxp_mult(epd); +- bytes = pdu->u.cmd_submit.transfer_buffer_length; +- packets = DIV_ROUND_UP(bytes, maxp); +- ++ /* validate number of packets */ + if (pdu->u.cmd_submit.number_of_packets < 0 || +- pdu->u.cmd_submit.number_of_packets > packets) { ++ pdu->u.cmd_submit.number_of_packets > ++ USBIP_MAX_ISO_PACKETS) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); +--- a/drivers/staging/usbip/usbip_common.h ++++ b/drivers/staging/usbip/usbip_common.h +@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_ + #define USBIP_DIR_OUT 0x00 + #define USBIP_DIR_IN 0x01 + ++/* ++ * Arbitrary limit for the maximum number of isochronous packets in an URB, ++ * compare for example the uhci_submit_isochronous function in ++ * drivers/usb/host/uhci-q.c ++ */ ++#define USBIP_MAX_ISO_PACKETS 1024 ++ + /** + * struct usbip_header_basic - data pertinent to every request + * @command: the usbip request type diff --git a/queue-3.16/usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch b/queue-3.16/usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch new file mode 100644 index 00000000..f54928d6 --- /dev/null +++ b/queue-3.16/usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch @@ -0,0 +1,46 @@ +From: Alan Stern <stern@rowland.harvard.edu> +Date: Mon, 22 Apr 2019 11:16:04 -0400 +Subject: USB: w1 ds2490: Fix bug caused by improper use of altsetting array + +commit c114944d7d67f24e71562fcfc18d550ab787e4d4 upstream. + +The syzkaller USB fuzzer spotted a slab-out-of-bounds bug in the +ds2490 driver. This bug is caused by improper use of the altsetting +array in the usb_interface structure (the array's entries are not +always stored in numerical order), combined with a naive assumption +that all interfaces probed by the driver will have the expected number +of altsettings. + +The bug can be fixed by replacing references to the possibly +non-existent intf->altsetting[alt] entry with the guaranteed-to-exist +intf->cur_altsetting entry. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-and-tested-by: syzbot+d65f673b847a1a96cdba@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/w1/masters/ds2490.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/w1/masters/ds2490.c ++++ b/drivers/w1/masters/ds2490.c +@@ -1041,15 +1041,15 @@ static int ds_probe(struct usb_interface + /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */ + alt = 3; + err = usb_set_interface(dev->udev, +- intf->altsetting[alt].desc.bInterfaceNumber, alt); ++ intf->cur_altsetting->desc.bInterfaceNumber, alt); + if (err) { + dev_err(&dev->udev->dev, "Failed to set alternative setting %d " + "for %d interface: err=%d.\n", alt, +- intf->altsetting[alt].desc.bInterfaceNumber, err); ++ intf->cur_altsetting->desc.bInterfaceNumber, err); + goto err_out_clear; + } + +- iface_desc = &intf->altsetting[alt]; ++ iface_desc = intf->cur_altsetting; + if (iface_desc->desc.bNumEndpoints != NUM_EP-1) { + printk(KERN_INFO "Num endpoints=%d. It is not DS9490R.\n", iface_desc->desc.bNumEndpoints); + err = -EINVAL; diff --git a/queue-3.16/usb-yurex-fix-protection-fault-after-device-removal.patch b/queue-3.16/usb-yurex-fix-protection-fault-after-device-removal.patch new file mode 100644 index 00000000..e73ade2a --- /dev/null +++ b/queue-3.16/usb-yurex-fix-protection-fault-after-device-removal.patch @@ -0,0 +1,36 @@ +From: Alan Stern <stern@rowland.harvard.edu> +Date: Tue, 23 Apr 2019 14:48:29 -0400 +Subject: USB: yurex: Fix protection fault after device removal + +commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream. + +The syzkaller USB fuzzer found a general-protection-fault bug in the +yurex driver. The fault occurs when a device has been unplugged; the +driver's interrupt-URB handler logs an error message referring to the +device by name, after the device has been unregistered and its name +deallocated. + +This problem is caused by the fact that the interrupt URB isn't +cancelled until the driver's private data structure is released, which +can happen long after the device is gone. The cure is to make sure +that the interrupt URB is killed before yurex_disconnect() returns; +this is exactly the sort of thing that usb_poison_urb() was meant for. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/misc/yurex.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_ + usb_deregister_dev(interface, &yurex_class); + + /* prevent more I/O from starting */ ++ usb_poison_urb(dev->urb); + mutex_lock(&dev->io_mutex); + dev->interface = NULL; + mutex_unlock(&dev->io_mutex); diff --git a/queue-3.16/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch b/queue-3.16/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch new file mode 100644 index 00000000..928c12b3 --- /dev/null +++ b/queue-3.16/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch @@ -0,0 +1,30 @@ +From: Colin Ian King <colin.king@canonical.com> +Date: Fri, 12 Apr 2019 14:45:12 +0100 +Subject: vxge: fix return of a free'd memblock on a failed dma mapping + +commit 0a2c34f18c94b596562bf3d019fceab998b8b584 upstream. + +Currently if a pci dma mapping failure is detected a free'd +memblock address is returned rather than a NULL (that indicates +an error). Fix this by ensuring NULL is returned on this error case. + +Addresses-Coverity: ("Use after free") +Fixes: 528f727279ae ("vxge: code cleanup and reorganization") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/neterion/vxge/vxge-config.