authorBen Hutchings <ben@decadent.org.uk>2020-05-19 21:49:38 +0100
committerBen Hutchings <ben@decadent.org.uk>2020-05-19 22:01:32 +0100
commit55dfd5d67c45d13ed4ac65006e96a5e06fd4c040 (patch)
treea232fedfa243a7fd6e0881d33717c20f19d58352
parent4e8a0b042e2f9b31ac23c0548a8b4f9aef4ec05d (diff)
downloadlinux-stable-queue-55dfd5d67c45d13ed4ac65006e96a5e06fd4c040.tar.gz
Add commits cc'd to stable, up to 5.6-rc1
...plus their obvious dependencies, and a follow-up fix.
-rw-r--r--queue-3.16/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch28
-rw-r--r--queue-3.16/alsa-sh-fix-compile-warning-wrt-const.patch33
-rw-r--r--queue-3.16/arm-dts-at91-sama5d3-define-clock-rate-range-for-tcb1.patch31
-rw-r--r--queue-3.16/arm-dts-at91-sama5d3-fix-maximum-peripheral-clock-rates.patch158
-rw-r--r--queue-3.16/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch65
-rw-r--r--queue-3.16/ath9k-fix-storage-endpoint-lookup.patch32
-rw-r--r--queue-3.16/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch158
-rw-r--r--queue-3.16/brcmfmac-abort-and-release-host-after-error.patch51
-rw-r--r--queue-3.16/brcmfmac-fix-interface-sanity-check.patch32
-rw-r--r--queue-3.16/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch28
-rw-r--r--queue-3.16/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch34
-rw-r--r--queue-3.16/btrfs-fix-race-between-adding-and-putting-tree-mod-seq-elements-and.patch236
-rw-r--r--queue-3.16/cifs-fail-i-o-on-soft-mounts-if-sessionsetup-errors-out.patch46
-rw-r--r--queue-3.16/cifs-fix-task-struct-use-after-free-on-reconnect.patch167
-rw-r--r--queue-3.16/clk-tegra-mark-fuse-clock-as-critical.patch39
-rw-r--r--queue-3.16/clocksource-prevent-double-add_timer_on-for-watchdog_timer.patch91
-rw-r--r--queue-3.16/cls_rsvp-fix-rsvp_policy.patch98
-rw-r--r--queue-3.16/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch38
-rw-r--r--queue-3.16/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch34
-rw-r--r--queue-3.16/crypto-api-fix-race-condition-in-crypto_spawn_alg.patch78
-rw-r--r--queue-3.16/crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch29
-rw-r--r--queue-3.16/crypto-pcrypt-fix-user-after-free-on-module-unload.patch35
-rw-r--r--queue-3.16/crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix.patch59
-rw-r--r--queue-3.16/dm-space-map-common-fix-to-ensure-new-block-isn-t-already-in-use.patch117
-rw-r--r--queue-3.16/efi-use-early_mem-instead-of-early_io.patch163
-rw-r--r--queue-3.16/efi-x86-map-the-entire-efi-vendor-string-before-copying-it.patch63
-rw-r--r--queue-3.16/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch66
-rw-r--r--queue-3.16/gianfar-fix-tx-timestamping-with-a-stacked-dsa-driver.patch82
-rw-r--r--queue-3.16/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-cause-an.patch35
-rw-r--r--queue-3.16/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-update-log-tail.patch48
-rw-r--r--queue-3.16/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to-submit-the.patch43
-rw-r--r--queue-3.16/kconfig-fix-broken-dependency-in-randconfig-generated-.config.patch38
-rw-r--r--queue-3.16/kvm-arm64-only-sign-extend-mmio-up-to-register-width.patch125
-rw-r--r--queue-3.16/kvm-check-for-a-bad-hva-before-dropping-into-the-ghc-slow-path.patch74
-rw-r--r--queue-3.16/kvm-nvmx-vmread-should-not-set-rflags-to-specify-success-in-case-of.patch35
-rw-r--r--queue-3.16/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch39
-rw-r--r--queue-3.16/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch36
-rw-r--r--queue-3.16/kvm-x86-don-t-let-userspace-set-host-reserved-cr4-bits.patch112
-rw-r--r--queue-3.16/kvm-x86-free-wbinvd_dirty_mask-if-vcpu-creation-fails.patch32
-rw-r--r--queue-3.16/kvm-x86-mmu-apply-max-pa-check-for-mmio-sptes-to-32-bit-kvm.patch38
-rw-r--r--queue-3.16/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf.patch53
-rw-r--r--queue-3.16/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch54
-rw-r--r--queue-3.16/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf.patch37
-rw-r--r--queue-3.16/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch57
-rw-r--r--queue-3.16/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf.patch56
-rw-r--r--queue-3.16/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch52
-rw-r--r--queue-3.16/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch35
-rw-r--r--queue-3.16/kvm-x86-use-macros-to-compute-bank-msrs.patch57
-rw-r--r--queue-3.16/media-iguanair-add-sanity-checks.patch53
-rw-r--r--queue-3.16/media-iguanair-fix-endpoint-sanity-check.patch35
-rw-r--r--queue-3.16/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb.patch110
-rw-r--r--queue-3.16/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch60
-rw-r--r--queue-3.16/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch54
-rw-r--r--queue-3.16/mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch59
-rw-r--r--queue-3.16/net_sched-ematch-reject-invalid-tcf_em_simple.patch77
-rw-r--r--queue-3.16/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch108
-rw-r--r--queue-3.16/nfs-fix-memory-leaks-and-corruption-in-readdir.patch76
-rw-r--r--queue-3.16/nfs-nfs_swap-should-depend-on-swap.patch34
-rw-r--r--queue-3.16/nfs-use-kmap-kunmap-directly.patch165
-rw-r--r--queue-3.16/of-add-of_dma_default_coherent-select-it-on-powerpc.patch76
-rw-r--r--queue-3.16/orinoco_usb-fix-interface-sanity-check.patch35
-rw-r--r--queue-3.16/padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch63
-rw-r--r--queue-3.16/padata-remove-broken-queue-flushing.patch132
-rw-r--r--queue-3.16/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch107
-rw-r--r--queue-3.16/power-supply-sbs-battery-fix-a-signedness-bug-in.patch30
-rw-r--r--queue-3.16/pxa168fb-fix-the-function-used-to-release-some-memory-in-an-error.patch50
-rw-r--r--queue-3.16/reiserfs-fix-memory-leak-of-journal-device-string.patch36
-rw-r--r--queue-3.16/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-error-handling.patch28
-rw-r--r--queue-3.16/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch48
-rw-r--r--queue-3.16/rsi_91x_usb-fix-interface-sanity-check.patch32
-rw-r--r--queue-3.16/rtc-hym8563-return-einval-if-the-time-is-known-to-be-invalid.patch31
-rw-r--r--queue-3.16/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch32
-rw-r--r--queue-3.16/series88
-rw-r--r--queue-3.16/sparc32-fix-struct-ipc64_perm-type-definition.patch65
-rw-r--r--queue-3.16/staging-wlan-ng-ensure-error-return-is-actually-returned.patch32
-rw-r--r--queue-3.16/sunrpc-expiry_time-should-be-seconds-not-timeval.patch50
-rw-r--r--queue-3.16/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch29
-rw-r--r--queue-3.16/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch52
-rw-r--r--queue-3.16/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch79
-rw-r--r--queue-3.16/ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch56
-rw-r--r--queue-3.16/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch32
-rw-r--r--queue-3.16/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch88
-rw-r--r--queue-3.16/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch94
-rw-r--r--queue-3.16/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch35
-rw-r--r--queue-3.16/usb-serial-ir-usb-fix-irlap-framing.patch168
-rw-r--r--queue-3.16/usb-serial-ir-usb-fix-link-speed-handling.patch97
-rw-r--r--queue-3.16/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear.patch58
-rw-r--r--queue-3.16/x86-kvm-avoid-unused-variable-warning.patch41
-rw-r--r--queue-3.16/zd1211rw-fix-storage-endpoint-lookup.patch33
-rw-r--r--upstream-head2
90 files changed, 5776 insertions, 1 deletions
diff --git a/queue-3.16/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch b/queue-3.16/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
new file mode 100644
index 00000000..74e3b590
--- /dev/null
+++ b/queue-3.16/alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
@@ -0,0 +1,28 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 1 Feb 2020 09:05:30 +0100
+Subject: ALSA: dummy: Fix PCM format loop in proc output
+
+commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream.
+
+The loop termination for iterating over all formats should contain
+SNDRV_PCM_FORMAT_LAST, not less than it.
+
+Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file")
+Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/drivers/dummy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/drivers/dummy.c
++++ b/sound/drivers/dummy.c
+@@ -927,7 +927,7 @@ static void print_formats(struct snd_dum
+ {
+ int i;
+
+- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) {
++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
+ if (dummy->pcm_hw.formats & (1ULL << i))
+ snd_iprintf(buffer, " %s", snd_pcm_format_name(i));
+ }
diff --git a/queue-3.16/alsa-sh-fix-compile-warning-wrt-const.patch b/queue-3.16/alsa-sh-fix-compile-warning-wrt-const.patch
new file mode 100644
index 00000000..ed7e804c
--- /dev/null
+++ b/queue-3.16/alsa-sh-fix-compile-warning-wrt-const.patch
@@ -0,0 +1,33 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 5 Jan 2020 15:48:23 +0100
+Subject: ALSA: sh: Fix compile warning wrt const
+
+commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d upstream.
+
+A long-standing compile warning was seen during build test:
+ sound/sh/aica.c: In function 'load_aica_firmware':
+ sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
+
+Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
+Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/sh/aica.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/sh/aica.c
++++ b/sound/sh/aica.c
+@@ -120,10 +120,10 @@ static void spu_memset(u32 toi, u32 what
+ }
+
+ /* spu_memload - write to SPU address space */
+-static void spu_memload(u32 toi, void *from, int length)
++static void spu_memload(u32 toi, const void *from, int length)
+ {
+ unsigned long flags;
+- u32 *froml = from;
++ const u32 *froml = from;
+ u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi);
+ int i;
+ u32 val;
diff --git a/queue-3.16/arm-dts-at91-sama5d3-define-clock-rate-range-for-tcb1.patch b/queue-3.16/arm-dts-at91-sama5d3-define-clock-rate-range-for-tcb1.patch
new file mode 100644
index 00000000..907559b6
--- /dev/null
+++ b/queue-3.16/arm-dts-at91-sama5d3-define-clock-rate-range-for-tcb1.patch
@@ -0,0 +1,31 @@
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Fri, 10 Jan 2020 18:20:07 +0100
+Subject: ARM: dts: at91: sama5d3: define clock rate range for tcb1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit a7e0f3fc01df4b1b7077df777c37feae8c9e8b6d upstream.
+
+The clock rate range for the TCB1 clock is missing. define it in the device
+tree.
+
+Reported-by: Karl Rudbæk Olsen <karl@micro-technic.com>
+Fixes: d2e8190b7916 ("ARM: at91/dt: define sama5d3 clocks")
+Link: https://lore.kernel.org/r/20200110172007.1253659-2-alexandre.belloni@bootlin.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/boot/dts/sama5d3_tcb1.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/sama5d3_tcb1.dtsi
++++ b/arch/arm/boot/dts/sama5d3_tcb1.dtsi
+@@ -23,6 +23,7 @@
+ tcb1_clk: tcb1_clk {
+ #clock-cells = <0>;
+ reg = <27>;
++ atmel,clk-output-range = <0 166000000>;
+ };
+ };
+ };
diff --git a/queue-3.16/arm-dts-at91-sama5d3-fix-maximum-peripheral-clock-rates.patch b/queue-3.16/arm-dts-at91-sama5d3-fix-maximum-peripheral-clock-rates.patch
new file mode 100644
index 00000000..15d8fd5c
--- /dev/null
+++ b/queue-3.16/arm-dts-at91-sama5d3-fix-maximum-peripheral-clock-rates.patch
@@ -0,0 +1,158 @@
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Fri, 10 Jan 2020 18:20:06 +0100
+Subject: ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit ee0aa926ddb0bd8ba59e33e3803b3b5804e3f5da upstream.
+
+Currently the maximum rate for peripheral clock is calculated based on a
+typical 133MHz MCK. The maximum frequency is defined in the datasheet as a
+ratio to MCK. Some sama5d3 platforms are using a 166MHz MCK. Update the
+device trees to match the maximum rate based on 166MHz.
+
+Reported-by: Karl Rudbæk Olsen <karl@micro-technic.com>
+Fixes: d2e8190b7916 ("ARM: at91/dt: define sama5d3 clocks")
+Link: https://lore.kernel.org/r/20200110172007.1253659-1-alexandre.belloni@bootlin.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+[bwh: Backported to 3.16: uart0_clk is only defined in sama5d3_uart.dtsi]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/arm/boot/dts/sama5d3.dtsi
++++ b/arch/arm/boot/dts/sama5d3.dtsi
+@@ -1031,43 +1031,43 @@
+ usart0_clk: usart0_clk {
+ #clock-cells = <0>;
+ reg = <12>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ usart1_clk: usart1_clk {
+ #clock-cells = <0>;
+ reg = <13>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ usart2_clk: usart2_clk {
+ #clock-cells = <0>;
+ reg = <14>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ usart3_clk: usart3_clk {
+ #clock-cells = <0>;
+ reg = <15>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ twi0_clk: twi0_clk {
+ reg = <18>;
+ #clock-cells = <0>;
+- atmel,clk-output-range = <0 16625000>;
++ atmel,clk-output-range = <0 41500000>;
+ };
+
+ twi1_clk: twi1_clk {
+ #clock-cells = <0>;
+ reg = <19>;
+- atmel,clk-output-range = <0 16625000>;
++ atmel,clk-output-range = <0 41500000>;
+ };
+
+ twi2_clk: twi2_clk {
+ #clock-cells = <0>;
+ reg = <20>;
+- atmel,clk-output-range = <0 16625000>;
++ atmel,clk-output-range = <0 41500000>;
+ };
+
+ mci0_clk: mci0_clk {
+@@ -1083,19 +1083,19 @@
+ spi0_clk: spi0_clk {
+ #clock-cells = <0>;
+ reg = <24>;
+- atmel,clk-output-range = <0 133000000>;
++ atmel,clk-output-range = <0 166000000>;
+ };
+
+ spi1_clk: spi1_clk {
+ #clock-cells = <0>;
+ reg = <25>;
+- atmel,clk-output-range = <0 133000000>;
++ atmel,clk-output-range = <0 166000000>;
+ };
+
+ tcb0_clk: tcb0_clk {
+ #clock-cells = <0>;
+ reg = <26>;
+- atmel,clk-output-range = <0 133000000>;
++ atmel,clk-output-range = <0 166000000>;
+ };
+
+ pwm_clk: pwm_clk {
+@@ -1106,7 +1106,7 @@
+ adc_clk: adc_clk {
+ #clock-cells = <0>;
+ reg = <29>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ dma0_clk: dma0_clk {
+@@ -1137,13 +1137,13 @@
+ ssc0_clk: ssc0_clk {
+ #clock-cells = <0>;
+ reg = <38>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ ssc1_clk: ssc1_clk {
+ #clock-cells = <0>;
+ reg = <39>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ sha_clk: sha_clk {
+--- a/arch/arm/boot/dts/sama5d3_can.dtsi
++++ b/arch/arm/boot/dts/sama5d3_can.dtsi
+@@ -37,13 +37,13 @@
+ can0_clk: can0_clk {
+ #clock-cells = <0>;
+ reg = <40>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ can1_clk: can1_clk {
+ #clock-cells = <0>;
+ reg = <41>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+ };
+ };
+--- a/arch/arm/boot/dts/sama5d3_uart.dtsi
++++ b/arch/arm/boot/dts/sama5d3_uart.dtsi
+@@ -42,13 +42,13 @@
+ uart0_clk: uart0_clk {
+ #clock-cells = <0>;
+ reg = <16>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+
+ uart1_clk: uart1_clk {
+ #clock-cells = <0>;
+ reg = <17>;
+- atmel,clk-output-range = <0 66000000>;
++ atmel,clk-output-range = <0 83000000>;
+ };
+ };
+ };
diff --git a/queue-3.16/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch b/queue-3.16/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch
new file mode 100644
index 00000000..b03329f0
--- /dev/null
+++ b/queue-3.16/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch
@@ -0,0 +1,65 @@
+From: Stephen Warren <swarren@nvidia.com>
+Date: Thu, 3 Oct 2019 14:50:31 -0600
+Subject: ARM: tegra: Enable PLLP bypass during Tegra124 LP1
+
+commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream.
+
+For a little over a year, U-Boot has configured the flow controller to
+perform automatic RAM re-repair on off->on power transitions of the CPU
+rail[1]. This is mandatory for correct operation of Tegra124. However,
+RAM re-repair relies on certain clocks, which the kernel must enable and
+leave running. PLLP is one of those clocks. This clock is shut down
+during LP1 in order to save power. Enable bypass (which I believe routes
+osc_div_clk, essentially the crystal clock, to the PLL output) so that
+this clock signal toggles even though the PLL is not active. This is
+required so that LP1 power mode (system suspend) operates correctly.
+
+The bypass configuration must then be undone when resuming from LP1, so
+that all peripheral clocks run at the expected rate. Without this, many
+peripherals won't work correctly; for example, the UART baud rate would
+be incorrect.
+
+NVIDIA's downstream kernel code only does this if not compiled for
+Tegra30, so the added code is made conditional upon the chip ID.
+NVIDIA's downstream code makes this change conditional upon the active
+CPU cluster. The upstream kernel currently doesn't support cluster
+switching, so this patch doesn't test the active CPU cluster ID.
+
+[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
+
+Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
+Signed-off-by: Stephen Warren <swarren@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-tegra/sleep-tegra30.S | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/arm/mach-tegra/sleep-tegra30.S
++++ b/arch/arm/mach-tegra/sleep-tegra30.S
+@@ -378,6 +378,14 @@ _pll_m_c_x_done:
+ pll_locked r1, r0, CLK_RESET_PLLC_BASE
+ pll_locked r1, r0, CLK_RESET_PLLX_BASE
+
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
++ beq 1f
++ ldr r1, [r0, #CLK_RESET_PLLP_BASE]
++ bic r1, r1, #(1<<31) @ disable PllP bypass
++ str r1, [r0, #CLK_RESET_PLLP_BASE]
++1:
++
+ mov32 r7, TEGRA_TMRUS_BASE
+ ldr r1, [r7]
+ add r1, r1, #LOCK_DELAY
+@@ -637,7 +645,10 @@ tegra30_switch_cpu_to_clk32k:
+ str r0, [r4, #PMC_PLLP_WB0_OVERRIDE]
+
+ /* disable PLLP, PLLA, PLLC and PLLX */
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
+ ldr r0, [r5, #CLK_RESET_PLLP_BASE]
++ orrne r0, r0, #(1 << 31) @ enable PllP bypass on fast cluster
+ bic r0, r0, #(1 << 30)
+ str r0, [r5, #CLK_RESET_PLLP_BASE]
+ ldr r0, [r5, #CLK_RESET_PLLA_BASE]
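Review bot: The comment on the added `orrne r0, r0, #(1 << 31)` line says "enable PllP bypass on fast cluster", but the code only tests the SoC id against `TEGRA30`, and the commit message states that the active CPU cluster is deliberately not checked. The comment should describe what the instruction does, for example `@ enable PllP bypass (all SoCs except Tegra30)`. Bits 31 and 30 of `CLK_RESET_PLLP_BASE` are written as bare shifts in both hunks, with `(1<<31)` in one and `(1 << 31)` in the other; a named constant for the bypass bit would make the suspend and resume sides easier to match. Both routines continue outside the visible hunks, so whether `r1` is free at the two `tegra_get_soc_id` call sites cannot be confirmed from here.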
diff --git a/queue-3.16/ath9k-fix-storage-endpoint-lookup.patch b/queue-3.16/ath9k-fix-storage-endpoint-lookup.patch
new file mode 100644
index 00000000..45c21de6
--- /dev/null
+++ b/queue-3.16/ath9k-fix-storage-endpoint-lookup.patch
@@ -0,0 +1,32 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:20 +0100
+Subject: ath9k: fix storage endpoint lookup
+
+commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream.
+
+Make sure to use the current alternate setting when verifying the
+storage interface descriptors to avoid submitting an URB to an invalid
+endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1141,7 +1141,7 @@ err_fw:
+ static int send_eject_command(struct usb_interface *interface)
+ {
+ struct usb_device *udev = interface_to_usbdev(interface);
+- struct usb_host_interface *iface_desc = &interface->altsetting[0];
++ struct usb_host_interface *iface_desc = interface->cur_altsetting;
+ struct usb_endpoint_descriptor *endpoint;
+ unsigned char *cmd;
+ u8 bulk_out_ep;
diff --git a/queue-3.16/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch b/queue-3.16/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch
new file mode 100644
index 00000000..19840771
--- /dev/null
+++ b/queue-3.16/bonding-alb-properly-access-headers-in-bond_alb_xmit.patch
@@ -0,0 +1,158 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 4 Feb 2020 19:26:05 -0800
+Subject: bonding/alb: properly access headers in bond_alb_xmit()
+
+commit 38f88c45404293bbc027b956def6c10cbd45c616 upstream.
+
+syzbot managed to send an IPX packet through bond_alb_xmit()
+and af_packet and triggered a use-after-free.
+
+First, bond_alb_xmit() was using ipx_hdr() helper to reach
+the IPX header, but ipx_hdr() was using the transport offset
+instead of the network offset. In the particular syzbot
+report transport offset was 0xFFFF
+
+This patch removes ipx_hdr() since it was only (mis)used from bonding.
+
+Then we need to make sure IPv4/IPv6/IPX headers are pulled
+in skb->head before dereferencing anything.
+
+BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
+Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
+ (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
+
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
+ [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
+ [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
+ [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
+ [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
+ [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
+ [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
+ [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
+ [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
+ [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
+ [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
+ [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
+ [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
+ [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
+ [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
+ [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
+ [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
+ [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
+ [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
+ [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
+ [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
+ [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
+ [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16:
+ - Don't delete ipx_hdr() as it's still used by net/ipx here
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1450,26 +1450,31 @@ int bond_alb_xmit(struct sk_buff *skb, s
+ bool do_tx_balance = true;
+ u32 hash_index = 0;
+ const u8 *hash_start = NULL;
+- struct ipv6hdr *ip6hdr;
+
+ skb_reset_mac_header(skb);
+ eth_data = eth_hdr(skb);
+
+ switch (ntohs(skb->protocol)) {
+ case ETH_P_IP: {
+- const struct iphdr *iph = ip_hdr(skb);
++ const struct iphdr *iph;
+
+ if (ether_addr_equal_64bits(eth_data->h_dest, mac_bcast) ||
+- (iph->daddr == ip_bcast) ||
+- (iph->protocol == IPPROTO_IGMP)) {
++ !pskb_network_may_pull(skb, sizeof(*iph))) {
++ do_tx_balance = false;
++ break;
++ }
++ iph = ip_hdr(skb);
++ if (iph->daddr == ip_bcast || iph->protocol == IPPROTO_IGMP) {
+ do_tx_balance = false;
+ break;
+ }
+ hash_start = (char *)&(iph->daddr);
+ hash_size = sizeof(iph->daddr);
+- }
+ break;
+- case ETH_P_IPV6:
++ }
++ case ETH_P_IPV6: {
++ const struct ipv6hdr *ip6hdr;
++
+ /* IPv6 doesn't really use broadcast mac address, but leave
+ * that here just in case.
+ */
+@@ -1486,7 +1491,11 @@ int bond_alb_xmit(struct sk_buff *skb, s
+ break;
+ }
+
+- /* Additianally, DAD probes should not be tx-balanced as that
++ if (!pskb_network_may_pull(skb, sizeof(*ip6hdr))) {
++ do_tx_balance = false;
++ break;
++ }
++ /* Additionally, DAD probes should not be tx-balanced as that
+ * will lead to false positives for duplicate addresses and
+ * prevent address configuration from working.
+ */
+@@ -1496,17 +1505,26 @@ int bond_alb_xmit(struct sk_buff *skb, s
+ break;
+ }
+
+- hash_start = (char *)&(ipv6_hdr(skb)->daddr);
+- hash_size = sizeof(ipv6_hdr(skb)->daddr);
++ hash_start = (char *)&ip6hdr->daddr;
++ hash_size = sizeof(ip6hdr->daddr);
+ break;
+- case ETH_P_IPX:
+- if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) {
++ }
++ case ETH_P_IPX: {
++ const struct ipxhdr *ipxhdr;
++
++ if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) {
++ do_tx_balance = false;
++ break;
++ }
++ ipxhdr = (struct ipxhdr *)skb_network_header(skb);
++
++ if (ipxhdr->ipx_checksum != IPX_NO_CHECKSUM) {
+ /* something is wrong with this packet */
+ do_tx_balance = false;
+ break;
+ }
+
+- if (ipx_hdr(skb)->ipx_type != IPX_TYPE_NCP) {
++ if (ipxhdr->ipx_type != IPX_TYPE_NCP) {
+ /* The only protocol worth balancing in
+ * this family since it has an "ARP" like
+ * mechanism
+@@ -1515,9 +1533,11 @@ int bond_alb_xmit(struct sk_buff *skb, s
+ break;
+ }
+
++ eth_data = eth_hdr(skb);
+ hash_start = (char *)eth_data->h_dest;
+ hash_size = ETH_ALEN;
+ break;
++ }
+ case ETH_P_ARP:
+ do_tx_balance = false;
+ if (bond_info->rlb_enabled)
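Review bot: In the `ETH_P_IPX` case the new guard reads `if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) {`, without the negation used by the IPv4 and IPv6 cases in the same patch. As written, a packet whose IPX header was pulled successfully has balancing disabled, while a packet for which the pull failed falls through to `ipxhdr->ipx_checksum`, read from a header that is not guaranteed to be in `skb->head`. That is the same kind of unchecked header read this patch sets out to remove. The line should be `if (!pskb_network_may_pull(skb, sizeof(*ipxhdr))) {`. The condition may have been carried over unchanged from the upstream commit, so check whether upstream has a follow-up fix that needs queuing too; `bond_alb_xmit()` continues outside the hunks shown.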
diff --git a/queue-3.16/brcmfmac-abort-and-release-host-after-error.patch b/queue-3.16/brcmfmac-abort-and-release-host-after-error.patch
new file mode 100644
index 00000000..652665cf
--- /dev/null
+++ b/queue-3.16/brcmfmac-abort-and-release-host-after-error.patch
@@ -0,0 +1,51 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 28 Jan 2020 14:14:57 -0800
+Subject: brcmfmac: abort and release host after error
+
+commit 863844ee3bd38219c88e82966d1df36a77716f3e upstream.
+
+With commit 216b44000ada ("brcmfmac: Fix use after free in
+brcmf_sdio_readframes()") applied, we see locking timeouts in
+brcmf_sdio_watchdog_thread().
+
+brcmfmac: brcmf_escan_timeout: timer expired
+INFO: task brcmf_wdog/mmc1:621 blocked for more than 120 seconds.
+Not tainted 4.19.94-07984-g24ff99a0f713 #1
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+brcmf_wdog/mmc1 D 0 621 2 0x00000000 last_sleep: 2440793077. last_runnable: 2440766827
+[<c0aa1e60>] (__schedule) from [<c0aa2100>] (schedule+0x98/0xc4)
+[<c0aa2100>] (schedule) from [<c0853830>] (__mmc_claim_host+0x154/0x274)
+[<c0853830>] (__mmc_claim_host) from [<bf10c5b8>] (brcmf_sdio_watchdog_thread+0x1b0/0x1f8 [brcmfmac])
+[<bf10c5b8>] (brcmf_sdio_watchdog_thread [brcmfmac]) from [<c02570b8>] (kthread+0x178/0x180)
+
+In addition to restarting or exiting the loop, it is also necessary to
+abort the command and to release the host.
+
+Fixes: 216b44000ada ("brcmfmac: Fix use after free in brcmf_sdio_readframes()")
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Cc: Brian Norris <briannorris@chromium.org>
+Cc: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: franky.lin@broadcom.com
+Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index f9047db6a11d..3a08252f1a53 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1938,6 +1938,8 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes)
+ if (brcmf_sdio_hdparse(bus, bus->rxhdr, &rd_new,
+ BRCMF_SDIO_FT_NORMAL)) {
+ rd->len = 0;
++ brcmf_sdio_rxfail(bus, true, true);
++ sdio_release_host(bus->sdiodev->func1);
+ brcmu_pkt_buf_free_skb(pkt);
+ continue;
+ }
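Review bot: This patch targets `drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c`, but the other brcmfmac patches in this queue use `drivers/net/wireless/brcm80211/brcmfmac/` and the use-after-free fix is marked "adjust filename". It also still carries the upstream `diff --git`/`index` lines and has no `[bwh: Backported to 3.16: ...]` note, so it looks as if it was queued without being adapted and may not apply to the 3.16 tree. The added call `sdio_release_host(bus->sdiodev->func1);` should be checked against the 3.16 structure layout when the path is fixed, since the field name is not confirmed by anything visible here. The commit message describes this as the follow-up to the use-after-free fix queued alongside it, so if that fix lands without this one the hung `brcmf_wdog` task it describes would be expected on the error path. `brcmf_sdio_readframes()` continues outside the hunk.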
diff --git a/queue-3.16/brcmfmac-fix-interface-sanity-check.patch b/queue-3.16/brcmfmac-fix-interface-sanity-check.patch
new file mode 100644
index 00000000..d9c34e79
--- /dev/null
+++ b/queue-3.16/brcmfmac-fix-interface-sanity-check.patch
@@ -0,0 +1,32 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:22 +0100
+Subject: brcmfmac: fix interface sanity check
+
+commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Cc: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16:
+ - Altsetting lookup is done by the IFALTS() macro
+ - Adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+@@ -41,7 +41,7 @@
+
+ #define CONFIGDESC(usb) (&((usb)->actconfig)->desc)
+ #define IFPTR(usb, idx) ((usb)->actconfig->interface[(idx)])
+-#define IFALTS(usb, idx) (IFPTR((usb), (idx))->altsetting[0])
++#define IFALTS(usb, idx) (*IFPTR((usb), (idx))->cur_altsetting)
+ #define IFDESC(usb, idx) IFALTS((usb), (idx)).desc
+ #define IFEPDESC(usb, idx, ep) (IFALTS((usb), (idx)).endpoint[(ep)]).desc
+
diff --git a/queue-3.16/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch b/queue-3.16/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch
new file mode 100644
index 00000000..75771053
--- /dev/null
+++ b/queue-3.16/brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch
@@ -0,0 +1,28 @@
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sat, 14 Dec 2019 19:51:14 -0600
+Subject: brcmfmac: Fix memory leak in brcmf_usbdev_qinit
+
+commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream.
+
+In the implementation of brcmf_usbdev_qinit() the allocated memory for
+reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
+handling path.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+@@ -365,6 +365,7 @@ fail:
+ usb_free_urb(req->urb);
+ list_del(q->next);
+ }
++ kfree(reqs);
+ return NULL;
+
+ }
diff --git a/queue-3.16/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch b/queue-3.16/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch
new file mode 100644
index 00000000..abba3ea2
--- /dev/null
+++ b/queue-3.16/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch
@@ -0,0 +1,34 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 3 Dec 2019 12:58:55 +0300
+Subject: brcmfmac: Fix use after free in brcmf_sdio_readframes()
+
+commit 216b44000ada87a63891a8214c347e05a4aea8fe upstream.
+
+The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
+static checker warning:
+
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
+ error: dereferencing freed memory 'pkt'
+
+It looks like there was supposed to be a continue after we free "pkt".
+
+Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+@@ -1972,6 +1972,7 @@ static uint brcmf_sdio_readframes(struct
+ BRCMF_SDIO_FT_NORMAL)) {
+ rd->len = 0;
+ brcmu_pkt_buf_free_skb(pkt);
++ continue;
+ }
+ bus->sdcnt.rx_readahead_cnt++;
+ if (rd->len != roundup(rd_new.len, 16)) {
diff --git a/queue-3.16/btrfs-fix-race-between-adding-and-putting-tree-mod-seq-elements-and.patch b/queue-3.16/btrfs-fix-race-between-adding-and-putting-tree-mod-seq-elements-and.patch
new file mode 100644
index 00000000..a89e9935
--- /dev/null
+++ b/queue-3.16/btrfs-fix-race-between-adding-and-putting-tree-mod-seq-elements-and.patch
@@ -0,0 +1,236 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 22 Jan 2020 12:23:20 +0000
+Subject: Btrfs: fix race between adding and putting tree mod seq elements and
+ nodes
+
+commit 7227ff4de55d931bbdc156c8ef0ce4f100c78a5b upstream.
+
+There is a race between adding and removing elements to the tree mod log
+list and rbtree that can lead to use-after-free problems.
+
+Consider the following example that explains how/why the problems happens:
+
+1) Task A has mod log element with sequence number 200. It currently is
+ the only element in the mod log list;
+
+2) Task A calls btrfs_put_tree_mod_seq() because it no longer needs to
+ access the tree mod log. When it enters the function, it initializes
+ 'min_seq' to (u64)-1. Then it acquires the lock 'tree_mod_seq_lock'
+ before checking if there are other elements in the mod seq list.
+ Since the list it empty, 'min_seq' remains set to (u64)-1. Then it
+ unlocks the lock 'tree_mod_seq_lock';
+
+3) Before task A acquires the lock 'tree_mod_log_lock', task B adds
+ itself to the mod seq list through btrfs_get_tree_mod_seq() and gets a
+ sequence number of 201;
+
+4) Some other task, name it task C, modifies a btree and because there
+ elements in the mod seq list, it adds a tree mod elem to the tree
+ mod log rbtree. That node added to the mod log rbtree is assigned
+ a sequence number of 202;
+
+5) Task B, which is doing fiemap and resolving indirect back references,
+ calls btrfs get_old_root(), with 'time_seq' == 201, which in turn
+ calls tree_mod_log_search() - the search returns the mod log node
+ from the rbtree with sequence number 202, created by task C;
+
+6) Task A now acquires the lock 'tree_mod_log_lock', starts iterating
+ the mod log rbtree and finds the node with sequence number 202. Since
+ 202 is less than the previously computed 'min_seq', (u64)-1, it
+ removes the node and frees it;
+
+7) Task B still has a pointer to the node with sequence number 202, and
+ it dereferences the pointer itself and through the call to
+ __tree_mod_log_rewind(), resulting in a use-after-free problem.
+
+This issue can be triggered sporadically with the test case generic/561
+from fstests, and it happens more frequently with a higher number of
+duperemove processes. When it happens to me, it either freezes the VM or
+it produces a trace like the following before crashing:
+
+ [ 1245.321140] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
+ [ 1245.321200] CPU: 1 PID: 26997 Comm: pool Not tainted 5.5.0-rc6-btrfs-next-52 #1
+ [ 1245.321235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
+ [ 1245.321287] RIP: 0010:rb_next+0x16/0x50
+ [ 1245.321307] Code: ....
+ [ 1245.321372] RSP: 0018:ffffa151c4d039b0 EFLAGS: 00010202
+ [ 1245.321388] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8ae221363c80 RCX: 6b6b6b6b6b6b6b6b
+ [ 1245.321409] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8ae221363c80
+ [ 1245.321439] RBP: ffff8ae20fcc4688 R08: 0000000000000002 R09: 0000000000000000
+ [ 1245.321475] R10: ffff8ae20b120910 R11: 00000000243f8bb1 R12: 0000000000000038
+ [ 1245.321506] R13: ffff8ae221363c80 R14: 000000000000075f R15: ffff8ae223f762b8
+ [ 1245.321539] FS: 00007fdee1ec7700(0000) GS:ffff8ae236c80000(0000) knlGS:0000000000000000
+ [ 1245.321591] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 1245.321614] CR2: 00007fded4030c48 CR3: 000000021da16003 CR4: 00000000003606e0
+ [ 1245.321642] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 1245.321668] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 1245.321706] Call Trace:
+ [ 1245.321798] __tree_mod_log_rewind+0xbf/0x280 [btrfs]
+ [ 1245.321841] btrfs_search_old_slot+0x105/0xd00 [btrfs]
+ [ 1245.321877] resolve_indirect_refs+0x1eb/0xc60 [btrfs]
+ [ 1245.321912] find_parent_nodes+0x3dc/0x11b0 [btrfs]
+ [ 1245.321947] btrfs_check_shared+0x115/0x1c0 [btrfs]
+ [ 1245.321980] ? extent_fiemap+0x59d/0x6d0 [btrfs]
+ [ 1245.322029] extent_fiemap+0x59d/0x6d0 [btrfs]
+ [ 1245.322066] do_vfs_ioctl+0x45a/0x750
+ [ 1245.322081] ksys_ioctl+0x70/0x80
+ [ 1245.322092] ? trace_hardirqs_off_thunk+0x1a/0x1c
+ [ 1245.322113] __x64_sys_ioctl+0x16/0x20
+ [ 1245.322126] do_syscall_64+0x5c/0x280
+ [ 1245.322139] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [ 1245.322155] RIP: 0033:0x7fdee3942dd7
+ [ 1245.322177] Code: ....
+ [ 1245.322258] RSP: 002b:00007fdee1ec6c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 1245.322294] RAX: ffffffffffffffda RBX: 00007fded40210d8 RCX: 00007fdee3942dd7
+ [ 1245.322314] RDX: 00007fded40210d8 RSI: 00000000c020660b RDI: 0000000000000004
+ [ 1245.322337] RBP: 0000562aa89e7510 R08: 0000000000000000 R09: 00007fdee1ec6d44
+ [ 1245.322369] R10: 0000000000000073 R11: 0000000000000246 R12: 00007fdee1ec6d48
+ [ 1245.322390] R13: 00007fdee1ec6d40 R14: 00007fded40210d0 R15: 00007fdee1ec6d50
+ [ 1245.322423] Modules linked in: ....
+ [ 1245.323443] ---[ end trace 01de1e9ec5dff3cd ]---
+
+Fix this by ensuring that btrfs_put_tree_mod_seq() computes the minimum
+sequence number and iterates the rbtree while holding the lock
+'tree_mod_log_lock' in write mode. Also get rid of the 'tree_mod_seq_lock'
+lock, since it is now redundant.
+
+Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions")
+Fixes: 097b8a7c9e48e2 ("Btrfs: join tree mod log code with the code holding back delayed refs")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16:
+ - Use tree_mod_log_write_{,un}lock() in ctree.c for consistency
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/ctree.c | 8 ++------
+ fs/btrfs/ctree.h | 6 ++----
+ fs/btrfs/delayed-ref.c | 8 ++++----
+ fs/btrfs/disk-io.c | 1 -
+ fs/btrfs/tests/btrfs-tests.c | 1 -
+ 5 files changed, 8 insertions(+), 16 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -365,12 +365,10 @@ u64 btrfs_get_tree_mod_seq(struct btrfs_
+ struct seq_list *elem)
+ {
+ tree_mod_log_write_lock(fs_info);
+- spin_lock(&fs_info->tree_mod_seq_lock);
+ if (!elem->seq) {
+ elem->seq = btrfs_inc_tree_mod_seq(fs_info);
+ list_add_tail(&elem->list, &fs_info->tree_mod_seq_list);
+ }
+- spin_unlock(&fs_info->tree_mod_seq_lock);
+ tree_mod_log_write_unlock(fs_info);
+
+ return elem->seq;
+@@ -390,7 +388,7 @@ void btrfs_put_tree_mod_seq(struct btrfs
+ if (!seq_putting)
+ return;
+
+- spin_lock(&fs_info->tree_mod_seq_lock);
++ tree_mod_log_write_lock(fs_info);
+ list_del(&elem->list);
+ elem->seq = 0;
+
+@@ -401,19 +399,17 @@ void btrfs_put_tree_mod_seq(struct btrfs
+ * blocker with lower sequence number exists, we
+ * cannot remove anything from the log
+ */
+- spin_unlock(&fs_info->tree_mod_seq_lock);
++ tree_mod_log_write_unlock(fs_info);
+ return;
+ }
+ min_seq = cur_elem->seq;
+ }
+ }
+- spin_unlock(&fs_info->tree_mod_seq_lock);
+
+ /*
+ * anything that's lower than the lowest existing (read: blocked)
+ * sequence number can be removed from the tree.
+ */
+- tree_mod_log_write_lock(fs_info);
+ tm_root = &fs_info->tree_mod_log;
+ for (node = rb_first(tm_root); node; node = next) {
+ next = rb_next(node);
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1502,14 +1502,12 @@ struct btrfs_fs_info {
+ spinlock_t delayed_iput_lock;
+ struct list_head delayed_iputs;
+
+- /* this protects tree_mod_seq_list */
+- spinlock_t tree_mod_seq_lock;
+ atomic64_t tree_mod_seq;
+- struct list_head tree_mod_seq_list;
+
+- /* this protects tree_mod_log */
++ /* this protects tree_mod_log and tree_mod_seq_list */
+ rwlock_t tree_mod_log_lock;
+ struct rb_root tree_mod_log;
++ struct list_head tree_mod_seq_list;
+
+ atomic_t nr_async_submits;
+ atomic_t async_submit_draining;
+--- a/fs/btrfs/delayed-ref.c
++++ b/fs/btrfs/delayed-ref.c
+@@ -344,7 +344,7 @@ void btrfs_merge_delayed_refs(struct btr
+ if (head->is_data)
+ return;
+
+- spin_lock(&fs_info->tree_mod_seq_lock);
++ read_lock(&fs_info->tree_mod_log_lock);
+ if (!list_empty(&fs_info->tree_mod_seq_list)) {
+ struct seq_list *elem;
+
+@@ -352,7 +352,7 @@ void btrfs_merge_delayed_refs(struct btr
+ struct seq_list, list);
+ seq = elem->seq;
+ }
+- spin_unlock(&fs_info->tree_mod_seq_lock);
++ read_unlock(&fs_info->tree_mod_log_lock);
+
+ node = rb_first(&head->ref_root);
+ while (node) {
+@@ -377,7 +377,7 @@ int btrfs_check_delayed_seq(struct btrfs
+ struct seq_list *elem;
+ int ret = 0;
+
+- spin_lock(&fs_info->tree_mod_seq_lock);
++ read_lock(&fs_info->tree_mod_log_lock);
+ if (!list_empty(&fs_info->tree_mod_seq_list)) {
+ elem = list_first_entry(&fs_info->tree_mod_seq_list,
+ struct seq_list, list);
+@@ -390,7 +390,7 @@ int btrfs_check_delayed_seq(struct btrfs
+ }
+ }
+
+- spin_unlock(&fs_info->tree_mod_seq_lock);
++ read_unlock(&fs_info->tree_mod_log_lock);
+ return ret;
+ }
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2167,7 +2167,6 @@ int open_ctree(struct super_block *sb,
+ spin_lock_init(&fs_info->delayed_iput_lock);
+ spin_lock_init(&fs_info->defrag_inodes_lock);
+ spin_lock_init(&fs_info->free_chunk_lock);
+- spin_lock_init(&fs_info->tree_mod_seq_lock);
+ spin_lock_init(&fs_info->super_lock);
+ spin_lock_init(&fs_info->qgroup_op_lock);
+ spin_lock_init(&fs_info->buffer_lock);
+--- a/fs/btrfs/tests/btrfs-tests.c
++++ b/fs/btrfs/tests/btrfs-tests.c
+@@ -109,7 +109,6 @@ struct btrfs_fs_info *btrfs_alloc_dummy_
+ spin_lock_init(&fs_info->qgroup_op_lock);
+ spin_lock_init(&fs_info->super_lock);
+ spin_lock_init(&fs_info->fs_roots_radix_lock);
+- spin_lock_init(&fs_info->tree_mod_seq_lock);
+ mutex_init(&fs_info->qgroup_ioctl_lock);
+ mutex_init(&fs_info->qgroup_rescan_lock);
+ rwlock_init(&fs_info->tree_mod_log_lock);
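Review bot: In `btrfs_put_tree_mod_seq()` (ctree.c section) the write lock is now taken before `list_del()` and has to stay held through the rbtree walk, but nothing in the function says so; only the ctree.h comment records the new rule. A short comment at the lock site, e.g. `/* held until the rbtree prune below finishes, so min_seq cannot go stale */`, would keep a later cleanup from splitting the critical section again and bringing back the use-after-free described in the message. The matching unlock after the rbtree loop lies outside the hunk, so it could not be confirmed from here. The readers in delayed-ref.c now take `read_lock(&fs_info->tree_mod_log_lock)`, which agrees with the updated ctree.h comment.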
diff --git a/queue-3.16/cifs-fail-i-o-on-soft-mounts-if-sessionsetup-errors-out.patch b/queue-3.16/cifs-fail-i-o-on-soft-mounts-if-sessionsetup-errors-out.patch
new file mode 100644
index 00000000..727114f4
--- /dev/null
+++ b/queue-3.16/cifs-fail-i-o-on-soft-mounts-if-sessionsetup-errors-out.patch
@@ -0,0 +1,46 @@
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 5 Feb 2020 11:08:01 +1000
+Subject: cifs: fail i/o on soft mounts if sessionsetup errors out
+
+commit b0dd940e582b6a60296b9847a54012a4b080dc72 upstream.
+
+RHBZ: 1579050
+
+If we have a soft mount we should fail commands for session-setup
+failures (such as the password having changed/ account being deleted/ ...)
+and return an error back to the application.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/smb2pdu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -250,9 +250,14 @@ smb2_reconnect(__le16 smb2_command, stru
+ */
+ mutex_lock(&tcon->ses->session_mutex);
+ rc = cifs_negotiate_protocol(0, tcon->ses);
+- if (!rc && tcon->ses->need_reconnect)
++ if (!rc && tcon->ses->need_reconnect) {
+ rc = cifs_setup_session(0, tcon->ses, nls_codepage);
+-
++ if ((rc == -EACCES) && !tcon->retry) {
++ rc = -EHOSTDOWN;
++ mutex_unlock(&tcon->ses->session_mutex);
++ goto failed;
++ }
++ }
+ if (rc || !tcon->need_reconnect) {
+ mutex_unlock(&tcon->ses->session_mutex);
+ goto out;
+@@ -290,6 +295,7 @@ out:
+ case SMB2_SET_INFO:
+ rc = -EAGAIN;
+ }
++failed:
+ unload_nls(nls_codepage);
+ return rc;
+ }
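Review bot: The new `goto failed` in `smb2_reconnect()` deliberately jumps past the `out:` switch that rewrites errors to `-EAGAIN`, but the code does not say so, and only `-EACCES` is treated as a session-setup failure. I would add a comment at the check such as `/* soft mount: report the auth failure instead of retrying via -EAGAIN */` and drop the redundant parentheses: `if (rc == -EACCES && !tcon->retry) {`. Whether other session-setup errors should take the same path cannot be judged from this hunk, although the description's "..." suggests more cases than the one handled. The function starts and ends outside the hunk.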
diff --git a/queue-3.16/cifs-fix-task-struct-use-after-free-on-reconnect.patch b/queue-3.16/cifs-fix-task-struct-use-after-free-on-reconnect.patch
new file mode 100644
index 00000000..d8c5ba0e
--- /dev/null
+++ b/queue-3.16/cifs-fix-task-struct-use-after-free-on-reconnect.patch
@@ -0,0 +1,167 @@
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Thu, 23 Jan 2020 17:09:06 +0100
+Subject: CIFS: Fix task struct use-after-free on reconnect
+
+commit f1f27ad74557e39f67a8331a808b860f89254f2d upstream.
+
+The task which created the MID may be gone by the time cifsd attempts to
+call the callbacks on MIDs from cifs_reconnect().
+
+This leads to a use-after-free of the task struct in cifs_wake_up_task:
+
+ ==================================================================
+ BUG: KASAN: use-after-free in __lock_acquire+0x31a0/0x3270
+ Read of size 8 at addr ffff8880103e3a68 by task cifsd/630
+
+ CPU: 0 PID: 630 Comm: cifsd Not tainted 5.5.0-rc6+ #119
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+ Call Trace:
+ dump_stack+0x8e/0xcb
+ print_address_description.constprop.5+0x1d3/0x3c0
+ ? __lock_acquire+0x31a0/0x3270
+ __kasan_report+0x152/0x1aa
+ ? __lock_acquire+0x31a0/0x3270
+ ? __lock_acquire+0x31a0/0x3270
+ kasan_report+0xe/0x20
+ __lock_acquire+0x31a0/0x3270
+ ? __wake_up_common+0x1dc/0x630
+ ? _raw_spin_unlock_irqrestore+0x4c/0x60
+ ? mark_held_locks+0xf0/0xf0
+ ? _raw_spin_unlock_irqrestore+0x39/0x60
+ ? __wake_up_common_lock+0xd5/0x130
+ ? __wake_up_common+0x630/0x630
+ lock_acquire+0x13f/0x330
+ ? try_to_wake_up+0xa3/0x19e0
+ _raw_spin_lock_irqsave+0x38/0x50
+ ? try_to_wake_up+0xa3/0x19e0
+ try_to_wake_up+0xa3/0x19e0
+ ? cifs_compound_callback+0x178/0x210
+ ? set_cpus_allowed_ptr+0x10/0x10
+ cifs_reconnect+0xa1c/0x15d0
+ ? generic_ip_connect+0x1860/0x1860
+ ? rwlock_bug.part.0+0x90/0x90
+ cifs_readv_from_socket+0x479/0x690
+ cifs_read_from_socket+0x9d/0xe0
+ ? cifs_readv_from_socket+0x690/0x690
+ ? mempool_resize+0x690/0x690
+ ? rwlock_bug.part.0+0x90/0x90
+ ? memset+0x1f/0x40
+ ? allocate_buffers+0xff/0x340
+ cifs_demultiplex_thread+0x388/0x2a50
+ ? cifs_handle_standard+0x610/0x610
+ ? rcu_read_lock_held_common+0x120/0x120
+ ? mark_lock+0x11b/0xc00
+ ? __lock_acquire+0x14ed/0x3270
+ ? __kthread_parkme+0x78/0x100
+ ? lockdep_hardirqs_on+0x3e8/0x560
+ ? lock_downgrade+0x6a0/0x6a0
+ ? lockdep_hardirqs_on+0x3e8/0x560
+ ? _raw_spin_unlock_irqrestore+0x39/0x60
+ ? cifs_handle_standard+0x610/0x610
+ kthread+0x2bb/0x3a0
+ ? kthread_create_worker_on_cpu+0xc0/0xc0
+ ret_from_fork+0x3a/0x50
+
+ Allocated by task 649:
+ save_stack+0x19/0x70
+ __kasan_kmalloc.constprop.5+0xa6/0xf0
+ kmem_cache_alloc+0x107/0x320
+ copy_process+0x17bc/0x5370
+ _do_fork+0x103/0xbf0
+ __x64_sys_clone+0x168/0x1e0
+ do_syscall_64+0x9b/0xec0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 0:
+ save_stack+0x19/0x70
+ __kasan_slab_free+0x11d/0x160
+ kmem_cache_free+0xb5/0x3d0
+ rcu_core+0x52f/0x1230
+ __do_softirq+0x24d/0x962
+
+ The buggy address belongs to the object at ffff8880103e32c0
+ which belongs to the cache task_struct of size 6016
+ The buggy address is located 1960 bytes inside of
+ 6016-byte region [ffff8880103e32c0, ffff8880103e4a40)
+ The buggy address belongs to the page:
+ page:ffffea000040f800 refcount:1 mapcount:0 mapping:ffff8880108da5c0
+ index:0xffff8880103e4c00 compound_mapcount: 0
+ raw: 4000000000010200 ffffea00001f2208 ffffea00001e3408 ffff8880108da5c0
+ raw: ffff8880103e4c00 0000000000050003 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff8880103e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880103e3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ >ffff8880103e3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880103e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880103e3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+
+This can be reliably reproduced by adding the below delay to
+cifs_reconnect(), running find(1) on the mount, restarting the samba
+server while find is running, and killing find during the delay:
+
+ spin_unlock(&GlobalMid_Lock);
+ mutex_unlock(&server->srv_mutex);
+
+ + msleep(10000);
+ +
+ cifs_dbg(FYI, "%s: issuing mid callbacks\n", __func__);
+ list_for_each_safe(tmp, tmp2, &retry_list) {
+ mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+
+Fix this by holding a reference to the task struct until the MID is
+freed.
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+[bwh: Backported to 3.16:
+ - In _cifs_mid_q_entry_release(), use mid instead of midEntry
+ - Adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1252,6 +1252,7 @@ struct mid_q_entry {
+ mid_receive_t *receive; /* call receive callback */
+ mid_callback_t *callback; /* call completion callback */
+ void *callback_data; /* general purpose pointer for callback */
++ struct task_struct *creator;
+ void *resp_buf; /* pointer to received SMB header */
+ int mid_state; /* wish this were enum but can not pass to wait_event */
+ unsigned int mid_flags;
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -542,6 +542,8 @@ smb2_mid_entry_alloc(const struct smb2_h
+ * The default is for the mid to be synchronous, so the
+ * default callback just wakes up the current task.
+ */
++ get_task_struct(current);
++ temp->creator = current;
+ temp->callback = cifs_wake_up_task;
+ temp->callback_data = current;
+ }
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -72,6 +72,8 @@ AllocMidQEntry(const struct smb_hdr *smb
+ * The default is for the mid to be synchronous, so the
+ * default callback just wakes up the current task.
+ */
++ get_task_struct(current);
++ temp->creator = current;
+ temp->callback = cifs_wake_up_task;
+ temp->callback_data = current;
+ }
+@@ -86,6 +88,8 @@ static void _cifs_mid_q_entry_release(st
+ struct mid_q_entry *mid = container_of(refcount, struct mid_q_entry,
+ refcount);
+
++ put_task_struct(mid->creator);
++
+ mempool_free(mid, cifs_mid_poolp);
+ }
+
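Review bot: `_cifs_mid_q_entry_release()` now calls `put_task_struct(mid->creator)` unconditionally, so every path that allocates a `mid_q_entry` must set `creator`; the hunks show that only for `AllocMidQEntry()` and `smb2_mid_entry_alloc()`. If this tree has any other allocator, an unset `creator` would reach `put_task_struct()`, which is worth a grep when applying the backport. The new field is also the only one in that part of `struct mid_q_entry` without a trailing comment; `/* task that allocated the mid; reference dropped on release */` would record the ownership rule.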
diff --git a/queue-3.16/clk-tegra-mark-fuse-clock-as-critical.patch b/queue-3.16/clk-tegra-mark-fuse-clock-as-critical.patch
new file mode 100644
index 00000000..1a633668
--- /dev/null
+++ b/queue-3.16/clk-tegra-mark-fuse-clock-as-critical.patch
@@ -0,0 +1,39 @@
+From: Stephen Warren <swarren@nvidia.com>
+Date: Thu, 3 Oct 2019 14:50:30 -0600
+Subject: clk: tegra: Mark fuse clock as critical
+
+commit bf83b96f87ae2abb1e535306ea53608e8de5dfbb upstream.
+
+For a little over a year, U-Boot on Tegra124 has configured the flow
+controller to perform automatic RAM re-repair on off->on power
+transitions of the CPU rail[1]. This is mandatory for correct operation
+of Tegra124. However, RAM re-repair relies on certain clocks, which the
+kernel must enable and leave running. The fuse clock is one of those
+clocks. Mark this clock as critical so that LP1 power mode (system
+suspend) operates correctly.
+
+[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
+
+Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
+Signed-off-by: Stephen Warren <swarren@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/clk/tegra/clk-tegra-periph.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/tegra/clk-tegra-periph.c
++++ b/drivers/clk/tegra/clk-tegra-periph.c
+@@ -517,7 +517,11 @@ static struct tegra_periph_init_data gat
+ GATE("vcp", "clk_m", 29, 0, tegra_clk_vcp, 0),
+ GATE("apbdma", "clk_m", 34, 0, tegra_clk_apbdma, 0),
+ GATE("kbc", "clk_32k", 36, TEGRA_PERIPH_ON_APB | TEGRA_PERIPH_NO_RESET, tegra_clk_kbc, 0),
+- GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 0),
++ /*
++ * Critical for RAM re-repair operation, which must occur on resume
++ * from LP1 system suspend and as part of CCPLEX cluster switching.
++ */
++ GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, CLK_IS_CRITICAL),
+ GATE("fuse_burn", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse_burn, 0),
+ GATE("kfuse", "clk_m", 40, TEGRA_PERIPH_ON_APB, tegra_clk_kfuse, 0),
+ GATE("apbif", "clk_m", 107, TEGRA_PERIPH_ON_APB, tegra_clk_apbif, 0),
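Review bot: The `fuse` entry in the gate table now passes `CLK_IS_CRITICAL`, and nothing in this patch defines that flag or names a prerequisite. As far as I recall the flag was added to the common clock framework well after 3.16, so unless an earlier patch in the queue backports it this file will not build. The patch also has no `[bwh: Backported to 3.16: ...]` note, unlike its neighbours that needed adjustment. Please confirm the dependency is queued ahead of this patch, or keep the clock enabled by a mechanism 3.16 already has and say so in the backport note.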
diff --git a/queue-3.16/clocksource-prevent-double-add_timer_on-for-watchdog_timer.patch b/queue-3.16/clocksource-prevent-double-add_timer_on-for-watchdog_timer.patch
new file mode 100644
index 00000000..508b7d66
--- /dev/null
+++ b/queue-3.16/clocksource-prevent-double-add_timer_on-for-watchdog_timer.patch
@@ -0,0 +1,91 @@
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Fri, 31 Jan 2020 19:08:59 +0300
+Subject: clocksource: Prevent double add_timer_on() for watchdog_timer
+
+commit febac332a819f0e764aa4da62757ba21d18c182b upstream.
+
+Kernel crashes inside QEMU/KVM are observed:
+
+ kernel BUG at kernel/time/timer.c:1154!
+ BUG_ON(timer_pending(timer) || !timer->function) in add_timer_on().
+
+At the same time another cpu got:
+
+ general protection fault: 0000 [#1] SMP PTI of poinson pointer 0xdead000000000200 in:
+
+ __hlist_del at include/linux/list.h:681
+ (inlined by) detach_timer at kernel/time/timer.c:818
+ (inlined by) expire_timers at kernel/time/timer.c:1355
+ (inlined by) __run_timers at kernel/time/timer.c:1686
+ (inlined by) run_timer_softirq at kernel/time/timer.c:1699
+
+Unfortunately kernel logs are badly scrambled, stacktraces are lost.
+
+Printing the timer->function before the BUG_ON() pointed to
+clocksource_watchdog().
+
+The execution of clocksource_watchdog() can race with a sequence of
+clocksource_stop_watchdog() .. clocksource_start_watchdog():
+
+expire_timers()
+ detach_timer(timer, true);
+ timer->entry.pprev = NULL;
+ raw_spin_unlock_irq(&base->lock);
+ call_timer_fn
+ clocksource_watchdog()
+
+ clocksource_watchdog_kthread() or
+ clocksource_unbind()
+
+ spin_lock_irqsave(&watchdog_lock, flags);
+ clocksource_stop_watchdog();
+ del_timer(&watchdog_timer);
+ watchdog_running = 0;
+ spin_unlock_irqrestore(&watchdog_lock, flags);
+
+ spin_lock_irqsave(&watchdog_lock, flags);
+ clocksource_start_watchdog();
+ add_timer_on(&watchdog_timer, ...);
+ watchdog_running = 1;
+ spin_unlock_irqrestore(&watchdog_lock, flags);
+
+ spin_lock(&watchdog_lock);
+ add_timer_on(&watchdog_timer, ...);
+ BUG_ON(timer_pending(timer) || !timer->function);
+ timer_pending() -> true
+ BUG()
+
+I.e. inside clocksource_watchdog() watchdog_timer could be already armed.
+
+Check timer_pending() before calling add_timer_on(). This is sufficient as
+all operations are synchronized by watchdog_lock.
+
+Fixes: 75c5158f70c0 ("timekeeping: Update clocksource with stop_machine")
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/158048693917.4378.13823603769948933793.stgit@buzz
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/time/clocksource.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -343,8 +343,15 @@ static void clocksource_watchdog(unsigne
+ next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask);
+ if (next_cpu >= nr_cpu_ids)
+ next_cpu = cpumask_first(cpu_online_mask);
+- watchdog_timer.expires += WATCHDOG_INTERVAL;
+- add_timer_on(&watchdog_timer, next_cpu);
++
++ /*
++ * Arm timer if not already pending: could race with concurrent
++ * pair clocksource_stop_watchdog() clocksource_start_watchdog().
++ */
++ if (!timer_pending(&watchdog_timer)) {
++ watchdog_timer.expires += WATCHDOG_INTERVAL;
++ add_timer_on(&watchdog_timer, next_cpu);
++ }
+ out:
+ spin_unlock(&watchdog_lock);
+ }
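Review bot: The comment added above the `timer_pending()` check in `clocksource_watchdog()` names the race but not why the check is sufficient. The commit message gives the reason (all of these operations run under `watchdog_lock`), and that belongs in the code too: `/* watchdog_lock is held, so a pending timer here was armed by clocksource_start_watchdog() */`. The phrase "concurrent pair clocksource_stop_watchdog() clocksource_start_watchdog()" would read better as "a concurrent clocksource_stop_watchdog() / clocksource_start_watchdog() pair". The function starts outside the hunk.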
diff --git a/queue-3.16/cls_rsvp-fix-rsvp_policy.patch b/queue-3.16/cls_rsvp-fix-rsvp_policy.patch
new file mode 100644
index 00000000..39cb68f3
--- /dev/null
+++ b/queue-3.16/cls_rsvp-fix-rsvp_policy.patch
@@ -0,0 +1,98 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 15:27:04 -0800
+Subject: cls_rsvp: fix rsvp_policy
+
+commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 upstream.
+
+NLA_BINARY can be confusing, since .len value represents
+the max size of the blob.
+
+cls_rsvp really wants user space to provide long enough data
+for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
+
+BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
+BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
+BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ rsvp_get net/sched/cls_rsvp.h:258 [inline]
+ gen_handle net/sched/cls_rsvp.h:402 [inline]
+ rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+ tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
+ rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
+ netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45b349
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2774 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
+ netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sched/cls_rsvp.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/sched/cls_rsvp.h
++++ b/net/sched/cls_rsvp.h
+@@ -404,10 +404,8 @@ static u32 gen_tunnel(struct rsvp_head *
+
+ static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
+ [TCA_RSVP_CLASSID] = { .type = NLA_U32 },
+- [TCA_RSVP_DST] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
+- [TCA_RSVP_SRC] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) },
+ };
+
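Review bot: The `TCA_RSVP_DST` and `TCA_RSVP_SRC` entries in `rsvp_policy` now rely on the implicit default type, where `.len` is a minimum payload length rather than the maximum it was under `NLA_BINARY`, and the table does not say so. A later edit could easily put `NLA_BINARY` back and reopen the uninitialised read that KMSAN reported, so I would add `/* no .type: .len is the minimum length userspace must supply */` above the two entries. `TCA_RSVP_SRC` is still sized with `RSVP_DST_LEN`; that predates this change, but a word on whether it is intended would help.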
diff --git a/queue-3.16/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch b/queue-3.16/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
new file mode 100644
index 00000000..41c3435e
--- /dev/null
+++ b/queue-3.16/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
@@ -0,0 +1,38 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 Dec 2019 13:45:05 +0800
+Subject: crypto: af_alg - Use bh_lock_sock in sk_destruct
+
+commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
+
+As af_alg_release_parent may be called from BH context (most notably
+due to an async request that only completes after socket closure,
+or as reported here because of an RCU-delayed sk_destruct call), we
+must use bh_lock_sock instead of lock_sock.
+
+Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/af_alg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -136,11 +136,13 @@ void af_alg_release_parent(struct sock *
+ sk = ask->parent;
+ ask = alg_sk(sk);
+
+- lock_sock(sk);
++ local_bh_disable();
++ bh_lock_sock(sk);
+ ask->nokey_refcnt -= nokey;
+ if (!last)
+ last = !--ask->refcnt;
+- release_sock(sk);
++ bh_unlock_sock(sk);
++ local_bh_enable();
+
+ if (last)
+ sock_put(sk);
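Review bot: In af_alg_release_parent, `bh_lock_sock(sk)` takes only the socket spinlock and, unlike the `lock_sock(sk)` it replaces, does not wait for a process-context owner. The updates to `ask->nokey_refcnt` and `ask->refcnt` are therefore no longer serialised against any path that holds `lock_sock()` on the parent while touching the same counters. Whether such a path exists is not visible in this hunk (the function starts and ends outside it), but if one does, a decrement here can race with it and the `last` decision that leads to `sock_put(sk)` can be wrong. Either handle the owned case explicitly (test `sock_owned_by_user(sk)` and defer the update) or make the two counters atomic so this function needs no socket lock.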
diff --git a/queue-3.16/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch b/queue-3.16/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
new file mode 100644
index 00000000..53bbbbcd
--- /dev/null
+++ b/queue-3.16/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
@@ -0,0 +1,34 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 6 Dec 2019 13:55:17 +0800
+Subject: crypto: api - Check spawn->alg under lock in crypto_drop_spawn
+
+commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream.
+
+We need to check whether spawn->alg is NULL under lock as otherwise
+the algorithm could be removed from under us after we have checked
+it and found it to be non-NULL. This could cause us to remove the
+spawn from a non-existent list.
+
+Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/algapi.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -618,11 +618,9 @@ EXPORT_SYMBOL_GPL(crypto_init_spawn2);
+
+ void crypto_drop_spawn(struct crypto_spawn *spawn)
+ {
+- if (!spawn->alg)
+- return;
+-
+ down_write(&crypto_alg_sem);
+- list_del(&spawn->list);
++ if (spawn->alg)
++ list_del(&spawn->list);
+ up_write(&crypto_alg_sem);
+ }
+ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
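Review bot: crypto_drop_spawn now depends on a locking rule that the code does not state: `spawn->alg` may only be tested with `crypto_alg_sem` held. A one-line comment above the test, `/* spawn->alg can change when the algorithm is removed; test it only under crypto_alg_sem */`, would record the reason given in the commit message. Without it, a later cleanup could hoist the check back out as an early return, which is the pattern this patch removes.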
diff --git a/queue-3.16/crypto-api-fix-race-condition-in-crypto_spawn_alg.patch b/queue-3.16/crypto-api-fix-race-condition-in-crypto_spawn_alg.patch
new file mode 100644
index 00000000..b5683c8e
--- /dev/null
+++ b/queue-3.16/crypto-api-fix-race-condition-in-crypto_spawn_alg.patch
@@ -0,0 +1,78 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sat, 7 Dec 2019 22:15:15 +0800
+Subject: crypto: api - Fix race condition in crypto_spawn_alg
+
+commit 73669cc556462f4e50376538d77ee312142e8a8a upstream.
+
+The function crypto_spawn_alg is racy because it drops the lock
+before shooting the dying algorithm. The algorithm could disappear
+altogether before we shoot it.
+
+This patch fixes it by moving the shooting into the locked section.
+
+Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/algapi.c | 16 +++++-----------
+ crypto/api.c | 3 +--
+ crypto/internal.h | 1 -
+ 3 files changed, 6 insertions(+), 14 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -628,22 +628,16 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
+ static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
+ {
+ struct crypto_alg *alg;
+- struct crypto_alg *alg2;
+
+ down_read(&crypto_alg_sem);
+ alg = spawn->alg;
+- alg2 = alg;
+- if (alg2)
+- alg2 = crypto_mod_get(alg2);
+- up_read(&crypto_alg_sem);
+-
+- if (!alg2) {
+- if (alg)
+- crypto_shoot_alg(alg);
+- return ERR_PTR(-EAGAIN);
++ if (alg && !crypto_mod_get(alg)) {
++ alg->cra_flags |= CRYPTO_ALG_DYING;
++ alg = NULL;
+ }
++ up_read(&crypto_alg_sem);
+
+- return alg;
++ return alg ?: ERR_PTR(-EAGAIN);
+ }
+
+ struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -345,13 +345,12 @@ static unsigned int crypto_ctxsize(struc
+ return len;
+ }
+
+-void crypto_shoot_alg(struct crypto_alg *alg)
++static void crypto_shoot_alg(struct crypto_alg *alg)
+ {
+ down_write(&crypto_alg_sem);
+ alg->cra_flags |= CRYPTO_ALG_DYING;
+ up_write(&crypto_alg_sem);
+ }
+-EXPORT_SYMBOL_GPL(crypto_shoot_alg);
+
+ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask)
+--- a/crypto/internal.h
++++ b/crypto/internal.h
+@@ -88,7 +88,6 @@ void crypto_alg_tested(const char *name,
+ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
+ struct crypto_alg *nalg);
+ void crypto_remove_final(struct list_head *list);
+-void crypto_shoot_alg(struct crypto_alg *alg);
+ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask);
+ void *crypto_create_tfm(struct crypto_alg *alg,
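Review bot: The rewritten crypto_spawn_alg sets `alg->cra_flags |= CRYPTO_ALG_DYING` while holding `crypto_alg_sem` only for read, whereas crypto_shoot_alg in crypto/api.c (same patch) takes the semaphore for write to make the identical update. A read lock admits concurrent holders, so this non-atomic read-modify-write of `cra_flags` can overlap with another reader's update. The smallest fix is to hold the semaphore exclusively in this function, `down_write(&crypto_alg_sem);` … `up_write(&crypto_alg_sem);`. The alternative is to pin the algorithm with a reference, drop the read lock and mark it through crypto_shoot_alg(), which would mean keeping that helper non-static.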
diff --git a/queue-3.16/crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch b/queue-3.16/crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch
new file mode 100644
index 00000000..b640a210
--- /dev/null
+++ b/queue-3.16/crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch
@@ -0,0 +1,29 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 29 Nov 2019 16:40:24 +0800
+Subject: crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
+
+commit e8d998264bffade3cfe0536559f712ab9058d654 upstream.
+
+We should not be modifying the original request's MAY_SLEEP flag
+upon completion. It makes no sense to do so anyway.
+
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/pcrypt.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -137,7 +137,6 @@ static void pcrypt_aead_done(struct cryp
+ struct padata_priv *padata = pcrypt_request_padata(preq);
+
+ padata->info = err;
+- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+
+ padata_do_serial(padata);
+ }
diff --git a/queue-3.16/crypto-pcrypt-fix-user-after-free-on-module-unload.patch b/queue-3.16/crypto-pcrypt-fix-user-after-free-on-module-unload.patch
new file mode 100644
index 00000000..3f3c5279
--- /dev/null
+++ b/queue-3.16/crypto-pcrypt-fix-user-after-free-on-module-unload.patch
@@ -0,0 +1,35 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 19 Nov 2019 17:41:31 +0800
+Subject: crypto: pcrypt - Fix user-after-free on module unload
+
+commit 07bfd9bdf568a38d9440c607b72342036011f727 upstream.
+
+On module unload of pcrypt we must unregister the crypto algorithms
+first and then tear down the padata structure. As otherwise the
+crypto algorithms are still alive and can be used while the padata
+structure is being freed.
+
+Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/pcrypt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -552,11 +552,12 @@ err:
+
+ static void __exit pcrypt_exit(void)
+ {
++ crypto_unregister_template(&pcrypt_tmpl);
++
+ pcrypt_fini_padata(&pencrypt);
+ pcrypt_fini_padata(&pdecrypt);
+
+ kset_unregister(pcrypt_kset);
+- crypto_unregister_template(&pcrypt_tmpl);
+ }
+
+ module_init(pcrypt_init);
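Review bot: The order of the teardown calls in pcrypt_exit is now load-bearing, but nothing in the function says so. A comment above the first call, `/* Unregister the template first: the algorithms must be gone before the padata instances they use are freed. */`, would put the constraint from the commit message next to the code, so that the calls are not regrouped later.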
diff --git a/queue-3.16/crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix.patch b/queue-3.16/crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix.patch
new file mode 100644
index 00000000..8b1d9052
--- /dev/null
+++ b/queue-3.16/crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix.patch
@@ -0,0 +1,59 @@
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Tue, 10 Dec 2019 00:21:44 +0800
+Subject: crypto: picoxcell - adjust the position of tasklet_init and fix
+ missed tasklet_kill
+
+commit 7f8c36fe9be46862c4f3c5302f769378028a34fa upstream.
+
+Since tasklet is needed to be initialized before registering IRQ
+handler, adjust the position of tasklet_init to fix the wrong order.
+
+Besides, to fix the missed tasklet_kill, this patch adds a helper
+function and uses devm_add_action to kill the tasklet automatically.
+
+Fixes: ce92136843cb ("crypto: picoxcell - add support for the picoxcell crypto engines")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/crypto/picoxcell_crypto.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/picoxcell_crypto.c
++++ b/drivers/crypto/picoxcell_crypto.c
+@@ -1690,6 +1690,11 @@ static bool spacc_is_compatible(struct p
+ return false;
+ }
+
++static void spacc_tasklet_kill(void *data)
++{
++ tasklet_kill(data);
++}
++
+ static int spacc_probe(struct platform_device *pdev)
+ {
+ int i, err, ret = -EINVAL;
+@@ -1730,6 +1735,14 @@ static int spacc_probe(struct platform_d
+ return -ENXIO;
+ }
+
++ tasklet_init(&engine->complete, spacc_spacc_complete,
++ (unsigned long)engine);
++
++ ret = devm_add_action(&pdev->dev, spacc_tasklet_kill,
++ &engine->complete);
++ if (ret)
++ return ret;
++
+ if (devm_request_irq(&pdev->dev, irq->start, spacc_spacc_irq, 0,
+ engine->name, engine)) {
+ dev_err(engine->dev, "failed to request IRQ\n");
+@@ -1792,8 +1805,6 @@ static int spacc_probe(struct platform_d
+ INIT_LIST_HEAD(&engine->completed);
+ INIT_LIST_HEAD(&engine->in_progress);
+ engine->in_flight = 0;
+- tasklet_init(&engine->complete, spacc_spacc_complete,
+- (unsigned long)engine);
+
+ platform_set_drvdata(pdev, engine);
+
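Review bot: In spacc_probe the tasklet is now set up before `devm_request_irq()`, but `INIT_LIST_HEAD(&engine->completed)`, `INIT_LIST_HEAD(&engine->in_progress)` and `engine->in_flight = 0` still run in the last hunk, well after the handler is registered. If spacc_spacc_complete walks those lists (its body is not visible here), an interrupt arriving in between would run the tasklet over uninitialised list heads; moving those three statements up beside `tasklet_init()` closes the same window this patch targets. Separately, `ret = devm_add_action(...)` overwrites the `-EINVAL` that `ret` is initialised with at the top of the function, so a later `return ret` relying on that default would report success; `err = devm_add_action(...); if (err) return err;` avoids this. The function body extends beyond all three hunks, so both points need checking against the full 3.16 source.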
diff --git a/queue-3.16/dm-space-map-common-fix-to-ensure-new-block-isn-t-already-in-use.patch b/queue-3.16/dm-space-map-common-fix-to-ensure-new-block-isn-t-already-in-use.patch
new file mode 100644
index 00000000..bba0d270
--- /dev/null
+++ b/queue-3.16/dm-space-map-common-fix-to-ensure-new-block-isn-t-already-in-use.patch
@@ -0,0 +1,117 @@
+From: Joe Thornber <ejt@redhat.com>
+Date: Tue, 7 Jan 2020 11:58:42 +0000
+Subject: dm space map common: fix to ensure new block isn't already in use
+
+commit 4feaef830de7ffdd8352e1fe14ad3bf13c9688f8 upstream.
+
+The space-maps track the reference counts for disk blocks allocated by
+both the thin-provisioning and cache targets. There are variants for
+tracking metadata blocks and data blocks.
+
+Transactionality is implemented by never touching blocks from the
+previous transaction, so we can rollback in the event of a crash.
+
+When allocating a new block we need to ensure the block is free (has
+reference count of 0) in both the current and previous transaction.
+Prior to this fix we were doing this by searching for a free block in
+the previous transaction, and relying on a 'begin' counter to track
+where the last allocation in the current transaction was. This
+'begin' field was not being updated in all code paths (eg, increment
+of a data block reference count due to breaking sharing of a neighbour
+block in the same btree leaf).
+
+This fix keeps the 'begin' field, but now it's just a hint to speed up
+the search. Instead the current transaction is searched for a free
+block, and then the old transaction is double checked to ensure it's
+free. Much simpler.
+
+This fixes reports of sm_disk_new_block()'s BUG_ON() triggering when
+DM thin-provisioning's snapshots are heavily used.
+
+Reported-by: Eric Wheeler <dm-devel@lists.ewheeler.net>
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ .../md/persistent-data/dm-space-map-common.c | 27 +++++++++++++++++++
+ .../md/persistent-data/dm-space-map-common.h | 2 ++
+ .../md/persistent-data/dm-space-map-disk.c | 6 +++--
+ .../persistent-data/dm-space-map-metadata.c | 5 +++-
+ 4 files changed, 37 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/persistent-data/dm-space-map-common.c
++++ b/drivers/md/persistent-data/dm-space-map-common.c
+@@ -384,6 +384,33 @@ int sm_ll_find_free_block(struct ll_disk
+ return -ENOSPC;
+ }
+
++int sm_ll_find_common_free_block(struct ll_disk *old_ll, struct ll_disk *new_ll,
++ dm_block_t begin, dm_block_t end, dm_block_t *b)
++{
++ int r;
++ uint32_t count;
++
++ do {
++ r = sm_ll_find_free_block(new_ll, begin, new_ll->nr_blocks, b);
++ if (r)
++ break;
++
++ /* double check this block wasn't used in the old transaction */
++ if (*b >= old_ll->nr_blocks)
++ count = 0;
++ else {
++ r = sm_ll_lookup(old_ll, *b, &count);
++ if (r)
++ break;
++
++ if (count)
++ begin = *b + 1;
++ }
++ } while (count);
++
++ return r;
++}
++
+ static int sm_ll_mutate(struct ll_disk *ll, dm_block_t b,
+ int (*mutator)(void *context, uint32_t old, uint32_t *new),
+ void *context, enum allocation_event *ev)
+--- a/drivers/md/persistent-data/dm-space-map-common.h
++++ b/drivers/md/persistent-data/dm-space-map-common.h
+@@ -109,6 +109,8 @@ int sm_ll_lookup_bitmap(struct ll_disk *
+ int sm_ll_lookup(struct ll_disk *ll, dm_block_t b, uint32_t *result);
+ int sm_ll_find_free_block(struct ll_disk *ll, dm_block_t begin,
+ dm_block_t end, dm_block_t *result);
++int sm_ll_find_common_free_block(struct ll_disk *old_ll, struct ll_disk *new_ll,
++ dm_block_t begin, dm_block_t end, dm_block_t *result);
+ int sm_ll_insert(struct ll_disk *ll, dm_block_t b, uint32_t ref_count, enum allocation_event *ev);
+ int sm_ll_inc(struct ll_disk *ll, dm_block_t b, enum allocation_event *ev);
+ int sm_ll_dec(struct ll_disk *ll, dm_block_t b, enum allocation_event *ev);
+--- a/drivers/md/persistent-data/dm-space-map-disk.c
++++ b/drivers/md/persistent-data/dm-space-map-disk.c
+@@ -165,8 +165,10 @@ static int sm_disk_new_block(struct dm_s
+ enum allocation_event ev;
+ struct sm_disk *smd = container_of(sm, struct sm_disk, sm);
+
+- /* FIXME: we should loop round a couple of times */
+- r = sm_ll_find_free_block(&smd->old_ll, smd->begin, smd->old_ll.nr_blocks, b);
++ /*
++ * Any block we allocate has to be free in both the old and current ll.
++ */
++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
+ if (r)
+ return r;
+
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -447,7 +447,10 @@ static int sm_metadata_new_block_(struct
+ enum allocation_event ev;
+ struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+
+- r = sm_ll_find_free_block(&smm->old_ll, smm->begin, smm->old_ll.nr_blocks, b);
++ /*
++ * Any block we allocate has to be free in both the old and current ll.
++ */
++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
+ if (r)
+ return r;
+
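Review bot: sm_ll_find_common_free_block accepts an `end` argument but never uses it: the search is always bounded by `new_ll->nr_blocks`. Both callers in this patch pass `ll.nr_blocks`, so the behaviour matches today, but a later caller passing a smaller bound would silently be handed blocks beyond it. Pass the bound through, `r = sm_ll_find_free_block(new_ll, begin, end, b);`, or drop the parameter from the prototype in dm-space-map-common.h.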
diff --git a/queue-3.16/efi-use-early_mem-instead-of-early_io.patch b/queue-3.16/efi-use-early_mem-instead-of-early_io.patch
new file mode 100644
index 00000000..97c4a289
--- /dev/null
+++ b/queue-3.16/efi-use-early_mem-instead-of-early_io.patch
@@ -0,0 +1,163 @@
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Mon, 30 Jun 2014 19:52:56 +0200
+Subject: efi: Use early_mem*() instead of early_io*()
+
+commit abc93f8eb6e46a480485f19256bdbda36ec78a84 upstream.
+
+Use early_mem*() instead of early_io*() because all mapped EFI regions
+are memory (usually RAM but they could also be ROM, EPROM, EEPROM, flash,
+etc.) not I/O regions. Additionally, I/O family calls do not work correctly
+under Xen in our case. early_ioremap() skips the PFN to MFN conversion
+when building the PTE. Using it for memory will attempt to map the wrong
+machine frame. However, all artificial EFI structures created under Xen
+live in dom0 memory and should be mapped/unmapped using early_mem*() family
+calls which map domain memory.
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Mark Salter <msalter@redhat.com>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/platform/efi/efi.c | 28 ++++++++++++++--------------
+ drivers/firmware/efi/efi.c | 4 ++--
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -435,7 +435,7 @@ void __init efi_unmap_memmap(void)
+ {
+ clear_bit(EFI_MEMMAP, &efi.flags);
+ if (memmap.map) {
+- early_iounmap(memmap.map, memmap.nr_map * memmap.desc_size);
++ early_memunmap(memmap.map, memmap.nr_map * memmap.desc_size);
+ memmap.map = NULL;
+ }
+ }
+@@ -475,12 +475,12 @@ static int __init efi_systab_init(void *
+ if (!data)
+ return -ENOMEM;
+ }
+- systab64 = early_ioremap((unsigned long)phys,
++ systab64 = early_memremap((unsigned long)phys,
+ sizeof(*systab64));
+ if (systab64 == NULL) {
+ pr_err("Couldn't map the system table!\n");
+ if (data)
+- early_iounmap(data, sizeof(*data));
++ early_memunmap(data, sizeof(*data));
+ return -ENOMEM;
+ }
+
+@@ -512,9 +512,9 @@ static int __init efi_systab_init(void *
+ systab64->tables;
+ tmp |= data ? data->tables : systab64->tables;
+
+- early_iounmap(systab64, sizeof(*systab64));
++ early_memunmap(systab64, sizeof(*systab64));
+ if (data)
+- early_iounmap(data, sizeof(*data));
++ early_memunmap(data, sizeof(*data));
+ #ifdef CONFIG_X86_32
+ if (tmp >> 32) {
+ pr_err("EFI data located above 4GB, disabling EFI.\n");
+@@ -524,7 +524,7 @@ static int __init efi_systab_init(void *
+ } else {
+ efi_system_table_32_t *systab32;
+
+- systab32 = early_ioremap((unsigned long)phys,
++ systab32 = early_memremap((unsigned long)phys,
+ sizeof(*systab32));
+ if (systab32 == NULL) {
+ pr_err("Couldn't map the system table!\n");
+@@ -545,7 +545,7 @@ static int __init efi_systab_init(void *
+ efi_systab.nr_tables = systab32->nr_tables;
+ efi_systab.tables = systab32->tables;
+
+- early_iounmap(systab32, sizeof(*systab32));
++ early_memunmap(systab32, sizeof(*systab32));
+ }
+
+ efi.systab = &efi_systab;
+@@ -571,7 +571,7 @@ static int __init efi_runtime_init32(voi
+ {
+ efi_runtime_services_32_t *runtime;
+
+- runtime = early_ioremap((unsigned long)efi.systab->runtime,
++ runtime = early_memremap((unsigned long)efi.systab->runtime,
+ sizeof(efi_runtime_services_32_t));
+ if (!runtime) {
+ pr_err("Could not map the runtime service table!\n");
+@@ -586,7 +586,7 @@ static int __init efi_runtime_init32(voi
+ efi_phys.set_virtual_address_map =
+ (efi_set_virtual_address_map_t *)
+ (unsigned long)runtime->set_virtual_address_map;
+- early_iounmap(runtime, sizeof(efi_runtime_services_32_t));
++ early_memunmap(runtime, sizeof(efi_runtime_services_32_t));
+
+ return 0;
+ }
+@@ -595,7 +595,7 @@ static int __init efi_runtime_init64(voi
+ {
+ efi_runtime_services_64_t *runtime;
+
+- runtime = early_ioremap((unsigned long)efi.systab->runtime,
++ runtime = early_memremap((unsigned long)efi.systab->runtime,
+ sizeof(efi_runtime_services_64_t));
+ if (!runtime) {
+ pr_err("Could not map the runtime service table!\n");
+@@ -610,7 +610,7 @@ static int __init efi_runtime_init64(voi
+ efi_phys.set_virtual_address_map =
+ (efi_set_virtual_address_map_t *)
+ (unsigned long)runtime->set_virtual_address_map;
+- early_iounmap(runtime, sizeof(efi_runtime_services_64_t));
++ early_memunmap(runtime, sizeof(efi_runtime_services_64_t));
+
+ return 0;
+ }
+@@ -641,7 +641,7 @@ static int __init efi_runtime_init(void)
+ static int __init efi_memmap_init(void)
+ {
+ /* Map the EFI memory map */
+- memmap.map = early_ioremap((unsigned long)memmap.phys_map,
++ memmap.map = early_memremap((unsigned long)memmap.phys_map,
+ memmap.nr_map * memmap.desc_size);
+ if (memmap.map == NULL) {
+ pr_err("Could not map the memory map!\n");
+@@ -745,14 +745,14 @@ void __init efi_init(void)
+ /*
+ * Show what we know for posterity
+ */
+- c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
++ c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
+ if (c16) {
+ for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
+ vendor[i] = *c16++;
+ vendor[i] = '\0';
+ } else
+ pr_err("Could not map the firmware vendor!\n");
+- early_iounmap(tmp, 2);
++ early_memunmap(tmp, 2);
+
+ pr_info("EFI v%u.%.02u by %s\n",
+ efi.systab->hdr.revision >> 16,
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -295,7 +295,7 @@ int __init efi_config_init(efi_config_ta
+ if (table64 >> 32) {
+ pr_cont("\n");
+ pr_err("Table located above 4GB, disabling EFI.\n");
+- early_iounmap(config_tables,
++ early_memunmap(config_tables,
+ efi.systab->nr_tables * sz);
+ return -EINVAL;
+ }
+@@ -311,7 +311,7 @@ int __init efi_config_init(efi_config_ta
+ tablep += sz;
+ }
+ pr_cont("\n");
+- early_iounmap(config_tables, efi.systab->nr_tables * sz);
++ early_memunmap(config_tables, efi.systab->nr_tables * sz);
+
+ set_bit(EFI_CONFIG_TABLES, &efi.flags);
+
diff --git a/queue-3.16/efi-x86-map-the-entire-efi-vendor-string-before-copying-it.patch b/queue-3.16/efi-x86-map-the-entire-efi-vendor-string-before-copying-it.patch
new file mode 100644
index 00000000..2494fd67
--- /dev/null
+++ b/queue-3.16/efi-x86-map-the-entire-efi-vendor-string-before-copying-it.patch
@@ -0,0 +1,63 @@
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 3 Jan 2020 12:39:37 +0100
+Subject: efi/x86: Map the entire EFI vendor string before copying it
+
+commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c upstream.
+
+Fix a couple of issues with the way we map and copy the vendor string:
+- we map only 2 bytes, which usually works since you get at least a
+ page, but if the vendor string happens to cross a page boundary,
+ a crash will result
+- only call early_memunmap() if early_memremap() succeeded, or we will
+ call it with a NULL address which it doesn't like,
+- while at it, switch to early_memremap_ro(), and array indexing rather
+ than pointer dereferencing to read the CHAR16 characters.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Arvind Sankar <nivedita@alum.mit.edu>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: linux-efi@vger.kernel.org
+Fixes: 5b83683f32b1 ("x86: EFI runtime service support")
+Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+[bwh: Backported to 3.16: Keep using early_memremap() since
+ early_memremap_ro() is not defined.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/platform/efi/efi.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -718,7 +718,6 @@ void __init efi_init(void)
+ efi_char16_t *c16;
+ char vendor[100] = "unknown";
+ int i = 0;
+- void *tmp;
+
+ #ifdef CONFIG_X86_32
+ if (boot_params.efi_info.efi_systab_hi ||
+@@ -745,14 +744,16 @@ void __init efi_init(void)
+ /*
+ * Show what we know for posterity
+ */
+- c16 = tmp = early_memremap(efi.systab->fw_vendor, 2);
++ c16 = early_memremap(efi.systab->fw_vendor,
++ sizeof(vendor) * sizeof(efi_char16_t));
+ if (c16) {
+- for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
+- vendor[i] = *c16++;
++ for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i)
++ vendor[i] = c16[i];
+ vendor[i] = '\0';
+- } else
++ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t));
++ } else {
+ pr_err("Could not map the firmware vendor!\n");
+- early_memunmap(tmp, 2);
++ }
+
+ pr_info("EFI v%u.%.02u by %s\n",
+ efi.systab->hdr.revision >> 16,
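Review bot: In efi_init the mapping length `sizeof(vendor) * sizeof(efi_char16_t)` is written out twice, once for `early_memremap()` and once for `early_memunmap()`, and the two must stay equal for the unmap to be correct. A named local declared with the other variables, `const unsigned long len = sizeof(vendor) * sizeof(efi_char16_t);`, used in both calls removes that duplication. efi_init continues outside the hunk.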
diff --git a/queue-3.16/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch b/queue-3.16/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch
new file mode 100644
index 00000000..0b173421
--- /dev/null
+++ b/queue-3.16/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch
@@ -0,0 +1,66 @@
+From: "zhangyi (F)" <yi.zhang@huawei.com>
+Date: Wed, 4 Dec 2019 20:46:12 +0800
+Subject: ext4, jbd2: ensure panic when aborting with zero errno
+
+commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 upstream.
+
+JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2
+aborted, and then __ext4_abort() and ext4_handle_error() can invoke
+panic if ERRORS_PANIC is specified. But if the journal has been aborted
+with zero errno, jbd2_journal_abort() didn't set this flag so we can
+no longer panic. Fix this by always record the proper errno in the
+journal superblock.
+
+Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/jbd2/checkpoint.c | 2 +-
+ fs/jbd2/journal.c | 15 ++++-----------
+ 2 files changed, 5 insertions(+), 12 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -173,7 +173,7 @@ void __jbd2_log_wait_for_space(journal_t
+ "journal space in %s\n", __func__,
+ journal->j_devname);
+ WARN_ON(1);
+- jbd2_journal_abort(journal, 0);
++ jbd2_journal_abort(journal, -EIO);
+ }
+ write_lock(&journal->j_state_lock);
+ } else {
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -2106,12 +2106,10 @@ static void __journal_abort_soft (journa
+
+ __jbd2_journal_abort_hard(journal);
+
+- if (errno) {
+- jbd2_journal_update_sb_errno(journal);
+- write_lock(&journal->j_state_lock);
+- journal->j_flags |= JBD2_REC_ERR;
+- write_unlock(&journal->j_state_lock);
+- }
++ jbd2_journal_update_sb_errno(journal);
++ write_lock(&journal->j_state_lock);
++ journal->j_flags |= JBD2_REC_ERR;
++ write_unlock(&journal->j_state_lock);
+ }
+
+ /**
+@@ -2153,11 +2151,6 @@ static void __journal_abort_soft (journa
+ * failure to disk. ext3_error, for example, now uses this
+ * functionality.
+ *
+- * Errors which originate from within the journaling layer will NOT
+- * supply an errno; a null errno implies that absolutely no further
+- * writes are done to the journal (unless there are any already in
+- * progress).
+- *
+ */
+
+ void jbd2_journal_abort(journal_t *journal, int errno)
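Review bot: __journal_abort_soft now sets `JBD2_REC_ERR` and rewrites the superblock errno unconditionally, so a caller that still passes `errno == 0` marks an error as recorded while the stored value may be zero. The patch converts the one zero-errno call in fs/jbd2/checkpoint.c, but other callers of jbd2_journal_abort() in the 3.16 tree are not visible here and should be checked. The kernel-doc above jbd2_journal_abort() should state the new contract in place of the paragraph this patch deletes, for example ` * @errno must be non-zero; it is recorded in the journal superblock.`. Both functions extend beyond the hunks shown.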
diff --git a/queue-3.16/gianfar-fix-tx-timestamping-with-a-stacked-dsa-driver.patch b/queue-3.16/gianfar-fix-tx-timestamping-with-a-stacked-dsa-driver.patch
new file mode 100644
index 00000000..a16800a4
--- /dev/null
+++ b/queue-3.16/gianfar-fix-tx-timestamping-with-a-stacked-dsa-driver.patch
@@ -0,0 +1,82 @@
+From: Vladimir Oltean <olteanv@gmail.com>
+Date: Sat, 28 Dec 2019 15:30:45 +0200
+Subject: gianfar: Fix TX timestamping with a stacked DSA driver
+
+commit c26a2c2ddc0115eb088873f5c309cf46b982f522 upstream.
+
+The driver wrongly assumes that it is the only entity that can set the
+SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the
+gfar_clean_tx_ring function, where the TX timestamp is collected if
+necessary, the aforementioned bit is used to discriminate whether or not
+the TX timestamp should be delivered to the socket's error queue.
+
+But a stacked driver such as a DSA switch can also set the
+SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in
+order to denote that the hardware timestamping process is undergoing.
+
+Therefore, gianfar would misinterpret the "in progress" bit as being its
+own, and deliver a second skb clone in the socket's error queue,
+completely throwing off a PTP process which is not expecting to receive
+it, _even though_ TX timestamping is not enabled for gianfar.
+
+There have been discussions [0] as to whether non-MAC drivers need or
+not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2
+timestamps, a sw and a hw one, to applications which only expect one).
+But as of this patch, there are at least 2 PTP drivers that would break
+in conjunction with gianfar: the sja1105 DSA switch and the felix
+switch, by way of its ocelot core driver.
+
+So regardless of that conclusion, fix the gianfar driver to not do stuff
+based on flags set by others and not intended for it.
+
+[0]: https://www.spinics.net/lists/netdev/msg619699.html
+
+Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support")
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/freescale/gianfar.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2524,13 +2524,17 @@ static void gfar_clean_tx_ring(struct gf
+
+ while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) {
+ unsigned long flags;
++ bool do_tstamp;
++
++ do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
++ priv->hwts_tx_en;
+
+ frags = skb_shinfo(skb)->nr_frags;
+
+ /* When time stamping, one additional TxBD must be freed.
+ * Also, we need to dma_unmap_single() the TxPAL.
+ */
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS))
++ if (unlikely(do_tstamp))
+ nr_txbds = frags + 2;
+ else
+ nr_txbds = frags + 1;
+@@ -2544,7 +2548,7 @@ static void gfar_clean_tx_ring(struct gf
+ (lstatus & BD_LENGTH_MASK))
+ break;
+
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
++ if (unlikely(do_tstamp)) {
+ next = next_txbd(bdp, base, tx_ring_size);
+ buflen = next->length + GMAC_FCB_LEN + GMAC_TXPAL_LEN;
+ } else
+@@ -2553,7 +2557,7 @@ static void gfar_clean_tx_ring(struct gf
+ dma_unmap_single(priv->dev, bdp->bufPtr,
+ buflen, DMA_TO_DEVICE);
+
+- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) {
++ if (unlikely(do_tstamp)) {
+ struct skb_shared_hwtstamps shhwtstamps;
+ u64 *ns = (u64*) (((u32)skb->data + 0x10) & ~0x7);
+
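Review bot: `do_tstamp` in gfar_clean_tx_ring is recomputed from `priv->hwts_tx_en` at completion time, whereas the `SKBTX_IN_PROGRESS` test it replaces was a per-skb record of what was decided at transmit. If `hwts_tx_en` can change while frames are queued (the configuration path is not visible here), `nr_txbds` and the `dma_unmap_single()` length computed in this loop would disagree with the descriptors actually queued for that skb. Recording the transmit-time decision in driver-private per-skb state and testing that here would keep the two sides consistent. At minimum the new assignment deserves a comment such as `/* must match the do_tstamp decision made at transmit time */`. The loop body continues beyond the last hunk.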
diff --git a/queue-3.16/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-cause-an.patch b/queue-3.16/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-cause-an.patch
new file mode 100644
index 00000000..8f6b200f
--- /dev/null
+++ b/queue-3.16/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-cause-an.patch
@@ -0,0 +1,35 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sun, 26 Jan 2020 00:09:54 +0000
+Subject: iwlegacy: ensure loop counter addr does not wrap and cause an
+ infinite loop
+
+commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 upstream.
+
+The loop counter addr is a u16 where as the upper limit of the loop
+is an int. In the unlikely event that the il->cfg->eeprom_size is
+greater than 64K then we end up with an infinite loop since addr will
+wrap around an never reach upper loop limit. Fix this by making addr
+an int.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/iwlegacy/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il)
+ u32 gp = _il_rd(il, CSR_EEPROM_GP);
+ int sz;
+ int ret;
+- u16 addr;
++ int addr;
+
+ /* allocate eeprom */
+ sz = il->cfg->eeprom_size;
diff --git a/queue-3.16/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-update-log-tail.patch b/queue-3.16/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-update-log-tail.patch
new file mode 100644
index 00000000..5c4e4256
--- /dev/null
+++ b/queue-3.16/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-update-log-tail.patch
@@ -0,0 +1,48 @@
+From: Kai Li <li.kai4@h3c.com>
+Date: Sat, 11 Jan 2020 10:25:42 +0800
+Subject: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail
+ info when load journal
+
+commit a09decff5c32060639a685581c380f51b14e1fc2 upstream.
+
+If the journal is dirty when the filesystem is mounted, jbd2 will replay
+the journal but the journal superblock will not be updated by
+journal_reset() because JBD2_ABORT flag is still set (it was set in
+journal_init_common()). This is problematic because when a new transaction
+is then committed, it will be recorded in block 1 (journal->j_tail was set
+to 1 in journal_reset()). If unclean shutdown happens again before the
+journal superblock is updated, the new recorded transaction will not be
+replayed during the next mount (because of stale sb->s_start and
+sb->s_sequence values) which can lead to filesystem corruption.
+
+Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail")
+Signed-off-by: Kai Li <li.kai4@h3c.com>
+Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/jbd2/journal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1674,6 +1674,11 @@ int jbd2_journal_load(journal_t *journal
+ journal->j_devname);
+ return -EIO;
+ }
++ /*
++ * clear JBD2_ABORT flag initialized in journal_init_common
++ * here to update log tail information with the newest seq.
++ */
++ journal->j_flags &= ~JBD2_ABORT;
+
+ /* OK, we've finished with the dynamic journal bits:
+ * reinitialise the dynamic contents of the superblock in memory
+@@ -1681,7 +1686,6 @@ int jbd2_journal_load(journal_t *journal
+ if (journal_reset(journal))
+ goto recovery_error;
+
+- journal->j_flags &= ~JBD2_ABORT;
+ journal->j_flags |= JBD2_LOADED;
+ return 0;
+
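Review bot: With the clear moved above `journal_reset()` in `jbd2_journal_load()`, the `goto recovery_error` path is now taken with JBD2_ABORT already cleared, whereas before this change the flag stayed set when the reset failed. The `recovery_error` label is outside the hunk, so it cannot be confirmed from here whether anything on that path, or a caller that sees the failure, relies on the flag. If it does, the failure branch should set it again with `journal->j_flags |= JBD2_ABORT;` before the jump. The new comment would also read better if it stated the reason given in the commit message, e.g. `/* journal_reset() does not update the log tail while JBD2_ABORT is set */`.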
diff --git a/queue-3.16/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to-submit-the.patch b/queue-3.16/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to-submit-the.patch
new file mode 100644
index 00000000..ba075bcb
--- /dev/null
+++ b/queue-3.16/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to-submit-the.patch
@@ -0,0 +1,43 @@
+From: "zhangyi (F)" <yi.zhang@huawei.com>
+Date: Wed, 4 Dec 2019 20:46:11 +0800
+Subject: jbd2: switch to use jbd2_journal_abort() when failed to submit the
+ commit record
+
+commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 upstream.
+
+We invoke jbd2_journal_abort() to abort the journal and record errno
+in the jbd2 superblock when committing journal transaction besides the
+failure on submitting the commit record. But there is no need for the
+case and we can also invoke jbd2_journal_abort() instead of
+__jbd2_journal_abort_hard().
+
+Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature")
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/jbd2/commit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -802,7 +802,7 @@ start_journal_io:
+ err = journal_submit_commit_record(journal, commit_transaction,
+ &cbh, crc32_sum);
+ if (err)
+- __jbd2_journal_abort_hard(journal);
++ jbd2_journal_abort(journal, err);
+ }
+
+ blk_finish_plug(&plug);
+@@ -894,7 +894,7 @@ start_journal_io:
+ err = journal_submit_commit_record(journal, commit_transaction,
+ &cbh, crc32_sum);
+ if (err)
+- __jbd2_journal_abort_hard(journal);
++ jbd2_journal_abort(journal, err);
+ }
+ if (cbh)
+ err = journal_wait_on_commit_record(journal, cbh);
diff --git a/queue-3.16/kconfig-fix-broken-dependency-in-randconfig-generated-.config.patch b/queue-3.16/kconfig-fix-broken-dependency-in-randconfig-generated-.config.patch
new file mode 100644
index 00000000..756ce9e0
--- /dev/null
+++ b/queue-3.16/kconfig-fix-broken-dependency-in-randconfig-generated-.config.patch
@@ -0,0 +1,38 @@
+From: Masahiro Yamada <masahiroy@kernel.org>
+Date: Sat, 1 Feb 2020 14:03:11 +0900
+Subject: kconfig: fix broken dependency in randconfig-generated .config
+
+commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 upstream.
+
+Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5)
+produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y,
+which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency.
+
+This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs
+CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the
+value of CONFIG_EFI is calculated.
+
+When this happens, the has_changed flag should be set.
+
+Currently, it takes the result from the last iteration. It should
+accumulate all the results of the loop.
+
+Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig")
+Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ scripts/kconfig/confdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/kconfig/confdata.c
++++ b/scripts/kconfig/confdata.c
+@@ -1231,7 +1231,7 @@ bool conf_set_all_new_symbols(enum conf_
+
+ sym_calc_value(csym);
+ if (mode == def_random)
+- has_changed = randomize_choice_values(csym);
++ has_changed |= randomize_choice_values(csym);
+ else {
+ set_all_choice_values(csym);
+ has_changed = true;
diff --git a/queue-3.16/kvm-arm64-only-sign-extend-mmio-up-to-register-width.patch b/queue-3.16/kvm-arm64-only-sign-extend-mmio-up-to-register-width.patch
new file mode 100644
index 00000000..63825650
--- /dev/null
+++ b/queue-3.16/kvm-arm64-only-sign-extend-mmio-up-to-register-width.patch
@@ -0,0 +1,125 @@
+From: Christoffer Dall <christoffer.dall@arm.com>
+Date: Thu, 12 Dec 2019 20:50:55 +0100
+Subject: KVM: arm64: Only sign-extend MMIO up to register width
+
+commit b6ae256afd32f96bec0117175b329d0dd617655e upstream.
+
+On AArch64 you can do a sign-extended load to either a 32-bit or 64-bit
+register, and we should only sign extend the register up to the width of
+the register as specified in the operation (by using the 32-bit Wn or
+64-bit Xn register specifier).
+
+As it turns out, the architecture provides this decoding information in
+the SF ("Sixty-Four" -- how cute...) bit.
+
+Let's take advantage of this with the usual 32-bit/64-bit header file
+dance and do the right thing on AArch64 hosts.
+
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20191212195055.5541-1-christoffer.dall@arm.com
+[bwh: Backported to 3.16:
+ - Use ESR_EL2_SF
+ - Adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/include/asm/kvm_emulate.h | 5 +++++
+ arch/arm/include/asm/kvm_mmio.h | 2 ++
+ arch/arm/kvm/mmio.c | 6 ++++++
+ arch/arm64/include/asm/kvm_emulate.h | 5 +++++
+ arch/arm64/include/asm/kvm_mmio.h | 6 ++----
+ 5 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_emulate.h
++++ b/arch/arm/include/asm/kvm_emulate.h
+@@ -105,6 +105,11 @@ static inline bool kvm_vcpu_dabt_issext(
+ return kvm_vcpu_get_hsr(vcpu) & HSR_SSE;
+ }
+
++static inline bool kvm_vcpu_dabt_issf(const struct kvm_vcpu *vcpu)
++{
++ return false;
++}
++
+ static inline int kvm_vcpu_dabt_get_rd(struct kvm_vcpu *vcpu)
+ {
+ return (kvm_vcpu_get_hsr(vcpu) & HSR_SRT_MASK) >> HSR_SRT_SHIFT;
+--- a/arch/arm/include/asm/kvm_mmio.h
++++ b/arch/arm/include/asm/kvm_mmio.h
+@@ -26,6 +26,8 @@
+ struct kvm_decode {
+ unsigned long rt;
+ bool sign_extend;
++ /* Not used on 32-bit arm */
++ bool sixty_four;
+ };
+
+ /*
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -140,6 +140,11 @@ static inline bool kvm_vcpu_dabt_issext(
+ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_EL2_SSE);
+ }
+
++static inline bool kvm_vcpu_dabt_issf(const struct kvm_vcpu *vcpu)
++{
++ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_EL2_SF);
++}
++
+ static inline int kvm_vcpu_dabt_get_rd(const struct kvm_vcpu *vcpu)
+ {
+ return (kvm_vcpu_get_hsr(vcpu) & ESR_EL2_SRT_MASK) >> ESR_EL2_SRT_SHIFT;
+--- a/arch/arm64/include/asm/kvm_mmio.h
++++ b/arch/arm64/include/asm/kvm_mmio.h
+@@ -22,13 +22,11 @@
+ #include <asm/kvm_asm.h>
+ #include <asm/kvm_arm.h>
+
+-/*
+- * This is annoying. The mmio code requires this, even if we don't
+- * need any decoding. To be fixed.
+- */
+ struct kvm_decode {
+ unsigned long rt;
+ bool sign_extend;
++ /* Witdth of the register accessed by the faulting instruction is 64-bits */
++ bool sixty_four;
+ };
+
+ /*
+--- a/arch/arm/kvm/mmio.c
++++ b/arch/arm/kvm/mmio.c
+@@ -112,6 +112,9 @@ int kvm_handle_mmio_return(struct kvm_vc
+ data = (data ^ mask) - mask;
+ }
+
++ if (!vcpu->arch.mmio_decode.sixty_four)
++ data = data & 0xffffffff;
++
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+ &data);
+ data = vcpu_data_host_to_guest(vcpu, data, len);
+@@ -127,6 +130,7 @@ static int decode_hsr(struct kvm_vcpu *v
+ unsigned long rt;
+ int len;
+ bool is_write, sign_extend;
++ bool sixty_four;
+
+ if (kvm_vcpu_dabt_isextabt(vcpu)) {
+ /* cache operation on I/O addr, tell guest unsupported */
+@@ -146,6 +150,7 @@ static int decode_hsr(struct kvm_vcpu *v
+
+ is_write = kvm_vcpu_dabt_iswrite(vcpu);
+ sign_extend = kvm_vcpu_dabt_issext(vcpu);
++ sixty_four = kvm_vcpu_dabt_issf(vcpu);
+ rt = kvm_vcpu_dabt_get_rd(vcpu);
+
+ mmio->is_write = is_write;
+@@ -153,6 +158,7 @@ static int decode_hsr(struct kvm_vcpu *v
+ mmio->len = len;
+ vcpu->arch.mmio_decode.sign_extend = sign_extend;
+ vcpu->arch.mmio_decode.rt = rt;
++ vcpu->arch.mmio_decode.sixty_four = sixty_four;
+
+ /*
+ * The MMIO instruction is emulated and should not be re-executed
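Review bot: The truncation added to `kvm_handle_mmio_return()` in arch/arm/kvm/mmio.c carries no comment, so a reader has to trace `sixty_four` back to `kvm_vcpu_dabt_issf()` to see that it drops sign-extension bits above a 32-bit destination register. I would put `/* 32-bit (Wn) destination: discard bits extended above bit 31 */` above the `if`. The field comment added in arch/arm64/include/asm/kvm_mmio.h misspells "Width" as "Witdth". On 32-bit arm the helper always returns false, so the mask runs on every MMIO read there; that is harmless only if `data` is 32 bits wide on that build, which the hunk does not show.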
diff --git a/queue-3.16/kvm-check-for-a-bad-hva-before-dropping-into-the-ghc-slow-path.patch b/queue-3.16/kvm-check-for-a-bad-hva-before-dropping-into-the-ghc-slow-path.patch
new file mode 100644
index 00000000..d5b201dc
--- /dev/null
+++ b/queue-3.16/kvm-check-for-a-bad-hva-before-dropping-into-the-ghc-slow-path.patch
@@ -0,0 +1,74 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 9 Jan 2020 15:56:18 -0800
+Subject: KVM: Check for a bad hva before dropping into the ghc slow path
+
+commit fcfbc617547fc6d9552cb6c1c563b6a90ee98085 upstream.
+
+When reading/writing using the guest/host cache, check for a bad hva
+before checking for a NULL memslot, which triggers the slow path for
+handing cross-page accesses. Because the memslot is nullified on error
+by __kvm_gfn_to_hva_cache_init(), if the bad hva is encountered after
+crossing into a new page, then the kvm_{read,write}_guest() slow path
+could potentially write/access the first chunk prior to detecting the
+bad hva.
+
+Arguably, performing a partial access is semantically correct from an
+architectural perspective, but that behavior is certainly not intended.
+In the original implementation, memslot was not explicitly nullified
+and therefore the partial access behavior varied based on whether the
+memslot itself was null, or if the hva was simply bad. The current
+behavior was introduced as a seemingly unintentional side effect in
+commit f1b9dd5eb86c ("kvm: Disallow wraparound in
+kvm_gfn_to_hva_cache_init"), which justified the change with "since some
+callers don't check the return code from this function, it sit seems
+prudent to clear ghc->memslot in the event of an error".
+
+Regardless of intent, the partial access is dependent on _not_ checking
+the result of the cache initialization, which is arguably a bug in its
+own right, at best simply weird.
+
+Fixes: 8f964525a121 ("KVM: Allow cross page reads and writes from cached translations.")
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Andrew Honig <ahonig@google.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ virt/kvm/kvm_main.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1596,12 +1596,12 @@ int kvm_write_guest_cached(struct kvm *k
+ if (slots->generation != ghc->generation)
+ kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
+
+- if (unlikely(!ghc->memslot))
+- return kvm_write_guest(kvm, ghc->gpa, data, len);
+-
+ if (kvm_is_error_hva(ghc->hva))
+ return -EFAULT;
+
++ if (unlikely(!ghc->memslot))
++ return kvm_write_guest(kvm, ghc->gpa, data, len);
++
+ r = __copy_to_user((void __user *)ghc->hva, data, len);
+ if (r)
+ return -EFAULT;
+@@ -1622,12 +1622,12 @@ int kvm_read_guest_cached(struct kvm *kv
+ if (slots->generation != ghc->generation)
+ kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
+
+- if (unlikely(!ghc->memslot))
+- return kvm_read_guest(kvm, ghc->gpa, data, len);
+-
+ if (kvm_is_error_hva(ghc->hva))
+ return -EFAULT;
+
++ if (unlikely(!ghc->memslot))
++ return kvm_read_guest(kvm, ghc->gpa, data, len);
++
+ r = __copy_from_user(data, (void __user *)ghc->hva, len);
+ if (r)
+ return -EFAULT;
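Review bot: Both `kvm_write_guest_cached()` and `kvm_read_guest_cached()` still discard the return value of `kvm_gfn_to_hva_cache_init()` in the context line just above the reordered checks. The fix therefore depends on a failed re-initialisation leaving an error value in `ghc->hva`. The commit message itself describes not checking that result as arguably a bug, and returning early is more direct: `if (kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len)) return -EFAULT;`. This assumes the init function returns non-zero only on failure in this tree, which is not visible here, and both function bodies start and end outside the hunks.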
diff --git a/queue-3.16/kvm-nvmx-vmread-should-not-set-rflags-to-specify-success-in-case-of.patch b/queue-3.16/kvm-nvmx-vmread-should-not-set-rflags-to-specify-success-in-case-of.patch
new file mode 100644
index 00000000..d70bd45c
--- /dev/null
+++ b/queue-3.16/kvm-nvmx-vmread-should-not-set-rflags-to-specify-success-in-case-of.patch
@@ -0,0 +1,35 @@
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Sat, 28 Dec 2019 14:25:24 +0800
+Subject: KVM: nVMX: vmread should not set rflags to specify success in case of
+ #PF
+
+commit a4d956b9390418623ae5d07933e2679c68b6f83c upstream.
+
+In case writing to vmread destination operand result in a #PF, vmread
+should not call nested_vmx_succeed() to set rflags to specify success.
+Similar to as done in VMPTRST (See handle_vmptrst()).
+
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/vmx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6455,8 +6455,10 @@ static int handle_vmread(struct kvm_vcpu
+ /* _system ok, as nested_vmx_check_permission verified cpl=0 */
+ if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
+ (is_long_mode(vcpu) ? 8 : 4),
+- &e))
++ &e)) {
+ kvm_inject_page_fault(vcpu, &e);
++ return 1;
++ }
+ }
+
+ nested_vmx_succeed(vcpu);
diff --git a/queue-3.16/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch b/queue-3.16/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch
new file mode 100644
index 00000000..6e707371
--- /dev/null
+++ b/queue-3.16/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch
@@ -0,0 +1,39 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:46 -0800
+Subject: KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
+
+commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream.
+
+Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any
+resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page.
+
+Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes")
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/kvm/book3s_hv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -1316,7 +1316,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+ mutex_unlock(&kvm->lock);
+
+ if (!vcore)
+- goto free_vcpu;
++ goto uninit_vcpu;
+
+ spin_lock(&vcore->lock);
+ ++vcore->num_threads;
+@@ -1329,6 +1329,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+
+ return vcpu;
+
++uninit_vcpu:
++ kvm_vcpu_uninit(vcpu);
+ free_vcpu:
+ kmem_cache_free(kvm_vcpu_cache, vcpu);
+ out:
diff --git a/queue-3.16/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch b/queue-3.16/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch
new file mode 100644
index 00000000..35616147
--- /dev/null
+++ b/queue-3.16/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch
@@ -0,0 +1,36 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:47 -0800
+Subject: KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
+
+commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream.
+
+Explicitly free the shared page if kvmppc_mmu_init() fails during
+kvmppc_core_vcpu_create(), as the page is freed only in
+kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit().
+
+Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page")
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/kvm/book3s_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_pr.c
++++ b/arch/powerpc/kvm/book3s_pr.c
+@@ -1346,10 +1346,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+
+ err = kvmppc_mmu_init(vcpu);
+ if (err < 0)
+- goto uninit_vcpu;
++ goto free_shared_page;
+
+ return vcpu;
+
++free_shared_page:
++ free_page((unsigned long)vcpu->arch.shared);
+ uninit_vcpu:
+ kvm_vcpu_uninit(vcpu);
+ free_shadow_vcpu:
diff --git a/queue-3.16/kvm-x86-don-t-let-userspace-set-host-reserved-cr4-bits.patch b/queue-3.16/kvm-x86-don-t-let-userspace-set-host-reserved-cr4-bits.patch
new file mode 100644
index 00000000..90946368
--- /dev/null
+++ b/queue-3.16/kvm-x86-don-t-let-userspace-set-host-reserved-cr4-bits.patch
@@ -0,0 +1,112 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 10 Dec 2019 14:44:13 -0800
+Subject: KVM: x86: Don't let userspace set host-reserved cr4 bits
+
+commit b11306b53b2540c6ba068c4deddb6a17d9f8d95b upstream.
+
+Calculate the host-reserved cr4 bits at runtime based on the system's
+capabilities (using logic similar to __do_cpuid_func()), and use the
+dynamically generated mask for the reserved bit check in kvm_set_cr4()
+instead using of the static CR4_RESERVED_BITS define. This prevents
+userspace from "enabling" features in cr4 that are not supported by the
+system, e.g. by ignoring KVM_GET_SUPPORTED_CPUID and specifying a bogus
+CPUID for the vCPU.
+
+Allowing userspace to set unsupported bits in cr4 can lead to a variety
+of undesirable behavior, e.g. failed VM-Enter, and in general increases
+KVM's attack surface. A crafty userspace can even abuse CR4.LA57 to
+induce an unchecked #GP on a WRMSR.
+
+On a platform without LA57 support:
+
+ KVM_SET_CPUID2 // CPUID_7_0_ECX.LA57 = 1
+ KVM_SET_SREGS // CR4.LA57 = 1
+ KVM_SET_MSRS // KERNEL_GS_BASE = 0x0004000000000000
+ KVM_RUN
+
+leads to a #GP when writing KERNEL_GS_BASE into hardware:
+
+ unchecked MSR access error: WRMSR to 0xc0000102 (tried to write 0x0004000000000000)
+ at rIP: 0xffffffffa00f239a (vmx_prepare_switch_to_guest+0x10a/0x1d0 [kvm_intel])
+ Call Trace:
+ kvm_arch_vcpu_ioctl_run+0x671/0x1c70 [kvm]
+ kvm_vcpu_ioctl+0x36b/0x5d0 [kvm]
+ do_vfs_ioctl+0xa1/0x620
+ ksys_ioctl+0x66/0x70
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x4c/0x170
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fc08133bf47
+
+Note, the above sequence fails VM-Enter due to invalid guest state.
+Userspace can allow VM-Enter to succeed (after the WRMSR #GP) by adding
+a KVM_SET_SREGS w/ CR4.LA57=0 after KVM_SET_MSRS, in which case KVM will
+technically leak the host's KERNEL_GS_BASE into the guest. But, as
+KERNEL_GS_BASE is a userspace-defined value/address, the leak is largely
+benign as a malicious userspace would simply be exposing its own data to
+the guest, and attacking a benevolent userspace would require multiple
+bugs in the userspace VMM.
+
+Cc: Jun Nakajima <jun.nakajima@intel.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16:
+ - PKE, LA57, and UMIP are totally unsupported and already included in
+ CR4_RESERVED_BITS
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -82,6 +82,8 @@ u64 __read_mostly efer_reserved_bits = ~
+ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
+ #endif
+
++static u64 __read_mostly cr4_reserved_bits = CR4_RESERVED_BITS;
++
+ #define VM_STAT(x) offsetof(struct kvm, stat.x), KVM_STAT_VM
+ #define VCPU_STAT(x) offsetof(struct kvm_vcpu, stat.x), KVM_STAT_VCPU
+
+@@ -660,13 +662,32 @@ int kvm_set_xcr(struct kvm_vcpu *vcpu, u
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_xcr);
+
++static u64 kvm_host_cr4_reserved_bits(struct cpuinfo_x86 *c)
++{
++ u64 reserved_bits = CR4_RESERVED_BITS;
++
++ if (!cpu_has(c, X86_FEATURE_XSAVE))
++ reserved_bits |= X86_CR4_OSXSAVE;
++
++ if (!cpu_has(c, X86_FEATURE_SMEP))
++ reserved_bits |= X86_CR4_SMEP;
++
++ if (!cpu_has(c, X86_FEATURE_SMAP))
++ reserved_bits |= X86_CR4_SMAP;
++
++ if (!cpu_has(c, X86_FEATURE_FSGSBASE))
++ reserved_bits |= X86_CR4_FSGSBASE;
++
++ return reserved_bits;
++}
++
+ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+ X86_CR4_SMEP | X86_CR4_SMAP;
+
+- if (cr4 & CR4_RESERVED_BITS)
++ if (cr4 & cr4_reserved_bits)
+ return 1;
+
+ if (!guest_cpuid_has_xsave(vcpu) && (cr4 & X86_CR4_OSXSAVE))
+@@ -7220,6 +7241,8 @@ int kvm_arch_hardware_setup(void)
+ if (r != 0)
+ return r;
+
++ cr4_reserved_bits = kvm_host_cr4_reserved_bits(&boot_cpu_data);
++
+ kvm_init_msr_list();
+ return 0;
+ }
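Review bot: `cr4_reserved_bits` is a writable file-scope variable that gates a userspace-reachable check in `kvm_set_cr4()`, and nothing at its definition records that it is meant to be written once from `kvm_arch_hardware_setup()`. I would document that where it is defined: `/* Host-reserved CR4 bits: set once in kvm_arch_hardware_setup(), read-only afterwards. */`. `kvm_host_cr4_reserved_bits()` would also benefit from a one-line comment saying it derives the mask from `boot_cpu_data` only, so a feature missing on the boot CPU is treated as missing on the host. Any other CR4 validity check outside these hunks that still tests the static `CR4_RESERVED_BITS` would not pick up the host-derived mask; that is worth confirming for this tree.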
diff --git a/queue-3.16/kvm-x86-free-wbinvd_dirty_mask-if-vcpu-creation-fails.patch b/queue-3.16/kvm-x86-free-wbinvd_dirty_mask-if-vcpu-creation-fails.patch
new file mode 100644
index 00000000..832644fc
--- /dev/null
+++ b/queue-3.16/kvm-x86-free-wbinvd_dirty_mask-if-vcpu-creation-fails.patch
@@ -0,0 +1,32 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:48 -0800
+Subject: KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
+
+commit 16be9ddea268ad841457a59109963fff8c9de38d upstream.
+
+Free the vCPU's wbinvd_dirty_mask if vCPU creation fails after
+kvm_arch_vcpu_init(), e.g. when installing the vCPU's file descriptor.
+Do the freeing by calling kvm_arch_vcpu_free() instead of open coding
+the freeing. This adds a likely superfluous, but ultimately harmless,
+call to kvmclock_reset(), which only clears vcpu->arch.pv_time_enabled.
+Using kvm_arch_vcpu_free() allows for additional cleanup in the future.
+
+Fixes: f5f48ee15c2ee ("KVM: VMX: Execute WBINVD to keep data consistency with assigned devices")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: Also delete the preceding fx_free(), since
+ kvm_arch_vcpu_free() calls it.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7087,8 +7087,7 @@ void kvm_arch_vcpu_destroy(struct kvm_vc
+ kvm_mmu_unload(vcpu);
+ vcpu_put(vcpu);
+
+- fx_free(vcpu);
+- kvm_x86_ops->vcpu_free(vcpu);
++ kvm_arch_vcpu_free(vcpu);
+ }
+
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu)
diff --git a/queue-3.16/kvm-x86-mmu-apply-max-pa-check-for-mmio-sptes-to-32-bit-kvm.patch b/queue-3.16/kvm-x86-mmu-apply-max-pa-check-for-mmio-sptes-to-32-bit-kvm.patch
new file mode 100644
index 00000000..db2afc26
--- /dev/null
+++ b/queue-3.16/kvm-x86-mmu-apply-max-pa-check-for-mmio-sptes-to-32-bit-kvm.patch
@@ -0,0 +1,38 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 7 Jan 2020 16:12:10 -0800
+Subject: KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
+
+commit e30a7d623dccdb3f880fbcad980b0cb589a1da45 upstream.
+
+Remove the bogus 64-bit only condition from the check that disables MMIO
+spte optimization when the system supports the max PA, i.e. doesn't have
+any reserved PA bits. 32-bit KVM always uses PAE paging for the shadow
+MMU, and per Intel's SDM:
+
+ PAE paging translates 32-bit linear addresses to 52-bit physical
+ addresses.
+
+The kernel's restrictions on max physical addresses are limits on how
+much memory the kernel can reasonably use, not what physical addresses
+are supported by hardware.
+
+Fixes: ce88decffd17 ("KVM: MMU: mmio page fault support")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5734,7 +5734,7 @@ static void kvm_set_mmio_spte_mask(void)
+ * If reserved bit is not supported, clear the present bit to disable
+ * mmio page fault.
+ */
+- if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)
++ if (maxphyaddr == 52)
+ mask &= ~1ull;
+
+ kvm_mmu_set_mmio_spte_mask(mask);
diff --git a/queue-3.16/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf.patch b/queue-3.16/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf.patch
new file mode 100644
index 00000000..54b6baf3
--- /dev/null
+++ b/queue-3.16/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf.patch
@@ -0,0 +1,53 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:52 -0800
+Subject: KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF
+ attacks
+
+commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and
+kvm_get_dr().
+Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are
+exported symbols so KVM should tream them conservatively from a security
+perspective.
+
+Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -801,9 +801,11 @@ static void kvm_update_dr7(struct kvm_vc
+
+ static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- vcpu->arch.db[dr] = val;
++ vcpu->arch.db[array_index_nospec(dr, size)] = val;
+ if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP))
+ vcpu->arch.eff_db[dr] = val;
+ break;
+@@ -848,9 +850,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr);
+
+ static int _kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- *val = vcpu->arch.db[dr];
++ *val = vcpu->arch.db[array_index_nospec(dr, size)];
+ break;
+ case 4:
+ if (kvm_read_cr4_bits(vcpu, X86_CR4_DE))
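Review bot: In `__kvm_set_dr()` the `case 0 ... 3` arm clamps the index used for `vcpu->arch.db[]`, but the store to `vcpu->arch.eff_db[dr]` two lines later still uses the raw `dr`. Clamping once covers both accesses: make `dr = array_index_nospec(dr, size);` the first statement of the case and index `db[dr]` and `eff_db[dr]` normally. This assumes `eff_db` has the same number of entries as `db`, which the hunk does not show. Unlike the ioapic and lapic patches in this queue, this patch adds no `#include <linux/nospec.h>` to arch/x86/kvm/x86.c, so it relies on that header already being included there. Both function bodies continue outside the hunks.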
diff --git a/queue-3.16/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch b/queue-3.16/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch
new file mode 100644
index 00000000..ba749c83
--- /dev/null
+++ b/queue-3.16/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch
@@ -0,0 +1,54 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:44 -0800
+Subject: KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
+
+commit 8c86405f606ca8508b8d9280680166ca26723695 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect().
+This function contains index computations based on the
+(attacker-controlled) IOREGSEL register.
+
+Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ virt/kvm/ioapic.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -36,6 +36,7 @@
+ #include <linux/io.h>
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <asm/processor.h>
+ #include <asm/page.h>
+ #include <asm/current.h>
+@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirec
+ default:
+ {
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+- u64 redir_content;
++ u64 redir_content = ~0ULL;
+
+- if (redir_index < IOAPIC_NUM_PINS)
+- redir_content =
+- ioapic->redirtbl[redir_index].bits;
+- else
+- redir_content = ~0ULL;
++ if (redir_index < IOAPIC_NUM_PINS) {
++ u32 index = array_index_nospec(
++ redir_index, IOAPIC_NUM_PINS);
++
++ redir_content = ioapic->redirtbl[index].bits;
++ }
+
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
diff --git a/queue-3.16/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf.patch b/queue-3.16/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf.patch
new file mode 100644
index 00000000..d27df316
--- /dev/null
+++ b/queue-3.16/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf.patch
@@ -0,0 +1,37 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:45 -0800
+Subject: KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF
+ attacks
+
+commit 670564559ca35b439c8d8861fc399451ddf95137 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect().
+This function contains index computations based on the
+(attacker-controlled) IOREGSEL register.
+
+This patch depends on patch
+"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks".
+
+Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ virt/kvm/ioapic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -312,6 +312,7 @@ static void ioapic_write_indirect(struct
+ ioapic_debug("change redir index %x val %x\n", index, val);
+ if (index >= IOAPIC_NUM_PINS)
+ return;
++ index = array_index_nospec(index, IOAPIC_NUM_PINS);
+ e = &ioapic->redirtbl[index];
+ mask_before = e->fields.mask;
+ if (ioapic->ioregsel & 1) {
diff --git a/queue-3.16/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch b/queue-3.16/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch
new file mode 100644
index 00000000..d0ec0296
--- /dev/null
+++ b/queue-3.16/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch
@@ -0,0 +1,57 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:46 -0800
+Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
+
+commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
+This function contains index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16:
+ - Add #include <linux/nospec.h>
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -35,6 +35,7 @@
+ #include <asm/apicdef.h>
+ #include <linux/atomic.h>
+ #include <linux/jump_label.h>
++#include <linux/nospec.h>
+ #include "kvm_cache_regs.h"
+ #include "irq.h"
+ #include "trace.h"
+@@ -1196,15 +1197,20 @@ static int apic_reg_write(struct kvm_lap
+ case APIC_LVTTHMR:
+ case APIC_LVTPC:
+ case APIC_LVT1:
+- case APIC_LVTERR:
++ case APIC_LVTERR: {
+ /* TODO: Check vector */
++ size_t size;
++ u32 index;
++
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+-
+- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
++ size = ARRAY_SIZE(apic_lvt_mask);
++ index = array_index_nospec(
++ (reg - APIC_LVTT) >> 4, size);
++ val &= apic_lvt_mask[index];
+ apic_set_reg(apic, reg, val);
+-
+ break;
++ }
+
+ case APIC_LVTT:
+ if ((kvm_apic_get_reg(apic, APIC_LVTT) &
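Review bot: Nothing at the new `array_index_nospec()` call in the `APIC_LVTERR` case block says why the index is clamped when the case labels already restrict `reg`. A reader could take the clamp for a redundant bounds check and remove it. A one-line comment above the `size = ARRAY_SIZE(apic_lvt_mask);` line would record the intent, e.g. `/* reg is bounded by the case labels only architecturally; clamp the table index for speculative execution */`. The subject names kvm_lapic_reg_write() while the hunk header shows apic_reg_write(), and the switch starts outside the hunk.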
diff --git a/queue-3.16/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf.patch b/queue-3.16/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf.patch
new file mode 100644
index 00000000..95784f8a
--- /dev/null
+++ b/queue-3.16/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf.patch
@@ -0,0 +1,56 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:49 -0800
+Subject: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF
+ attacks in x86.c
+
+commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and
+get_msr_mce().
+Both functions contain index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: 890ca9aefa78 ("KVM: Add MCE support")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: Add #include <linux/nospec.h>]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -48,6 +48,7 @@
+ #include <linux/pci.h>
+ #include <linux/timekeeper_internal.h>
+ #include <linux/pvclock_gtod.h>
++#include <linux/nospec.h>
+ #include <trace/events/kvm.h>
+
+ #define CREATE_TRACE_POINTS
+@@ -1916,7 +1917,10 @@ static int set_msr_mce(struct kvm_vcpu *
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ /* only 0 or all 1s can be written to IA32_MCi_CTL
+ * some Linux kernels though clear bit 10 in bank 4 to
+ * workaround a BIOS/GART TBL issue on AMD K8s, ignore
+@@ -2443,7 +2447,10 @@ static int get_msr_mce(struct kvm_vcpu *
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ data = vcpu->arch.mce_banks[offset];
+ break;
+ }
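Review bot: Both hunks rely on `MSR_IA32_MCx_CTL(bank_num)` already being used in set_msr_mce() and get_msr_mce(), in the context lines and in the new clamp size. In 3.16 that is only true once "kvm: x86: use macros to compute bank MSRs", queued in this same commit, has been applied. The backport note mentions only the added include, so the ordering requirement is implicit; noting it as `[bwh: Backported to 3.16: depends on "kvm: x86: use macros to compute bank MSRs"]` would make it explicit. As a style point, the clamp repeats the bound used in the `if` just above it, so a local such as `u32 last_msr = MSR_IA32_MCx_CTL(bank_num);` would let the range check and the clamp visibly share one value.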
diff --git a/queue-3.16/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch b/queue-3.16/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch
new file mode 100644
index 00000000..00c34e4e
--- /dev/null
+++ b/queue-3.16/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch
@@ -0,0 +1,52 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:41 -0800
+Subject: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
+
+commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
+kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
+symbol, so KVM should treat it conservatively from a security perspective.
+
+Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: Add #include <linux/nospec.h>]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/emulate.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -26,6 +26,7 @@
+ #include <asm/kvm_emulate.h>
+ #include <linux/stringify.h>
+ #include <asm/nospec-branch.h>
++#include <linux/nospec.h>
+
+ #include "x86.h"
+ #include "tss.h"
+@@ -4487,10 +4488,15 @@ done_prefixes:
+ }
+ break;
+ case Escape:
+- if (ctxt->modrm > 0xbf)
+- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
+- else
++ if (ctxt->modrm > 0xbf) {
++ size_t size = ARRAY_SIZE(opcode.u.esc->high);
++ u32 index = array_index_nospec(
++ ctxt->modrm - 0xc0, size);
++
++ opcode = opcode.u.esc->high[index];
++ } else {
+ opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
++ }
+ break;
+ default:
+ return EMULATION_FAILED;
diff --git a/queue-3.16/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch b/queue-3.16/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch
new file mode 100644
index 00000000..0fd513ca
--- /dev/null
+++ b/queue-3.16/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch
@@ -0,0 +1,35 @@
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:43 -0800
+Subject: KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
+
+commit 14e32321f3606e4b0970200b6e5e47ee6f1e6410 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in picdev_write().
+It replaces index computations based on the (attacked-controlled) port
+number with constants through a minor refactoring.
+
+Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: pic_{,un}lock() are called outside the switch]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/kvm/i8259.c
++++ b/arch/x86/kvm/i8259.c
+@@ -486,9 +486,11 @@ static int picdev_write(struct kvm_pic *
+ switch (addr) {
+ case 0x20:
+ case 0x21:
++ pic_ioport_write(&s->pics[0], addr, data);
++ break;
+ case 0xa0:
+ case 0xa1:
+- pic_ioport_write(&s->pics[addr >> 7], addr, data);
++ pic_ioport_write(&s->pics[1], addr, data);
+ break;
+ case 0x4d0:
+ case 0x4d1:
diff --git a/queue-3.16/kvm-x86-use-macros-to-compute-bank-msrs.patch b/queue-3.16/kvm-x86-use-macros-to-compute-bank-msrs.patch
new file mode 100644
index 00000000..88a8a69f
--- /dev/null
+++ b/queue-3.16/kvm-x86-use-macros-to-compute-bank-msrs.patch
@@ -0,0 +1,57 @@
+From: Chen Yucong <slaoub@gmail.com>
+Date: Tue, 23 Sep 2014 10:44:35 +0800
+Subject: kvm: x86: use macros to compute bank MSRs
+
+commit 81760dccf8d1fe5b128b58736fe3f56a566133cb upstream.
+
+Avoid open coded calculations for bank MSRs by using well-defined
+macros that hide the index of higher bank MSRs.
+
+No semantic changes.
+
+Signed-off-by: Chen Yucong <slaoub@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1915,7 +1915,7 @@ static int set_msr_mce(struct kvm_vcpu *
+ break;
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+- msr < MSR_IA32_MC0_CTL + 4 * bank_num) {
++ msr < MSR_IA32_MCx_CTL(bank_num)) {
+ u32 offset = msr - MSR_IA32_MC0_CTL;
+ /* only 0 or all 1s can be written to IA32_MCi_CTL
+ * some Linux kernels though clear bit 10 in bank 4 to
+@@ -2276,7 +2276,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
+
+ case MSR_IA32_MCG_CTL:
+ case MSR_IA32_MCG_STATUS:
+- case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
++ case MSR_IA32_MC0_CTL ... MSR_IA32_MCx_CTL(KVM_MAX_MCE_BANKS) - 1:
+ return set_msr_mce(vcpu, msr, data);
+
+ /* Performance counters are not protected by a CPUID bit,
+@@ -2442,7 +2442,7 @@ static int get_msr_mce(struct kvm_vcpu *
+ break;
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+- msr < MSR_IA32_MC0_CTL + 4 * bank_num) {
++ msr < MSR_IA32_MCx_CTL(bank_num)) {
+ u32 offset = msr - MSR_IA32_MC0_CTL;
+ data = vcpu->arch.mce_banks[offset];
+ break;
+@@ -2628,7 +2628,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
+ case MSR_IA32_MCG_CAP:
+ case MSR_IA32_MCG_CTL:
+ case MSR_IA32_MCG_STATUS:
+- case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
++ case MSR_IA32_MC0_CTL ... MSR_IA32_MCx_CTL(KVM_MAX_MCE_BANKS) - 1:
+ return get_msr_mce(vcpu, msr_info->index, &msr_info->data);
+ case MSR_K7_CLK_CTL:
+ /*
diff --git a/queue-3.16/media-iguanair-add-sanity-checks.patch b/queue-3.16/media-iguanair-add-sanity-checks.patch
new file mode 100644
index 00000000..f9896788
--- /dev/null
+++ b/queue-3.16/media-iguanair-add-sanity-checks.patch
@@ -0,0 +1,53 @@
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Jul 2019 05:50:44 -0300
+Subject: media: iguanair: add sanity checks
+
+commit ab1cbdf159beba7395a13ab70bc71180929ca064 upstream.
+
+The driver needs to check the endpoint types, too, as opposed
+to the number of endpoints. This also requires moving the check earlier.
+
+Reported-by: syzbot+01a77b82edaa374068e1@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/rc/iguanair.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/rc/iguanair.c
++++ b/drivers/media/rc/iguanair.c
+@@ -430,6 +430,10 @@ static int iguanair_probe(struct usb_int
+ int ret, pipein, pipeout;
+ struct usb_host_interface *idesc;
+
++ idesc = intf->altsetting;
++ if (idesc->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ ir = kzalloc(sizeof(*ir), GFP_KERNEL);
+ rc = rc_allocate_device();
+ if (!ir || !rc) {
+@@ -444,18 +448,13 @@ static int iguanair_probe(struct usb_int
+ ir->urb_in = usb_alloc_urb(0, GFP_KERNEL);
+ ir->urb_out = usb_alloc_urb(0, GFP_KERNEL);
+
+- if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out) {
++ if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out ||
++ !usb_endpoint_is_int_in(&idesc->endpoint[0].desc) ||
++ !usb_endpoint_is_int_out(&idesc->endpoint[1].desc)) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+- idesc = intf->altsetting;
+-
+- if (idesc->desc.bNumEndpoints < 2) {
+- ret = -ENODEV;
+- goto out;
+- }
+-
+ ir->rc = rc;
+ ir->dev = &intf->dev;
+ ir->udev = udev;
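Review bot: A device whose endpoints are not interrupt-in/interrupt-out is rejected with `-ENOMEM` in iguanair_probe(), because the two `usb_endpoint_is_int_*()` tests were folded into the allocation-failure condition. That is a descriptor mismatch, not an out-of-memory condition, and `-ENODEV` would agree with the `bNumEndpoints` check added at the top. The tests also need none of the allocations, so they could join that early check: `if (idesc->desc.bNumEndpoints < 2 || !usb_endpoint_is_int_in(&idesc->endpoint[0].desc) || !usb_endpoint_is_int_out(&idesc->endpoint[1].desc)) return -ENODEV;`. The patch carries no backport note, so this presumably mirrors upstream and would be an upstream follow-up rather than a change to the backport. The probe function continues outside both hunks.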
diff --git a/queue-3.16/media-iguanair-fix-endpoint-sanity-check.patch b/queue-3.16/media-iguanair-fix-endpoint-sanity-check.patch
new file mode 100644
index 00000000..6ca6fb0b
--- /dev/null
+++ b/queue-3.16/media-iguanair-fix-endpoint-sanity-check.patch
@@ -0,0 +1,35 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:13 +0100
+Subject: media: iguanair: fix endpoint sanity check
+
+commit 1b257870a78b0a9ce98fdfb052c58542022ffb5b upstream.
+
+Make sure to use the current alternate setting, which need not be the
+first one by index, when verifying the endpoint descriptors and
+initialising the URBs.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 26ff63137c45 ("[media] Add support for the IguanaWorks USB IR Transceiver")
+Fixes: ab1cbdf159be ("media: iguanair: add sanity checks")
+Cc: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/rc/iguanair.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/iguanair.c
++++ b/drivers/media/rc/iguanair.c
+@@ -430,7 +430,7 @@ static int iguanair_probe(struct usb_int
+ int ret, pipein, pipeout;
+ struct usb_host_interface *idesc;
+
+- idesc = intf->altsetting;
++ idesc = intf->cur_altsetting;
+ if (idesc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
diff --git a/queue-3.16/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb.patch b/queue-3.16/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb.patch
new file mode 100644
index 00000000..23892e87
--- /dev/null
+++ b/queue-3.16/media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb.patch
@@ -0,0 +1,110 @@
+From: Will Deacon <will@kernel.org>
+Date: Fri, 8 Nov 2019 16:48:38 +0100
+Subject: media: uvcvideo: Avoid cyclic entity chains due to malformed USB
+ descriptors
+
+commit 68035c80e129c4cfec659aac4180354530b26527 upstream.
+
+Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
+up the following WARNING from the UVC chain scanning code:
+
+ | list_add double add: new=ffff880069084010, prev=ffff880069084010,
+ | next=ffff880067d22298.
+ | ------------[ cut here ]------------
+ | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
+ | Modules linked in:
+ | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
+ | 4.14.0-rc2-42613-g1488251d1a98 #238
+ | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ | Workqueue: usb_hub_wq hub_event
+ | task: ffff88006b01ca40 task.stack: ffff880064358000
+ | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
+ | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
+ | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
+ | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
+ | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
+ | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
+ | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
+ | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
+ | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
+ | Call Trace:
+ | __list_add ./include/linux/list.h:59
+ | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
+ | uvc_scan_chain_forward.isra.8+0x373/0x416
+ | drivers/media/usb/uvc/uvc_driver.c:1471
+ | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
+ | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
+ | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
+
+Looking into the output from usbmon, the interesting part is the
+following data packet:
+
+ ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
+ 00090403 00000e01 00000924 03000103 7c003328 010204db
+
+If we drop the lead configuration and interface descriptors, we're left
+with an output terminal descriptor describing a generic display:
+
+ /* Output terminal descriptor */
+ buf[0] 09
+ buf[1] 24
+ buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */
+ buf[3] 00 /* ID */
+ buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */
+ buf[5] 03
+ buf[6] 7c
+ buf[7] 00 /* source ID refers to self! */
+ buf[8] 33
+
+The problem with this descriptor is that it is self-referential: the
+source ID of 0 matches itself! This causes the 'struct uvc_entity'
+representing the display to be added to its chain list twice during
+'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
+processed directly from the 'dev->entities' list and then again
+immediately afterwards when trying to follow the source ID in
+'uvc_scan_chain_forward()'
+
+Add a check before adding an entity to a chain list to ensure that the
+entity is not already part of a chain.
+
+Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1369,6 +1369,11 @@ static int uvc_scan_chain_forward(struct
+ break;
+ if (forward == prev)
+ continue;
++ if (forward->chain.next || forward->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n", forward->id);
++ return -EINVAL;
++ }
+
+ switch (UVC_ENTITY_TYPE(forward)) {
+ case UVC_VC_EXTENSION_UNIT:
+@@ -1450,6 +1455,13 @@ static int uvc_scan_chain_backward(struc
+ return -1;
+ }
+
++ if (term->chain.next || term->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n",
++ term->id);
++ return -EINVAL;
++ }
++
+ if (uvc_trace_param & UVC_TRACE_PROBE)
+ printk(" %d", term->id);
+
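Review bot: The new test `forward->chain.next || forward->chain.prev` (and the same test on `term` in uvc_scan_chain_backward()) treats NULL links as "not on any chain". That holds only if every uvc_entity is zero-allocated and its `chain` list_head is never passed to INIT_LIST_HEAD() or list_del() before scanning, and neither is visible in these hunks. A comment at the first check would record the assumption, e.g. `/* chain stays zeroed from allocation until the entity is linked; non-NULL links mean it is already in a chain */`. In uvc_scan_chain_backward() the new path returns `-EINVAL` while the failure just above it returns `-1`, so callers presumably only test for a negative value. Both functions start and end outside the hunks.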
diff --git a/queue-3.16/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch b/queue-3.16/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch
new file mode 100644
index 00000000..a0f02e8d
--- /dev/null
+++ b/queue-3.16/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch
@@ -0,0 +1,60 @@
+From: John Hubbard <jhubbard@nvidia.com>
+Date: Thu, 30 Jan 2020 22:12:50 -0800
+Subject: media/v4l2-core: set pages dirty upon releasing DMA buffers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream.
+
+After DMA is complete, and the device and CPU caches are synchronized,
+it's still required to mark the CPU pages as dirty, if the data was
+coming from the device. However, this driver was just issuing a bare
+put_page() call, without any set_page_dirty*() call.
+
+Fix the problem, by calling set_page_dirty_lock() if the CPU pages were
+potentially receiving data from the device.
+
+Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Björn Töpel <bjorn.topel@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jason Gunthorpe <jgg@mellanox.com>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf-dma-sg.c
++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
+@@ -316,8 +316,11 @@ int videobuf_dma_free(struct videobuf_dm
+ BUG_ON(dma->sglen);
+
+ if (dma->pages) {
+- for (i = 0; i < dma->nr_pages; i++)
++ for (i = 0; i < dma->nr_pages; i++) {
++ if (dma->direction == DMA_FROM_DEVICE)
++ set_page_dirty_lock(dma->pages[i]);
+ page_cache_release(dma->pages[i]);
++ }
+ kfree(dma->pages);
+ dma->pages = NULL;
+ }
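Review bot: The new test in videobuf_dma_free() dirties pages only when `dma->direction == DMA_FROM_DEVICE`, but pages mapped `DMA_BIDIRECTIONAL` can also have been written by the device. Whether this helper is ever given a bidirectional mapping is not visible in the hunk. If it can be, the condition should read `if (dma->direction == DMA_FROM_DEVICE || dma->direction == DMA_BIDIRECTIONAL)`; otherwise a short comment saying only the two one-way directions occur here would settle the question. The function begins and ends outside the hunk.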
diff --git a/queue-3.16/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch b/queue-3.16/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
new file mode 100644
index 00000000..330c849a
--- /dev/null
+++ b/queue-3.16/mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
@@ -0,0 +1,54 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 30 Jan 2020 22:11:07 -0800
+Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
+
+commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.
+
+What we are trying to do is change the '=' character to a NUL terminator
+and then at the end of the function we restore it back to an '='. The
+problem is there are two error paths where we jump to the end of the
+function before we have replaced the '=' with NUL.
+
+We end up putting the '=' in the wrong place (possibly one element
+before the start of the buffer).
+
+Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
+Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Dmitry Vyukov <dvyukov@google.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ mm/mempolicy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2687,6 +2687,9 @@ int mpol_parse_str(char *str, struct mem
+ char *flags = strchr(str, '=');
+ int err = 1;
+
++ if (flags)
++ *flags++ = '\0'; /* terminate mode string */
++
+ if (nodelist) {
+ /* NUL-terminate mode or flags string */
+ *nodelist++ = '\0';
+@@ -2697,9 +2700,6 @@ int mpol_parse_str(char *str, struct mem
+ } else
+ nodes_clear(nodes);
+
+- if (flags)
+- *flags++ = '\0'; /* terminate mode string */
+-
+ for (mode = 0; mode < MPOL_MAX; mode++) {
+ if (!strcmp(str, policy_modes[mode])) {
+ break;
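Review bot: Nothing at the moved `if (flags) *flags++ = '\0';` explains why it must now come before the nodelist handling; the reason is given only in the commit message. The exit path restores the '=' through `flags`, so every `goto out` has to run after this termination, or the restore writes one byte before the intended position. A comment would keep a later reorder from reintroducing the out-of-bounds write, e.g. `/* must precede any goto out: the exit path restores '=' via flags */`. The restore itself and the rest of mpol_parse_str() are outside the hunks.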
diff --git a/queue-3.16/mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch b/queue-3.16/mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch
new file mode 100644
index 00000000..b93f1fcf
--- /dev/null
+++ b/queue-3.16/mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch
@@ -0,0 +1,59 @@
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 4 Dec 2019 16:27:49 +0100
+Subject: mmc: spi: Toggle SPI polarity, do not hardcode it
+
+commit af3ed119329cf9690598c5a562d95dfd128e91d6 upstream.
+
+The code in mmc_spi_initsequence() tries to send a burst with
+high chipselect and for this reason hardcodes the device into
+SPI_CS_HIGH.
+
+This is not good because the SPI_CS_HIGH flag indicates
+logical "asserted" CS not always the physical level. In
+some cases the signal is inverted in the GPIO library and
+in that case SPI_CS_HIGH is already set, and enforcing
+SPI_CS_HIGH again will actually drive it low.
+
+Instead of hard-coding this, toggle the polarity so if the
+default is LOW it goes high to assert chipselect but if it
+is already high then toggle it low instead.
+
+Cc: Phil Elwell <phil@raspberrypi.org>
+Reported-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20191204152749.12652-1-linus.walleij@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/mmc/host/mmc_spi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1149,17 +1149,22 @@ static void mmc_spi_initsequence(struct
+ * SPI protocol. Another is that when chipselect is released while
+ * the card returns BUSY status, the clock must issue several cycles
+ * with chipselect high before the card will stop driving its output.
++ *
++ * SPI_CS_HIGH means "asserted" here. In some cases like when using
++ * GPIOs for chip select, SPI_CS_HIGH is set but this will be logically
++ * inverted by gpiolib, so if we want to ascertain to drive it high
++ * we should toggle the default with an XOR as we do here.
+ */
+- host->spi->mode |= SPI_CS_HIGH;
++ host->spi->mode ^= SPI_CS_HIGH;
+ if (spi_setup(host->spi) != 0) {
+ /* Just warn; most cards work without it. */
+ dev_warn(&host->spi->dev,
+ "can't change chip-select polarity\n");
+- host->spi->mode &= ~SPI_CS_HIGH;
++ host->spi->mode ^= SPI_CS_HIGH;
+ } else {
+ mmc_spi_readbytes(host, 18);
+
+- host->spi->mode &= ~SPI_CS_HIGH;
++ host->spi->mode ^= SPI_CS_HIGH;
+ if (spi_setup(host->spi) != 0) {
+ /* Wot, we can't get the same setup we had before? */
+ dev_err(&host->spi->dev,
diff --git a/queue-3.16/net_sched-ematch-reject-invalid-tcf_em_simple.patch b/queue-3.16/net_sched-ematch-reject-invalid-tcf_em_simple.patch
new file mode 100644
index 00000000..721a21a2
--- /dev/null
+++ b/queue-3.16/net_sched-ematch-reject-invalid-tcf_em_simple.patch
@@ -0,0 +1,77 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 24 Jan 2020 14:57:20 -0800
+Subject: net_sched: ematch: reject invalid TCF_EM_SIMPLE
+
+commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 upstream.
+
+It is possible for malicious userspace to set TCF_EM_SIMPLE bit
+even for matches that should not have this bit set.
+
+This can fool two places using tcf_em_is_simple()
+
+1) tcf_em_tree_destroy() -> memory leak of em->data
+ if ops->destroy() is NULL
+
+2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes
+ of a kernel pointer.
+
+BUG: memory leak
+unreferenced object 0xffff888121850a40 (size 32):
+ comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
+ [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
+ [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
+ [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
+ [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
+ [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
+ [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
+ [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
+ [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
+ [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
+ [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
+ [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
+ [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
+ [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
+ [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
+ [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
+ [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
+ [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
+ [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
+ [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
+ [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
+ [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
+ [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
+ [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
+ [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sched/ematch.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -241,6 +241,9 @@ static int tcf_em_validate(struct tcf_pr
+ goto errout;
+
+ if (em->ops->change) {
++ err = -EINVAL;
++ if (em_hdr->flags & TCF_EM_SIMPLE)
++ goto errout;
+ err = em->ops->change(tp, data, data_len, em);
+ if (err < 0)
+ goto errout;
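Review bot: The new `-EINVAL` path in tcf_em_validate() carries no comment, and it is not obvious from the code why `TCF_EM_SIMPLE` is rejected only inside the `if (em->ops->change)` branch. Going by the commit message, a match whose change() callback allocates em->data would otherwise be treated as holding an inline value by tcf_em_tree_destroy() and tcf_em_tree_dump(). Suggested comment above the flag test: `/* change() owns em->data; TCF_EM_SIMPLE would make destroy/dump treat it as an inline u32 */`. The function and its other branches continue outside the hunk.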
diff --git a/queue-3.16/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch b/queue-3.16/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch
new file mode 100644
index 00000000..a66993c2
--- /dev/null
+++ b/queue-3.16/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch
@@ -0,0 +1,108 @@
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Sun, 2 Feb 2020 17:53:54 -0500
+Subject: NFS: Directory page cache pages need to be locked when read
+
+commit 114de38225d9b300f027e2aec9afbb6e0def154b upstream.
+
+When a NFS directory page cache page is removed from the page cache,
+its contents are freed through a call to nfs_readdir_clear_array().
+To prevent the removal of the page cache entry until after we've
+finished reading it, we must take the page lock.
+
+Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/nfs/dir.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -671,8 +671,6 @@ int nfs_readdir_filler(nfs_readdir_descr
+ static
+ void cache_page_release(nfs_readdir_descriptor_t *desc)
+ {
+- if (!desc->page->mapping)
+- nfs_readdir_clear_array(desc->page);
+ page_cache_release(desc->page);
+ desc->page = NULL;
+ }
+@@ -686,19 +684,28 @@ struct page *get_cache_page(nfs_readdir_
+
+ /*
+ * Returns 0 if desc->dir_cookie was found on page desc->page_index
++ * and locks the page to prevent removal from the page cache.
+ */
+ static
+-int find_cache_page(nfs_readdir_descriptor_t *desc)
++int find_and_lock_cache_page(nfs_readdir_descriptor_t *desc)
+ {
+ int res;
+
+ desc->page = get_cache_page(desc);
+ if (IS_ERR(desc->page))
+ return PTR_ERR(desc->page);
+-
+- res = nfs_readdir_search_array(desc);
++ res = lock_page_killable(desc->page);
+ if (res != 0)
+- cache_page_release(desc);
++ goto error;
++ res = -EAGAIN;
++ if (desc->page->mapping != NULL) {
++ res = nfs_readdir_search_array(desc);
++ if (res == 0)
++ return 0;
++ }
++ unlock_page(desc->page);
++error:
++ cache_page_release(desc);
+ return res;
+ }
+
+@@ -713,7 +720,7 @@ int readdir_search_pagecache(nfs_readdir
+ desc->last_cookie = 0;
+ }
+ do {
+- res = find_cache_page(desc);
++ res = find_and_lock_cache_page(desc);
+ } while (res == -EAGAIN);
+ return res;
+ }
+@@ -752,7 +759,6 @@ int nfs_do_filldir(nfs_readdir_descripto
+ desc->eof = 1;
+
+ kunmap(desc->page);
+- cache_page_release(desc);
+ dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n",
+ (unsigned long long)*desc->dir_cookie, res);
+ return res;
+@@ -798,13 +804,13 @@ int uncached_readdir(nfs_readdir_descrip
+
+ status = nfs_do_filldir(desc);
+
++ out_release:
++ nfs_readdir_clear_array(desc->page);
++ cache_page_release(desc);
+ out:
+ dfprintk(DIRCACHE, "NFS: %s: returns %d\n",
+ __func__, status);
+ return status;
+- out_release:
+- cache_page_release(desc);
+- goto out;
+ }
+
+ /* The file offset position represents the dirent entry number. A
+@@ -870,6 +876,8 @@ static int nfs_readdir(struct file *file
+ break;
+
+ res = nfs_do_filldir(desc);
++ unlock_page(desc->page);
++ cache_page_release(desc);
+ if (res < 0)
+ break;
+ } while (!desc->eof);
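Review bot: The updated comment on find_and_lock_cache_page() says the page is locked but not who unlocks it, and the matching `unlock_page(desc->page); cache_page_release(desc);` pair is in nfs_readdir(), after nfs_do_filldir(). From the new body, a return of 0 leaves the page locked and referenced, while every non-zero return (including the `-EAGAIN` retry case) has already dropped both. I would state that contract in the comment, e.g. `* On success the page is returned locked and referenced; the caller must unlock_page() and cache_page_release() it.` Without it, the removal of cache_page_release() from nfs_do_filldir() is easy to misread as a leak. Several of the touched functions extend beyond their hunks.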
diff --git a/queue-3.16/nfs-fix-memory-leaks-and-corruption-in-readdir.patch b/queue-3.16/nfs-fix-memory-leaks-and-corruption-in-readdir.patch
new file mode 100644
index 00000000..3bf641d4
--- /dev/null
+++ b/queue-3.16/nfs-fix-memory-leaks-and-corruption-in-readdir.patch
@@ -0,0 +1,76 @@
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Sun, 2 Feb 2020 17:53:53 -0500
+Subject: NFS: Fix memory leaks and corruption in readdir
+
+commit 4b310319c6a8ce708f1033d57145e2aa027a883c upstream.
+
+nfs_readdir_xdr_to_array() must not exit without having initialised
+the array, so that the page cache deletion routines can safely
+call nfs_readdir_clear_array().
+Furthermore, we should ensure that if we exit nfs_readdir_filler()
+with an error, we free up any page contents to prevent a leak
+if we try to fill the page again.
+
+Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/nfs/dir.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -169,6 +169,17 @@ typedef struct {
+ unsigned int eof:1;
+ } nfs_readdir_descriptor_t;
+
++static
++void nfs_readdir_init_array(struct page *page)
++{
++ struct nfs_cache_array *array;
++
++ array = kmap_atomic(page);
++ memset(array, 0, sizeof(struct nfs_cache_array));
++ array->eof_index = -1;
++ kunmap_atomic(array);
++}
++
+ /*
+ * we are freeing strings created by nfs_add_to_readdir_array()
+ */
+@@ -181,6 +192,7 @@ void nfs_readdir_clear_array(struct page
+ array = kmap_atomic(page);
+ for (i = 0; i < array->size; i++)
+ kfree(array->array[i].string.name);
++ array->size = 0;
+ kunmap_atomic(array);
+ }
+
+@@ -580,6 +592,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir
+ int status = -ENOMEM;
+ unsigned int array_size = ARRAY_SIZE(pages);
+
++ nfs_readdir_init_array(page);
++
+ entry.prev_cookie = 0;
+ entry.cookie = desc->last_cookie;
+ entry.eof = 0;
+@@ -596,8 +610,6 @@ int nfs_readdir_xdr_to_array(nfs_readdir
+ }
+
+ array = kmap(page);
+- memset(array, 0, sizeof(struct nfs_cache_array));
+- array->eof_index = -1;
+
+ status = nfs_readdir_large_page(pages, array_size);
+ if (status < 0)
+@@ -651,6 +663,7 @@ int nfs_readdir_filler(nfs_readdir_descr
+ unlock_page(page);
+ return 0;
+ error:
++ nfs_readdir_clear_array(page);
+ unlock_page(page);
+ return ret;
+ }
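Review bot: nfs_readdir_init_array() is added without a comment, although the invariant it enforces is the whole point of the fix and the neighbouring nfs_readdir_clear_array() has one. I would add `/* Set size = 0 and eof_index = -1 so nfs_readdir_clear_array() is safe on this page even if filling fails */` above it. In nfs_readdir_clear_array() the freed `string.name` pointers stay in the array, so the new `array->size = 0;` is what prevents a second kfree() on a later call. A short why-comment on that line would keep it from being removed as redundant. `sizeof(*array)` in the memset would also follow the usual kernel style.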
diff --git a/queue-3.16/nfs-nfs_swap-should-depend-on-swap.patch b/queue-3.16/nfs-nfs_swap-should-depend-on-swap.patch
new file mode 100644
index 00000000..ad434790
--- /dev/null
+++ b/queue-3.16/nfs-nfs_swap-should-depend-on-swap.patch
@@ -0,0 +1,34 @@
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 30 Dec 2019 16:32:38 +0100
+Subject: nfs: NFS_SWAP should depend on SWAP
+
+commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc upstream.
+
+If CONFIG_SWAP=n, it does not make much sense to offer the user the
+option to enable support for swapping over NFS, as that will still fail
+at run time:
+
+ # swapon /swap
+ swapon: /swap: swapon failed: Function not implemented
+
+Fix this by adding a dependency on CONFIG_SWAP.
+
+Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/nfs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -89,7 +89,7 @@ config NFS_V4
+ config NFS_SWAP
+ bool "Provide swap over NFS support"
+ default n
+- depends on NFS_FS
++ depends on NFS_FS && SWAP
+ select SUNRPC_SWAP
+ help
+ This option enables swapon to work on files located on NFS mounts.
diff --git a/queue-3.16/nfs-use-kmap-kunmap-directly.patch b/queue-3.16/nfs-use-kmap-kunmap-directly.patch
new file mode 100644
index 00000000..1a330d6e
--- /dev/null
+++ b/queue-3.16/nfs-use-kmap-kunmap-directly.patch
@@ -0,0 +1,165 @@
+From: Fabian Frederick <fabf@skynet.be>
+Date: Wed, 3 May 2017 20:52:21 +0200
+Subject: nfs: use kmap/kunmap directly
+
+commit 0795bf8357c1887e2a95e6e4f5b89d0896a0d929 upstream.
+
+This patch removes useless nfs_readdir_get_array() and
+nfs_readdir_release_array() as suggested by Trond Myklebust
+
+nfs_readdir() calls nfs_revalidate_mapping() before
+readdir_search_pagecache() , nfs_do_filldir(), uncached_readdir()
+so mapping should be correct.
+
+While kmap() can't fail, all subsequent error checks were removed
+as well as unused labels.
+
+Signed-off-by: Fabian Frederick <fabf@skynet.be>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/nfs/dir.c | 67 ++++++++++------------------------------------------
+ 1 file changed, 12 insertions(+), 55 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -170,27 +170,6 @@ typedef struct {
+ } nfs_readdir_descriptor_t;
+
+ /*
+- * The caller is responsible for calling nfs_readdir_release_array(page)
+- */
+-static
+-struct nfs_cache_array *nfs_readdir_get_array(struct page *page)
+-{
+- void *ptr;
+- if (page == NULL)
+- return ERR_PTR(-EIO);
+- ptr = kmap(page);
+- if (ptr == NULL)
+- return ERR_PTR(-ENOMEM);
+- return ptr;
+-}
+-
+-static
+-void nfs_readdir_release_array(struct page *page)
+-{
+- kunmap(page);
+-}
+-
+-/*
+ * we are freeing strings created by nfs_add_to_readdir_array()
+ */
+ static
+@@ -229,13 +208,10 @@ int nfs_readdir_make_qstr(struct qstr *s
+ static
+ int nfs_readdir_add_to_array(struct nfs_entry *entry, struct page *page)
+ {
+- struct nfs_cache_array *array = nfs_readdir_get_array(page);
++ struct nfs_cache_array *array = kmap(page);
+ struct nfs_cache_array_entry *cache_entry;
+ int ret;
+
+- if (IS_ERR(array))
+- return PTR_ERR(array);
+-
+ cache_entry = &array->array[array->size];
+
+ /* Check that this entry lies within the page bounds */
+@@ -254,7 +230,7 @@ int nfs_readdir_add_to_array(struct nfs_
+ if (entry->eof != 0)
+ array->eof_index = array->size;
+ out:
+- nfs_readdir_release_array(page);
++ kunmap(page);
+ return ret;
+ }
+
+@@ -343,11 +319,7 @@ int nfs_readdir_search_array(nfs_readdir
+ struct nfs_cache_array *array;
+ int status;
+
+- array = nfs_readdir_get_array(desc->page);
+- if (IS_ERR(array)) {
+- status = PTR_ERR(array);
+- goto out;
+- }
++ array = kmap(desc->page);
+
+ if (*desc->dir_cookie == 0)
+ status = nfs_readdir_search_for_pos(array, desc);
+@@ -359,8 +331,7 @@ int nfs_readdir_search_array(nfs_readdir
+ desc->current_index += array->size;
+ desc->page_index++;
+ }
+- nfs_readdir_release_array(desc->page);
+-out:
++ kunmap(desc->page);
+ return status;
+ }
+
+@@ -551,13 +522,10 @@ int nfs_readdir_page_filler(nfs_readdir_
+ } while (!entry->eof);
+
+ if (count == 0 || (status == -EBADCOOKIE && entry->eof != 0)) {
+- array = nfs_readdir_get_array(page);
+- if (!IS_ERR(array)) {
+- array->eof_index = array->size;
+- status = 0;
+- nfs_readdir_release_array(page);
+- } else
+- status = PTR_ERR(array);
++ array = kmap(page);
++ array->eof_index = array->size;
++ status = 0;
++ kunmap(page);
+ }
+
+ put_page(scratch);
+@@ -627,11 +595,7 @@ int nfs_readdir_xdr_to_array(nfs_readdir
+ goto out;
+ }
+
+- array = nfs_readdir_get_array(page);
+- if (IS_ERR(array)) {
+- status = PTR_ERR(array);
+- goto out_label_free;
+- }
++ array = kmap(page);
+ memset(array, 0, sizeof(struct nfs_cache_array));
+ array->eof_index = -1;
+
+@@ -655,8 +619,7 @@ int nfs_readdir_xdr_to_array(nfs_readdir
+
+ nfs_readdir_free_large_page(pages_ptr, pages, array_size);
+ out_release_array:
+- nfs_readdir_release_array(page);
+-out_label_free:
++ kunmap(page);
+ nfs4_label_free(entry.label);
+ out:
+ nfs_free_fattr(entry.fattr);
+@@ -754,12 +717,7 @@ int nfs_do_filldir(nfs_readdir_descripto
+ struct nfs_cache_array *array = NULL;
+ struct nfs_open_dir_context *ctx = file->private_data;
+
+- array = nfs_readdir_get_array(desc->page);
+- if (IS_ERR(array)) {
+- res = PTR_ERR(array);
+- goto out;
+- }
+-
++ array = kmap(desc->page);
+ for (i = desc->cache_entry_index; i < array->size; i++) {
+ struct nfs_cache_array_entry *ent;
+
+@@ -780,8 +738,7 @@ int nfs_do_filldir(nfs_readdir_descripto
+ if (array->eof_index >= 0)
+ desc->eof = 1;
+
+- nfs_readdir_release_array(desc->page);
+-out:
++ kunmap(desc->page);
+ cache_page_release(desc);
+ dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n",
+ (unsigned long long)*desc->dir_cookie, res);
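Review bot: The removed nfs_readdir_get_array() was the only visible place that rejected a NULL page (`if (page == NULL) return ERR_PTR(-EIO);`), and every call site now passes its page straight to kmap(). The description argues that kmap() cannot fail and that the mapping is valid, but it does not say why the page pointer itself can never be NULL. The callers are outside these hunks, so this should be confirmed for the 3.16 tree. If the invariant holds, state it where the check used to be, for example `/* page is never NULL here: callers pass a page they allocated or found in the page cache */` above the kmap() in nfs_readdir_add_to_array().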
diff --git a/queue-3.16/of-add-of_dma_default_coherent-select-it-on-powerpc.patch b/queue-3.16/of-add-of_dma_default_coherent-select-it-on-powerpc.patch
new file mode 100644
index 00000000..e2631051
--- /dev/null
+++ b/queue-3.16/of-add-of_dma_default_coherent-select-it-on-powerpc.patch
@@ -0,0 +1,76 @@
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Sun, 26 Jan 2020 22:52:47 +1100
+Subject: of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
+
+commit dabf6b36b83a18d57e3d4b9d50544ed040d86255 upstream.
+
+There's an OF helper called of_dma_is_coherent(), which checks if a
+device has a "dma-coherent" property to see if the device is coherent
+for DMA.
+
+But on some platforms devices are coherent by default, and on some
+platforms it's not possible to update existing device trees to add the
+"dma-coherent" property.
+
+So add a Kconfig symbol to allow arch code to tell
+of_dma_is_coherent() that devices are coherent by default, regardless
+of the presence of the property.
+
+Select that symbol on powerpc when NOT_COHERENT_CACHE is not set, ie.
+when the system has a coherent cache.
+
+Fixes: 92ea637edea3 ("of: introduce of_dma_is_coherent() helper")
+Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Tested-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/Kconfig | 1 +
+ drivers/of/Kconfig | 4 ++++
+ drivers/of/address.c | 6 +++++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -89,6 +89,7 @@ config PPC
+ select ARCH_MIGHT_HAVE_PC_SERIO
+ select BINFMT_ELF
+ select OF
++ select OF_DMA_DEFAULT_COHERENT if !NOT_COHERENT_CACHE
+ select OF_EARLY_FLATTREE
+ select OF_RESERVED_MEM
+ select HAVE_FTRACE_MCOUNT_RECORD
+--- a/drivers/of/Kconfig
++++ b/drivers/of/Kconfig
+@@ -78,4 +78,8 @@ config OF_RESERVED_MEM
+ help
+ Helpers to allow for reservation of memory regions
+
++config OF_DMA_DEFAULT_COHERENT
++ # arches should select this if DMA is coherent by default for OF devices
++ bool
++
+ endmenu # OF
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -812,12 +812,16 @@ EXPORT_SYMBOL_GPL(of_dma_get_range);
+ * @np: device node
+ *
+ * It returns true if "dma-coherent" property was found
+- * for this device in DT.
++ * for this device in the DT, or if DMA is coherent by
++ * default for OF devices on the current platform.
+ */
+ bool of_dma_is_coherent(struct device_node *np)
+ {
+ struct device_node *node = of_node_get(np);
+
++ if (IS_ENABLED(CONFIG_OF_DMA_DEFAULT_COHERENT))
++ return true;
++
+ while (node) {
+ if (of_property_read_bool(node, "dma-coherent")) {
+ of_node_put(node);
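Review bot: The early return added to of_dma_is_coherent() leaks a node reference: `node` is initialised with of_node_get(np) on the declaration line, and the new `return true;` leaves the function without the matching of_node_put(). With CONFIG_OF_DMA_DEFAULT_COHERENT enabled, every call would raise the refcount on np, and as far as the hunk shows it is never dropped. Take the reference only after the check: declare `struct device_node *node;`, keep the IS_ENABLED() test, then `node = of_node_get(np);` before the loop. The loop body continues past the end of the hunk.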
diff --git a/queue-3.16/orinoco_usb-fix-interface-sanity-check.patch b/queue-3.16/orinoco_usb-fix-interface-sanity-check.patch
new file mode 100644
index 00000000..9a6d317a
--- /dev/null
+++ b/queue-3.16/orinoco_usb-fix-interface-sanity-check.patch
@@ -0,0 +1,35 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:23 +0100
+Subject: orinoco_usb: fix interface sanity check
+
+commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/orinoco/orinoco_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/orinoco/orinoco_usb.c
++++ b/drivers/net/wireless/orinoco/orinoco_usb.c
+@@ -1602,9 +1602,9 @@ static int ezusb_probe(struct usb_interf
+ /* set up the endpoint information */
+ /* check out the endpoints */
+
+- iface_desc = &interface->altsetting[0].desc;
++ iface_desc = &interface->cur_altsetting->desc;
+ for (i = 0; i < iface_desc->bNumEndpoints; ++i) {
+- ep = &interface->altsetting[0].endpoint[i].desc;
++ ep = &interface->cur_altsetting->endpoint[i].desc;
+
+ if (((ep->bEndpointAddress & USB_ENDPOINT_DIR_MASK)
+ == USB_DIR_IN) &&
diff --git a/queue-3.16/padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch b/queue-3.16/padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch
new file mode 100644
index 00000000..a596e547
--- /dev/null
+++ b/queue-3.16/padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch
@@ -0,0 +1,63 @@
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+Date: Tue, 3 Dec 2019 14:31:11 -0500
+Subject: padata: always acquire cpu_hotplug_lock before pinst->lock
+
+commit 38228e8848cd7dd86ccb90406af32de0cad24be3 upstream.
+
+lockdep complains when padata's paths to update cpumasks via CPU hotplug
+and sysfs are both taken:
+
+ # echo 0 > /sys/devices/system/cpu/cpu1/online
+ # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
+ ------------------------------------------------------
+ bash/205 is trying to acquire lock:
+ ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120
+
+ but task is already holding lock:
+ ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120
+
+ which lock already depends on the new lock.
+
+padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
+order. Which should be first? CPU hotplug calls into padata with
+cpu_hotplug_lock already held, so it should have priority.
+
+Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: linux-crypto@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/padata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -639,8 +639,8 @@ int padata_set_cpumask(struct padata_ins
+ struct cpumask *serial_mask, *parallel_mask;
+ int err = -EINVAL;
+
+- mutex_lock(&pinst->lock);
+ get_online_cpus();
++ mutex_lock(&pinst->lock);
+
+ switch (cpumask_type) {
+ case PADATA_CPU_PARALLEL:
+@@ -658,8 +658,8 @@ int padata_set_cpumask(struct padata_ins
+ err = __padata_set_cpumasks(pinst, parallel_mask, serial_mask);
+
+ out:
+- put_online_cpus();
+ mutex_unlock(&pinst->lock);
++ put_online_cpus();
+
+ return err;
+ }
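Review bot: Only padata_set_cpumask() is reordered in this hunk, so the fix is complete only if no other path in the 3.16 kernel/padata.c still takes pinst->lock before get_online_cpus(). Those paths are not visible here. The upstream change was written against a much newer file, so the backport should be checked for older functions that take both locks; one remaining site keeps the inversion lockdep reported. The ordering rule also lives only in the commit message, and a comment above the lock pair such as `/* Lock order: get_online_cpus() (cpu_hotplug_lock) before pinst->lock */` would record it in the code.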
diff --git a/queue-3.16/padata-remove-broken-queue-flushing.patch b/queue-3.16/padata-remove-broken-queue-flushing.patch
new file mode 100644
index 00000000..91628553
--- /dev/null
+++ b/queue-3.16/padata-remove-broken-queue-flushing.patch
@@ -0,0 +1,132 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 19 Nov 2019 13:17:31 +0800
+Subject: padata: Remove broken queue flushing
+
+commit 07928d9bfc81640bab36f5190e8725894d93b659 upstream.
+
+The function padata_flush_queues is fundamentally broken because
+it cannot force padata users to complete the request that is
+underway. IOW padata has to passively wait for the completion
+of any outstanding work.
+
+As it stands flushing is used in two places. Its use in padata_stop
+is simply unnecessary because nothing depends on the queues to
+be flushed afterwards.
+
+The other use in padata_replace is more substantial as we depend
+on it to free the old pd structure. This patch instead uses the
+pd->refcnt to dynamically free the pd structure once all requests
+are complete.
+
+Fixes: 2b73b07ab8a4 ("padata: Flush the padata queues actively")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[bwh: Backported to 3.16: padata_flush_queues() also called del_timer_sync()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -33,6 +33,8 @@
+
+ #define MAX_OBJ_NUM 1000
+
++static void padata_free_pd(struct parallel_data *pd);
++
+ static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)
+ {
+ int cpu, target_cpu;
+@@ -299,6 +301,7 @@ static void padata_serial_worker(struct
+ struct padata_serial_queue *squeue;
+ struct parallel_data *pd;
+ LIST_HEAD(local_list);
++ int cnt;
+
+ local_bh_disable();
+ squeue = container_of(serial_work, struct padata_serial_queue, work);
+@@ -308,6 +311,8 @@ static void padata_serial_worker(struct
+ list_replace_init(&squeue->serial.list, &local_list);
+ spin_unlock(&squeue->serial.lock);
+
++ cnt = 0;
++
+ while (!list_empty(&local_list)) {
+ struct padata_priv *padata;
+
+@@ -317,9 +322,12 @@ static void padata_serial_worker(struct
+ list_del_init(&padata->list);
+
+ padata->serial(padata);
+- atomic_dec(&pd->refcnt);
++ cnt++;
+ }
+ local_bh_enable();
++
++ if (atomic_sub_and_test(cnt, &pd->refcnt))
++ padata_free_pd(pd);
+ }
+
+ /**
+@@ -442,7 +450,7 @@ static struct parallel_data *padata_allo
+ setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
+ atomic_set(&pd->seq_nr, -1);
+ atomic_set(&pd->reorder_objects, 0);
+- atomic_set(&pd->refcnt, 0);
++ atomic_set(&pd->refcnt, 1);
+ pd->pinst = pinst;
+ spin_lock_init(&pd->lock);
+
+@@ -467,31 +475,6 @@ static void padata_free_pd(struct parall
+ kfree(pd);
+ }
+
+-/* Flush all objects out of the padata queues. */
+-static void padata_flush_queues(struct parallel_data *pd)
+-{
+- int cpu;
+- struct padata_parallel_queue *pqueue;
+- struct padata_serial_queue *squeue;
+-
+- for_each_cpu(cpu, pd->cpumask.pcpu) {
+- pqueue = per_cpu_ptr(pd->pqueue, cpu);
+- flush_work(&pqueue->work);
+- }
+-
+- del_timer_sync(&pd->timer);
+-
+- if (atomic_read(&pd->reorder_objects))
+- padata_reorder(pd);
+-
+- for_each_cpu(cpu, pd->cpumask.cbcpu) {
+- squeue = per_cpu_ptr(pd->squeue, cpu);
+- flush_work(&squeue->work);
+- }
+-
+- BUG_ON(atomic_read(&pd->refcnt) != 0);
+-}
+-
+ static void __padata_start(struct padata_instance *pinst)
+ {
+ pinst->flags |= PADATA_INIT;
+@@ -505,10 +488,6 @@ static void __padata_stop(struct padata_
+ pinst->flags &= ~PADATA_INIT;
+
+ synchronize_rcu();
+-
+- get_online_cpus();
+- padata_flush_queues(pinst->pd);
+- put_online_cpus();
+ }
+
+ /* Replace the internal control structure with a new one. */
+@@ -529,8 +508,8 @@ static void padata_replace(struct padata
+ if (!cpumask_equal(pd_old->cpumask.cbcpu, pd_new->cpumask.cbcpu))
+ notification_mask |= PADATA_CPU_SERIAL;
+
+- padata_flush_queues(pd_old);
+- padata_free_pd(pd_old);
++ if (atomic_dec_and_test(&pd_old->refcnt))
++ padata_free_pd(pd_old);
+
+ if (notification_mask)
+ blocking_notifier_call_chain(&pinst->cpumask_change_notifier,
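Review bot: With padata_flush_queues() removed, nothing in these hunks stops pd->timer before the structure is freed; the deleted function held the only visible `del_timer_sync(&pd->timer);`, and the backport note confirms that call is specific to 3.16. padata_free_pd() can now run from padata_serial_worker() as soon as the reference count reaches zero, and only its final `kfree(pd);` is visible, so whether it quiesces the reorder timer cannot be told from here. If it does not, a timer callback still running or pending would touch freed memory. A `del_timer_sync(&pd->timer);` at the start of padata_free_pd() would close that, assuming every caller is in a context where waiting for the timer is allowed. A comment on `atomic_set(&pd->refcnt, 1);` saying that the initial reference belongs to the instance and is dropped in padata_replace() would also help.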
diff --git a/queue-3.16/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch b/queue-3.16/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
new file mode 100644
index 00000000..05afe661
--- /dev/null
+++ b/queue-3.16/pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
@@ -0,0 +1,107 @@
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 8 Jan 2020 14:32:08 -0700
+Subject: PCI: Don't disable bridge BARs when assigning bus resources
+
+commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 upstream.
+
+Some PCI bridges implement BARs in addition to bridge windows. For
+example, here's a PLX switch:
+
+ 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI
+ Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca)
+ (prog-if 00 [Normal decode])
+ Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0
+ Memory at 90a00000 (32-bit, non-prefetchable) [size=256K]
+ Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0
+ I/O behind bridge: 00002000-00003fff
+ Memory behind bridge: 90000000-909fffff
+ Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff
+
+Previously, when the kernel assigned resource addresses (with the
+pci=realloc command line parameter, for example) it could clear the struct
+resource corresponding to the BAR. When this happened, lspci would report
+this BAR as "ignored":
+
+ Region 0: Memory at <ignored> (32-bit, non-prefetchable) [size=256K]
+
+This is because the kernel reports a zero start address and zero flags
+in the corresponding sysfs resource file and in /proc/bus/pci/devices.
+Investigation with 'lspci -x', however, shows the BIOS-assigned address
+will still be programmed in the device's BAR registers.
+
+It's clearly a bug that the kernel lost track of the BAR value, but in most
+cases, this still won't result in a visible issue because nothing uses the
+memory, so nothing is affected. However, when an IOMMU is in use, it will
+not reserve this space in the IOVA because the kernel no longer thinks the
+range is valid. (See dmar_init_reserved_ranges() for the Intel
+implementation of this.)
+
+Without the proper reserved range, a DMA mapping may allocate an IOVA that
+matches a bridge BAR, which results in DMA accesses going to the BAR
+instead of the intended RAM.
+
+The problem was in pci_assign_unassigned_root_bus_resources(). When any
+resource from a bridge device fails to get assigned, the code set the
+resource's flags to zero. This makes sense for bridge windows, as they
+will be re-enabled later, but for regular BARs, it makes the kernel
+permanently lose track of the fact that they decode address space.
+
+Change pci_assign_unassigned_root_bus_resources() and
+pci_assign_unassigned_bridge_resources() so they only clear "res->flags"
+for bridge *windows*, not bridge BARs.
+
+Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)")
+Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com
+[bhelgaas: commit log, check for pci_is_bridge()]
+Reported-by: Kit Chow <kchow@gigaio.com>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pci/setup-bus.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -1650,12 +1650,18 @@ again:
+ /* restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
+@@ -1716,12 +1722,18 @@ again:
+ /* restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
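Review bot: The new index test is duplicated verbatim in both hunks of drivers/pci/setup-bus.c and neither copy says why it exists. A comment such as `/* Clear flags only for bridge windows; bridge BARs still decode address space and must stay tracked */` above `if (pci_is_bridge(fail_res->dev))` would carry the reasoning from the commit message into the code. `idx` is computed as a pointer difference from `&fail_res->dev->resource[0]`, which is meaningful only if `res` points into that array. The hunks do not show where fail_res->res is set, so that assumption is worth stating in the same comment. Both enclosing functions start and end outside the hunks.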
diff --git a/queue-3.16/power-supply-sbs-battery-fix-a-signedness-bug-in.patch b/queue-3.16/power-supply-sbs-battery-fix-a-signedness-bug-in.patch
new file mode 100644
index 00000000..a44a7458
--- /dev/null
+++ b/queue-3.16/power-supply-sbs-battery-fix-a-signedness-bug-in.patch
@@ -0,0 +1,30 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 25 Sep 2019 14:01:28 +0300
+Subject: power: supply: sbs-battery: Fix a signedness bug in
+ sbs_get_battery_capacity()
+
+commit eb368de6de32925c65a97c1e929a31cae2155aee upstream.
+
+The "mode" variable is an enum and in this context GCC treats it as an
+unsigned int so the error handling is never triggered.
+
+Fixes: 51d075660457 ("bq20z75: Add support for charge properties")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/power/sbs-battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/sbs-battery.c
++++ b/drivers/power/sbs-battery.c
+@@ -400,7 +400,7 @@ static int sbs_get_battery_capacity(stru
+ mode = BATTERY_MODE_AMPS;
+
+ mode = sbs_set_battery_mode(client, mode);
+- if (mode < 0)
++ if ((int)mode < 0)
+ return mode;
+
+ ret = sbs_read_word_data(client, sbs_data[reg_offset].addr);
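Review bot: The cast in `if ((int)mode < 0)` makes the check work, but the error code is still stored in an enum-typed variable and handed back through `return mode;`, which relies on the same implementation-defined conversion the patch is working around. Keeping the result in a signed integer avoids the cast: `ret = sbs_set_battery_mode(client, mode);`, `if (ret < 0) return ret;`, `mode = ret;`. This presumes `ret` (assigned from sbs_read_word_data() on the next line) is a signed integer and that the rest of the function needs the returned mode in `mode`. The function starts and ends outside the hunk.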
diff --git a/queue-3.16/pxa168fb-fix-the-function-used-to-release-some-memory-in-an-error.patch b/queue-3.16/pxa168fb-fix-the-function-used-to-release-some-memory-in-an-error.patch
new file mode 100644
index 00000000..0dd44904
--- /dev/null
+++ b/queue-3.16/pxa168fb-fix-the-function-used-to-release-some-memory-in-an-error.patch
@@ -0,0 +1,50 @@
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 31 Aug 2019 12:00:24 +0200
+Subject: pxa168fb: Fix the function used to release some memory in an error
+ handling path
+
+commit 3c911fe799d1c338d94b78e7182ad452c37af897 upstream.
+
+In the probe function, some resources are allocated using 'dma_alloc_wc()',
+they should be released with 'dma_free_wc()', not 'dma_free_coherent()'.
+
+We already use 'dma_free_wc()' in the remove function, but not in the
+error handling path of the probe function.
+
+Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already
+PAGE_ALIGNed.
+
+Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
+CC: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr
+[bwh: Backported to 3.16: Use dma_free_writecombine().]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/video/fbdev/pxa168fb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/fbdev/pxa168fb.c
++++ b/drivers/video/fbdev/pxa168fb.c
+@@ -772,8 +772,8 @@ failed_free_cmap:
+ failed_free_clk:
+ clk_disable(fbi->clk);
+ failed_free_fbmem:
+- dma_free_coherent(fbi->dev, info->fix.smem_len,
+- info->screen_base, fbi->fb_start_dma);
++ dma_free_writecombine(fbi->dev, info->fix.smem_len,
++ info->screen_base, fbi->fb_start_dma);
+ failed_free_info:
+ kfree(info);
+ failed_put_clk:
+@@ -809,7 +809,7 @@ static int pxa168fb_remove(struct platfo
+
+ irq = platform_get_irq(pdev, 0);
+
+- dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
++ dma_free_writecombine(fbi->dev, info->fix.smem_len,
+ info->screen_base, info->fix.smem_start);
+
+ clk_disable(fbi->clk);
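Review bot: After this change the probe error path and pxa168fb_remove() free the same buffer with different expressions for the DMA handle, `fbi->fb_start_dma` in the first hunk and `info->fix.smem_start` in the second. They are presumably the same address, but if smem_start is narrower than dma_addr_t on some configuration the two calls would not be equivalent. The assignments are outside the hunks. Using `fbi->fb_start_dma` in both places would make the pairing with the allocation obvious.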
diff --git a/queue-3.16/reiserfs-fix-memory-leak-of-journal-device-string.patch b/queue-3.16/reiserfs-fix-memory-leak-of-journal-device-string.patch
new file mode 100644
index 00000000..0d8592f0
--- /dev/null
+++ b/queue-3.16/reiserfs-fix-memory-leak-of-journal-device-string.patch
@@ -0,0 +1,36 @@
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 12 Dec 2019 11:30:03 +0100
+Subject: reiserfs: Fix memory leak of journal device string
+
+commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.
+
+When a filesystem is mounted with jdev mount option, we store the
+journal device name in an allocated string in superblock. However we
+fail to ever free that string. Fix it.
+
+Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
+Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/reiserfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -589,6 +589,7 @@ static void reiserfs_put_super(struct su
+ reiserfs_write_unlock(s);
+ mutex_destroy(&REISERFS_SB(s)->lock);
+ destroy_workqueue(REISERFS_SB(s)->commit_wq);
++ kfree(REISERFS_SB(s)->s_jdev);
+ kfree(s->s_fs_info);
+ s->s_fs_info = NULL;
+ }
+@@ -2188,6 +2189,7 @@ error_unlocked:
+ kfree(qf_names[j]);
+ }
+ #endif
++ kfree(sbi->s_jdev);
+ kfree(sbi);
+
+ s->s_fs_info = NULL;
diff --git a/queue-3.16/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-error-handling.patch b/queue-3.16/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-error-handling.patch
new file mode 100644
index 00000000..9f4f4aa3
--- /dev/null
+++ b/queue-3.16/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-error-handling.patch
@@ -0,0 +1,28 @@
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 12 Dec 2019 11:35:58 +0100
+Subject: reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
+
+commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 upstream.
+
+When we fail to allocate string for journal device name we jump to
+'error' label which tries to unlock reiserfs write lock which is not
+held. Jump to 'error_unlocked' instead.
+
+Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/reiserfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -1901,7 +1901,7 @@ static int reiserfs_fill_super(struct su
+ if (!sbi->s_jdev) {
+ SWARN(silent, s, "", "Cannot allocate memory for "
+ "journal device name");
+- goto error;
++ goto error_unlocked;
+ }
+ }
+ #ifdef CONFIG_QUOTA
diff --git a/queue-3.16/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch b/queue-3.16/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
new file mode 100644
index 00000000..2f23d715
--- /dev/null
+++ b/queue-3.16/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
@@ -0,0 +1,48 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 18:22:00 +0100
+Subject: rsi: fix use-after-free on failed probe and unbind
+
+commit e93cd35101b61e4c79149be2cfc927c4b28dc60c upstream.
+
+Make sure to stop both URBs before returning after failed probe as well
+as on disconnect to avoid use-after-free in the completion handler.
+
+Reported-by: syzbot+b563b7f8dbe8223a51e8@syzkaller.appspotmail.com
+Fixes: a4302bff28e2 ("rsi: add bluetooth rx endpoint")
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
+Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
+Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Cc: Fariya Fatima <fariyaf@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: There is no BT support, so we only need to
+ kill one URB on disconnect.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -245,6 +245,14 @@ static void rsi_rx_done_handler(struct u
+ rsi_set_event(&dev->rx_thread.event);
+ }
+
++static void rsi_rx_urb_kill(struct rsi_hw *adapter)
++{
++ struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
++ struct urb *urb = dev->rx_usb_urb[0];
++
++ usb_kill_urb(urb);
++}
++
+ /**
+ * rsi_rx_urb_submit() - This function submits the given URB to the USB stack.
+ * @adapter: Pointer to the adapter structure.
+@@ -510,6 +518,8 @@ static void rsi_disconnect(struct usb_in
+ if (!adapter)
+ return;
+
++ rsi_rx_urb_kill(adapter);
++
+ rsi_mac80211_detach(adapter);
+ rsi_deinit_usb_interface(adapter);
+ rsi_91x_deinit(adapter);
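Review bot: The retained upstream description says the URB is stopped "after failed probe as well as on disconnect", but the only call to `rsi_rx_urb_kill()` added here is in rsi_disconnect(); no probe error path is touched. That is presumably correct if rsi_probe() in this tree cannot fail once the RX URB has been submitted, which is not visible from the patch, so the backport note should say why the probe side was dropped and not only why one URB is enough. A comment on the helper, for example `/* Stop the RX URB so its completion handler cannot run against freed state */`, would also record why the call has to come before `rsi_mac80211_detach()`. rsi_disconnect() starts and ends outside the inner hunk.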
diff --git a/queue-3.16/rsi_91x_usb-fix-interface-sanity-check.patch b/queue-3.16/rsi_91x_usb-fix-interface-sanity-check.patch
new file mode 100644
index 00000000..f8f8938b
--- /dev/null
+++ b/queue-3.16/rsi_91x_usb-fix-interface-sanity-check.patch
@@ -0,0 +1,32 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:25 +0100
+Subject: rsi_91x_usb: fix interface sanity check
+
+commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: Fariya Fatima <fariyaf@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -103,7 +103,7 @@ static int rsi_find_bulk_in_and_out_endp
+ __le16 buffer_size;
+ int ii, bep_found = 0;
+
+- iface_desc = &(interface->altsetting[0]);
++ iface_desc = interface->cur_altsetting;
+
+ for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) {
+ endpoint = &(iface_desc->endpoint[ii].desc);
diff --git a/queue-3.16/rtc-hym8563-return-einval-if-the-time-is-known-to-be-invalid.patch b/queue-3.16/rtc-hym8563-return-einval-if-the-time-is-known-to-be-invalid.patch
new file mode 100644
index 00000000..a1ee8c5a
--- /dev/null
+++ b/queue-3.16/rtc-hym8563-return-einval-if-the-time-is-known-to-be-invalid.patch
@@ -0,0 +1,31 @@
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 12 Dec 2019 16:31:10 +0100
+Subject: rtc: hym8563: Return -EINVAL if the time is known to be invalid
+
+commit f236a2a2ebabad0848ad0995af7ad1dc7029e895 upstream.
+
+The current code returns -EPERM when the voltage loss bit is set.
+Since the bit indicates that the time value is not valid, return
+-EINVAL instead, which is the appropriate error code for this
+situation.
+
+Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Link: https://lore.kernel.org/r/20191212153111.966923-1-paul.kocialkowski@bootlin.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/rtc/rtc-hym8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-hym8563.c
++++ b/drivers/rtc/rtc-hym8563.c
+@@ -105,7 +105,7 @@ static int hym8563_rtc_read_time(struct
+
+ if (!hym8563->valid) {
+ dev_warn(&client->dev, "no valid clock/calendar values available\n");
+- return -EPERM;
++ return -EINVAL;
+ }
+
+ ret = i2c_smbus_read_i2c_block_data(client, HYM8563_SEC, 7, buf);
diff --git a/queue-3.16/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch b/queue-3.16/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
new file mode 100644
index 00000000..c2d9092c
--- /dev/null
+++ b/queue-3.16/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
@@ -0,0 +1,32 @@
+From: Quinn Tran <qutran@marvell.com>
+Date: Tue, 17 Dec 2019 14:06:16 -0800
+Subject: scsi: qla2xxx: Fix mtcp dump collection failure
+
+commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream.
+
+MTCP dump failed due to MB Reg 10 was picking garbage data from stack
+memory.
+
+Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.")
+Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -5388,9 +5388,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *
+ mcp->mb[7] = LSW(MSD(req_dma));
+ mcp->mb[8] = MSW(addr);
+ /* Setting RAM ID to valid */
+- mcp->mb[10] |= BIT_7;
+ /* For MCTP RAM ID is 0x40 */
+- mcp->mb[10] |= 0x40;
++ mcp->mb[10] = BIT_7 | 0x40;
+
+ mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|
+ MBX_0;
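Review bot: The comment `/* Setting RAM ID to valid */` is left orphaned once the line it described is removed, so two comments now sit above the single assignment `mcp->mb[10] = BIT_7 | 0x40;`. Folding them into one, e.g. `/* RAM ID valid (BIT_7); MCTP RAM ID is 0x40 */`, keeps the meaning of each bit next to the plain assignment that stops the register from inheriting stale stack contents. qla2x00_dump_mctp_data() begins and ends outside the hunk, so whether the other mailbox words named in `out_mb` are all assigned cannot be checked from here.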
diff --git a/queue-3.16/series b/queue-3.16/series
index 88ef5976..17b019e1 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -1,3 +1,91 @@
fs-namespace.c-fix-mountpoint-reference-counter-race.patch
propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
spi-spi-dw-add-lock-protect-dw_spi-rx-tx-to-prevent-concurrent-calls.patch
+padata-remove-broken-queue-flushing.patch
+crypto-pcrypt-fix-user-after-free-on-module-unload.patch
+crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch
+padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch
+crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
+crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
+crypto-api-fix-race-condition-in-crypto_spawn_alg.patch
+mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch
+reiserfs-fix-memory-leak-of-journal-device-string.patch
+reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-error-handling.patch
+ath9k-fix-storage-endpoint-lookup.patch
+rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
+brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch
+brcmfmac-abort-and-release-host-after-error.patch
+brcmfmac-fix-interface-sanity-check.patch
+orinoco_usb-fix-interface-sanity-check.patch
+rsi_91x_usb-fix-interface-sanity-check.patch
+zd1211rw-fix-storage-endpoint-lookup.patch
+brcmfmac-fix-memory-leak-in-brcmf_usbdev_qinit.patch
+crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix.patch
+scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
+rtc-hym8563-return-einval-if-the-time-is-known-to-be-invalid.patch
+gianfar-fix-tx-timestamping-with-a-stacked-dsa-driver.patch
+pxa168fb-fix-the-function-used-to-release-some-memory-in-an-error.patch
+alsa-sh-fix-compile-warning-wrt-const.patch
+clk-tegra-mark-fuse-clock-as-critical.patch
+arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch
+media-iguanair-add-sanity-checks.patch
+media-iguanair-fix-endpoint-sanity-check.patch
+arm-dts-at91-sama5d3-fix-maximum-peripheral-clock-rates.patch
+arm-dts-at91-sama5d3-define-clock-rate-range-for-tcb1.patch
+efi-use-early_mem-instead-of-early_io.patch
+efi-x86-map-the-entire-efi-vendor-string-before-copying-it.patch
+pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
+power-supply-sbs-battery-fix-a-signedness-bug-in.patch
+dm-space-map-common-fix-to-ensure-new-block-isn-t-already-in-use.patch
+usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
+usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch
+usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
+staging-wlan-ng-ensure-error-return-is-actually-returned.patch
+nfs-nfs_swap-should-depend-on-swap.patch
+ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch
+x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear.patch
+jbd2-clear-jbd2_abort-flag-before-journal_reset-to-update-log-tail.patch
+kvm-arm64-only-sign-extend-mmio-up-to-register-width.patch
+sparc32-fix-struct-ipc64_perm-type-definition.patch
+kvm-x86-don-t-let-userspace-set-host-reserved-cr4-bits.patch
+kvm-nvmx-vmread-should-not-set-rflags-to-specify-success-in-case-of.patch
+x86-kvm-avoid-unused-variable-warning.patch
+kvm-x86-mmu-apply-max-pa-check-for-mmio-sptes-to-32-bit-kvm.patch
+usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
+usb-serial-ir-usb-fix-link-speed-handling.patch
+usb-serial-ir-usb-fix-irlap-framing.patch
+media-uvcvideo-avoid-cyclic-entity-chains-due-to-malformed-usb.patch
+kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch
+kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch
+kvm-x86-free-wbinvd_dirty_mask-if-vcpu-creation-fails.patch
+tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch
+tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch
+jbd2-switch-to-use-jbd2_journal_abort-when-failed-to-submit-the.patch
+ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch
+iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-cause-an.patch
+cifs-fix-task-struct-use-after-free-on-reconnect.patch
+net_sched-ematch-reject-invalid-tcf_em_simple.patch
+kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf.patch
+kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-use-macros-to-compute-bank-msrs.patch
+kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf.patch
+kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf.patch
+kvm-check-for-a-bad-hva-before-dropping-into-the-ghc-slow-path.patch
+of-add-of_dma_default_coherent-select-it-on-powerpc.patch
+btrfs-fix-race-between-adding-and-putting-tree-mod-seq-elements-and.patch
+mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
+media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch
+tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
+alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
+clocksource-prevent-double-add_timer_on-for-watchdog_timer.patch
+cls_rsvp-fix-rsvp_policy.patch
+kconfig-fix-broken-dependency-in-randconfig-generated-.config.patch
+nfs-use-kmap-kunmap-directly.patch
+nfs-fix-memory-leaks-and-corruption-in-readdir.patch
+nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch
+cifs-fail-i-o-on-soft-mounts-if-sessionsetup-errors-out.patch
+bonding-alb-properly-access-headers-in-bond_alb_xmit.patch
+sunrpc-expiry_time-should-be-seconds-not-timeval.patch
diff --git a/queue-3.16/sparc32-fix-struct-ipc64_perm-type-definition.patch b/queue-3.16/sparc32-fix-struct-ipc64_perm-type-definition.patch
new file mode 100644
index 00000000..d7b66481
--- /dev/null
+++ b/queue-3.16/sparc32-fix-struct-ipc64_perm-type-definition.patch
@@ -0,0 +1,65 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 14 Jan 2020 14:26:14 +0100
+Subject: sparc32: fix struct ipc64_perm type definition
+
+commit 34ca70ef7d3a9fa7e89151597db5e37ae1d429b4 upstream.
+
+As discussed in the strace issue tracker, it appears that the sparc32
+sysvipc support has been broken for the past 11 years. It was however
+working in compat mode, which is how it must have escaped most of the
+regular testing.
+
+The problem is that a cleanup patch inadvertently changed the uid/gid
+fields in struct ipc64_perm from 32-bit types to 16-bit types in uapi
+headers.
+
+Both glibc and uclibc-ng still use the original types, so they should
+work fine with compat mode, but not natively. Change the definitions
+to use __kernel_uid32_t and __kernel_gid32_t again.
+
+Fixes: 83c86984bff2 ("sparc: unify ipcbuf.h")
+Link: https://github.com/strace/strace/issues/116
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: "Dmitry V . Levin" <ldv@altlinux.org>
+Cc: Rich Felker <dalias@libc.org>
+Cc: libc-alpha@sourceware.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/sparc/include/uapi/asm/ipcbuf.h | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/arch/sparc/include/uapi/asm/ipcbuf.h
++++ b/arch/sparc/include/uapi/asm/ipcbuf.h
+@@ -14,19 +14,19 @@
+
+ struct ipc64_perm
+ {
+- __kernel_key_t key;
+- __kernel_uid_t uid;
+- __kernel_gid_t gid;
+- __kernel_uid_t cuid;
+- __kernel_gid_t cgid;
++ __kernel_key_t key;
++ __kernel_uid32_t uid;
++ __kernel_gid32_t gid;
++ __kernel_uid32_t cuid;
++ __kernel_gid32_t cgid;
+ #ifndef __arch64__
+- unsigned short __pad0;
++ unsigned short __pad0;
+ #endif
+- __kernel_mode_t mode;
+- unsigned short __pad1;
+- unsigned short seq;
+- unsigned long long __unused1;
+- unsigned long long __unused2;
++ __kernel_mode_t mode;
++ unsigned short __pad1;
++ unsigned short seq;
++ unsigned long long __unused1;
++ unsigned long long __unused2;
+ };
+
+ #endif /* __SPARC_IPCBUF_H */
diff --git a/queue-3.16/staging-wlan-ng-ensure-error-return-is-actually-returned.patch b/queue-3.16/staging-wlan-ng-ensure-error-return-is-actually-returned.patch
new file mode 100644
index 00000000..faac47e9
--- /dev/null
+++ b/queue-3.16/staging-wlan-ng-ensure-error-return-is-actually-returned.patch
@@ -0,0 +1,32 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 14 Jan 2020 18:16:04 +0000
+Subject: staging: wlan-ng: ensure error return is actually returned
+
+commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream.
+
+Currently when the call to prism2sta_ifst fails a netdev_err error
+is reported, error return variable result is set to -1 but the
+function always returns 0 for success. Fix this by returning
+the error value in variable result rather than 0.
+
+Addresses-Coverity: ("Unused value")
+Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/wlan-ng/prism2mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/wlan-ng/prism2mgmt.c
++++ b/drivers/staging/wlan-ng/prism2mgmt.c
+@@ -939,7 +939,7 @@ int prism2mgmt_flashdl_state(wlandevice_
+ }
+ }
+
+- return 0;
++ return result;
+ }
+
+ /*----------------------------------------------------------------
diff --git a/queue-3.16/sunrpc-expiry_time-should-be-seconds-not-timeval.patch b/queue-3.16/sunrpc-expiry_time-should-be-seconds-not-timeval.patch
new file mode 100644
index 00000000..162df57d
--- /dev/null
+++ b/queue-3.16/sunrpc-expiry_time-should-be-seconds-not-timeval.patch
@@ -0,0 +1,50 @@
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Tue, 4 Feb 2020 11:32:56 +0100
+Subject: sunrpc: expiry_time should be seconds not timeval
+
+commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream.
+
+When upcalling gssproxy, cache_head.expiry_time is set as a
+timeval, not seconds since boot. As such, RPC cache expiry
+logic will not clean expired objects created under
+auth.rpcsec.context cache.
+
+This has proven to cause kernel memory leaks on field. Using
+64 bit variants of getboottime/timespec
+
+Expiration times have worked this way since 2010's c5b29f885afe "sunrpc:
+use seconds since boot in expiry cache". The gssproxy code introduced
+in 2012 added gss_proxy_save_rsc and introduced the bug. That's a while
+for this to lurk, but it required a bit of an extreme case to make it
+obvious.
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..."
+Tested-By: Frank Sorenson <sorenson@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+[bwh: Backported to 3.16: Use struct timespec and getboottime()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1171,6 +1171,7 @@ static int gss_proxy_save_rsc(struct cac
+ dprintk("RPC: No creds found!\n");
+ goto out;
+ } else {
++ struct timespec boot;
+
+ /* steal creds */
+ rsci.cred = ud->creds;
+@@ -1191,6 +1192,9 @@ static int gss_proxy_save_rsc(struct cac
+ &expiry, GFP_KERNEL);
+ if (status)
+ goto out;
++
++ getboottime(&boot);
++ expiry -= boot.tv_sec;
+ }
+
+ rsci.h.expiry_time = expiry;
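Review bot: Nothing in the code explains why the boot time is subtracted at `expiry -= boot.tv_sec;`, although that unit conversion is the entire fix. A comment above it such as `/* cache expiry_time is seconds since boot, not wall-clock time */` would keep a later cleanup from removing the subtraction and bringing back the cache entries that never expire. The declaration of `expiry` is outside both inner hunks, so it is worth confirming its type is signed and as wide as `tv_sec`. gss_proxy_save_rsc() starts and ends outside the hunks.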
diff --git a/queue-3.16/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch b/queue-3.16/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
new file mode 100644
index 00000000..b7edd992
--- /dev/null
+++ b/queue-3.16/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
@@ -0,0 +1,29 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 09:14:47 -0800
+Subject: tcp: clear tp->total_retrans in tcp_disconnect()
+
+commit c13c48c00a6bc1febc73902505bdec0967bd7095 upstream.
+
+total_retrans needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: SeongJae Park <sjpark@amazon.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2363,6 +2363,7 @@ int tcp_disconnect(struct sock *sk, int
+ tp->window_clamp = 0;
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tcp_clear_retrans(tp);
++ tp->total_retrans = 0;
+ inet_csk_delack_init(sk);
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window()
diff --git a/queue-3.16/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch b/queue-3.16/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch
new file mode 100644
index 00000000..1ec0f165
--- /dev/null
+++ b/queue-3.16/tracing-fix-tracing_stat-return-values-in-error-handling-paths.patch
@@ -0,0 +1,52 @@
+From: Luis Henriques <luis.henriques@canonical.com>
+Date: Tue, 9 Sep 2014 22:49:41 +0100
+Subject: tracing: Fix tracing_stat return values in error handling paths
+
+commit afccc00f75bbbee4e4ae833a96c2d29a7259c693 upstream.
+
+tracing_stat_init() was always returning '0', even on the error paths. It
+now returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails
+to created the 'trace_stat' debugfs directory.
+
+Link: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com
+
+Fixes: ed6f1c996bfe4 ("tracing: Check return value of tracing_init_dentry()")
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+[ Pulled from the archeological digging of my INBOX ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/trace/trace_stat.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_stat.c
++++ b/kernel/trace/trace_stat.c
+@@ -277,19 +277,23 @@ static int tracing_stat_init(void)
+
+ d_tracing = tracing_init_dentry();
+ if (!d_tracing)
+- return 0;
++ return -ENODEV;
+
+ stat_dir = debugfs_create_dir("trace_stat", d_tracing);
+- if (!stat_dir)
++ if (!stat_dir) {
+ pr_warning("Could not create debugfs "
+ "'trace_stat' entry\n");
++ return -ENOMEM;
++ }
+ return 0;
+ }
+
+ static int init_stat_file(struct stat_session *session)
+ {
+- if (!stat_dir && tracing_stat_init())
+- return -ENODEV;
++ int ret;
++
++ if (!stat_dir && (ret = tracing_stat_init()))
++ return ret;
+
+ session->file = debugfs_create_file(session->ts->name, 0644,
+ stat_dir,
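Review bot: The assignment buried in the condition at `if (!stat_dir && (ret = tracing_stat_init()))` is easy to misread as a comparison and is the form kernel style checkers warn about. Testing `!stat_dir` on its own and then writing `ret = tracing_stat_init();` followed by `if (ret) return ret;` inside that block does the same thing with no side effect in the test. init_stat_file() continues past the end of the hunk.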
diff --git a/queue-3.16/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch b/queue-3.16/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch
new file mode 100644
index 00000000..9573ecde
--- /dev/null
+++ b/queue-3.16/tracing-fix-very-unlikely-race-of-registering-two-stat-tracers.patch
@@ -0,0 +1,79 @@
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 24 Jan 2020 17:47:49 -0500
+Subject: tracing: Fix very unlikely race of registering two stat tracers
+
+commit dfb6cd1e654315168e36d947471bd2a0ccd834ae upstream.
+
+Looking through old emails in my INBOX, I came across a patch from Luis
+Henriques that attempted to fix a race of two stat tracers registering the
+same stat trace (extremely unlikely, as this is done in the kernel, and
+probably doesn't even exist). The submitted patch wasn't quite right as it
+needed to deal with clean up a bit better (if two stat tracers were the
+same, it would have the same files).
+
+But to make the code cleaner, all we needed to do is to keep the
+all_stat_sessions_mutex held for most of the registering function.
+
+Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com
+
+Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine")
+Reported-by: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/trace/trace_stat.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/kernel/trace/trace_stat.c
++++ b/kernel/trace/trace_stat.c
+@@ -302,7 +302,7 @@ static int init_stat_file(struct stat_se
+ int register_stat_tracer(struct tracer_stat *trace)
+ {
+ struct stat_session *session, *node;
+- int ret;
++ int ret = -EINVAL;
+
+ if (!trace)
+ return -EINVAL;
+@@ -313,17 +313,15 @@ int register_stat_tracer(struct tracer_s
+ /* Already registered? */
+ mutex_lock(&all_stat_sessions_mutex);
+ list_for_each_entry(node, &all_stat_sessions, session_list) {
+- if (node->ts == trace) {
+- mutex_unlock(&all_stat_sessions_mutex);
+- return -EINVAL;
+- }
++ if (node->ts == trace)
++ goto out;
+ }
+- mutex_unlock(&all_stat_sessions_mutex);
+
++ ret = -ENOMEM;
+ /* Init the session */
+ session = kzalloc(sizeof(*session), GFP_KERNEL);
+ if (!session)
+- return -ENOMEM;
++ goto out;
+
+ session->ts = trace;
+ INIT_LIST_HEAD(&session->session_list);
+@@ -332,15 +330,16 @@ int register_stat_tracer(struct tracer_s
+ ret = init_stat_file(session);
+ if (ret) {
+ destroy_session(session);
+- return ret;
++ goto out;
+ }
+
++ ret = 0;
+ /* Register */
+- mutex_lock(&all_stat_sessions_mutex);
+ list_add_tail(&session->session_list, &all_stat_sessions);
++ out:
+ mutex_unlock(&all_stat_sessions_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ void unregister_stat_tracer(struct tracer_stat *trace)
diff --git a/queue-3.16/ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch b/queue-3.16/ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch
new file mode 100644
index 00000000..55d936fd
--- /dev/null
+++ b/queue-3.16/ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch
@@ -0,0 +1,56 @@
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Sat, 11 Jan 2020 17:50:36 +0800
+Subject: ubifs: Fix deadlock in concurrent bulk-read and writepage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit f5de5b83303e61b1f3fb09bd77ce3ac2d7a475f2 upstream.
+
+In ubifs, concurrent execution of writepage and bulk read on the same file
+may cause ABBA deadlock, for example (Reproduce method see Link):
+
+Process A(Bulk-read starts from page4) Process B(write page4 back)
+ vfs_read wb_workfn or fsync
+ ... ...
+ generic_file_buffered_read write_cache_pages
+ ubifs_readpage LOCK(page4)
+
+ ubifs_bulk_read ubifs_writepage
+ LOCK(ui->ui_mutex) ubifs_write_inode
+
+ ubifs_do_bulk_read LOCK(ui->ui_mutex)
+ find_or_create_page(alloc page4) ↑
+ LOCK(page4) <-- ABBA deadlock occurs!
+
+In order to ensure the serialization execution of bulk read, we can't
+remove the big lock 'ui->ui_mutex' in ubifs_bulk_read(). Instead, we
+allow ubifs_do_bulk_read() to lock page failed by replacing
+find_or_create_page(FGP_LOCK) with
+pagecache_get_page(FGP_LOCK | FGP_NOWAIT).
+
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Suggested-by: zhangyi (F) <yi.zhang@huawei.com>
+Fixes: 4793e7c5e1c ("UBIFS: add bulk-read facility")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206153
+Signed-off-by: Richard Weinberger <richard@nod.at>
+[bwh: Backported to 3.16: Keep using constant GFP flags parameter.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ubifs/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/file.c
++++ b/fs/ubifs/file.c
+@@ -782,8 +782,9 @@ static int ubifs_do_bulk_read(struct ubi
+
+ if (page_offset > end_index)
+ break;
+- page = find_or_create_page(mapping, page_offset,
+- GFP_NOFS | __GFP_COLD);
++ page = pagecache_get_page(mapping, page_offset,
++ FGP_LOCK|FGP_ACCESSED|FGP_CREAT|FGP_NOWAIT,
++ GFP_NOFS | __GFP_COLD);
+ if (!page)
+ break;
+ if (!PageUptodate(page))
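Review bot: The `if (!page) break;` after the new call now covers two different outcomes, an allocation failure and a page that another task already holds locked (FGP_NOWAIT), and only the patch description says the second one is intentional. A comment at the call, for example `/* FGP_NOWAIT: give up on a locked page instead of sleeping under ui_mutex */`, would keep the flag from being dropped as an apparent oversight and reintroducing the ABBA deadlock. ubifs_do_bulk_read() starts and ends outside the hunk, so how a shortened bulk read is handled by the caller is not visible here.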
diff --git a/queue-3.16/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch b/queue-3.16/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
new file mode 100644
index 00000000..294b4d84
--- /dev/null
+++ b/queue-3.16/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
@@ -0,0 +1,32 @@
+From: Bin Liu <b-liu@ti.com>
+Date: Wed, 11 Dec 2019 10:10:03 -0600
+Subject: usb: dwc3: turn off VBUS when leaving host mode
+
+commit 09ed259fac621634d51cd986aa8d65f035662658 upstream.
+
+VBUS should be turned off when leaving the host mode.
+Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to
+turn off VBUS power.
+
+Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function")
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/dwc3/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -614,6 +614,9 @@ static void dwc3_core_exit_mode(struct d
+ /* do nothing */
+ break;
+ }
++
++ /* de-assert DRVVBUS for HOST and OTG mode */
++ dwc3_set_mode(dwc, DWC3_GCTL_PRTCAP_DEVICE);
+ }
+
+ #define DWC3_ALIGN_MASK (16 - 1)
diff --git a/queue-3.16/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch b/queue-3.16/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
new file mode 100644
index 00000000..5cdc7965
--- /dev/null
+++ b/queue-3.16/usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
@@ -0,0 +1,88 @@
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 9 Jan 2020 13:17:22 +0000
+Subject: usb: gadget: f_ecm: Use atomic_t to track in-flight request
+
+commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream.
+
+Currently ecm->notify_req is used to flag when a request is in-flight.
+ecm->notify_req is set to NULL and when a request completes it is
+subsequently reset.
+
+This is fundamentally buggy in that the unbind logic of the ECM driver will
+unconditionally free ecm->notify_req leading to a NULL pointer dereference.
+
+Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/gadget/f_ecm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/f_ecm.c
++++ b/drivers/usb/gadget/f_ecm.c
+@@ -56,6 +56,7 @@ struct f_ecm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ /* FIXME is_open needs some irq-ish locking
+@@ -384,7 +385,7 @@ static void ecm_do_notify(struct f_ecm *
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ecm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -424,10 +425,10 @@ static void ecm_do_notify(struct f_ecm *
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ecm->ctrl_id);
+
+- ecm->notify_req = NULL;
++ atomic_inc(&ecm->notify_count);
+ status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC);
+ if (status < 0) {
+- ecm->notify_req = req;
++ atomic_dec(&ecm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -452,17 +453,19 @@ static void ecm_notify_complete(struct u
+ switch (req->status) {
+ case 0:
+ /* no fault */
++ atomic_dec(&ecm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ecm->notify_count, 0);
+ ecm->notify_state = ECM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ecm->notify_count);
+ break;
+ }
+- ecm->notify_req = req;
+ ecm_do_notify(ecm);
+ }
+
+@@ -922,6 +925,11 @@ static void ecm_unbind(struct usb_config
+
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ecm->notify_count)) {
++ usb_ep_dequeue(ecm->notify, ecm->notify_req);
++ atomic_set(&ecm->notify_count, 0);
++ }
++
+ kfree(ecm->notify_req->buf);
+ usb_ep_free_request(ecm->notify, ecm->notify_req);
+ }
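Review bot: In ecm_do_notify() the in-flight test `if (atomic_read(&ecm->notify_count)) return;` and the later `atomic_inc(&ecm->notify_count);` are separate steps, so making the counter an atomic_t does not by itself stop two callers from both passing the test and queueing the same `req`. Whether the callers are already serialised is not visible in these hunks, and the struct's own FIXME notes that `is_open` still lacks locking, so a comment above the test naming what serialises ecm_do_notify() would settle it. In ecm_unbind() the added block ignores the return value of `usb_ep_dequeue()` before the buffer and request are freed; a one-line comment on why that is safe there would help the next reader. The functions touched all begin or end outside their hunks.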
diff --git a/queue-3.16/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch b/queue-3.16/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch
new file mode 100644
index 00000000..c6c7b688
--- /dev/null
+++ b/queue-3.16/usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch
@@ -0,0 +1,94 @@
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 9 Jan 2020 13:17:21 +0000
+Subject: usb: gadget: f_ncm: Use atomic_t to track in-flight request
+
+commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream.
+
+Currently ncm->notify_req is used to flag when a request is in-flight.
+ncm->notify_req is set to NULL and when a request completes it is
+subsequently reset.
+
+This is fundamentally buggy in that the unbind logic of the NCM driver will
+unconditionally free ncm->notify_req leading to a NULL pointer dereference.
+
+Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/gadget/f_ncm.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/f_ncm.c
++++ b/drivers/usb/gadget/f_ncm.c
+@@ -57,6 +57,7 @@ struct f_ncm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ const struct ndp_parser_opts *parser_opts;
+@@ -460,7 +461,7 @@ static void ncm_do_notify(struct f_ncm *
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ncm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -500,7 +501,8 @@ static void ncm_do_notify(struct f_ncm *
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ncm->ctrl_id);
+
+- ncm->notify_req = NULL;
++ atomic_inc(&ncm->notify_count);
++
+ /*
+ * In double buffering if there is a space in FIFO,
+ * completion callback can be called right after the call,
+@@ -510,7 +512,7 @@ static void ncm_do_notify(struct f_ncm *
+ status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
+ spin_lock(&ncm->lock);
+ if (status < 0) {
+- ncm->notify_req = req;
++ atomic_dec(&ncm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -545,17 +547,19 @@ static void ncm_notify_complete(struct u
+ case 0:
+ VDBG(cdev, "Notification %02x sent\n",
+ event->bNotificationType);
++ atomic_dec(&ncm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ncm->notify_count, 0);
+ ncm->notify_state = NCM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ncm->notify_count);
+ break;
+ }
+- ncm->notify_req = req;
+ ncm_do_notify(ncm);
+ spin_unlock(&ncm->lock);
+ }
+@@ -1382,6 +1386,11 @@ static void ncm_unbind(struct usb_config
+
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ncm->notify_count)) {
++ usb_ep_dequeue(ncm->notify, ncm->notify_req);
++ atomic_set(&ncm->notify_count, 0);
++ }
++
+ kfree(ncm->notify_req->buf);
+ usb_ep_free_request(ncm->notify, ncm->notify_req);
+ }
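Review bot: In the ncm_unbind() hunk the return value of `usb_ep_dequeue()` is dropped and the request buffer and request are freed on the next two lines, so the free is safe only if the controller driver has finished with the request by the time the dequeue returns. Whether that holds depends on the UDC driver, which is not visible here; if the completion can run later, `ncm_notify_complete()` would dereference a freed `usb_request`. At minimum the assumption should be recorded, e.g. `/* relies on usb_ep_dequeue() having completed the request before returning */`. The ecm_unbind() change in the f_ecm patch just above has the same shape. ncm_unbind() starts outside the hunk.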
diff --git a/queue-3.16/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch b/queue-3.16/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
new file mode 100644
index 00000000..36b8baff
--- /dev/null
+++ b/queue-3.16/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
@@ -0,0 +1,35 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:26 +0100
+Subject: USB: serial: ir-usb: add missing endpoint sanity check
+
+commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream.
+
+Add missing endpoint sanity check to avoid dereferencing a NULL-pointer
+on open() in case a device lacks a bulk-out endpoint.
+
+Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using
+generic framework") the oops would instead happen on open() if the
+device lacked a bulk-in endpoint and on write() if it lacked a bulk-out
+endpoint.
+
+Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/ir-usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -199,6 +199,9 @@ static int ir_startup(struct usb_serial
+ struct usb_irda_cs_descriptor *irda_desc;
+ int rates;
+
++ if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1)
++ return -ENODEV;
++
+ irda_desc = irda_usb_find_class_desc(serial, 0);
+ if (!irda_desc) {
+ dev_err(&serial->dev->dev,
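Review bot: The new endpoint check in ir_startup() returns -ENODEV without logging, while the class-descriptor failure a few lines below reports through `dev_err()`, so a device rejected here leaves no trace in the kernel log. The endpoint counts reflect what the attached device declares, and a message makes it easier to triage a malformed or unexpected device that fails to bind. Something like `dev_err(&serial->dev->dev, "missing bulk endpoints\n");` before the return (with braces added to the `if`) would match the surrounding style. ir_startup() starts and ends outside this hunk.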
diff --git a/queue-3.16/usb-serial-ir-usb-fix-irlap-framing.patch b/queue-3.16/usb-serial-ir-usb-fix-irlap-framing.patch
new file mode 100644
index 00000000..5dd17fc7
--- /dev/null
+++ b/queue-3.16/usb-serial-ir-usb-fix-irlap-framing.patch
@@ -0,0 +1,168 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:28 +0100
+Subject: USB: serial: ir-usb: fix IrLAP framing
+
+commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream.
+
+Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+switched to using the generic write implementation which may combine
+multiple write requests into larger transfers. This can break the IrLAP
+protocol where end-of-frame is determined using the USB short packet
+mechanism, for example, if multiple frames are sent in rapid succession.
+
+Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/ir-usb.c | 113 +++++++++++++++++++++++++++++-------
+ 1 file changed, 91 insertions(+), 22 deletions(-)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -49,9 +49,10 @@ static int buffer_size;
+ static int xbof = -1;
+
+ static int ir_startup (struct usb_serial *serial);
+-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port);
+-static int ir_prepare_write_buffer(struct usb_serial_port *port,
+- void *dest, size_t size);
++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
++ const unsigned char *buf, int count);
++static int ir_write_room(struct tty_struct *tty);
++static void ir_write_bulk_callback(struct urb *urb);
+ static void ir_process_read_urb(struct urb *urb);
+ static void ir_set_termios(struct tty_struct *tty,
+ struct usb_serial_port *port, struct ktermios *old_termios);
+@@ -81,8 +82,9 @@ static struct usb_serial_driver ir_devic
+ .num_ports = 1,
+ .set_termios = ir_set_termios,
+ .attach = ir_startup,
+- .open = ir_open,
+- .prepare_write_buffer = ir_prepare_write_buffer,
++ .write = ir_write,
++ .write_room = ir_write_room,
++ .write_bulk_callback = ir_write_bulk_callback,
+ .process_read_urb = ir_process_read_urb,
+ };
+
+@@ -258,35 +260,102 @@ static int ir_startup(struct usb_serial
+ return 0;
+ }
+
+-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
++ const unsigned char *buf, int count)
+ {
+- int i;
++ struct urb *urb = NULL;
++ unsigned long flags;
++ int ret;
+
+- for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i)
+- port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET;
++ if (port->bulk_out_size == 0)
++ return -EINVAL;
+
+- /* Start reading from the device */
+- return usb_serial_generic_open(tty, port);
+-}
++ if (count == 0)
++ return 0;
+
+-static int ir_prepare_write_buffer(struct usb_serial_port *port,
+- void *dest, size_t size)
+-{
+- unsigned char *buf = dest;
+- int count;
++ count = min(count, port->bulk_out_size - 1);
++
++ spin_lock_irqsave(&port->lock, flags);
++ if (__test_and_clear_bit(0, &port->write_urbs_free)) {
++ urb = port->write_urbs[0];
++ port->tx_bytes += count;
++ }
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ if (!urb)
++ return 0;
+
+ /*
+ * The first byte of the packet we send to the device contains an
+- * inbound header which indicates an additional number of BOFs and
++ * outbound header which indicates an additional number of BOFs and
+ * a baud rate change.
+ *
+ * See section 5.4.2.2 of the USB IrDA spec.
+ */
+- *buf = ir_xbof | ir_baud;
++ *(u8 *)urb->transfer_buffer = ir_xbof | ir_baud;
++
++ memcpy(urb->transfer_buffer + 1, buf, count);
++
++ urb->transfer_buffer_length = count + 1;
++ urb->transfer_flags = URB_ZERO_PACKET;
++
++ ret = usb_submit_urb(urb, GFP_ATOMIC);
++ if (ret) {
++ dev_err(&port->dev, "failed to submit write urb: %d\n", ret);
++
++ spin_lock_irqsave(&port->lock, flags);
++ __set_bit(0, &port->write_urbs_free);
++ port->tx_bytes -= count;
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ return ret;
++ }
++
++ return count;
++}
++
++static void ir_write_bulk_callback(struct urb *urb)
++{
++ struct usb_serial_port *port = urb->context;
++ int status = urb->status;
++ unsigned long flags;
++
++ spin_lock_irqsave(&port->lock, flags);
++ __set_bit(0, &port->write_urbs_free);
++ port->tx_bytes -= urb->transfer_buffer_length - 1;
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ switch (status) {
++ case 0:
++ break;
++ case -ENOENT:
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ dev_dbg(&port->dev, "write urb stopped: %d\n", status);
++ return;
++ case -EPIPE:
++ dev_err(&port->dev, "write urb stopped: %d\n", status);
++ return;
++ default:
++ dev_err(&port->dev, "nonzero write-urb status: %d\n", status);
++ break;
++ }
++
++ usb_serial_port_softint(port);
++}
++
++static int ir_write_room(struct tty_struct *tty)
++{
++ struct usb_serial_port *port = tty->driver_data;
++ int count = 0;
++
++ if (port->bulk_out_size == 0)
++ return 0;
++
++ if (test_bit(0, &port->write_urbs_free))
++ count = port->bulk_out_size - 1;
+
+- count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1,
+- &port->lock);
+- return count + 1;
++ return count;
+ }
+
+ static void ir_process_read_urb(struct urb *urb)
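Review bot: ir_write() rejects only `bulk_out_size == 0`, but the clamp `count = min(count, port->bulk_out_size - 1)` reduces count to 0 when bulk_out_size is 1, and that happens after the `count == 0` early return has already been passed. In that case the function would still claim write URB 0, submit a transfer holding only the header byte, and return 0 to the caller. Whether a size of 1 can reach this code depends on how bulk_out_size is derived from the endpoint descriptor and the module parameter, which is outside the hunk. If it can, tightening the first guard to `if (port->bulk_out_size < 2)` followed by `return -EINVAL;` closes the gap, and ir_write_room() could use the same bound.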
diff --git a/queue-3.16/usb-serial-ir-usb-fix-link-speed-handling.patch b/queue-3.16/usb-serial-ir-usb-fix-link-speed-handling.patch
new file mode 100644
index 00000000..9c77c41f
--- /dev/null
+++ b/queue-3.16/usb-serial-ir-usb-fix-link-speed-handling.patch
@@ -0,0 +1,97 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:27 +0100
+Subject: USB: serial: ir-usb: fix link-speed handling
+
+commit 17a0184ca17e288decdca8b2841531e34d49285f upstream.
+
+Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB
+IrDA header with common defines, but mistakingly switched to using the
+class-descriptor baud-rate bitmask values for the outbound header.
+
+This broke link-speed handling for rates above 9600 baud, but a device
+would also be able to operate at the default 9600 baud until a
+link-speed request was issued (e.g. using the TCGETS ioctl).
+
+Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
+Cc: Felipe Balbi <balbi@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/ir-usb.c | 20 ++++++++++----------
+ include/linux/usb/irda.h | 13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -339,34 +339,34 @@ static void ir_set_termios(struct tty_st
+
+ switch (baud) {
+ case 2400:
+- ir_baud = USB_IRDA_BR_2400;
++ ir_baud = USB_IRDA_LS_2400;
+ break;
+ case 9600:
+- ir_baud = USB_IRDA_BR_9600;
++ ir_baud = USB_IRDA_LS_9600;
+ break;
+ case 19200:
+- ir_baud = USB_IRDA_BR_19200;
++ ir_baud = USB_IRDA_LS_19200;
+ break;
+ case 38400:
+- ir_baud = USB_IRDA_BR_38400;
++ ir_baud = USB_IRDA_LS_38400;
+ break;
+ case 57600:
+- ir_baud = USB_IRDA_BR_57600;
++ ir_baud = USB_IRDA_LS_57600;
+ break;
+ case 115200:
+- ir_baud = USB_IRDA_BR_115200;
++ ir_baud = USB_IRDA_LS_115200;
+ break;
+ case 576000:
+- ir_baud = USB_IRDA_BR_576000;
++ ir_baud = USB_IRDA_LS_576000;
+ break;
+ case 1152000:
+- ir_baud = USB_IRDA_BR_1152000;
++ ir_baud = USB_IRDA_LS_1152000;
+ break;
+ case 4000000:
+- ir_baud = USB_IRDA_BR_4000000;
++ ir_baud = USB_IRDA_LS_4000000;
+ break;
+ default:
+- ir_baud = USB_IRDA_BR_9600;
++ ir_baud = USB_IRDA_LS_9600;
+ baud = 9600;
+ }
+
+--- a/include/linux/usb/irda.h
++++ b/include/linux/usb/irda.h
+@@ -118,11 +118,22 @@ struct usb_irda_cs_descriptor {
+ * 6 - 115200 bps
+ * 7 - 576000 bps
+ * 8 - 1.152 Mbps
+- * 9 - 5 mbps
++ * 9 - 4 Mbps
+ * 10..15 - Reserved
+ */
+ #define USB_IRDA_STATUS_LINK_SPEED 0x0f
+
++#define USB_IRDA_LS_NO_CHANGE 0
++#define USB_IRDA_LS_2400 1
++#define USB_IRDA_LS_9600 2
++#define USB_IRDA_LS_19200 3
++#define USB_IRDA_LS_38400 4
++#define USB_IRDA_LS_57600 5
++#define USB_IRDA_LS_115200 6
++#define USB_IRDA_LS_576000 7
++#define USB_IRDA_LS_1152000 8
++#define USB_IRDA_LS_4000000 9
++
+ /* The following is a 4-bit value used only for
+ * outbound header:
+ *
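Review bot: The new `USB_IRDA_LS_*` defines in include/linux/usb/irda.h have no comment of their own, and they sit between the inbound status-byte description and the outbound-header comment, so it is not obvious which field they encode. The patch description says the earlier regression came from confusing them with the class-descriptor `USB_IRDA_BR_*` bitmask values, so a comment above the block would help prevent a repeat, e.g. `/* Link-speed field values (enumerated, not a bitmask); do not mix with USB_IRDA_BR_* */`. In ir_set_termios() the `default:` arm also ends without a `break;`, unlike every other case in the switch. ir_set_termios() itself starts and ends outside the hunk.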
diff --git a/queue-3.16/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear.patch b/queue-3.16/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear.patch
new file mode 100644
index 00000000..3061f370
--- /dev/null
+++ b/queue-3.16/x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl_cpuid_clear.patch
@@ -0,0 +1,58 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Fri, 10 Jan 2020 14:50:54 -0800
+Subject: x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
+
+commit 5efc6fa9044c3356d6046c6e1da6d02572dbed6b upstream.
+
+/proc/cpuinfo currently reports Hardware Lock Elision (HLE) feature to
+be present on boot cpu even if it was disabled during the bootup. This
+is because cpuinfo_x86->x86_capability HLE bit is not updated after TSX
+state is changed via the new MSR IA32_TSX_CTRL.
+
+Update the cached HLE bit also since it is expected to change after an
+update to CPUID_CLEAR bit in MSR IA32_TSX_CTRL.
+
+Fixes: 95c5824f75f3 ("x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default")
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
+Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/2529b99546294c893dfa1c89e2b3e46da3369a59.1578685425.git.pawan.kumar.gupta@linux.intel.com
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kernel/cpu/tsx.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/tsx.c
++++ b/arch/x86/kernel/cpu/tsx.c
+@@ -115,11 +115,12 @@ void __init tsx_init(void)
+ tsx_disable();
+
+ /*
+- * tsx_disable() will change the state of the
+- * RTM CPUID bit. Clear it here since it is now
+- * expected to be not set.
++ * tsx_disable() will change the state of the RTM and HLE CPUID
++ * bits. Clear them here since they are now expected to be not
++ * set.
+ */
+ setup_clear_cpu_cap(X86_FEATURE_RTM);
++ setup_clear_cpu_cap(X86_FEATURE_HLE);
+ } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) {
+
+ /*
+@@ -131,10 +132,10 @@ void __init tsx_init(void)
+ tsx_enable();
+
+ /*
+- * tsx_enable() will change the state of the
+- * RTM CPUID bit. Force it here since it is now
+- * expected to be set.
++ * tsx_enable() will change the state of the RTM and HLE CPUID
++ * bits. Force them here since they are now expected to be set.
+ */
+ setup_force_cpu_cap(X86_FEATURE_RTM);
++ setup_force_cpu_cap(X86_FEATURE_HLE);
+ }
+ }
diff --git a/queue-3.16/x86-kvm-avoid-unused-variable-warning.patch b/queue-3.16/x86-kvm-avoid-unused-variable-warning.patch
new file mode 100644
index 00000000..d05370a0
--- /dev/null
+++ b/queue-3.16/x86-kvm-avoid-unused-variable-warning.patch
@@ -0,0 +1,41 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 20 Aug 2018 23:37:50 +0200
+Subject: x86: kvm: avoid unused variable warning
+
+commit 7288bde1f9df6c1475675419bdd7725ce84dec56 upstream.
+
+Removing one of the two accesses of the maxphyaddr variable led to
+a harmless warning:
+
+arch/x86/kvm/x86.c: In function 'kvm_set_mmio_spte_mask':
+arch/x86/kvm/x86.c:6563:6: error: unused variable 'maxphyaddr' [-Werror=unused-variable]
+
+Removing the #ifdef seems to be the nicest workaround, as it
+makes the code look cleaner than adding another #ifdef.
+
+Fixes: 28a1f3ac1d0c ("kvm: x86: Set highest physical address bits in non-present/reserved SPTEs")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5730,14 +5730,12 @@ static void kvm_set_mmio_spte_mask(void)
+ /* Set the present bit. */
+ mask |= 1ull;
+
+-#ifdef CONFIG_X86_64
+ /*
+ * If reserved bit is not supported, clear the present bit to disable
+ * mmio page fault.
+ */
+- if (maxphyaddr == 52)
++ if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)
+ mask &= ~1ull;
+-#endif
+
+ kvm_mmu_set_mmio_spte_mask(mask);
+ }
diff --git a/queue-3.16/zd1211rw-fix-storage-endpoint-lookup.patch b/queue-3.16/zd1211rw-fix-storage-endpoint-lookup.patch
new file mode 100644
index 00000000..d1bdab6d
--- /dev/null
+++ b/queue-3.16/zd1211rw-fix-storage-endpoint-lookup.patch
@@ -0,0 +1,33 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:26 +0100
+Subject: zd1211rw: fix storage endpoint lookup
+
+commit 2d68bb2687abb747558b933e80845ff31570a49c upstream.
+
+Make sure to use the current alternate setting when verifying the
+storage interface descriptors to avoid submitting an URB to an invalid
+endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/zd1211rw/zd_usb.c
++++ b/drivers/net/wireless/zd1211rw/zd_usb.c
+@@ -1272,7 +1272,7 @@ static void print_id(struct usb_device *
+ static int eject_installer(struct usb_interface *intf)
+ {
+ struct usb_device *udev = interface_to_usbdev(intf);
+- struct usb_host_interface *iface_desc = &intf->altsetting[0];
++ struct usb_host_interface *iface_desc = intf->cur_altsetting;
+ struct usb_endpoint_descriptor *endpoint;
+ unsigned char *cmd;
+ u8 bulk_out_ep;
diff --git a/upstream-head b/upstream-head
index f9213df2..bda8e6bb 100644
--- a/upstream-head
+++ b/upstream-head
@@ -1 +1 @@
-d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
+bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9