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c ++++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c +@@ -2381,6 +2381,7 @@ static void *__vxge_hw_blockpool_malloc( + vxge_os_dma_free(devh->pdev, memblock, + &dma_object->acc_handle); + status = VXGE_HW_ERR_OUT_OF_MEMORY; ++ memblock = NULL; + goto exit; + } + diff --git a/queue-3.16/x86-kprobes-avoid-kretprobe-recursion-bug.patch b/queue-3.16/x86-kprobes-avoid-kretprobe-recursion-bug.patch new file mode 100644 index 00000000..13db4768 --- /dev/null +++ b/queue-3.16/x86-kprobes-avoid-kretprobe-recursion-bug.patch @@ -0,0 +1,103 @@ +From: Masami Hiramatsu <mhiramat@kernel.org> +Date: Sun, 24 Feb 2019 01:50:49 +0900 +Subject: x86/kprobes: Avoid kretprobe recursion bug + +commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 upstream. + +Avoid kretprobe recursion loop bg by setting a dummy +kprobes to current_kprobe per-CPU variable. + +This bug has been introduced with the asm-coded trampoline +code, since previously it used another kprobe for hooking +the function return placeholder (which only has a nop) and +trampoline handler was called from that kprobe. + +This revives the old lost kprobe again. + +With this fix, we don't see deadlock anymore. + +And you can see that all inner-called kretprobe are skipped. + + event_1 235 0 + event_2 19375 19612 + +The 1st column is recorded count and the 2nd is missed count. +Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed) +(some difference are here because the counter is racy) + +Reported-by: Andrea Righi <righi.andrea@gmail.com> +Tested-by: Andrea Righi <righi.andrea@gmail.com> +Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> +Acked-by: Steven Rostedt <rostedt@goodmis.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster") +Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox +Signed-off-by: Ingo Molnar <mingo@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kernel/kprobes/core.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -686,11 +686,16 @@ static void __used kretprobe_trampoline_ + NOKPROBE_SYMBOL(kretprobe_trampoline_holder); + NOKPROBE_SYMBOL(kretprobe_trampoline); + ++static struct kprobe kretprobe_kprobe = { ++ .addr = (void *)kretprobe_trampoline, ++}; ++ + /* + * Called from kretprobe_trampoline + */ + __visible __used void *trampoline_handler(struct pt_regs *regs) + { ++ struct kprobe_ctlblk *kcb; + struct kretprobe_instance *ri = NULL; + struct hlist_head *head, empty_rp; + struct hlist_node *tmp; +@@ -700,6 +705,17 @@ __visible __used void *trampoline_handle + void *frame_pointer; + bool skipped = false; + ++ preempt_disable(); ++ ++ /* ++ * Set a dummy kprobe for avoiding kretprobe recursion. ++ * Since kretprobe never run in kprobe handler, kprobe must not ++ * be running at this point. ++ */ ++ kcb = get_kprobe_ctlblk(); ++ __this_cpu_write(current_kprobe, &kretprobe_kprobe); ++ kcb->kprobe_status = KPROBE_HIT_ACTIVE; ++ + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ +@@ -775,10 +791,9 @@ __visible __used void *trampoline_handle + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { + __this_cpu_write(current_kprobe, &ri->rp->kp); +- get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE; + ri->ret_addr = correct_ret_addr; + ri->rp->handler(ri, regs); +- __this_cpu_write(current_kprobe, NULL); ++ __this_cpu_write(current_kprobe, &kretprobe_kprobe); + } + + recycle_rp_inst(ri, &empty_rp); +@@ -794,6 +809,9 @@ __visible __used void *trampoline_handle + + kretprobe_hash_unlock(current, &flags); + ++ __this_cpu_write(current_kprobe, NULL); ++ preempt_enable(); ++ + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + kfree(ri); diff --git a/queue-3.16/x86-kprobes-verify-stack-frame-on-kretprobe.patch b/queue-3.16/x86-kprobes-verify-stack-frame-on-kretprobe.patch new file mode 100644 index 00000000..8b554e54 --- /dev/null +++ b/queue-3.16/x86-kprobes-verify-stack-frame-on-kretprobe.patch @@ -0,0 +1,107 @@ +From: Masami Hiramatsu <mhiramat@kernel.org> +Date: Sun, 24 Feb 2019 01:49:52 +0900 +Subject: x86/kprobes: Verify stack frame on kretprobe + +commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream. + +Verify the stack frame pointer on kretprobe trampoline handler, +If the stack frame pointer does not match, it skips the wrong +entry and tries to find correct one. + +This can happen if user puts the kretprobe on the function +which can be used in the path of ftrace user-function call. +Such functions should not be probed, so this adds a warning +message that reports which function should be blacklisted. + +Tested-by: Andrea Righi <righi.andrea@gmail.com> +Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> +Acked-by: Steven Rostedt <rostedt@goodmis.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++ + include/linux/kprobes.h | 1 + + 2 files changed, 27 insertions(+) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -494,6 +494,7 @@ void arch_prepare_kretprobe(struct kretp + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -696,15 +697,21 @@ __visible __used void *trampoline_handle + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -726,8 +733,25 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -745,6 +769,8 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -197,6 +197,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; + diff --git a/queue-3.16/x86-kvm-move-kvm_load-put_guest_xcr0-into-atomic-context.patch b/queue-3.16/x86-kvm-move-kvm_load-put_guest_xcr0-into-atomic-context.patch new file mode 100644 index 00000000..39f91d6b --- /dev/null +++ b/queue-3.16/x86-kvm-move-kvm_load-put_guest_xcr0-into-atomic-context.patch @@ -0,0 +1,136 @@ +From: WANG Chao <chao.wang@ucloud.cn> +Date: Fri, 12 Apr 2019 15:55:39 +0800 +Subject: x86/kvm: move kvm_load/put_guest_xcr0 into atomic context + +commit 1811d979c71621aafc7b879477202d286f7e863b upstream. + +guest xcr0 could leak into host when MCE happens in guest mode. Because +do_machine_check() could schedule out at a few places. + +For example: + +kvm_load_guest_xcr0 +... +kvm_x86_ops->run(vcpu) { + vmx_vcpu_run + vmx_complete_atomic_exit + kvm_machine_check + do_machine_check + do_memory_failure + memory_failure + lock_page + +In this case, host_xcr0 is 0x2ff, guest vcpu xcr0 is 0xff. After schedule +out, host cpu has guest xcr0 loaded (0xff). + +In __switch_to { + switch_fpu_finish + copy_kernel_to_fpregs + XRSTORS + +If any bit i in XSTATE_BV[i] == 1 and xcr0[i] == 0, XRSTORS will +generate #GP (In this case, bit 9). Then ex_handler_fprestore kicks in +and tries to reinitialize fpu by restoring init fpu state. Same story as +last #GP, except we get DOUBLE FAULT this time. + +Signed-off-by: WANG Chao <chao.wang@ucloud.cn> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3971,6 +3971,7 @@ static void svm_vcpu_run(struct kvm_vcpu + svm->vmcb->save.cr2 = vcpu->arch.cr2; + + clgi(); ++ kvm_load_guest_xcr0(vcpu); + + /* + * If this vCPU has touched SPEC_CTRL, restore the guest's value if +@@ -4118,6 +4119,7 @@ static void svm_vcpu_run(struct kvm_vcpu + if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI)) + kvm_before_handle_nmi(&svm->vcpu); + ++ kvm_put_guest_xcr0(vcpu); + stgi(); + + /* Any pending NMI will happen here */ +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7455,6 +7455,8 @@ static void __noclone vmx_vcpu_run(struc + if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) + vmx_set_interrupt_shadow(vcpu, 0); + ++ kvm_load_guest_xcr0(vcpu); ++ + atomic_switch_perf_msrs(vmx); + debugctlmsr = get_debugctlmsr(); + +@@ -7627,6 +7629,8 @@ static void __noclone vmx_vcpu_run(struc + | (1 << VCPU_EXREG_CR3)); + vcpu->arch.regs_dirty = 0; + ++ kvm_put_guest_xcr0(vcpu); ++ + /* + * the KVM_REQ_EVENT optimization bit is only on for one entry, and if + * we did not inject a still-pending event to L1 now because of +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -590,7 +590,7 @@ void kvm_lmsw(struct kvm_vcpu *vcpu, uns + } + EXPORT_SYMBOL_GPL(kvm_lmsw); + +-static void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu) ++void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu) + { + if (kvm_read_cr4_bits(vcpu, X86_CR4_OSXSAVE) && + !vcpu->guest_xcr0_loaded) { +@@ -599,8 +599,9 @@ static void kvm_load_guest_xcr0(struct k + vcpu->guest_xcr0_loaded = 1; + } + } ++EXPORT_SYMBOL_GPL(kvm_load_guest_xcr0); + +-static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu) ++void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu) + { + if (vcpu->guest_xcr0_loaded) { + if (vcpu->arch.xcr0 != host_xcr0) +@@ -608,6 +609,7 @@ static void kvm_put_guest_xcr0(struct kv + vcpu->guest_xcr0_loaded = 0; + } + } ++EXPORT_SYMBOL_GPL(kvm_put_guest_xcr0); + + int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr) + { +@@ -6206,8 +6208,6 @@ static int vcpu_enter_guest(struct kvm_v + goto cancel_injection; + } + +- kvm_load_guest_xcr0(vcpu); +- + if (req_immediate_exit) + smp_send_reschedule(vcpu->cpu); + +@@ -6256,8 +6256,6 @@ static int vcpu_enter_guest(struct kvm_v + vcpu->mode = OUTSIDE_GUEST_MODE; + smp_wmb(); + +- kvm_put_guest_xcr0(vcpu); +- + /* Interrupt is enabled by handle_external_intr() */ + kvm_x86_ops->handle_external_intr(vcpu); + +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -148,4 +148,7 @@ extern u64 kvm_supported_xcr0(void); + extern unsigned int min_timer_period_us; + + extern struct static_key kvm_no_apic_vcpu; ++ ++void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu); ++void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu); + #endif diff --git a/queue-3.16/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch b/queue-3.16/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch new file mode 100644 index 00000000..f836d1a7 --- /dev/null +++ b/queue-3.16/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch @@ -0,0 +1,63 @@ +From: Thomas Gleixner <tglx@linutronix.de> +Date: Sun, 14 Apr 2019 19:51:06 +0200 +Subject: x86/speculation: Prevent deadlock on ssb_state::lock + +commit 2f5fb19341883bb6e37da351bc3700489d8506a7 upstream. + +Mikhail reported a lockdep splat related to the AMD specific ssb_state +lock: + + CPU0 CPU1 + lock(&st->lock); + local_irq_disable(); + lock(&(&sighand->siglock)->rlock); + lock(&st->lock); + <Interrupt> + lock(&(&sighand->siglock)->rlock); + + *** DEADLOCK *** + +The connection between sighand->siglock and st->lock comes through seccomp, +which takes st->lock while holding sighand->siglock. + +Make sure interrupts are disabled when __speculation_ctrl_update() is +invoked via prctl() -> speculation_ctrl_update(). Add a lockdep assert to +catch future offenders. + +Fixes: 1f50ddb4f418 ("x86/speculation: Handle HT correctly on AMD") +Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> +Cc: Thomas Lendacky <thomas.lendacky@amd.com> +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1904141948200.4917@nanos.tec.linutronix.de +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kernel/process.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -351,6 +351,8 @@ static __always_inline void __speculatio + u64 msr = x86_spec_ctrl_base; + bool updmsr = false; + ++ lockdep_assert_irqs_disabled(); ++ + /* + * If TIF_SSBD is different, select the proper mitigation + * method. Note that if SSBD mitigation is disabled or permanentely +@@ -402,10 +404,12 @@ static unsigned long speculation_ctrl_up + + void speculation_ctrl_update(unsigned long tif) + { ++ unsigned long flags; ++ + /* Forced update. Make sure all relevant TIF flags are different */ +- preempt_disable(); ++ local_irq_save(flags); + __speculation_ctrl_update(~tif, tif); +- preempt_enable(); ++ local_irq_restore(flags); + } + + /* Called from seccomp/prctl update */ diff --git a/queue-3.16/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch b/queue-3.16/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch new file mode 100644 index 00000000..c4d176a2 --- /dev/null +++ b/queue-3.16/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch @@ -0,0 +1,33 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 4 Apr 2019 18:12:17 +0300 +Subject: xen: Prevent buffer overflow in privcmd ioctl + +commit 42d8644bd77dd2d747e004e367cb0c895a606f39 upstream. + +The "call" variable comes from the user in privcmd_ioctl_hypercall(). +It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32) +elements. We need to put an upper bound on it to prevent an out of +bounds access. + +Fixes: 1246ae0bb992 ("xen: add variable hypercall caller") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> +Signed-off-by: Juergen Gross <jgross@suse.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/include/asm/xen/hypercall.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/include/asm/xen/hypercall.h ++++ b/arch/x86/include/asm/xen/hypercall.h +@@ -215,6 +215,9 @@ privcmd_call(unsigned call, + __HYPERCALL_DECLS; + __HYPERCALL_5ARG(a1, a2, a3, a4, a5); + ++ if (call >= PAGE_SIZE / sizeof(hypercall_page[0])) ++ return -EINVAL; ++ + stac(); + asm volatile(CALL_NOSPEC + : __HYPERCALL_5PARAM diff --git a/queue-3.16/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch b/queue-3.16/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch new file mode 100644 index 00000000..8f94c0e8 --- /dev/null +++ b/queue-3.16/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch @@ -0,0 +1,83 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Thu, 28 Feb 2019 15:18:59 +0800 +Subject: xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink + +commit b805d78d300bcf2c83d6df7da0c818b0fee41427 upstream. + +UBSAN report this: + +UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 +index 6 is out of range for type 'unsigned int [6]' +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4 + 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80 + ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8 +Call Trace: + <IRQ> [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline] + <IRQ> [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51 + [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 + [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382 + [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289 + [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309 + [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243 + [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144 + [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline] + [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401 + [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273 + [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline] + [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391 + [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline] + [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926 + [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735 + <EOI> [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52 + [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline] + [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446 + [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437 + [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92 + [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline] + [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline] + [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299 + [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245 + +The issue is triggered as this: + +xfrm_add_policy + -->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX + //In my case, the index is 0x6E6BB6, so it pass the check. + -->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer + -->xfrm_policy_insert + --> __xfrm_policy_link //use the orgin dir, in my case is 2 + --> xfrm_gen_index //generate policy index, there is 0x6E6BB6 + +then xfrm_policy_timer be fired + +xfrm_policy_timer + --> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6 + --> xfrm_policy_delete + --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access + +Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is +valid, to fix the issue. + +Reported-by: Hulk Robot <hulkci@huawei.com> +Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Acked-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/xfrm/xfrm_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1255,7 +1255,7 @@ static int verify_newpolicy_info(struct + ret = verify_policy_dir(p->dir); + if (ret) + return ret; +- if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) ++ if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) + return -EINVAL; + + return 0; diff --git a/queue-3.16/xfrm4-fix-header-checks-in-_decode_session4.patch b/queue-3.16/xfrm4-fix-header-checks-in-_decode_session4.patch new file mode 100644 index 00000000..695af0f4 --- /dev/null +++ b/queue-3.16/xfrm4-fix-header-checks-in-_decode_session4.patch @@ -0,0 +1,72 @@ +From: Steffen Klassert <steffen.klassert@secunet.com> +Date: Fri, 23 Oct 2015 07:31:23 +0200 +Subject: xfrm4: Fix header checks in _decode_session4. + +commit 1a14f1e5550a341f76e5c8f596e9b5f8a886dfbc upstream. + +We skip the header informations if the data pointer points +already behind the header in question for some protocols. +This is because we call pskb_may_pull with a negative value +converted to unsigened int from pskb_may_pull in this case. +Skipping the header informations can lead to incorrect policy +lookups, so fix it by a check of the data pointer position +before we call pskb_may_pull. + +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv4/xfrm4_policy.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -131,7 +131,8 @@ _decode_session4(struct sk_buff *skb, st + break; + + case IPPROTO_ICMP: +- if (pskb_may_pull(skb, xprth + 2 - skb->data)) { ++ if (xprth + 2 < skb->data || ++ pskb_may_pull(skb, xprth + 2 - skb->data)) { + u8 *icmp = xprth; + + fl4->fl4_icmp_type = icmp[0]; +@@ -140,7 +141,8 @@ _decode_session4(struct sk_buff *skb, st + break; + + case IPPROTO_ESP: +- if (pskb_may_pull(skb, xprth + 4 - skb->data)) { ++ if (xprth + 4 < skb->data || ++ pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be32 *ehdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ehdr[0]; +@@ -148,7 +150,8 @@ _decode_session4(struct sk_buff *skb, st + break; + + case IPPROTO_AH: +- if (pskb_may_pull(skb, xprth + 8 - skb->data)) { ++ if (xprth + 8 < skb->data || ++ pskb_may_pull(skb, xprth + 8 - skb->data)) { + __be32 *ah_hdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ah_hdr[1]; +@@ -156,7 +159,8 @@ _decode_session4(struct sk_buff *skb, st + break; + + case IPPROTO_COMP: +- if (pskb_may_pull(skb, xprth + 4 - skb->data)) { ++ if (xprth + 4 < skb->data || ++ pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ipcomp_hdr = (__be16 *)xprth; + + fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); +@@ -164,7 +168,8 @@ _decode_session4(struct sk_buff *skb, st + break; + + case IPPROTO_GRE: +- if (pskb_may_pull(skb, xprth + 12 - skb->data)) { ++ if (xprth + 12 < skb->data || ++ pskb_may_pull(skb, xprth + 12 - skb->data)) { + __be16 *greflags = (__be16 *)xprth; + __be32 *gre_hdr = (__be32 *)xprth; + diff --git a/queue-3.16/xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch b/queue-3.16/xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch new file mode 100644 index 00000000..2a20ddb0 --- /dev/null +++ b/queue-3.16/xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch @@ -0,0 +1,109 @@ +From: Steffen Klassert <steffen.klassert@secunet.com> +Date: Tue, 26 Feb 2019 07:04:50 +0100 +Subject: xfrm4: Fix uninitialized memory read in _decode_session4 + +commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 upstream. + +We currently don't reload pointers pointing into skb header +after doing pskb_may_pull() in _decode_session4(). So in case +pskb_may_pull() changed the pointers, we read from random +memory. Fix this by putting all the needed infos on the +stack, so that we don't need to access the header pointers +after doing pskb_may_pull(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv4/xfrm4_policy.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -103,7 +103,8 @@ static void + _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + { + const struct iphdr *iph = ip_hdr(skb); +- u8 *xprth = skb_network_header(skb) + iph->ihl * 4; ++ int ihl = iph->ihl; ++ u8 *xprth = skb_network_header(skb) + ihl * 4; + struct flowi4 *fl4 = &fl->u.ip4; + int oif = 0; + +@@ -114,6 +115,11 @@ _decode_session4(struct sk_buff *skb, st + fl4->flowi4_mark = skb->mark; + fl4->flowi4_oif = reverse ? skb->skb_iif : oif; + ++ fl4->flowi4_proto = iph->protocol; ++ fl4->daddr = reverse ? iph->saddr : iph->daddr; ++ fl4->saddr = reverse ? iph->daddr : iph->saddr; ++ fl4->flowi4_tos = iph->tos; ++ + if (!ip_is_fragment(iph)) { + switch (iph->protocol) { + case IPPROTO_UDP: +@@ -125,7 +131,7 @@ _decode_session4(struct sk_buff *skb, st + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ports; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ports = (__be16 *)xprth; + + fl4->fl4_sport = ports[!!reverse]; +@@ -138,7 +144,7 @@ _decode_session4(struct sk_buff *skb, st + pskb_may_pull(skb, xprth + 2 - skb->data)) { + u8 *icmp; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + icmp = xprth; + + fl4->fl4_icmp_type = icmp[0]; +@@ -151,7 +157,7 @@ _decode_session4(struct sk_buff *skb, st + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be32 *ehdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ehdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ehdr[0]; +@@ -163,7 +169,7 @@ _decode_session4(struct sk_buff *skb, st + pskb_may_pull(skb, xprth + 8 - skb->data)) { + __be32 *ah_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ah_hdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ah_hdr[1]; +@@ -175,7 +181,7 @@ _decode_session4(struct sk_buff *skb, st + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ipcomp_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ipcomp_hdr = (__be16 *)xprth; + + fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); +@@ -188,7 +194,7 @@ _decode_session4(struct sk_buff *skb, st + __be16 *greflags; + __be32 *gre_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + greflags = (__be16 *)xprth; + gre_hdr = (__be32 *)xprth; + +@@ -205,10 +211,6 @@ _decode_session4(struct sk_buff *skb, st + break; + } + } +- fl4->flowi4_proto = iph->protocol; +- fl4->daddr = reverse ? iph->saddr : iph->daddr; +- fl4->saddr = reverse ? iph->daddr : iph->saddr; +- fl4->flowi4_tos = iph->tos; + } + + static inline int xfrm4_garbage_collect(struct dst_ops *ops) diff --git a/queue-3.16/xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch b/queue-3.16/xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch new file mode 100644 index 00000000..e76ed28e --- /dev/null +++ b/queue-3.16/xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch @@ -0,0 +1,92 @@ +From: Steffen Klassert <steffen.klassert@secunet.com> +Date: Fri, 23 Oct 2015 07:32:39 +0200 +Subject: xfrm4: Reload skb header pointers after calling pskb_may_pull. + +commit ea673a4d3a337184f3c314dcc6300bf02f39e077 upstream. + +A call to pskb_may_pull may change the pointers into the packet, +so reload the pointers after the call. + +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv4/xfrm4_policy.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -123,7 +123,10 @@ _decode_session4(struct sk_buff *skb, st + case IPPROTO_DCCP: + if (xprth + 4 < skb->data || + pskb_may_pull(skb, xprth + 4 - skb->data)) { +- __be16 *ports = (__be16 *)xprth; ++ __be16 *ports; ++ ++ xprth = skb_network_header(skb) + iph->ihl * 4; ++ ports = (__be16 *)xprth; + + fl4->fl4_sport = ports[!!reverse]; + fl4->fl4_dport = ports[!reverse]; +@@ -133,7 +136,10 @@ _decode_session4(struct sk_buff *skb, st + case IPPROTO_ICMP: + if (xprth + 2 < skb->data || + pskb_may_pull(skb, xprth + 2 - skb->data)) { +- u8 *icmp = xprth; ++ u8 *icmp; ++ ++ xprth = skb_network_header(skb) + iph->ihl * 4; ++ icmp = xprth; + + fl4->fl4_icmp_type = icmp[0]; + fl4->fl4_icmp_code = icmp[1]; +@@ -143,7 +149,10 @@ _decode_session4(struct sk_buff *skb, st + case IPPROTO_ESP: + if (xprth + 4 < skb->data || + pskb_may_pull(skb, xprth + 4 - skb->data)) { +- __be32 *ehdr = (__be32 *)xprth; ++ __be32 *ehdr; ++ ++ xprth = skb_network_header(skb) + iph->ihl * 4; ++ ehdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ehdr[0]; + } +@@ -152,7 +161,10 @@ _decode_session4(struct sk_buff *skb, st + case IPPROTO_AH: + if (xprth + 8 < skb->data || + pskb_may_pull(skb, xprth + 8 - skb->data)) { +- __be32 *ah_hdr = (__be32 *)xprth; ++ __be32 *ah_hdr; ++ ++ xprth = skb_network_header(skb) + iph->ihl * 4; ++ ah_hdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ah_hdr[1]; + } +@@ -161,7 +173,10 @@ _decode_session4(struct sk_buff *skb, st + case IPPROTO_COMP: + if (xprth + 4 < skb->data || + pskb_may_pull(skb, xprth + 4 - skb->data)) { +- __be16 *ipcomp_hdr = (__be16 *)xprth; ++ __be16 *ipcomp_hdr; ++ ++ xprth = skb_network_header(skb) + iph->ihl * 4; ++ ipcomp_hdr = (__be16 *)xprth; + + fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); + } +@@ -170,8 +185,12 @@ _decode_session4(struct sk_buff *skb, st + case IPPROTO_GRE: + if (xprth + 12 < skb->data || + pskb_may_pull(skb, xprth + 12 - skb->data)) { +- __be16 *greflags = (__be16 *)xprth; +- __be32 *gre_hdr = (__be32 *)xprth; ++ __be16 *greflags; ++ __be32 *gre_hdr; ++ ++ xprth = skb_network_header(skb) + iph->ihl * 4; ++ greflags = (__be16 *)xprth; ++ gre_hdr = (__be32 *)xprth; + + if (greflags[0] & GRE_KEY) { + if (greflags[0] & GRE_CSUM) diff --git a/queue-3.16/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch b/queue-3.16/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch new file mode 100644 index 00000000..fa0e6d3c --- /dev/null +++ b/queue-3.16/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch @@ -0,0 +1,32 @@ +From: Su Yanjun <suyj.fnst@cn.fujitsu.com> +Date: Thu, 14 Mar 2019 14:59:42 +0800 +Subject: xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module + +commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 upstream. + +When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly +frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the +xfrm6_tunnel_spi, so need to wait it. + +Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion") +Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com> +Acked-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv6/xfrm6_tunnel.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -390,6 +390,10 @@ static void __exit xfrm6_tunnel_fini(voi + xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); + xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); + unregister_pernet_subsys(&xfrm6_tunnel_net_ops); ++ /* Someone maybe has gotten the xfrm6_tunnel_spi. ++ * So need to wait it. ++ */ ++ rcu_barrier(); + kmem_cache_destroy(xfrm6_tunnel_spi_kmem); + } + diff --git a/queue-3.16/xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch b/queue-3.16/xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch new file mode 100644 index 00000000..ec135c8e --- /dev/null +++ b/queue-3.16/xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch @@ -0,0 +1,86 @@ +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Fri, 22 Mar 2019 17:50:17 +0200 +Subject: xhci: Don't let USB3 ports stuck in polling state prevent suspend + +commit d92f2c59cc2cbca6bfb2cc54882b58ba76b15fd4 upstream. + +Commit 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect +change or polling state is detected") was intended to prevent ports that +were still link training from being forced to U3 suspend state mid +enumeration. +This solved enumeration issues for devices with slow link training. + +Turns out some devices are stuck in the link training/polling state, +and thus that patch will prevent suspend completely for these devices. +This is seen with USB3 card readers in some MacBooks. + +Instead of preventing suspend, give some time to complete the link +training. On successful training the port will end up as connected +and enabled. +If port instead is stuck in link training the bus suspend will continue +suspending after 360ms (10 * 36ms) timeout (tPollingLFPSTimeout). + +Original patch was sent to stable, this one should go there as well + +Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected") +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/host/xhci-hub.c | 19 ++++++++++++------- + drivers/usb/host/xhci.h | 8 ++++++++ + 2 files changed, 20 insertions(+), 7 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1199,20 +1199,25 @@ int xhci_bus_suspend(struct usb_hcd *hcd + port_index = max_ports; + while (port_index--) { + u32 t1, t2; +- ++ int retries = 10; ++retry: + t1 = readl(port_array[port_index]); + t2 = xhci_port_state_to_neutral(t1); + portsc_buf[port_index] = 0; + +- /* Bail out if a USB3 port has a new device in link training */ +- if ((hcd->speed >= HCD_USB3) && ++ /* ++ * Give a USB3 port in link training time to finish, but don't ++ * prevent suspend as port might be stuck ++ */ ++ if ((hcd->speed >= HCD_USB3) && retries-- && + (t1 & PORT_PLS_MASK) == XDEV_POLLING) { +- bus_state->bus_suspended = 0; + spin_unlock_irqrestore(&xhci->lock, flags); +- xhci_dbg(xhci, "Bus suspend bailout, port in polling\n"); +- return -EBUSY; ++ msleep(XHCI_PORT_POLLING_LFPS_TIME); ++ spin_lock_irqsave(&xhci->lock, flags); ++ xhci_dbg(xhci, "port %d polling in bus suspend, waiting\n", ++ port_index); ++ goto retry; + } +- + /* suspend ports in U0, or bail out for new connect changes */ + if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) { + if ((t1 & PORT_CSC) && wake_enabled) { +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -413,6 +413,14 @@ struct xhci_op_regs { + */ + #define XHCI_DEFAULT_BESL 4 + ++/* ++ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports ++ * to complete link training. usually link trainig completes much faster ++ * so check status 10 times with 36ms sleep in places we need to wait for ++ * polling to complete. ++ */ ++#define XHCI_PORT_POLLING_LFPS_TIME 36 ++ + /** + * struct xhci_intr_reg - Interrupt Register Set + * @irq_pending: IMAN - Interrupt Management Register. Used to enable diff --git a/queue-3.16/xsysace-fix-error-handling-in-ace_setup.patch b/queue-3.16/xsysace-fix-error-handling-in-ace_setup.patch new file mode 100644 index 00000000..208a5893 --- /dev/null +++ b/queue-3.16/xsysace-fix-error-handling-in-ace_setup.patch @@ -0,0 +1,79 @@ +From: Guenter Roeck <linux@roeck-us.net> +Date: Tue, 19 Feb 2019 08:49:56 -0800 +Subject: xsysace: Fix error handling in ace_setup + +commit 47b16820c490149c2923e8474048f2c6e7557cab upstream. + +If xace hardware reports a bad version number, the error handling code +in ace_setup() calls put_disk(), followed by queue cleanup. However, since +the disk data structure has the queue pointer set, put_disk() also +cleans and releases the queue. This results in blk_cleanup_queue() +accessing an already released data structure, which in turn may result +in a crash such as the following. + +[ 10.681671] BUG: Kernel NULL pointer dereference at 0x00000040 +[ 10.681826] Faulting instruction address: 0xc0431480 +[ 10.682072] Oops: Kernel access of bad area, sig: 11 [#1] +[ 10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440 +[ 10.682387] Modules linked in: +[ 10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G W 5.0.0-rc6-next-20190218+ #2 +[ 10.682733] NIP: c0431480 LR: c043147c CTR: c0422ad8 +[ 10.682863] REGS: cf82fbe0 TRAP: 0300 Tainted: G W (5.0.0-rc6-next-20190218+) +[ 10.683065] MSR: 00029000 <CE,EE,ME> CR: 22000222 XER: 00000000 +[ 10.683236] DEAR: 00000040 ESR: 00000000 +[ 10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000 +[ 10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000 +[ 10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000 +[ 10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800 +[ 10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114 +[ 10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114 +[ 10.684602] Call Trace: +[ 10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable) +[ 10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c +[ 10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68 +[ 10.685154] [cf82fcf0] [c0423ec0] blk_cleanup_queue+0x34/0x14c +[ 10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508 +[ 10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8 +[ 10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c +[ 10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464 +[ 10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4 +[ 10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc +[ 10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0 +[ 10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234 +[ 10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c +[ 10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac +[ 10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330 +[ 10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478 +[ 10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114 +[ 10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c +[ 10.687349] Instruction dump: +[ 10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008 +[ 10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008 +[ 10.688056] ---[ end trace 13c9ff51d41b9d40 ]--- + +Fix the problem by setting the disk queue pointer to NULL before calling +put_disk(). A more comprehensive fix might be to rearrange the code +to check the hardware version before initializing data structures, +but I don't know if this would have undesirable side effects, and +it would increase the complexity of backporting the fix to older kernels. + +Fixes: 74489a91dd43a ("Add support for Xilinx SystemACE CompactFlash interface") +Acked-by: Michal Simek <michal.simek@xilinx.com> +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/block/xsysace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/block/xsysace.c ++++ b/drivers/block/xsysace.c +@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device * + return 0; + + err_read: ++ /* prevent double queue cleanup */ ++ ace->gd->queue = NULL; + put_disk(ace->gd); + err_alloc_disk: + blk_cleanup_queue(ace->queue); diff --git a/queue-3.16/xtensa-fix-return_address.patch b/queue-3.16/xtensa-fix-return_address.patch new file mode 100644 index 00000000..2ed7678f --- /dev/null +++ b/queue-3.16/xtensa-fix-return_address.patch @@ -0,0 +1,37 @@ +From: Max Filippov <jcmvbkbc@gmail.com> +Date: Thu, 4 Apr 2019 11:08:40 -0700 +Subject: xtensa: fix return_address + +commit ada770b1e74a77fff2d5f539bf6c42c25f4784db upstream. + +return_address returns the address that is one level higher in the call +stack than requested in its argument, because level 0 corresponds to its +caller's return address. Use requested level as the number of stack +frames to skip. + +This fixes the address reported by might_sleep and friends. + +Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/xtensa/kernel/stacktrace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/xtensa/kernel/stacktrace.c ++++ b/arch/xtensa/kernel/stacktrace.c +@@ -107,10 +107,14 @@ static int return_address_cb(struct stac + return 1; + } + ++/* ++ * level == 0 is for the return address from the caller of this function, ++ * not from this function itself. ++ */ + unsigned long return_address(unsigned level) + { + struct return_addr_data r = { +- .skip = level + 1, ++ .skip = level, + }; + walk_stackframe(stack_pointer(NULL), return_address_cb, &r); + return r.addr; diff --git a/upstream-head b/upstream-head index bf781051..e5ac138f 100644 --- a/upstream-head +++ b/upstream-head @@ -1 +1 @@ -9e98c678c2d6ae3a17cb2de55d17f69dddaa231b +e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd |