author | Ben Hutchings <ben@decadent.org.uk> | 2019-08-13 12:41:17 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-08-13 12:41:17 +0100 |
commit | 08e9a777ccfca2faaeb7a8968c35b74690b39946 (patch) | |
tree | 927a70b5e17523f3d40b19e1f51104196517714b /queue-3.16 | |
parent | 9257e547aff2138f98edd6a80274e2e7433867ad (diff) | |
download | linux-stable-queue-08e9a777ccfca2faaeb7a8968c35b74690b39946.tar.gz |
Release 3.16.72
Diffstat (limited to 'queue-3.16')
157 files changed, 0 insertions, 11841 deletions
diff --git a/queue-3.16/3c515-fix-integer-overflow-warning.patch b/queue-3.16/3c515-fix-integer-overflow-warning.patch deleted file mode 100644 index cb28daf4..00000000 --- a/queue-3.16/3c515-fix-integer-overflow-warning.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Arnd Bergmann <arnd@arndb.de> -Date: Tue, 19 Mar 2019 22:15:58 +0100 -Subject: 3c515: fix integer overflow warning - -commit fb6fafbc7de4a813bb5364358bbe27f71e62b24a upstream. - -clang points out a harmless signed integer overflow: - -drivers/net/ethernet/3com/3c515.c:1530:66: error: implicit conversion from 'int' to 'short' changes value from 32783 to -32753 [-Werror,-Wconstant-conversion] - new_mode = SetRxFilter | RxStation | RxMulticast | RxBroadcast | RxProm; - ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~ -drivers/net/ethernet/3com/3c515.c:1532:52: error: implicit conversion from 'int' to 'short' changes value from 32775 to -32761 [-Werror,-Wconstant-conversion] - new_mode = SetRxFilter | RxStation | RxMulticast | RxBroadcast; - ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ -drivers/net/ethernet/3com/3c515.c:1534:38: error: implicit conversion from 'int' to 'short' changes value from 32773 to -32763 [-Werror,-Wconstant-conversion] - new_mode = SetRxFilter | RxStation | RxBroadcast; - ~ ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ - -Make the variable unsigned to avoid the overflow. - -Fixes: Linux-2.1.128pre1 -Signed-off-by: Arnd Bergmann <arnd@arndb.de> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ethernet/3com/3c515.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/3com/3c515.c -+++ b/drivers/net/ethernet/3com/3c515.c -@@ -1524,7 +1524,7 @@ static void update_stats(int ioaddr, str - static void set_rx_mode(struct net_device *dev) - { - int ioaddr = dev->base_addr; -- short new_mode; -+ unsigned short new_mode; - - if (dev->flags & IFF_PROMISC) { - if (corkscrew_debug > 3) diff --git a/queue-3.16/acpica-namespace-remove-address-node-from-global-list-after-method.patch b/queue-3.16/acpica-namespace-remove-address-node-from-global-list-after-method.patch deleted file mode 100644 index d61f15f3..00000000 
--- a/queue-3.16/acpica-namespace-remove-address-node-from-global-list-after-method.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From: Erik Schmauss <erik.schmauss@intel.com> -Date: Mon, 8 Apr 2019 13:42:26 -0700 -Subject: ACPICA: Namespace: remove address node from global list after method - termination - -commit c5781ffbbd4f742a58263458145fe7f0ac01d9e0 upstream. - -ACPICA commit b233720031a480abd438f2e9c643080929d144c3 - -ASL operation_regions declare a range of addresses that it uses. In a -perfect world, the range of addresses should be used exclusively by -the AML interpreter. The OS can use this information to decide which -drivers to load so that the AML interpreter and device drivers use -different regions of memory. - -During table load, the address information is added to a global -address range list. Each node in this list contains an address range -as well as a namespace node of the operation_region. This list is -deleted at ACPI shutdown. - -Unfortunately, ASL operation_regions can be declared inside of control -methods. Although this is not recommended, modern firmware contains -such code. New module level code changes unintentionally removed the -functionality of adding and removing nodes to the global address -range list. - -A few months ago, support for adding addresses has been re- -implemented. However, the removal of the address range list was -missed and resulted in some systems to crash due to the address list -containing bogus namespace nodes from operation_regions declared in -control methods. In order to fix the crash, this change removes -dynamic operation_regions after control method termination. - -Link: https://github.com/acpica/acpica/commit/b2337200 -Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475 -Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization") -Reported-by: Michael J Gruber <mjg@fedoraproject.org> -Signed-off-by: Erik Schmauss <erik.schmauss@intel.com> -Signed-off-by: Bob Moore <robert.moore@intel.com> -Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki@intel.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/acpi/acpica/nsobject.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/acpi/acpica/nsobject.c -+++ b/drivers/acpi/acpica/nsobject.c -@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_n - } - } - -+ if (obj_desc->common.type == ACPI_TYPE_REGION) { -+ acpi_ut_remove_address_range(obj_desc->region.space_id, node); -+ } -+ - /* Clear the Node entry in all cases */ - - node->object = NULL; diff --git a/queue-3.16/afs-fix-storedata-op-marshalling.patch b/queue-3.16/afs-fix-storedata-op-marshalling.patch deleted file mode 100644 index fa34ac23..00000000 --- a/queue-3.16/afs-fix-storedata-op-marshalling.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From: David Howells <dhowells@redhat.com> -Date: Wed, 27 Mar 2019 22:48:02 +0000 -Subject: afs: Fix StoreData op marshalling - -commit 8c7ae38d1ce12a0eaeba655df8562552b3596c7f upstream. - -The marshalling of AFS.StoreData, AFS.StoreData64 and YFS.StoreData64 calls -generated by ->setattr() ops for the purpose of expanding a file is -incorrect due to older documentation incorrectly describing the way the RPC -'FileLength' parameter is meant to work. - -The older documentation says that this is the length the file is meant to -end up at the end of the operation; however, it was never implemented this -way in any of the servers, but rather the file is truncated down to this -before the write operation is effected, and never expanded to it (and, -indeed, it was renamed to 'TruncPos' in 2014). - -Fix this by setting the position parameter to the new file length and doing -a zero-lengh write there. - -The bug causes Xwayland to SIGBUS due to unexpected non-expansion of a file -it then mmaps. 
This can be tested by giving the following test program a -filename in an AFS directory: - - #include <stdio.h> - #include <stdlib.h> - #include <unistd.h> - #include <fcntl.h> - #include <sys/mman.h> - int main(int argc, char *argv[]) - { - char *p; - int fd; - if (argc != 2) { - fprintf(stderr, - "Format: test-trunc-mmap <file>\n"); - exit(2); - } - fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC); - if (fd < 0) { - perror(argv[1]); - exit(1); - } - if (ftruncate(fd, 0x140008) == -1) { - perror("ftruncate"); - exit(1); - } - p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, - MAP_SHARED, fd, 0); - if (p == MAP_FAILED) { - perror("mmap"); - exit(1); - } - p[0] = 'a'; - if (munmap(p, 4096) < 0) { - perror("munmap"); - exit(1); - } - if (close(fd) < 0) { - perror("close"); - exit(1); - } - exit(0); - } - -Fixes: 31143d5d515e ("AFS: implement basic file write support") -Reported-by: Jonathan Billings <jsbillin@umich.edu> -Tested-by: Jonathan Billings <jsbillin@umich.edu> -Signed-off-by: David Howells <dhowells@redhat.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16: drop change in yfsclient.c] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/afs/fsclient.c | 6 +++--- - fs/afs/yfsclient.c | 2 +- - 2 files changed, 4 insertions(+), 4 deletions(-) - ---- a/fs/afs/fsclient.c -+++ b/fs/afs/fsclient.c -@@ -1382,8 +1382,8 @@ static int afs_fs_setattr_size64(struct - - xdr_encode_AFS_StoreStatus(&bp, attr); - -- *bp++ = 0; /* position of start of write */ -- *bp++ = 0; -+ *bp++ = htonl(attr->ia_size >> 32); /* position of start of write */ -+ *bp++ = htonl((u32) attr->ia_size); - *bp++ = 0; /* size of write */ - *bp++ = 0; - *bp++ = htonl(attr->ia_size >> 32); /* new file length */ -@@ -1433,7 +1433,7 @@ static int afs_fs_setattr_size(struct af - - xdr_encode_AFS_StoreStatus(&bp, attr); - -- *bp++ = 0; /* position of start of write */ -+ *bp++ = htonl(attr->ia_size); /* position of start of write */ - *bp++ = 0; /* size of 
write */ - *bp++ = htonl(attr->ia_size); /* new file length */ - diff --git a/queue-3.16/alsa-core-fix-card-races-between-register-and-disconnect.patch b/queue-3.16/alsa-core-fix-card-races-between-register-and-disconnect.patch deleted file mode 100644 index d3d8f653..00000000 --- a/queue-3.16/alsa-core-fix-card-races-between-register-and-disconnect.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Tue, 16 Apr 2019 17:06:33 +0200 -Subject: ALSA: core: Fix card races between register and disconnect - -commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream. - -There is a small race window in the card disconnection code that -allows the registration of another card with the very same card id. -This leads to a warning in procfs creation as caught by syzkaller. - -The problem is that we delete snd_cards and snd_cards_lock entries at -the very beginning of the disconnection procedure. This makes the -slot available to be assigned for another card object while the -disconnection procedure is being processed. Then it becomes possible -to issue a procfs registration with the existing file name although we -check the conflict beforehand. - -The fix is simply to move the snd_cards and snd_cards_lock clearances -at the end of the disconnection procedure. The references to these -entries are merely either from the global proc files like -/proc/asound/cards or from the card registration / disconnection, so -it should be fine to shift at the very end. 
- -Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/core/init.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - ---- a/sound/core/init.c -+++ b/sound/core/init.c -@@ -389,14 +389,7 @@ int snd_card_disconnect(struct snd_card - card->shutdown = 1; - spin_unlock(&card->files_lock); - -- /* phase 1: disable fops (user space) operations for ALSA API */ -- mutex_lock(&snd_card_mutex); -- snd_cards[card->number] = NULL; -- clear_bit(card->number, snd_cards_lock); -- mutex_unlock(&snd_card_mutex); -- -- /* phase 2: replace file->f_op with special dummy operations */ -- -+ /* replace file->f_op with special dummy operations */ - spin_lock(&card->files_lock); - list_for_each_entry(mfile, &card->files_list, list) { - /* it's critical part, use endless loop */ -@@ -412,7 +405,7 @@ int snd_card_disconnect(struct snd_card - } - spin_unlock(&card->files_lock); - -- /* phase 3: notify all connected devices about disconnection */ -+ /* notify all connected devices about disconnection */ - /* at this point, they cannot respond to any calls except release() */ - - #if IS_ENABLED(CONFIG_SND_MIXER_OSS) -@@ -430,6 +423,13 @@ int snd_card_disconnect(struct snd_card - device_del(&card->card_dev); - card->registered = false; - } -+ -+ /* disable fops (user space) operations for ALSA API */ -+ mutex_lock(&snd_card_mutex); -+ snd_cards[card->number] = NULL; -+ clear_bit(card->number, snd_cards_lock); -+ mutex_unlock(&snd_card_mutex); -+ - #ifdef CONFIG_PM - wake_up(&card->power_sleep); - #endif diff --git a/queue-3.16/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch b/queue-3.16/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch deleted file mode 100644 index 1641bec8..00000000 --- a/queue-3.16/alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Mon, 25 Mar 2019 10:38:58 +0100 -Subject: ALSA: pcm: Don't suspend stream in unrecoverable PCM state - -commit 113ce08109f8e3b091399e7cc32486df1cff48e7 upstream. - -Currently PCM core sets each opened stream forcibly to SUSPENDED state -via snd_pcm_suspend_all() call, and the user-space is responsible for -re-triggering the resume manually either via snd_pcm_resume() or -prepare call. The scheme works fine usually, but there are corner -cases where the stream can't be resumed by that call: the streams -still in OPEN state before finishing hw_params. When they are -suspended, user-space cannot perform resume or prepare because they -haven't been set up yet. The only possible recovery is to re-open the -device, which isn't nice at all. Similarly, when a stream is in -DISCONNECTED state, it makes no sense to change it to SUSPENDED -state. Ditto for in SETUP state; which you can re-prepare directly. - -So, this patch addresses these issues by filtering the PCM streams to -be suspended by checking the PCM state. When a stream is in either -OPEN, SETUP or DISCONNECTED as well as already SUSPENDED, the suspend -action is skipped. - -To be noted, this problem was originally reported for the PCM runtime -PM on HD-audio. And, the runtime PM problem itself was already -addressed (although not intended) by the code refactoring commits -3d21ef0b49f8 ("ALSA: pcm: Suspend streams globally via device type PM -ops") and 17bc4815de58 ("ALSA: pci: Remove superfluous -snd_pcm_suspend*() calls"). These commits eliminated the -snd_pcm_suspend*() calls from the runtime PM suspend callback code -path, hence the racy OPEN state won't appear while runtime PM. -(FWIW, the race window is between snd_pcm_open_substream() and the -first power up in azx_pcm_open().) - -Although the runtime PM issue was already "fixed", the same problem is -still present for the system PM, hence this patch is still needed. 
-And for stable trees, this patch alone should suffice for fixing the -runtime PM problem, too. - -Reported-and-tested-by: Jon Hunter <jonathanh@nvidia.com> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/core/pcm_native.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - ---- a/sound/core/pcm_native.c -+++ b/sound/core/pcm_native.c -@@ -1063,8 +1063,15 @@ static int snd_pcm_pause(struct snd_pcm_ - static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state) - { - struct snd_pcm_runtime *runtime = substream->runtime; -- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED) -+ switch (runtime->status->state) { -+ case SNDRV_PCM_STATE_SUSPENDED: - return -EBUSY; -+ /* unresumable PCM state; return -EBUSY for skipping suspend */ -+ case SNDRV_PCM_STATE_OPEN: -+ case SNDRV_PCM_STATE_SETUP: -+ case SNDRV_PCM_STATE_DISCONNECTED: -+ return -EBUSY; -+ } - runtime->trigger_master = substream; - return 0; - } diff --git a/queue-3.16/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch b/queue-3.16/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch deleted file mode 100644 index 3fc32c88..00000000 --- a/queue-3.16/alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Fri, 22 Mar 2019 16:00:54 +0100 -Subject: ALSA: pcm: Fix possible OOB access in PCM oss plugins - -commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 upstream. - -The PCM OSS emulation converts and transfers the data on the fly via -"plugins". The data is converted over the dynamically allocated -buffer for each plugin, and recently syzkaller caught OOB in this -flow. - -Although the bisection by syzbot pointed out to the commit -65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer -allocations"), this is merely a commit to replace vmalloc() with -kvmalloc(), hence it can't be the cause. The further debug action -revealed that this happens in the case where a slave PCM doesn't -support only the stereo channels while the OSS stream is set up for a -mono channel. Below is a brief explanation: - -At each OSS parameter change, the driver sets up the PCM hw_params -again in snd_pcm_oss_change_params_lock(). This is also the place -where plugins are created and local buffers are allocated. The -problem is that the plugins are created before the final hw_params is -determined. Namely, two snd_pcm_hw_param_near() calls for setting the -period size and periods may influence on the final result of channels, -rates, etc, too, while the current code has already created plugins -beforehand with the premature values. So, the plugin believes that -channels=1, while the actual I/O is with channels=2, which makes the -driver reading/writing over the allocated buffer size. - -The fix is simply to move the plugin allocation code after the final -hw_params call. 
- -Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com -Signed-off-by: Takashi Iwai <tiwai@suse.de> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/core/oss/pcm_oss.c | 43 ++++++++++++++++++++-------------------- - 1 file changed, 22 insertions(+), 21 deletions(-) - ---- a/sound/core/oss/pcm_oss.c -+++ b/sound/core/oss/pcm_oss.c -@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_loc - oss_frame_size = snd_pcm_format_physical_width(params_format(params)) * - params_channels(params) / 8; - -+ err = snd_pcm_oss_period_size(substream, params, sparams); -+ if (err < 0) -+ goto failure; -+ -+ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); -+ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); -+ if (err < 0) -+ goto failure; -+ -+ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, -+ runtime->oss.periods, NULL); -+ if (err < 0) -+ goto failure; -+ -+ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); -+ -+ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams); -+ if (err < 0) { -+ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); -+ goto failure; -+ } -+ - #ifdef CONFIG_SND_PCM_OSS_PLUGINS - snd_pcm_oss_plugin_clear(substream); - if (!direct) { -@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_loc - } - #endif - -- err = snd_pcm_oss_period_size(substream, params, sparams); -- if (err < 0) -- goto failure; -- -- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); -- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); -- if (err < 0) -- goto failure; -- -- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, -- runtime->oss.periods, NULL); -- if (err < 0) -- goto failure; -- -- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); -- -- if ((err = 
snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) { -- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); -- goto failure; -- } -- - memset(sw_params, 0, sizeof(*sw_params)); - if (runtime->oss.trigger) { - sw_params->start_threshold = 1; diff --git a/queue-3.16/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch b/queue-3.16/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch deleted file mode 100644 index 659976be..00000000 --- a/queue-3.16/alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Wed, 20 Mar 2019 16:15:24 -0500 -Subject: ALSA: rawmidi: Fix potential Spectre v1 vulnerability - -commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream. - -info->stream is indirectly controlled by user-space, hence leading to -a potential exploitation of the Spectre variant 1 vulnerability. - -This issue was detected with the help of Smatch: - -sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap) - -Fix this by sanitizing info->stream before using it to index -rmidi->streams. - -Notice that given that speculation windows are large, the policy is -to kill the speculation on the first load and not worry if it can be -completed with a dependent load/store [1]. - -[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ - -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/core/rawmidi.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/sound/core/rawmidi.c -+++ b/sound/core/rawmidi.c -@@ -29,6 +29,7 @@ - #include <linux/mutex.h> - #include <linux/module.h> - #include <linux/delay.h> -+#include <linux/nospec.h> - #include <sound/rawmidi.h> - #include <sound/info.h> - #include <sound/control.h> -@@ -601,6 +602,7 @@ static int __snd_rawmidi_info_select(str - return -ENXIO; - if (info->stream < 0 || info->stream > 1) - return -EINVAL; -+ info->stream = array_index_nospec(info->stream, 2); - pstr = &rmidi->streams[info->stream]; - if (pstr->substream_count == 0) - return -ENOENT; diff --git a/queue-3.16/alsa-seq-fix-oob-reads-from-strlcpy.patch b/queue-3.16/alsa-seq-fix-oob-reads-from-strlcpy.patch deleted file mode 100644 index b974015e..00000000 --- a/queue-3.16/alsa-seq-fix-oob-reads-from-strlcpy.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: Zubin Mithra <zsm@chromium.org> -Date: Thu, 4 Apr 2019 14:33:55 -0700 -Subject: ALSA: seq: Fix OOB-reads from strlcpy - -commit 212ac181c158c09038c474ba68068be49caecebb upstream. - -When ioctl calls are made with non-null-terminated userspace strings, -strlcpy causes an OOB-read from within strlen. Fix by changing to use -strscpy instead. - -Signed-off-by: Zubin Mithra <zsm@chromium.org> -Reviewed-by: Guenter Roeck <groeck@chromium.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/core/seq/seq_clientmgr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info - - /* fill the info fields */ - if (client_info.name[0]) -- strlcpy(client->name, client_info.name, sizeof(client->name)); -+ strscpy(client->name, client_info.name, sizeof(client->name)); - - client->filter = client_info.filter; - client->event_lost = client_info.event_lost; -@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(st - /* set queue name */ - if (! info.name[0]) - snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); -- strlcpy(q->name, info.name, sizeof(q->name)); -+ strscpy(q->name, info.name, sizeof(q->name)); - queuefree(q); - - if (copy_to_user(arg, &info, sizeof(info))) -@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info( - queuefree(q); - return -EPERM; - } -- strlcpy(q->name, info.name, sizeof(q->name)); -+ strscpy(q->name, info.name, sizeof(q->name)); - queuefree(q); - - return 0; diff --git a/queue-3.16/alsa-seq-oss-fix-spectre-v1-vulnerability.patch b/queue-3.16/alsa-seq-oss-fix-spectre-v1-vulnerability.patch deleted file mode 100644 index bd8a68c5..00000000 --- a/queue-3.16/alsa-seq-oss-fix-spectre-v1-vulnerability.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Wed, 20 Mar 2019 18:42:01 -0500 -Subject: ALSA: seq: oss: Fix Spectre v1 vulnerability - -commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream. - -dev is indirectly controlled by user-space, hence leading to -a potential exploitation of the Spectre variant 1 vulnerability. - -This issue was detected with the help of Smatch: - -sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap) - -Fix this by sanitizing dev before using it to index dp->synths. - -Notice that given that speculation windows are large, the policy is -to kill the speculation on the first load and not worry if it can be -completed with a dependent load/store [1]. - -[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ - -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/core/seq/oss/seq_oss_synth.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/sound/core/seq/oss/seq_oss_synth.c -+++ b/sound/core/seq/oss/seq_oss_synth.c -@@ -617,13 +617,14 @@ int - snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf) - { - struct seq_oss_synth *rec; -+ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); - -- if (dev < 0 || dev >= dp->max_synthdev) -+ if (!info) - return -ENXIO; - -- if (dp->synths[dev].is_midi) { -+ if (info->is_midi) { - struct midi_info minf; -- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); -+ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf); - inf->synth_type = SYNTH_TYPE_MIDI; - inf->synth_subtype = 0; - inf->nr_voices = 16; diff --git a/queue-3.16/arm-dts-pfla02-increase-phy-reset-duration.patch b/queue-3.16/arm-dts-pfla02-increase-phy-reset-duration.patch deleted file mode 100644 index 1fd84788..00000000 
--- a/queue-3.16/arm-dts-pfla02-increase-phy-reset-duration.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Marco Felsch <m.felsch@pengutronix.de> -Date: Mon, 4 Mar 2019 11:49:40 +0100 -Subject: ARM: dts: pfla02: increase phy reset duration - -commit 032f85c9360fb1a08385c584c2c4ed114b33c260 upstream. - -Increase the reset duration to ensure correct phy functionality. The -reset duration is taken from barebox commit 52fdd510de ("ARM: dts: -pfla02: use long enough reset for ethernet phy"): - - Use a longer reset time for ethernet phy Micrel KSZ9031RNX. Otherwise a - small percentage of modules have 'transmission timeouts' errors like - - barebox@Phytec phyFLEX-i.MX6 Quad Carrier-Board:/ ifup eth0 - warning: No MAC address set. Using random address 7e:94:4d:02:f8:f3 - eth0: 1000Mbps full duplex link detected - eth0: transmission timeout - T eth0: transmission timeout - T eth0: transmission timeout - T eth0: transmission timeout - T eth0: transmission timeout - -Cc: Stefan Christ <s.christ@phytec.de> -Cc: Christian Hemp <c.hemp@phytec.de> -Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> -Fixes: 3180f956668e ("ARM: dts: Phytec imx6q pfla02 and pbab01 support") -Signed-off-by: Shawn Guo <shawnguo@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi -+++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi -@@ -302,6 +302,7 @@ - pinctrl-names = "default"; - pinctrl-0 = <&pinctrl_enet>; - phy-mode = "rgmii"; -+ phy-reset-duration = <10>; /* in msecs */ - phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>; - status = "disabled"; - }; diff --git a/queue-3.16/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch b/queue-3.16/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch deleted file mode 100644 index d0e5b927..00000000 
--- a/queue-3.16/arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From: Kohji Okuno <okuno.kohji@jp.panasonic.com> -Date: Tue, 26 Feb 2019 11:34:13 +0900 -Subject: ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected - time - -commit 91740fc8242b4f260cfa4d4536d8551804777fae upstream. - -In the current cpuidle implementation for i.MX6q, the CPU that sets -'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always -the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of -"WAIT", if the other CPU wakes up and enters IDLE state of "WFI" -istead of "WAIT", this CPU can not wake up at expired time. - Because, in the case of "WFI", the CPU must be waked up by the local -timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer -is stopped, when all CPUs execute "wfi" instruction. As a result, the -local timer interrupt is not fired. - In this situation, this CPU will wake up by IRQ different from local -timer. (e.g. broacast timer) - -So, this fix changes CPU to return to 'WAIT_CLOCKED'. - -Signed-off-by: Kohji Okuno <okuno.kohji@jp.panasonic.com> -Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle") -Signed-off-by: Shawn Guo <shawnguo@kernel.org> -[bwh: Backported to 3.16: use imx6q_set_lpm() instead of imx6_set_lpm()] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm/mach-imx/cpuidle-imx6q.c | 27 ++++++++++----------------- - 1 file changed, 10 insertions(+), 17 deletions(-) - ---- a/arch/arm/mach-imx/cpuidle-imx6q.c -+++ b/arch/arm/mach-imx/cpuidle-imx6q.c -@@ -14,30 +14,23 @@ - #include "common.h" - #include "cpuidle.h" - --static atomic_t master = ATOMIC_INIT(0); --static DEFINE_SPINLOCK(master_lock); -+static int num_idle_cpus = 0; -+static DEFINE_SPINLOCK(cpuidle_lock); - - static int imx6q_enter_wait(struct cpuidle_device *dev, - struct cpuidle_driver *drv, int index) - { -- if (atomic_inc_return(&master) == num_online_cpus()) { -- /* -- * With this lock, we prevent other cpu to exit and enter -- * this function again and 
become the master. -- */ -- if (!spin_trylock(&master_lock)) -- goto idle; -+ spin_lock(&cpuidle_lock); -+ if (++num_idle_cpus == num_online_cpus()) - imx6q_set_lpm(WAIT_UNCLOCKED); -- cpu_do_idle(); -- imx6q_set_lpm(WAIT_CLOCKED); -- spin_unlock(&master_lock); -- goto done; -- } -+ spin_unlock(&cpuidle_lock); - --idle: - cpu_do_idle(); --done: -- atomic_dec(&master); -+ -+ spin_lock(&cpuidle_lock); -+ if (num_idle_cpus-- == num_online_cpus()) -+ imx6q_set_lpm(WAIT_CLOCKED); -+ spin_unlock(&cpuidle_lock); - - return index; - } diff --git a/queue-3.16/batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch b/queue-3.16/batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch deleted file mode 100644 index d0aa29ac..00000000 --- a/queue-3.16/batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From: Sven Eckelmann <sven@narfation.org> -Date: Sat, 23 Feb 2019 14:27:10 +0100 -Subject: batman-adv: Reduce claim hash refcnt only for removed entry - -commit 4ba104f468bbfc27362c393815d03aa18fb7a20f upstream. - -The batadv_hash_remove is a function which searches the hashtable for an -entry using a needle, a hashtable bucket selection function and a compare -function. It will lock the bucket list and delete an entry when the compare -function matches it with the needle. It returns the pointer to the -hlist_node which matches or NULL when no entry matches the needle. - -The batadv_bla_del_claim is not itself protected in anyway to avoid that -any other function is modifying the hashtable between the search for the -entry and the call to batadv_hash_remove. It can therefore happen that the -entry either doesn't exist anymore or an entry was deleted which is not the -same object as the needle. In such an situation, the reference counter (for -the reference stored in the hashtable) must not be reduced for the needle. -Instead the reference counter of the actually removed entry has to be -reduced. - -Otherwise the reference counter will underflow and the object might be -freed before all its references were dropped. The kref helpers reported -this problem as: - - refcount_t: underflow; use-after-free. 
- -Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") -Signed-off-by: Sven Eckelmann <sven@narfation.org> -Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> -[bwh: Backported to 3.16: keep using batadv_claim_free_ref()] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/batman-adv/bridge_loop_avoidance.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - ---- a/net/batman-adv/bridge_loop_avoidance.c -+++ b/net/batman-adv/bridge_loop_avoidance.c -@@ -677,6 +677,8 @@ static void batadv_bla_del_claim(struct - const uint8_t *mac, const unsigned short vid) - { - struct batadv_bla_claim search_claim, *claim; -+ struct batadv_bla_claim *claim_removed_entry; -+ struct hlist_node *claim_removed_node; - - ether_addr_copy(search_claim.addr, mac); - search_claim.vid = vid; -@@ -687,10 +689,18 @@ static void batadv_bla_del_claim(struct - batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n", - mac, BATADV_PRINT_VID(vid)); - -- batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim, -- batadv_choose_claim, claim); -- batadv_claim_free_ref(claim); /* reference from the hash is gone */ -+ claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash, -+ batadv_compare_claim, -+ batadv_choose_claim, claim); -+ if (!claim_removed_node) -+ goto free_claim; - -+ /* reference from the hash is gone */ -+ claim_removed_entry = hlist_entry(claim_removed_node, -+ struct batadv_bla_claim, hash_entry); -+ batadv_claim_free_ref(claim_removed_entry); -+ -+free_claim: - /* don't need the reference from hash_find() anymore */ - batadv_claim_free_ref(claim); - } diff --git a/queue-3.16/batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch b/queue-3.16/batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch deleted file mode 100644 index a272217b..00000000 --- a/queue-3.16/batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch +++ /dev/null 
@@ -1,70 +0,0 @@
-From: Sven Eckelmann <sven@narfation.org>
-Date: Sat, 23 Feb 2019 14:27:10 +0100
-Subject: batman-adv: Reduce tt_global hash refcnt only for removed entry
-
-commit f131a56880d10932931e74773fb8702894a94a75 upstream.
-
-The batadv_hash_remove is a function which searches the hashtable for an
-entry using a needle, a hashtable bucket selection function and a compare
-function. It will lock the bucket list and delete an entry when the compare
-function matches it with the needle. It returns the pointer to the
-hlist_node which matches or NULL when no entry matches the needle.
-
-The batadv_tt_global_free is not itself protected in anyway to avoid that
-any other function is modifying the hashtable between the search for the
-entry and the call to batadv_hash_remove. It can therefore happen that the
-entry either doesn't exist anymore or an entry was deleted which is not the
-same object as the needle. In such an situation, the reference counter (for
-the reference stored in the hashtable) must not be reduced for the needle.
-Instead the reference counter of the actually removed entry has to be
-reduced.
-
-Otherwise the reference counter will underflow and the object might be
-freed before all its references were dropped. The kref helpers reported
-this problem as:
-
- refcount_t: underflow; use-after-free.
-
-Fixes: 7683fdc1e886 ("batman-adv: protect the local and the global trans-tables with rcu")
-Reported-by: Martin Weinelt <martin@linuxlounge.net>
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Acked-by: Antonio Quartulli <a@unstable.cc>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/batman-adv/translation-table.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
---- a/net/batman-adv/translation-table.c
-+++ b/net/batman-adv/translation-table.c
-@@ -483,14 +483,26 @@ static void batadv_tt_global_free(struct
- struct batadv_tt_global_entry *tt_global,
- const char *message)
- {
-+ struct batadv_tt_global_entry *tt_removed_entry;
-+ struct hlist_node *tt_removed_node;
-+
- batadv_dbg(BATADV_DBG_TT, bat_priv,
- "Deleting global tt entry %pM (vid: %d): %s\n",
- tt_global->common.addr,
- BATADV_PRINT_VID(tt_global->common.vid), message);
-
-- batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt,
-- batadv_choose_tt, &tt_global->common);
-- batadv_tt_global_entry_free_ref(tt_global);
-+ tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash,
-+ batadv_compare_tt,
-+ batadv_choose_tt,
-+ &tt_global->common);
-+ if (!tt_removed_node)
-+ return;
-+
-+ /* drop reference of remove hash entry */
-+ tt_removed_entry = hlist_entry(tt_removed_node,
-+ struct batadv_tt_global_entry,
-+ common.hash_entry);
-+ batadv_tt_global_entry_free_ref(tt_removed_entry);
- }
-
- /**
diff --git a/queue-3.16/batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch b/queue-3.16/batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch
deleted file mode 100644
index 088ec4cb..00000000
--- a/queue-3.16/batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Sven Eckelmann <sven@narfation.org>
-Date: Sat, 23 Feb 2019 14:27:10 +0100
-Subject: batman-adv: Reduce tt_local hash refcnt only for removed entry
-
-commit 3d65b9accab4a7ed5038f6df403fbd5e298398c7 upstream.
-
-The batadv_hash_remove is a function which searches the hashtable for an
-entry using a needle, a hashtable bucket selection function and a compare
-function. It will lock the bucket list and delete an entry when the compare
-function matches it with the needle. It returns the pointer to the
-hlist_node which matches or NULL when no entry matches the needle.
-
-The batadv_tt_local_remove is not itself protected in anyway to avoid that
-any other function is modifying the hashtable between the search for the
-entry and the call to batadv_hash_remove. It can therefore happen that the
-entry either doesn't exist anymore or an entry was deleted which is not the
-same object as the needle. In such an situation, the reference counter (for
-the reference stored in the hashtable) must not be reduced for the needle.
-Instead the reference counter of the actually removed entry has to be
-reduced.
-
-Otherwise the reference counter will underflow and the object might be
-freed before all its references were dropped. The kref helpers reported
-this problem as:
-
- refcount_t: underflow; use-after-free.
-
-Fixes: ef72706a0543 ("batman-adv: protect tt_local_entry from concurrent delete events")
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/batman-adv/translation-table.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
---- a/net/batman-adv/translation-table.c
-+++ b/net/batman-adv/translation-table.c
-@@ -1021,9 +1021,10 @@ uint16_t batadv_tt_local_remove(struct b
- const uint8_t *addr, unsigned short vid,
- const char *message, bool roaming)
- {
-+ struct batadv_tt_local_entry *tt_removed_entry;
- struct batadv_tt_local_entry *tt_local_entry;
- uint16_t flags, curr_flags = BATADV_NO_FLAGS;
-- void *tt_entry_exists;
-+ struct hlist_node *tt_removed_node;
-
- tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
- if (!tt_local_entry)
-@@ -1052,15 +1053,18 @@ uint16_t batadv_tt_local_remove(struct b
- */
- batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
-
-- tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
-+ tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash,
- batadv_compare_tt,
- batadv_choose_tt,
- &tt_local_entry->common);
-- if (!tt_entry_exists)
-+ if (!tt_removed_node)
- goto out;
-
-- /* extra call to free the local tt entry */
-- batadv_tt_local_entry_free_ref(tt_local_entry);
-+ /* drop reference of remove hash entry */
-+ tt_removed_entry = hlist_entry(tt_removed_node,
-+ struct batadv_tt_local_entry,
-+ common.hash_entry);
-+ batadv_tt_local_entry_free_ref(tt_removed_entry);
-
- out:
- if (tt_local_entry)
diff --git a/queue-3.16/block-do-not-leak-memory-in-bio_copy_user_iov.patch b/queue-3.16/block-do-not-leak-memory-in-bio_copy_user_iov.patch
deleted file mode 100644
index ca40d77b..00000000
--- a/queue-3.16/block-do-not-leak-memory-in-bio_copy_user_iov.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
-Date: Wed, 10 Apr 2019 16:27:51 -0400
-Subject: block: do not leak memory in bio_copy_user_iov()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925 upstream.
-
-When bio_add_pc_page() fails in bio_copy_user_iov() we should free
-the page we just allocated otherwise we are leaking it.
-
-Cc: linux-block@vger.kernel.org
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
-Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- block/bio.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/block/bio.c
-+++ b/block/bio.c
-@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct req
- }
- }
-
-- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
-+ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
-+ if (!map_data)
-+ __free_page(page);
- break;
-+ }
-
- len -= bytes;
- offset = 0;
diff --git a/queue-3.16/bluetooth-hci_uart-check-for-missing-tty-operations.patch b/queue-3.16/bluetooth-hci_uart-check-for-missing-tty-operations.patch
deleted file mode 100644
index 644ea892..00000000
--- a/queue-3.16/bluetooth-hci_uart-check-for-missing-tty-operations.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Vladis Dronov <vdronov@redhat.com>
-Date: Tue, 30 Jul 2019 11:33:45 +0200
-Subject: Bluetooth: hci_uart: check for missing tty operations
-
-commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 upstream.
-
-Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
-functions which are called by the certain HCI UART protocols (hci_ath,
-hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
-or directly. This leads to an execution at NULL and can be triggered by
-an unprivileged user. Fix this by adding a helper function and a check
-for the missing tty operations in the protocols code.
-
-This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
-tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
-protocols.
-
-Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
-Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
-Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
-Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
-Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
-Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
-Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Reviewed-by: Yu-Chen, Cho <acho@suse.com>
-Tested-by: Yu-Chen, Cho <acho@suse.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-[bwh: Backported to 3.16:
- - Only hci_ath is affected
- - There is no serdev support]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/drivers/bluetooth/hci_ath.c
-+++ b/drivers/bluetooth/hci_ath.c
-@@ -112,6 +112,9 @@ static int ath_open(struct hci_uart *hu)
-
- BT_DBG("hu %p", hu);
-
-+ if (!hci_uart_has_flow_control(hu))
-+ return -EOPNOTSUPP;
-+
- ath =
kzalloc(sizeof(*ath), GFP_KERNEL);
- if (!ath)
- return -ENOMEM;
---- a/drivers/bluetooth/hci_ldisc.c
-+++ b/drivers/bluetooth/hci_ldisc.c
-@@ -261,6 +261,15 @@ static int hci_uart_send_frame(struct hc
- return 0;
- }
-
-+/* Check the underlying device or tty has flow control support */
-+bool hci_uart_has_flow_control(struct hci_uart *hu)
-+{
-+ if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset)
-+ return true;
-+
-+ return false;
-+}
-+
- /* ------ LDISC part ------ */
- /* hci_uart_tty_open
- *
---- a/drivers/bluetooth/hci_uart.h
-+++ b/drivers/bluetooth/hci_uart.h
-@@ -90,6 +90,7 @@ int hci_uart_register_proto(struct hci_u
- int hci_uart_unregister_proto(struct hci_uart_proto *p);
- int hci_uart_tx_wakeup(struct hci_uart *hu);
- int hci_uart_init_ready(struct hci_uart *hu);
-+bool hci_uart_has_flow_control(struct hci_uart *hu);
-
- #ifdef CONFIG_BT_HCIUART_H4
- int h4_init(void);
diff --git a/queue-3.16/btrfs-correctly-validate-compression-type.patch b/queue-3.16/btrfs-correctly-validate-compression-type.patch
deleted file mode 100644
index 9b50c33c..00000000
--- a/queue-3.16/btrfs-correctly-validate-compression-type.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From: Johannes Thumshirn <jthumshirn@suse.de>
-Date: Thu, 6 Jun 2019 12:07:15 +0200
-Subject: btrfs: correctly validate compression type
-
-commit aa53e3bfac7205fb3a8815ac1c937fd6ed01b41e upstream.
-
-Nikolay reported the following KASAN splat when running btrfs/048:
-
-[ 1843.470920] ==================================================================
-[ 1843.471971] BUG: KASAN: slab-out-of-bounds in strncmp+0x66/0xb0
-[ 1843.472775] Read of size 1 at addr ffff888111e369e2 by task btrfs/3979
-
-[ 1843.473904] CPU: 3 PID: 3979 Comm: btrfs Not tainted 5.2.0-rc3-default #536
-[ 1843.475009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
-[ 1843.476322] Call Trace:
-[ 1843.476674] dump_stack+0x7c/0xbb
-[ 1843.477132] ? strncmp+0x66/0xb0
-[ 1843.477587] print_address_description+0x114/0x320
-[ 1843.478256] ? strncmp+0x66/0xb0
-[ 1843.478740] ? strncmp+0x66/0xb0
-[ 1843.479185] __kasan_report+0x14e/0x192
-[ 1843.479759] ? strncmp+0x66/0xb0
-[ 1843.480209] kasan_report+0xe/0x20
-[ 1843.480679] strncmp+0x66/0xb0
-[ 1843.481105] prop_compression_validate+0x24/0x70
-[ 1843.481798] btrfs_xattr_handler_set_prop+0x65/0x160
-[ 1843.482509] __vfs_setxattr+0x71/0x90
-[ 1843.483012] __vfs_setxattr_noperm+0x84/0x130
-[ 1843.483606] vfs_setxattr+0xac/0xb0
-[ 1843.484085] setxattr+0x18c/0x230
-[ 1843.484546] ? vfs_setxattr+0xb0/0xb0
-[ 1843.485048] ? __mod_node_page_state+0x1f/0xa0
-[ 1843.485672] ? _raw_spin_unlock+0x24/0x40
-[ 1843.486233] ? __handle_mm_fault+0x988/0x1290
-[ 1843.486823] ? lock_acquire+0xb4/0x1e0
-[ 1843.487330] ? lock_acquire+0xb4/0x1e0
-[ 1843.487842] ? mnt_want_write_file+0x3c/0x80
-[ 1843.488442] ? debug_lockdep_rcu_enabled+0x22/0x40
-[ 1843.489089] ? rcu_sync_lockdep_assert+0xe/0x70
-[ 1843.489707] ? __sb_start_write+0x158/0x200
-[ 1843.490278] ? mnt_want_write_file+0x3c/0x80
-[ 1843.490855] ? __mnt_want_write+0x98/0xe0
-[ 1843.491397] __x64_sys_fsetxattr+0xba/0xe0
-[ 1843.492201] ?
trace_hardirqs_off_thunk+0x1a/0x1c
-[ 1843.493201] do_syscall_64+0x6c/0x230
-[ 1843.493988] entry_SYSCALL_64_after_hwframe+0x49/0xbe
-[ 1843.495041] RIP: 0033:0x7fa7a8a7707a
-[ 1843.495819] Code: 48 8b 0d 21 de 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ee dd 2b 00 f7 d8 64 89 01 48
-[ 1843.499203] RSP: 002b:00007ffcb73bca38 EFLAGS: 00000202 ORIG_RAX: 00000000000000be
-[ 1843.500210] RAX: ffffffffffffffda RBX: 00007ffcb73bda9d RCX: 00007fa7a8a7707a
-[ 1843.501170] RDX: 00007ffcb73bda9d RSI: 00000000006dc050 RDI: 0000000000000003
-[ 1843.502152] RBP: 00000000006dc050 R08: 0000000000000000 R09: 0000000000000000
-[ 1843.503109] R10: 0000000000000002 R11: 0000000000000202 R12: 00007ffcb73bda91
-[ 1843.504055] R13: 0000000000000003 R14: 00007ffcb73bda82 R15: ffffffffffffffff
-
-[ 1843.505268] Allocated by task 3979:
-[ 1843.505771] save_stack+0x19/0x80
-[ 1843.506211] __kasan_kmalloc.constprop.5+0xa0/0xd0
-[ 1843.506836] setxattr+0xeb/0x230
-[ 1843.507264] __x64_sys_fsetxattr+0xba/0xe0
-[ 1843.507886] do_syscall_64+0x6c/0x230
-[ 1843.508429] entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-[ 1843.509558] Freed by task 0:
-[ 1843.510188] (stack is not available)
-
-[ 1843.511309] The buggy address belongs to the object at ffff888111e369e0
- which belongs to the cache kmalloc-8 of size 8
-[ 1843.514095] The buggy address is located 2 bytes inside of
- 8-byte region [ffff888111e369e0, ffff888111e369e8)
-[ 1843.516524] The buggy address belongs to the page:
-[ 1843.517561] page:ffff88813f478d80 refcount:1 mapcount:0 mapping:ffff88811940c300 index:0xffff888111e373b8 compound_mapcount: 0
-[ 1843.519993] flags: 0x4404000010200(slab|head)
-[ 1843.520951] raw: 0004404000010200 ffff88813f48b008 ffff888119403d50 ffff88811940c300
-[ 1843.522616] raw: ffff888111e373b8 000000000016000f 00000001ffffffff 0000000000000000
-[ 1843.524281] page dumped because: kasan: bad access detected
-
-[ 1843.525936] Memory state around the buggy address:
-[ 1843.526975] ffff888111e36880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.528479] ffff888111e36900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.530138] >ffff888111e36980: fc fc fc fc fc fc fc fc fc fc fc fc 02 fc fc fc
-[ 1843.531877] ^
-[ 1843.533287] ffff888111e36a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.534874] ffff888111e36a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.536468] ==================================================================
-
-This is caused by supplying a too short compression value ('lz') in the
-test-case and comparing it to 'lzo' with strncmp() and a length of 3.
-strncmp() read past the 'lz' when looking for the 'o' and thus caused an
-out-of-bounds read.
-
-Introduce a new check 'btrfs_compress_is_valid_type()' which not only
-checks the user-supplied value against known compression types, but also
-employs checks for too short values.
-
-Reported-by: Nikolay Borisov <n
borisov@suse.com>
-Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
-Reviewed-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-[bwh: Backported to 3.16:
- - "zstd" is not supported
- - Add definition of btrfs_compression_types[]
- - Include compression.h in props.c
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/fs/btrfs/compression.c
-+++ b/fs/btrfs/compression.c
-@@ -42,6 +42,8 @@
- #include "extent_io.h"
- #include "extent_map.h"
-
-+static const char* const btrfs_compress_types[] = { "", "zlib", "lzo" };
-+
- struct compressed_bio {
- /* number of bios pending for this compressed extent */
- atomic_t pending_bios;
-@@ -81,6 +83,22 @@ struct compressed_bio {
- u32 sums;
- };
-
-+bool btrfs_compress_is_valid_type(const char *str, size_t len)
-+{
-+ int i;
-+
-+ for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
-+ size_t comp_len = strlen(btrfs_compress_types[i]);
-+
-+ if (len < comp_len)
-+ continue;
-+
-+ if (!strncmp(btrfs_compress_types[i], str, comp_len))
-+ return true;
-+ }
-+ return false;
-+}
-+
- static int btrfs_decompress_biovec(int type, struct page **pages_in,
- u64 disk_start, struct bio_vec *bvec,
- int vcnt, size_t srclen);
---- a/fs/btrfs/compression.h
-+++ b/fs/btrfs/compression.h
-@@ -80,4 +80,5 @@ struct btrfs_compress_op {
- extern struct btrfs_compress_op btrfs_zlib_compress;
- extern struct btrfs_compress_op btrfs_lzo_compress;
-
-+bool btrfs_compress_is_valid_type(const char *str, size_t len);
- #endif
---- a/fs/btrfs/props.c
-+++ b/fs/btrfs/props.c
-@@ -22,6 +22,7 @@
- #include "hash.h"
- #include "transaction.h"
- #include "xattr.h"
-+#include "compression.h"
-
- #define BTRFS_PROP_HANDLERS_HT_BITS 8
- static DEFINE_HASHTABLE(prop_handlers_ht, BTRFS_PROP_HANDLERS_HT_BITS);
-@@ -378,9 +379,7 @@ int btrfs_subvol_inherit_props(struct bt
-
- static int prop_compression_validate(const char *value, size_t len)
- {
-- if (!strncmp("lzo", value, 3))
-- return 0;
-- else if (!strncmp("zlib", value, 4))
-+ if (btrfs_compress_is_valid_type(value, len))
- return 0;
-
- return -EINVAL;
diff --git a/queue-3.16/btrfs-prop-fix-vanished-compression-property-after-failed-set.patch b/queue-3.16/btrfs-prop-fix-vanished-compression-property-after-failed-set.patch
deleted file mode 100644
index 22bc07fc..00000000
--- a/queue-3.16/btrfs-prop-fix-vanished-compression-property-after-failed-set.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Anand Jain <anand.jain@oracle.com>
-Date: Tue, 2 Apr 2019 18:07:40 +0800
-Subject: btrfs: prop: fix vanished compression property after failed set
-
-commit 272e5326c7837697882ce3162029ba893059b616 upstream.
-
-The compression property resets to NULL, instead of the old value if we
-fail to set the new compression parameter.
-
- $ btrfs prop get /btrfs compression
- compression=lzo
- $ btrfs prop set /btrfs compression zli
- ERROR: failed to set compression for /btrfs: Invalid argument
- $ btrfs prop get /btrfs compression
-
-This is because the compression property ->validate() is successful for
-'zli' as the strncmp() used the length passed from the userspace.
-
-Fix it by using the expected string length in strncmp().
-
-Fixes: 63541927c8d1 ("Btrfs: add support for inode properties")
-Fixes: 5c1aab1dd544 ("btrfs: Add zstd support")
-Reviewed-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: Anand Jain <anand.jain@oracle.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-[bwh: Backported to 3.16: "zstd" is not supported]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/fs/btrfs/props.c
-+++ b/fs/btrfs/props.c
-@@ -378,9 +378,9 @@ int btrfs_subvol_inherit_props(struct bt
-
- static int prop_compression_validate(const char *value, size_t len)
- {
-- if (!strncmp("lzo", value, len))
-+ if (!strncmp("lzo", value, 3))
- return 0;
-- else if (!strncmp("zlib", value, len))
-+ else if (!strncmp("zlib", value, 4))
- return 0;
-
- return -EINVAL;
diff --git a/queue-3.16/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch b/queue-3.16/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch
deleted file mode 100644
index b2aebd27..00000000
--- a/queue-3.16/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Jeff Layton <jlayton@kernel.org>
-Date: Wed, 17 Apr 2019 12:58:28 -0400
-Subject: ceph: ensure d_name stability in ceph_dentry_hash()
-
-commit 76a495d666e5043ffc315695f8241f5e94a98849 upstream.
-
-Take the d_lock here to ensure that d_name doesn't change.
-
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
-Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- fs/ceph/dir.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/fs/ceph/dir.c
-+++ b/fs/ceph/dir.c
-@@ -1327,6 +1327,7 @@ void ceph_dentry_lru_del(struct dentry *
- unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
- {
- struct ceph_inode_info *dci = ceph_inode(dir);
-+ unsigned hash;
-
- switch (dci->i_dir_layout.dl_dir_hash) {
- case 0: /* for backward compat */
-@@ -1334,8 +1335,11 @@ unsigned ceph_dentry_hash(struct inode *
- return dn->d_name.hash;
-
- default:
-- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
-+ spin_lock(&dn->d_lock);
-+ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
- dn->d_name.name, dn->d_name.len);
-+ spin_unlock(&dn->d_lock);
-+ return hash;
- }
- }
-
diff --git a/queue-3.16/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch b/queue-3.16/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch
deleted file mode 100644
index 041148b4..00000000
--- a/queue-3.16/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Frank Sorenson <sorenson@redhat.com>
-Date: Tue, 16 Apr 2019 08:37:27 -0500
-Subject: cifs: do not attempt cifs operation on smb2+ rename error
-
-commit 652727bbe1b17993636346716ae5867627793647 upstream.
-
-A path-based rename returning EBUSY will incorrectly try opening
-the file with a cifs (NT Create AndX) operation on an smb2+ mount,
-which causes the server to force a session close.
-
-If the mount is smb2+, skip the fallback.
-
-Signed-off-by: Frank Sorenson <sorenson@redhat.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- fs/cifs/inode.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/fs/cifs/inode.c
-+++ b/fs/cifs/inode.c
-@@ -1627,6 +1627,10 @@ cifs_do_rename(const unsigned int xid, s
- if (rc == 0 || rc != -EBUSY)
- goto do_rename_exit;
-
-+ /* Don't fall back to using SMB on SMB 2+ mount */
-+ if (server->vals->protocol_id != 0)
-+ goto do_rename_exit;
-+
- /* open-file renames don't work across directories */
- if (to_dentry->d_parent != from_dentry->d_parent)
- goto do_rename_exit;
diff --git a/queue-3.16/cifs-fix-handle-leak-in-smb2_query_symlink.patch b/queue-3.16/cifs-fix-handle-leak-in-smb2_query_symlink.patch
deleted file mode 100644
index 8cb98819..00000000
--- a/queue-3.16/cifs-fix-handle-leak-in-smb2_query_symlink.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Ronnie Sahlberg <lsahlber@redhat.com>
-Date: Wed, 10 Apr 2019 07:47:22 +1000
-Subject: cifs: fix handle leak in smb2_query_symlink()
-
-commit e6d0fb7b34f264f72c33053558a360a6a734905e upstream.
-
-If we enter smb2_query_symlink() for something that is not a symlink
-and where the SMB2_open() would succeed we would never end up
-closing this handle and would thus leak a handle on the server.
-
-Fix this by immediately calling SMB2_close() on successfull open.
-
-Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- fs/cifs/smb2ops.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/cifs/smb2ops.c
-+++ b/fs/cifs/smb2ops.c
-@@ -906,6 +906,8 @@ smb2_query_symlink(const unsigned int xi
-
- rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_buf);
-
-+ if (!rc)
-+ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
- if (!rc || !err_buf) {
- kfree(utf16_path);
- return -ENOENT;
diff --git a/queue-3.16/cifs-keep-fileinfo-handle-live-during-oplock-break.patch b/queue-3.16/cifs-keep-fileinfo-handle-live-during-oplock-break.patch
deleted file mode 100644
index 002c713f..00000000
--- a/queue-3.16/cifs-keep-fileinfo-handle-live-during-oplock-break.patch
+++ /dev/null
@@ -1,174 +0,0 @@ -From: Aurelien Aptel <aaptel@suse.com> -Date: Fri, 29 Mar 2019 10:49:12 +0100 -Subject: CIFS: keep FileInfo handle live during oplock break - -commit b98749cac4a695f084a5ff076f4510b23e353ecd upstream. - -In the oplock break handler, writing pending changes from pages puts -the FileInfo handle. If the refcount reaches zero it closes the handle -and waits for any oplock break handler to return, thus causing a deadlock. - -To prevent this situation: - -* We add a wait flag to cifsFileInfo_put() to decide whether we should - wait for running/pending oplock break handlers - -* We keep an additionnal reference of the SMB FileInfo handle so that - for the rest of the handler putting the handle won't close it. - - The ref is bumped everytime we queue the handler via the - cifs_queue_oplock_break() helper. - - The ref is decremented at the end of the handler - -This bug was triggered by xfstest 464. - -Also important fix to address the various reports of -oops in smb2_push_mandatory_locks - -Signed-off-by: Aurelien Aptel <aaptel@suse.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/cifs/cifsglob.h | 2 ++ - fs/cifs/file.c | 30 +++++++++++++++++++++++++----- - fs/cifs/misc.c | 25 +++++++++++++++++++++++-- - fs/cifs/smb2misc.c | 6 +++--- - 4 files changed, 53 insertions(+), 10 deletions(-) - ---- a/fs/cifs/cifsglob.h -+++ b/fs/cifs/cifsglob.h -@@ -1092,6 +1092,7 @@ cifsFileInfo_get_locked(struct cifsFileI - } - - struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); -+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); - void cifsFileInfo_put(struct cifsFileInfo *cifs_file); - - #define CIFS_CACHE_READ_FLG 1 -@@ -1579,6 +1580,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock; - #endif /* CONFIG_CIFS_ACL */ - - void cifs_oplock_break(struct work_struct *work); -+void cifs_queue_oplock_break(struct 
cifsFileInfo *cfile);
-
- extern const struct slow_work_ops cifs_oplock_break_ops;
- extern struct workqueue_struct *cifsiod_wq;
---- a/fs/cifs/file.c
-+++ b/fs/cifs/file.c
-@@ -359,13 +359,31 @@ cifsFileInfo_get(struct cifsFileInfo *ci
- return cifs_file;
- }
-
--/*
-- * Release a reference on the file private data. This may involve closing
-- * the filehandle out on the server. Must be called without holding
-- * tcon->open_file_lock and cifs_file->file_info_lock.
-+/**
-+ * cifsFileInfo_put - release a reference of file priv data
-+ *
-+ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
- */
- void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
- {
-+ _cifsFileInfo_put(cifs_file, true);
-+}
-+
-+/**
-+ * _cifsFileInfo_put - release a reference of file priv data
-+ *
-+ * This may involve closing the filehandle @cifs_file out on the
-+ * server. Must be called without holding tcon->open_file_lock and
-+ * cifs_file->file_info_lock.
-+ *
-+ * If @wait_for_oplock_handler is true and we are releasing the last
-+ * reference, wait for any running oplock break handler of the file
-+ * and cancel any pending one. If calling this function from the
-+ * oplock break handler, you need to pass false.
-+ *
-+ */
-+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
-+{
- struct inode *inode = cifs_file->dentry->d_inode;
- struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
- struct TCP_Server_Info *server = tcon->ses->server;
-@@ -412,7 +430,8 @@ void cifsFileInfo_put(struct cifsFileInf
-
- spin_unlock(&tcon->open_file_lock);
-
-- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
-+ oplock_break_cancelled = wait_oplock_handler ?
-+ cancel_work_sync(&cifs_file->oplock_break) : false;
-
- if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
- struct TCP_Server_Info *server = tcon->ses->server;
-@@ -3701,6 +3720,7 @@ void cifs_oplock_break(struct work_struc
- cinode);
- cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
- }
-+ _cifsFileInfo_put(cfile, false /* do not wait for ourself */);
- cifs_done_oplock_break(cinode);
- }
-
---- a/fs/cifs/misc.c
-+++ b/fs/cifs/misc.c
-@@ -477,8 +477,7 @@ is_valid_oplock_break(char *buffer, stru
- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &pCifsInode->flags);
-
-- queue_work(cifsoplockd_wq,
-- &netfile->oplock_break);
-+ cifs_queue_oplock_break(netfile);
- netfile->oplock_break_cancelled = false;
-
- spin_unlock(&tcon->open_file_lock);
-@@ -610,6 +609,28 @@ void cifs_put_writer(struct cifsInodeInf
- spin_unlock(&cinode->writers_lock);
- }
-
-+/**
-+ * cifs_queue_oplock_break - queue the oplock break handler for cfile
-+ *
-+ * This function is called from the demultiplex thread when it
-+ * receives an oplock break for @cfile.
-+ *
-+ * Assumes the tcon->open_file_lock is held.
-+ * Assumes cfile->file_info_lock is NOT held.
-+ */
-+void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
-+{
-+ /*
-+ * Bump the handle refcount now while we hold the
-+ * open_file_lock to enforce the validity of it for the oplock
-+ * break handler. The matching put is done at the end of the
-+ * handler.
-+ */
-+ cifsFileInfo_get(cfile);
-+
-+ queue_work(cifsoplockd_wq, &cfile->oplock_break);
-+}
-+
- void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
- {
- clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
---- a/fs/cifs/smb2misc.c
-+++ b/fs/cifs/smb2misc.c
-@@ -458,7 +458,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
- clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &cinode->flags);
-
-- queue_work(cifsoplockd_wq, &cfile->oplock_break);
-+ cifs_queue_oplock_break(cfile);
- kfree(lw);
- return true;
- }
-@@ -602,8 +602,8 @@ smb2_is_valid_oplock_break(char *buffer,
- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &cinode->flags);
- spin_unlock(&cfile->file_info_lock);
-- queue_work(cifsoplockd_wq,
-- &cfile->oplock_break);
-+
-+ cifs_queue_oplock_break(cfile);
-
- spin_unlock(&tcon->open_file_lock);
- spin_unlock(&cifs_tcp_ses_lock);
diff --git a/queue-3.16/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-3.16/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
deleted file mode 100644
index 14397274..00000000
--- a/queue-3.16/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 19 Mar 2019 05:46:18 -0700
-Subject: dccp: do not use ipv6 header for ipv4 flow
-
-commit e0aa67709f89d08c8d8e5bdd9e0b649df61d0090 upstream.
-
-When a dual stack dccp listener accepts an ipv4 flow,
-it should not attempt to use an ipv6 header or
-inet6_iif() helper.
-
-Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/dccp/ipv6.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -491,8 +491,8 @@ static struct sock *dccp_v6_request_recv
- newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
-- newnp->mcast_oif = inet6_iif(skb);
-- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
-+ newnp->mcast_oif = inet_iif(skb);
-+ newnp->mcast_hops = ip_hdr(skb)->ttl;
-
- /*
- * No need to charge this sock to the relevant IPv6 refcnt debug socks count
diff --git a/queue-3.16/dccp-fix-memleak-in-__feat_register_sp.patch b/queue-3.16/dccp-fix-memleak-in-__feat_register_sp.patch
deleted file mode 100644
index f5ece16f..00000000
--- a/queue-3.16/dccp-fix-memleak-in-__feat_register_sp.patch
+++ /dev/null
@@ -1,35 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Mon, 1 Apr 2019 09:35:54 +0800 -Subject: dccp: Fix memleak in __feat_register_sp - -commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream. - -If dccp_feat_push_change fails, we forget free the mem -which is alloced by kmemdup in dccp_feat_clone_sp_val. - -Reported-by: Hulk Robot <hulkci@huawei.com> -Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values") -Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/dccp/feat.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - ---- a/net/dccp/feat.c -+++ b/net/dccp/feat.c -@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis - if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len)) - return -ENOMEM; - -- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); -+ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) { -+ kfree(fval.sp.vec); -+ return -ENOMEM; -+ } -+ -+ return 0; - } - - /** diff --git a/queue-3.16/device_cgroup-fix-rcu-imbalance-in-error-case.patch b/queue-3.16/device_cgroup-fix-rcu-imbalance-in-error-case.patch deleted file mode 100644 index 4b0d9bf4..00000000 --- a/queue-3.16/device_cgroup-fix-rcu-imbalance-in-error-case.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From: Jann Horn <jannh@google.com> -Date: Tue, 19 Mar 2019 02:36:59 +0100 -Subject: device_cgroup: fix RCU imbalance in error case - -commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream. - -When dev_exception_add() returns an error (due to a failed memory -allocation), make sure that we move the RCU preemption count back to where -it was before we were called. We dropped the RCU read lock inside the loop -body, so we can't just "break". - -sparse complains about this, too: - -$ make -s C=2 security/device_cgroup.o -./include/linux/rcupdate.h:647:9: warning: context imbalance in -'propagate_exception' - unexpected unlock - -Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()") -Signed-off-by: Jann Horn <jannh@google.com> -Acked-by: Michal Hocko <mhocko@suse.com> -Signed-off-by: Tejun Heo <tj@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - security/device_cgroup.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/security/device_cgroup.c -+++ b/security/device_cgroup.c -@@ -568,7 +568,7 @@ static int propagate_exception(struct de - devcg->behavior == DEVCG_DEFAULT_ALLOW) { - rc = dev_exception_add(devcg, ex); - if (rc) -- break; -+ return rc; - } else { - /* - * in the other possible cases: diff --git a/queue-3.16/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch b/queue-3.16/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch deleted file mode 100644 index b8a98ba4..00000000 --- a/queue-3.16/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From: Mike Snitzer <snitzer@redhat.com> -Date: Wed, 3 Apr 2019 12:23:11 -0400 -Subject: dm: disable DISCARD if the underlying storage no longer supports it - -commit bcb44433bba5eaff293888ef22ffa07f1f0347d6 upstream. - -Storage devices which report supporting discard commands like -WRITE_SAME_16 with unmap, but reject discard commands sent to the -storage device. This is a clear storage firmware bug but it doesn't -change the fact that should a program cause discards to be sent to a -multipath device layered on this buggy storage, all paths can end up -failed at the same time from the discards, causing possible I/O loss. - -The first discard to a path will fail with Illegal Request, Invalid -field in cdb, e.g.: - kernel: sd 8:0:8:19: [sdfn] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE - kernel: sd 8:0:8:19: [sdfn] tag#0 Sense Key : Illegal Request [current] - kernel: sd 8:0:8:19: [sdfn] tag#0 Add. Sense: Invalid field in cdb - kernel: sd 8:0:8:19: [sdfn] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 a0 08 00 00 00 80 00 00 00 - kernel: blk_update_request: critical target error, dev sdfn, sector 10487808 - -The SCSI layer converts this to the BLK_STS_TARGET error number, the sd -device disables its support for discard on this path, and because of the -BLK_STS_TARGET error multipath fails the discard without failing any -path or retrying down a different path. But subsequent discards can -cause path failures. Any discards sent to the path which already failed -a discard ends up failing with EIO from blk_cloned_rq_check_limits with -an "over max size limit" error since the discard limit was set to 0 by -the sd driver for the path. As the error is EIO, this now fails the -path and multipath tries to send the discard down the next path. This -cycle continues as discards are sent until all paths fail. - -Fix this by training DM core to disable DISCARD if the underlying -storage already did so. 
- -Also, fix branching in dm_done() and clone_endio() to reflect the -mutually exclussive nature of the IO operations in question. - -Reported-by: David Jeffery <djeffery@redhat.com> -Signed-off-by: Mike Snitzer <snitzer@redhat.com> -[bwh: Backported to 3.16: - - Keep using op & flag to check operation type - - Keep using bdev_get_queue() to find queue in clone_endio() - - WRITE_ZEROES is not handled - - Use queue_flag_clear() instead of blk_queue_flag_clear() - - Adjust filenames, context - - Declare disable_discard() static as its only user is in the same - source file] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -756,6 +756,15 @@ static void dec_pending(struct dm_io *io - } - } - -+static void disable_discard(struct mapped_device *md) -+{ -+ struct queue_limits *limits = dm_get_queue_limits(md); -+ -+ /* device doesn't really support DISCARD, disable it */ -+ limits->max_discard_sectors = 0; -+ queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue); -+} -+ - static void disable_write_same(struct mapped_device *md) - { - struct queue_limits *limits = dm_get_queue_limits(md); -@@ -792,9 +801,14 @@ static void clone_endio(struct bio *bio, - } - } - -- if (unlikely(r == -EREMOTEIO && (bio->bi_rw & REQ_WRITE_SAME) && -- !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors)) -- disable_write_same(md); -+ if (unlikely(r == -EREMOTEIO)) { -+ if (bio->bi_rw & REQ_DISCARD && -+ !bdev_get_queue(bio->bi_bdev)->limits.max_discard_sectors) -+ disable_discard(md); -+ else if (bio->bi_rw & REQ_WRITE_SAME && -+ !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors) -+ disable_write_same(md); -+ } - - free_tio(md, tio); - dec_pending(io, error); -@@ -996,9 +1010,14 @@ static void dm_done(struct request *clon - r = rq_end_io(tio->ti, clone, error, &tio->info); - } - -- if (unlikely(r == -EREMOTEIO && (clone->cmd_flags & REQ_WRITE_SAME) && -- !clone->q->limits.max_write_same_sectors)) -- 
disable_write_same(tio->md); -+ if (unlikely(r == -EREMOTEIO)) { -+ if (clone->cmd_flags & REQ_DISCARD && -+ !clone->q->limits.max_discard_sectors) -+ disable_discard(tio->md); -+ else if (clone->cmd_flags & REQ_WRITE_SAME && -+ !clone->q->limits.max_write_same_sectors) -+ disable_write_same(tio->md); -+ } - - if (r <= 0) - /* The target wants to complete the I/O */ diff --git a/queue-3.16/dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch b/queue-3.16/dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch deleted file mode 100644 index dfa8eeb7..00000000 --- a/queue-3.16/dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From: Ilya Dryomov <idryomov@gmail.com> -Date: Tue, 26 Mar 2019 20:20:58 +0100 -Subject: dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum - errors - -commit eb40c0acdc342b815d4d03ae6abb09e80c0f2988 upstream. - -Some devices don't use blk_integrity but still want stable pages -because they do their own checksumming. Examples include rbd and iSCSI -when data digests are negotiated. Stacking DM (and thus LVM) on top of -these devices results in sporadic checksum errors. - -Set BDI_CAP_STABLE_WRITES if any underlying device has it set. - -Signed-off-by: Ilya Dryomov <idryomov@gmail.com> -Signed-off-by: Mike Snitzer <snitzer@redhat.com> -[bwh: Backported to 3.16: request_queue::backing_dev_info is a struct - not a pointer] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/md/dm-table.c | 39 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 39 insertions(+) - ---- a/drivers/md/dm-table.c -+++ b/drivers/md/dm-table.c -@@ -1432,6 +1432,36 @@ static bool dm_table_supports_write_same - return true; - } - -+static int device_requires_stable_pages(struct dm_target *ti, -+ struct dm_dev *dev, sector_t start, -+ sector_t len, void *data) -+{ -+ struct request_queue *q = bdev_get_queue(dev->bdev); -+ -+ return q && bdi_cap_stable_pages_required(&q->backing_dev_info); -+} -+ -+/* -+ * If any underlying device requires stable pages, a table must require -+ * them as well. Only targets that support iterate_devices are considered: -+ * don't want error, zero, etc to require stable pages. 
-+ */ -+static bool dm_table_requires_stable_pages(struct dm_table *t) -+{ -+ struct dm_target *ti; -+ unsigned i; -+ -+ for (i = 0; i < dm_table_get_num_targets(t); i++) { -+ ti = dm_table_get_target(t, i); -+ -+ if (ti->type->iterate_devices && -+ ti->type->iterate_devices(ti, device_requires_stable_pages, NULL)) -+ return true; -+ } -+ -+ return false; -+} -+ - void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q, - struct queue_limits *limits) - { -@@ -1474,6 +1504,15 @@ void dm_table_set_restrictions(struct dm - dm_table_set_integrity(t); - - /* -+ * Some devices don't use blk_integrity but still want stable pages -+ * because they do their own checksumming. -+ */ -+ if (dm_table_requires_stable_pages(t)) -+ q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES; -+ else -+ q->backing_dev_info.capabilities &= ~BDI_CAP_STABLE_WRITES; -+ -+ /* - * Determine whether or not this queue's I/O timings contribute - * to the entropy pool, Only request-based targets use this. - * Clear QUEUE_FLAG_ADD_RANDOM if any underlying device does not diff --git a/queue-3.16/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch b/queue-3.16/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch deleted file mode 100644 index 4ce0bad5..00000000 --- a/queue-3.16/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From: Lukas Czerner <lczerner@redhat.com> -Date: Fri, 15 Mar 2019 00:15:32 -0400 -Subject: ext4: add missing brelse() in add_new_gdb_meta_bg() - -commit d64264d6218e6892edd832dc3a5a5857c2856c53 upstream. - -Currently in add_new_gdb_meta_bg() there is a missing brelse of gdb_bh -in case ext4_journal_get_write_access() fails. -Additionally kvfree() is missing in the same error path. Fix it by -moving the ext4_journal_get_write_access() before the ext4 sb update as -Ted suggested and release n_group_desc and gdb_bh in case it fails. - -Fixes: 61a9c11e5e7a ("ext4: add missing brelse() add_new_gdb_meta_bg()'s error path") -Signed-off-by: Lukas Czerner <lczerner@redhat.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext4/resize.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - ---- a/fs/ext4/resize.c -+++ b/fs/ext4/resize.c -@@ -908,11 +908,18 @@ static int add_new_gdb_meta_bg(struct su - memcpy(n_group_desc, o_group_desc, - EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *)); - n_group_desc[gdb_num] = gdb_bh; -+ -+ BUFFER_TRACE(gdb_bh, "get_write_access"); -+ err = ext4_journal_get_write_access(handle, gdb_bh); -+ if (err) { -+ kvfree(n_group_desc); -+ brelse(gdb_bh); -+ return err; -+ } -+ - EXT4_SB(sb)->s_group_desc = n_group_desc; - EXT4_SB(sb)->s_gdb_count++; - ext4_kvfree(o_group_desc); -- BUFFER_TRACE(gdb_bh, "get_write_access"); -- err = ext4_journal_get_write_access(handle, gdb_bh); - return err; - } - diff --git a/queue-3.16/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch b/queue-3.16/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch deleted file mode 100644 index af31e311..00000000 --- a/queue-3.16/ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From: Lukas Czerner <lczerner@redhat.com> -Date: Thu, 14 Mar 2019 23:20:25 -0400 -Subject: ext4: fix data corruption caused by unaligned direct AIO - -commit 372a03e01853f860560eade508794dd274e9b390 upstream. - -Ext4 needs to serialize unaligned direct AIO because the zeroing of -partial blocks of two competing unaligned AIOs can result in data -corruption. - -However it decides not to serialize if the potentially unaligned aio is -past i_size with the rationale that no pending writes are possible past -i_size. Unfortunately if the i_size is not block aligned and the second -unaligned write lands past i_size, but still into the same block, it has -the potential of corrupting the previous unaligned write to the same -block. - -This is (very simplified) reproducer from Frank - - // 41472 = (10 * 4096) + 512 - // 37376 = 41472 - 4096 - - ftruncate(fd, 41472); - io_prep_pwrite(iocbs[0], fd, buf[0], 4096, 37376); - io_prep_pwrite(iocbs[1], fd, buf[1], 4096, 41472); - - io_submit(io_ctx, 1, &iocbs[1]); - io_submit(io_ctx, 1, &iocbs[2]); - - io_getevents(io_ctx, 2, 2, events, NULL); - -Without this patch the 512B range from 40960 up to the start of the -second unaligned write (41472) is going to be zeroed overwriting the data -written by the first write. This is a data corruption. - -00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -* -00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 -* -0000a000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -* -0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 - -With this patch the data corruption is avoided because we will recognize -the unaligned_aio and wait for the unwritten extent conversion. 
- -00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -* -00009200 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 -* -0000a200 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 -* -0000b200 - -Reported-by: Frank Sorenson <fsorenso@redhat.com> -Signed-off-by: Lukas Czerner <lczerner@redhat.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Fixes: e9e3bcecf44c ("ext4: serialize unaligned asynchronous DIO") -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext4/file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/ext4/file.c -+++ b/fs/ext4/file.c -@@ -79,7 +79,7 @@ ext4_unaligned_aio(struct inode *inode, - struct super_block *sb = inode->i_sb; - int blockmask = sb->s_blocksize - 1; - -- if (pos >= i_size_read(inode)) -+ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize)) - return 0; - - if ((pos | iov_iter_alignment(from)) & blockmask) diff --git a/queue-3.16/floppy-fix-div-by-zero-in-setup_format_params.patch b/queue-3.16/floppy-fix-div-by-zero-in-setup_format_params.patch deleted file mode 100644 index 636a0b16..00000000 --- a/queue-3.16/floppy-fix-div-by-zero-in-setup_format_params.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Denis Efremov <efremov@ispras.ru> -Date: Fri, 12 Jul 2019 21:55:20 +0300 -Subject: floppy: fix div-by-zero in setup_format_params - -commit f3554aeb991214cbfafd17d55e2bfddb50282e32 upstream. - -This fixes a divide by zero error in the setup_format_params function of -the floppy driver. - -Two consecutive ioctls can trigger the bug: The first one should set the -drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK -to become zero. Next, the floppy format operation should be called. - -A floppy disk is not required to be inserted. An unprivileged user -could trigger the bug if the device is accessible. - -The patch checks F_SECT_PER_TRACK for a non-zero value in the -set_geometry function. The proper check should involve a reasonable -upper limit for the .sect and .rate fields, but it could change the -UAPI. - -The patch also checks F_SECT_PER_TRACK in the setup_format_params, and -cancels the formatting operation in case of zero. - -The bug was found by syzkaller. - -Signed-off-by: Denis Efremov <efremov@ispras.ru> -Tested-by: Willy Tarreau <w@1wt.eu> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/block/floppy.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -2113,6 +2113,9 @@ static void setup_format_params(int trac - raw_cmd->kernel_data = floppy_track_buffer; - raw_cmd->length = 4 * F_SECT_PER_TRACK; - -+ if (!F_SECT_PER_TRACK) -+ return; -+ - /* allow for about 30ms for data transport per track */ - head_shift = (F_SECT_PER_TRACK + 5) / 6; - -@@ -3235,6 +3238,8 @@ static int set_geometry(unsigned int cmd - /* sanity checking for parameters. 
*/ - if (g->sect <= 0 || - g->head <= 0 || -+ /* check for zero in F_SECT_PER_TRACK */ -+ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || - g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || - /* check if reserved bits are set */ - (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) diff --git a/queue-3.16/floppy-fix-invalid-pointer-dereference-in-drive_name.patch b/queue-3.16/floppy-fix-invalid-pointer-dereference-in-drive_name.patch deleted file mode 100644 index 8ad0684d..00000000 --- a/queue-3.16/floppy-fix-invalid-pointer-dereference-in-drive_name.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From: Denis Efremov <efremov@ispras.ru> -Date: Fri, 12 Jul 2019 21:55:22 +0300 -Subject: floppy: fix invalid pointer dereference in drive_name - -commit 9b04609b784027968348796a18f601aed9db3789 upstream. - -This fixes the invalid pointer dereference in the drive_name function of -the floppy driver. - -The native_format field of the struct floppy_drive_params is used as -floppy_type array index in the drive_name function. Thus, the field -should be checked the same way as the autodetect field. - -To trigger the bug, one could use a value out of range and set the drive -parameters with the FDSETDRVPRM ioctl. Next, FDGETDRVTYP ioctl should -be used to call the drive_name. A floppy disk is not required to be -inserted. - -CAP_SYS_ADMIN is required to call FDSETDRVPRM. - -The patch adds the check for a value of the native_format field to be in -the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array -indices. - -The bug was found by syzkaller. - -Signed-off-by: Denis Efremov <efremov@ispras.ru> -Tested-by: Willy Tarreau <w@1wt.eu> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16: Drop changes in compat_setdrvprm(), as compat - ioctls go via fd_ioctl_locked() after translation in compat_ioctl.c.] 
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -3383,7 +3383,8 @@ static int fd_getgeo(struct block_device - return 0; - } - --static bool valid_floppy_drive_params(const short autodetect[8]) -+static bool valid_floppy_drive_params(const short autodetect[8], -+ int native_format) - { - size_t floppy_type_size = ARRAY_SIZE(floppy_type); - size_t i = 0; -@@ -3394,6 +3395,9 @@ static bool valid_floppy_drive_params(co - return false; - } - -+ if (native_format < 0 || native_format >= floppy_type_size) -+ return false; -+ - return true; - } - -@@ -3523,7 +3527,8 @@ static int fd_locked_ioctl(struct block_ - SUPBOUND(size, strlen((const char *)outparam) + 1); - break; - case FDSETDRVPRM: -- if (!valid_floppy_drive_params(inparam.dp.autodetect)) -+ if (!valid_floppy_drive_params(inparam.dp.autodetect, -+ inparam.dp.native_format)) - return -EINVAL; - *UDP = inparam.dp; - break; diff --git a/queue-3.16/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/queue-3.16/floppy-fix-out-of-bounds-read-in-copy_buffer.patch deleted file mode 100644 index b396707a..00000000 --- a/queue-3.16/floppy-fix-out-of-bounds-read-in-copy_buffer.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Denis Efremov <efremov@ispras.ru> -Date: Fri, 12 Jul 2019 21:55:23 +0300 -Subject: floppy: fix out-of-bounds read in copy_buffer - -commit da99466ac243f15fbba65bd261bfc75ffa1532b6 upstream. - -This fixes a global out-of-bounds read access in the copy_buffer -function of the floppy driver. - -The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect -and head fields (unsigned int) of the floppy_drive structure are used to -compute the max_sector (int) in the make_raw_rw_request function. It is -possible to overflow the max_sector. Next, max_sector is passed to the -copy_buffer function and used in one of the memcpy calls. - -An unprivileged user could trigger the bug if the device is accessible, -but requires a floppy disk to be inserted. - -The patch adds the check for the .sect * .head multiplication for not -overflowing in the set_geometry function. - -The bug was found by syzkaller. - -Signed-off-by: Denis Efremov <efremov@ispras.ru> -Tested-by: Willy Tarreau <w@1wt.eu> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/block/floppy.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd - int cnt; - - /* sanity checking for parameters. */ -- if (g->sect <= 0 || -- g->head <= 0 || -+ if ((int)g->sect <= 0 || -+ (int)g->head <= 0 || -+ /* check for overflow in max_sector */ -+ (int)(g->sect * g->head) <= 0 || - /* check for zero in F_SECT_PER_TRACK */ - (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || - g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || diff --git a/queue-3.16/floppy-fix-out-of-bounds-read-in-next_valid_format.patch b/queue-3.16/floppy-fix-out-of-bounds-read-in-next_valid_format.patch deleted file mode 100644 index 12244b3a..00000000 
--- a/queue-3.16/floppy-fix-out-of-bounds-read-in-next_valid_format.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From: Denis Efremov <efremov@ispras.ru> -Date: Fri, 12 Jul 2019 21:55:21 +0300 -Subject: floppy: fix out-of-bounds read in next_valid_format - -commit 5635f897ed83fd539df78e98ba69ee91592f9bb8 upstream. - -This fixes a global out-of-bounds read access in the next_valid_format -function of the floppy driver. - -The values from autodetect field of the struct floppy_drive_params are -used as indices for the floppy_type array in the next_valid_format -function 'floppy_type[DP->autodetect[probed_format]].sect'. - -To trigger the bug, one could use a value out of range and set the drive -parameters with the FDSETDRVPRM ioctl. A floppy disk is not required to -be inserted. - -CAP_SYS_ADMIN is required to call FDSETDRVPRM. - -The patch adds the check for values of the autodetect field to be in the -'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices. - -The bug was found by syzkaller. - -Signed-off-by: Denis Efremov <efremov@ispras.ru> -Tested-by: Willy Tarreau <w@1wt.eu> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16: Drop changes in compat_setdrvprm(), as compat - ioctls go via fd_ioctl_locked() after translation in compat_ioctl.c.] 
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -3383,6 +3383,20 @@ static int fd_getgeo(struct block_device - return 0; - } - -+static bool valid_floppy_drive_params(const short autodetect[8]) -+{ -+ size_t floppy_type_size = ARRAY_SIZE(floppy_type); -+ size_t i = 0; -+ -+ for (i = 0; i < 8; ++i) { -+ if (autodetect[i] < 0 || -+ autodetect[i] >= floppy_type_size) -+ return false; -+ } -+ -+ return true; -+} -+ - static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd, - unsigned long param) - { -@@ -3509,6 +3523,8 @@ static int fd_locked_ioctl(struct block_ - SUPBOUND(size, strlen((const char *)outparam) + 1); - break; - case FDSETDRVPRM: -+ if (!valid_floppy_drive_params(inparam.dp.autodetect)) -+ return -EINVAL; - *UDP = inparam.dp; - break; - case FDGETDRVPRM: diff --git a/queue-3.16/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch b/queue-3.16/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch deleted file mode 100644 index e8020f2c..00000000 --- a/queue-3.16/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Thu, 25 Apr 2019 22:24:05 -0700 -Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference - -commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream. - -Syzkaller report this: - - sysctl could not get directory: /net//bridge -12 - kasan: CONFIG_KASAN_INLINE enabled - kasan: GPF could be caused by NULL-ptr deref or user memory access - general protection fault: 0000 [#1] SMP KASAN PTI - CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 - RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline] - RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline] - RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline] - RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459 - Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48 - RSP: 0018:ffff8881bb507778 EFLAGS: 00010206 - RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a - RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568 - RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4 - R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558 - R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 - FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0 - DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - PKRU: 55555554 - Call Trace: - erase_entry fs/proc/proc_sysctl.c:178 [inline] - erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207 - start_unregistering fs/proc/proc_sysctl.c:331 [inline] 
- drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631 - get_subdir fs/proc/proc_sysctl.c:1022 [inline] - __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 - br_netfilter_init+0x68/0x1000 [br_netfilter] - do_one_initcall+0xbc/0x47d init/main.c:901 - do_init_module+0x1b5/0x547 kernel/module.c:3456 - load_module+0x6405/0x8c10 kernel/module.c:3804 - __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 - do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle - iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper 
input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter] - Dumping ftrace buffer: - (ftrace buffer empty) - ---[ end trace 68741688d5fbfe85 ]--- - -commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer -dereference in put_links") forgot to handle start_unregistering() case, -while header->parent is NULL, it calls erase_header() and as seen in the -above syzkaller call trace, accessing &header->parent->root will trigger -a NULL pointer dereference. - -As that commit explained, there is also no need to call -start_unregistering() if header->parent is NULL. - -Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com -Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links") -Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Reported-by: Hulk Robot <hulkci@huawei.com> -Reviewed-by: Kees Cook <keescook@chromium.org> -Cc: Luis Chamberlain <mcgrof@kernel.org> -Cc: Alexey Dobriyan <adobriyan@gmail.com> -Cc: Al Viro <viro@zeniv.linux.org.uk> -Cc: "Eric W. Biederman" <ebiederm@xmission.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/proc/proc_sysctl.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/fs/proc/proc_sysctl.c -+++ b/fs/proc/proc_sysctl.c -@@ -1550,9 +1550,11 @@ static void drop_sysctl_table(struct ctl - if (--header->nreg) - return; - -- if (parent) -+ if (parent) { - put_links(header); -- start_unregistering(header); -+ start_unregistering(header); -+ } -+ - if (!--header->count) - kfree_rcu(header, rcu); - 
diff --git a/queue-3.16/fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch b/queue-3.16/fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch
deleted file mode 100644
index ad54b069..00000000
--- a/queue-3.16/fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch
+++ /dev/null
@@ -1,94 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Thu, 28 Mar 2019 20:44:40 -0700 -Subject: fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links - -commit 23da9588037ecdd4901db76a5b79a42b529c4ec3 upstream. - -Syzkaller reports: - -kasan: GPF could be caused by NULL-ptr deref or user memory access -general protection fault: 0000 [#1] SMP KASAN PTI -CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599 -Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91 -RSP: 0018:ffff8881d828f238 EFLAGS: 00010202 -RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267 -RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178 -RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259 -R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4 -R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000 -FS: 00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -PKRU: 55555554 -Call Trace: - drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629 - get_subdir fs/proc/proc_sysctl.c:1022 [inline] - __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 - br_netfilter_init+0xbc/0x1000 [br_netfilter] - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 
arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x462e99 -Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 -RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 -RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 -RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc -R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 -Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle - iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun 
crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73] -Dumping ftrace buffer: - (ftrace buffer empty) ----[ end trace 770020de38961fd0 ]--- - -A new dir entry can be created in get_subdir and its 'header->parent' is -set to NULL. Only after insert_header success, it will be set to 'dir', -otherwise 'header->parent' is set to NULL and drop_sysctl_table is called. -However in err handling path of get_subdir, drop_sysctl_table also be -called on 'new->header' regardless its value of parent pointer. Then -put_links is called, which triggers NULL-ptr deref when access member of -header->parent. - -In fact we have multiple error paths which call drop_sysctl_table() there, -upon failure on insert_links() we also call drop_sysctl_table().And even -in the successful case on __register_sysctl_table() we still always call -drop_sysctl_table().This patch fix it. - -Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com -Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Reported-by: Hulk Robot <hulkci@huawei.com> -Acked-by: Luis Chamberlain <mcgrof@kernel.org> -Cc: Kees Cook <keescook@chromium.org> -Cc: Alexey Dobriyan <adobriyan@gmail.com> -Cc: Alexei Starovoitov <ast@kernel.org> -Cc: Daniel Borkmann <daniel@iogearbox.net> -Cc: Al Viro <viro@zeniv.linux.org.uk> -Cc: Eric W. 
Biederman <ebiederm@xmission.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/proc/proc_sysctl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/fs/proc/proc_sysctl.c -+++ b/fs/proc/proc_sysctl.c -@@ -1550,7 +1550,8 @@ static void drop_sysctl_table(struct ctl - if (--header->nreg) - return; - -- put_links(header); -+ if (parent) -+ put_links(header); - start_unregistering(header); - if (!--header->count) - kfree_rcu(header, rcu);
diff --git a/queue-3.16/futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch b/queue-3.16/futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch
deleted file mode 100644
index e78ec3ce..00000000
--- a/queue-3.16/futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Chen Jie <chenjie6@huawei.com> -Date: Fri, 15 Mar 2019 03:44:38 +0000 -Subject: futex: Ensure that futex address is aligned in handle_futex_death() - -commit 5a07168d8d89b00fe1760120714378175b3ef992 upstream. - -The futex code requires that the user space addresses of futexes are 32bit -aligned. sys_futex() checks this in futex_get_keys() but the robust list -code has no alignment check in place. - -As a consequence the kernel crashes on architectures with strict alignment -requirements in handle_futex_death() when trying to cmpxchg() on an -unaligned futex address which was retrieved from the robust list. - -[ tglx: Rewrote changelog, proper sizeof() based alignement check and add - comment ] - -Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core") -Signed-off-by: Chen Jie <chenjie6@huawei.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Cc: <dvhart@infradead.org> -Cc: <peterz@infradead.org> -Cc: <zengweilin@huawei.com> -Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenjie6@huawei.com -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/futex.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -2909,6 +2909,10 @@ int handle_futex_death(u32 __user *uaddr - { - u32 uval, uninitialized_var(nval), mval; - -+ /* Futex address must be 32bit aligned */ -+ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0) -+ return -1; -+ - retry: - if (get_user(uval, uaddr)) - return -1;
diff --git a/queue-3.16/gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch b/queue-3.16/gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch
deleted file mode 100644
index 9583e274..00000000
--- a/queue-3.16/gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Axel Lin <axel.lin@ingics.com> -Date: Mon, 11 Mar 2019 21:29:37 +0800 -Subject: gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input - -commit c5bc6e526d3f217ed2cc3681d256dc4a2af4cc2b upstream. - -Current code test wrong value so it does not verify if the written -data is correctly read back. Fix it. -Also make it return -EPERM if read value does not match written bit, -just like it done for adnp_gpio_direction_output(). - -Fixes: 5e969a401a01 ("gpio: Add Avionic Design N-bit GPIO expander support") -Signed-off-by: Axel Lin <axel.lin@ingics.com> -Reviewed-by: Thierry Reding <thierry.reding@gmail.com> -Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/gpio/gpio-adnp.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/gpio/gpio-adnp.c -+++ b/drivers/gpio/gpio-adnp.c -@@ -140,8 +140,10 @@ static int adnp_gpio_direction_input(str - if (err < 0) - goto out; - -- if (err & BIT(pos)) -- err = -EACCES; -+ if (value & BIT(pos)) { -+ err = -EPERM; -+ goto out; -+ } - - err = 0; -
diff --git a/queue-3.16/ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch b/queue-3.16/ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch
deleted file mode 100644
index 0d648b5f..00000000
--- a/queue-3.16/ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Jack Morgenstein <jackm@dev.mellanox.co.il> -Date: Wed, 6 Mar 2019 19:17:56 +0200 -Subject: IB/mlx4: Fix race condition between catas error reset and aliasguid - flows - -commit 587443e7773e150ae29e643ee8f41a1eed226565 upstream. - -Code review revealed a race condition which could allow the catas error -flow to interrupt the alias guid query post mechanism at random points. -Thiis is fixed by doing cancel_delayed_work_sync() instead of -cancel_delayed_work() during the alias guid mechanism destroy flow. - -Fixes: a0c64a17aba8 ("mlx4: Add alias_guid mechanism") -Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> -Signed-off-by: Leon Romanovsky <leonro@mellanox.com> -Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/infiniband/hw/mlx4/alias_GUID.c -+++ b/drivers/infiniband/hw/mlx4/alias_GUID.c -@@ -579,8 +579,8 @@ void mlx4_ib_destroy_alias_guid_service( - unsigned long flags; - - for (i = 0 ; i < dev->num_ports; i++) { -- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work); - det = &sriov->alias_guid.ports_guid[i]; -+ cancel_delayed_work_sync(&det->alias_guid_work); - spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags); - while (!list_empty(&det->cb_list)) { - cb_ctx = list_entry(det->cb_list.next,
diff --git a/queue-3.16/iio-ad_sigma_delta-select-channel-when-reading-register.patch b/queue-3.16/iio-ad_sigma_delta-select-channel-when-reading-register.patch
deleted file mode 100644
index 9d4096b4..00000000
--- a/queue-3.16/iio-ad_sigma_delta-select-channel-when-reading-register.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Dragos Bogdan <dragos.bogdan@analog.com> -Date: Tue, 19 Mar 2019 12:47:00 +0200 -Subject: iio: ad_sigma_delta: select channel when reading register - -commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream. - -The desired channel has to be selected in order to correctly fill the -buffer with the corresponding data. -The `ad_sd_write_reg()` already does this, but for the -`ad_sd_read_reg_raw()` this was omitted. - -Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices") -Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com> -Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iio/adc/ad_sigma_delta.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/iio/adc/ad_sigma_delta.c -+++ b/drivers/iio/adc/ad_sigma_delta.c -@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_ - if (sigma_delta->info->has_registers) { - data[0] = reg << sigma_delta->info->addr_shift; - data[0] |= sigma_delta->info->read_mask; -+ data[0] |= sigma_delta->comm; - spi_message_add_tail(&t[0], &m); - } - spi_message_add_tail(&t[1], &m);
diff --git a/queue-3.16/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch b/queue-3.16/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch
deleted file mode 100644
index 6a8571cd..00000000
--- a/queue-3.16/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From: Georg Ottinger <g.ottinger@abatec.at> -Date: Wed, 30 Jan 2019 14:42:02 +0100 -Subject: iio: adc: at91: disable adc channel interrupt in timeout case - -commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream. - -Having a brief look at at91_adc_read_raw() it is obvious that in the case -of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is -omitted. If 2 different channels are queried we can end up with a -situation where two interrupts are enabled, but only one interrupt is -cleared in the interrupt handler. Resulting in a interrupt loop and a -system hang. - -Signed-off-by: Georg Ottinger <g.ottinger@abatec.at> -Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iio/adc/at91_adc.c | 28 +++++++++++++++++----------- - 1 file changed, 17 insertions(+), 11 deletions(-) - ---- a/drivers/iio/adc/at91_adc.c -+++ b/drivers/iio/adc/at91_adc.c -@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_ - ret = wait_event_interruptible_timeout(st->wq_data_avail, - st->done, - msecs_to_jiffies(1000)); -- if (ret == 0) -- ret = -ETIMEDOUT; -- if (ret < 0) { -- mutex_unlock(&st->lock); -- return ret; -- } -- -- *val = st->last_value; - -+ /* Disable interrupts, regardless if adc conversion was -+ * successful or not -+ */ - at91_adc_writel(st, AT91_ADC_CHDR, - AT91_ADC_CH(chan->channel)); - at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); - -- st->last_value = 0; -- st->done = false; -+ if (ret > 0) { -+ /* a valid conversion took place */ -+ *val = st->last_value; -+ st->last_value = 0; -+ st->done = false; -+ ret = IIO_VAL_INT; -+ } else if (ret == 0) { -+ /* conversion timeout */ -+ dev_err(&idev->dev, "ADC Channel %d timeout.\n", -+ chan->channel); -+ ret = -ETIMEDOUT; -+ } -+ - mutex_unlock(&st->lock); -- return IIO_VAL_INT; -+ return ret; - - case IIO_CHAN_INFO_SCALE: - *val = 
st->vref_mv;
diff --git a/queue-3.16/iio-core-fix-a-possible-circular-locking-dependency.patch b/queue-3.16/iio-core-fix-a-possible-circular-locking-dependency.patch
deleted file mode 100644
index 85132092..00000000
--- a/queue-3.16/iio-core-fix-a-possible-circular-locking-dependency.patch
+++ /dev/null
@@ -1,149 +0,0 @@ -From: Fabrice Gasnier <fabrice.gasnier@st.com> -Date: Mon, 25 Mar 2019 14:01:23 +0100 -Subject: iio: core: fix a possible circular locking dependency - -commit 7f75591fc5a123929a29636834d1bcb8b5c9fee3 upstream. - -This fixes a possible circular locking dependency detected warning seen -with: -- CONFIG_PROVE_LOCKING=y -- consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc") - -When using the IIO consumer interface, e.g. iio_channel_get(), the consumer -device will likely call iio_read_channel_raw() or similar that rely on -'info_exist_lock' mutex. - -typically: -... - mutex_lock(&chan->indio_dev->info_exist_lock); - if (chan->indio_dev->info == NULL) { - ret = -ENODEV; - goto err_unlock; - } - ret = do_some_ops() -err_unlock: - mutex_unlock(&chan->indio_dev->info_exist_lock); - return ret; -... - -Same mutex is also hold in iio_device_unregister(). - -The following deadlock warning happens when: -- the consumer device has called an API like iio_read_channel_raw() - at least once. -- the consumer driver is unregistered, removed (unbind from sysfs) - -====================================================== -WARNING: possible circular locking dependency detected -4.19.24 #577 Not tainted ------------------------------------------------------- -sh/372 is trying to acquire lock: -(kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84 - -but task is already holding lock: -(&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60 - -which lock already depends on the new lock. 
- -the existing dependency chain (in reverse order) is: - --> #1 (&dev->info_exist_lock){+.+.}: - __mutex_lock+0x70/0xa3c - mutex_lock_nested+0x1c/0x24 - iio_read_channel_raw+0x1c/0x60 - iio_read_channel_info+0xa8/0xb0 - dev_attr_show+0x1c/0x48 - sysfs_kf_seq_show+0x84/0xec - seq_read+0x154/0x528 - __vfs_read+0x2c/0x15c - vfs_read+0x8c/0x110 - ksys_read+0x4c/0xac - ret_fast_syscall+0x0/0x28 - 0xbedefb60 - --> #0 (kn->count#30){++++}: - lock_acquire+0xd8/0x268 - __kernfs_remove+0x288/0x374 - kernfs_remove_by_name_ns+0x3c/0x84 - remove_files+0x34/0x78 - sysfs_remove_group+0x40/0x9c - sysfs_remove_groups+0x24/0x34 - device_remove_attrs+0x38/0x64 - device_del+0x11c/0x360 - cdev_device_del+0x14/0x2c - iio_device_unregister+0x24/0x60 - release_nodes+0x1bc/0x200 - device_release_driver_internal+0x1a0/0x230 - unbind_store+0x80/0x130 - kernfs_fop_write+0x100/0x1e4 - __vfs_write+0x2c/0x160 - vfs_write+0xa4/0x17c - ksys_write+0x4c/0xac - ret_fast_syscall+0x0/0x28 - 0xbe906840 - -other info that might help us debug this: - - Possible unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(&dev->info_exist_lock); - lock(kn->count#30); - lock(&dev->info_exist_lock); - lock(kn->count#30); - - *** DEADLOCK *** -... - -cdev_device_del() can be called without holding the lock. It should be safe -as info_exist_lock prevents kernelspace consumers to use the exported -routines during/after provider removal. cdev_device_del() is for userspace. - -Help to reproduce: -See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt -sysv { - compatible = "voltage-divider"; - io-channels = <&adc 0>; - output-ohms = <22>; - full-ohms = <222>; -}; - -First, go to iio:deviceX for the "voltage-divider", do one read: -$ cd /sys/bus/iio/devices/iio:deviceX -$ cat in_voltage0_raw - -Then, unbind the consumer driver. It triggers above deadlock warning. 
-$ cd /sys/bus/platform/drivers/iio-rescale/ -$ echo sysv > unbind - -Note I don't actually expect stable will pick this up all the -way back into IIO being in staging, but if's probably valid that -far back. - -Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com> -Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister") -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iio/industrialio-core.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/iio/industrialio-core.c -+++ b/drivers/iio/industrialio-core.c -@@ -1195,12 +1195,12 @@ EXPORT_SYMBOL(iio_device_register); - **/ - void iio_device_unregister(struct iio_dev *indio_dev) - { -- mutex_lock(&indio_dev->info_exist_lock); -- - device_del(&indio_dev->dev); - - if (indio_dev->chrdev.dev) - cdev_del(&indio_dev->chrdev); -+ -+ mutex_lock(&indio_dev->info_exist_lock); - iio_device_unregister_debugfs(indio_dev); - - iio_disable_all_buffers(indio_dev); diff --git a/queue-3.16/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch b/queue-3.16/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch deleted file mode 100644 index 22ca403d..00000000 --- a/queue-3.16/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From: Jean-Francois Dagenais <jeff.dagenais@gmail.com> -Date: Wed, 6 Mar 2019 15:56:06 -0500 -Subject: iio: dac: mcp4725: add missing powerdown bits in store eeprom - -commit 06003531502d06bc89d32528f6ec96bf978790f9 upstream. - -When issuing the write DAC register and write eeprom command, the two -powerdown bits (PD0 and PD1) are assumed by the chip to be present in -the bytes sent. Leaving them at 0 implies "powerdown disabled" which is -a different state that the current one. By adding the current state of -the powerdown in the i2c write, the chip will correctly power-on exactly -like as it is at the moment of store_eeprom call. - -This is documented in MCP4725's datasheet, FIGURE 6-2: "Write Commands -for DAC Input Register and EEPROM" and MCP4726's datasheet, FIGURE 6-3: -"Write All Memory Command". - -Signed-off-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com> -Acked-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iio/dac/mcp4725.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/iio/dac/mcp4725.c -+++ b/drivers/iio/dac/mcp4725.c -@@ -86,6 +86,7 @@ static ssize_t mcp4725_store_eeprom(stru - return 0; - - inoutbuf[0] = 0x60; /* write EEPROM */ -+ inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0; - inoutbuf[1] = data->dac_value >> 4; - inoutbuf[2] = (data->dac_value & 0xf) << 4; -
diff --git a/queue-3.16/iio-fix-scan-mask-selection.patch b/queue-3.16/iio-fix-scan-mask-selection.patch
deleted file mode 100644
index a7513c25..00000000
--- a/queue-3.16/iio-fix-scan-mask-selection.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Lars-Peter Clausen <lars@metafoo.de> -Date: Wed, 20 Feb 2019 17:11:32 +0200 -Subject: iio: Fix scan mask selection - -commit 20ea39ef9f2f911bd01c69519e7d69cfec79fde3 upstream. - -The trialmask is expected to have all bits set to 0 after allocation. -Currently kmalloc_array() is used which does not zero the memory and so -random bits are set. This results in random channels being enabled when -they shouldn't. Replace kmalloc_array() with kcalloc() which has the same -interface but zeros the memory. - -Note the fix is actually required earlier than the below fixes tag, but -will require a manual backport due to move from kmalloc to kmalloc_array. - -Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> -Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com> -Fixes commit 057ac1acdfc4 ("iio: Use kmalloc_array() in iio_scan_mask_set()"). -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iio/industrialio-buffer.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - ---- a/drivers/iio/industrialio-buffer.c -+++ b/drivers/iio/industrialio-buffer.c -@@ -836,9 +836,8 @@ int iio_scan_mask_set(struct iio_dev *in - const unsigned long *mask; - unsigned long *trialmask; - -- trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), -- sizeof(*trialmask), -- GFP_KERNEL); -+ trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength), -+ sizeof(*trialmask), GFP_KERNEL); - if (trialmask == NULL) - return -ENOMEM; - if (!indio_dev->masklength) {
diff --git a/queue-3.16/iio-use-kmalloc_array-in-iio_scan_mask_set.patch b/queue-3.16/iio-use-kmalloc_array-in-iio_scan_mask_set.patch
deleted file mode 100644
index 7d3f2c9f..00000000
--- a/queue-3.16/iio-use-kmalloc_array-in-iio_scan_mask_set.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Markus Elfring <elfring@users.sourceforge.net> -Date: Fri, 23 Sep 2016 22:30:32 +0200 -Subject: iio: Use kmalloc_array() in iio_scan_mask_set() - -commit 057ac1acdfc4743f066fcefe359385cad00549eb upstream. - -A multiplication for the size determination of a memory allocation -indicated that an array data structure should be processed. -Thus use the corresponding function "kmalloc_array". - -This issue was detected by using the Coccinelle software. - -Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> -Signed-off-by: Jonathan Cameron <jic23@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iio/industrialio-buffer.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/drivers/iio/industrialio-buffer.c -+++ b/drivers/iio/industrialio-buffer.c -@@ -836,10 +836,9 @@ int iio_scan_mask_set(struct iio_dev *in - const unsigned long *mask; - unsigned long *trialmask; - -- trialmask = kmalloc(sizeof(*trialmask)* -- BITS_TO_LONGS(indio_dev->masklength), -- GFP_KERNEL); -- -+ trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), -+ sizeof(*trialmask), -+ GFP_KERNEL); - if (trialmask == NULL) - return -ENOMEM; - if (!indio_dev->masklength) {
diff --git a/queue-3.16/inet-switch-ip-id-generator-to-siphash.patch b/queue-3.16/inet-switch-ip-id-generator-to-siphash.patch
deleted file mode 100644
index aa9124b1..00000000
--- a/queue-3.16/inet-switch-ip-id-generator-to-siphash.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 27 Mar 2019 12:40:33 -0700 -Subject: inet: switch IP ID generator to siphash - -commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream. - -According to Amit Klein and Benny Pinkas, IP ID generation is too weak -and might be used by attackers. - -Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix()) -having 64bit key and Jenkins hash is risky. - -It is time to switch to siphash and its 128bit keys. - -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Amit Klein <aksecurity@gmail.com> -Reported-by: Benny Pinkas <benny@pinkas.net> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/include/linux/siphash.h -+++ b/include/linux/siphash.h -@@ -19,6 +19,11 @@ typedef struct { - u64 key[2]; - } siphash_key_t; - -+static inline bool siphash_key_is_zero(const siphash_key_t *key) -+{ -+ return !(key->key[0] | key->key[1]); -+} -+ - u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); - #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS - u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); ---- a/include/net/netns/ipv4.h -+++ b/include/net/netns/ipv4.h -@@ -7,6 +7,7 @@ - - #include <linux/uidgid.h> - #include <net/inet_frag.h> -+#include <linux/siphash.h> - - struct tcpm_hash_bucket; - struct ctl_table_header; -@@ -98,5 +99,6 @@ struct netns_ipv4 { - #endif - #endif - atomic_t rt_genid; -+ siphash_key_t ip_id_key; - }; - #endif ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -486,15 +486,17 @@ EXPORT_SYMBOL(ip_idents_reserve); - - void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) - { -- static u32 ip_idents_hashrnd __read_mostly; - u32 hash, id; - -- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); -+ /* Note the following code is not safe, but this is okay. 
*/ -+ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) -+ get_random_bytes(&net->ipv4.ip_id_key, -+ sizeof(net->ipv4.ip_id_key)); - -- hash = jhash_3words((__force u32)iph->daddr, -+ hash = siphash_3u32((__force u32)iph->daddr, - (__force u32)iph->saddr, -- iph->protocol ^ net_hash_mix(net), -- ip_idents_hashrnd); -+ iph->protocol, -+ &net->ipv4.ip_id_key); - id = ip_idents_reserve(hash, segs); - iph->id = htons(id); - } ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -9,14 +9,24 @@ - #include <net/addrconf.h> - #include <net/secure_seq.h> - --static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, -+static u32 __ipv6_select_ident(struct net *net, - struct in6_addr *dst, struct in6_addr *src) - { -+ const struct { -+ struct in6_addr dst; -+ struct in6_addr src; -+ } __aligned(SIPHASH_ALIGNMENT) combined = { -+ .dst = *dst, -+ .src = *src, -+ }; - u32 hash, id; - -- hash = __ipv6_addr_jhash(dst, hashrnd); -- hash = __ipv6_addr_jhash(src, hash); -- hash ^= net_hash_mix(net); -+ /* Note the following code is not safe, but this is okay. 
*/ -+ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) -+ get_random_bytes(&net->ipv4.ip_id_key, -+ sizeof(net->ipv4.ip_id_key)); -+ -+ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); - - /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, - * set the hight order instead thus minimizing possible future -@@ -39,7 +49,6 @@ static u32 __ipv6_select_ident(struct ne - */ - void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) - { -- static u32 ip6_proxy_idents_hashrnd __read_mostly; - struct in6_addr buf[2]; - struct in6_addr *addrs; - u32 id; -@@ -51,11 +60,7 @@ void ipv6_proxy_select_ident(struct net - if (!addrs) - return; - -- net_get_random_once(&ip6_proxy_idents_hashrnd, -- sizeof(ip6_proxy_idents_hashrnd)); -- -- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd, -- &addrs[1], &addrs[0]); -+ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]); - skb_shinfo(skb)->ip6_frag_id = htonl(id); - } - EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); -@@ -63,13 +68,9 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_iden - void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr, - struct rt6_info *rt) - { -- static u32 ip6_idents_hashrnd __read_mostly; - u32 id; - -- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); -- -- id = __ipv6_select_ident(net, ip6_idents_hashrnd, &rt->rt6i_dst.addr, -- &rt->rt6i_src.addr); -+ id = __ipv6_select_ident(net, &rt->rt6i_dst.addr, &rt->rt6i_src.addr); - fhdr->identification = htonl(id); - } - EXPORT_SYMBOL(ipv6_select_ident); diff --git a/queue-3.16/input-gtco-bounds-check-collection-indent-level.patch b/queue-3.16/input-gtco-bounds-check-collection-indent-level.patch deleted file mode 100644 index 38650de3..00000000 --- a/queue-3.16/input-gtco-bounds-check-collection-indent-level.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From: Grant Hernandez <granthernandez@google.com> -Date: Sat, 13 Jul 2019 01:00:12 -0700 -Subject: Input: gtco - bounds check collection indent level - -commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. - -The GTCO tablet input driver configures itself from an HID report sent -via USB during the initial enumeration process. Some debugging messages -are generated during the parsing. A debugging message indentation -counter is not bounds checked, leading to the ability for a specially -crafted HID report to cause '-' and null bytes be written past the end -of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG -enabled, this code will not be optimized out. This was discovered -during code review after a previous syzkaller bug was found in this -driver. - -Signed-off-by: Grant Hernandez <granthernandez@google.com> -Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/input/tablet/gtco.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - ---- a/drivers/input/tablet/gtco.c -+++ b/drivers/input/tablet/gtco.c -@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com - - /* Max size of a single report */ - #define REPORT_MAX_SIZE 10 -+#define MAX_COLLECTION_LEVELS 10 - - - /* Bitmask whether pen is in range */ -@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor( - char maintype = 'x'; - char globtype[12]; - int indent = 0; -- char indentstr[10] = ""; -- -+ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; - - dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); - -@@ -351,6 +351,13 @@ static void parse_hid_report_descriptor( - case TAG_MAIN_COL_START: - maintype = 'S'; - -+ if (indent == MAX_COLLECTION_LEVELS) { -+ dev_err(ddev, "Collection level %d would exceed limit of %d\n", -+ indent + 1, -+ MAX_COLLECTION_LEVELS); -+ break; -+ } -+ - if (data == 0) { - dev_dbg(ddev, "======>>>>>> Physical\n"); - strcpy(globtype, "Physical"); 
-@@ -370,8 +377,15 @@ static void parse_hid_report_descriptor( - break; - - case TAG_MAIN_COL_END: -- dev_dbg(ddev, "<<<<<<======\n"); - maintype = 'E'; -+ -+ if (indent == 0) { -+ dev_err(ddev, "Collection level already at zero\n"); -+ break; -+ } -+ -+ dev_dbg(ddev, "<<<<<<======\n"); -+ - indent--; - for (x = 0; x < indent; x++) - indentstr[x] = '-'; diff --git a/queue-3.16/iommu-amd-set-exclusion-range-correctly.patch b/queue-3.16/iommu-amd-set-exclusion-range-correctly.patch deleted file mode 100644 index 1ae2201d..00000000 --- a/queue-3.16/iommu-amd-set-exclusion-range-correctly.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Joerg Roedel <jroedel@suse.de> -Date: Fri, 12 Apr 2019 12:50:31 +0200 -Subject: iommu/amd: Set exclusion range correctly - -commit 3c677d206210f53a4be972211066c0f1cd47fe12 upstream. - -The exlcusion range limit register needs to contain the -base-address of the last page that is part of the range, as -bits 0-11 of this register are treated as 0xfff by the -hardware for comparisons. - -So correctly set the exclusion range in the hardware to the -last page which is _in_ the range. - -Fixes: b2026aa2dce44 ('x86, AMD IOMMU: add functions for programming IOMMU MMIO space') -Signed-off-by: Joerg Roedel <jroedel@suse.de> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iommu/amd_iommu_init.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/iommu/amd_iommu_init.c -+++ b/drivers/iommu/amd_iommu_init.c -@@ -293,7 +293,7 @@ static void iommu_write_l2(struct amd_io - static void iommu_set_exclusion_range(struct amd_iommu *iommu) - { - u64 start = iommu->exclusion_start & PAGE_MASK; -- u64 limit = (start + iommu->exclusion_length) & PAGE_MASK; -+ u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK; - u64 entry; - - if (!iommu->exclusion_start) 
diff --git a/queue-3.16/iommu-vt-d-check-capability-before-disabling-protected-memory.patch b/queue-3.16/iommu-vt-d-check-capability-before-disabling-protected-memory.patch deleted file mode 100644 index fdde23a9..00000000 --- a/queue-3.16/iommu-vt-d-check-capability-before-disabling-protected-memory.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Lu Baolu <baolu.lu@linux.intel.com> -Date: Wed, 20 Mar 2019 09:58:33 +0800 -Subject: iommu/vt-d: Check capability before disabling protected memory - -commit 5bb71fc790a88d063507dc5d445ab8b14e845591 upstream. - -The spec states in 10.4.16 that the Protected Memory Enable -Register should be treated as read-only for implementations -not supporting protected memory regions (PLMR and PHMR fields -reported as Clear in the Capability register). - -Cc: Jacob Pan <jacob.jun.pan@linux.intel.com> -Cc: mark gross <mgross@intel.com> -Suggested-by: Ashok Raj <ashok.raj@intel.com> -Fixes: f8bab73515ca5 ("intel-iommu: PMEN support") -Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> -Signed-off-by: Joerg Roedel <jroedel@suse.de> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/iommu/intel-iommu.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -1394,6 +1394,9 @@ static void iommu_disable_protect_mem_re - u32 pmen; - unsigned long flags; - -+ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap)) -+ return; -+ - raw_spin_lock_irqsave(&iommu->register_lock, flags); - pmen = readl(iommu->reg + DMAR_PMEN_REG); - pmen &= ~DMA_PMEN_EPM; diff --git a/queue-3.16/ipv4-hash-net-ptr-into-fragmentation-bucket-selection.patch b/queue-3.16/ipv4-hash-net-ptr-into-fragmentation-bucket-selection.patch deleted file mode 100644 index 2cd74732..00000000 --- a/queue-3.16/ipv4-hash-net-ptr-into-fragmentation-bucket-selection.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Wed, 25 Mar 2015 17:07:44 +0100 -Subject: ipv4: hash net ptr into fragmentation bucket selection - -commit b6a7719aedd7e5c0f2df7641aa47386111682df4 upstream. - -As namespaces are sometimes used with overlapping ip address ranges, -we should also use the namespace as input to the hash to select the ip -fragmentation counter bucket. - -Cc: Eric Dumazet <edumazet@google.com> -Cc: Flavio Leitner <fbl@redhat.com> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ppp/pptp.c | 2 +- - include/net/ip.h | 12 +++++++----- - net/ipv4/igmp.c | 4 ++-- - net/ipv4/ip_output.c | 7 ++++--- - net/ipv4/ip_tunnel_core.c | 2 +- - net/ipv4/ipmr.c | 7 ++++--- - net/ipv4/raw.c | 2 +- - net/ipv4/route.c | 4 ++-- - net/ipv4/xfrm4_mode_tunnel.c | 2 +- - net/netfilter/ipvs/ip_vs_xmit.c | 5 +++-- - 10 files changed, 26 insertions(+), 21 deletions(-) - ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -284,7 +284,7 @@ static int pptp_xmit(struct ppp_channel - nf_reset(skb); - - skb->ip_summed = CHECKSUM_NONE; -- ip_select_ident(skb, NULL); -+ ip_select_ident(sock_net(sk), skb, NULL); - ip_send_check(iph); - - ip_local_out(skb); ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -319,9 +319,10 @@ static inline unsigned int ip_skb_dst_mt - } - - u32 ip_idents_reserve(u32 hash, int segs); --void __ip_select_ident(struct iphdr *iph, int segs); -+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs); - --static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs) -+static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb, -+ struct sock *sk, int segs) - { - struct iphdr *iph = ip_hdr(skb); - -@@ -338,13 +339,14 @@ static inline void ip_select_ident_segs( - 
iph->id = 0; - } - } else { -- __ip_select_ident(iph, segs); -+ __ip_select_ident(net, iph, segs); - } - } - --static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk) -+static inline void ip_select_ident(struct net *net, struct sk_buff *skb, -+ struct sock *sk) - { -- ip_select_ident_segs(skb, sk, 1); -+ ip_select_ident_segs(net, skb, sk, 1); - } - - static inline __wsum inet_compute_pseudo(struct sk_buff *skb, int proto) ---- a/net/ipv4/igmp.c -+++ b/net/ipv4/igmp.c -@@ -395,7 +395,7 @@ static struct sk_buff *igmpv3_newpack(st - - pip->protocol = IPPROTO_IGMP; - pip->tot_len = 0; /* filled in later */ -- ip_select_ident(skb, NULL); -+ ip_select_ident(net, skb, NULL); - ((u8 *)&pip[1])[0] = IPOPT_RA; - ((u8 *)&pip[1])[1] = 4; - ((u8 *)&pip[1])[2] = 0; -@@ -739,7 +739,7 @@ static int igmp_send_report(struct in_de - iph->daddr = dst; - iph->saddr = fl4.saddr; - iph->protocol = IPPROTO_IGMP; -- ip_select_ident(skb, NULL); -+ ip_select_ident(net, skb, NULL); - ((u8 *)&iph[1])[0] = IPOPT_RA; - ((u8 *)&iph[1])[1] = 4; - ((u8 *)&iph[1])[2] = 0; ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -150,7 +150,7 @@ int ip_build_and_send_pkt(struct sk_buff - iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr); - iph->saddr = saddr; - iph->protocol = sk->sk_protocol; -- ip_select_ident(skb, sk); -+ ip_select_ident(sock_net(sk), skb, sk); - - if (opt && opt->opt.optlen) { - iph->ihl += opt->opt.optlen>>2; -@@ -432,7 +432,8 @@ packet_routed: - ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0); - } - -- ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1); -+ ip_select_ident_segs(sock_net(sk), skb, sk, -+ skb_shinfo(skb)->gso_segs ?: 1); - - /* TODO : should we use skb->sk here instead of sk ? 
*/ - skb->priority = sk->sk_priority; -@@ -1385,7 +1386,7 @@ struct sk_buff *__ip_make_skb(struct soc - iph->ttl = ttl; - iph->protocol = sk->sk_protocol; - ip_copy_addrs(iph, fl4); -- ip_select_ident(skb, sk); -+ ip_select_ident(net, skb, sk); - - if (opt) { - iph->ihl += opt->optlen>>2; ---- a/net/ipv4/ip_tunnel_core.c -+++ b/net/ipv4/ip_tunnel_core.c -@@ -74,7 +74,7 @@ int iptunnel_xmit(struct sock *sk, struc - iph->daddr = dst; - iph->saddr = src; - iph->ttl = ttl; -- __ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1); -+ __ip_select_ident(sock_net(sk), iph, skb_shinfo(skb)->gso_segs ?: 1); - - err = ip_local_out_sk(sk, skb); - if (unlikely(net_xmit_eval(err))) ---- a/net/ipv4/ipmr.c -+++ b/net/ipv4/ipmr.c -@@ -1647,7 +1647,8 @@ static struct notifier_block ip_mr_notif - * important for multicast video. - */ - --static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr) -+static void ip_encap(struct net *net, struct sk_buff *skb, -+ __be32 saddr, __be32 daddr) - { - struct iphdr *iph; - const struct iphdr *old_iph = ip_hdr(skb); -@@ -1666,7 +1667,7 @@ static void ip_encap(struct sk_buff *skb - iph->protocol = IPPROTO_IPIP; - iph->ihl = 5; - iph->tot_len = htons(skb->len); -- ip_select_ident(skb, NULL); -+ ip_select_ident(net, skb, NULL); - ip_send_check(iph); - - memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); -@@ -1763,7 +1764,7 @@ static void ipmr_queue_xmit(struct net * - * What do we do with netfilter? -- RR - */ - if (vif->flags & VIFF_TUNNEL) { -- ip_encap(skb, vif->local, vif->remote); -+ ip_encap(net, skb, vif->local, vif->remote); - /* FIXME: extra output firewall step used to be here. 
--RR */ - vif->dev->stats.tx_packets++; - vif->dev->stats.tx_bytes += skb->len; ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -399,7 +399,7 @@ static int raw_send_hdrinc(struct sock * - iph->check = 0; - iph->tot_len = htons(length); - if (!iph->id) -- ip_select_ident(skb, NULL); -+ ip_select_ident(net, skb, NULL); - - iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); - } ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -484,7 +484,7 @@ u32 ip_idents_reserve(u32 hash, int segs - } - EXPORT_SYMBOL(ip_idents_reserve); - --void __ip_select_ident(struct iphdr *iph, int segs) -+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs) - { - static u32 ip_idents_hashrnd __read_mostly; - u32 hash, id; -@@ -493,7 +493,7 @@ void __ip_select_ident(struct iphdr *iph - - hash = jhash_3words((__force u32)iph->daddr, - (__force u32)iph->saddr, -- iph->protocol, -+ iph->protocol ^ net_hash_mix(net), - ip_idents_hashrnd); - id = ip_idents_reserve(hash, segs); - iph->id = htons(id); ---- a/net/ipv4/xfrm4_mode_tunnel.c -+++ b/net/ipv4/xfrm4_mode_tunnel.c -@@ -63,7 +63,7 @@ static int xfrm4_mode_tunnel_output(stru - - top_iph->saddr = x->props.saddr.a4; - top_iph->daddr = x->id.daddr.a4; -- ip_select_ident(skb, NULL); -+ ip_select_ident(dev_net(dst->dev), skb, NULL); - - return 0; - } ---- a/net/netfilter/ipvs/ip_vs_xmit.c -+++ b/net/netfilter/ipvs/ip_vs_xmit.c -@@ -813,7 +813,8 @@ int - ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, - struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh) - { -- struct netns_ipvs *ipvs = net_ipvs(skb_net(skb)); -+ struct net *net = skb_net(skb); -+ struct netns_ipvs *ipvs = net_ipvs(net); - struct rtable *rt; /* Route to the other host */ - __be32 saddr; /* Source for tunnel */ - struct net_device *tdev; /* Device to other host */ -@@ -882,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, s - iph->daddr = cp->daddr.ip; - iph->saddr = saddr; - iph->ttl = old_iph->ttl; -- ip_select_ident(skb, NULL); -+ 
ip_select_ident(net, skb, NULL); - - /* Another hack: avoid icmp_send in ip_fragment */ - skb->ignore_df = 1; diff --git a/queue-3.16/ipv4-ip_tunnel-use-net-namespace-from-rtable-not-socket.patch b/queue-3.16/ipv4-ip_tunnel-use-net-namespace-from-rtable-not-socket.patch deleted file mode 100644 index a9c50cd2..00000000 --- a/queue-3.16/ipv4-ip_tunnel-use-net-namespace-from-rtable-not-socket.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Wed, 8 Apr 2015 17:01:22 +0200 -Subject: ipv4: ip_tunnel: use net namespace from rtable not socket - -commit 926a882f6916fd76b6f8ee858d45a2241c5e7999 upstream. - -The socket parameter might legally be NULL, thus sock_net is sometimes -causing a NULL pointer dereference. Using net_device pointer in dst_entry -is more reliable. - -Fixes: b6a7719aedd7e5c ("ipv4: hash net ptr into fragmentation bucket selection") -Reported-by: Rick Jones <rick.jones2@hp.com> -Cc: Rick Jones <rick.jones2@hp.com> -Cc: David S. Miller <davem@davemloft.net> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv4/ip_tunnel_core.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/ipv4/ip_tunnel_core.c -+++ b/net/ipv4/ip_tunnel_core.c -@@ -74,7 +74,8 @@ int iptunnel_xmit(struct sock *sk, struc - iph->daddr = dst; - iph->saddr = src; - iph->ttl = ttl; -- __ip_select_ident(sock_net(sk), iph, skb_shinfo(skb)->gso_segs ?: 1); -+ __ip_select_ident(dev_net(rt->dst.dev), iph, -+ skb_shinfo(skb)->gso_segs ?: 1); - - err = ip_local_out_sk(sk, skb); - if (unlikely(net_xmit_eval(err))) diff --git a/queue-3.16/ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in.patch b/queue-3.16/ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in.patch deleted file mode 100644 index 7238b0b1..00000000 
--- a/queue-3.16/ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Sabrina Dubroca <sd@queasysnail.net> -Date: Thu, 19 Mar 2015 11:22:32 +0100 -Subject: ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in - udp6_ufo_fragment - -commit 8e199dfd82ee097b522b00344af6448715d8ee0c upstream. - -Matt Grant reported frequent crashes in ipv6_select_ident when -udp6_ufo_fragment is called from openvswitch on a skb that doesn't -have a dst_entry set. - -ipv6_proxy_select_ident generates the frag_id without using the dst -associated with the skb. This approach was suggested by Vladislav -Yasevich. - -Fixes: 0508c07f5e0c ("ipv6: Select fragment id during UFO segmentation if not set.") -Cc: Vladislav Yasevich <vyasevic@redhat.com> -Reported-by: Matt Grant <matt@mattgrant.net.nz> -Tested-by: Matt Grant <matt@mattgrant.net.nz> -Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> -Acked-by: Vladislav Yasevich <vyasevic@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv6/udp_offload.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -124,11 +124,9 @@ static struct sk_buff *udp6_ufo_fragment - fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); - fptr->nexthdr = nexthdr; - fptr->reserved = 0; -- if (skb_shinfo(skb)->ip6_frag_id) -- fptr->identification = skb_shinfo(skb)->ip6_frag_id; -- else -- ipv6_select_ident(fptr, -- (struct rt6_info *)skb_dst(skb)); -+ if (!skb_shinfo(skb)->ip6_frag_id) -+ ipv6_proxy_select_ident(skb); -+ fptr->identification = skb_shinfo(skb)->ip6_frag_id; - - /* Fragment the skb. ipv6 header and the remaining fields of the - * fragment header are updated in ipv6_gso_segment() 
diff --git a/queue-3.16/ipv6-check-sk-sk_type-and-protocol-early-in-ip_mroute_set-getsockopt.patch b/queue-3.16/ipv6-check-sk-sk_type-and-protocol-early-in-ip_mroute_set-getsockopt.patch deleted file mode 100644 index 857e7287..00000000 --- a/queue-3.16/ipv6-check-sk-sk_type-and-protocol-early-in-ip_mroute_set-getsockopt.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From: Xin Long <lucien.xin@gmail.com> -Date: Fri, 24 Feb 2017 16:29:06 +0800 -Subject: ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt - -commit 99253eb750fda6a644d5188fb26c43bad8d5a745 upstream. - -Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed -the issue for ipv4 ipmr: - - ip_mroute_setsockopt() & ip_mroute_getsockopt() should not - access/set raw_sk(sk)->ipmr_table before making sure the socket - is a raw socket, and protocol is IGMP - -The same fix should be done for ipv6 ipmr as well. - -This patch can fix the panic caused by overwriting the same offset -as ipmr_table as in raw_sk(sk) when accessing other type's socket -by ip_mroute_setsockopt(). - -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv6/ip6mr.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -1662,6 +1662,10 @@ int ip6_mroute_setsockopt(struct sock *s - struct net *net = sock_net(sk); - struct mr6_table *mrt; - -+ if (sk->sk_type != SOCK_RAW || -+ inet_sk(sk)->inet_num != IPPROTO_ICMPV6) -+ return -EOPNOTSUPP; -+ - mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); - if (mrt == NULL) - return -ENOENT; -@@ -1673,9 +1677,6 @@ int ip6_mroute_setsockopt(struct sock *s - - switch (optname) { - case MRT6_INIT: -- if (sk->sk_type != SOCK_RAW || -- inet_sk(sk)->inet_num != IPPROTO_ICMPV6) -- return -EOPNOTSUPP; - if (optlen < sizeof(int)) - return -EINVAL; - -@@ -1812,6 +1813,10 @@ int ip6_mroute_getsockopt(struct sock *s - struct net *net = sock_net(sk); - struct mr6_table *mrt; - -+ if (sk->sk_type != SOCK_RAW || -+ inet_sk(sk)->inet_num != IPPROTO_ICMPV6) -+ return -EOPNOTSUPP; -+ - mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); - if (mrt == NULL) - return -ENOENT; 
diff --git a/queue-3.16/ipv6-fix-fragment-id-assignment-on-le-arches.patch b/queue-3.16/ipv6-fix-fragment-id-assignment-on-le-arches.patch deleted file mode 100644 index 7c117ecc..00000000 --- a/queue-3.16/ipv6-fix-fragment-id-assignment-on-le-arches.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Vlad Yasevich <vyasevich@gmail.com> -Date: Mon, 9 Feb 2015 09:38:20 -0500 -Subject: ipv6: Fix fragment id assignment on LE arches. - -commit 51f30770e50eb787200f30a79105e2615b379334 upstream. - -Recent commit: -0508c07f5e0c94f38afd5434e8b2a55b84553077 -Author: Vlad Yasevich <vyasevich@gmail.com> -Date: Tue Feb 3 16:36:15 2015 -0500 - - ipv6: Select fragment id during UFO segmentation if not set. - -Introduced a bug on LE in how ipv6 fragment id is assigned. -This was cought by nightly sparce check: - -Resolve the following sparce error: - net/ipv6/output_core.c:57:38: sparse: incorrect type in assignment - (different base types) - net/ipv6/output_core.c:57:38: expected restricted __be32 -[usertype] ip6_frag_id - net/ipv6/output_core.c:57:38: got unsigned int [unsigned] -[assigned] [usertype] id - -Fixes: 0508c07f5e0c9 (ipv6: Select fragment id during UFO segmentation if not set.) -Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv6/output_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -54,7 +54,7 @@ void ipv6_proxy_select_ident(struct sk_b - - id = __ipv6_select_ident(ip6_proxy_idents_hashrnd, - &addrs[1], &addrs[0]); -- skb_shinfo(skb)->ip6_frag_id = id; -+ skb_shinfo(skb)->ip6_frag_id = htonl(id); - } - EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); - diff --git a/queue-3.16/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch b/queue-3.16/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch deleted file mode 100644 index 30f22e59..00000000 
--- a/queue-3.16/ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Sat, 27 Apr 2019 16:49:06 -0700 -Subject: ipv6/flowlabel: wait rcu grace period before put_pid() - -commit 6c0afef5fb0c27758f4d52b2210c61b6bd8b4470 upstream. - -syzbot was able to catch a use-after-free read in pid_nr_ns() [1] - -ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid -but fl_free() releases fl->owner.pid before rcu grace period is started. - -[1] - -BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407 -Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087 - -CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x172/0x1f0 lib/dump_stack.c:113 - print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 - kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 - __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 - pid_nr_ns+0x128/0x140 kernel/pid.c:407 - ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794 - seq_read+0xad3/0x1130 fs/seq_file.c:268 - proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227 - do_loop_readv_writev fs/read_write.c:701 [inline] - do_loop_readv_writev fs/read_write.c:688 [inline] - do_iter_read+0x4a9/0x660 fs/read_write.c:922 - vfs_readv+0xf0/0x160 fs/read_write.c:984 - kernel_readv fs/splice.c:358 [inline] - default_file_splice_read+0x475/0x890 fs/splice.c:413 - do_splice_to+0x12a/0x190 fs/splice.c:876 - splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953 - do_splice_direct+0x1da/0x2a0 fs/splice.c:1062 - do_sendfile+0x597/0xd00 fs/read_write.c:1443 - __do_sys_sendfile64 fs/read_write.c:1498 [inline] - __se_sys_sendfile64 fs/read_write.c:1490 [inline] - __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490 - do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x458da9 -Code: 
ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 -RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9 -RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007 -RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 -R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4 -R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff - -Allocated by task 17543: - save_stack+0x45/0xd0 mm/kasan/common.c:75 - set_track mm/kasan/common.c:87 [inline] - __kasan_kmalloc mm/kasan/common.c:497 [inline] - __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 - kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505 - slab_post_alloc_hook mm/slab.h:437 [inline] - slab_alloc mm/slab.c:3393 [inline] - kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555 - alloc_pid+0x55/0x8f0 kernel/pid.c:168 - copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932 - copy_process kernel/fork.c:1709 [inline] - _do_fork+0x257/0xfd0 kernel/fork.c:2226 - __do_sys_clone kernel/fork.c:2333 [inline] - __se_sys_clone kernel/fork.c:2327 [inline] - __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327 - do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 7789: - save_stack+0x45/0xd0 mm/kasan/common.c:75 - set_track mm/kasan/common.c:87 [inline] - __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 - kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 - __cache_free mm/slab.c:3499 [inline] - kmem_cache_free+0x86/0x260 mm/slab.c:3765 - put_pid.part.0+0x111/0x150 kernel/pid.c:111 - put_pid+0x20/0x30 kernel/pid.c:105 - fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102 - ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152 - call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 - expire_timers kernel/time/timer.c:1362 
[inline] - __run_timers kernel/time/timer.c:1681 [inline] - __run_timers kernel/time/timer.c:1649 [inline] - run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 - __do_softirq+0x266/0x95a kernel/softirq.c:293 - -The buggy address belongs to the object at ffff888094012a00 - which belongs to the cache pid_2 of size 88 -The buggy address is located 4 bytes inside of - 88-byte region [ffff888094012a00, ffff888094012a58) -The buggy address belongs to the page: -page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980 -flags: 0x1fffc0000000200(slab) -raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080 -raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc - ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc ->ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc - ^ - ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc - ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc - -Fixes: 4f82f45730c6 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: Eric W. Biederman <ebiederm@xmission.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: Move the release_net() call too, not that it does - anything.] 
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/net/ipv6/ip6_flowlabel.c -+++ b/net/ipv6/ip6_flowlabel.c -@@ -94,16 +94,22 @@ static struct ip6_flowlabel *fl_lookup(s - return fl; - } - -+static void fl_free_rcu(struct rcu_head *head) -+{ -+ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); -+ -+ if (fl->share == IPV6_FL_S_PROCESS) -+ put_pid(fl->owner.pid); -+ release_net(fl->fl_net); -+ kfree(fl->opt); -+ kfree(fl); -+} -+ - - static void fl_free(struct ip6_flowlabel *fl) - { -- if (fl) { -- if (fl->share == IPV6_FL_S_PROCESS) -- put_pid(fl->owner.pid); -- release_net(fl->fl_net); -- kfree(fl->opt); -- kfree_rcu(fl, rcu); -- } -+ if (fl) -+ call_rcu(&fl->rcu, fl_free_rcu); - } - - static void fl_release(struct ip6_flowlabel *fl) diff --git a/queue-3.16/ipv6-hash-net-ptr-into-fragmentation-bucket-selection.patch b/queue-3.16/ipv6-hash-net-ptr-into-fragmentation-bucket-selection.patch deleted file mode 100644 index cf0d2bb1..00000000 --- a/queue-3.16/ipv6-hash-net-ptr-into-fragmentation-bucket-selection.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Wed, 25 Mar 2015 17:07:45 +0100 -Subject: ipv6: hash net ptr into fragmentation bucket selection - -commit 5a352dd0a3aac03b443c94828dfd7144261c8636 upstream. - -As namespaces are sometimes used with overlapping ip address ranges, -we should also use the namespace as input to the hash to select the ip -fragmentation counter bucket. - -Cc: Eric Dumazet <edumazet@google.com> -Cc: Flavio Leitner <fbl@redhat.com> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/net/ipv6.h | 5 +++-- - net/ipv6/ip6_output.c | 6 +++--- - net/ipv6/output_core.c | 14 ++++++++------ - net/ipv6/udp_offload.c | 4 ++-- - 4 files changed, 16 insertions(+), 13 deletions(-) - ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -688,8 +688,9 @@ static inline int ipv6_addr_diff(const s - return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); - } - --void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt); --void ipv6_proxy_select_ident(struct sk_buff *skb); -+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr, -+ struct rt6_info *rt); -+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb); - - int ip6_dst_hoplimit(struct dst_entry *dst); - ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -632,7 +632,7 @@ int ip6_fragment(struct sk_buff *skb, in - skb_reset_network_header(skb); - memcpy(skb_network_header(skb), tmp_hdr, hlen); - -- ipv6_select_ident(fh, rt); -+ ipv6_select_ident(net, fh, rt); - fh->nexthdr = nexthdr; - fh->reserved = 0; - fh->frag_off = htons(IP6_MF); -@@ -785,7 +785,7 @@ slow_path: - fh->nexthdr = nexthdr; - fh->reserved = 0; - if (!frag_id) { -- ipv6_select_ident(fh, rt); -+ ipv6_select_ident(net, fh, rt); - frag_id = fh->identification; - } else - fh->identification = frag_id; -@@ -1079,7 +1079,7 @@ static 
inline int ip6_ufo_append_data(st - skb_shinfo(skb)->gso_size = (mtu - fragheaderlen - - sizeof(struct frag_hdr)) & ~7; - skb_shinfo(skb)->gso_type = SKB_GSO_UDP; -- ipv6_select_ident(&fhdr, rt); -+ ipv6_select_ident(sock_net(sk), &fhdr, rt); - skb_shinfo(skb)->ip6_frag_id = fhdr.identification; - - append: ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -9,13 +9,14 @@ - #include <net/addrconf.h> - #include <net/secure_seq.h> - --static u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, -- struct in6_addr *src) -+static u32 __ipv6_select_ident(struct net *net, u32 hashrnd, -+ struct in6_addr *dst, struct in6_addr *src) - { - u32 hash, id; - - hash = __ipv6_addr_jhash(dst, hashrnd); - hash = __ipv6_addr_jhash(src, hash); -+ hash ^= net_hash_mix(net); - - /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, - * set the hight order instead thus minimizing possible future -@@ -36,7 +37,7 @@ static u32 __ipv6_select_ident(u32 hashr - * - * The network header must be set before calling this. 
- */ --void ipv6_proxy_select_ident(struct sk_buff *skb) -+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb) - { - static u32 ip6_proxy_idents_hashrnd __read_mostly; - struct in6_addr buf[2]; -@@ -53,20 +54,21 @@ void ipv6_proxy_select_ident(struct sk_b - net_get_random_once(&ip6_proxy_idents_hashrnd, - sizeof(ip6_proxy_idents_hashrnd)); - -- id = __ipv6_select_ident(ip6_proxy_idents_hashrnd, -+ id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd, - &addrs[1], &addrs[0]); - skb_shinfo(skb)->ip6_frag_id = htonl(id); - } - EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); - --void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) -+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr, -+ struct rt6_info *rt) - { - static u32 ip6_idents_hashrnd __read_mostly; - u32 id; - - net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); - -- id = __ipv6_select_ident(ip6_idents_hashrnd, &rt->rt6i_dst.addr, -+ id = __ipv6_select_ident(net, ip6_idents_hashrnd, &rt->rt6i_dst.addr, - &rt->rt6i_src.addr); - fhdr->identification = htonl(id); - } ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -77,7 +77,7 @@ static struct sk_buff *udp6_ufo_fragment - - /* Set the IPv6 fragment id if not set yet */ - if (!skb_shinfo(skb)->ip6_frag_id) -- ipv6_proxy_select_ident(skb); -+ ipv6_proxy_select_ident(dev_net(skb->dev), skb); - - segs = NULL; - goto out; -@@ -125,7 +125,7 @@ static struct sk_buff *udp6_ufo_fragment - fptr->nexthdr = nexthdr; - fptr->reserved = 0; - if (!skb_shinfo(skb)->ip6_frag_id) -- ipv6_proxy_select_ident(skb); -+ ipv6_proxy_select_ident(dev_net(skb->dev), skb); - fptr->identification = skb_shinfo(skb)->ip6_frag_id; - - /* Fragment the skb. ipv6 header and the remaining fields of the diff --git a/queue-3.16/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch b/queue-3.16/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch deleted file mode 100644 index 62917ee8..00000000 
--- a/queue-3.16/ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Willem de Bruijn <willemb@google.com> -Date: Thu, 25 Apr 2019 12:06:54 -0400 -Subject: ipv6: invert flowlabel sharing check in process and user mode - -commit 95c169251bf734aa555a1e8043e4d88ec97a04ec upstream. - -A request for a flowlabel fails in process or user exclusive mode must -fail if the caller pid or uid does not match. Invert the test. - -Previously, the test was unsafe wrt PID recycling, but indeed tested -for inequality: fl1->owner != fl->owner - -Fixes: 4f82f45730c68 ("net ip6 flowlabel: Make owner a union of struct pid* and kuid_t") -Signed-off-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv6/ip6_flowlabel.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/ipv6/ip6_flowlabel.c -+++ b/net/ipv6/ip6_flowlabel.c -@@ -630,9 +630,9 @@ recheck: - if (fl1->share == IPV6_FL_S_EXCL || - fl1->share != fl->share || - ((fl1->share == IPV6_FL_S_PROCESS) && -- (fl1->owner.pid == fl->owner.pid)) || -+ (fl1->owner.pid != fl->owner.pid)) || - ((fl1->share == IPV6_FL_S_USER) && -- uid_eq(fl1->owner.uid, fl->owner.uid))) -+ !uid_eq(fl1->owner.uid, fl->owner.uid))) - goto release; - - err = -ENOMEM; diff --git a/queue-3.16/ipv6-make-__ipv6_select_ident-static.patch b/queue-3.16/ipv6-make-__ipv6_select_ident-static.patch deleted file mode 100644 index 9b7b7de6..00000000 --- a/queue-3.16/ipv6-make-__ipv6_select_ident-static.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From: Vlad Yasevich <vyasevich@gmail.com> -Date: Mon, 9 Feb 2015 09:38:21 -0500 -Subject: ipv6: Make __ipv6_select_ident static - -commit 8381eacf5c3b35cf7755f4bc521c4d56d24c1cd9 upstream. - -Make __ipv6_select_ident() static as it isn't used outside -the file. - -Fixes: 0508c07f5e0c9 (ipv6: Select fragment id during UFO segmentation if not set.) -Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/net/ipv6.h | 2 -- - net/ipv6/output_core.c | 3 ++- - 2 files changed, 2 insertions(+), 3 deletions(-) - ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -688,8 +688,6 @@ static inline int ipv6_addr_diff(const s - return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); - } - --u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, -- struct in6_addr *src); - void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt); - void ipv6_proxy_select_ident(struct sk_buff *skb); - ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -9,7 +9,8 @@ - #include <net/addrconf.h> - #include <net/secure_seq.h> - --u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, struct in6_addr *src) -+static u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, -+ struct in6_addr *src) - { - u32 hash, id; - diff --git a/queue-3.16/ipv6-select-fragment-id-during-ufo-segmentation-if-not-set.patch b/queue-3.16/ipv6-select-fragment-id-during-ufo-segmentation-if-not-set.patch deleted file mode 100644 index 9784355f..00000000 --- a/queue-3.16/ipv6-select-fragment-id-during-ufo-segmentation-if-not-set.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From: Vlad Yasevich <vyasevich@gmail.com> -Date: Tue, 3 Feb 2015 16:36:15 -0500 -Subject: ipv6: Select fragment id during UFO segmentation if not set. - -commit 0508c07f5e0c94f38afd5434e8b2a55b84553077 upstream. - -If the IPv6 fragment id has not been set and we perform -fragmentation due to UFO, select a new fragment id. -We now consider a fragment id of 0 as unset and if id selection -process returns 0 (after all the pertrubations), we set it to -0x80000000, thus giving us ample space not to create collisions -with the next packet we may have to fragment. - -When doing UFO integrity checking, we also select the -fragment id if it has not be set yet. This is stored into -the skb_shinfo() thus allowing UFO to function correclty. - -This patch also removes duplicate fragment id generation code -and moves ipv6_select_ident() into the header as it may be -used during GSO. - -Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/net/ipv6.h | 3 +++ - net/ipv6/ip6_output.c | 14 -------------- - net/ipv6/output_core.c | 41 +++++++++++++++++++++++++++++++++++------ - net/ipv6/udp_offload.c | 10 +++++++++- - 4 files changed, 47 insertions(+), 21 deletions(-) - ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -688,6 +688,9 @@ static inline int ipv6_addr_diff(const s - return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr)); - } - -+u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, -+ struct in6_addr *src); -+void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt); - void ipv6_proxy_select_ident(struct sk_buff *skb); - - int ip6_dst_hoplimit(struct dst_entry *dst); ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -538,20 +538,6 @@ static void ip6_copy_metadata(struct sk_ - skb_copy_secmark(to, from); - } - --static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) --{ -- static 
u32 ip6_idents_hashrnd __read_mostly; -- u32 hash, id; -- -- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); -- -- hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd); -- hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash); -- -- id = ip_idents_reserve(hash, 1); -- fhdr->identification = htonl(id); --} -- - int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) - { - struct sk_buff *frag; ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -9,6 +9,24 @@ - #include <net/addrconf.h> - #include <net/secure_seq.h> - -+u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, struct in6_addr *src) -+{ -+ u32 hash, id; -+ -+ hash = __ipv6_addr_jhash(dst, hashrnd); -+ hash = __ipv6_addr_jhash(src, hash); -+ -+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, -+ * set the hight order instead thus minimizing possible future -+ * collisions. -+ */ -+ id = ip_idents_reserve(hash, 1); -+ if (unlikely(!id)) -+ id = 1 << 31; -+ -+ return id; -+} -+ - /* This function exists only for tap drivers that must support broken - * clients requesting UFO without specifying an IPv6 fragment ID. 
- * -@@ -22,7 +40,7 @@ void ipv6_proxy_select_ident(struct sk_b - static u32 ip6_proxy_idents_hashrnd __read_mostly; - struct in6_addr buf[2]; - struct in6_addr *addrs; -- u32 hash, id; -+ u32 id; - - addrs = skb_header_pointer(skb, - skb_network_offset(skb) + -@@ -34,14 +52,25 @@ void ipv6_proxy_select_ident(struct sk_b - net_get_random_once(&ip6_proxy_idents_hashrnd, - sizeof(ip6_proxy_idents_hashrnd)); - -- hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd); -- hash = __ipv6_addr_jhash(&addrs[0], hash); -- -- id = ip_idents_reserve(hash, 1); -- skb_shinfo(skb)->ip6_frag_id = htonl(id); -+ id = __ipv6_select_ident(ip6_proxy_idents_hashrnd, -+ &addrs[1], &addrs[0]); -+ skb_shinfo(skb)->ip6_frag_id = id; - } - EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); - -+void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) -+{ -+ static u32 ip6_idents_hashrnd __read_mostly; -+ u32 id; -+ -+ net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); -+ -+ id = __ipv6_select_ident(ip6_idents_hashrnd, &rt->rt6i_dst.addr, -+ &rt->rt6i_src.addr); -+ fhdr->identification = htonl(id); -+} -+EXPORT_SYMBOL(ipv6_select_ident); -+ - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - { - unsigned int offset = sizeof(struct ipv6hdr); ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -75,6 +75,10 @@ static struct sk_buff *udp6_ufo_fragment - - skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss); - -+ /* Set the IPv6 fragment id if not set yet */ -+ if (!skb_shinfo(skb)->ip6_frag_id) -+ ipv6_proxy_select_ident(skb); -+ - segs = NULL; - goto out; - } -@@ -120,7 +124,11 @@ static struct sk_buff *udp6_ufo_fragment - fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen); - fptr->nexthdr = nexthdr; - fptr->reserved = 0; -- fptr->identification = skb_shinfo(skb)->ip6_frag_id; -+ if (skb_shinfo(skb)->ip6_frag_id) -+ fptr->identification = skb_shinfo(skb)->ip6_frag_id; -+ else -+ ipv6_select_ident(fptr, -+ (struct rt6_info 
*)skb_dst(skb)); - - /* Fragment the skb. ipv6 header and the remaining fields of the - * fragment header are updated in ipv6_gso_segment() diff --git a/queue-3.16/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch b/queue-3.16/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch deleted file mode 100644 index aee61df9..00000000 --- a/queue-3.16/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From: Masami Hiramatsu <mhiramat@kernel.org> -Date: Sun, 24 Feb 2019 01:50:20 +0900 -Subject: kprobes: Mark ftrace mcount handler functions nokprobe - -commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream. - -Mark ftrace mcount handler functions nokprobe since -probing on these functions with kretprobe pushes -return address incorrectly on kretprobe shadow stack. - -Reported-by: Francis Deslauriers <francis.deslauriers@efficios.com> -Tested-by: Andrea Righi <righi.andrea@gmail.com> -Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> -Acked-by: Steven Rostedt <rostedt@goodmis.org> -Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox -Signed-off-by: Ingo Molnar <mingo@kernel.org> -[bwh: Backported to 3.16: there is no ftrace_ops_assist_func()] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/kernel/trace/ftrace.c -+++ b/kernel/trace/ftrace.c -@@ -32,6 +32,7 @@ - #include <linux/list.h> - #include <linux/hash.h> - #include <linux/rcupdate.h> -+#include <linux/kprobes.h> - - #include <trace/events/sched.h> - -@@ -4508,7 +4509,7 @@ static struct ftrace_ops control_ops = { - INIT_OPS_HASH(control_ops) - }; - --static inline void -+static nokprobe_inline void - __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, - struct ftrace_ops *ignored, struct pt_regs *regs) - { -@@ -4561,11 +4562,13 @@ static void ftrace_ops_list_func(unsigne - { - __ftrace_ops_list_func(ip, parent_ip, NULL, regs); - } -+NOKPROBE_SYMBOL(ftrace_ops_list_func); - #else - static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) - { - __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); - } -+NOKPROBE_SYMBOL(ftrace_ops_no_ops); - #endif - - static void 
clear_ftrace_swapper(void) diff --git a/queue-3.16/kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch b/queue-3.16/kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch deleted file mode 100644 index b0a4d858..00000000 --- a/queue-3.16/kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From: Ben Gardon <bgardon@google.com> -Date: Mon, 8 Apr 2019 11:07:30 -0700 -Subject: kvm: mmu: Fix overflow on kvm mmu page limit calculation - -commit bc8a3d8925a8fa09fa550e0da115d95851ce33c6 upstream. - -KVM bases its memory usage limits on the total number of guest pages -across all memslots. However, those limits, and the calculations to -produce them, use 32 bit unsigned integers. This can result in overflow -if a VM has more guest pages that can be represented by a u32. As a -result of this overflow, KVM can use a low limit on the number of MMU -pages it will allocate. This makes KVM unable to map all of guest memory -at once, prompting spurious faults. - -Tested: Ran all kvm-unit-tests on an Intel Haswell machine. This patch - introduced no new failures. - -Signed-off-by: Ben Gardon <bgardon@google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/include/asm/kvm_host.h | 12 ++++++------ - arch/x86/kvm/mmu.c | 13 ++++++------- - arch/x86/kvm/mmu.h | 2 +- - arch/x86/kvm/x86.c | 4 ++-- - 4 files changed, 15 insertions(+), 16 deletions(-) - ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -88,7 +88,7 @@ static inline gfn_t gfn_to_index(gfn_t g - #define IOPL_SHIFT 12 - - #define KVM_PERMILLE_MMU_PAGES 20 --#define KVM_MIN_ALLOC_MMU_PAGES 64 -+#define KVM_MIN_ALLOC_MMU_PAGES 64UL - #define KVM_MMU_HASH_SHIFT 10 - #define KVM_NUM_MMU_PAGES (1 << KVM_MMU_HASH_SHIFT) - #define KVM_MIN_FREE_MMU_PAGES 5 -@@ -552,9 +552,9 @@ struct kvm_apic_map { - }; - - struct kvm_arch { -- unsigned int n_used_mmu_pages; -- unsigned int n_requested_mmu_pages; -- unsigned int n_max_mmu_pages; -+ unsigned long n_used_mmu_pages; -+ unsigned long n_requested_mmu_pages; -+ unsigned long n_max_mmu_pages; - unsigned int indirect_shadow_pages; - unsigned long mmu_valid_gen; - struct hlist_head 
mmu_page_hash[KVM_NUM_MMU_PAGES]; -@@ -810,8 +810,8 @@ void kvm_mmu_write_protect_pt_masked(str - gfn_t gfn_offset, unsigned long mask); - void kvm_mmu_zap_all(struct kvm *kvm); - void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm); --unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm); --void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages); -+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm); -+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long kvm_nr_mmu_pages); - - int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3); - ---- a/arch/x86/kvm/mmu.c -+++ b/arch/x86/kvm/mmu.c -@@ -1492,7 +1492,7 @@ static int is_empty_shadow_page(u64 *spt - * aggregate version in order to make the slab shrinker - * faster - */ --static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr) -+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr) - { - kvm->arch.n_used_mmu_pages += nr; - percpu_counter_add(&kvm_total_used_mmu_pages, nr); -@@ -2207,7 +2207,7 @@ static bool prepare_zap_oldest_mmu_page( - * Changing the number of mmu pages allocated to the vm - * Note: if goal_nr_mmu_pages is too small, you will get dead lock - */ --void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages) -+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages) - { - LIST_HEAD(invalid_list); - -@@ -4505,10 +4505,10 @@ nomem: - /* - * Caculate mmu pages needed for kvm. 
- */ --unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm) -+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm) - { -- unsigned int nr_mmu_pages; -- unsigned int nr_pages = 0; -+ unsigned long nr_mmu_pages; -+ unsigned long nr_pages = 0; - struct kvm_memslots *slots; - struct kvm_memory_slot *memslot; - -@@ -4518,8 +4518,7 @@ unsigned int kvm_mmu_calculate_mmu_pages - nr_pages += memslot->npages; - - nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000; -- nr_mmu_pages = max(nr_mmu_pages, -- (unsigned int) KVM_MIN_ALLOC_MMU_PAGES); -+ nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES); - - return nr_mmu_pages; - } ---- a/arch/x86/kvm/mmu.h -+++ b/arch/x86/kvm/mmu.h -@@ -81,7 +81,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_ - bool execonly); - bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu); - --static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm) -+static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm) - { - if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages) - return kvm->arch.n_max_mmu_pages - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -3529,7 +3529,7 @@ static int kvm_vm_ioctl_set_identity_map - } - - static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm, -- u32 kvm_nr_mmu_pages) -+ unsigned long kvm_nr_mmu_pages) - { - if (kvm_nr_mmu_pages < KVM_MIN_ALLOC_MMU_PAGES) - return -EINVAL; -@@ -3543,7 +3543,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages - return 0; - } - --static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm) -+static unsigned long kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm) - { - return kvm->arch.n_max_mmu_pages; - } diff --git a/queue-3.16/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch b/queue-3.16/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch deleted file mode 100644 index da01bde6..00000000 --- a/queue-3.16/kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From: Sean Christopherson <sean.j.christopherson@intel.com> -Date: Fri, 15 Feb 2019 12:48:39 -0800 -Subject: KVM: Reject device ioctls from processes other than the VM's creator - -commit ddba91801aeb5c160b660caed1800eb3aef403f8 upstream. - -KVM's API requires thats ioctls must be issued from the same process -that created the VM. In other words, userspace can play games with a -VM's file descriptors, e.g. fork(), SCM_RIGHTS, etc..., but only the -creator can do anything useful. Explicitly reject device ioctls that -are issued by a process other than the VM's creator, and update KVM's -API documentation to extend its requirements to device ioctls. - -Fixes: 852b6d57dc7f ("kvm: add device control API") -Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - Documentation/virtual/kvm/api.txt | 16 +++++++++++----- - virt/kvm/kvm_main.c | 3 +++ - 2 files changed, 14 insertions(+), 5 deletions(-) - ---- a/Documentation/virtual/kvm/api.txt -+++ b/Documentation/virtual/kvm/api.txt -@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong - - - VM ioctls: These query and set attributes that affect an entire virtual - machine, for example memory layout. In addition a VM ioctl is used to -- create virtual cpus (vcpus). -+ create virtual cpus (vcpus) and devices. - - Only run VM ioctls from the same process (address space) that was used - to create the VM. -@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong - Only run vcpu ioctls from the same thread that was used to create the - vcpu. - -+ - device ioctls: These query and set attributes that control the operation -+ of a single device. -+ -+ device ioctls must be issued from the same process (address space) that -+ was used to create the VM. - - 2. 
File descriptors - ------------------- -@@ -32,10 +37,11 @@ The kvm API is centered around file desc - open("/dev/kvm") obtains a handle to the kvm subsystem; this handle - can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this - handle will create a VM file descriptor which can be used to issue VM --ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu --and return a file descriptor pointing to it. Finally, ioctls on a vcpu --fd can be used to control the vcpu, including the important task of --actually running guest code. -+ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will -+create a virtual cpu or device and return a file descriptor pointing to -+the new resource. Finally, ioctls on a vcpu or device fd can be used -+to control the vcpu or device. For vcpus, this includes the important -+task of actually running guest code. - - In general file descriptors can be migrated among processes by means - of fork() and the SCM_RIGHTS facility of unix domain socket. These ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -2240,6 +2240,9 @@ static long kvm_device_ioctl(struct file - { - struct kvm_device *dev = filp->private_data; - -+ if (dev->kvm->mm != current->mm) -+ return -EIO; -+ - switch (ioctl) { - case KVM_SET_DEVICE_ATTR: - return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg); diff --git a/queue-3.16/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch b/queue-3.16/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch deleted file mode 100644 index 454aa962..00000000 --- a/queue-3.16/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From: Sean Christopherson <sean.j.christopherson@intel.com> -Date: Thu, 7 Mar 2019 15:43:02 -0800 -Subject: KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts - -commit 0cf9135b773bf32fba9dd8e6699c1b331ee4b749 upstream. - -The CPUID flag ARCH_CAPABILITIES is unconditioinally exposed to host -userspace for all x86 hosts, i.e. KVM advertises ARCH_CAPABILITIES -regardless of hardware support under the pretense that KVM fully -emulates MSR_IA32_ARCH_CAPABILITIES. Unfortunately, only VMX hosts -handle accesses to MSR_IA32_ARCH_CAPABILITIES (despite KVM_GET_MSRS -also reporting MSR_IA32_ARCH_CAPABILITIES for all hosts). - -Move the MSR_IA32_ARCH_CAPABILITIES handling to common x86 code so -that it's emulated on AMD hosts. - -Fixes: 1eaafe91a0df4 ("kvm: x86: IA32_ARCH_CAPABILITIES is always supported") -Reported-by: Xiaoyao Li <xiaoyao.li@linux.intel.com> -Cc: Jim Mattson <jmattson@google.com> -Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -[bwh: Backported to 3.16: - - Keep using guest_cpuid_has_arch_capabilities() to check the CPUID - - Keep using rdmsrl() to get the initial value of IA32_ARCH_CAPABILITIES - - Adjust filenames, context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/include/asm/kvm_host.h | 1 + - arch/x86/kvm/vmx.c | 13 ------------- - arch/x86/kvm/x86.c | 12 ++++++++++++ - 4 files changed, 13 insertions(+), 14 deletions(-) - ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -363,6 +363,7 @@ struct kvm_vcpu_arch { - int mp_state; - u64 ia32_misc_enable_msr; - bool tpr_access_reporting; -+ u64 arch_capabilities; - - /* - * Paging state of the vcpu ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -433,7 +433,6 @@ struct vcpu_vmx { - u64 msr_guest_kernel_gs_base; - #endif - -- u64 arch_capabilities; - u64 spec_ctrl; - - u32 vm_entry_controls_shadow; -@@ -2481,12 +2480,6 @@ static int 
vmx_get_msr(struct kvm_vcpu * - - msr_info->data = to_vmx(vcpu)->spec_ctrl; - break; -- case MSR_IA32_ARCH_CAPABILITIES: -- if (!msr_info->host_initiated && -- !guest_cpuid_has_arch_capabilities(vcpu)) -- return 1; -- msr_info->data = to_vmx(vcpu)->arch_capabilities; -- break; - case MSR_IA32_SYSENTER_CS: - msr_info->data = vmcs_read32(GUEST_SYSENTER_CS); - break; -@@ -2636,11 +2629,6 @@ static int vmx_set_msr(struct kvm_vcpu * - vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD, - MSR_TYPE_W); - break; -- case MSR_IA32_ARCH_CAPABILITIES: -- if (!msr_info->host_initiated) -- return 1; -- vmx->arch_capabilities = data; -- break; - case MSR_IA32_CR_PAT: - if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) { - if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) -@@ -4583,9 +4571,6 @@ static int vmx_vcpu_setup(struct vcpu_vm - ++vmx->nmsrs; - } - -- if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) -- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities); -- - vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl); - - /* 22.2.1, 20.8.1 */ ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -2089,6 +2089,11 @@ int kvm_set_msr_common(struct kvm_vcpu * - case MSR_F15H_EX_CFG: - break; - -+ case MSR_IA32_ARCH_CAPABILITIES: -+ if (!msr_info->host_initiated) -+ return 1; -+ vcpu->arch.arch_capabilities = data; -+ break; - case MSR_EFER: - return set_efer(vcpu, data); - case MSR_K7_HWCR: -@@ -2479,6 +2484,12 @@ int kvm_get_msr_common(struct kvm_vcpu * - case MSR_IA32_UCODE_REV: - msr_info->data = 0x100000000ULL; - break; -+ case MSR_IA32_ARCH_CAPABILITIES: -+ if (!msr_info->host_initiated && -+ !guest_cpuid_has_arch_capabilities(vcpu)) -+ return 1; -+ msr_info->data = vcpu->arch.arch_capabilities; -+ break; - case MSR_MTRRcap: - msr_info->data = 0x500 | KVM_NR_VAR_MTRR; - break; -@@ -6957,6 +6968,9 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu - { - int r; - -+ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) -+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, -+ 
vcpu->arch.arch_capabilities); - vcpu->arch.mtrr_state.have_fixed = 1; - r = vcpu_load(vcpu); - if (r) diff --git a/queue-3.16/kvm-x86-ia32_arch_capabilities-is-always-supported.patch b/queue-3.16/kvm-x86-ia32_arch_capabilities-is-always-supported.patch deleted file mode 100644 index 6063202b..00000000 --- a/queue-3.16/kvm-x86-ia32_arch_capabilities-is-always-supported.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: Jim Mattson <jmattson@google.com> -Date: Wed, 9 May 2018 14:29:35 -0700 -Subject: kvm: x86: IA32_ARCH_CAPABILITIES is always supported -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 1eaafe91a0df4157521b6417b3dd8430bf5f52f0 upstream. - -If there is a possibility that a VM may migrate to a Skylake host, -then the hypervisor should report IA32_ARCH_CAPABILITIES.RSBA[bit 2] -as being set (future work, of course). This implies that -CPUID.(EAX=7,ECX=0):EDX.ARCH_CAPABILITIES[bit 29] should be -set. Therefore, kvm should report this CPUID bit as being supported -whether or not the host supports it. Userspace is still free to clear -the bit if it chooses. - -For more information on RSBA, see Intel's white paper, "Retpoline: A -Branch Target Injection Mitigation" (Document Number 337131-001), -currently available at https://bugzilla.kernel.org/show_bug.cgi?id=199511. - -Since the IA32_ARCH_CAPABILITIES MSR is emulated in kvm, there is no -dependency on hardware support for this feature. - -Signed-off-by: Jim Mattson <jmattson@google.com> -Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Fixes: 28c1c9fabf48 ("KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES") -Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/kvm/cpuid.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -395,6 +395,11 @@ static inline int __do_cpuid_ent(struct - entry->ebx |= F(TSC_ADJUST); - entry->edx &= kvm_cpuid_7_0_edx_x86_features; - cpuid_mask(&entry->edx, 10); -+ /* -+ * We emulate ARCH_CAPABILITIES in software even -+ * if the host doesn't support it. -+ */ -+ entry->edx |= F(ARCH_CAPABILITIES); - } else { - entry->ebx = 0; - entry->edx = 0; 
diff --git a/queue-3.16/l2ip-fix-possible-use-after-free.patch b/queue-3.16/l2ip-fix-possible-use-after-free.patch deleted file mode 100644 index 3396aecd..00000000 --- a/queue-3.16/l2ip-fix-possible-use-after-free.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 30 Apr 2019 06:27:58 -0700 -Subject: l2ip: fix possible use-after-free - -commit a622b40035d16196bf19b2b33b854862595245fc upstream. - -Before taking a refcount on a rcu protected structure, -we need to make sure the refcount is not zero. - -syzbot reported : - -refcount_t: increment on 0; use-after-free. -WARNING: CPU: 1 PID: 23533 at lib/refcount.c:156 refcount_inc_checked lib/refcount.c:156 [inline] -WARNING: CPU: 1 PID: 23533 at lib/refcount.c:156 refcount_inc_checked+0x61/0x70 lib/refcount.c:154 -Kernel panic - not syncing: panic_on_warn set ... -CPU: 1 PID: 23533 Comm: syz-executor.2 Not tainted 5.1.0-rc7+ #93 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x172/0x1f0 lib/dump_stack.c:113 - panic+0x2cb/0x65c kernel/panic.c:214 - __warn.cold+0x20/0x45 kernel/panic.c:571 - report_bug+0x263/0x2b0 lib/bug.c:186 - fixup_bug arch/x86/kernel/traps.c:179 [inline] - fixup_bug arch/x86/kernel/traps.c:174 [inline] - do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 - do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291 - invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 -RIP: 0010:refcount_inc_checked lib/refcount.c:156 [inline] -RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:154 -Code: 1d 98 2b 2a 06 31 ff 89 de e8 db 2c 40 fe 84 db 75 dd e8 92 2b 40 fe 48 c7 c7 20 7a a1 87 c6 05 78 2b 2a 06 01 e8 7d d9 12 fe <0f> 0b eb c1 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 -RSP: 0018:ffff888069f0fba8 EFLAGS: 00010286 -RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 -RDX: 000000000000f353 RSI: ffffffff815afcb6 RDI: ffffed100d3e1f67 -RBP: ffff888069f0fbb8 R08: ffff88809b1845c0 R09: ffffed1015d23ef1 -R10: ffffed1015d23ef0 R11: ffff8880ae91f787 R12: ffff8880a8f26968 -R13: 0000000000000004 R14: dffffc0000000000 R15: ffff8880a49a6440 - l2tp_tunnel_inc_refcount 
net/l2tp/l2tp_core.h:240 [inline] - l2tp_tunnel_get+0x250/0x580 net/l2tp/l2tp_core.c:173 - pppol2tp_connect+0xc00/0x1c70 net/l2tp/l2tp_ppp.c:702 - __sys_connect+0x266/0x330 net/socket.c:1808 - __do_sys_connect net/socket.c:1819 [inline] - __se_sys_connect net/socket.c:1816 [inline] - __x64_sys_connect+0x73/0xb0 net/socket.c:1816 - -Fixes: 54652eb12c1b ("l2tp: hold tunnel while looking up sessions in l2tp_netlink") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Cc: Guillaume Nault <g.nault@alphalink.fr> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: use atomic not refcount API] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/l2tp/l2tp_core.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -217,8 +217,8 @@ struct l2tp_tunnel *l2tp_tunnel_get(cons - - rcu_read_lock_bh(); - list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { -- if (tunnel->tunnel_id == tunnel_id) { -- l2tp_tunnel_inc_refcount(tunnel); -+ if (tunnel->tunnel_id == tunnel_id && -+ atomic_inc_not_zero(&tunnel->ref_count)) { - rcu_read_unlock_bh(); - - return tunnel; -@@ -238,8 +238,8 @@ struct l2tp_tunnel *l2tp_tunnel_get_nth( - - rcu_read_lock_bh(); - list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { -- if (++count > nth) { -- l2tp_tunnel_inc_refcount(tunnel); -+ if (++count > nth && -+ atomic_inc_not_zero(&tunnel->ref_count)) { - rcu_read_unlock_bh(); - return tunnel; - } diff --git a/queue-3.16/l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch b/queue-3.16/l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch deleted file mode 100644 index 89c39c77..00000000 --- a/queue-3.16/l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 23 Apr 2019 09:43:26 -0700 -Subject: l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv() - -commit c1c477217882c610a2ba0268f5faf36c9c092528 upstream. - -Canonical way to fetch sk_user_data from an encap_rcv() handler called -from UDP stack in rcu protected section is to use rcu_dereference_sk_user_data(), -otherwise compiler might read it multiple times. - -Fixes: d00fa9adc528 ("il2tp: fix races with tunnel socket close") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Cc: James Chapman <jchapman@katalix.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/l2tp/l2tp_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -997,7 +997,7 @@ int l2tp_udp_encap_recv(struct sock *sk, - { - struct l2tp_tunnel *tunnel; - -- tunnel = l2tp_tunnel(sk); -+ tunnel = rcu_dereference_sk_user_data(sk); - if (tunnel == NULL) - goto pass_up; - diff --git a/queue-3.16/lib-string.c-implement-a-basic-bcmp.patch b/queue-3.16/lib-string.c-implement-a-basic-bcmp.patch deleted file mode 100644 index 5ccaa6b3..00000000 --- a/queue-3.16/lib-string.c-implement-a-basic-bcmp.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From: Nick Desaulniers <ndesaulniers@google.com> -Date: Fri, 5 Apr 2019 18:38:45 -0700 -Subject: lib/string.c: implement a basic bcmp - -commit 5f074f3e192f10c9fade898b9b3b8812e3d83342 upstream. - -A recent optimization in Clang (r355672) lowers comparisons of the -return value of memcmp against zero to comparisons of the return value -of bcmp against zero. This helps some platforms that implement bcmp -more efficiently than memcmp. glibc simply aliases bcmp to memcmp, but -an optimized implementation is in the works. - -This results in linkage failures for all targets with Clang due to the -undefined symbol. For now, just implement bcmp as a tailcail to memcmp -to unbreak the build. This routine can be further optimized in the -future. - -Other ideas discussed: - - * A weak alias was discussed, but breaks for architectures that define - their own implementations of memcmp since aliases to declarations are - not permitted (only definitions). Arch-specific memcmp - implementations typically declare memcmp in C headers, but implement - them in assembly. - - * -ffreestanding also is used sporadically throughout the kernel. - - * -fno-builtin-bcmp doesn't work when doing LTO. 
- -Link: https://bugs.llvm.org/show_bug.cgi?id=41035 -Link: https://code.woboq.org/userspace/glibc/string/memcmp.c.html#bcmp -Link: https://github.com/llvm/llvm-project/commit/8e16d73346f8091461319a7dfc4ddd18eedcff13 -Link: https://github.com/ClangBuiltLinux/linux/issues/416 -Link: http://lkml.kernel.org/r/20190313211335.165605-1-ndesaulniers@google.com -Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> -Reported-by: Nathan Chancellor <natechancellor@gmail.com> -Reported-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> -Suggested-by: Arnd Bergmann <arnd@arndb.de> -Suggested-by: James Y Knight <jyknight@google.com> -Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com> -Suggested-by: Nathan Chancellor <natechancellor@gmail.com> -Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> -Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> -Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> -Tested-by: Nathan Chancellor <natechancellor@gmail.com> -Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com> -Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> -Cc: David Laight <David.Laight@ACULAB.COM> -Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> -Cc: Namhyung Kim <namhyung@kernel.org> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> -Cc: Dan Williams <dan.j.williams@intel.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/linux/string.h | 3 +++ - lib/string.c | 20 ++++++++++++++++++++ - 2 files changed, 23 insertions(+) - ---- a/include/linux/string.h -+++ b/include/linux/string.h -@@ -113,6 +113,9 @@ extern void * memscan(void *,int,__kerne - #ifndef __HAVE_ARCH_MEMCMP - extern int memcmp(const void *,const void *,__kernel_size_t); - #endif -+#ifndef __HAVE_ARCH_BCMP -+extern int bcmp(const void *,const void 
*,__kernel_size_t); -+#endif - #ifndef __HAVE_ARCH_MEMCHR - extern void * memchr(const void *,int,__kernel_size_t); - #endif ---- a/lib/string.c -+++ b/lib/string.c -@@ -776,6 +776,26 @@ __visible int memcmp(const void *cs, con - EXPORT_SYMBOL(memcmp); - #endif - -+#ifndef __HAVE_ARCH_BCMP -+/** -+ * bcmp - returns 0 if and only if the buffers have identical contents. -+ * @a: pointer to first buffer. -+ * @b: pointer to second buffer. -+ * @len: size of buffers. -+ * -+ * The sign or magnitude of a non-zero return value has no particular -+ * meaning, and architectures may implement their own more efficient bcmp(). So -+ * while this particular implementation is a simple (tail) call to memcmp, do -+ * not rely on anything but whether the return value is zero or non-zero. -+ */ -+#undef bcmp -+int bcmp(const void *a, const void *b, size_t len) -+{ -+ return memcmp(a, b, len); -+} -+EXPORT_SYMBOL(bcmp); -+#endif -+ - #ifndef __HAVE_ARCH_MEMSCAN - /** - * memscan - Find a character in an area of memory. diff --git a/queue-3.16/locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch b/queue-3.16/locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch deleted file mode 100644 index 1d230e3c..00000000 --- a/queue-3.16/locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From: Frederic Weisbecker <frederic@kernel.org> -Date: Mon, 6 Nov 2017 16:01:17 +0100 -Subject: locking/lockdep: Add IRQs disabled/enabled assertion APIs: - lockdep_assert_irqs_enabled()/disabled() - -commit f54bb2ec02c839f6bfe3e8d438cd93d30b4809dd upstream. - -Checking whether IRQs are enabled or disabled is a very common sanity -check, however not free of overhead especially on fastpath where such -assertion is very common. - -Lockdep is a good host for such concurrency correctness check and it -even already tracks down IRQs disablement state. Just reuse its -machinery. This will allow us to get rid of the flags pop and check -overhead from fast path when kernel is built for production. - -Suggested-by: Peter Zijlstra <peterz@infradead.org> -Signed-off-by: Frederic Weisbecker <frederic@kernel.org> -Acked-by: Thomas Gleixner <tglx@linutronix.de> -Cc: David S . Miller <davem@davemloft.net> -Cc: Lai Jiangshan <jiangshanlai@gmail.com> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Paul E. 
McKenney <paulmck@linux.vnet.ibm.com> -Cc: Tejun Heo <tj@kernel.org> -Link: http://lkml.kernel.org/r/1509980490-4285-2-git-send-email-frederic@kernel.org -Signed-off-by: Ingo Molnar <mingo@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/linux/lockdep.h | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - ---- a/include/linux/lockdep.h -+++ b/include/linux/lockdep.h -@@ -525,9 +525,24 @@ do { \ - lock_acquire(&(lock)->dep_map, 0, 0, 1, 1, NULL, _THIS_IP_); \ - lock_release(&(lock)->dep_map, 0, _THIS_IP_); \ - } while (0) -+ -+#define lockdep_assert_irqs_enabled() do { \ -+ WARN_ONCE(debug_locks && !current->lockdep_recursion && \ -+ !current->hardirqs_enabled, \ -+ "IRQs not enabled as expected\n"); \ -+ } while (0) -+ -+#define lockdep_assert_irqs_disabled() do { \ -+ WARN_ONCE(debug_locks && !current->lockdep_recursion && \ -+ current->hardirqs_enabled, \ -+ "IRQs not disabled as expected\n"); \ -+ } while (0) -+ - #else - # define might_lock(lock) do { } while (0) - # define might_lock_read(lock) do { } while (0) -+# define lockdep_assert_irqs_enabled() do { } while (0) -+# define lockdep_assert_irqs_disabled() do { } while (0) - #endif - - #ifdef CONFIG_PROVE_RCU diff --git a/queue-3.16/mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch b/queue-3.16/mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch deleted file mode 100644 index ddccf795..00000000 --- a/queue-3.16/mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From: Johannes Berg <johannes.berg@intel.com> -Date: Mon, 15 Apr 2019 11:39:33 +0200 -Subject: mac80211: don't attempt to rename ERR_PTR() debugfs dirs - -commit 517879147493a5e1df6b89a50f708f1133fcaddb upstream. - -We need to dereference the directory to get its parent to -be able to rename it, so it's clearly not safe to try to -do this with ERR_PTR() pointers. Skip in this case. - -It seems that this is most likely what was causing the -report by syzbot, but I'm not entirely sure as it didn't -come with a reproducer this time. - -Reported-by: syzbot+4ece1a28b8f4730547c9@syzkaller.appspotmail.com -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/mac80211/debugfs_netdev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/mac80211/debugfs_netdev.c -+++ b/net/mac80211/debugfs_netdev.c -@@ -735,7 +735,7 @@ void ieee80211_debugfs_rename_netdev(str - - dir = sdata->vif.debugfs_dir; - -- if (!dir) -+ if (IS_ERR_OR_NULL(dir)) - return; - - sprintf(buf, "netdev:%s", sdata->name); diff --git a/queue-3.16/mac8390-fix-mmio-access-size-probe.patch b/queue-3.16/mac8390-fix-mmio-access-size-probe.patch deleted file mode 100644 index 90de2cef..00000000 --- a/queue-3.16/mac8390-fix-mmio-access-size-probe.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From: Finn Thain <fthain@telegraphics.com.au> -Date: Sat, 16 Mar 2019 14:21:19 +1100 -Subject: mac8390: Fix mmio access size probe - -commit bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb upstream. - -The bug that Stan reported is as follows. After a restart, a 16-bit NIC -may be incorrectly identified as a 32-bit NIC and stop working. - -mac8390 slot.E: Memory length resource not found, probing -mac8390 slot.E: Farallon EtherMac II-C (type farallon) -mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access. - -The bug never arises after a cold start and only intermittently after a -warm start. (I didn't investigate why the bug is intermittent.) - -It turns out that memcpy_toio() is deprecated and memcmp_withio() also -has issues. Replacing these calls with mmio accessors fixes the problem. - -Reported-and-tested-by: Stan Johnson <userm57@yahoo.com> -Fixes: 2964db0f5904 ("m68k: Mac DP8390 update") -Signed-off-by: Finn Thain <fthain@telegraphics.com.au> -Signed-off-by: David S. 
Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ethernet/8390/mac8390.c | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - ---- a/drivers/net/ethernet/8390/mac8390.c -+++ b/drivers/net/ethernet/8390/mac8390.c -@@ -153,8 +153,6 @@ static void dayna_block_input(struct net - static void dayna_block_output(struct net_device *dev, int count, - const unsigned char *buf, int start_page); - --#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) -- - /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ - static void slow_sane_get_8390_hdr(struct net_device *dev, - struct e8390_pkt_hdr *hdr, int ring_page); -@@ -241,19 +239,26 @@ static enum mac8390_type __init mac8390_ - - static enum mac8390_access __init mac8390_testio(volatile unsigned long membase) - { -- unsigned long outdata = 0xA5A0B5B0; -- unsigned long indata = 0x00000000; -+ u32 outdata = 0xA5A0B5B0; -+ u32 indata = 0; -+ - /* Try writing 32 bits */ -- memcpy_toio((void __iomem *)membase, &outdata, 4); -- /* Now compare them */ -- if (memcmp_withio(&outdata, membase, 4) == 0) -+ nubus_writel(outdata, membase); -+ /* Now read it back */ -+ indata = nubus_readl(membase); -+ if (outdata == indata) - return ACCESS_32; -+ -+ outdata = 0xC5C0D5D0; -+ indata = 0; -+ - /* Write 16 bit output */ - word_memcpy_tocard(membase, &outdata, 4); - /* Now read it back */ - word_memcpy_fromcard(&indata, membase, 4); - if (outdata == indata) - return ACCESS_16; -+ - return ACCESS_UNKNOWN; - } - diff --git a/queue-3.16/mips-scall64-o32-fix-indirect-syscall-number-load.patch b/queue-3.16/mips-scall64-o32-fix-indirect-syscall-number-load.patch deleted file mode 100644 index 1465d5ec..00000000 --- a/queue-3.16/mips-scall64-o32-fix-indirect-syscall-number-load.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: Aurelien Jarno <aurelien@aurel32.net> -Date: Tue, 9 Apr 2019 16:53:55 +0200 -Subject: MIPS: scall64-o32: Fix indirect syscall number load -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 79b4a9cf0e2ea8203ce777c8d5cfa86c71eae86e upstream. - -Commit 4c21b8fd8f14 (MIPS: seccomp: Handle indirect system calls (o32)) -added indirect syscall detection for O32 processes running on MIPS64, -but it did not work correctly for big endian kernel/processes. The -reason is that the syscall number is loaded from ARG1 using the lw -instruction while this is a 64-bit value, so zero is loaded instead of -the syscall number. - -Fix the code by using the ld instruction instead. When running a 32-bit -processes on a 64 bit CPU, the values are properly sign-extended, so it -ensures the value passed to syscall_trace_enter is correct. - -Recent systemd versions with seccomp enabled whitelist the getpid -syscall for their internal processes (e.g. systemd-journald), but call -it through syscall(SYS_getpid). This fix therefore allows O32 big endian -systems with a 64-bit kernel to run recent systemd versions. - -Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> -Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> -Signed-off-by: Paul Burton <paul.burton@mips.com> -Cc: Ralf Baechle <ralf@linux-mips.org> -Cc: James Hogan <jhogan@kernel.org> -Cc: linux-mips@vger.kernel.org -Cc: linux-kernel@vger.kernel.org -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/mips/kernel/scall64-o32.S | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/mips/kernel/scall64-o32.S -+++ b/arch/mips/kernel/scall64-o32.S -@@ -124,7 +124,7 @@ trace_a_syscall: - subu t1, v0, __NR_O32_Linux - move a1, v0 - bnez t1, 1f /* __NR_syscall at offset 0 */ -- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ -+ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ - .set pop - - 1: jal syscall_trace_enter 
diff --git a/queue-3.16/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch b/queue-3.16/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch deleted file mode 100644 index 833281ec..00000000 --- a/queue-3.16/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From: Igor Redko <redkoi@virtuozzo.com> -Date: Thu, 17 Mar 2016 14:19:05 -0700 -Subject: mm/page_alloc.c: calculate 'available' memory in a separate function - -commit d02bd27bd33dd7e8d22594cd568b81be0cb584cd upstream. - -Add a new field, VIRTIO_BALLOON_S_AVAIL, to virtio_balloon memory -statistics protocol, corresponding to 'Available' in /proc/meminfo. - -It indicates to the hypervisor how big the balloon can be inflated -without pushing the guest system to swap. This metric would be very -useful in VM orchestration software to improve memory management of -different VMs under overcommit. - -This patch (of 2): - -Factor out calculation of the available memory counter into a separate -exportable function, in order to be able to use it in other parts of the -kernel. - -In particular, it appears a relevant metric to report to the hypervisor -via virtio-balloon statistics interface (in a followup patch). - -Signed-off-by: Igor Redko <redkoi@virtuozzo.com> -Signed-off-by: Denis V. Lunev <den@openvz.org> -Reviewed-by: Roman Kagan <rkagan@virtuozzo.com> -Cc: Michael S. 
Tsirkin <mst@redhat.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16 as dependency of commit a1078e821b60 - "xen: let alloc_xenballooned_pages() fail if not enough memory free"] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/proc/meminfo.c | 31 +------------------------------ - include/linux/mm.h | 1 + - mm/page_alloc.c | 43 +++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 45 insertions(+), 30 deletions(-) - ---- a/fs/proc/meminfo.c -+++ b/fs/proc/meminfo.c -@@ -27,10 +27,7 @@ static int meminfo_proc_show(struct seq_ - struct vmalloc_info vmi; - long cached; - long available; -- unsigned long pagecache; -- unsigned long wmark_low = 0; - unsigned long pages[NR_LRU_LISTS]; -- struct zone *zone; - int lru; - - /* -@@ -51,33 +48,7 @@ static int meminfo_proc_show(struct seq_ - for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++) - pages[lru] = global_page_state(NR_LRU_BASE + lru); - -- for_each_zone(zone) -- wmark_low += zone->watermark[WMARK_LOW]; -- -- /* -- * Estimate the amount of memory available for userspace allocations, -- * without causing swapping. -- */ -- available = i.freeram - totalreserve_pages; -- -- /* -- * Not all the page cache can be freed, otherwise the system will -- * start swapping. Assume at least half of the page cache, or the -- * low watermark worth of cache, needs to stay. -- */ -- pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE]; -- pagecache -= min(pagecache / 2, wmark_low); -- available += pagecache; -- -- /* -- * Part of the reclaimable slab consists of items that are in use, -- * and cannot be freed. Cap this estimate at the low watermark. -- */ -- available += global_page_state(NR_SLAB_RECLAIMABLE) - -- min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low); -- -- if (available < 0) -- available = 0; -+ available = si_mem_available(); - - /* - * Tagged format, for easy grepping and expansion. 
---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1699,6 +1699,7 @@ extern int __meminit init_per_zone_wmark - extern void mem_init(void); - extern void __init mmap_init(void); - extern void show_mem(unsigned int flags); -+extern long si_mem_available(void); - extern void si_meminfo(struct sysinfo * val); - extern void si_meminfo_node(struct sysinfo *val, int nid); - ---- a/mm/page_alloc.c -+++ b/mm/page_alloc.c -@@ -3072,6 +3072,49 @@ static inline void show_node(struct zone - printk("Node %d ", zone_to_nid(zone)); - } - -+long si_mem_available(void) -+{ -+ long available; -+ unsigned long pagecache; -+ unsigned long wmark_low = 0; -+ unsigned long pages[NR_LRU_LISTS]; -+ struct zone *zone; -+ int lru; -+ -+ for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++) -+ pages[lru] = global_page_state(NR_LRU_BASE + lru); -+ -+ for_each_zone(zone) -+ wmark_low += zone->watermark[WMARK_LOW]; -+ -+ /* -+ * Estimate the amount of memory available for userspace allocations, -+ * without causing swapping. -+ */ -+ available = global_page_state(NR_FREE_PAGES) - totalreserve_pages; -+ -+ /* -+ * Not all the page cache can be freed, otherwise the system will -+ * start swapping. Assume at least half of the page cache, or the -+ * low watermark worth of cache, needs to stay. -+ */ -+ pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE]; -+ pagecache -= min(pagecache / 2, wmark_low); -+ available += pagecache; -+ -+ /* -+ * Part of the reclaimable slab consists of items that are in use, -+ * and cannot be freed. Cap this estimate at the low watermark. -+ */ -+ available += global_page_state(NR_SLAB_RECLAIMABLE) - -+ min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low); -+ -+ if (available < 0) -+ available = 0; -+ return available; -+} -+EXPORT_SYMBOL_GPL(si_mem_available); -+ - void si_meminfo(struct sysinfo *val) - { - val->totalram = totalram_pages; 
diff --git a/queue-3.16/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch b/queue-3.16/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch deleted file mode 100644 index ee648b0d..00000000 --- a/queue-3.16/mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> -Date: Thu, 18 Apr 2019 17:50:20 -0700 -Subject: mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y - CONFIG_SMP=n - -commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream. - -Commit 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly") -depends on skipping vmstat entries with empty name introduced in -7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in -/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change -semantics of nr_indirectly_reclaimable_bytes"). - -So skipping no longer works and /proc/vmstat has misformatted lines " 0". - -This patch simply shows debug counters "nr_tlb_remote_*" for UP. - -Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz -Fixes: 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly") -Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> -Acked-by: Vlastimil Babka <vbabka@suse.cz> -Cc: Roman Gushchin <guro@fb.com> -Cc: Jann Horn <jannh@google.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - mm/vmstat.c | 5 ----- - 1 file changed, 5 deletions(-) - ---- a/mm/vmstat.c -+++ b/mm/vmstat.c -@@ -861,13 +861,8 @@ const char * const vmstat_text[] = { - "thp_zero_page_alloc_failed", - #endif - #ifdef CONFIG_DEBUG_TLBFLUSH --#ifdef CONFIG_SMP - "nr_tlb_remote_flush", - "nr_tlb_remote_flush_received", --#else -- "", /* nr_tlb_remote_flush */ -- "", /* nr_tlb_remote_flush_received */ --#endif /* CONFIG_SMP */ - "nr_tlb_local_flush_all", - "nr_tlb_local_flush_one", - #endif /* CONFIG_DEBUG_TLBFLUSH */ diff --git a/queue-3.16/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch b/queue-3.16/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch deleted file mode 100644 index 972e6480..00000000 
--- a/queue-3.16/mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Liu Jian <liujian56@huawei.com> -Date: Sun, 3 Mar 2019 15:04:18 +0800 -Subject: mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer - -commit d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b upstream. - -In function do_write_buffer(), in the for loop, there is a case -chip_ready() returns 1 while chip_good() returns 0, so it never -break the loop. -To fix this, chip_good() is enough and it should timeout if it stay -bad for a while. - -Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value") -Signed-off-by: Yi Huaijie <yihuaijie@huawei.com> -Signed-off-by: Liu Jian <liujian56@huawei.com> -Reviewed-by: Tokunori Ikegami <ikegami_to@yahoo.co.jp> -Signed-off-by: Richard Weinberger <richard@nod.at> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/mtd/chips/cfi_cmdset_0002.c -+++ b/drivers/mtd/chips/cfi_cmdset_0002.c -@@ -1538,7 +1538,11 @@ static int __xipram do_write_buffer(stru - continue; - } - -- if (time_after(jiffies, timeo) && !chip_ready(map, adr)) -+ /* -+ * We check "time_after" and "!chip_good" before checking "chip_good" to avoid -+ * the failure due to scheduling. -+ */ -+ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) - break; - - if (chip_good(map, adr, datum)) { diff --git a/queue-3.16/net-bridge-multicast-use-rcu-to-access-port-list-from.patch b/queue-3.16/net-bridge-multicast-use-rcu-to-access-port-list-from.patch deleted file mode 100644 index 9b502604..00000000 --- a/queue-3.16/net-bridge-multicast-use-rcu-to-access-port-list-from.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Date: Thu, 11 Apr 2019 15:08:25 +0300 -Subject: net: bridge: multicast: use rcu to access port list from - br_multicast_start_querier - -commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 upstream. - -br_multicast_start_querier() walks over the port list but it can be -called from a timer with only multicast_lock held which doesn't protect -the port list, so use RCU to walk over it. - -Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires") -Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/bridge/br_multicast.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -2036,7 +2036,8 @@ static void br_multicast_start_querier(s - - __br_multicast_open(br, query); - -- list_for_each_entry(port, &br->port_list, list) { -+ rcu_read_lock(); -+ list_for_each_entry_rcu(port, &br->port_list, list) { - if (port->state == BR_STATE_DISABLED || - port->state == BR_STATE_BLOCKING) - continue; -@@ -2048,6 +2049,7 @@ static void br_multicast_start_querier(s - br_multicast_enable(&port->ip6_own_query); - #endif - } -+ rcu_read_unlock(); - } - - int br_multicast_toggle(struct net_bridge *br, unsigned long val) diff --git a/queue-3.16/net-mac8390-use-standard-memcpy_-from-to-io.patch b/queue-3.16/net-mac8390-use-standard-memcpy_-from-to-io.patch deleted file mode 100644 index b4d8b199..00000000 --- a/queue-3.16/net-mac8390-use-standard-memcpy_-from-to-io.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From: Geert Uytterhoeven <geert@linux-m68k.org> -Date: Tue, 26 Jun 2018 20:32:22 +0200 -Subject: net: mac8390: Use standard memcpy_{from,to}io() - -commit 4042cd756e193f49469d31a23d5b85c4dca2a3b6 upstream. - -The mac8390 driver defines its own variants of memcpy_fromio() and -memcpy_toio(), using similar implementations, but different function -signatures. - -Remove the custom definitions of memcpy_fromio() and memcpy_toio(), and -adjust all callers to the standard signatures. - -Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> -Acked-by: David S. Miller <davem@davemloft.net> -Acked-by: Greg Ungerer <gerg@linux-m68k.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ethernet/8390/mac8390.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - ---- a/drivers/net/ethernet/8390/mac8390.c -+++ b/drivers/net/ethernet/8390/mac8390.c -@@ -153,9 +153,6 @@ static void dayna_block_input(struct net - static void dayna_block_output(struct net_device *dev, int count, - const unsigned char *buf, int start_page); - --#define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c)) --#define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c)) -- - #define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) - - /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ -@@ -247,7 +244,7 @@ static enum mac8390_access __init mac839 - unsigned long outdata = 0xA5A0B5B0; - unsigned long indata = 0x00000000; - /* Try writing 32 bits */ -- memcpy_toio(membase, &outdata, 4); -+ memcpy_toio((void __iomem *)membase, &outdata, 4); - /* Now compare them */ - if (memcmp_withio(&outdata, membase, 4) == 0) - return ACCESS_32; -@@ -742,7 +739,7 @@ static void sane_get_8390_hdr(struct net - struct e8390_pkt_hdr *hdr, int ring_page) - { - unsigned long hdr_start = (ring_page - WD_START_PG)<<8; -- memcpy_fromio(hdr, dev->mem_start + hdr_start, 4); -+ memcpy_fromio(hdr, (void __iomem *)dev->mem_start + hdr_start, 4); - 
/* Fix endianness */ - hdr->count = swab16(hdr->count); - } -@@ -756,13 +753,16 @@ static void sane_block_input(struct net_ - if (xfer_start + count > ei_status.rmem_end) { - /* We must wrap the input move. */ - int semi_count = ei_status.rmem_end - xfer_start; -- memcpy_fromio(skb->data, dev->mem_start + xfer_base, -+ memcpy_fromio(skb->data, -+ (void __iomem *)dev->mem_start + xfer_base, - semi_count); - count -= semi_count; -- memcpy_fromio(skb->data + semi_count, ei_status.rmem_start, -- count); -+ memcpy_fromio(skb->data + semi_count, -+ (void __iomem *)ei_status.rmem_start, count); - } else { -- memcpy_fromio(skb->data, dev->mem_start + xfer_base, count); -+ memcpy_fromio(skb->data, -+ (void __iomem *)dev->mem_start + xfer_base, -+ count); - } - } - -@@ -771,7 +771,7 @@ static void sane_block_output(struct net - { - long shmem = (start_page - WD_START_PG)<<8; - -- memcpy_toio(dev->mem_start + shmem, buf, count); -+ memcpy_toio((void __iomem *)dev->mem_start + shmem, buf, count); - } - - /* dayna block input/output */ diff --git a/queue-3.16/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch b/queue-3.16/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch deleted file mode 100644 index a56eee60..00000000 --- a/queue-3.16/net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Heiner Kallweit <hkallweit1@gmail.com> -Date: Fri, 22 Mar 2019 20:00:20 +0100 -Subject: net: phy: don't clear BMCR in genphy_soft_reset - -commit d29f5aa0bc0c321e1b9e4658a2a7e08e885da52a upstream. - -So far we effectively clear the BMCR register. Some PHY's can deal -with this (e.g. because they reset BMCR to a default as part of a -soft-reset) whilst on others this causes issues because e.g. the -autoneg bit is cleared. Marvell is an example, see also thread [0]. -So let's be a little bit more gentle and leave all bits we're not -interested in as-is. This change is needed for PHY drivers to -properly deal with the original patch. - -[0] https://marc.info/?t=155264050700001&r=1&w=2 - -Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset") -Tested-by: Phil Reid <preid@electromag.com.au> -Tested-by: liweihang <liweihang@hisilicon.com> -Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> -Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: open-code phy_set_bits()] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/net/phy/phy_device.c -+++ b/drivers/net/phy/phy_device.c -@@ -1072,7 +1072,10 @@ int genphy_soft_reset(struct phy_device - { - int ret; - -- ret = phy_write(phydev, MII_BMCR, BMCR_RESET); -+ ret = phy_read(phydev, MII_BMCR); -+ if (ret < 0) -+ return ret; -+ ret = phy_write(phydev, MII_BMCR, ret | BMCR_RESET); - if (ret < 0) - return ret; - diff --git a/queue-3.16/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch b/queue-3.16/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch deleted file mode 100644 index dabf0353..00000000 --- a/queue-3.16/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch +++ /dev/null 
@@ -1,177 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 24 Apr 2019 05:35:00 -0700 -Subject: net/rose: fix unbound loop in rose_loopback_timer() - -commit 0453c682459583910d611a96de928f4442205493 upstream. - -This patch adds a limit on the number of skbs that fuzzers can queue -into loopback_queue. 1000 packets for rose loopback seems more than enough. - -Then, since we now have multiple cpus in most linux hosts, -we also need to limit the number of skbs rose_loopback_timer() -can dequeue at each round. - -rose_loopback_queue() can be drop-monitor friendly, calling -consume_skb() or kfree_skb() appropriately. - -Finally, use mod_timer() instead of del_timer() + add_timer() - -syzbot report was : - -rcu: INFO: rcu_preempt self-detected stall on CPU -rcu: 0-...!: (10499 ticks this GP) idle=536/1/0x4000000000000002 softirq=103291/103291 fqs=34 -rcu: (t=10500 jiffies g=140321 q=323) -rcu: rcu_preempt kthread starved for 10426 jiffies! g140321 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=1 -rcu: RCU grace-period kthread stack dump: -rcu_preempt I29168 10 2 0x80000000 -Call Trace: - context_switch kernel/sched/core.c:2877 [inline] - __schedule+0x813/0x1cc0 kernel/sched/core.c:3518 - schedule+0x92/0x180 kernel/sched/core.c:3562 - schedule_timeout+0x4db/0xfd0 kernel/time/timer.c:1803 - rcu_gp_fqs_loop kernel/rcu/tree.c:1971 [inline] - rcu_gp_kthread+0x962/0x17b0 kernel/rcu/tree.c:2128 - kthread+0x357/0x430 kernel/kthread.c:253 - ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 -NMI backtrace for cpu 0 -CPU: 0 PID: 7632 Comm: kworker/0:4 Not tainted 5.1.0-rc5+ #172 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Workqueue: events iterate_cleanup_work -Call Trace: - <IRQ> - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x172/0x1f0 lib/dump_stack.c:113 - nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101 - nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62 - 
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 - trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline] - rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1223 - print_cpu_stall kernel/rcu/tree.c:1360 [inline] - check_cpu_stall kernel/rcu/tree.c:1434 [inline] - rcu_pending kernel/rcu/tree.c:3103 [inline] - rcu_sched_clock_irq.cold+0x500/0xa4a kernel/rcu/tree.c:2544 - update_process_times+0x32/0x80 kernel/time/timer.c:1635 - tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161 - tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271 - __run_hrtimer kernel/time/hrtimer.c:1389 [inline] - __hrtimer_run_queues+0x33e/0xde0 kernel/time/hrtimer.c:1451 - hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509 - local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline] - smp_apic_timer_interrupt+0x120/0x570 arch/x86/kernel/apic/apic.c:1060 - apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807 -RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:95 -Code: 89 25 b4 6e ec 08 41 bc f4 ff ff ff e8 cd 5d ea ff 48 c7 05 9e 6e ec 08 00 00 00 00 e9 a4 e9 ff ff 90 90 90 90 90 90 90 90 90 <55> 48 89 e5 48 8b 75 08 65 48 8b 04 25 00 ee 01 00 65 8b 15 c8 60 -RSP: 0018:ffff8880ae807ce0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 -RAX: ffff88806fd40640 RBX: dffffc0000000000 RCX: ffffffff863fbc56 -RDX: 0000000000000100 RSI: ffffffff863fbc1d RDI: ffff88808cf94228 -RBP: ffff8880ae807d10 R08: ffff88806fd40640 R09: ffffed1015d00f8b -R10: ffffed1015d00f8a R11: 0000000000000003 R12: ffff88808cf941c0 -R13: 00000000fffff034 R14: ffff8882166cd840 R15: 0000000000000000 - rose_loopback_timer+0x30d/0x3f0 net/rose/rose_loopback.c:91 - call_timer_fn+0x190/0x720 kernel/time/timer.c:1325 - expire_timers kernel/time/timer.c:1362 [inline] - __run_timers kernel/time/timer.c:1681 [inline] - __run_timers kernel/time/timer.c:1649 [inline] - run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694 - __do_softirq+0x266/0x95a kernel/softirq.c:293 - 
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027 - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: Also move assignments to - loopback_timer.{data,function} into rose_loopback_init(), done upstream - in commit 4966babd904d "net/rose: Convert timers to use timer_setup()".] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/rose/rose_loopback.c | 27 ++++++++++++++++----------- - 1 file changed, 16 insertions(+), 11 deletions(-) - ---- a/net/rose/rose_loopback.c -+++ b/net/rose/rose_loopback.c -@@ -16,15 +16,19 @@ - #include <linux/init.h> - - static struct sk_buff_head loopback_queue; -+#define ROSE_LOOPBACK_LIMIT 1000 - static struct timer_list loopback_timer; - - static void rose_set_loopback_timer(void); -+static void rose_loopback_timer(unsigned long); - - void rose_loopback_init(void) - { - skb_queue_head_init(&loopback_queue); - - init_timer(&loopback_timer); -+ loopback_timer.data = 0; -+ loopback_timer.function = &rose_loopback_timer; - } - - static int rose_loopback_running(void) -@@ -34,33 +38,27 @@ static int rose_loopback_running(void) - - int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh) - { -- struct sk_buff *skbn; -+ struct sk_buff *skbn = NULL; - -- skbn = skb_clone(skb, GFP_ATOMIC); -+ if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT) -+ skbn = skb_clone(skb, GFP_ATOMIC); - -- kfree_skb(skb); -- -- if (skbn != NULL) { -+ if (skbn) { -+ consume_skb(skb); - skb_queue_tail(&loopback_queue, skbn); - - if (!rose_loopback_running()) - rose_set_loopback_timer(); -+ } else { -+ kfree_skb(skb); - } - - return 1; - } - --static void rose_loopback_timer(unsigned long); -- - static void rose_set_loopback_timer(void) - { -- del_timer(&loopback_timer); -- -- loopback_timer.data = 0; -- loopback_timer.function = &rose_loopback_timer; -- 
loopback_timer.expires = jiffies + 10; -- -- add_timer(&loopback_timer); -+ mod_timer(&loopback_timer, jiffies + 10); - } - - static void rose_loopback_timer(unsigned long param) -@@ -71,8 +69,12 @@ static void rose_loopback_timer(unsigned - struct sock *sk; - unsigned short frametype; - unsigned int lci_i, lci_o; -+ int count; - -- while ((skb = skb_dequeue(&loopback_queue)) != NULL) { -+ for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) { -+ skb = skb_dequeue(&loopback_queue); -+ if (!skb) -+ return; - if (skb->len < ROSE_MIN_LEN) { - kfree_skb(skb); - continue; -@@ -109,6 +111,8 @@ static void rose_loopback_timer(unsigned - kfree_skb(skb); - } - } -+ if (!skb_queue_empty(&loopback_queue)) -+ mod_timer(&loopback_timer, jiffies + 1); - } - - void __exit rose_loopback_clear(void) diff --git a/queue-3.16/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch b/queue-3.16/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch deleted file mode 100644 index 2114c3f0..00000000 --- a/queue-3.16/net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Tue, 19 Mar 2019 10:16:53 +0800 -Subject: net-sysfs: call dev_hold if kobject_init_and_add success - -commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e upstream. - -In netdev_queue_add_kobject and rx_queue_add_kobject, -if sysfs_create_group failed, kobject_put will call -netdev_queue_release to decrease dev refcont, however -dev_hold has not be called. So we will see this while -unregistering dev: - -unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 - -Reported-by: Hulk Robot <hulkci@huawei.com> -Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/core/net-sysfs.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/net/core/net-sysfs.c -+++ b/net/core/net-sysfs.c -@@ -788,6 +788,8 @@ static int rx_queue_add_kobject(struct n - if (error) - return error; - -+ dev_hold(queue->dev); -+ - if (net->sysfs_rx_queue_group) { - error = sysfs_create_group(kobj, net->sysfs_rx_queue_group); - if (error) { -@@ -797,7 +799,6 @@ static int rx_queue_add_kobject(struct n - } - - kobject_uevent(kobj, KOBJ_ADD); -- dev_hold(queue->dev); - - return error; - } -@@ -1146,6 +1147,8 @@ static int netdev_queue_add_kobject(stru - if (error) - return error; - -+ dev_hold(queue->dev); -+ - #ifdef CONFIG_BQL - error = sysfs_create_group(kobj, &dql_group); - if (error) { -@@ -1155,7 +1158,6 @@ static int netdev_queue_add_kobject(stru - #endif - - kobject_uevent(kobj, KOBJ_ADD); -- dev_hold(queue->dev); - - return 0; - } diff --git a/queue-3.16/netfilter-bridge-set-skb-transport_header-before-entering.patch b/queue-3.16/netfilter-bridge-set-skb-transport_header-before-entering.patch deleted file mode 100644 index a6311583..00000000 
--- a/queue-3.16/netfilter-bridge-set-skb-transport_header-before-entering.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Xin Long <lucien.xin@gmail.com> -Date: Wed, 13 Mar 2019 16:33:29 +0800 -Subject: netfilter: bridge: set skb transport_header before entering - NF_INET_PRE_ROUTING - -commit e166e4fdaced850bee3d5ee12a5740258fb30587 upstream. - -Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"), -skb->transport_header has been always set before entering INET -netfilter. This patch is to set skb->transport_header for bridge -before entering INET netfilter by bridge-nf-call-iptables. - -It also fixes an issue that sctp_error() couldn't compute a right -csum due to unset skb->transport_header. - -Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") -Reported-by: Li Shuang <shuali@redhat.com> -Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Acked-by: Neil Horman <nhorman@tuxdriver.com> -Acked-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> -[bwh: Backported to 3.16: adjust filenames, context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/net/bridge/br_netfilter.c -+++ b/net/bridge/br_netfilter.c -@@ -659,6 +659,8 @@ static unsigned int br_nf_pre_routing_ip - return NF_DROP; - - skb->protocol = htons(ETH_P_IPV6); -+ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); -+ - NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, - br_nf_pre_routing_finish_ipv6); - -@@ -715,6 +717,7 @@ static unsigned int br_nf_pre_routing(co - return NF_DROP; - store_orig_dstaddr(skb); - skb->protocol = htons(ETH_P_IP); -+ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; - - NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, - br_nf_pre_routing_finish); 
diff --git a/queue-3.16/netfilter-ctnetlink-don-t-use-conntrack-expect-object-addresses-as.patch b/queue-3.16/netfilter-ctnetlink-don-t-use-conntrack-expect-object-addresses-as.patch deleted file mode 100644 index d34f35b7..00000000 --- a/queue-3.16/netfilter-ctnetlink-don-t-use-conntrack-expect-object-addresses-as.patch +++ /dev/null 
@@ -1,173 +0,0 @@ -From: Florian Westphal <fw@strlen.de> -Date: Mon, 1 Apr 2019 13:08:54 +0200 -Subject: netfilter: ctnetlink: don't use conntrack/expect object addresses as - id - -commit 3c79107631db1f7fd32cf3f7368e4672004a3010 upstream. - -else, we leak the addresses to userspace via ctnetlink events -and dumps. - -Compute an ID on demand based on the immutable parts of nf_conn struct. - -Another advantage compared to using an address is that there is no -immediate re-use of the same ID in case the conntrack entry is freed and -reallocated again immediately. - -Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID") -Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID") -Signed-off-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> -[bwh: Backported to 3.16: - - Include <net/netns/hash.h> in nf_conntrack_core.c - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/include/net/netfilter/nf_conntrack.h -+++ b/include/net/netfilter/nf_conntrack.h -@@ -289,6 +289,8 @@ void init_nf_conntrack_hash_rnd(void); - - void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl); - -+u32 nf_ct_get_id(const struct nf_conn *ct); -+ - #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count) - #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count) - ---- a/net/netfilter/nf_conntrack_core.c -+++ b/net/netfilter/nf_conntrack_core.c -@@ -23,6 +23,7 @@ - #include <linux/slab.h> - #include <linux/random.h> - #include <linux/jhash.h> -+#include <linux/siphash.h> - #include <linux/err.h> - #include <linux/percpu.h> - #include <linux/moduleparam.h> -@@ -52,6 +53,7 @@ - #include <net/netfilter/nf_nat.h> - #include <net/netfilter/nf_nat_core.h> - #include <net/netfilter/nf_nat_helper.h> -+#include <net/netns/hash.h> - - #define NF_CONNTRACK_VERSION "0.5.0" - -@@ -232,6 +234,40 @@ nf_ct_invert_tuple(struct nf_conntrack_t - } - 
EXPORT_SYMBOL_GPL(nf_ct_invert_tuple); - -+/* Generate a almost-unique pseudo-id for a given conntrack. -+ * -+ * intentionally doesn't re-use any of the seeds used for hash -+ * table location, we assume id gets exposed to userspace. -+ * -+ * Following nf_conn items do not change throughout lifetime -+ * of the nf_conn after it has been committed to main hash table: -+ * -+ * 1. nf_conn address -+ * 2. nf_conn->ext address -+ * 3. nf_conn->master address (normally NULL) -+ * 4. tuple -+ * 5. the associated net namespace -+ */ -+u32 nf_ct_get_id(const struct nf_conn *ct) -+{ -+ static __read_mostly siphash_key_t ct_id_seed; -+ unsigned long a, b, c, d; -+ -+ net_get_random_once(&ct_id_seed, sizeof(ct_id_seed)); -+ -+ a = (unsigned long)ct; -+ b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct)); -+ c = (unsigned long)ct->ext; -+ d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash), -+ &ct_id_seed); -+#ifdef CONFIG_64BIT -+ return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed); -+#else -+ return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed); -+#endif -+} -+EXPORT_SYMBOL_GPL(nf_ct_get_id); -+ - static void - clean_from_lists(struct nf_conn *ct) - { ---- a/net/netfilter/nf_conntrack_netlink.c -+++ b/net/netfilter/nf_conntrack_netlink.c -@@ -29,6 +29,7 @@ - #include <linux/spinlock.h> - #include <linux/interrupt.h> - #include <linux/slab.h> -+#include <linux/siphash.h> - - #include <linux/netfilter.h> - #include <net/netlink.h> -@@ -435,7 +436,9 @@ ctnetlink_dump_ct_seq_adj(struct sk_buff - static inline int - ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) - { -- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct))) -+ __be32 id = (__force __be32)nf_ct_get_id(ct); -+ -+ if (nla_put_be32(skb, CTA_ID, id)) - goto nla_put_failure; - return 0; - -@@ -1047,8 +1050,9 @@ ctnetlink_del_conntrack(struct sock *ctn - ct = nf_ct_tuplehash_to_ctrack(h); - - if (cda[CTA_ID]) { -- u_int32_t id = 
ntohl(nla_get_be32(cda[CTA_ID])); -- if (id != (u32)(unsigned long)ct) { -+ __be32 id = nla_get_be32(cda[CTA_ID]); -+ -+ if (id != (__force __be32)nf_ct_get_id(ct)) { - nf_ct_put(ct); - return -ENOENT; - } -@@ -2321,6 +2325,25 @@ nla_put_failure: - - static const union nf_inet_addr any_addr; - -+static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) -+{ -+ static __read_mostly siphash_key_t exp_id_seed; -+ unsigned long a, b, c, d; -+ -+ net_get_random_once(&exp_id_seed, sizeof(exp_id_seed)); -+ -+ a = (unsigned long)exp; -+ b = (unsigned long)exp->helper; -+ c = (unsigned long)exp->master; -+ d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed); -+ -+#ifdef CONFIG_64BIT -+ return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed); -+#else -+ return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed); -+#endif -+} -+ - static int - ctnetlink_exp_dump_expect(struct sk_buff *skb, - const struct nf_conntrack_expect *exp) -@@ -2368,7 +2391,7 @@ ctnetlink_exp_dump_expect(struct sk_buff - } - #endif - if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || -- nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) || -+ nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) || - nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || - nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) - goto nla_put_failure; -@@ -2664,7 +2687,8 @@ ctnetlink_get_expect(struct sock *ctnl, - - if (cda[CTA_EXPECT_ID]) { - __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); -- if (ntohl(id) != (u32)(unsigned long)exp) { -+ -+ if (id != nf_expect_get_id(exp)) { - nf_ct_expect_put(exp); - return -ENOENT; - } diff --git a/queue-3.16/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-3.16/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch deleted file mode 100644 index 9b80978d..00000000 --- a/queue-3.16/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Florian Westphal <fw@strlen.de> -Date: Mon, 15 Apr 2019 00:43:00 +0200 -Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON - -commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream. - -It means userspace gave us a ruleset where there is some other -data after the ebtables target but before the beginning of the next rule. - -Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") -Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com -Signed-off-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/bridge/netfilter/ebtables.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/bridge/netfilter/ebtables.c -+++ b/net/bridge/netfilter/ebtables.c -@@ -2011,7 +2011,8 @@ static int ebt_size_mwt(struct compat_eb - if (match_kern) - match_kern->match_size = ret; - -- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) -+ /* rule should have no remaining data after target */ -+ if (type == EBT_COMPAT_TARGET && size_left) - return -EINVAL; - - match32 = (struct compat_ebt_entry_mwt *) buf; diff --git a/queue-3.16/nfs-fix-mount-umount-race-in-nlmclnt.patch b/queue-3.16/nfs-fix-mount-umount-race-in-nlmclnt.patch deleted file mode 100644 index 3473cc3a..00000000 --- a/queue-3.16/nfs-fix-mount-umount-race-in-nlmclnt.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From: NeilBrown <neilb@suse.com> -Date: Tue, 19 Mar 2019 11:33:24 +1100 -Subject: NFS: fix mount/umount race in nlmclnt. - -commit 4a9be28c45bf02fa0436808bb6c0baeba30e120e upstream. - -If the last NFSv3 unmount from a given host races with a mount from the -same host, we can destroy an nlm_host that is still in use. - -Specifically nlmclnt_lookup_host() can increment h_count on -an nlm_host that nlmclnt_release_host() has just successfully called -refcount_dec_and_test() on. -Once nlmclnt_lookup_host() drops the mutex, nlm_destroy_host_lock() -will be called to destroy the nlmclnt which is now in use again. - -The cause of the problem is that the dec_and_test happens outside the -locked region. This is easily fixed by using -refcount_dec_and_mutex_lock(). - -Fixes: 8ea6ecc8b075 ("lockd: Create client-side nlm_host cache") -Signed-off-by: NeilBrown <neilb@suse.com> -Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> -[bwh: Backported to 3.16: use atomic instead of refcount API] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/lockd/host.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/fs/lockd/host.c -+++ b/fs/lockd/host.c -@@ -288,12 +288,11 @@ void nlmclnt_release_host(struct nlm_hos - - WARN_ON_ONCE(host->h_server); - -- if (atomic_dec_and_test(&host->h_count)) { -+ if (atomic_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) { - WARN_ON_ONCE(!list_empty(&host->h_lockowners)); - WARN_ON_ONCE(!list_empty(&host->h_granted)); - WARN_ON_ONCE(!list_empty(&host->h_reclaim)); - -- mutex_lock(&nlm_host_mutex); - nlm_destroy_host_locked(host); - mutex_unlock(&nlm_host_mutex); - } diff --git a/queue-3.16/packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch b/queue-3.16/packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch deleted file mode 100644 index 20cd8f05..00000000 --- a/queue-3.16/packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From: Willem de Bruijn <willemb@google.com> -Date: Mon, 29 Apr 2019 11:46:55 -0400 -Subject: packet: in recvmsg msg_name return at least sizeof sockaddr_ll - -commit b2cf86e1563e33a14a1c69b3e508d15dc12f804c upstream. - -Packet send checks that msg_name is at least sizeof sockaddr_ll. -Packet recv must return at least this length, so that its output -can be passed unmodified to packet send. - -This ceased to be true since adding support for lladdr longer than -sll_addr. Since, the return value uses true address length. - -Always return at least sizeof sockaddr_ll, even if address length -is shorter. Zero the padding bytes. - -Change v1->v2: do not overwrite zeroed padding again. use copy_len. - -Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") -Suggested-by: David Laight <David.Laight@aculab.com> -Signed-off-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/packet/af_packet.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3027,19 +3027,28 @@ static int packet_recvmsg(struct kiocb * - sock_recv_ts_and_drops(msg, sk, skb); - - if (msg->msg_name) { -+ int copy_len; -+ - /* If the address length field is there to be filled - * in, we fill it in now. 
- */ - if (sock->type == SOCK_PACKET) { - __sockaddr_check_size(sizeof(struct sockaddr_pkt)); - msg->msg_namelen = sizeof(struct sockaddr_pkt); -+ copy_len = msg->msg_namelen; - } else { - struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; - msg->msg_namelen = sll->sll_halen + - offsetof(struct sockaddr_ll, sll_addr); -+ copy_len = msg->msg_namelen; -+ if (msg->msg_namelen < sizeof(struct sockaddr_ll)) { -+ memset(msg->msg_name + -+ offsetof(struct sockaddr_ll, sll_addr), -+ 0, sizeof(sll->sll_addr)); -+ msg->msg_namelen = sizeof(struct sockaddr_ll); -+ } - } -- memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, -- msg->msg_namelen); -+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); - } - - if (pkt_sk(sk)->auxdata) { diff --git a/queue-3.16/packet-validate-msg_namelen-in-send-directly.patch b/queue-3.16/packet-validate-msg_namelen-in-send-directly.patch deleted file mode 100644 index cd6aa3bb..00000000 --- a/queue-3.16/packet-validate-msg_namelen-in-send-directly.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From: Willem de Bruijn <willemb@google.com> -Date: Mon, 29 Apr 2019 11:53:18 -0400 -Subject: packet: validate msg_namelen in send directly - -commit 486efdc8f6ce802b27e15921d2353cc740c55451 upstream. - -Packet sockets in datagram mode take a destination address. Verify its -length before passing to dev_hard_header. - -Prior to 2.6.14-rc3, the send code ignored sll_halen. This is -established behavior. Directly compare msg_namelen to dev->addr_len. - -Change v1->v2: initialize addr in all paths - -Fixes: 6b8d95f1795c4 ("packet: validate address length if non-zero") -Suggested-by: David Laight <David.Laight@aculab.com> -Signed-off-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/packet/af_packet.c | 24 ++++++++++++++---------- - 1 file changed, 14 insertions(+), 10 deletions(-) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -2278,8 +2278,8 @@ static int tpacket_snd(struct packet_soc - void *ph; - DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); - bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); -+ unsigned char *addr = NULL; - int tp_len, size_max; -- unsigned char *addr; - int len_sum = 0; - int status = TP_STATUS_AVAILABLE; - int hlen, tlen; -@@ -2289,7 +2289,6 @@ static int tpacket_snd(struct packet_soc - if (likely(saddr == NULL)) { - dev = packet_cached_dev_get(po); - proto = po->num; -- addr = NULL; - } else { - err = -EINVAL; - if (msg->msg_namelen < sizeof(struct sockaddr_ll)) -@@ -2299,10 +2298,13 @@ static int tpacket_snd(struct packet_soc - sll_addr))) - goto out; - proto = saddr->sll_protocol; -- addr = saddr->sll_halen ? 
saddr->sll_addr : NULL; - dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); -- if (addr && dev && saddr->sll_halen < dev->addr_len) -- goto out_put; -+ if (po->sk.sk_socket->type == SOCK_DGRAM) { -+ if (dev && msg->msg_namelen < dev->addr_len + -+ offsetof(struct sockaddr_ll, sll_addr)) -+ goto out_put; -+ addr = saddr->sll_addr; -+ } - } - - err = -ENXIO; -@@ -2435,7 +2437,7 @@ static int packet_snd(struct socket *soc - struct sk_buff *skb; - struct net_device *dev; - __be16 proto; -- unsigned char *addr; -+ unsigned char *addr = NULL; - int err, reserve = 0; - struct virtio_net_hdr vnet_hdr = { 0 }; - int offset = 0; -@@ -2453,7 +2455,6 @@ static int packet_snd(struct socket *soc - if (likely(saddr == NULL)) { - dev = packet_cached_dev_get(po); - proto = po->num; -- addr = NULL; - } else { - err = -EINVAL; - if (msg->msg_namelen < sizeof(struct sockaddr_ll)) -@@ -2461,10 +2462,13 @@ static int packet_snd(struct socket *soc - if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) - goto out; - proto = saddr->sll_protocol; -- addr = saddr->sll_halen ? saddr->sll_addr : NULL; - dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); -- if (addr && dev && saddr->sll_halen < dev->addr_len) -- goto out_unlock; -+ if (sock->type == SOCK_DGRAM) { -+ if (dev && msg->msg_namelen < dev->addr_len + -+ offsetof(struct sockaddr_ll, sll_addr)) -+ goto out_unlock; -+ addr = saddr->sll_addr; -+ } - } - - err = -ENXIO; diff --git a/queue-3.16/pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch b/queue-3.16/pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch deleted file mode 100644 index e72fb22f..00000000 --- a/queue-3.16/pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From: Andre Przywara <andre.przywara@arm.com> -Date: Fri, 5 Apr 2019 16:20:47 +0100 -Subject: PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller - -commit 9cde402a59770a0669d895399c13407f63d7d209 upstream. - -There is a Marvell 88SE9170 PCIe SATA controller I found on a board here. -Some quick testing with the ARM SMMU enabled reveals that it suffers from -the same requester ID mixup problems as the other Marvell chips listed -already. - -Add the PCI vendor/device ID to the list of chips which need the -workaround. - -Signed-off-by: Andre Przywara <andre.przywara@arm.com> -Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/pci/quirks.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -3514,6 +3514,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M - /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, - quirk_dma_func1_alias); -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170, -+ quirk_dma_func1_alias); - /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172, - quirk_dma_func1_alias); diff --git a/queue-3.16/perf-core-restore-mmap-record-type-correctly.patch b/queue-3.16/perf-core-restore-mmap-record-type-correctly.patch deleted file mode 100644 index ee9d3e40..00000000 --- a/queue-3.16/perf-core-restore-mmap-record-type-correctly.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Stephane Eranian <eranian@google.com> -Date: Thu, 7 Mar 2019 10:52:33 -0800 -Subject: perf/core: Restore mmap record type correctly - -commit d9c1bb2f6a2157b38e8eb63af437cb22701d31ee upstream. - -On mmap(), perf_events generates a RECORD_MMAP record and then checks -which events are interested in this record. There are currently 2 -versions of mmap records: RECORD_MMAP and RECORD_MMAP2. MMAP2 is larger. -The event configuration controls which version the user level tool -accepts. - -If the event->attr.mmap2=1 field then MMAP2 record is returned. The -perf_event_mmap_output() takes care of this. It checks attr->mmap2 and -corrects the record fields before putting it in the sampling buffer of -the event. At the end the function restores the modified MMAP record -fields. - -The problem is that the function restores the size but not the type. -Thus, if a subsequent event only accepts MMAP type, then it would -instead receive an MMAP2 record with a size of MMAP record. - -This patch fixes the problem by restoring the record type on exit. 
- -Signed-off-by: Stephane Eranian <eranian@google.com> -Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: Andi Kleen <ak@linux.intel.com> -Cc: Jiri Olsa <jolsa@redhat.com> -Cc: Kan Liang <kan.liang@linux.intel.com> -Fixes: 13d7a2410fa6 ("perf: Add attr->mmap2 attribute to an event") -Link: http://lkml.kernel.org/r/20190307185233.225521-1-eranian@google.com -Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/events/core.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -5445,6 +5445,7 @@ static void perf_event_mmap_output(struc - struct perf_output_handle handle; - struct perf_sample_data sample; - int size = mmap_event->event_id.header.size; -+ u32 type = mmap_event->event_id.header.type; - int ret; - - if (!perf_event_mmap_match(event, data)) -@@ -5488,6 +5489,7 @@ static void perf_event_mmap_output(struc - perf_output_end(&handle); - out: - mmap_event->event_id.header.size = size; -+ mmap_event->event_id.header.type = type; - } - - static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) diff --git a/queue-3.16/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch b/queue-3.16/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch deleted file mode 100644 index decf8c30..00000000 --- a/queue-3.16/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From: Changbin Du <changbin.du@gmail.com> -Date: Sat, 16 Mar 2019 16:05:56 +0800 -Subject: perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() - -commit d982b33133284fa7efa0e52ae06b88f9be3ea764 upstream. - - ================================================================= - ==20875==ERROR: LeakSanitizer: detected memory leaks - - Direct leak of 1160 byte(s) in 1 object(s) allocated from: - #0 0x7f1b6fc84138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) - #1 0x55bd50005599 in zalloc util/util.h:23 - #2 0x55bd500068f5 in perf_evsel__newtp_idx util/evsel.c:327 - #3 0x55bd4ff810fc in perf_evsel__newtp /home/work/linux/tools/perf/util/evsel.h:216 - #4 0x55bd4ff81608 in test__perf_evsel__tp_sched_test tests/evsel-tp-sched.c:69 - #5 0x55bd4ff528e6 in run_test tests/builtin-test.c:358 - #6 0x55bd4ff52baf in test_and_print tests/builtin-test.c:388 - #7 0x55bd4ff543fe in __cmd_test tests/builtin-test.c:583 - #8 0x55bd4ff5572f in cmd_test tests/builtin-test.c:722 - #9 0x55bd4ffc4087 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 - #10 0x55bd4ffc45c6 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 - #11 0x55bd4ffc49ca in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 - #12 0x55bd4ffc5138 in main /home/changbin/work/linux/tools/perf/perf.c:520 - #13 0x7f1b6e34809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) - - Indirect leak of 19 byte(s) in 1 object(s) allocated from: - #0 0x7f1b6fc83f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30) - #1 0x7f1b6e3ac30f in vasprintf (/lib/x86_64-linux-gnu/libc.so.6+0x8830f) - -Signed-off-by: Changbin Du <changbin.du@gmail.com> -Reviewed-by: Jiri Olsa <jolsa@kernel.org> -Cc: Alexei Starovoitov <ast@kernel.org> -Cc: Daniel Borkmann <daniel@iogearbox.net> -Cc: Namhyung Kim <namhyung@kernel.org> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Steven Rostedt (VMware) <rostedt@goodmis.org> -Fixes: 
6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields") -Link: http://lkml.kernel.org/r/20190316080556.3075-17-changbin.du@gmail.com -Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - tools/perf/tests/evsel-tp-sched.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/tools/perf/tests/evsel-tp-sched.c -+++ b/tools/perf/tests/evsel-tp-sched.c -@@ -77,5 +77,6 @@ int test__perf_evsel__tp_sched_test(void - if (perf_evsel__test_field(evsel, "target_cpu", 4, true)) - ret = -1; - -+ perf_evsel__delete(evsel); - return ret; - } diff --git a/queue-3.16/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch b/queue-3.16/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch deleted file mode 100644 index 3819335d..00000000 --- a/queue-3.16/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From: Michael Neuling <mikey@neuling.org> -Date: Fri, 19 Jul 2019 15:05:02 +1000 -Subject: powerpc/tm: Fix oops on sigreturn on systems without TM - -commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream. - -On systems like P9 powernv where we have no TM (or P8 booted with -ppc_tm=off), userspace can construct a signal context which still has -the MSR TS bits set. The kernel tries to restore this context which -results in the following crash: - - Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033 - Oops: Unrecoverable exception, sig: 6 [#1] - LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries - Modules linked in: - CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69 - NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000 - REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8) - MSR: 8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]> CR: 42004242 XER: 00000000 - CFAR: c0000000000022e0 IRQMASK: 0 - GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669 - GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8 - GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 - GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000 - GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420 - GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000 - GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000 - GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728 - NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80 - LR [00007fffb2d67e48] 0x7fffb2d67e48 - Call Trace: - Instruction dump: - e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00 - e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18 - -The problem is the signal code assumes TM is enabled when 
-CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as -with P9 powernv or if `ppc_tm=off` is used on P8. - -This means any local user can crash the system. - -Fix the problem by returning a bad stack frame to the user if they try -to set the MSR TS bits with sigreturn() on systems where TM is not -supported. - -Found with sigfuz kernel selftest on P9. - -This fixes CVE-2019-13648. - -Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") -Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com> -Signed-off-by: Michael Neuling <mikey@neuling.org> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/kernel/signal_32.c | 3 +++ - arch/powerpc/kernel/signal_64.c | 5 +++++ - 2 files changed, 8 insertions(+) - ---- a/arch/powerpc/kernel/signal_32.c -+++ b/arch/powerpc/kernel/signal_32.c -@@ -1274,6 +1274,9 @@ long sys_rt_sigreturn(int r3, int r4, in - goto bad; - - if (MSR_TM_ACTIVE(msr_hi<<32)) { -+ /* Trying to start TM on non TM system */ -+ if (!cpu_has_feature(CPU_FTR_TM)) -+ goto bad; - /* We only recheckpoint on return if we're - * transaction. - */ ---- a/arch/powerpc/kernel/signal_64.c -+++ b/arch/powerpc/kernel/signal_64.c -@@ -702,6 +702,11 @@ int sys_rt_sigreturn(unsigned long r3, u - if (MSR_TM_ACTIVE(msr)) { - /* We recheckpoint on return. */ - struct ucontext __user *uc_transact; -+ -+ /* Trying to start TM on non TM system */ -+ if (!cpu_has_feature(CPU_FTR_TM)) -+ goto badframe; -+ - if (__get_user(uc_transact, &uc->uc_link)) - goto badframe; - if (restore_tm_sigcontexts(regs, &uc->uc_mcontext, diff --git a/queue-3.16/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch b/queue-3.16/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch deleted file mode 100644 index 44ba0865..00000000 --- a/queue-3.16/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From: Christophe Leroy <christophe.leroy@c-s.fr> -Date: Thu, 4 Apr 2019 12:20:05 +0000 -Subject: powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 - -commit dd9a994fc68d196a052b73747e3366c57d14a09e upstream. - -Commit b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC -inconsistencies across Y2038") changed the type of wtom_clock_sec -to s64 on PPC64. Therefore, VDSO32 needs to read it with a 4 bytes -shift in order to retrieve the lower part of it. - -Fixes: b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038") -Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de> -Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/kernel/vdso32/gettimeofday.S | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/powerpc/kernel/vdso32/gettimeofday.S -+++ b/arch/powerpc/kernel/vdso32/gettimeofday.S -@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime) - * can be used, r7 contains NSEC_PER_SEC. - */ - -- lwz r5,WTOM_CLOCK_SEC(r9) -+ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9) - lwz r6,WTOM_CLOCK_NSEC(r9) - - /* We now have our offset in r5,r6. We create a fake dependency diff --git a/queue-3.16/powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch b/queue-3.16/powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch deleted file mode 100644 index 9c9532de..00000000 --- a/queue-3.16/powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From: Michael Ellerman <mpe@ellerman.id.au> -Date: Thu, 14 Mar 2019 00:14:38 +1100 -Subject: powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 - -commit b5b4453e7912f056da1ca7572574cada32ecb60c upstream. - -Jakub Drnec reported: - Setting the realtime clock can sometimes make the monotonic clock go - back by over a hundred years. Decreasing the realtime clock across - the y2k38 threshold is one reliable way to reproduce. Allegedly this - can also happen just by running ntpd, I have not managed to - reproduce that other than booting with rtc at >2038 and then running - ntp. When this happens, anything with timers (e.g. openjdk) breaks - rather badly. - -And included a test case (slightly edited for brevity): - #define _POSIX_C_SOURCE 199309L - #include <stdio.h> - #include <time.h> - #include <stdlib.h> - #include <unistd.h> - - long get_time(void) { - struct timespec tp; - clock_gettime(CLOCK_MONOTONIC, &tp); - return tp.tv_sec + tp.tv_nsec / 1000000000; - } - - int main(void) { - long last = get_time(); - while(1) { - long now = get_time(); - if (now < last) { - printf("clock went backwards by %ld seconds!\n", last - now); - } - last = now; - sleep(1); - } - return 0; - } - -Which when run concurrently with: - # date -s 2040-1-1 - # date -s 2037-1-1 - -Will detect the clock going backward. - -The root cause is that wtom_clock_sec in struct vdso_data is only a -32-bit signed value, even though we set its value to be equal to -tk->wall_to_monotonic.tv_sec which is 64-bits. - -Because the monotonic clock starts at zero when the system boots the -wall_to_montonic.tv_sec offset is negative for current and future -dates. Currently on a freshly booted system the offset will be in the -vicinity of negative 1.5 billion seconds. - -However if the wall clock is set past the Y2038 boundary, the offset -from wall to monotonic becomes less than negative 2^31, and no longer -fits in 32-bits. 
When that value is assigned to wtom_clock_sec it is -truncated and becomes positive, causing the VDSO assembly code to -calculate CLOCK_MONOTONIC incorrectly. - -That causes CLOCK_MONOTONIC to jump ahead by ~4 billion seconds which -it is not meant to do. Worse, if the time is then set back before the -Y2038 boundary CLOCK_MONOTONIC will jump backward. - -We can fix it simply by storing the full 64-bit offset in the -vdso_data, and using that in the VDSO assembly code. We also shuffle -some of the fields in vdso_data to avoid creating a hole. - -The original commit that added the CLOCK_MONOTONIC support to the VDSO -did actually use a 64-bit value for wtom_clock_sec, see commit -a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to -32 bits kernel") (Nov 2005). However just 3 days later it was -converted to 32-bits in commit 0c37ec2aa88b ("[PATCH] powerpc: vdso -fixes (take #2)"), and the bug has existed since then AFAICS. - -Fixes: 0c37ec2aa88b ("[PATCH] powerpc: vdso fixes (take #2)") -Link: http://lkml.kernel.org/r/HaC.ZfES.62bwlnvAvMP.1STMMj@seznam.cz -Reported-by: Jakub Drnec <jaydee@email.cz> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -[bwh: Backported to 3.16: CLOCK_MONOTONIC_COARSE is not handled by - this vDSO] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/include/asm/vdso_datapage.h | 8 ++++---- - arch/powerpc/kernel/vdso64/gettimeofday.S | 4 ++-- - 2 files changed, 6 insertions(+), 6 deletions(-) - ---- a/arch/powerpc/include/asm/vdso_datapage.h -+++ b/arch/powerpc/include/asm/vdso_datapage.h -@@ -82,10 +82,10 @@ struct vdso_data { - __u32 icache_block_size; /* L1 i-cache block size */ - __u32 dcache_log_block_size; /* L1 d-cache log block size */ - __u32 icache_log_block_size; /* L1 i-cache log block size */ -- __s32 wtom_clock_sec; /* Wall to monotonic clock */ -- __s32 wtom_clock_nsec; -- struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */ -- __u32 stamp_sec_fraction; /* fractional seconds 
of stamp_xtime */ -+ __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */ -+ __s32 wtom_clock_nsec; /* Wall to monotonic clock nsec */ -+ __s64 wtom_clock_sec; /* Wall to monotonic clock sec */ -+ struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */ - __u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls */ - __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */ - }; ---- a/arch/powerpc/kernel/vdso64/gettimeofday.S -+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S -@@ -85,7 +85,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime) - * At this point, r4,r5 contain our sec/nsec values. - */ - -- lwa r6,WTOM_CLOCK_SEC(r3) -+ ld r6,WTOM_CLOCK_SEC(r3) - lwa r9,WTOM_CLOCK_NSEC(r3) - - /* We now have our result in r6,r9. We create a fake dependency diff --git a/queue-3.16/proc-meminfo-estimate-available-memory-more-conservatively.patch b/queue-3.16/proc-meminfo-estimate-available-memory-more-conservatively.patch deleted file mode 100644 index 1c732756..00000000 --- a/queue-3.16/proc-meminfo-estimate-available-memory-more-conservatively.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From: Johannes Weiner <hannes@cmpxchg.org> -Date: Thu, 14 Jan 2016 15:20:18 -0800 -Subject: proc: meminfo: estimate available memory more conservatively - -commit 84ad5802a33a4964a49b8f7d24d80a214a096b19 upstream. - -The MemAvailable item in /proc/meminfo is to give users a hint of how -much memory is allocatable without causing swapping, so it excludes the -zones' low watermarks as unavailable to userspace. - -However, for a userspace allocation, kswapd will actually reclaim until -the free pages hit a combination of the high watermark and the page -allocator's lowmem protection that keeps a certain amount of DMA and -DMA32 memory from userspace as well. - -Subtract the full amount we know to be unavailable to userspace from the -number of free pages when calculating MemAvailable. - -Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> -Cc: Rik van Riel <riel@redhat.com> -Cc: Mel Gorman <mgorman@suse.de> -Acked-by: Michal Hocko <mhocko@suse.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/proc/meminfo.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - ---- a/fs/proc/meminfo.c -+++ b/fs/proc/meminfo.c -@@ -57,11 +57,8 @@ static int meminfo_proc_show(struct seq_ - /* - * Estimate the amount of memory available for userspace allocations, - * without causing swapping. -- * -- * Free memory cannot be taken below the low watermark, before the -- * system starts swapping. - */ -- available = i.freeram - wmark_low; -+ available = i.freeram - totalreserve_pages; - - /* - * Not all the page cache can be freed, otherwise the system will diff --git a/queue-3.16/revert-drivers-net-ipv6-select-ipv6-fragment-idents-for-virtio-ufo.patch b/queue-3.16/revert-drivers-net-ipv6-select-ipv6-fragment-idents-for-virtio-ufo.patch deleted file mode 100644 index e16d5f51..00000000 
--- a/queue-3.16/revert-drivers-net-ipv6-select-ipv6-fragment-idents-for-virtio-ufo.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From: Vlad Yasevich <vyasevich@gmail.com> -Date: Tue, 3 Feb 2015 16:36:16 -0500 -Subject: Revert "drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO - packets" - -commit 72f6510745592c87f612f62ae4f16bb002934df4 upstream. - -This reverts commit 5188cd44c55db3e92cd9e77a40b5baa7ed4340f7. - -Now that GSO layer can track if fragment id has been selected -and can allocate one if necessary, we don't need to do this in -tap and macvtap. This reverts most of the code and only keeps -the new ipv6 fragment id generation function that is still needed. - -Fixes: 3d0ad09412ff (drivers/net: Disable UFO through virtio) -Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/macvtap.c | 3 --- - drivers/net/tun.c | 6 +----- - 2 files changed, 1 insertion(+), 8 deletions(-) - ---- a/drivers/net/macvtap.c -+++ b/drivers/net/macvtap.c -@@ -16,7 +16,6 @@ - #include <linux/idr.h> - #include <linux/fs.h> - --#include <net/ipv6.h> - #include <net/net_namespace.h> - #include <net/rtnetlink.h> - #include <net/sock.h> -@@ -571,8 +570,6 @@ static int macvtap_skb_from_vnet_hdr(str - break; - case VIRTIO_NET_HDR_GSO_UDP: - gso_type = SKB_GSO_UDP; -- if (skb->protocol == htons(ETH_P_IPV6)) -- ipv6_proxy_select_ident(skb); - break; - default: - return -EINVAL; ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -65,7 +65,6 @@ - #include <linux/nsproxy.h> - #include <linux/virtio_net.h> - #include <linux/rcupdate.h> --#include <net/ipv6.h> - #include <net/net_namespace.h> - #include <net/netns/generic.h> - #include <net/rtnetlink.h> -@@ -1143,8 +1142,6 @@ static ssize_t tun_get_user(struct tun_s - break; - } - -- skb_reset_network_header(skb); -- - if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) { - pr_debug("GSO!\n"); - switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { -@@ -1156,8 +1153,6 @@ static ssize_t tun_get_user(struct tun_s - break; - 
case VIRTIO_NET_HDR_GSO_UDP: - skb_shinfo(skb)->gso_type = SKB_GSO_UDP; -- if (skb->protocol == htons(ETH_P_IPV6)) -- ipv6_proxy_select_ident(skb); - break; - default: - tun->dev->stats.rx_frame_errors++; -@@ -1187,6 +1182,7 @@ static ssize_t tun_get_user(struct tun_s - skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG; - } - -+ skb_reset_network_header(skb); - skb_probe_transport_header(skb, 0); - - rxhash = skb_get_hash(skb); diff --git a/queue-3.16/revert-inet-update-the-ip-id-generation-algorithm-to-higher-standards.patch b/queue-3.16/revert-inet-update-the-ip-id-generation-algorithm-to-higher-standards.patch deleted file mode 100644 index 8e1b59d7..00000000 --- a/queue-3.16/revert-inet-update-the-ip-id-generation-algorithm-to-higher-standards.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From: Ben Hutchings <ben@decadent.org.uk> -Date: Fri, 09 Aug 2019 20:09:49 +0100 -Subject: Revert "inet: update the IP ID generation algorithm to higher standards." - -This reverts commit 8b197d3ce585d6777197e0633d71e5af7d98cb35, which -was a stable-specific improvement to IP ID selection. I will apply -the upstream changes instead. - -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -487,15 +487,13 @@ EXPORT_SYMBOL(ip_idents_reserve); - void __ip_select_ident(struct iphdr *iph, int segs) - { - static u32 ip_idents_hashrnd __read_mostly; -- static u32 ip_idents_hashrnd_extra __read_mostly; - u32 hash, id; - - net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd)); -- net_get_random_once(&ip_idents_hashrnd_extra, sizeof(ip_idents_hashrnd_extra)); - - hash = jhash_3words((__force u32)iph->daddr, - (__force u32)iph->saddr, -- iph->protocol ^ ip_idents_hashrnd_extra, -+ iph->protocol, - ip_idents_hashrnd); - id = ip_idents_reserve(hash, segs); - iph->id = htons(id); ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -541,15 +541,12 @@ static void ip6_copy_metadata(struct sk_ - static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) - { - static u32 ip6_idents_hashrnd __read_mostly; -- static u32 ip6_idents_hashrnd_extra __read_mostly; - u32 hash, id; - - net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); -- net_get_random_once(&ip6_idents_hashrnd_extra, sizeof(ip6_idents_hashrnd_extra)); - - hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd); - hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash); -- hash = jhash_1word(hash, ip6_idents_hashrnd_extra); - - id = ip_idents_reserve(hash, 1); - fhdr->identification = htonl(id); 
diff --git a/queue-3.16/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch b/queue-3.16/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch
deleted file mode 100644
index 4224833f..00000000
--- a/queue-3.16/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch
+++ /dev/null
@@ -1,95 +0,0 @@ -From: Vijayakumar Durai <vijayakumar.durai1@vivint.com> -Date: Wed, 27 Mar 2019 11:03:17 +0100 -Subject: rt2x00: do not increment sequence number while re-transmitting - -commit 746ba11f170603bf1eaade817553a6c2e9135bbe upstream. - -Currently rt2x00 devices retransmit the management frames with -incremented sequence number if hardware is assigning the sequence. - -This is HW bug fixed already for non-QOS data frames, but it should -be fixed for management frames except beacon. - -Without fix retransmitted frames have wrong SN: - - AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1 - AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1 - AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1 - -With the fix SN stays correctly the same: - - 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C - 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C - 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C - -Signed-off-by: Vijayakumar Durai <vijayakumar.durai1@vivint.com> -[sgruszka: simplify code, change comments and changelog] -Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -[bwh: Backported to 3.16: adjust filenames, context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/wireless/rt2x00/rt2x00.h | 1 - - drivers/net/wireless/rt2x00/rt2x00mac.c | 10 ---------- - drivers/net/wireless/rt2x00/rt2x00queue.c | 15 +++++++++------ - 3 files changed, 9 insertions(+), 17 deletions(-) - ---- a/drivers/net/wireless/rt2x00/rt2x00.h -+++ b/drivers/net/wireless/rt2x00/rt2x00.h -@@ -666,7 +666,6 @@ enum rt2x00_state_flags { - CONFIG_CHANNEL_HT40, - CONFIG_POWERSAVING, - CONFIG_HT_DISABLED, -- 
CONFIG_QOS_DISABLED, - - /* - * Mark we currently are sequentially reading TX_STA_FIFO register ---- a/drivers/net/wireless/rt2x00/rt2x00mac.c -+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c -@@ -682,19 +682,9 @@ void rt2x00mac_bss_info_changed(struct i - rt2x00dev->intf_associated--; - - rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated); -- -- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); - } - - /* -- * Check for access point which do not support 802.11e . We have to -- * generate data frames sequence number in S/W for such AP, because -- * of H/W bug. -- */ -- if (changes & BSS_CHANGED_QOS && !bss_conf->qos) -- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); -- -- /* - * When the erp information has changed, we should perform - * additional configuration steps. For all other changes we are done. - */ ---- a/drivers/net/wireless/rt2x00/rt2x00queue.c -+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c -@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descri - if (!test_bit(REQUIRE_SW_SEQNO, &rt2x00dev->cap_flags)) { - /* - * rt2800 has a H/W (or F/W) bug, device incorrectly increase -- * seqno on retransmited data (non-QOS) frames. To workaround -- * the problem let's generate seqno in software if QOS is -- * disabled. -+ * seqno on retransmitted data (non-QOS) and management frames. -+ * To workaround the problem let's generate seqno in software. -+ * Except for beacons which are transmitted periodically by H/W -+ * hence hardware has to assign seqno for them. - */ -- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags)) -- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); -- else -+ if (ieee80211_is_beacon(hdr->frame_control)) { -+ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); - /* H/W will generate sequence number */ - return; -+ } -+ -+ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); - } - - /* 
diff --git a/queue-3.16/sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch b/queue-3.16/sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch
deleted file mode 100644
index 191823cb..00000000
--- a/queue-3.16/sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From: Mel Gorman <mgorman@techsingularity.net> -Date: Tue, 19 Mar 2019 12:36:10 +0000 -Subject: sched/fair: Do not re-read ->h_load_next during hierarchical load - calculation - -commit 0e9f02450da07fc7b1346c8c32c771555173e397 upstream. - -A NULL pointer dereference bug was reported on a distribution kernel but -the same issue should be present on mainline kernel. It occured on s390 -but should not be arch-specific. A partial oops looks like: - - Unable to handle kernel pointer dereference in virtual kernel address space - ... - Call Trace: - ... - try_to_wake_up+0xfc/0x450 - vhost_poll_wakeup+0x3a/0x50 [vhost] - __wake_up_common+0xbc/0x178 - __wake_up_common_lock+0x9e/0x160 - __wake_up_sync_key+0x4e/0x60 - sock_def_readable+0x5e/0x98 - -The bug hits any time between 1 hour to 3 days. The dereference occurs -in update_cfs_rq_h_load when accumulating h_load. The problem is that -cfq_rq->h_load_next is not protected by any locking and can be updated -by parallel calls to task_h_load. Depending on the compiler, code may be -generated that re-reads cfq_rq->h_load_next after the check for NULL and -then oops when reading se->avg.load_avg. The dissassembly showed that it -was possible to reread h_load_next after the check for NULL. - -While this does not appear to be an issue for later compilers, it's still -an accident if the correct code is generated. Full locking in this path -would have high overhead so this patch uses READ_ONCE to read h_load_next -only once and check for NULL before dereferencing. It was confirmed that -there were no further oops after 10 days of testing. - -As Peter pointed out, it is also necessary to use WRITE_ONCE() to avoid any -potential problems with store tearing. 
- -Signed-off-by: Mel Gorman <mgorman@techsingularity.net> -Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Mike Galbraith <efault@gmx.de> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Fixes: 685207963be9 ("sched: Move h_load calculation to task_h_load()") -Link: https://lkml.kernel.org/r/20190319123610.nsivgf3mjbjjesxb@techsingularity.net -Signed-off-by: Ingo Molnar <mingo@kernel.org> -[bwh: Backported to 3.16: use ACCESS_ONCE()] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/sched/fair.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -5487,10 +5487,10 @@ static void update_cfs_rq_h_load(struct - if (cfs_rq->last_h_load_update == now) - return; - -- cfs_rq->h_load_next = NULL; -+ ACCESS_ONCE(cfs_rq->h_load_next) = NULL; - for_each_sched_entity(se) { - cfs_rq = cfs_rq_of(se); -- cfs_rq->h_load_next = se; -+ ACCESS_ONCE(cfs_rq->h_load_next) = se; - if (cfs_rq->last_h_load_update == now) - break; - } -@@ -5500,7 +5500,7 @@ static void update_cfs_rq_h_load(struct - cfs_rq->last_h_load_update = now; - } - -- while ((se = cfs_rq->h_load_next) != NULL) { -+ while ((se = ACCESS_ONCE(cfs_rq->h_load_next)) != NULL) { - load = cfs_rq->h_load; - load = div64_ul(load * se->avg.load_avg_contrib, - cfs_rq->runnable_load_avg + 1); diff --git a/queue-3.16/sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch b/queue-3.16/sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch deleted file mode 100644 index d687169f..00000000 --- a/queue-3.16/sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From: Phil Auld <pauld@redhat.com> -Date: Tue, 19 Mar 2019 09:00:05 -0400 -Subject: sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup - -commit 2e8e19226398db8265a8e675fcc0118b9e80c9e8 upstream. - -With extremely short cfs_period_us setting on a parent task group with a large -number of children the for loop in sched_cfs_period_timer() can run until the -watchdog fires. There is no guarantee that the call to hrtimer_forward_now() -will ever return 0. The large number of children can make -do_sched_cfs_period_timer() take longer than the period. - - NMI watchdog: Watchdog detected hard LOCKUP on cpu 24 - RIP: 0010:tg_nop+0x0/0x10 - <IRQ> - walk_tg_tree_from+0x29/0xb0 - unthrottle_cfs_rq+0xe0/0x1a0 - distribute_cfs_runtime+0xd3/0xf0 - sched_cfs_period_timer+0xcb/0x160 - ? sched_cfs_slack_timer+0xd0/0xd0 - __hrtimer_run_queues+0xfb/0x270 - hrtimer_interrupt+0x122/0x270 - smp_apic_timer_interrupt+0x6a/0x140 - apic_timer_interrupt+0xf/0x20 - </IRQ> - -To prevent this we add protection to the loop that detects when the loop has run -too many times and scales the period and quota up, proportionally, so that the timer -can complete before then next period expires. This preserves the relative runtime -quota while preventing the hard lockup. - -A warning is issued reporting this state and the new values. 
- -Signed-off-by: Phil Auld <pauld@redhat.com> -Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: Anton Blanchard <anton@ozlabs.org> -Cc: Ben Segall <bsegall@google.com> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Link: https://lkml.kernel.org/r/20190319130005.25492-1-pauld@redhat.com -Signed-off-by: Ingo Molnar <mingo@kernel.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/sched/fair.c | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -3704,6 +3704,8 @@ static enum hrtimer_restart sched_cfs_sl - return HRTIMER_NORESTART; - } - -+extern const u64 max_cfs_quota_period; -+ - static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) - { - struct cfs_bandwidth *cfs_b = -@@ -3711,6 +3713,7 @@ static enum hrtimer_restart sched_cfs_pe - ktime_t now; - int overrun; - int idle = 0; -+ int count = 0; - - raw_spin_lock(&cfs_b->lock); - for (;;) { -@@ -3720,6 +3723,28 @@ static enum hrtimer_restart sched_cfs_pe - if (!overrun) - break; - -+ if (++count > 3) { -+ u64 new, old = ktime_to_ns(cfs_b->period); -+ -+ new = (old * 147) / 128; /* ~115% */ -+ new = min(new, max_cfs_quota_period); -+ -+ cfs_b->period = ns_to_ktime(new); -+ -+ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */ -+ cfs_b->quota *= new; -+ cfs_b->quota = div64_u64(cfs_b->quota, old); -+ -+ pr_warn_ratelimited( -+ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n", -+ smp_processor_id(), -+ div_u64(new, NSEC_PER_USEC), -+ div_u64(cfs_b->quota, NSEC_PER_USEC)); -+ -+ /* reset count so we don't come right back in here */ -+ count = 0; -+ } -+ - idle = do_sched_cfs_period_timer(cfs_b, overrun); - } - raw_spin_unlock(&cfs_b->lock); 
diff --git a/queue-3.16/sched-numa-fix-a-possible-divide-by-zero.patch b/queue-3.16/sched-numa-fix-a-possible-divide-by-zero.patch
deleted file mode 100644
index ce0bc020..00000000
--- a/queue-3.16/sched-numa-fix-a-possible-divide-by-zero.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From: Xie XiuQi <xiexiuqi@huawei.com> -Date: Sat, 20 Apr 2019 16:34:16 +0800 -Subject: sched/numa: Fix a possible divide-by-zero - -commit a860fa7b96e1a1c974556327aa1aee852d434c21 upstream. - -sched_clock_cpu() may not be consistent between CPUs. If a task -migrates to another CPU, then se.exec_start is set to that CPU's -rq_clock_task() by update_stats_curr_start(). Specifically, the new -value might be before the old value due to clock skew. - -So then if in numa_get_avg_runtime() the expression: - - 'now - p->last_task_numa_placement' - -ends up as -1, then the divider '*period + 1' in task_numa_placement() -is 0 and things go bang. Similar to update_curr(), check if time goes -backwards to avoid this. - -[ peterz: Wrote new changelog. ] -[ mingo: Tweaked the code comment. ] - -Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com> -Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: cj.chengjian@huawei.com -Link: http://lkml.kernel.org/r/20190425080016.GX11158@hirez.programming.kicks-ass.net -Signed-off-by: Ingo Molnar <mingo@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/sched/fair.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -1503,6 +1503,10 @@ static u64 numa_get_avg_runtime(struct t - if (p->last_task_numa_placement) { - delta = runtime - p->last_sum_exec_runtime; - *period = now - p->last_task_numa_placement; -+ -+ /* Avoid time going backwards, prevent potential divide error: */ -+ if (unlikely((s64)*period < 0)) -+ *period = 0; - } else { - delta = p->se.avg.runnable_avg_sum; - *period = p->se.avg.runnable_avg_period; 
diff --git a/queue-3.16/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch b/queue-3.16/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
deleted file mode 100644
index 190be44a..00000000
--- a/queue-3.16/scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From: Jason Yan <yanaijie@huawei.com> -Date: Tue, 25 Sep 2018 10:56:54 +0800 -Subject: scsi: libsas: fix a race condition when smp task timeout - -commit b90cd6f2b905905fb42671009dc0e27c310a16ae upstream. - -When the lldd is processing the complete sas task in interrupt and set the -task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be -triggered at the same time. And smp_task_timedout() will complete the task -wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed -before lldd end the interrupt process. Thus a use-after-free will happen. - -Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not -set. And remove the check of the return value of the del_timer(). Once the -LLDD sets DONE, it must call task->done(), which will call -smp_task_done()->complete() and the task will be completed and freed -correctly. - -Reported-by: chenxiang <chenxiang66@hisilicon.com> -Signed-off-by: Jason Yan <yanaijie@huawei.com> -CC: John Garry <john.garry@huawei.com> -CC: Johannes Thumshirn <jthumshirn@suse.de> -CC: Ewan Milne <emilne@redhat.com> -CC: Christoph Hellwig <hch@lst.de> -CC: Tomas Henzl <thenzl@redhat.com> -CC: Dan Williams <dan.j.williams@intel.com> -CC: Hannes Reinecke <hare@suse.com> -Reviewed-by: Hannes Reinecke <hare@suse.com> -Reviewed-by: John Garry <john.garry@huawei.com> -Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> -Signed-off-by: Martin K. 
Petersen <martin.petersen@oracle.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/scsi/libsas/sas_expander.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - ---- a/drivers/scsi/libsas/sas_expander.c -+++ b/drivers/scsi/libsas/sas_expander.c -@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned l - unsigned long flags; - - spin_lock_irqsave(&task->task_state_lock, flags); -- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) -+ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { - task->task_state_flags |= SAS_TASK_STATE_ABORTED; -+ complete(&task->slow_task->completion); -+ } - spin_unlock_irqrestore(&task->task_state_lock, flags); -- -- complete(&task->slow_task->completion); - } - - static void smp_task_done(struct sas_task *task) - { -- if (!del_timer(&task->slow_task->timer)) -- return; -+ del_timer(&task->slow_task->timer); - complete(&task->slow_task->completion); - } - diff --git a/queue-3.16/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch b/queue-3.16/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch deleted file mode 100644 index 91a1cbf6..00000000 --- a/queue-3.16/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From: Steffen Maier <maier@linux.ibm.com> -Date: Tue, 26 Mar 2019 14:36:58 +0100 -Subject: scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host - -commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream. - -An already deleted SCSI device can exist on the Scsi_Host and remain there -because something still holds a reference. A new SCSI device with the same -H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created. When -we try to unblock an rport, we still find the deleted SCSI device and -return early because the zfcp_scsi_dev of that SCSI device is not -ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if -the new proper SCSI device would be in good state. - -Therefore, skip deleted SCSI devices when iterating the sdevs of the shost. -[cf. __scsi_device_lookup{_by_target}() or scsi_device_get()] - -The following abbreviated trace sequence can indicate such problem: - -Area : REC -Tag : ersfs_3 -LUN : 0x4045400300000000 -WWPN : 0x50050763031bd327 -LUN status : 0x40000000 not ZFCP_STATUS_COMMON_UNBLOCKED -Ready count : n not incremented yet -Running count : 0x00000000 -ERP want : 0x01 -ERP need : 0xc1 ZFCP_ERP_ACTION_NONE - -Area : REC -Tag : ersfs_3 -LUN : 0x4045400300000000 -WWPN : 0x50050763031bd327 -LUN status : 0x41000000 -Ready count : n+1 -Running count : 0x00000000 -ERP want : 0x01 -ERP need : 0x01 - -... - -Area : REC -Level : 4 only with increased trace level -Tag : ertru_l -LUN : 0x4045400300000000 -WWPN : 0x50050763031bd327 -LUN status : 0x40000000 -Request ID : 0x0000000000000000 -ERP status : 0x01800000 -ERP step : 0x1000 -ERP action : 0x01 -ERP count : 0x00 - -NOT followed by a trace record with tag "scpaddy" -for WWPN 0x50050763031bd327. 
- -Signed-off-by: Steffen Maier <maier@linux.ibm.com> -Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery") -Reviewed-by: Jens Remus <jremus@linux.ibm.com> -Reviewed-by: Benjamin Block <bblock@linux.ibm.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/s390/scsi/zfcp_erp.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/s390/scsi/zfcp_erp.c -+++ b/drivers/s390/scsi/zfcp_erp.c -@@ -1313,6 +1313,9 @@ static void zfcp_erp_try_rport_unblock(s - struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); - int lun_status; - -+ if (sdev->sdev_state == SDEV_DEL || -+ sdev->sdev_state == SDEV_CANCEL) -+ continue; - if (zsdev->port != port) - continue; - /* LUN under port of interest */ diff --git a/queue-3.16/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch b/queue-3.16/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch deleted file mode 100644 index 694c1af9..00000000 --- a/queue-3.16/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From: Steffen Maier <maier@linux.ibm.com> -Date: Tue, 26 Mar 2019 14:36:59 +0100 -Subject: scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV - FCP devices - -commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream. - -Suppose more than one non-NPIV FCP device is active on the same channel. -Send I/O to storage and have some of the pending I/O run into a SCSI -command timeout, e.g. due to bit errors on the fibre. Now the error -situation stops. However, we saw FCP requests continue to timeout in the -channel. The abort will be successful, but the subsequent TUR fails. -Scsi_eh starts. The LUN reset fails. The target reset fails. The host -reset only did an FCP device recovery. However, for non-NPIV FCP devices, -this does not close and reopen ports on the SAN-side if other non-NPIV FCP -device(s) share the same open ports. - -In order to resolve the continuing FCP request timeouts, we need to -explicitly close and reopen ports on the SAN-side. - -This was missing since the beginning of zfcp in v2.6.0 history commit -ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter."). - -Note: The FSF requests for forced port reopen could run into FSF request -timeouts due to other reasons. This would trigger an internal FCP device -recovery. Pending forced port reopen recoveries would get dismissed. So -some ports might not get fully reopened during this host reset handler. -However, subsequent I/O would trigger the above described escalation and -eventually all ports would be forced reopen to resolve any continuing FCP -request timeouts due to earlier bit errors. - -Signed-off-by: Steffen Maier <maier@linux.ibm.com> -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Reviewed-by: Jens Remus <jremus@linux.ibm.com> -Reviewed-by: Benjamin Block <bblock@linux.ibm.com> -Signed-off-by: Martin K. 
Petersen <martin.petersen@oracle.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/s390/scsi/zfcp_erp.c | 14 ++++++++++++++ - drivers/s390/scsi/zfcp_ext.h | 2 ++ - drivers/s390/scsi/zfcp_scsi.c | 4 ++++ - 3 files changed, 20 insertions(+) - ---- a/drivers/s390/scsi/zfcp_erp.c -+++ b/drivers/s390/scsi/zfcp_erp.c -@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(st - add_timer(&erp_action->timer); - } - -+void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, -+ int clear, char *dbftag) -+{ -+ unsigned long flags; -+ struct zfcp_port *port; -+ -+ write_lock_irqsave(&adapter->erp_lock, flags); -+ read_lock(&adapter->port_list_lock); -+ list_for_each_entry(port, &adapter->port_list, list) -+ _zfcp_erp_port_forced_reopen(port, clear, dbftag); -+ read_unlock(&adapter->port_list_lock); -+ write_unlock_irqrestore(&adapter->erp_lock, flags); -+} -+ - static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter, - int clear, char *id) - { ---- a/drivers/s390/scsi/zfcp_ext.h -+++ b/drivers/s390/scsi/zfcp_ext.h -@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(s - extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *); - extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *); - extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *); -+extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, -+ int clear, char *dbftag); - extern void zfcp_erp_set_lun_status(struct scsi_device *, u32); - extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32); - extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *); ---- a/drivers/s390/scsi/zfcp_scsi.c -+++ b/drivers/s390/scsi/zfcp_scsi.c -@@ -347,6 +347,10 @@ static int zfcp_scsi_eh_host_reset_handl - struct zfcp_adapter *adapter = zfcp_sdev->port->adapter; - int ret = SUCCESS, fc_ret; - -+ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) { -+ zfcp_erp_port_forced_reopen_all(adapter, 0, 
"schrh_p"); -+ zfcp_erp_wait(adapter); -+ } - zfcp_erp_adapter_reopen(adapter, 0, "schrh_1"); - zfcp_erp_wait(adapter); - fc_ret = fc_block_scsi_eh(scpnt); diff --git a/queue-3.16/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch b/queue-3.16/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch deleted file mode 100644 index 4e16f943..00000000 --- a/queue-3.16/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Xin Long <lucien.xin@gmail.com> -Date: Mon, 18 Mar 2019 19:47:00 +0800 -Subject: sctp: get sctphdr by offset in sctp_compute_cksum - -commit 273160ffc6b993c7c91627f5a84799c66dfe4dee upstream. - -sctp_hdr(skb) only works when skb->transport_header is set properly. - -But in Netfilter, skb->transport_header for ipv6 is not guaranteed -to be right value for sctphdr. It would cause to fail to check the -checksum for sctp packets. - -So fix it by using offset, which is always right in all places. - -v1->v2: - - Fix the changelog. - -Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") -Reported-by: Li Shuang <shuali@redhat.com> -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/net/sctp/checksum.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/include/net/sctp/checksum.h -+++ b/include/net/sctp/checksum.h -@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(_ - static inline __le32 sctp_compute_cksum(const struct sk_buff *skb, - unsigned int offset) - { -- struct sctphdr *sh = sctp_hdr(skb); -+ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset); - const struct skb_checksum_ops ops = { - .update = sctp_csum_update, - .combine = sctp_csum_combine, 
diff --git a/queue-3.16/serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch b/queue-3.16/serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch deleted file mode 100644 index da9af751..00000000 --- a/queue-3.16/serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Aditya Pakki <pakki001@umn.edu> -Date: Mon, 18 Mar 2019 18:44:14 -0500 -Subject: serial: max310x: Fix to avoid potential NULL pointer dereference - -commit 3a10e3dd52e80b9a97a3346020024d17b2c272d6 upstream. - -of_match_device can return a NULL pointer when matching device is not -found. This patch avoids a scenario causing NULL pointer derefernce. - -Signed-off-by: Aditya Pakki <pakki001@umn.edu> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/tty/serial/max310x.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/tty/serial/max310x.c -+++ b/drivers/tty/serial/max310x.c -@@ -1324,6 +1324,8 @@ static int max310x_spi_probe(struct spi_ - if (spi->dev.of_node) { - const struct of_device_id *of_id = - of_match_device(max310x_dt_ids, &spi->dev); -+ if (!of_id) -+ return -ENODEV; - - devtype = (struct max310x_devtype *)of_id->data; - } else { diff --git a/queue-3.16/serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch b/queue-3.16/serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch deleted file mode 100644 index b54a12ca..00000000 --- a/queue-3.16/serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: Hoan Nguyen An <na-hoan@jinso.co.jp> -Date: Mon, 18 Mar 2019 18:26:32 +0900 -Subject: serial: sh-sci: Fix setting SCSCR_TIE while transferring data - -commit 93bcefd4c6bad4c69dbc4edcd3fbf774b24d930d upstream. - -We disable transmission interrupt (clear SCSCR_TIE) after all data has been transmitted -(if uart_circ_empty(xmit)). While transmitting, if the data is still in the tty buffer, -re-enable the SCSCR_TIE bit, which was done at sci_start_tx(). -This is unnecessary processing, wasting CPU operation if the data transmission length is large. -And further, transmit end, FIFO empty bits disabling have also been performed in the step above. - -Signed-off-by: Hoan Nguyen An <na-hoan@jinso.co.jp> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/tty/serial/sh-sci.c | 12 +----------- - 1 file changed, 1 insertion(+), 11 deletions(-) - ---- a/drivers/tty/serial/sh-sci.c -+++ b/drivers/tty/serial/sh-sci.c -@@ -633,19 +633,9 @@ static void sci_transmit_chars(struct ua - - if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) - uart_write_wakeup(port); -- if (uart_circ_empty(xmit)) { -+ if (uart_circ_empty(xmit)) - sci_stop_tx(port); -- } else { -- ctrl = serial_port_in(port, SCSCR); - -- if (port->type != PORT_SCI) { -- serial_port_in(port, SCxSR); /* Dummy read */ -- serial_port_out(port, SCxSR, SCxSR_TDxE_CLEAR(port)); -- } -- -- ctrl |= SCSCR_TIE; -- serial_port_out(port, SCSCR, ctrl); -- } - } - - /* On SH3, SCIF may read end-of-break as a space->mark char */ diff --git a/queue-3.16/series b/queue-3.16/series deleted file mode 100644 index 71ee2769..00000000 --- a/queue-3.16/series +++ /dev/null 
@@ -1,156 +0,0 @@
-ipv6-check-sk-sk_type-and-protocol-early-in-ip_mroute_set-getsockopt.patch
-xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch
-staging-iio-meter-fixed-typo.patch
-iio-use-kmalloc_array-in-iio_scan_mask_set.patch
-iio-fix-scan-mask-selection.patch
-iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch
-perf-core-restore-mmap-record-type-correctly.patch
-ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
-ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch
-xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch
-iio-dac-mcp4725-add-missing-powerdown-bits-in-store-eeprom.patch
-ib-mlx4-fix-race-condition-between-catas-error-reset-and-aliasguid.patch
-staging-speakup_soft-fix-alternate-speech-with-other-synths.patch
-powerpc-vdso64-fix-clock_monotonic-inconsistencies-across-y2038.patch
-netfilter-bridge-set-skb-transport_header-before-entering.patch
-udf-fix-crash-on-io-error-during-truncate.patch
-net-mac8390-use-standard-memcpy_-from-to-io.patch
-mac8390-fix-mmio-access-size-probe.patch
-sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch
-nfs-fix-mount-umount-race-in-nlmclnt.patch
-arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected.patch
-usb-serial-ftdi_sio-add-additional-novatech-products.patch
-serial-max310x-fix-to-avoid-potential-null-pointer-dereference.patch
-tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch
-tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch
-serial-sh-sci-fix-setting-scscr_tie-while-transferring-data.patch
-device_cgroup-fix-rcu-imbalance-in-error-case.patch
-perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp_sched_test.patch
-net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch
-tcp-do-not-use-ipv6-header-for-ipv4-flow.patch
-dccp-do-not-use-ipv6-header-for-ipv4-flow.patch
-3c515-fix-integer-overflow-warning.patch
-arm-dts-pfla02-increase-phy-reset-duration.patch
-usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch
-staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch
-alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
-alsa-seq-oss-fix-spectre-v1-vulnerability.patch
-iommu-vt-d-check-capability-before-disabling-protected-memory.patch
-futex-ensure-that-futex-address-is-aligned-in-handle_futex_death.patch
-alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
-gpio-adnp-fix-testing-wrong-value-in-adnp_gpio_direction_input.patch
-xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch
-iio-ad_sigma_delta-select-channel-when-reading-register.patch
-batman-adv-reduce-claim-hash-refcnt-only-for-removed-entry.patch
-batman-adv-reduce-tt_local-hash-refcnt-only-for-removed-entry.patch
-batman-adv-reduce-tt_global-hash-refcnt-only-for-removed-entry.patch
-alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
-net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch
-scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch
-scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv.patch
-usb-serial-cp210x-add-new-device-id.patch
-afs-fix-storedata-op-marshalling.patch
-kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch
-kvm-x86-ia32_arch_capabilities-is-always-supported.patch
-kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
-fs-proc-proc_sysctl.c-fix-null-pointer-dereference-in-put_links.patch
-iio-core-fix-a-possible-circular-locking-dependency.patch
-dm-table-propagate-bdi_cap_stable_writes-to-fix-sporadic-checksum.patch
-dccp-fix-memleak-in-__feat_register_sp.patch
-xfrm4-fix-header-checks-in-_decode_session4.patch
-xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch
-xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch
-sched-fair-do-not-re-read-h_load_next-during-hierarchical-load.patch
-btrfs-prop-fix-vanished-compression-property-after-failed-set.patch
-btrfs-correctly-validate-compression-type.patch
-xtensa-fix-return_address.patch
-dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch
-mtd-cfi-fix-deadloop-in-cfi_cmdset_0002.c-do_write_buffer.patch
-xen-prevent-buffer-overflow-in-privcmd-ioctl.patch
-alsa-seq-fix-oob-reads-from-strlcpy.patch
-pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch
-sunrpc-don-t-mark-uninitialised-items-as-valid.patch
-lib-string.c-implement-a-basic-bcmp.patch
-xsysace-fix-error-handling-in-ace_setup.patch
-powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch
-acpica-namespace-remove-address-node-from-global-list-after-method.patch
-block-do-not-leak-memory-in-bio_copy_user_iov.patch
-net-bridge-multicast-use-rcu-to-access-port-list-from.patch
-iommu-amd-set-exclusion-range-correctly.patch
-rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch
-vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch
-locking-lockdep-add-irqs-disabled-enabled-assertion-apis.patch
-x86-speculation-prevent-deadlock-on-ssb_state-lock.patch
-mips-scall64-o32-fix-indirect-syscall-number-load.patch
-usb-core-fix-unterminated-string-returned-by-usb_string.patch
-staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch
-staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch
-kvm-mmu-fix-overflow-on-kvm-mmu-page-limit-calculation.patch
-tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch
-cifs-fix-handle-leak-in-smb2_query_symlink.patch
-cifs-keep-fileinfo-handle-live-during-oplock-break.patch
-sched-fair-limit-sched_cfs_period_timer-loop-to-avoid-hard-lockup.patch
-alsa-core-fix-card-races-between-register-and-disconnect.patch
-tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch
-x86-kprobes-verify-stack-frame-on-kretprobe.patch
-kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch
-x86-kprobes-avoid-kretprobe-recursion-bug.patch
-mm-vmstat.c-fix-proc-vmstat-format-for-config_debug_tlbflush-y.patch
-usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch
-team-fix-possible-recursive-locking-when-add-slaves.patch
-netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
-mac80211-don-t-attempt-to-rename-err_ptr-debugfs-dirs.patch
-ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch
-cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch
-net-rose-fix-unbound-loop-in-rose_loopback_timer.patch
-usb-yurex-fix-protection-fault-after-device-removal.patch
-usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch
-usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch
-sched-numa-fix-a-possible-divide-by-zero.patch
-l2tp-use-rcu_dereference_sk_user_data-in-l2tp_udp_encap_recv.patch
-trace-fix-preempt_enable_no_resched-abuse.patch
-fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
-slip-make-slhc_free-silently-accept-an-error-pointer.patch
-ipv6-invert-flowlabel-sharing-check-in-process-and-user-mode.patch
-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
-l2ip-fix-possible-use-after-free.patch
-packet-in-recvmsg-msg_name-return-at-least-sizeof-sockaddr_ll.patch
-packet-validate-msg_namelen-in-send-directly.patch
-ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch
-x86-cpufeatures-renumber-word-7.patch
-x86-asm-entry-64-disentangle-error_entry-exit-gsbase-ebx-usermode.patch
-x86-entry-64-really-create-an-error-entry-from-usermode-code-path.patch
-x86-entry-64-fix-context-tracking-state-warning-when-load_gs_index.patch
-x86-speculation-prepare-entry-code-for-spectre-v1-swapgs-mitigations.patch
-x86-speculation-enable-spectre-v1-swapgs-mitigations.patch
-x86-entry-64-use-jmp-instead-of-jmpq.patch
-x86-speculation-swapgs-exclude-atoms-from-speculation-through-swapgs.patch
-vhost-net-set-packet-weight-of-tx-polling-to-2-vq-size.patch
-vhost_net-use-packet-weight-for-rx-handler-too.patch
-vhost_net-introduce-vhost_exceeds_weight.patch
-vhost-introduce-vhost_exceeds_weight.patch
-vhost_net-fix-possible-infinite-loop.patch
-vhost-scsi-add-weight-support.patch
-bluetooth-hci_uart-check-for-missing-tty-operations.patch
-input-gtco-bounds-check-collection-indent-level.patch
-powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
-floppy-fix-div-by-zero-in-setup_format_params.patch
-floppy-fix-out-of-bounds-read-in-next_valid_format.patch
-floppy-fix-invalid-pointer-dereference-in-drive_name.patch
-floppy-fix-out-of-bounds-read-in-copy_buffer.patch
-proc-meminfo-estimate-available-memory-more-conservatively.patch
-mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch
-xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch
-revert-inet-update-the-ip-id-generation-algorithm-to-higher-standards.patch
-ipv6-select-fragment-id-during-ufo-segmentation-if-not-set.patch
-revert-drivers-net-ipv6-select-ipv6-fragment-idents-for-virtio-ufo.patch
-ipv6-fix-fragment-id-assignment-on-le-arches.patch
-ipv6-make-__ipv6_select_ident-static.patch
-ipv6-call-ipv6_proxy_select_ident-instead-of-ipv6_select_ident-in.patch
-ipv4-hash-net-ptr-into-fragmentation-bucket-selection.patch
-ipv4-ip_tunnel-use-net-namespace-from-rtable-not-socket.patch
-ipv6-hash-net-ptr-into-fragmentation-bucket-selection.patch
-siphash-add-cryptographically-secure-prf.patch
-inet-switch-ip-id-generator-to-siphash.patch
-netfilter-ctnetlink-don-t-use-conntrack-expect-object-addresses-as.patch
-scsi-libsas-fix-a-race-condition-when-smp-task-timeout.patch
diff --git a/queue-3.16/siphash-add-cryptographically-secure-prf.patch b/queue-3.16/siphash-add-cryptographically-secure-prf.patch
deleted file mode 100644
index 54147e8d..00000000
--- a/queue-3.16/siphash-add-cryptographically-secure-prf.patch
+++ /dev/null
@@ -1,681 +0,0 @@ -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Sun, 8 Jan 2017 13:54:00 +0100 -Subject: siphash: add cryptographically secure PRF - -commit 2c956a60778cbb6a27e0c7a8a52a91378c90e1d1 upstream. - -SipHash is a 64-bit keyed hash function that is actually a -cryptographically secure PRF, like HMAC. Except SipHash is super fast, -and is meant to be used as a hashtable keyed lookup function, or as a -general PRF for short input use cases, such as sequence numbers or RNG -chaining. - -For the first usage: - -There are a variety of attacks known as "hashtable poisoning" in which an -attacker forms some data such that the hash of that data will be the -same, and then preceeds to fill up all entries of a hashbucket. This is -a realistic and well-known denial-of-service vector. Currently -hashtables use jhash, which is fast but not secure, and some kind of -rotating key scheme (or none at all, which isn't good). SipHash is meant -as a replacement for jhash in these cases. - -There are a modicum of places in the kernel that are vulnerable to -hashtable poisoning attacks, either via userspace vectors or network -vectors, and there's not a reliable mechanism inside the kernel at the -moment to fix it. The first step toward fixing these issues is actually -getting a secure primitive into the kernel for developers to use. Then -we can, bit by bit, port things over to it as deemed appropriate. - -While SipHash is extremely fast for a cryptographically secure function, -it is likely a bit slower than the insecure jhash, and so replacements -will be evaluated on a case-by-case basis based on whether or not the -difference in speed is negligible and whether or not the current jhash usage -poses a real security risk. - -For the second usage: - -A few places in the kernel are using MD5 or SHA1 for creating secure -sequence numbers, syn cookies, port numbers, or fast random numbers. 
-SipHash is a faster and more fitting, and more secure replacement for MD5 -in those situations. Replacing MD5 and SHA1 with SipHash for these uses is -obvious and straight-forward, and so is submitted along with this patch -series. There shouldn't be much of a debate over its efficacy. - -Dozens of languages are already using this internally for their hash -tables and PRFs. Some of the BSDs already use this in their kernels. -SipHash is a widely known high-speed solution to a widely known set of -problems, and it's time we catch-up. - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> -Reviewed-by: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Eric Biggers <ebiggers3@gmail.com> -Cc: David Laight <David.Laight@aculab.com> -Cc: Eric Dumazet <eric.dumazet@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - Documentation/siphash.txt | 100 ++++++++++++++++ - MAINTAINERS | 7 ++ - include/linux/siphash.h | 85 ++++++++++++++ - lib/Kconfig.debug | 6 +- - lib/Makefile | 5 +- - lib/siphash.c | 232 ++++++++++++++++++++++++++++++++++++++ - lib/test_siphash.c | 131 +++++++++++++++++++++ - 7 files changed, 561 insertions(+), 5 deletions(-) - create mode 100644 Documentation/siphash.txt - create mode 100644 include/linux/siphash.h - create mode 100644 lib/siphash.c - create mode 100644 lib/test_siphash.c - ---- /dev/null -+++ b/Documentation/siphash.txt -@@ -0,0 +1,100 @@ -+ SipHash - a short input PRF -+----------------------------------------------- -+Written by Jason A. Donenfeld <jason@zx2c4.com> -+ -+SipHash is a cryptographically secure PRF -- a keyed hash function -- that -+performs very well for short inputs, hence the name. It was designed by -+cryptographers Daniel J. Bernstein and Jean-Philippe Aumasson. It is intended -+as a replacement for some uses of: `jhash`, `md5_transform`, `sha_transform`, -+and so forth. 
-+ -+SipHash takes a secret key filled with randomly generated numbers and either -+an input buffer or several input integers. It spits out an integer that is -+indistinguishable from random. You may then use that integer as part of secure -+sequence numbers, secure cookies, or mask it off for use in a hash table. -+ -+1. Generating a key -+ -+Keys should always be generated from a cryptographically secure source of -+random numbers, either using get_random_bytes or get_random_once: -+ -+siphash_key_t key; -+get_random_bytes(&key, sizeof(key)); -+ -+If you're not deriving your key from here, you're doing it wrong. -+ -+2. Using the functions -+ -+There are two variants of the function, one that takes a list of integers, and -+one that takes a buffer: -+ -+u64 siphash(const void *data, size_t len, const siphash_key_t *key); -+ -+And: -+ -+u64 siphash_1u64(u64, const siphash_key_t *key); -+u64 siphash_2u64(u64, u64, const siphash_key_t *key); -+u64 siphash_3u64(u64, u64, u64, const siphash_key_t *key); -+u64 siphash_4u64(u64, u64, u64, u64, const siphash_key_t *key); -+u64 siphash_1u32(u32, const siphash_key_t *key); -+u64 siphash_2u32(u32, u32, const siphash_key_t *key); -+u64 siphash_3u32(u32, u32, u32, const siphash_key_t *key); -+u64 siphash_4u32(u32, u32, u32, u32, const siphash_key_t *key); -+ -+If you pass the generic siphash function something of a constant length, it -+will constant fold at compile-time and automatically choose one of the -+optimized functions. -+ -+3. 
Hashtable key function usage: -+ -+struct some_hashtable { -+ DECLARE_HASHTABLE(hashtable, 8); -+ siphash_key_t key; -+}; -+ -+void init_hashtable(struct some_hashtable *table) -+{ -+ get_random_bytes(&table->key, sizeof(table->key)); -+} -+ -+static inline hlist_head *some_hashtable_bucket(struct some_hashtable *table, struct interesting_input *input) -+{ -+ return &table->hashtable[siphash(input, sizeof(*input), &table->key) & (HASH_SIZE(table->hashtable) - 1)]; -+} -+ -+You may then iterate like usual over the returned hash bucket. -+ -+4. Security -+ -+SipHash has a very high security margin, with its 128-bit key. So long as the -+key is kept secret, it is impossible for an attacker to guess the outputs of -+the function, even if being able to observe many outputs, since 2^128 outputs -+is significant. -+ -+Linux implements the "2-4" variant of SipHash. -+ -+5. Struct-passing Pitfalls -+ -+Often times the XuY functions will not be large enough, and instead you'll -+want to pass a pre-filled struct to siphash. When doing this, it's important -+to always ensure the struct has no padding holes. The easiest way to do this -+is to simply arrange the members of the struct in descending order of size, -+and to use offsetendof() instead of sizeof() for getting the size. For -+performance reasons, if possible, it's probably a good thing to align the -+struct to the right boundary. Here's an example: -+ -+const struct { -+ struct in6_addr saddr; -+ u32 counter; -+ u16 dport; -+} __aligned(SIPHASH_ALIGNMENT) combined = { -+ .saddr = *(struct in6_addr *)saddr, -+ .counter = counter, -+ .dport = dport -+}; -+u64 h = siphash(&combined, offsetofend(typeof(combined), dport), &secret); -+ -+6. 
Resources -+ -+Read the SipHash paper if you're interested in learning more: -+https://131002.net/siphash/siphash.pdf ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -8188,6 +8188,13 @@ F: arch/arm/mach-s3c24xx/mach-bast.c - F: arch/arm/mach-s3c24xx/bast-ide.c - F: arch/arm/mach-s3c24xx/bast-irq.c - -+SIPHASH PRF ROUTINES -+M: Jason A. Donenfeld <Jason@zx2c4.com> -+S: Maintained -+F: lib/siphash.c -+F: lib/test_siphash.c -+F: include/linux/siphash.h -+ - TI DAVINCI MACHINE SUPPORT - M: Sekhar Nori <nsekhar@ti.com> - M: Kevin Hilman <khilman@deeprootsystems.com> ---- /dev/null -+++ b/include/linux/siphash.h -@@ -0,0 +1,85 @@ -+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. -+ * -+ * This file is provided under a dual BSD/GPLv2 license. -+ * -+ * SipHash: a fast short-input PRF -+ * https://131002.net/siphash/ -+ * -+ * This implementation is specifically for SipHash2-4. -+ */ -+ -+#ifndef _LINUX_SIPHASH_H -+#define _LINUX_SIPHASH_H -+ -+#include <linux/types.h> -+#include <linux/kernel.h> -+ -+#define SIPHASH_ALIGNMENT __alignof__(u64) -+typedef struct { -+ u64 key[2]; -+} siphash_key_t; -+ -+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key); -+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS -+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key); -+#endif -+ -+u64 siphash_1u64(const u64 a, const siphash_key_t *key); -+u64 siphash_2u64(const u64 a, const u64 b, const siphash_key_t *key); -+u64 siphash_3u64(const u64 a, const u64 b, const u64 c, -+ const siphash_key_t *key); -+u64 siphash_4u64(const u64 a, const u64 b, const u64 c, const u64 d, -+ const siphash_key_t *key); -+u64 siphash_1u32(const u32 a, const siphash_key_t *key); -+u64 siphash_3u32(const u32 a, const u32 b, const u32 c, -+ const siphash_key_t *key); -+ -+static inline u64 siphash_2u32(const u32 a, const u32 b, -+ const siphash_key_t *key) -+{ -+ return siphash_1u64((u64)b << 32 | a, key); -+} -+static inline u64 
siphash_4u32(const u32 a, const u32 b, const u32 c, -+ const u32 d, const siphash_key_t *key) -+{ -+ return siphash_2u64((u64)b << 32 | a, (u64)d << 32 | c, key); -+} -+ -+ -+static inline u64 ___siphash_aligned(const __le64 *data, size_t len, -+ const siphash_key_t *key) -+{ -+ if (__builtin_constant_p(len) && len == 4) -+ return siphash_1u32(le32_to_cpup((const __le32 *)data), key); -+ if (__builtin_constant_p(len) && len == 8) -+ return siphash_1u64(le64_to_cpu(data[0]), key); -+ if (__builtin_constant_p(len) && len == 16) -+ return siphash_2u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]), -+ key); -+ if (__builtin_constant_p(len) && len == 24) -+ return siphash_3u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]), -+ le64_to_cpu(data[2]), key); -+ if (__builtin_constant_p(len) && len == 32) -+ return siphash_4u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]), -+ le64_to_cpu(data[2]), le64_to_cpu(data[3]), -+ key); -+ return __siphash_aligned(data, len, key); -+} -+ -+/** -+ * siphash - compute 64-bit siphash PRF value -+ * @data: buffer to hash -+ * @size: size of @data -+ * @key: the siphash key -+ */ -+static inline u64 siphash(const void *data, size_t len, -+ const siphash_key_t *key) -+{ -+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS -+ if (!IS_ALIGNED((unsigned long)data, SIPHASH_ALIGNMENT)) -+ return __siphash_unaligned(data, len, key); -+#endif -+ return ___siphash_aligned(data, len, key); -+} -+ -+#endif /* _LINUX_SIPHASH_H */ ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -1550,6 +1550,16 @@ config TEST_STRING_HELPERS - config TEST_KSTRTOX - tristate "Test kstrto*() family of functions at runtime" - -+config TEST_HASH -+ tristate "Perform selftest on hash functions" -+ default n -+ help -+ Enable this option to test the kernel's siphash (<linux/siphash.h>) -+ hash functions on boot (or module load). -+ -+ This is intended to help people writing architecture-specific -+ optimized versions. If unsure, say N. 
-+ - endmenu # runtime tests - - config PROVIDE_OHCI1394_DMA_INIT ---- a/lib/Makefile -+++ b/lib/Makefile -@@ -26,10 +26,11 @@ obj-y += bcd.o div64.o sort.o parser.o h - bust_spinlocks.o hexdump.o kasprintf.o bitmap.o scatterlist.o \ - gcd.o lcm.o list_sort.o uuid.o flex_array.o iovec.o clz_ctz.o \ - bsearch.o find_last_bit.o find_next_bit.o llist.o memweight.o kfifo.o \ -- percpu-refcount.o percpu_ida.o hash.o -+ percpu-refcount.o percpu_ida.o hash.o siphash.o - obj-y += string_helpers.o - obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o - obj-y += kstrtox.o -+obj-$(CONFIG_TEST_HASH) += test_siphash.o - obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o - obj-$(CONFIG_TEST_MODULE) += test_module.o - obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o ---- /dev/null -+++ b/lib/siphash.c -@@ -0,0 +1,232 @@ -+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. -+ * -+ * This file is provided under a dual BSD/GPLv2 license. -+ * -+ * SipHash: a fast short-input PRF -+ * https://131002.net/siphash/ -+ * -+ * This implementation is specifically for SipHash2-4. 
-+ */ -+ -+#include <linux/siphash.h> -+#include <asm/unaligned.h> -+ -+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64 -+#include <linux/dcache.h> -+#include <asm/word-at-a-time.h> -+#endif -+ -+#define SIPROUND \ -+ do { \ -+ v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \ -+ v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \ -+ v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \ -+ v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \ -+ } while (0) -+ -+#define PREAMBLE(len) \ -+ u64 v0 = 0x736f6d6570736575ULL; \ -+ u64 v1 = 0x646f72616e646f6dULL; \ -+ u64 v2 = 0x6c7967656e657261ULL; \ -+ u64 v3 = 0x7465646279746573ULL; \ -+ u64 b = ((u64)(len)) << 56; \ -+ v3 ^= key->key[1]; \ -+ v2 ^= key->key[0]; \ -+ v1 ^= key->key[1]; \ -+ v0 ^= key->key[0]; -+ -+#define POSTAMBLE \ -+ v3 ^= b; \ -+ SIPROUND; \ -+ SIPROUND; \ -+ v0 ^= b; \ -+ v2 ^= 0xff; \ -+ SIPROUND; \ -+ SIPROUND; \ -+ SIPROUND; \ -+ SIPROUND; \ -+ return (v0 ^ v1) ^ (v2 ^ v3); -+ -+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key) -+{ -+ const u8 *end = data + len - (len % sizeof(u64)); -+ const u8 left = len & (sizeof(u64) - 1); -+ u64 m; -+ PREAMBLE(len) -+ for (; data != end; data += sizeof(u64)) { -+ m = le64_to_cpup(data); -+ v3 ^= m; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= m; -+ } -+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64 -+ if (left) -+ b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) & -+ bytemask_from_count(left))); -+#else -+ switch (left) { -+ case 7: b |= ((u64)end[6]) << 48; -+ case 6: b |= ((u64)end[5]) << 40; -+ case 5: b |= ((u64)end[4]) << 32; -+ case 4: b |= le32_to_cpup(data); break; -+ case 3: b |= ((u64)end[2]) << 16; -+ case 2: b |= le16_to_cpup(data); break; -+ case 1: b |= end[0]; -+ } -+#endif -+ POSTAMBLE -+} -+EXPORT_SYMBOL(__siphash_aligned); -+ -+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS -+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key) -+{ -+ const u8 *end = 
data + len - (len % sizeof(u64)); -+ const u8 left = len & (sizeof(u64) - 1); -+ u64 m; -+ PREAMBLE(len) -+ for (; data != end; data += sizeof(u64)) { -+ m = get_unaligned_le64(data); -+ v3 ^= m; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= m; -+ } -+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64 -+ if (left) -+ b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) & -+ bytemask_from_count(left))); -+#else -+ switch (left) { -+ case 7: b |= ((u64)end[6]) << 48; -+ case 6: b |= ((u64)end[5]) << 40; -+ case 5: b |= ((u64)end[4]) << 32; -+ case 4: b |= get_unaligned_le32(end); break; -+ case 3: b |= ((u64)end[2]) << 16; -+ case 2: b |= get_unaligned_le16(end); break; -+ case 1: b |= end[0]; -+ } -+#endif -+ POSTAMBLE -+} -+EXPORT_SYMBOL(__siphash_unaligned); -+#endif -+ -+/** -+ * siphash_1u64 - compute 64-bit siphash PRF value of a u64 -+ * @first: first u64 -+ * @key: the siphash key -+ */ -+u64 siphash_1u64(const u64 first, const siphash_key_t *key) -+{ -+ PREAMBLE(8) -+ v3 ^= first; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= first; -+ POSTAMBLE -+} -+EXPORT_SYMBOL(siphash_1u64); -+ -+/** -+ * siphash_2u64 - compute 64-bit siphash PRF value of 2 u64 -+ * @first: first u64 -+ * @second: second u64 -+ * @key: the siphash key -+ */ -+u64 siphash_2u64(const u64 first, const u64 second, const siphash_key_t *key) -+{ -+ PREAMBLE(16) -+ v3 ^= first; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= first; -+ v3 ^= second; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= second; -+ POSTAMBLE -+} -+EXPORT_SYMBOL(siphash_2u64); -+ -+/** -+ * siphash_3u64 - compute 64-bit siphash PRF value of 3 u64 -+ * @first: first u64 -+ * @second: second u64 -+ * @third: third u64 -+ * @key: the siphash key -+ */ -+u64 siphash_3u64(const u64 first, const u64 second, const u64 third, -+ const siphash_key_t *key) -+{ -+ PREAMBLE(24) -+ v3 ^= first; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= first; -+ v3 ^= second; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= second; -+ v3 ^= third; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= third; -+ 
POSTAMBLE -+} -+EXPORT_SYMBOL(siphash_3u64); -+ -+/** -+ * siphash_4u64 - compute 64-bit siphash PRF value of 4 u64 -+ * @first: first u64 -+ * @second: second u64 -+ * @third: third u64 -+ * @forth: forth u64 -+ * @key: the siphash key -+ */ -+u64 siphash_4u64(const u64 first, const u64 second, const u64 third, -+ const u64 forth, const siphash_key_t *key) -+{ -+ PREAMBLE(32) -+ v3 ^= first; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= first; -+ v3 ^= second; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= second; -+ v3 ^= third; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= third; -+ v3 ^= forth; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= forth; -+ POSTAMBLE -+} -+EXPORT_SYMBOL(siphash_4u64); -+ -+u64 siphash_1u32(const u32 first, const siphash_key_t *key) -+{ -+ PREAMBLE(4) -+ b |= first; -+ POSTAMBLE -+} -+EXPORT_SYMBOL(siphash_1u32); -+ -+u64 siphash_3u32(const u32 first, const u32 second, const u32 third, -+ const siphash_key_t *key) -+{ -+ u64 combined = (u64)second << 32 | first; -+ PREAMBLE(12) -+ v3 ^= combined; -+ SIPROUND; -+ SIPROUND; -+ v0 ^= combined; -+ b |= third; -+ POSTAMBLE -+} -+EXPORT_SYMBOL(siphash_3u32); ---- /dev/null -+++ b/lib/test_siphash.c -@@ -0,0 +1,131 @@ -+/* Test cases for siphash.c -+ * -+ * Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. -+ * -+ * This file is provided under a dual BSD/GPLv2 license. -+ * -+ * SipHash: a fast short-input PRF -+ * https://131002.net/siphash/ -+ * -+ * This implementation is specifically for SipHash2-4. 
-+ */ -+ -+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -+ -+#include <linux/siphash.h> -+#include <linux/kernel.h> -+#include <linux/string.h> -+#include <linux/errno.h> -+#include <linux/module.h> -+ -+/* Test vectors taken from official reference source available at: -+ * https://131002.net/siphash/siphash24.c -+ */ -+ -+static const siphash_key_t test_key_siphash = -+ {{ 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }}; -+ -+static const u64 test_vectors_siphash[64] = { -+ 0x726fdb47dd0e0e31ULL, 0x74f839c593dc67fdULL, 0x0d6c8009d9a94f5aULL, -+ 0x85676696d7fb7e2dULL, 0xcf2794e0277187b7ULL, 0x18765564cd99a68dULL, -+ 0xcbc9466e58fee3ceULL, 0xab0200f58b01d137ULL, 0x93f5f5799a932462ULL, -+ 0x9e0082df0ba9e4b0ULL, 0x7a5dbbc594ddb9f3ULL, 0xf4b32f46226bada7ULL, -+ 0x751e8fbc860ee5fbULL, 0x14ea5627c0843d90ULL, 0xf723ca908e7af2eeULL, -+ 0xa129ca6149be45e5ULL, 0x3f2acc7f57c29bdbULL, 0x699ae9f52cbe4794ULL, -+ 0x4bc1b3f0968dd39cULL, 0xbb6dc91da77961bdULL, 0xbed65cf21aa2ee98ULL, -+ 0xd0f2cbb02e3b67c7ULL, 0x93536795e3a33e88ULL, 0xa80c038ccd5ccec8ULL, -+ 0xb8ad50c6f649af94ULL, 0xbce192de8a85b8eaULL, 0x17d835b85bbb15f3ULL, -+ 0x2f2e6163076bcfadULL, 0xde4daaaca71dc9a5ULL, 0xa6a2506687956571ULL, -+ 0xad87a3535c49ef28ULL, 0x32d892fad841c342ULL, 0x7127512f72f27cceULL, -+ 0xa7f32346f95978e3ULL, 0x12e0b01abb051238ULL, 0x15e034d40fa197aeULL, -+ 0x314dffbe0815a3b4ULL, 0x027990f029623981ULL, 0xcadcd4e59ef40c4dULL, -+ 0x9abfd8766a33735cULL, 0x0e3ea96b5304a7d0ULL, 0xad0c42d6fc585992ULL, -+ 0x187306c89bc215a9ULL, 0xd4a60abcf3792b95ULL, 0xf935451de4f21df2ULL, -+ 0xa9538f0419755787ULL, 0xdb9acddff56ca510ULL, 0xd06c98cd5c0975ebULL, -+ 0xe612a3cb9ecba951ULL, 0xc766e62cfcadaf96ULL, 0xee64435a9752fe72ULL, -+ 0xa192d576b245165aULL, 0x0a8787bf8ecb74b2ULL, 0x81b3e73d20b49b6fULL, -+ 0x7fa8220ba3b2eceaULL, 0x245731c13ca42499ULL, 0xb78dbfaf3a8d83bdULL, -+ 0xea1ad565322a1a0bULL, 0x60e61c23a3795013ULL, 0x6606d7e446282b93ULL, -+ 0x6ca4ecb15c5f91e1ULL, 0x9f626da15c9625f3ULL, 0xe51b38608ef25f57ULL, -+ 
0x958a324ceb064572ULL -+}; -+ -+static int __init siphash_test_init(void) -+{ -+ u8 in[64] __aligned(SIPHASH_ALIGNMENT); -+ u8 in_unaligned[65] __aligned(SIPHASH_ALIGNMENT); -+ u8 i; -+ int ret = 0; -+ -+ for (i = 0; i < 64; ++i) { -+ in[i] = i; -+ in_unaligned[i + 1] = i; -+ if (siphash(in, i, &test_key_siphash) != -+ test_vectors_siphash[i]) { -+ pr_info("siphash self-test aligned %u: FAIL\n", i + 1); -+ ret = -EINVAL; -+ } -+ if (siphash(in_unaligned + 1, i, &test_key_siphash) != -+ test_vectors_siphash[i]) { -+ pr_info("siphash self-test unaligned %u: FAIL\n", i + 1); -+ ret = -EINVAL; -+ } -+ } -+ if (siphash_1u64(0x0706050403020100ULL, &test_key_siphash) != -+ test_vectors_siphash[8]) { -+ pr_info("siphash self-test 1u64: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_2u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL, -+ &test_key_siphash) != test_vectors_siphash[16]) { -+ pr_info("siphash self-test 2u64: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_3u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL, -+ 0x1716151413121110ULL, &test_key_siphash) != -+ test_vectors_siphash[24]) { -+ pr_info("siphash self-test 3u64: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_4u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL, -+ 0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL, -+ &test_key_siphash) != test_vectors_siphash[32]) { -+ pr_info("siphash self-test 4u64: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_1u32(0x03020100U, &test_key_siphash) != -+ test_vectors_siphash[4]) { -+ pr_info("siphash self-test 1u32: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_2u32(0x03020100U, 0x07060504U, &test_key_siphash) != -+ test_vectors_siphash[8]) { -+ pr_info("siphash self-test 2u32: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_3u32(0x03020100U, 0x07060504U, -+ 0x0b0a0908U, &test_key_siphash) != -+ test_vectors_siphash[12]) { -+ pr_info("siphash self-test 3u32: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (siphash_4u32(0x03020100U, 0x07060504U, -+ 0x0b0a0908U, 0x0f0e0d0cU, 
&test_key_siphash) != -+ test_vectors_siphash[16]) { -+ pr_info("siphash self-test 4u32: FAIL\n"); -+ ret = -EINVAL; -+ } -+ if (!ret) -+ pr_info("self-tests: pass\n"); -+ return ret; -+} -+ -+static void __exit siphash_test_exit(void) -+{ -+} -+ -+module_init(siphash_test_init); -+module_exit(siphash_test_exit); -+ -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>"); -+MODULE_LICENSE("Dual BSD/GPL"); diff --git a/queue-3.16/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-3.16/slip-make-slhc_free-silently-accept-an-error-pointer.patch deleted file mode 100644 index 10641db2..00000000 --- a/queue-3.16/slip-make-slhc_free-silently-accept-an-error-pointer.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From: Linus Torvalds <torvalds@linux-foundation.org> -Date: Thu, 25 Apr 2019 16:13:58 -0700 -Subject: slip: make slhc_free() silently accept an error pointer - -commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream. - -This way, slhc_free() accepts what slhc_init() returns, whether that is -an error or not. - -In particular, the pattern in sl_alloc_bufs() is - - slcomp = slhc_init(16, 16); - ... - slhc_free(slcomp); - -for the error handling path, and rather than complicate that code, just -make it ok to always free what was returned by the init function. - -That's what the code used to do before commit 4ab42d78e37a ("ppp, slip: -Validate VJ compression slot parameters completely") when slhc_init() -just returned NULL for the error case, with no actual indication of the -details of the error. - -Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com -Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely") -Acked-by: Ben Hutchings <ben@decadent.org.uk> -Cc: David Miller <davem@davemloft.net> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/slip/slhc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/slip/slhc.c -+++ b/drivers/net/slip/slhc.c -@@ -153,7 +153,7 @@ out_fail: - void - slhc_free(struct slcompress *comp) - { -- if ( comp == NULLSLCOMPR ) -+ if ( IS_ERR_OR_NULL(comp) ) - return; - - if ( comp->tstate != NULLSLSTATE ) diff --git a/queue-3.16/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch b/queue-3.16/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch deleted file mode 100644 index a31ebca3..00000000 --- a/queue-3.16/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From: Ian Abbott <abbotti@mev.co.uk> -Date: Mon, 15 Apr 2019 12:52:30 +0100 -Subject: staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf - -commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream. - -`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to -allocate RX and TX buffers for USB transfers. It allocates -`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the -allocation of `devpriv->usb_tx_buf` fails, it frees -`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an -error. Later, `vmk80xx_detach()` will be called from the core comedi -module code to clean up. `vmk80xx_detach()` also frees both -`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but -`devpriv->usb_rx_buf` may have already been freed, leading to a -double-free error. Fix it by removing the call to -`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying -on `vmk80xx_detach()` to free the memory. - -Signed-off-by: Ian Abbott <abbotti@mev.co.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/comedi/drivers/vmk80xx.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - ---- a/drivers/staging/comedi/drivers/vmk80xx.c -+++ b/drivers/staging/comedi/drivers/vmk80xx.c -@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(str - - size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); - devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); -- if (!devpriv->usb_tx_buf) { -- kfree(devpriv->usb_rx_buf); -+ if (!devpriv->usb_tx_buf) - return -ENOMEM; -- } - - return 0; - } diff --git a/queue-3.16/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch b/queue-3.16/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch deleted file mode 100644 index 619a55c5..00000000 --- a/queue-3.16/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From: Ian Abbott <abbotti@mev.co.uk> -Date: Mon, 15 Apr 2019 12:10:14 +0100 -Subject: staging: comedi: vmk80xx: Fix use of uninitialized semaphore - -commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream. - -If `vmk80xx_auto_attach()` returns an error, the core comedi module code -will call `vmk80xx_detach()` to clean up. If `vmk80xx_auto_attach()` -successfully allocated the comedi device private data, -`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained -in the private data has been initialized and uses it. Unfortunately, -there are a couple of places where `vmk80xx_auto_attach()` can return an -error after allocating the device private data but before initializing -the semaphore, so this assumption is invalid. Fix it by initializing -the semaphore just after allocating the private data in -`vmk80xx_auto_attach()` before any other errors can be returned. - -I believe this was the cause of the following syzbot crash report -<https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>: - -usb 1-1: config 0 has no interface number 0 -usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d -usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 -usb 1-1: config 0 descriptor?? -vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device. -INFO: trying to register non-static key. -the code is fine but needs lockdep annotation. -turning off the locking correctness validator. 
-CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Workqueue: usb_hub_wq hub_event -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0xe8/0x16e lib/dump_stack.c:113 - assign_lock_key kernel/locking/lockdep.c:786 [inline] - register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 - __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 - lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 - __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] - _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 - down+0x12/0x80 kernel/locking/semaphore.c:58 - vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829 - comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 - comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 - comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] - comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 - comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] - comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 - comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 - usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 - really_probe+0x2da/0xb10 drivers/base/dd.c:509 - driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 - __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 - bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 - __device_attach+0x223/0x3a0 drivers/base/dd.c:844 - bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 - device_add+0xad2/0x16e0 drivers/base/core.c:2106 - usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 - generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 - usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 - really_probe+0x2da/0xb10 
drivers/base/dd.c:509 - driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 - __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 - bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 - __device_attach+0x223/0x3a0 drivers/base/dd.c:844 - bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 - device_add+0xad2/0x16e0 drivers/base/core.c:2106 - usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 - hub_port_connect drivers/usb/core/hub.c:5089 [inline] - hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] - port_event drivers/usb/core/hub.c:5350 [inline] - hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 - process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 - worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 - kthread+0x313/0x420 kernel/kthread.c:253 - ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 - -Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com -Signed-off-by: Ian Abbott <abbotti@mev.co.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/comedi/drivers/vmk80xx.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/staging/comedi/drivers/vmk80xx.c -+++ b/drivers/staging/comedi/drivers/vmk80xx.c -@@ -872,6 +872,8 @@ static int vmk80xx_auto_attach(struct co - - devpriv->model = boardinfo->model; - -+ sema_init(&devpriv->limit_sem, 8); -+ - ret = vmk80xx_find_usb_endpoints(dev); - if (ret) - return ret; -@@ -880,8 +882,6 @@ static int vmk80xx_auto_attach(struct co - if (ret) - return ret; - -- sema_init(&devpriv->limit_sem, 8); -- - usb_set_intfdata(intf, devpriv); - - if (devpriv->model == VMK8061_MODEL) { diff --git a/queue-3.16/staging-iio-meter-fixed-typo.patch b/queue-3.16/staging-iio-meter-fixed-typo.patch deleted file mode 100644 index a115fe45..00000000 --- a/queue-3.16/staging-iio-meter-fixed-typo.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From: Leonard Pollak <leonardp@tr-host.de> -Date: Wed, 13 Feb 2019 11:19:52 +0100 -Subject: Staging: iio: meter: fixed typo - -commit 0a8a29be499cbb67df79370aaf5109085509feb8 upstream. - -This patch fixes an obvious typo, which will cause erroneously returning the Peak -Voltage instead of the Peak Current. - -Signed-off-by: Leonard Pollak <leonardp@tr-host.de> -Acked-by: Michael Hennerich <michael.hennerich@analog.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/meter/ade7854.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/staging/iio/meter/ade7854.c -+++ b/drivers/staging/iio/meter/ade7854.c -@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(S_IWUSR | S_IR - static IIO_DEV_ATTR_IPEAK(S_IWUSR | S_IRUGO, - ade7854_read_32bit, - ade7854_write_32bit, -- ADE7854_VPEAK); -+ ADE7854_IPEAK); - static IIO_DEV_ATTR_APHCAL(S_IWUSR | S_IRUGO, - ade7854_read_16bit, - ade7854_write_16bit, diff --git a/queue-3.16/staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch b/queue-3.16/staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch deleted file mode 100644 index dca7f856..00000000 --- a/queue-3.16/staging-rtl8712-uninitialized-memory-in-read_bbreg_hdl.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Thu, 21 Mar 2019 09:26:38 +0300 -Subject: staging: rtl8712: uninitialized memory in read_bbreg_hdl() - -commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e upstream. - -Colin King reported a bug in read_bbreg_hdl(): - - memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); - -The problem is that "val" is uninitialized. - -This code is obviously not useful, but so far as I can tell -"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful -either. For now the easiest fix is to just call r8712_free_cmd_obj() -and return. - -Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") -Reported-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/rtl8712/rtl8712_cmd.c | 10 +--------- - drivers/staging/rtl8712/rtl8712_cmd.h | 2 +- - 2 files changed, 2 insertions(+), 10 deletions(-) - ---- a/drivers/staging/rtl8712/rtl8712_cmd.c -+++ b/drivers/staging/rtl8712/rtl8712_cmd.c -@@ -155,19 +155,11 @@ static u8 write_macreg_hdl(struct _adapt - - static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf) - { -- u32 val; -- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd); - struct readBB_parm *prdbbparm; - struct cmd_obj *pcmd = (struct cmd_obj *)pbuf; - - prdbbparm = (struct readBB_parm *)pcmd->parmbuf; -- if (pcmd->rsp && pcmd->rspsz > 0) -- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); -- pcmd_callback = cmd_callback[pcmd->cmdcode].callback; -- if (pcmd_callback == NULL) -- r8712_free_cmd_obj(pcmd); -- else -- pcmd_callback(padapter, pcmd); -+ r8712_free_cmd_obj(pcmd); - return H2C_SUCCESS; - } - ---- a/drivers/staging/rtl8712/rtl8712_cmd.h -+++ b/drivers/staging/rtl8712/rtl8712_cmd.h -@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd { - static 
struct _cmd_callback cmd_callback[] = { - {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/ - {GEN_CMD_CODE(_Write_MACREG), NULL}, -- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback}, -+ {GEN_CMD_CODE(_Read_BBREG), NULL}, - {GEN_CMD_CODE(_Write_BBREG), NULL}, - {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback}, - {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/ diff --git a/queue-3.16/staging-speakup_soft-fix-alternate-speech-with-other-synths.patch b/queue-3.16/staging-speakup_soft-fix-alternate-speech-with-other-synths.patch deleted file mode 100644 index 4b09b377..00000000 --- a/queue-3.16/staging-speakup_soft-fix-alternate-speech-with-other-synths.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From: Samuel Thibault <samuel.thibault@ens-lyon.org> -Date: Thu, 7 Mar 2019 23:06:57 +0100 -Subject: staging: speakup_soft: Fix alternate speech with other synths - -commit 45ac7b31bc6c4af885cc5b5d6c534c15bcbe7643 upstream. - -When switching from speakup_soft to another synth, speakup_soft would -keep calling synth_buffer_getc() from softsynthx_read. - -Let's thus make synth.c export the knowledge of the current synth, so -that speakup_soft can determine whether it should be running. - -speakup_soft also needs to set itself alive, otherwise the switch would -let it remain silent. - -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[bwh: Backported to 3.16: - - There's no Unicode support - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/staging/speakup/speakup_soft.c -+++ b/drivers/staging/speakup/speakup_soft.c -@@ -213,10 +213,13 @@ static ssize_t softsynth_read(struct fil - DEFINE_WAIT(wait); - - spin_lock_irqsave(&speakup_info.spinlock, flags); -+ synth_soft.alive = 1; - while (1) { - prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE); -- if (!synth_buffer_empty() || speakup_info.flushing) -- break; -+ if (synth_current() == &synth_soft) { -+ if (!synth_buffer_empty() || speakup_info.flushing) -+ break; -+ } - spin_unlock_irqrestore(&speakup_info.spinlock, flags); - if (fp->f_flags & O_NONBLOCK) { - finish_wait(&speakup_event, &wait); -@@ -234,6 +237,8 @@ static ssize_t softsynth_read(struct fil - cp = buf; - init = get_initstring(); - while (chars_sent < count) { -+ if (synth_current() != &synth_soft) -+ break; - if (speakup_info.flushing) { - speakup_info.flushing = 0; - ch = '\x18'; -@@ -286,7 +291,8 @@ static unsigned int softsynth_poll(struc - poll_wait(fp, &speakup_event, wait); - - spin_lock_irqsave(&speakup_info.spinlock, flags); -- if (!synth_buffer_empty() || speakup_info.flushing) -+ if (synth_current() == 
&synth_soft && -+ (!synth_buffer_empty() || speakup_info.flushing)) - ret = POLLIN | POLLRDNORM; - spin_unlock_irqrestore(&speakup_info.spinlock, flags); - return ret; ---- a/drivers/staging/speakup/spk_priv.h -+++ b/drivers/staging/speakup/spk_priv.h -@@ -72,6 +72,7 @@ extern int synth_request_region(u_long, - extern int synth_release_region(u_long, u_long); - extern int synth_add(struct spk_synth *in_synth); - extern void synth_remove(struct spk_synth *in_synth); -+struct spk_synth *synth_current(void); - - extern struct speakup_info_t speakup_info; - ---- a/drivers/staging/speakup/synth.c -+++ b/drivers/staging/speakup/synth.c -@@ -475,4 +475,10 @@ void synth_remove(struct spk_synth *in_s - } - EXPORT_SYMBOL_GPL(synth_remove); - -+struct spk_synth *synth_current(void) -+{ -+ return synth; -+} -+EXPORT_SYMBOL_GPL(synth_current); -+ - short spk_punc_masks[] = { 0, SOME, MOST, PUNC, PUNC|B_SYM }; diff --git a/queue-3.16/sunrpc-don-t-mark-uninitialised-items-as-valid.patch b/queue-3.16/sunrpc-don-t-mark-uninitialised-items-as-valid.patch deleted file mode 100644 index 4d8fb944..00000000 --- a/queue-3.16/sunrpc-don-t-mark-uninitialised-items-as-valid.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From: NeilBrown <neilb@suse.com> -Date: Fri, 5 Apr 2019 11:34:40 +1100 -Subject: sunrpc: don't mark uninitialised items as VALID. - -commit d58431eacb226222430940134d97bfd72f292fcd upstream. - -A recent commit added a call to cache_fresh_locked() -when an expired item was found. -The call sets the CACHE_VALID flag, so it is important -that the item actually is valid. -There are two ways it could be valid: -1/ If ->update has been called to fill in relevant content -2/ if CACHE_NEGATIVE is set, to say that content doesn't exist. - -An expired item that is waiting for an update will be neither. -Setting CACHE_VALID will mean that a subsequent call to cache_put() -will be likely to dereference uninitialised pointers. - -So we must make sure the item is valid, and we already have code to do -that in try_to_negate_entry(). This takes the hash lock and so cannot -be used directly, so take out the two lines that we need and use them. - -Now cache_fresh_locked() is certain to be called only on -a valid item. - -Fixes: 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued request") -Signed-off-by: NeilBrown <neilb@suse.com> -Signed-off-by: J. Bruce Fields <bfields@redhat.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/sunrpc/cache.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/sunrpc/cache.c -+++ b/net/sunrpc/cache.c -@@ -50,6 +50,7 @@ static void cache_init(struct cache_head - h->last_refresh = now; - } - -+static inline int cache_is_valid(struct cache_head *h); - static void cache_fresh_locked(struct cache_head *head, time_t expiry); - static void cache_fresh_unlocked(struct cache_head *head, - struct cache_detail *detail); -@@ -98,6 +99,8 @@ struct cache_head *sunrpc_cache_lookup(s - *hp = tmp->next; - tmp->next = NULL; - detail->entries --; -+ if (cache_is_valid(tmp) == -EAGAIN) -+ set_bit(CACHE_NEGATIVE, &tmp->flags); - cache_fresh_locked(tmp, 0); - freeme = tmp; - break; 
diff --git a/queue-3.16/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-3.16/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch deleted file mode 100644 index d867c5e2..00000000 --- a/queue-3.16/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 19 Mar 2019 05:45:35 -0700 -Subject: tcp: do not use ipv6 header for ipv4 flow - -commit 89e4130939a20304f4059ab72179da81f5347528 upstream. - -When a dual stack tcp listener accepts an ipv4 flow, -it should not attempt to use an ipv6 header or tcp_v6_iif() helper. - -Fixes: 1397ed35f22d ("ipv6: add flowinfo for tcp6 pkt_options for all cases") -Fixes: df3687ffc665 ("ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET") -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv6/tcp_ipv6.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1183,11 +1183,11 @@ static struct sock *tcp_v6_syn_recv_sock - newnp->ipv6_fl_list = NULL; - newnp->pktoptions = NULL; - newnp->opt = NULL; -- newnp->mcast_oif = inet6_iif(skb); -- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; -- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); -+ newnp->mcast_oif = inet_iif(skb); -+ newnp->mcast_hops = ip_hdr(skb)->ttl; -+ newnp->rcv_flowinfo = 0; - if (np->repflow) -- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); -+ newnp->flow_label = 0; - - /* - * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/queue-3.16/team-fix-possible-recursive-locking-when-add-slaves.patch b/queue-3.16/team-fix-possible-recursive-locking-when-add-slaves.patch deleted file mode 100644 index 7720e734..00000000 
--- a/queue-3.16/team-fix-possible-recursive-locking-when-add-slaves.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Hangbin Liu <liuhangbin@gmail.com> -Date: Fri, 19 Apr 2019 14:31:00 +0800 -Subject: team: fix possible recursive locking when add slaves - -commit 925b0c841e066b488cc3a60272472b2c56300704 upstream. - -If we add a bond device which is already the master of the team interface, -we will hold the team->lock in team_add_slave() first and then request the -lock in team_set_mac_address() again. The functions are called like: - -- team_add_slave() - - team_port_add() - - team_port_enter() - - team_modeop_port_enter() - - __set_port_dev_addr() - - dev_set_mac_address() - - bond_set_mac_address() - - dev_set_mac_address() - - team_set_mac_address - -Although team_upper_dev_link() would check the upper devices but it is -called too late. Fix it by adding a checking before processing the slave. - -v2: Do not split the string in netdev_err() - -Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") -Acked-by: Jiri Pirko <jiri@mellanox.com> -Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: netlink doesn't support extack] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/net/team/team.c -+++ b/drivers/net/team/team.c -@@ -1116,6 +1116,12 @@ static int team_port_add(struct team *te - return -EINVAL; - } - -+ if (netdev_has_upper_dev(dev, port_dev)) { -+ netdev_err(dev, "Device %s is already an upper device of the team interface\n", -+ portname); -+ return -EBUSY; -+ } -+ - if (port_dev->features & NETIF_F_VLAN_CHALLENGED && - vlan_uses_dev(dev)) { - netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n", diff --git a/queue-3.16/tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch b/queue-3.16/tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch deleted file mode 100644 index c829fc41..00000000 
--- a/queue-3.16/tipc-set-sysctl_tipc_rmem-and-named_timeout-right-range.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Jie Liu <liujie165@huawei.com> -Date: Tue, 16 Apr 2019 13:10:09 +0800 -Subject: tipc: set sysctl_tipc_rmem and named_timeout right range - -commit 4bcd4ec1017205644a2697bccbc3b5143f522f5f upstream. - -We find that sysctl_tipc_rmem and named_timeout do not have the right minimum -setting. sysctl_tipc_rmem should be larger than zero, like sysctl_tcp_rmem. -And named_timeout as a timeout setting should be not less than zero. - -Fixes: cc79dd1ba9c10 ("tipc: change socket buffer overflow control to respect sk_rcvbuf") -Fixes: a5325ae5b8bff ("tipc: add name distributor resiliency queue") -Signed-off-by: Jie Liu <liujie165@huawei.com> -Reported-by: Qiang Ning <ningqiang1@huawei.com> -Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com> -Reviewed-by: Miaohe Lin <linmiaohe@huawei.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: only the tipc_rmem sysctl exists here] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/net/tipc/sysctl.c -+++ b/net/tipc/sysctl.c -@@ -37,6 +37,7 @@ - - #include <linux/sysctl.h> - -+static int one = 1; - static struct ctl_table_header *tipc_ctl_hdr; - - static struct ctl_table tipc_table[] = { -@@ -45,7 +46,8 @@ static struct ctl_table tipc_table[] = { - .data = &sysctl_tipc_rmem, - .maxlen = sizeof(sysctl_tipc_rmem), - .mode = 0644, -- .proc_handler = proc_dointvec, -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &one, - }, - {} - }; diff --git a/queue-3.16/tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch b/queue-3.16/tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch deleted file mode 100644 index bb73e656..00000000 --- a/queue-3.16/tools-lib-traceevent-fix-missing-equality-check-for-strcmp.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-From: Rikard Falkeborn <rikard.falkeborn@gmail.com>
-Date: Tue, 9 Apr 2019 11:15:29 +0200
-Subject: tools lib traceevent: Fix missing equality check for strcmp
-
-commit f32c2877bcb068a718bb70094cd59ccc29d4d082 upstream.
-
-There was a missing comparison with 0 when checking if type is "s64" or
-"u64". Therefore, the body of the if-statement was entered if "type" was
-"u64" or not "s64", which made the first strcmp() redundant since if
-type is "u64", it's not "s64".
-
-If type is "s64", the body of the if-statement is not entered but since
-the remainder of the function consists of if-statements which will not
-be entered if type is "s64", we will just return "val", which is
-correct, albeit at the cost of a few more calls to strcmp(), i.e., it
-will behave just as if the if-statement was entered.
-
-If type is neither "s64" or "u64", the body of the if-statement will be
-entered incorrectly and "val" returned. This means that any type that is
-checked after "s64" and "u64" is handled the same way as "s64" and
-"u64", i.e., the limiting of "val" to fit in for example "s8" is never
-reached.
-
-This was introduced in the kernel tree when the sources were copied from
-trace-cmd in commit f7d82350e597 ("tools/events: Add files to create
-libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei
-("Implement typecasting in parser") when the function was introduced,
-i.e., it has always behaved the wrong way.
-
-Detected by cppcheck.
-
-Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
-Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
-Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a")
-Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- tools/lib/traceevent/event-parse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/tools/lib/traceevent/event-parse.c
-+++ b/tools/lib/traceevent/event-parse.c
-@@ -2065,7 +2065,7 @@ eval_type_str(unsigned long long val, co
- return val & 0xffffffff;
-
- if (strcmp(type, "u64") == 0 ||
-- strcmp(type, "s64"))
-+ strcmp(type, "s64") == 0)
- return val;
-
- if (strcmp(type, "s8") == 0)
diff --git a/queue-3.16/trace-fix-preempt_enable_no_resched-abuse.patch b/queue-3.16/trace-fix-preempt_enable_no_resched-abuse.patch
deleted file mode 100644
index 8fa1bf2f..00000000
--- a/queue-3.16/trace-fix-preempt_enable_no_resched-abuse.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Tue, 23 Apr 2019 22:03:18 +0200
-Subject: trace: Fix preempt_enable_no_resched() abuse
-
-commit d6097c9e4454adf1f8f2c9547c2fa6060d55d952 upstream.
-
-Unless the very next line is schedule(), or implies it, one must not use
-preempt_enable_no_resched(). It can cause a preemption to go missing and
-thereby cause arbitrary delays, breaking the PREEMPT=y invariant.
-
-Link: http://lkml.kernel.org/r/20190423200318.GY14281@hirez.programming.kicks-ass.net
-
-Cc: Waiman Long <longman@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Will Deacon <will.deacon@arm.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: the arch/x86 maintainers <x86@kernel.org>
-Cc: Davidlohr Bueso <dave@stgolabs.net>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: huang ying <huang.ying.caritas@gmail.com>
-Cc: Roman Gushchin <guro@fb.com>
-Cc: Alexei Starovoitov <ast@kernel.org>
-Cc: Daniel Borkmann <daniel@iogearbox.net>
-Fixes: 2c2d7329d8af ("tracing/ftrace: use preempt_enable_no_resched_notrace in ring_buffer_time_stamp()")
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- kernel/trace/ring_buffer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/trace/ring_buffer.c
-+++ b/kernel/trace/ring_buffer.c
-@@ -729,7 +729,7 @@ u64 ring_buffer_time_stamp(struct ring_b
-
- preempt_disable_notrace();
- time = rb_time_stamp(buffer);
-- preempt_enable_no_resched_notrace();
-+ preempt_enable_notrace();
-
- return time;
- }
diff --git a/queue-3.16/tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch b/queue-3.16/tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch
deleted file mode 100644
index 705ad71f..00000000
--- a/queue-3.16/tty-atmel_serial-fix-a-potential-null-pointer-dereference.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Kangjie Lu <kjlu@umn.edu>
-Date: Fri, 15 Mar 2019 12:16:06 -0500
-Subject: tty: atmel_serial: fix a potential NULL pointer dereference
-
-commit c85be041065c0be8bc48eda4c45e0319caf1d0e5 upstream.
-
-In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
-error code to avoid NULL pointer dereference.
-
-Signed-off-by: Kangjie Lu <kjlu@umn.edu>
-Fixes: 34df42f59a60 ("serial: at91: add rx dma support")
-Acked-by: Richard Genoud <richard.genoud@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/tty/serial/atmel_serial.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/tty/serial/atmel_serial.c
-+++ b/drivers/tty/serial/atmel_serial.c
-@@ -1045,6 +1045,10 @@ static int atmel_prepare_rx_dma(struct u
- sg_dma_len(&atmel_port->sg_rx)/2,
- DMA_DEV_TO_MEM,
- DMA_PREP_INTERRUPT);
-+ if (!desc) {
-+ dev_err(port->dev, "Preparing DMA cyclic failed\n");
-+ goto chan_err;
-+ }
- desc->callback = atmel_complete_rx_dma;
- desc->callback_param = port;
- atmel_port->desc_rx = desc;
diff --git a/queue-3.16/tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch b/queue-3.16/tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch
deleted file mode 100644
index df1266d4..00000000
--- a/queue-3.16/tty-mxs-auart-fix-a-potential-null-pointer-dereference.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Kangjie Lu <kjlu@umn.edu>
-Date: Thu, 14 Mar 2019 02:21:51 -0500
-Subject: tty: mxs-auart: fix a potential NULL pointer dereference
-
-commit 6734330654dac550f12e932996b868c6d0dcb421 upstream.
-
-In case ioremap fails, the fix returns -ENOMEM to avoid NULL
-pointer dereferences.
-Multiple places use port.membase.
-
-Signed-off-by: Kangjie Lu <kjlu@umn.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-[bwh: Backported to 3.16: There is no out_disable_clks label, so goto
- out_free_clk on error]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/tty/serial/mxs-auart.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/tty/serial/mxs-auart.c
-+++ b/drivers/tty/serial/mxs-auart.c
-@@ -1075,6 +1075,10 @@ static int mxs_auart_probe(struct platfo
-
- s->port.mapbase = r->start;
- s->port.membase = ioremap(r->start, resource_size(r));
-+ if (!s->port.membase) {
-+ ret = -ENOMEM;
-+ goto out_free_clk;
-+ }
- s->port.ops = &mxs_auart_ops;
- s->port.iotype = UPIO_MEM;
- s->port.fifosize = MXS_AUART_FIFO_SIZE;
diff --git a/queue-3.16/udf-fix-crash-on-io-error-during-truncate.patch b/queue-3.16/udf-fix-crash-on-io-error-during-truncate.patch
deleted file mode 100644
index 9e5c93fd..00000000
--- a/queue-3.16/udf-fix-crash-on-io-error-during-truncate.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Jan Kara <jack@suse.cz>
-Date: Mon, 11 Mar 2019 15:04:18 +0100
-Subject: udf: Fix crash on IO error during truncate
-
-commit d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 upstream.
-
-When truncate(2) hits IO error when reading indirect extent block the
-code just bugs with:
-
-kernel BUG at linux-4.15.0/fs/udf/truncate.c:249!
-...
-
-Fix the problem by bailing out cleanly in case of IO error.
-
-Reported-by: jean-luc malet <jeanluc.malet@gmail.com>
-Signed-off-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- fs/udf/truncate.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/udf/truncate.c
-+++ b/fs/udf/truncate.c
-@@ -261,6 +261,9 @@ void udf_truncate_extents(struct inode *
- epos.block = eloc;
- epos.bh = udf_tread(sb,
- udf_get_lb_pblock(sb, &eloc, 0));
-+ /* Error reading indirect block? */
-+ if (!epos.bh)
-+ return;
- if (elen)
- indirect_ext_len =
- (elen + sb->s_blocksize - 1) >>
diff --git a/queue-3.16/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch b/queue-3.16/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch
deleted file mode 100644
index c7f077e8..00000000
--- a/queue-3.16/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-flavour.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Al Viro <viro@zeniv.linux.org.uk>
-Date: Wed, 1 May 2019 22:46:11 -0400
-Subject: ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
-
-commit 4e9036042fedaffcd868d7f7aa948756c48c637d upstream.
-
-To choose whether to pick the GID from the old (16bit) or new (32bit)
-field, we should check if the old gid field is set to 0xffff. Mainline
-checks the old *UID* field instead - cut'n'paste from the corresponding
-code in ufs_get_inode_uid().
-
-Fixes: 252e211e90ce
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- fs/ufs/util.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/ufs/util.h
-+++ b/fs/ufs/util.h
-@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb
- case UFS_UID_44BSD:
- return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
- case UFS_UID_EFT:
-- if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
-+ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
- return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
- /* Fall through */
- default:
diff --git a/queue-3.16/usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch b/queue-3.16/usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch
deleted file mode 100644
index f2b55030..00000000
--- a/queue-3.16/usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Fri, 19 Apr 2019 13:52:38 -0400
-Subject: USB: core: Fix bug caused by duplicate interface PM usage counter
-
-commit c2b71462d294cf517a0bc6e4fd6424d7cee5596f upstream.
-
-The syzkaller fuzzer reported a bug in the USB hub driver which turned
-out to be caused by a negative runtime-PM usage counter. This allowed
-a hub to be runtime suspended at a time when the driver did not expect
-it. The symptom is a WARNING issued because the hub's status URB is
-submitted while it is already active:
-
- URB 0000000031fb463e submitted while active
- WARNING: CPU: 0 PID: 2917 at drivers/usb/core/urb.c:363
-
-The negative runtime-PM usage count was caused by an unfortunate
-design decision made when runtime PM was first implemented for USB.
-At that time, USB class drivers were allowed to unbind from their
-interfaces without balancing the usage counter (i.e., leaving it with
-a positive count). The core code would take care of setting the
-counter back to 0 before allowing another driver to bind to the
-interface.
-
-Later on when runtime PM was implemented for the entire kernel, the
-opposite decision was made: Drivers were required to balance their
-runtime-PM get and put calls. In order to maintain backward
-compatibility, however, the USB subsystem adapted to the new
-implementation by keeping an independent usage counter for each
-interface and using it to automatically adjust the normal usage
-counter back to 0 whenever a driver was unbound.
-
-This approach involves duplicating information, but what is worse, it
-doesn't work properly in cases where a USB class driver delays
-decrementing the usage counter until after the driver's disconnect()
-routine has returned and the counter has been adjusted back to 0.
-Doing so would cause the usage counter to become negative. There's
-even a warning about this in the USB power management documentation!
-
-As it happens, this is exactly what the hub driver does. The
-kick_hub_wq() routine increments the runtime-PM usage counter, and the
-corresponding decrement is carried out by hub_event() in the context
-of the hub_wq work-queue thread. This work routine may sometimes run
-after the driver has been unbound from its interface, and when it does
-it causes the usage counter to go negative.
-
-It is not possible for hub_disconnect() to wait for a pending
-hub_event() call to finish, because hub_disconnect() is called with
-the device lock held and hub_event() acquires that lock. The only
-feasible fix is to reverse the original design decision: remove the
-duplicate interface-specific usage counter and require USB drivers to
-balance their runtime PM gets and puts. As far as I know, all
-existing drivers currently do this.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-and-tested-by: syzbot+7634edaea4d0b341c625@syzkaller.appspotmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-[bwh: Backported to 3.16:
- - Adjust documentation filename
- - Don't add ReST markup in documentation
- - Update use of pm_usage_cnt in poseidon driver, which has been
- removed upstream]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/Documentation/usb/power-management.txt
-+++ b/Documentation/usb/power-management.txt
-@@ -345,11 +345,15 @@ autosuspend the interface's device. Whe
- then the interface is considered to be idle, and the kernel may
- autosuspend the device.
-
--Drivers need not be concerned about balancing changes to the usage
--counter; the USB core will undo any remaining "get"s when a driver
--is unbound from its interface. As a corollary, drivers must not call
--any of the usb_autopm_* functions after their disconnect() routine has
--returned.
-+Drivers must be careful to balance their overall changes to the usage
-+counter.
Unbalanced "get"s will remain in effect when a driver is
-+unbound from its interface, preventing the device from going into
-+runtime suspend should the interface be bound to a driver again. On
-+the other hand, drivers are allowed to achieve this balance by calling
-+the usb_autopm_* functions even after their disconnect routine
-+has returned -- say from within a work-queue routine -- provided they
-+retain an active reference to the interface (via usb_get_intf and
-+usb_put_intf).
-
- Drivers using the async routines are responsible for their own
- synchronization and mutual exclusion.
---- a/drivers/usb/core/driver.c
-+++ b/drivers/usb/core/driver.c
-@@ -483,11 +483,6 @@ static int usb_unbind_interface(struct d
- pm_runtime_disable(dev);
- pm_runtime_set_suspended(dev);
-
-- /* Undo any residual pm_autopm_get_interface_* calls */
-- for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r)
-- usb_autopm_put_interface_no_suspend(intf);
-- atomic_set(&intf->pm_usage_cnt, 0);
--
- if (!error)
- usb_autosuspend_device(udev);
-
-@@ -1638,7 +1633,6 @@ void usb_autopm_put_interface(struct usb
- int status;
-
- usb_mark_last_busy(udev);
-- atomic_dec(&intf->pm_usage_cnt);
- status = pm_runtime_put_sync(&intf->dev);
- dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
- __func__, atomic_read(&intf->dev.power.usage_count),
-@@ -1667,7 +1661,6 @@ void usb_autopm_put_interface_async(stru
- int status;
-
- usb_mark_last_busy(udev);
-- atomic_dec(&intf->pm_usage_cnt);
- status = pm_runtime_put(&intf->dev);
- dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
- __func__, atomic_read(&intf->dev.power.usage_count),
-@@ -1689,7 +1682,6 @@ void usb_autopm_put_interface_no_suspend
- struct usb_device *udev = interface_to_usbdev(intf);
-
- usb_mark_last_busy(udev);
-- atomic_dec(&intf->pm_usage_cnt);
- pm_runtime_put_noidle(&intf->dev);
- }
- EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend);
-@@ -1720,8 +1712,6 @@ int usb_autopm_get_interface(struct usb_
- status =
pm_runtime_get_sync(&intf->dev);
- if (status < 0)
- pm_runtime_put_sync(&intf->dev);
-- else
-- atomic_inc(&intf->pm_usage_cnt);
- dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
- __func__, atomic_read(&intf->dev.power.usage_count),
- status);
-@@ -1755,8 +1745,6 @@ int usb_autopm_get_interface_async(struc
- status = pm_runtime_get(&intf->dev);
- if (status < 0 && status != -EINPROGRESS)
- pm_runtime_put_noidle(&intf->dev);
-- else
-- atomic_inc(&intf->pm_usage_cnt);
- dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
- __func__, atomic_read(&intf->dev.power.usage_count),
- status);
-@@ -1780,7 +1768,6 @@ void usb_autopm_get_interface_no_resume(
- struct usb_device *udev = interface_to_usbdev(intf);
-
- usb_mark_last_busy(udev);
-- atomic_inc(&intf->pm_usage_cnt);
- pm_runtime_get_noresume(&intf->dev);
- }
- EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume);
---- a/drivers/usb/storage/realtek_cr.c
-+++ b/drivers/usb/storage/realtek_cr.c
-@@ -767,18 +767,16 @@ static void rts51x_suspend_timer_fn(unsi
- break;
- case RTS51X_STAT_IDLE:
- case RTS51X_STAT_SS:
-- usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n",
-- atomic_read(&us->pusb_intf->pm_usage_cnt),
-+ usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n",
- atomic_read(&us->pusb_intf->dev.power.usage_count));
-
-- if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) {
-+ if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) {
- usb_stor_dbg(us, "Ready to enter SS state\n");
- rts51x_set_stat(chip, RTS51X_STAT_SS);
- /* ignore mass storage interface's children */
- pm_suspend_ignore_children(&us->pusb_intf->dev, true);
- usb_autopm_put_interface_async(us->pusb_intf);
-- usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n",
-- atomic_read(&us->pusb_intf->pm_usage_cnt),
-+ usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n",
- atomic_read(&us->pusb_intf->dev.power.usage_count));
- }
- break;
-@@ -811,11 +809,10 @@ static void rts51x_invoke_transport(stru
- int ret;
-
- if (working_scsi(srb)) {
-- usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n",
-- atomic_read(&us->pusb_intf->pm_usage_cnt),
-+ usb_stor_dbg(us, "working scsi, power.usage:%d\n",
- atomic_read(&us->pusb_intf->dev.power.usage_count));
-
-- if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) {
-+ if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) {
- ret = usb_autopm_get_interface(us->pusb_intf);
- usb_stor_dbg(us, "working scsi, ret=%d\n", ret);
- }
---- a/include/linux/usb.h
-+++ b/include/linux/usb.h
-@@ -125,7 +125,6 @@ enum usb_interface_condition {
- * @dev: driver model's view of this device
- * @usb_dev: if an interface is bound to the USB major, this will point
- * to the sysfs representation for that device.
-- * @pm_usage_cnt: PM usage counter for this interface
- * @reset_ws: Used for scheduling resets from atomic context.
- * @reset_running: set to 1 if the interface is currently running a
- * queued reset so that usb_cancel_queued_reset() doesn't try to
-@@ -186,7 +185,6 @@ struct usb_interface {
-
- struct device dev; /* interface specific device info */
- struct device *usb_dev;
-- atomic_t pm_usage_cnt; /* usage counter for autosuspend */
- struct work_struct reset_ws; /* for resets in atomic context */
- };
- #define to_usb_interface(d) container_of(d, struct usb_interface, dev)
---- a/drivers/media/usb/tlg2300/pd-common.h
-+++ b/drivers/media/usb/tlg2300/pd-common.h
-@@ -257,7 +257,7 @@ void set_debug_mode(struct video_device
- #else
- #define in_hibernation(pd) (0)
- #endif
--#define get_pm_count(p) (atomic_read(&(p)->interface->pm_usage_cnt))
-+#define get_pm_count(p) (atomic_read(&(p)->interface->dev.power.usage_count))
-
- #define log(a, ...) printk(KERN_DEBUG "\t[ %s : %.3d ] "a"\n", \
- __func__, __LINE__, ## __VA_ARGS__)
diff --git a/queue-3.16/usb-core-fix-unterminated-string-returned-by-usb_string.patch b/queue-3.16/usb-core-fix-unterminated-string-returned-by-usb_string.patch
deleted file mode 100644
index 3387c977..00000000
--- a/queue-3.16/usb-core-fix-unterminated-string-returned-by-usb_string.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Mon, 15 Apr 2019 11:51:38 -0400
-Subject: USB: core: Fix unterminated string returned by usb_string()
-
-commit c01c348ecdc66085e44912c97368809612231520 upstream.
-
-Some drivers (such as the vub300 MMC driver) expect usb_string() to
-return a properly NUL-terminated string, even when an error occurs.
-(In fact, vub300's probe routine doesn't bother to check the return
-code from usb_string().) When the driver goes on to use an
-unterminated string, it leads to kernel errors such as
-stack-out-of-bounds, as found by the syzkaller USB fuzzer.
-
-An out-of-range string index argument is not at all unlikely, given
-that some devices don't provide string descriptors and therefore list
-0 as the value for their string indexes. This patch makes
-usb_string() return a properly terminated empty string along with the
--EINVAL error code when an out-of-range index is encountered.
-
-And since a USB string index is a single-byte value, indexes >= 256
-are just as invalid as values of 0 or below.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-by: syzbot+b75b85111c10b8d680f1@syzkaller.appspotmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/usb/core/message.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/core/message.c
-+++ b/drivers/usb/core/message.c
-@@ -822,9 +822,11 @@ int usb_string(struct usb_device *dev, i
-
- if (dev->state == USB_STATE_SUSPENDED)
- return -EHOSTUNREACH;
-- if (size <= 0 || !buf || !index)
-+ if (size <= 0 || !buf)
- return -EINVAL;
- buf[0] = 0;
-+ if (index <= 0 || index >= 256)
-+ return -EINVAL;
- tbuf = kmalloc(256, GFP_NOIO);
- if (!tbuf)
- return -ENOMEM;
diff --git a/queue-3.16/usb-serial-cp210x-add-new-device-id.patch b/queue-3.16/usb-serial-cp210x-add-new-device-id.patch
deleted file mode 100644
index 1d39e906..00000000
--- a/queue-3.16/usb-serial-cp210x-add-new-device-id.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 27 Mar 2019 10:11:14 +0900
-Subject: USB: serial: cp210x: add new device id
-
-commit a595ecdd5f60b2d93863cebb07eec7f935839b54 upstream.
-
-Lorenz Messtechnik has a device that is controlled by the cp210x driver,
-so add the device id to the driver. The device id was provided by
-Silicon-Labs for the devices from this vendor.
-
-Reported-by: Uli <t9cpu@web.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/usb/serial/cp210x.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/serial/cp210x.c
-+++ b/drivers/usb/serial/cp210x.c
-@@ -76,6 +76,7 @@ static const struct usb_device_id id_tab
- { USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */
- { USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */
- { USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */
-+ { USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */
- { USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */
- { USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */
- { USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */
diff --git a/queue-3.16/usb-serial-ftdi_sio-add-additional-novatech-products.patch b/queue-3.16/usb-serial-ftdi_sio-add-additional-novatech-products.patch
deleted file mode 100644
index 7358173f..00000000
--- a/queue-3.16/usb-serial-ftdi_sio-add-additional-novatech-products.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: George McCollister <george.mccollister@gmail.com>
-Date: Tue, 5 Mar 2019 16:05:03 -0600
-Subject: USB: serial: ftdi_sio: add additional NovaTech products
-
-commit 422c2537ba9d42320f8ab6573940269f87095320 upstream.
-
-Add PIDs for the NovaTech OrionLX+ and Orion I/O so they can be
-automatically detected.
-
-Signed-off-by: George McCollister <george.mccollister@gmail.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/usb/serial/ftdi_sio.c | 2 ++
- drivers/usb/serial/ftdi_sio_ids.h | 4 +++-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -617,6 +617,8 @@ static const struct usb_device_id id_tab
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
-+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
-+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
- { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
- { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
- { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
---- a/drivers/usb/serial/ftdi_sio_ids.h
-+++ b/drivers/usb/serial/ftdi_sio_ids.h
-@@ -566,7 +566,9 @@
- /*
- * NovaTech product ids (FTDI_VID)
- */
--#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
-+#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
-+#define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */
-+#define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */
-
- /*
- * Synapse Wireless product ids (FTDI_VID)
diff --git a/queue-3.16/usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch b/queue-3.16/usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch
deleted file mode 100644
index edb355c7..00000000
--- a/queue-3.16/usb-serial-mos7720-fix-mos_parport-refcount-imbalance-on-error.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Lin Yi <teroincn@163.com>
-Date: Wed, 20 Mar 2019 19:04:56 +0800
-Subject: USB: serial: mos7720: fix mos_parport refcount imbalance on error
- path
-
-commit 2908b076f5198d231de62713cb2b633a3a4b95ac upstream.
-
-The write_parport_reg_nonblock() helper takes a reference to the struct
-mos_parport, but failed to release it in a couple of error paths after
-allocation failures, leading to a memory leak.
-
-Johan said that move the kref_get() and mos_parport assignment to the
-end of urbtrack initialisation is a better way, so move it. and
-mos_parport do not used until urbtrack initialisation.
-
-Signed-off-by: Lin Yi <teroincn@163.com>
-Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/usb/serial/mos7720.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/usb/serial/mos7720.c
-+++ b/drivers/usb/serial/mos7720.c
-@@ -362,8 +362,6 @@ static int write_parport_reg_nonblock(st
- if (!urbtrack)
- return -ENOMEM;
-
-- kref_get(&mos_parport->ref_count);
-- urbtrack->mos_parport = mos_parport;
- urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC);
- if (!urbtrack->urb) {
- kfree(urbtrack);
-@@ -384,6 +382,8 @@ static int write_parport_reg_nonblock(st
- usb_sndctrlpipe(usbdev, 0),
- (unsigned char *)urbtrack->setup,
- NULL, 0, async_complete, urbtrack);
-+ kref_get(&mos_parport->ref_count);
-+ urbtrack->mos_parport = mos_parport;
- kref_init(&urbtrack->ref_count);
- INIT_LIST_HEAD(&urbtrack->urblist_entry);
-
diff --git a/queue-3.16/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch b/queue-3.16/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch
deleted file mode 100644
index e6e1d246..00000000
--- a/queue-3.16/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Malte Leip <malte@leip.net>
-Date: Sun, 14 Apr 2019 12:00:12 +0200
-Subject: usb: usbip: fix isoc packet num validation in get_pipe
-
-commit c409ca3be3c6ff3a1eeb303b191184e80d412862 upstream.
-
-Change the validation of number_of_packets in get_pipe to compare the
-number of packets to a fixed maximum number of packets allowed, set to
-be 1024. This number was chosen due to it being used by other drivers as
-well, for example drivers/usb/host/uhci-q.c
-
-Background/reason:
-The get_pipe function in stub_rx.c validates the number of packets in
-isochronous mode and aborts with an error if that number is too large,
-in order to prevent malicious input from possibly triggering large
-memory allocations. This was previously done by checking whether
-pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
-that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
-if all except possibly the last packet had maximum length, given by
-usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd). This leads to an
-error if URBs with packets shorter than the maximum possible length are
-submitted, which is allowed according to
-Documentation/driver-api/usb/URB.rst and occurs for example with the
-snd-usb-audio driver.
-
-Fixes: c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
-Signed-off-by: Malte Leip <malte@leip.net>
-Acked-by: Shuah Khan <skhan@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-[bwh: Backported to 3.16: adjust filenames]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/staging/usbip/stub_rx.c | 12 +++---------
- drivers/staging/usbip/usbip_common.h | 7 +++++++
- 2 files changed, 10 insertions(+), 9 deletions(-)
-
---- a/drivers/staging/usbip/stub_rx.c
-+++ b/drivers/staging/usbip/stub_rx.c
-@@ -375,16 +375,10 @@ static int get_pipe(struct stub_device *
- }
-
- if (usb_endpoint_xfer_isoc(epd)) {
-- /* validate packet size and number of packets */
-- unsigned int maxp, packets, bytes;
--
-- maxp = usb_endpoint_maxp(epd);
-- maxp *= usb_endpoint_maxp_mult(epd);
-- bytes = pdu->u.cmd_submit.transfer_buffer_length;
-- packets = DIV_ROUND_UP(bytes, maxp);
--
-+ /* validate number of packets */
- if (pdu->u.cmd_submit.number_of_packets < 0 ||
-- pdu->u.cmd_submit.number_of_packets > packets) {
-+ pdu->u.cmd_submit.number_of_packets >
-+ USBIP_MAX_ISO_PACKETS) {
- dev_err(&sdev->udev->dev,
- "CMD_SUBMIT: isoc invalid num packets %d\n",
- pdu->u.cmd_submit.number_of_packets);
---- a/drivers/staging/usbip/usbip_common.h
-+++ b/drivers/staging/usbip/usbip_common.h
-@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_
- #define USBIP_DIR_OUT 0x00
- #define USBIP_DIR_IN 0x01
-
-+/*
-+ * Arbitrary limit for the maximum number of isochronous packets in an URB,
-+ * compare for example the uhci_submit_isochronous function in
-+ * drivers/usb/host/uhci-q.c
-+ */
-+#define USBIP_MAX_ISO_PACKETS 1024
-+
- /**
- * struct usbip_header_basic - data pertinent to every request
- * @command: the usbip request type
diff --git a/queue-3.16/usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch b/queue-3.16/usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch
deleted file mode 100644
index f54928d6..00000000
--- a/queue-3.16/usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Mon, 22 Apr 2019 11:16:04 -0400
-Subject: USB: w1 ds2490: Fix bug caused by improper use of altsetting array
-
-commit c114944d7d67f24e71562fcfc18d550ab787e4d4 upstream.
-
-The syzkaller USB fuzzer spotted a slab-out-of-bounds bug in the
-ds2490 driver. This bug is caused by improper use of the altsetting
-array in the usb_interface structure (the array's entries are not
-always stored in numerical order), combined with a naive assumption
-that all interfaces probed by the driver will have the expected number
-of altsettings.
-
-The bug can be fixed by replacing references to the possibly
-non-existent intf->altsetting[alt] entry with the guaranteed-to-exist
-intf->cur_altsetting entry.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-and-tested-by: syzbot+d65f673b847a1a96cdba@syzkaller.appspotmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/w1/masters/ds2490.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/w1/masters/ds2490.c
-+++ b/drivers/w1/masters/ds2490.c
-@@ -1041,15 +1041,15 @@ static int ds_probe(struct usb_interface
- /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */
- alt = 3;
- err = usb_set_interface(dev->udev,
-- intf->altsetting[alt].desc.bInterfaceNumber, alt);
-+ intf->cur_altsetting->desc.bInterfaceNumber, alt);
- if (err) {
- dev_err(&dev->udev->dev, "Failed to set alternative setting %d "
- "for %d interface: err=%d.\n", alt,
-- intf->altsetting[alt].desc.bInterfaceNumber, err);
-+ intf->cur_altsetting->desc.bInterfaceNumber, err);
- goto err_out_clear;
- }
-
-- iface_desc = &intf->altsetting[alt];
-+ iface_desc = intf->cur_altsetting;
- if (iface_desc->desc.bNumEndpoints != NUM_EP-1) {
- printk(KERN_INFO "Num endpoints=%d. It is not DS9490R.\n", iface_desc->desc.bNumEndpoints);
- err = -EINVAL;
diff --git a/queue-3.16/usb-yurex-fix-protection-fault-after-device-removal.patch b/queue-3.16/usb-yurex-fix-protection-fault-after-device-removal.patch
deleted file mode 100644
index e73ade2a..00000000
--- a/queue-3.16/usb-yurex-fix-protection-fault-after-device-removal.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 23 Apr 2019 14:48:29 -0400
-Subject: USB: yurex: Fix protection fault after device removal
-
-commit ef61eb43ada6c1d6b94668f0f514e4c268093ff3 upstream.
-
-The syzkaller USB fuzzer found a general-protection-fault bug in the
-yurex driver. The fault occurs when a device has been unplugged; the
-driver's interrupt-URB handler logs an error message referring to the
-device by name, after the device has been unregistered and its name
-deallocated.
-
-This problem is caused by the fact that the interrupt URB isn't
-cancelled until the driver's private data structure is released, which
-can happen long after the device is gone. The cure is to make sure
-that the interrupt URB is killed before yurex_disconnect() returns;
-this is exactly the sort of thing that usb_poison_urb() was meant for.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-and-tested-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/usb/misc/yurex.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/misc/yurex.c
-+++ b/drivers/usb/misc/yurex.c
-@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_
- usb_deregister_dev(interface, &yurex_class);
-
- /* prevent more I/O from starting */
-+ usb_poison_urb(dev->urb);
- mutex_lock(&dev->io_mutex);
- dev->interface = NULL;
- mutex_unlock(&dev->io_mutex);
diff --git a/queue-3.16/vhost-introduce-vhost_exceeds_weight.patch b/queue-3.16/vhost-introduce-vhost_exceeds_weight.patch
deleted file mode 100644
index ca708d8b..00000000
--- a/queue-3.16/vhost-introduce-vhost_exceeds_weight.patch
+++ /dev/null
@@ -1,153 +0,0 @@ -From: Jason Wang <jasowang@redhat.com> -Date: Fri, 17 May 2019 00:29:49 -0400 -Subject: vhost: introduce vhost_exceeds_weight() - -commit e82b9b0727ff6d665fff2d326162b460dded554d upstream. - -We used to have vhost_exceeds_weight() for vhost-net to: - -- prevent vhost kthread from hogging the cpu -- balance the time spent between TX and RX - -This function could be useful for vsock and scsi as well. So move it -to vhost.c. Device must specify a weight which counts the number of -requests, or it can also specific a byte_weight which counts the -number of bytes that has been processed. - -Signed-off-by: Jason Wang <jasowang@redhat.com> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> -[bwh: Backported to 3.16: - - Drop changes to vhost_vsock - - In vhost_net, both Tx modes are handled in one loop in handle_tx() - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -335,12 +335,6 @@ static void vhost_zerocopy_callback(stru - rcu_read_unlock_bh(); - } - --static bool vhost_exceeds_weight(int pkts, int total_len) --{ -- return total_len >= VHOST_NET_WEIGHT || -- pkts >= VHOST_NET_PKT_WEIGHT; --} -- - /* Expects to be always run from workqueue - which acts as - * read-size critical section for our kind of RCU. 
*/ - static void handle_tx(struct vhost_net *net) -@@ -463,10 +457,8 @@ static void handle_tx(struct vhost_net * - vhost_zerocopy_signal_used(net, vq); - total_len += len; - vhost_net_tx_packet(net); -- if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) { -- vhost_poll_queue(&vq->poll); -+ if (vhost_exceeds_weight(vq, ++sent_pkts, total_len)) - break; -- } - } - out: - mutex_unlock(&vq->mutex); -@@ -673,10 +665,8 @@ static void handle_rx(struct vhost_net * - if (unlikely(vq_log)) - vhost_log_write(vq, vq_log, log, vhost_len); - total_len += vhost_len; -- if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) { -- vhost_poll_queue(&vq->poll); -+ if (unlikely(vhost_exceeds_weight(vq, ++recv_pkts, total_len))) - break; -- } - } - out: - mutex_unlock(&vq->mutex); -@@ -746,7 +736,8 @@ static int vhost_net_open(struct inode * - n->vqs[i].vhost_hlen = 0; - n->vqs[i].sock_hlen = 0; - } -- vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX); -+ vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX, -+ VHOST_NET_WEIGHT, VHOST_NET_PKT_WEIGHT); - - vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev); - vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev); ---- a/drivers/vhost/scsi.c -+++ b/drivers/vhost/scsi.c -@@ -60,6 +60,12 @@ - #define TCM_VHOST_PREALLOC_UPAGES 2048 - #define TCM_VHOST_PREALLOC_PROT_SGLS 512 - -+/* Max number of requests before requeueing the job. -+ * Using this limit prevents one virtqueue from starving others with -+ * request. 
-+ */ -+#define VHOST_SCSI_WEIGHT 256 -+ - struct vhost_scsi_inflight { - /* Wait for the flush operation to finish */ - struct completion comp; -@@ -1576,7 +1582,8 @@ static int vhost_scsi_open(struct inode - vqs[i] = &vs->vqs[i].vq; - vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick; - } -- vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ); -+ vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ, -+ VHOST_SCSI_WEIGHT, 0); - - tcm_vhost_init_inflight(vs, NULL); - ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -292,8 +292,24 @@ static void vhost_dev_free_iovecs(struct - vhost_vq_free_iovecs(dev->vqs[i]); - } - -+bool vhost_exceeds_weight(struct vhost_virtqueue *vq, -+ int pkts, int total_len) -+{ -+ struct vhost_dev *dev = vq->dev; -+ -+ if ((dev->byte_weight && total_len >= dev->byte_weight) || -+ pkts >= dev->weight) { -+ vhost_poll_queue(&vq->poll); -+ return true; -+ } -+ -+ return false; -+} -+EXPORT_SYMBOL_GPL(vhost_exceeds_weight); -+ - void vhost_dev_init(struct vhost_dev *dev, -- struct vhost_virtqueue **vqs, int nvqs) -+ struct vhost_virtqueue **vqs, int nvqs, -+ int weight, int byte_weight) - { - struct vhost_virtqueue *vq; - int i; -@@ -308,6 +324,8 @@ void vhost_dev_init(struct vhost_dev *de - spin_lock_init(&dev->work_lock); - INIT_LIST_HEAD(&dev->work_list); - dev->worker = NULL; -+ dev->weight = weight; -+ dev->byte_weight = byte_weight; - - for (i = 0; i < dev->nvqs; ++i) { - vq = dev->vqs[i]; ---- a/drivers/vhost/vhost.h -+++ b/drivers/vhost/vhost.h -@@ -123,9 +123,13 @@ struct vhost_dev { - spinlock_t work_lock; - struct list_head work_list; - struct task_struct *worker; -+ int weight; -+ int byte_weight; - }; - --void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs); -+bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len); -+void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, -+ int nvqs, int weight, int byte_weight); - long vhost_dev_set_owner(struct vhost_dev 
*dev);
- bool vhost_dev_has_owner(struct vhost_dev *dev);
- long vhost_dev_check_owner(struct vhost_dev *);
diff --git a/queue-3.16/vhost-net-set-packet-weight-of-tx-polling-to-2-vq-size.patch b/queue-3.16/vhost-net-set-packet-weight-of-tx-polling-to-2-vq-size.patch
deleted file mode 100644
index 218de524..00000000
--- a/queue-3.16/vhost-net-set-packet-weight-of-tx-polling-to-2-vq-size.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From: =?UTF-8?q?haibinzhang=28=E5=BC=A0=E6=B5=B7=E6=96=8C=29?= - <haibinzhang@tencent.com> -Date: Mon, 9 Apr 2018 07:22:17 +0000 -Subject: vhost-net: set packet weight of tx polling to 2 * vq size - -commit a2ac99905f1ea8b15997a6ec39af69aa28a3653b upstream. - -handle_tx will delay rx for tens or even hundreds of milliseconds when tx busy -polling udp packets with small length(e.g. 1byte udp payload), because setting -VHOST_NET_WEIGHT takes into account only sent-bytes but no single packet length. - -Ping-Latencies shown below were tested between two Virtual Machines using -netperf (UDP_STREAM, len=1), and then another machine pinged the client: - -vq size=256 -Packet-Weight Ping-Latencies(millisecond) - min avg max -Origin 3.319 18.489 57.303 -64 1.643 2.021 2.552 -128 1.825 2.600 3.224 -256 1.997 2.710 4.295 -512 1.860 3.171 4.631 -1024 2.002 4.173 9.056 -2048 2.257 5.650 9.688 -4096 2.093 8.508 15.943 - -vq size=512 -Packet-Weight Ping-Latencies(millisecond) - min avg max -Origin 6.537 29.177 66.245 -64 2.798 3.614 4.403 -128 2.861 3.820 4.775 -256 3.008 4.018 4.807 -512 3.254 4.523 5.824 -1024 3.079 5.335 7.747 -2048 3.944 8.201 12.762 -4096 4.158 11.057 19.985 - -Seems pretty consistent, a small dip at 2 VQ sizes. -Ring size is a hint from device about a burst size it can tolerate. Based on -benchmarks, set the weight to 2 * vq size. - -To evaluate this change, another tests were done using netperf(RR, TX) between -two machines with Intel(R) Xeon(R) Gold 6133 CPU @ 2.50GHz, and vq size was -tweaked through qemu. Results shown below does not show obvious changes. 
- -vq size=256 TCP_RR vq size=512 TCP_RR -size/sessions/+thu%/+normalize% size/sessions/+thu%/+normalize% - 1/ 1/ -7%/ -2% 1/ 1/ 0%/ -2% - 1/ 4/ +1%/ 0% 1/ 4/ +1%/ 0% - 1/ 8/ +1%/ -2% 1/ 8/ 0%/ +1% - 64/ 1/ -6%/ 0% 64/ 1/ +7%/ +3% - 64/ 4/ 0%/ +2% 64/ 4/ -1%/ +1% - 64/ 8/ 0%/ 0% 64/ 8/ -1%/ -2% - 256/ 1/ -3%/ -4% 256/ 1/ -4%/ -2% - 256/ 4/ +3%/ +4% 256/ 4/ +1%/ +2% - 256/ 8/ +2%/ 0% 256/ 8/ +1%/ -1% - -vq size=256 UDP_RR vq size=512 UDP_RR -size/sessions/+thu%/+normalize% size/sessions/+thu%/+normalize% - 1/ 1/ -5%/ +1% 1/ 1/ -3%/ -2% - 1/ 4/ +4%/ +1% 1/ 4/ -2%/ +2% - 1/ 8/ -1%/ -1% 1/ 8/ -1%/ 0% - 64/ 1/ -2%/ -3% 64/ 1/ +1%/ +1% - 64/ 4/ -5%/ -1% 64/ 4/ +2%/ 0% - 64/ 8/ 0%/ -1% 64/ 8/ -2%/ +1% - 256/ 1/ +7%/ +1% 256/ 1/ -7%/ 0% - 256/ 4/ +1%/ +1% 256/ 4/ -3%/ -4% - 256/ 8/ +2%/ +2% 256/ 8/ +1%/ +1% - -vq size=256 TCP_STREAM vq size=512 TCP_STREAM -size/sessions/+thu%/+normalize% size/sessions/+thu%/+normalize% - 64/ 1/ 0%/ -3% 64/ 1/ 0%/ 0% - 64/ 4/ +3%/ -1% 64/ 4/ -2%/ +4% - 64/ 8/ +9%/ -4% 64/ 8/ -1%/ +2% - 256/ 1/ +1%/ -4% 256/ 1/ +1%/ +1% - 256/ 4/ -1%/ -1% 256/ 4/ -3%/ 0% - 256/ 8/ +7%/ +5% 256/ 8/ -3%/ 0% - 512/ 1/ +1%/ 0% 512/ 1/ -1%/ -1% - 512/ 4/ +1%/ -1% 512/ 4/ 0%/ 0% - 512/ 8/ +7%/ -5% 512/ 8/ +6%/ -1% -1024/ 1/ 0%/ -1% 1024/ 1/ 0%/ +1% -1024/ 4/ +3%/ 0% 1024/ 4/ +1%/ 0% -1024/ 8/ +8%/ +5% 1024/ 8/ -1%/ 0% -2048/ 1/ +2%/ +2% 2048/ 1/ -1%/ 0% -2048/ 4/ +1%/ 0% 2048/ 4/ 0%/ -1% -2048/ 8/ -2%/ 0% 2048/ 8/ 5%/ -1% -4096/ 1/ -2%/ 0% 4096/ 1/ -2%/ 0% -4096/ 4/ +2%/ 0% 4096/ 4/ 0%/ 0% -4096/ 8/ +9%/ -2% 4096/ 8/ -5%/ -1% - -Acked-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Haibin Zhang <haibinzhang@tencent.com> -Signed-off-by: Yunfang Tai <yunfangtai@tencent.com> -Signed-off-by: Lidong Chen <lidongchen@tencent.com> -Signed-off-by: David S. 
Miller <davem@davemloft.net>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/vhost/net.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/drivers/vhost/net.c
-+++ b/drivers/vhost/net.c
-@@ -39,6 +39,10 @@ MODULE_PARM_DESC(experimental_zcopytx, "
- * Using this limit prevents one virtqueue from starving others. */
- #define VHOST_NET_WEIGHT 0x80000
-
-+/* Max number of packets transferred before requeueing the job.
-+ * Using this limit prevents one virtqueue from starving rx. */
-+#define VHOST_NET_PKT_WEIGHT(vq) ((vq)->num * 2)
-+
- /* MAX number of TX used buffers for outstanding zerocopy */
- #define VHOST_MAX_PEND 128
- #define VHOST_GOODCOPY_LEN 256
-@@ -351,6 +355,7 @@ static void handle_tx(struct vhost_net *
- struct socket *sock;
- struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
- bool zcopy, zcopy_used;
-+ int sent_pkts = 0;
-
- mutex_lock(&vq->mutex);
- sock = vq->private_data;
-@@ -450,7 +455,8 @@ static void handle_tx(struct vhost_net *
- vhost_zerocopy_signal_used(net, vq);
- total_len += len;
- vhost_net_tx_packet(net);
-- if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
-+ if (unlikely(total_len >= VHOST_NET_WEIGHT) ||
-+ unlikely(++sent_pkts >= VHOST_NET_PKT_WEIGHT(vq))) {
- vhost_poll_queue(&vq->poll);
- break;
- }
diff --git a/queue-3.16/vhost-scsi-add-weight-support.patch b/queue-3.16/vhost-scsi-add-weight-support.patch
deleted file mode 100644
index 09201cf8..00000000
--- a/queue-3.16/vhost-scsi-add-weight-support.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From: Jason Wang <jasowang@redhat.com> -Date: Fri, 17 May 2019 00:29:52 -0400 -Subject: vhost: scsi: add weight support - -commit c1ea02f15ab5efb3e93fc3144d895410bf79fcf2 upstream. - -This patch will check the weight and exit the loop if we exceeds the -weight. This is useful for preventing scsi kthread from hogging cpu -which is guest triggerable. - -This addresses CVE-2019-3900. - -Cc: Paolo Bonzini <pbonzini@redhat.com> -Cc: Stefan Hajnoczi <stefanha@redhat.com> -Fixes: 057cbf49a1f0 ("tcm_vhost: Initial merge for vhost level target fabric driver") -Signed-off-by: Jason Wang <jasowang@redhat.com> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> -[bwh: Backported to 3.16: - - Drop changes in vhost_scsi_ctl_handle_vq() - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/vhost/scsi.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/drivers/vhost/scsi.c -+++ b/drivers/vhost/scsi.c -@@ -998,7 +998,7 @@ vhost_scsi_handle_vq(struct vhost_scsi * - u64 tag; - u32 exp_data_len, data_first, data_num, data_direction, prot_first; - unsigned out, in, i; -- int head, ret, data_niov, prot_niov, prot_bytes; -+ int head, ret, data_niov, prot_niov, prot_bytes, c = 0; - size_t req_size; - u16 lun; - u8 *target, *lunp, task_attr; -@@ -1016,7 +1016,7 @@ vhost_scsi_handle_vq(struct vhost_scsi * - - vhost_disable_notify(&vs->dev, vq); - -- for (;;) { -+ do { - head = vhost_get_vq_desc(vq, vq->iov, - ARRAY_SIZE(vq->iov), &out, &in, - NULL, NULL); -@@ -1219,7 +1219,7 @@ vhost_scsi_handle_vq(struct vhost_scsi * - */ - INIT_WORK(&cmd->work, tcm_vhost_submission_work); - queue_work(tcm_vhost_workqueue, &cmd->work); -- } -+ } while (likely(!vhost_exceeds_weight(vq, ++c, 0))); - - mutex_unlock(&vq->mutex); - return; 
diff --git a/queue-3.16/vhost_net-fix-possible-infinite-loop.patch b/queue-3.16/vhost_net-fix-possible-infinite-loop.patch
deleted file mode 100644
index e2881c62..00000000
--- a/queue-3.16/vhost_net-fix-possible-infinite-loop.patch
+++ /dev/null
@@ -1,108 +0,0 @@ -From: Jason Wang <jasowang@redhat.com> -Date: Fri, 17 May 2019 00:29:50 -0400 -Subject: vhost_net: fix possible infinite loop - -commit e2412c07f8f3040593dfb88207865a3cd58680c0 upstream. - -When the rx buffer is too small for a packet, we will discard the vq -descriptor and retry it for the next packet: - -while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk, - &busyloop_intr))) { -... - /* On overrun, truncate and discard */ - if (unlikely(headcount > UIO_MAXIOV)) { - iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); - err = sock->ops->recvmsg(sock, &msg, - 1, MSG_DONTWAIT | MSG_TRUNC); - pr_debug("Discarded rx packet: len %zd\n", sock_len); - continue; - } -... -} - -This makes it possible to trigger a infinite while..continue loop -through the co-opreation of two VMs like: - -1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the - vhost process as much as possible e.g using indirect descriptors or - other. -2) Malicious VM2 generate packets to VM1 as fast as possible - -Fixing this by checking against weight at the end of RX and TX -loop. This also eliminate other similar cases when: - -- userspace is consuming the packets in the meanwhile -- theoretical TOCTOU attack if guest moving avail index back and forth - to hit the continue after vhost find guest just add new buffers - -This addresses CVE-2019-3900. - -Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") -Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") -Signed-off-by: Jason Wang <jasowang@redhat.com> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> -Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> -[bwh: Backported to 3.16: - - Both Tx modes are handled in one loop in handle_tx() - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/vhost/net.c | 29 +++++++++++++---------------- - 1 file changed, 13 insertions(+), 16 deletions(-) - ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -369,7 +369,7 @@ static void handle_tx(struct vhost_net * - hdr_size = nvq->vhost_hlen; - zcopy = nvq->ubufs; - -- for (;;) { -+ do { - /* Release DMAs done buffers first */ - if (zcopy) - vhost_zerocopy_signal_used(net, vq); -@@ -457,9 +457,7 @@ static void handle_tx(struct vhost_net * - vhost_zerocopy_signal_used(net, vq); - total_len += len; - vhost_net_tx_packet(net); -- if (vhost_exceeds_weight(vq, ++sent_pkts, total_len)) -- break; -- } -+ } while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len))); - out: - mutex_unlock(&vq->mutex); - } -@@ -595,7 +593,10 @@ static void handle_rx(struct vhost_net * - vq->log : NULL; - mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF); - -- while ((sock_len = peek_head_len(sock->sk))) { -+ do { -+ sock_len = peek_head_len(sock->sk); -+ if (!sock_len) -+ break; - sock_len += sock_hlen; - vhost_len = sock_len + vhost_hlen; - headcount = get_rx_bufs(vq, vq->heads, vhost_len, -@@ -665,9 +666,8 @@ static void handle_rx(struct vhost_net * - if (unlikely(vq_log)) - vhost_log_write(vq, vq_log, log, vhost_len); - total_len += vhost_len; -- if (unlikely(vhost_exceeds_weight(vq, ++recv_pkts, total_len))) -- break; -- } -+ } while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len))); -+ - out: - mutex_unlock(&vq->mutex); - } -@@ -737,7 +737,7 @@ static int vhost_net_open(struct inode * - n->vqs[i].sock_hlen = 0; - } - vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX, -- VHOST_NET_WEIGHT, VHOST_NET_PKT_WEIGHT); -+ VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT); - - vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev); - vhost_poll_init(n->poll + VHOST_NET_VQ_RX, 
handle_rx_net, POLLIN, dev);
diff --git a/queue-3.16/vhost_net-introduce-vhost_exceeds_weight.patch b/queue-3.16/vhost_net-introduce-vhost_exceeds_weight.patch
deleted file mode 100644
index e7c5a01e..00000000
--- a/queue-3.16/vhost_net-introduce-vhost_exceeds_weight.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Jason Wang <jasowang@redhat.com>
-Date: Fri, 20 Jul 2018 08:15:15 +0800
-Subject: vhost_net: introduce vhost_exceeds_weight()
-
-commit 272f35cba53d088085e5952fd81d7a133ab90789 upstream.
-
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/drivers/vhost/net.c
-+++ b/drivers/vhost/net.c
-@@ -335,6 +335,12 @@ static void vhost_zerocopy_callback(stru
- rcu_read_unlock_bh();
- }
-
-+static bool vhost_exceeds_weight(int pkts, int total_len)
-+{
-+ return total_len >= VHOST_NET_WEIGHT ||
-+ pkts >= VHOST_NET_PKT_WEIGHT;
-+}
-+
- /* Expects to be always run from workqueue - which acts as
- * read-size critical section for our kind of RCU. */
- static void handle_tx(struct vhost_net *net)
-@@ -457,8 +463,7 @@ static void handle_tx(struct vhost_net *
- vhost_zerocopy_signal_used(net, vq);
- total_len += len;
- vhost_net_tx_packet(net);
-- if (unlikely(total_len >= VHOST_NET_WEIGHT) ||
-- unlikely(++sent_pkts >= VHOST_NET_PKT_WEIGHT)) {
-+ if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) {
- vhost_poll_queue(&vq->poll);
- break;
- }
-@@ -668,8 +673,7 @@ static void handle_rx(struct vhost_net *
- if (unlikely(vq_log))
- vhost_log_write(vq, vq_log, log, vhost_len);
- total_len += vhost_len;
-- if (unlikely(total_len >= VHOST_NET_WEIGHT) ||
-- unlikely(++recv_pkts >= VHOST_NET_PKT_WEIGHT)) {
-+ if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) {
- vhost_poll_queue(&vq->poll);
- break;
- }
diff --git a/queue-3.16/vhost_net-use-packet-weight-for-rx-handler-too.patch b/queue-3.16/vhost_net-use-packet-weight-for-rx-handler-too.patch
deleted file mode 100644
index b425ccf1..00000000
--- a/queue-3.16/vhost_net-use-packet-weight-for-rx-handler-too.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From: Paolo Abeni <pabeni@redhat.com> -Date: Tue, 24 Apr 2018 10:34:36 +0200 -Subject: vhost_net: use packet weight for rx handler, too - -commit db688c24eada63b1efe6d0d7d835e5c3bdd71fd3 upstream. - -Similar to commit a2ac99905f1e ("vhost-net: set packet weight of -tx polling to 2 * vq size"), we need a packet-based limit for -handler_rx, too - elsewhere, under rx flood with small packets, -tx can be delayed for a very long time, even without busypolling. - -The pkt limit applied to handle_rx must be the same applied by -handle_tx, or we will get unfair scheduling between rx and tx. -Tying such limit to the queue length makes it less effective for -large queue length values and can introduce large process -scheduler latencies, so a constant valued is used - likewise -the existing bytes limit. - -The selected limit has been validated with PVP[1] performance -test with different queue sizes: - -queue size 256 512 1024 - -baseline 366 354 362 -weight 128 715 723 670 -weight 256 740 745 733 -weight 512 600 460 583 -weight 1024 423 427 418 - -A packet weight of 256 gives peek performances in under all the -tested scenarios. - -No measurable regression in unidirectional performance tests has -been detected. - -[1] https://developers.redhat.com/blog/2017/06/05/measuring-and-comparing-open-vswitch-performance/ - -Signed-off-by: Paolo Abeni <pabeni@redhat.com> -Acked-by: Jason Wang <jasowang@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/vhost/net.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -40,8 +40,10 @@ MODULE_PARM_DESC(experimental_zcopytx, " - #define VHOST_NET_WEIGHT 0x80000 - - /* Max number of packets transferred before requeueing the job. -- * Using this limit prevents one virtqueue from starving rx. 
*/ --#define VHOST_NET_PKT_WEIGHT(vq) ((vq)->num * 2) -+ * Using this limit prevents one virtqueue from starving others with small -+ * pkts. -+ */ -+#define VHOST_NET_PKT_WEIGHT 256 - - /* MAX number of TX used buffers for outstanding zerocopy */ - #define VHOST_MAX_PEND 128 -@@ -456,7 +458,7 @@ static void handle_tx(struct vhost_net * - total_len += len; - vhost_net_tx_packet(net); - if (unlikely(total_len >= VHOST_NET_WEIGHT) || -- unlikely(++sent_pkts >= VHOST_NET_PKT_WEIGHT(vq))) { -+ unlikely(++sent_pkts >= VHOST_NET_PKT_WEIGHT)) { - vhost_poll_queue(&vq->poll); - break; - } -@@ -581,6 +583,7 @@ static void handle_rx(struct vhost_net * - size_t vhost_hlen, sock_hlen; - size_t vhost_len, sock_len; - struct socket *sock; -+ int recv_pkts = 0; - - mutex_lock(&vq->mutex); - sock = vq->private_data; -@@ -665,7 +668,8 @@ static void handle_rx(struct vhost_net * - if (unlikely(vq_log)) - vhost_log_write(vq, vq_log, log, vhost_len); - total_len += vhost_len; -- if (unlikely(total_len >= VHOST_NET_WEIGHT)) { -+ if (unlikely(total_len >= VHOST_NET_WEIGHT) || -+ unlikely(++recv_pkts >= VHOST_NET_PKT_WEIGHT)) { - vhost_poll_queue(&vq->poll); - break; - } diff --git a/queue-3.16/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch b/queue-3.16/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch deleted file mode 100644 index 928c12b3..00000000 --- a/queue-3.16/vxge-fix-return-of-a-free-d-memblock-on-a-failed-dma-mapping.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-From: Colin Ian King <colin.king@canonical.com>
-Date: Fri, 12 Apr 2019 14:45:12 +0100
-Subject: vxge: fix return of a free'd memblock on a failed dma mapping
-
-commit 0a2c34f18c94b596562bf3d019fceab998b8b584 upstream.
-
-Currently if a pci dma mapping failure is detected a free'd
-memblock address is returned rather than a NULL (that indicates
-an error). Fix this by ensuring NULL is returned on this error case.
-
-Addresses-Coverity: ("Use after free")
-Fixes: 528f727279ae ("vxge: code cleanup and reorganization")
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/net/ethernet/neterion/vxge/vxge-config.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
-+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
-@@ -2381,6 +2381,7 @@ static void *__vxge_hw_blockpool_malloc(
- vxge_os_dma_free(devh->pdev, memblock,
- &dma_object->acc_handle);
- status = VXGE_HW_ERR_OUT_OF_MEMORY;
-+ memblock = NULL;
- goto exit;
- }
-
diff --git a/queue-3.16/x86-asm-entry-64-disentangle-error_entry-exit-gsbase-ebx-usermode.patch b/queue-3.16/x86-asm-entry-64-disentangle-error_entry-exit-gsbase-ebx-usermode.patch
deleted file mode 100644
index 4b39ec04..00000000
--- a/queue-3.16/x86-asm-entry-64-disentangle-error_entry-exit-gsbase-ebx-usermode.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -From: Andy Lutomirski <luto@kernel.org> -Date: Tue, 9 Jun 2015 12:36:01 -0700 -Subject: x86/asm/entry/64: Disentangle error_entry/exit gsbase/ebx/usermode - code - -commit 539f5113650068ba221197f190267ab727296ef5 upstream. - -The error_entry/error_exit code to handle gsbase and whether we -return to user mdoe was a mess: - - - error_sti was misnamed. In particular, it did not enable interrupts. - - - Error handling for gs_change was hopelessly tangled the normal - usermode path. Separate it out. This saves a branch in normal - entries from kernel mode. - - - The comments were bad. - -Fix it up. As a nice side effect, there's now a code path that -happens on error entries from user mode. We'll use it soon. - -Signed-off-by: Andy Lutomirski <luto@kernel.org> -Cc: Andrew Morton <akpm@linux-foundation.org> -Cc: Andy Lutomirski <luto@amacapital.net> -Cc: Borislav Petkov <bp@alien8.de> -Cc: Brian Gerst <brgerst@gmail.com> -Cc: Denys Vlasenko <dvlasenk@redhat.com> -Cc: H. Peter Anvin <hpa@zytor.com> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Peter Zijlstra <peterz@infradead.org> -Cc: Thomas Gleixner <tglx@linutronix.de> -Link: http://lkml.kernel.org/r/f1be898ab93360169fb845ab85185948832209ee.1433878454.git.luto@kernel.org -[ Prettified it, clarified comments some more. 
] -Signed-off-by: Ingo Molnar <mingo@kernel.org> -[bwh: Backported to 3.16 as dependency of commit 18ec54fdd6d1 - "x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations": - - We do not use %ebx as a flag since we already have a backport of commit - b3681dd548d0 "x86/entry/64: Remove %ebx handling from error_entry/exit", - so don't add the comments about that - - Adjust filename, context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -1446,9 +1446,11 @@ ENTRY(error_entry) - SWITCH_KERNEL_CR3 - testl $3,CS+8(%rsp) - je error_kernelspace --error_swapgs: -+ -+ /* We entered from user mode */ - SWAPGS --error_sti: -+ -+error_entry_done: - TRACE_IRQS_OFF - ret - -@@ -1466,8 +1468,15 @@ error_kernelspace: - cmpq %rax,RIP+8(%rsp) - je bstep_iret - cmpq $gs_change,RIP+8(%rsp) -- je error_swapgs -- jmp error_sti -+ jne error_entry_done -+ -+ /* -+ * hack: gs_change can fail with user gsbase. If this happens, fix up -+ * gsbase and proceed. We'll fix up the exception and land in -+ * gs_change's error handler with kernel gsbase. -+ */ -+ SWAPGS -+ jmp error_entry_done - - bstep_iret: - /* Fix truncated RIP */ -@@ -1475,11 +1484,20 @@ bstep_iret: - /* fall through */ - - error_bad_iret: -+ /* -+ * We came from an IRET to user mode, so we have user gsbase. -+ * Switch to kernel gsbase: -+ */ - SWAPGS -+ -+ /* -+ * Pretend that the exception came from user mode: set up pt_regs -+ * as if we faulted immediately after IRET. -+ */ - mov %rsp,%rdi - call fixup_bad_iret - mov %rax,%rsp -- jmp error_sti -+ jmp error_entry_done - CFI_ENDPROC - END(error_entry) - diff --git a/queue-3.16/x86-cpufeatures-renumber-word-7.patch b/queue-3.16/x86-cpufeatures-renumber-word-7.patch deleted file mode 100644 index a0cefe0c..00000000 --- a/queue-3.16/x86-cpufeatures-renumber-word-7.patch +++ /dev/null 
@@ -1,62 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Thu, 08 Aug 2019 20:11:40 +0100
-Subject: x86: cpufeatures: Renumber feature word 7
-
-Use the same bit numbers for all features that are also present in
-4.4.y and 4.9.y, to make further backports slightly easier.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -177,29 +177,32 @@
- #define X86_FEATURE_ARAT ( 7*32+ 1) /* Always Running APIC Timer */
- #define X86_FEATURE_CPB ( 7*32+ 2) /* AMD Core Performance Boost */
- #define X86_FEATURE_EPB ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
--#define X86_FEATURE_XSAVEOPT ( 7*32+ 4) /* Optimized Xsave */
-+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+4) /* Effectively INVPCID && CR4.PCIDE=1 */
- #define X86_FEATURE_PLN ( 7*32+ 5) /* Intel Power Limit Notification */
- #define X86_FEATURE_PTS ( 7*32+ 6) /* Intel Package Thermal Status */
- #define X86_FEATURE_DTHERM ( 7*32+ 7) /* Digital Thermal Sensor */
- #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
- #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
--#define X86_FEATURE_INVPCID_SINGLE ( 7*32+10) /* Effectively INVPCID && CR4.PCIDE=1 */
--#define X86_FEATURE_RSB_CTXSW ( 7*32+11) /* "" Fill RSB on context switches */
--#define X86_FEATURE_USE_IBPB ( 7*32+12) /* "" Indirect Branch Prediction Barrier enabled */
--#define X86_FEATURE_USE_IBRS_FW ( 7*32+13) /* "" Use IBRS during runtime firmware calls */
--#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+14) /* "" Disable Speculative Store Bypass. */
--#define X86_FEATURE_LS_CFG_SSBD ( 7*32+15) /* "" AMD SSBD implementation */
--#define X86_FEATURE_IBRS ( 7*32+16) /* Indirect Branch Restricted Speculation */
--#define X86_FEATURE_IBPB ( 7*32+17) /* Indirect Branch Prediction Barrier */
--#define X86_FEATURE_STIBP ( 7*32+18) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+19) /* "" MSR SPEC_CTRL is implemented */
--#define X86_FEATURE_SSBD ( 7*32+20) /* Speculative Store Bypass Disable */
--#define X86_FEATURE_ZEN ( 7*32+21) /* "" CPU is AMD family 0x17 (Zen) */
--#define X86_FEATURE_L1TF_PTEINV ( 7*32+22) /* "" L1TF workaround PTE inversion */
--#define X86_FEATURE_IBRS_ENHANCED ( 7*32+23) /* Enhanced IBRS */
--#define X86_FEATURE_RETPOLINE ( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
--#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
--/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
-+
-+#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
-+#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
-+
-+#define X86_FEATURE_XSAVEOPT ( 7*32+15) /* Optimized Xsave */
-+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
-+#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */
-+
-+#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
-+
-+#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
-+#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
-+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
-+#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
-+#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
-+#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
-+#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
-+#define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
-+#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
-
- /* Virtualization flags: Linux defined, word 8 */
diff --git a/queue-3.16/x86-entry-64-fix-context-tracking-state-warning-when-load_gs_index.patch b/queue-3.16/x86-entry-64-fix-context-tracking-state-warning-when-load_gs_index.patch
deleted file mode 100644
index 2c6030ca..00000000
--- a/queue-3.16/x86-entry-64-fix-context-tracking-state-warning-when-load_gs_index.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Fri, 30 Sep 2016 09:01:06 +0800
-Subject: x86/entry/64: Fix context tracking state warning when load_gs_index
- fails
-
-commit 2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc upstream.
-
-This warning:
-
- WARNING: CPU: 0 PID: 3331 at arch/x86/entry/common.c:45 enter_from_user_mode+0x32/0x50
- CPU: 0 PID: 3331 Comm: ldt_gdt_64 Not tainted 4.8.0-rc7+ #13
- Call Trace:
- dump_stack+0x99/0xd0
- __warn+0xd1/0xf0
- warn_slowpath_null+0x1d/0x20
- enter_from_user_mode+0x32/0x50
- error_entry+0x6d/0xc0
- ? general_protection+0x12/0x30
- ? native_load_gs_index+0xd/0x20
- ? do_set_thread_area+0x19c/0x1f0
- SyS_set_thread_area+0x24/0x30
- do_int80_syscall_32+0x7c/0x220
- entry_INT80_compat+0x38/0x50
-
-... can be reproduced by running the GS testcase of the ldt_gdt test unit in
-the x86 selftests.
-
-do_int80_syscall_32() will call enter_form_user_mode() to convert context
-tracking state from user state to kernel state. The load_gs_index() call
-can fail with user gsbase, gsbase will be fixed up and proceed if this
-happen.
-
-However, enter_from_user_mode() will be called again in the fixed up path
-though it is context tracking kernel state currently.
-
-This patch fixes it by just fixing up gsbase and telling lockdep that IRQs
-are off once load_gs_index() failed with user gsbase.
-
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Acked-by: Andy Lutomirski <luto@kernel.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/1475197266-3440-1-git-send-email-wanpeng.li@hotmail.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-[bwh: Backported to 3.16 as dependency of commit 18ec54fdd6d1
- "x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations":
- - Adjust filename]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1447,7 +1447,6 @@ ENTRY(error_entry)
- testl $3,CS+8(%rsp)
- jz .Lerror_kernelspace
-
--.Lerror_entry_from_usermode_swapgs:
- /*
- * We entered from user mode or we're pretending to have entered
- * from user mode due to an IRET fault.
-@@ -1480,7 +1479,8 @@ ENTRY(error_entry)
- * gsbase and proceed. We'll fix up the exception and land in
- * gs_change's error handler with kernel gsbase.
- */
-- jmp .Lerror_entry_from_usermode_swapgs
-+ SWAPGS
-+ jmp .Lerror_entry_done
-
- .Lbstep_iret:
- /* Fix truncated RIP */
diff --git a/queue-3.16/x86-entry-64-really-create-an-error-entry-from-usermode-code-path.patch b/queue-3.16/x86-entry-64-really-create-an-error-entry-from-usermode-code-path.patch
deleted file mode 100644
index 67eca7b9..00000000
--- a/queue-3.16/x86-entry-64-really-create-an-error-entry-from-usermode-code-path.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: Andy Lutomirski <luto@kernel.org>
-Date: Fri, 3 Jul 2015 12:44:27 -0700
-Subject: x86/entry/64: Really create an error-entry-from-usermode code path
-
-commit cb6f64ed5a04036eef07e70b57dd5dd78f2fbcef upstream.
-
-In 539f51136500 ("x86/asm/entry/64: Disentangle error_entry/exit
-gsbase/ebx/usermode code"), I arranged the code slightly wrong
--- IRET faults would skip the code path that was intended to
-execute on all error entries from user mode. Fix it up.
-
-While we're at it, make all the labels in error_entry local.
-
-This does not fix a bug, but we'll need it, and it slightly
-shrinks the code.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: Denys Vlasenko <vda.linux@googlemail.com>
-Cc: Frederic Weisbecker <fweisbec@gmail.com>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: paulmck@linux.vnet.ibm.com
-Link: http://lkml.kernel.org/r/91e17891e49fa3d61357eadc451529ad48143ee1.1435952415.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-[bwh: Backported to 3.16 as dependency of commit 18ec54fdd6d1
- "x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations":
- - Adjust filename, context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 28 ++++++++++++++++------------
- 1 file changed, 16 insertions(+), 12 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1445,12 +1445,17 @@ ENTRY(error_entry)
- */
- SWITCH_KERNEL_CR3
- testl $3,CS+8(%rsp)
-- je error_kernelspace
-+ jz .Lerror_kernelspace
-
-- /* We entered from user mode */
-+.Lerror_entry_from_usermode_swapgs:
-+ /*
-+ * We entered from user mode or we're pretending to have entered
-+ * from user mode due to an IRET fault.
-+ */
- SWAPGS
-
--error_entry_done:
-+.Lerror_entry_from_usermode_after_swapgs:
-+.Lerror_entry_done:
- TRACE_IRQS_OFF
- ret
-
-@@ -1460,30 +1465,29 @@ error_entry_done:
- * truncated RIP for IRET exceptions returning to compat mode. Check
- * for these here too.
- */
--error_kernelspace:
-+.Lerror_kernelspace:
- leaq native_irq_return_iret(%rip),%rcx
- cmpq %rcx,RIP+8(%rsp)
-- je error_bad_iret
-+ je .Lerror_bad_iret
- movl %ecx,%eax /* zero extend */
- cmpq %rax,RIP+8(%rsp)
-- je bstep_iret
-+ je .Lbstep_iret
- cmpq $gs_change,RIP+8(%rsp)
-- jne error_entry_done
-+ jne .Lerror_entry_done
-
- /*
- * hack: gs_change can fail with user gsbase. If this happens, fix up
- * gsbase and proceed. We'll fix up the exception and land in
- * gs_change's error handler with kernel gsbase.
- */
-- SWAPGS
-- jmp error_entry_done
-+ jmp .Lerror_entry_from_usermode_swapgs
-
--bstep_iret:
-+.Lbstep_iret:
- /* Fix truncated RIP */
- movq %rcx,RIP+8(%rsp)
- /* fall through */
-
--error_bad_iret:
-+.Lerror_bad_iret:
- /*
- * We came from an IRET to user mode, so we have user gsbase.
- * Switch to kernel gsbase:
-@@ -1497,7 +1501,7 @@ error_bad_iret:
- mov %rsp,%rdi
- call fixup_bad_iret
- mov %rax,%rsp
-- jmp error_entry_done
-+ jmp .Lerror_entry_from_usermode_after_swapgs
- CFI_ENDPROC
- END(error_entry)
-
diff --git a/queue-3.16/x86-entry-64-use-jmp-instead-of-jmpq.patch b/queue-3.16/x86-entry-64-use-jmp-instead-of-jmpq.patch
deleted file mode 100644
index 4b2420ff..00000000
--- a/queue-3.16/x86-entry-64-use-jmp-instead-of-jmpq.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Josh Poimboeuf <jpoimboe@redhat.com>
-Date: Mon, 15 Jul 2019 11:51:39 -0500
-Subject: x86/entry/64: Use JMP instead of JMPQ
-
-commit 64dbc122b20f75183d8822618c24f85144a5a94d upstream.
-
-Somehow the swapgs mitigation entry code patch ended up with a JMPQ
-instruction instead of JMP, where only the short jump is needed. Some
-assembler versions apparently fail to optimize JMPQ into a two-byte JMP
-when possible, instead always using a 7-byte JMP with relocation. For
-some reason that makes the entry code explode with a #GP during boot.
-
-Change it back to "JMP" as originally intended.
-
-Fixes: 18ec54fdd6d1 ("x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations")
-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-[bwh: Backported to 3.16: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -267,7 +267,7 @@ ENDPROC(native_usergs_sysret64)
- SWAPGS
- FENCE_SWAPGS_USER_ENTRY
- SWITCH_KERNEL_CR3
-- jmpq 2f
-+ jmp 2f
- 1:
- FENCE_SWAPGS_KERNEL_ENTRY
- 2:
diff --git a/queue-3.16/x86-kprobes-avoid-kretprobe-recursion-bug.patch b/queue-3.16/x86-kprobes-avoid-kretprobe-recursion-bug.patch
deleted file mode 100644
index 13db4768..00000000
--- a/queue-3.16/x86-kprobes-avoid-kretprobe-recursion-bug.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From: Masami Hiramatsu <mhiramat@kernel.org>
-Date: Sun, 24 Feb 2019 01:50:49 +0900
-Subject: x86/kprobes: Avoid kretprobe recursion bug
-
-commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 upstream.
-
-Avoid kretprobe recursion loop bg by setting a dummy
-kprobes to current_kprobe per-CPU variable.
-
-This bug has been introduced with the asm-coded trampoline
-code, since previously it used another kprobe for hooking
-the function return placeholder (which only has a nop) and
-trampoline handler was called from that kprobe.
-
-This revives the old lost kprobe again.
-
-With this fix, we don't see deadlock anymore.
-
-And you can see that all inner-called kretprobe are skipped.
-
- event_1 235 0
- event_2 19375 19612
-
-The 1st column is recorded count and the 2nd is missed count.
-Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed)
-(some difference are here because the counter is racy)
-
-Reported-by: Andrea Righi <righi.andrea@gmail.com>
-Tested-by: Andrea Righi <righi.andrea@gmail.com>
-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
-Acked-by: Steven Rostedt <rostedt@goodmis.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster")
-Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- arch/x86/kernel/kprobes/core.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/kprobes/core.c
-+++ b/arch/x86/kernel/kprobes/core.c
-@@ -686,11 +686,16 @@ static void __used kretprobe_trampoline_
- NOKPROBE_SYMBOL(kretprobe_trampoline_holder);
- NOKPROBE_SYMBOL(kretprobe_trampoline);
-
-+static struct kprobe kretprobe_kprobe = {
-+ .addr = (void *)kretprobe_trampoline,
-+};
-+
- /*
- * Called from kretprobe_trampoline
- */
- __visible __used void *trampoline_handler(struct pt_regs *regs)
- {
-+ struct kprobe_ctlblk *kcb;
- struct kretprobe_instance *ri = NULL;
- struct hlist_head *head, empty_rp;
- struct hlist_node *tmp;
-@@ -700,6 +705,17 @@ __visible __used void *trampoline_handle
- void *frame_pointer;
- bool skipped = false;
-
-+ preempt_disable();
-+
-+ /*
-+ * Set a dummy kprobe for avoiding kretprobe recursion.
-+ * Since kretprobe never run in kprobe handler, kprobe must not
-+ * be running at this point.
-+ */
-+ kcb = get_kprobe_ctlblk();
-+ __this_cpu_write(current_kprobe, &kretprobe_kprobe);
-+ kcb->kprobe_status = KPROBE_HIT_ACTIVE;
-+
- INIT_HLIST_HEAD(&empty_rp);
- kretprobe_hash_lock(current, &head, &flags);
- /* fixup registers */
-@@ -775,10 +791,9 @@ __visible __used void *trampoline_handle
- orig_ret_address = (unsigned long)ri->ret_addr;
- if (ri->rp && ri->rp->handler) {
- __this_cpu_write(current_kprobe, &ri->rp->kp);
-- get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
- ri->ret_addr = correct_ret_addr;
- ri->rp->handler(ri, regs);
-- __this_cpu_write(current_kprobe, NULL);
-+ __this_cpu_write(current_kprobe, &kretprobe_kprobe);
- }
-
- recycle_rp_inst(ri, &empty_rp);
-@@ -794,6 +809,9 @@ __visible __used void *trampoline_handle
-
- kretprobe_hash_unlock(current, &flags);
-
-+ __this_cpu_write(current_kprobe, NULL);
-+ preempt_enable();
-+
- hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
- hlist_del(&ri->hlist);
- kfree(ri);
diff --git a/queue-3.16/x86-kprobes-verify-stack-frame-on-kretprobe.patch b/queue-3.16/x86-kprobes-verify-stack-frame-on-kretprobe.patch
deleted file mode 100644
index 8b554e54..00000000
--- a/queue-3.16/x86-kprobes-verify-stack-frame-on-kretprobe.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From: Masami Hiramatsu <mhiramat@kernel.org>
-Date: Sun, 24 Feb 2019 01:49:52 +0900
-Subject: x86/kprobes: Verify stack frame on kretprobe
-
-commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream.
-
-Verify the stack frame pointer on kretprobe trampoline handler,
-If the stack frame pointer does not match, it skips the wrong
-entry and tries to find correct one.
-
-This can happen if user puts the kretprobe on the function
-which can be used in the path of ftrace user-function call.
-Such functions should not be probed, so this adds a warning
-message that reports which function should be blacklisted.
-
-Tested-by: Andrea Righi <righi.andrea@gmail.com>
-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
-Acked-by: Steven Rostedt <rostedt@goodmis.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++
- include/linux/kprobes.h | 1 +
- 2 files changed, 27 insertions(+)
-
---- a/arch/x86/kernel/kprobes/core.c
-+++ b/arch/x86/kernel/kprobes/core.c
-@@ -494,6 +494,7 @@ void arch_prepare_kretprobe(struct kretp
- unsigned long *sara = stack_addr(regs);
-
- ri->ret_addr = (kprobe_opcode_t *) *sara;
-+ ri->fp = sara;
-
- /* Replace the return addr with trampoline addr */
- *sara = (unsigned long) &kretprobe_trampoline;
-@@ -696,15 +697,21 @@ __visible __used void *trampoline_handle
- unsigned long flags, orig_ret_address = 0;
- unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
- kprobe_opcode_t *correct_ret_addr = NULL;
-+ void *frame_pointer;
-+ bool skipped = false;
-
- INIT_HLIST_HEAD(&empty_rp);
- kretprobe_hash_lock(current, &head, &flags);
- /* fixup registers */
- #ifdef CONFIG_X86_64
- regs->cs = __KERNEL_CS;
-+ /* On x86-64, we use pt_regs->sp for return address holder. */
-+ frame_pointer = ®s->sp;
- #else
- regs->cs = __KERNEL_CS | get_kernel_rpl();
- regs->gs = 0;
-+ /* On x86-32, we use pt_regs->flags for return address holder. */
-+ frame_pointer = ®s->flags;
- #endif
- regs->ip = trampoline_address;
- regs->orig_ax = ~0UL;
-@@ -726,8 +733,25 @@ __visible __used void *trampoline_handle
- if (ri->task != current)
- /* another task is sharing our hash bucket */
- continue;
-+ /*
-+ * Return probes must be pushed on this hash list correct
-+ * order (same as return order) so that it can be poped
-+ * correctly. However, if we find it is pushed it incorrect
-+ * order, this means we find a function which should not be
-+ * probed, because the wrong order entry is pushed on the
-+ * path of processing other kretprobe itself.
-+ */
-+ if (ri->fp != frame_pointer) {
-+ if (!skipped)
-+ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
-+ skipped = true;
-+ continue;
-+ }
-
- orig_ret_address = (unsigned long)ri->ret_addr;
-+ if (skipped)
-+ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
-+ ri->rp->kp.addr);
-
- if (orig_ret_address != trampoline_address)
- /*
-@@ -745,6 +769,8 @@ __visible __used void *trampoline_handle
- if (ri->task != current)
- /* another task is sharing our hash bucket */
- continue;
-+ if (ri->fp != frame_pointer)
-+ continue;
-
- orig_ret_address = (unsigned long)ri->ret_addr;
- if (ri->rp && ri->rp->handler) {
---- a/include/linux/kprobes.h
-+++ b/include/linux/kprobes.h
-@@ -197,6 +197,7 @@ struct kretprobe_instance {
- struct kretprobe *rp;
- kprobe_opcode_t *ret_addr;
- struct task_struct *task;
-+ void *fp;
- char data[0];
- };
-
diff --git a/queue-3.16/x86-speculation-enable-spectre-v1-swapgs-mitigations.patch b/queue-3.16/x86-speculation-enable-spectre-v1-swapgs-mitigations.patch
deleted file mode 100644
index c294cfb0..00000000
--- a/queue-3.16/x86-speculation-enable-spectre-v1-swapgs-mitigations.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From: Josh Poimboeuf <jpoimboe@redhat.com>
-Date: Mon, 8 Jul 2019 11:52:26 -0500
-Subject: x86/speculation: Enable Spectre v1 swapgs mitigations
-
-commit a2059825986a1c8143fd6698774fa9d83733bb11 upstream.
-
-The previous commit added macro calls in the entry code which mitigate the
-Spectre v1 swapgs issue if the X86_FEATURE_FENCE_SWAPGS_* features are
-enabled. Enable those features where applicable.
-
-The mitigations may be disabled with "nospectre_v1" or "mitigations=off".
-
-There are different features which can affect the risk of attack:
-
-- When FSGSBASE is enabled, unprivileged users are able to place any
- value in GS, using the wrgsbase instruction. This means they can
- write a GS value which points to any value in kernel space, which can
- be useful with the following gadget in an interrupt/exception/NMI
- handler:
-
- if (coming from user space)
- swapgs
- mov %gs:<percpu_offset>, %reg1
- // dependent load or store based on the value of %reg
- // for example: mov %(reg1), %reg2
-
- If an interrupt is coming from user space, and the entry code
- speculatively skips the swapgs (due to user branch mistraining), it
- may speculatively execute the GS-based load and a subsequent dependent
- load or store, exposing the kernel data to an L1 side channel leak.
-
- Note that, on Intel, a similar attack exists in the above gadget when
- coming from kernel space, if the swapgs gets speculatively executed to
- switch back to the user GS. On AMD, this variant isn't possible
- because swapgs is serializing with respect to future GS-based
- accesses.
-
- NOTE: The FSGSBASE patch set hasn't been merged yet, so the above case
- doesn't exist quite yet.
-
-- When FSGSBASE is disabled, the issue is mitigated somewhat because
- unprivileged users must use prctl(ARCH_SET_GS) to set GS, which
- restricts GS values to user space addresses only. That means the
- gadget would need an additional step, since the target kernel address
- needs to be read from user space first. Something like:
-
- if (coming from user space)
- swapgs
- mov %gs:<percpu_offset>, %reg1
- mov (%reg1), %reg2
- // dependent load or store based on the value of %reg2
- // for example: mov %(reg2), %reg3
-
- It's difficult to audit for this gadget in all the handlers, so while
- there are no known instances of it, it's entirely possible that it
- exists somewhere (or could be introduced in the future). Without
- tooling to analyze all such code paths, consider it vulnerable.
-
- Effects of SMAP on the !FSGSBASE case:
-
- - If SMAP is enabled, and the CPU reports RDCL_NO (i.e., not
- susceptible to Meltdown), the kernel is prevented from speculatively
- reading user space memory, even L1 cached values. This effectively
- disables the !FSGSBASE attack vector.
-
- - If SMAP is enabled, but the CPU *is* susceptible to Meltdown, SMAP
- still prevents the kernel from speculatively reading user space
- memory. But it does *not* prevent the kernel from reading the
- user value from L1, if it has already been cached. This is probably
- only a small hurdle for an attacker to overcome.
-
-Thanks to Dave Hansen for contributing the speculative_smap() function.
-
-Thanks to Andrew Cooper for providing the inside scoop on whether swapgs
-is serializing on AMD.
-
-[ tglx: Fixed the USER fence decision and polished the comment as suggested
- by Dave Hansen ]
-
-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Dave Hansen <dave.hansen@intel.com>
-[bwh: Backported to 3.16:
- - Check for X86_FEATURE_KAISER instead of X86_FEATURE_PTI
- - mitigations= parameter is x86-only here
- - powerpc doesn't have Spectre mitigations
- - Don't use __ro_after_init
- - Adjust filename, context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -1917,6 +1917,7 @@ bytes respectively. Such letter suffixes
- improves system performance, but it may also
- expose users to several CPU vulnerabilities.
- Equivalent to: nopti [X86]
-+ nospectre_v1 [X86]
- nospectre_v2 [X86]
- spectre_v2_user=off [X86]
- spec_store_bypass_disable=off [X86]
-@@ -2215,6 +2216,10 @@ bytes respectively. Such letter suffixes
- register save and restore. The kernel will only save
- legacy floating-point registers on task switch.
-
-+ nospectre_v1 [X86] Disable mitigations for Spectre Variant 1
-+ (bounds check bypass). With this option data leaks are
-+ possible in the system.
-+
- nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2
- (indirect branch prediction) vulnerability. System may
- allow data leaks with this option, which is equivalent
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -30,6 +30,7 @@
- #include <asm/intel-family.h>
- #include <asm/e820.h>
-
-+static void __init spectre_v1_select_mitigation(void);
- static void __init spectre_v2_select_mitigation(void);
- static void __init ssb_select_mitigation(void);
- static void __init l1tf_select_mitigation(void);
-@@ -148,17 +149,11 @@ void __init check_bugs(void)
- if (boot_cpu_has(X86_FEATURE_STIBP))
- x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
-
-- /* Select the proper spectre mitigation before patching alternatives */
-+ /* Select the proper CPU mitigations before patching alternatives: */
-+ spectre_v1_select_mitigation();
- spectre_v2_select_mitigation();
--
-- /*
-- * Select proper mitigation for any exposure to the Speculative Store
-- * Bypass vulnerability.
-- */
- ssb_select_mitigation();
--
- l1tf_select_mitigation();
--
- mds_select_mitigation();
-
- arch_smt_update();
-@@ -318,6 +313,108 @@ static int __init mds_cmdline(char *str)
- early_param("mds", mds_cmdline);
-
- #undef pr_fmt
-+#define pr_fmt(fmt) "Spectre V1 : " fmt
-+
-+enum spectre_v1_mitigation {
-+ SPECTRE_V1_MITIGATION_NONE,
-+ SPECTRE_V1_MITIGATION_AUTO,
-+};
-+
-+static enum spectre_v1_mitigation spectre_v1_mitigation =
-+ SPECTRE_V1_MITIGATION_AUTO;
-+
-+static const char * const spectre_v1_strings[] = {
-+ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
-+ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
-+};
-+
-+static bool is_swapgs_serializing(void)
-+{
-+ /*
-+ * Technically, swapgs isn't serializing on AMD (despite it previously
-+ * being documented as such in the APM). But according to AMD, %gs is
-+ * updated non-speculatively, and the issuing of %gs-relative memory
-+ * operands will be blocked until the %gs update completes, which is
-+ * good enough for our purposes.
-+ */
-+ return boot_cpu_data.x86_vendor == X86_VENDOR_AMD;
-+}
-+
-+/*
-+ * Does SMAP provide full mitigation against speculative kernel access to
-+ * userspace?
-+ */
-+static bool smap_works_speculatively(void)
-+{
-+ if (!boot_cpu_has(X86_FEATURE_SMAP))
-+ return false;
-+
-+ /*
-+ * On CPUs which are vulnerable to Meltdown, SMAP does not
-+ * prevent speculative access to user data in the L1 cache.
-+ * Consider SMAP to be non-functional as a mitigation on these
-+ * CPUs.
-+ */
-+ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
-+ return false;
-+
-+ return true;
-+}
-+
-+static void __init spectre_v1_select_mitigation(void)
-+{
-+ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
-+ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
-+ return;
-+ }
-+
-+ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
-+ /*
-+ * With Spectre v1, a user can speculatively control either
-+ * path of a conditional swapgs with a user-controlled GS
-+ * value. The mitigation is to add lfences to both code paths.
-+ *
-+ * If FSGSBASE is enabled, the user can put a kernel address in
-+ * GS, in which case SMAP provides no protection.
-+ *
-+ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
-+ * FSGSBASE enablement patches have been merged. ]
-+ *
-+ * If FSGSBASE is disabled, the user can only put a user space
-+ * address in GS. That makes an attack harder, but still
-+ * possible if there's no SMAP protection.
-+ */
-+ if (!smap_works_speculatively()) {
-+ /*
-+ * Mitigation can be provided from SWAPGS itself or
-+ * PTI as the CR3 write in the Meltdown mitigation
-+ * is serializing.
-+ *
-+ * If neither is there, mitigate with an LFENCE.
-+ */
-+ if (!is_swapgs_serializing() && !boot_cpu_has(X86_FEATURE_KAISER))
-+ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
-+
-+ /*
-+ * Enable lfences in the kernel entry (non-swapgs)
-+ * paths, to prevent user entry from speculatively
-+ * skipping swapgs.
-+ */
-+ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
-+ }
-+ }
-+
-+ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
-+}
-+
-+static int __init nospectre_v1_cmdline(char *str)
-+{
-+ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
-+ return 0;
-+}
-+early_param("nospectre_v1", nospectre_v1_cmdline);
-+
-+#undef pr_fmt
- #define pr_fmt(fmt) "Spectre V2 : " fmt
-
- static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
-@@ -1210,7 +1307,7 @@ static ssize_t cpu_show_common(struct de
- break;
-
- case X86_BUG_SPECTRE_V1:
-- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
-+ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
-
- case X86_BUG_SPECTRE_V2:
- return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
diff --git a/queue-3.16/x86-speculation-prepare-entry-code-for-spectre-v1-swapgs-mitigations.patch b/queue-3.16/x86-speculation-prepare-entry-code-for-spectre-v1-swapgs-mitigations.patch
deleted file mode 100644
index eec0e5b8..00000000
--- a/queue-3.16/x86-speculation-prepare-entry-code-for-spectre-v1-swapgs-mitigations.patch
+++ /dev/null
@@ -1,213 +0,0 @@ -From: Josh Poimboeuf <jpoimboe@redhat.com> -Date: Mon, 8 Jul 2019 11:52:25 -0500 -Subject: x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations - -commit 18ec54fdd6d18d92025af097cd042a75cf0ea24c upstream. - -Spectre v1 isn't only about array bounds checks. It can affect any -conditional checks. The kernel entry code interrupt, exception, and NMI -handlers all have conditional swapgs checks. Those may be problematic in -the context of Spectre v1, as kernel code can speculatively run with a user -GS. - -For example: - - if (coming from user space) - swapgs - mov %gs:<percpu_offset>, %reg - mov (%reg), %reg1 - -When coming from user space, the CPU can speculatively skip the swapgs, and -then do a speculative percpu load using the user GS value. So the user can -speculatively force a read of any kernel value. If a gadget exists which -uses the percpu value as an address in another load/store, then the -contents of the kernel value may become visible via an L1 side channel -attack. - -A similar attack exists when coming from kernel space. The CPU can -speculatively do the swapgs, causing the user GS to get used for the rest -of the speculative window. - -The mitigation is similar to a traditional Spectre v1 mitigation, except: - - a) index masking isn't possible; because the index (percpu offset) - isn't user-controlled; and - - b) an lfence is needed in both the "from user" swapgs path and the - "from kernel" non-swapgs path (because of the two attacks described - above). - -The user entry swapgs paths already have SWITCH_TO_KERNEL_CR3, which has a -CR3 write when PTI is enabled. Since CR3 writes are serializing, the -lfences can be skipped in those cases. - -On the other hand, the kernel entry swapgs paths don't depend on PTI. 
- -To avoid unnecessary lfences for the user entry case, create two separate -features for alternative patching: - - X86_FEATURE_FENCE_SWAPGS_USER - X86_FEATURE_FENCE_SWAPGS_KERNEL - -Use these features in entry code to patch in lfences where needed. - -The features aren't enabled yet, so there's no functional change. - -Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Reviewed-by: Dave Hansen <dave.hansen@intel.com> -[bwh: Backported to 3.16: - - Assign the CPU feature bits from word 7 - - Add FENCE_SWAPGS_KERNEL_ENTRY to NMI entry, since it does not - use paranoid_entry - - Add a return after .Lerror_entry_from_usermode_after_swapgs, done - upstream by commit f10750536fa7 "x86/entry/64: Fix irqflag tracing wrt - context tracking" - - Include <asm/cpufeatures.h> in calling.h - - Adjust filenames, context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/arch/x86/include/asm/calling.h -+++ b/arch/x86/include/asm/calling.h -@@ -47,6 +47,7 @@ For 32-bit we have the following convent - */ - - #include <asm/dwarf2.h> -+#include <asm/cpufeatures.h> - - #ifdef CONFIG_X86_64 - -@@ -195,6 +196,23 @@ For 32-bit we have the following convent - .byte 0xf1 - .endm - -+/* -+ * Mitigate Spectre v1 for conditional swapgs code paths. -+ * -+ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to -+ * prevent a speculative swapgs when coming from kernel space. -+ * -+ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path, -+ * to prevent the swapgs from getting speculatively skipped when coming from -+ * user space. 
-+ */ -+.macro FENCE_SWAPGS_USER_ENTRY -+ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER -+.endm -+.macro FENCE_SWAPGS_KERNEL_ENTRY -+ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL -+.endm -+ - #else /* CONFIG_X86_64 */ - - /* ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -183,7 +183,8 @@ - #define X86_FEATURE_DTHERM ( 7*32+ 7) /* Digital Thermal Sensor */ - #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */ - #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ -- -+#define X86_FEATURE_FENCE_SWAPGS_USER ( 7*32+10) /* "" LFENCE in user entry SWAPGS path */ -+#define X86_FEATURE_FENCE_SWAPGS_KERNEL ( 7*32+11) /* "" LFENCE in kernel entry SWAPGS path */ - #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ - #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ - ---- a/arch/x86/kernel/entry_64.S -+++ b/arch/x86/kernel/entry_64.S -@@ -265,14 +265,19 @@ ENDPROC(native_usergs_sysret64) - testl $3, CS-RBP(%rsi) - je 1f - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - SWITCH_KERNEL_CR3 -+ jmpq 2f -+1: -+ FENCE_SWAPGS_KERNEL_ENTRY -+2: - /* - * irq_count is used to check if a CPU is already on an interrupt stack - * or not. While this is essentially redundant with preempt_count it is - * a little cheaper to use a separate counter in the PDA (short of - * moving irq_enter into assembly, which would be too much work) - */ --1: incl PER_CPU_VAR(irq_count) -+ incl PER_CPU_VAR(irq_count) - cmovzq PER_CPU_VAR(irq_stack_ptr),%rsp - CFI_DEF_CFA_REGISTER rsi - -@@ -337,6 +342,13 @@ ENTRY(save_paranoid) - movq %rax, %cr3 - 2: - #endif -+ /* -+ * The above doesn't do an unconditional CR3 write, even in the PTI -+ * case. So do an lfence to prevent GS speculation, regardless of -+ * whether PTI is enabled. 
-+ */ -+ FENCE_SWAPGS_KERNEL_ENTRY -+ - ret - CFI_ENDPROC - END(save_paranoid) -@@ -1452,8 +1464,19 @@ ENTRY(error_entry) - * from user mode due to an IRET fault. - */ - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - - .Lerror_entry_from_usermode_after_swapgs: -+ /* -+ * We need to tell lockdep that IRQs are off. We can't do this until -+ * we fix gsbase, and we should do it before enter_from_user_mode -+ * (which can take locks). -+ */ -+ TRACE_IRQS_OFF -+ ret -+ -+.Lerror_entry_done_lfence: -+ FENCE_SWAPGS_KERNEL_ENTRY - .Lerror_entry_done: - TRACE_IRQS_OFF - ret -@@ -1472,7 +1495,7 @@ ENTRY(error_entry) - cmpq %rax,RIP+8(%rsp) - je .Lbstep_iret - cmpq $gs_change,RIP+8(%rsp) -- jne .Lerror_entry_done -+ jne .Lerror_entry_done_lfence - - /* - * hack: gs_change can fail with user gsbase. If this happens, fix up -@@ -1480,6 +1503,7 @@ ENTRY(error_entry) - * gs_change's error handler with kernel gsbase. - */ - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - jmp .Lerror_entry_done - - .Lbstep_iret: -@@ -1493,6 +1517,7 @@ ENTRY(error_entry) - * Switch to kernel gsbase: - */ - SWAPGS -+ FENCE_SWAPGS_USER_ENTRY - - /* - * Pretend that the exception came from user mode: set up pt_regs -@@ -1601,6 +1626,7 @@ ENTRY(nmi) - * to switch CR3 here. - */ - cld -+ FENCE_SWAPGS_USER_ENTRY - movq %rsp, %rdx - movq PER_CPU_VAR(kernel_stack), %rsp - addq $KERNEL_STACK_OFFSET, %rsp -@@ -1646,6 +1672,7 @@ ENTRY(nmi) - movq %rax, %cr3 - 2: - #endif -+ FENCE_SWAPGS_KERNEL_ENTRY - call do_nmi - - #ifdef CONFIG_PAGE_TABLE_ISOLATION diff --git a/queue-3.16/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch b/queue-3.16/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch deleted file mode 100644 index f836d1a7..00000000 --- a/queue-3.16/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From: Thomas Gleixner <tglx@linutronix.de> -Date: Sun, 14 Apr 2019 19:51:06 +0200 -Subject: x86/speculation: Prevent deadlock on ssb_state::lock - -commit 2f5fb19341883bb6e37da351bc3700489d8506a7 upstream. - -Mikhail reported a lockdep splat related to the AMD specific ssb_state -lock: - - CPU0 CPU1 - lock(&st->lock); - local_irq_disable(); - lock(&(&sighand->siglock)->rlock); - lock(&st->lock); - <Interrupt> - lock(&(&sighand->siglock)->rlock); - - *** DEADLOCK *** - -The connection between sighand->siglock and st->lock comes through seccomp, -which takes st->lock while holding sighand->siglock. - -Make sure interrupts are disabled when __speculation_ctrl_update() is -invoked via prctl() -> speculation_ctrl_update(). Add a lockdep assert to -catch future offenders. - -Fixes: 1f50ddb4f418 ("x86/speculation: Handle HT correctly on AMD") -Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> -Cc: Thomas Lendacky <thomas.lendacky@amd.com> -Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1904141948200.4917@nanos.tec.linutronix.de -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/kernel/process.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -351,6 +351,8 @@ static __always_inline void __speculatio - u64 msr = x86_spec_ctrl_base; - bool updmsr = false; - -+ lockdep_assert_irqs_disabled(); -+ - /* - * If TIF_SSBD is different, select the proper mitigation - * method. Note that if SSBD mitigation is disabled or permanentely -@@ -402,10 +404,12 @@ static unsigned long speculation_ctrl_up - - void speculation_ctrl_update(unsigned long tif) - { -+ unsigned long flags; -+ - /* Forced update. 
Make sure all relevant TIF flags are different */ -- preempt_disable(); -+ local_irq_save(flags); - __speculation_ctrl_update(~tif, tif); -- preempt_enable(); -+ local_irq_restore(flags); - } - - /* Called from seccomp/prctl update */ diff --git a/queue-3.16/x86-speculation-swapgs-exclude-atoms-from-speculation-through-swapgs.patch b/queue-3.16/x86-speculation-swapgs-exclude-atoms-from-speculation-through-swapgs.patch deleted file mode 100644 index 6ae296f0..00000000 --- a/queue-3.16/x86-speculation-swapgs-exclude-atoms-from-speculation-through-swapgs.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From: Thomas Gleixner <tglx@linutronix.de> -Date: Wed, 17 Jul 2019 21:18:59 +0200 -Subject: x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS - -commit f36cf386e3fec258a341d446915862eded3e13d8 upstream. - -Intel provided the following information: - - On all current Atom processors, instructions that use a segment register - value (e.g. a load or store) will not speculatively execute before the - last writer of that segment retires. Thus they will not use a - speculatively written segment value. - -That means on ATOMs there is no speculation through SWAPGS, so the SWAPGS -entry paths can be excluded from the extra LFENCE if PTI is disabled. - -Create a separate bug flag for the through SWAPGS speculation and mark all -out-of-order ATOMs and AMD/HYGON CPUs as not affected. The in-order ATOMs -are excluded from the whole mitigation mess anyway. - -Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Reviewed-by: Tyler Hicks <tyhicks@canonical.com> -Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com> -[bwh: Backported to 3.16: - - There's no whitelist entry (or any support) for Hygon CPUs - - Use the next available X86_BUG number - - Adjust context, indentation] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/kernel/cpu/bugs.c | 18 +++---------- - arch/x86/kernel/cpu/common.c | 42 +++++++++++++++++++----------- - 3 files changed, 32 insertions(+), 29 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -278,5 +278,6 @@ - #define X86_BUG_L1TF X86_BUG(9) /* CPU is affected by L1 Terminal Fault */ - #define X86_BUG_MDS X86_BUG(10) /* CPU is affected by Microarchitectural data sampling */ - #define X86_BUG_MSBDS_ONLY X86_BUG(11) /* CPU is only affected by the MSDBS variant of BUG_MDS */ -+#define X86_BUG_SWAPGS X86_BUG(12) /* CPU is affected by speculation through 
SWAPGS */ - - #endif /* _ASM_X86_CPUFEATURES_H */ ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -328,18 +328,6 @@ static const char * const spectre_v1_str - [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", - }; - --static bool is_swapgs_serializing(void) --{ -- /* -- * Technically, swapgs isn't serializing on AMD (despite it previously -- * being documented as such in the APM). But according to AMD, %gs is -- * updated non-speculatively, and the issuing of %gs-relative memory -- * operands will be blocked until the %gs update completes, which is -- * good enough for our purposes. -- */ -- return boot_cpu_data.x86_vendor == X86_VENDOR_AMD; --} -- - /* - * Does SMAP provide full mitigation against speculative kernel access to - * userspace? -@@ -390,9 +378,11 @@ static void __init spectre_v1_select_mit - * PTI as the CR3 write in the Meltdown mitigation - * is serializing. - * -- * If neither is there, mitigate with an LFENCE. -+ * If neither is there, mitigate with an LFENCE to -+ * stop speculation through swapgs. 
- */ -- if (!is_swapgs_serializing() && !boot_cpu_has(X86_FEATURE_KAISER)) -+ if (boot_cpu_has_bug(X86_BUG_SWAPGS) && -+ !boot_cpu_has(X86_FEATURE_KAISER)) - setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); - - /* ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -813,6 +813,7 @@ static void identify_cpu_without_cpuid(s - #define NO_L1TF BIT(3) - #define NO_MDS BIT(4) - #define MSBDS_ONLY BIT(5) -+#define NO_SWAPGS BIT(6) - - #define VULNWL(_vendor, _family, _model, _whitelist) \ - { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } -@@ -836,29 +837,37 @@ static const __initconst struct x86_cpu_ - VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), - VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), - -- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY), -- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), -+ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), - - VULNWL_INTEL(CORE_YONAH, NO_SSB), - -- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY), -+ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS), - -- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF), -- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF), -+ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS), -+ 
VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS), -+ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS), -+ -+ /* -+ * Technically, swapgs isn't serializing on AMD (despite it previously -+ * being documented as such in the APM). But according to AMD, %gs is -+ * updated non-speculatively, and the issuing of %gs-relative memory -+ * operands will be blocked until the %gs update completes, which is -+ * good enough for our purposes. -+ */ - - /* AMD Family 0xf - 0x12 */ -- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS), -+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), -+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), -+ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), -+ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), - - /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ -- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS), -+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS), - {} - }; - -@@ -895,6 +904,9 @@ static void __init cpu_set_bug_bits(stru - setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); - } - -+ if (!cpu_matches(NO_SWAPGS)) -+ setup_force_cpu_bug(X86_BUG_SWAPGS); -+ - if (cpu_matches(NO_MELTDOWN)) - return; - diff --git a/queue-3.16/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch b/queue-3.16/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch deleted file mode 100644 index 263d3820..00000000 --- a/queue-3.16/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From: Juergen Gross <jgross@suse.com> -Date: Wed, 19 Jun 2019 11:00:56 +0200 -Subject: xen: let alloc_xenballooned_pages() fail if not enough memory free - -commit a1078e821b605813b63bf6bca414a85f804d5c66 upstream. - -Instead of trying to allocate pages with GFP_USER in -add_ballooned_pages() check the available free memory via -si_mem_available(). GFP_USER is far less limiting memory exhaustion -than the test via si_mem_available(). - -This will avoid dom0 running out of memory due to excessive foreign -page mappings especially on ARM and on x86 in PVH mode, as those don't -have a pre-ballooned area which can be used for foreign mappings. - -As the normal ballooning suffers from the same problem don't balloon -down more than si_mem_available() pages in one iteration. At the same -time limit the default maximum number of retries. - -This is part of XSA-300. - -Signed-off-by: Juergen Gross <jgross@suse.com> -[bwh: Backported to 3.16: adjust context, indentation] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/xen/balloon.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - ---- a/drivers/xen/balloon.c -+++ b/drivers/xen/balloon.c -@@ -502,8 +502,15 @@ static void balloon_process(struct work_ - state = reserve_additional_memory(credit); - } - -- if (credit < 0) -- state = decrease_reservation(-credit, GFP_BALLOON); -+ if (credit < 0) { -+ long n_pages; -+ -+ n_pages = min(-credit, si_mem_available()); -+ state = decrease_reservation(n_pages, GFP_BALLOON); -+ if (state == BP_DONE && n_pages != -credit && -+ n_pages < totalreserve_pages) -+ state = BP_EAGAIN; -+ } - - state = update_schedule(state); - -@@ -561,6 +568,9 @@ int alloc_xenballooned_pages(int nr_page - enum bp_state st; - if (page) - balloon_append(page); -+ if (si_mem_available() < nr_pages) -+ return -ENOMEM; -+ - st = decrease_reservation(nr_pages - pgno, - highmem ? 
GFP_HIGHUSER : GFP_USER); - if (st != BP_DONE) -@@ -692,7 +702,7 @@ static int __init balloon_init(void) - balloon_stats.schedule_delay = 1; - balloon_stats.max_schedule_delay = 32; - balloon_stats.retry_count = 1; -- balloon_stats.max_retry_count = RETRY_UNLIMITED; -+ balloon_stats.max_retry_count = 4; - - #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG - balloon_stats.hotplug_pages = 0; diff --git a/queue-3.16/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch b/queue-3.16/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch deleted file mode 100644 index c4d176a2..00000000 --- a/queue-3.16/xen-prevent-buffer-overflow-in-privcmd-ioctl.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Thu, 4 Apr 2019 18:12:17 +0300 -Subject: xen: Prevent buffer overflow in privcmd ioctl - -commit 42d8644bd77dd2d747e004e367cb0c895a606f39 upstream. - -The "call" variable comes from the user in privcmd_ioctl_hypercall(). -It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32) -elements. We need to put an upper bound on it to prevent an out of -bounds access. - -Fixes: 1246ae0bb992 ("xen: add variable hypercall caller") -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> -Signed-off-by: Juergen Gross <jgross@suse.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/include/asm/xen/hypercall.h | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/arch/x86/include/asm/xen/hypercall.h -+++ b/arch/x86/include/asm/xen/hypercall.h -@@ -215,6 +215,9 @@ privcmd_call(unsigned call, - __HYPERCALL_DECLS; - __HYPERCALL_5ARG(a1, a2, a3, a4, a5); - -+ if (call >= PAGE_SIZE / sizeof(hypercall_page[0])) -+ return -EINVAL; -+ - stac(); - asm volatile(CALL_NOSPEC - : __HYPERCALL_5PARAM 
diff --git a/queue-3.16/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch b/queue-3.16/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch deleted file mode 100644 index 8f94c0e8..00000000 --- a/queue-3.16/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfrm_policy_unlink.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Thu, 28 Feb 2019 15:18:59 +0800 -Subject: xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink - -commit b805d78d300bcf2c83d6df7da0c818b0fee41427 upstream. - -UBSAN report this: - -UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 -index 6 is out of range for type 'unsigned int [6]' -CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 - 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4 - 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80 - ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8 -Call Trace: - <IRQ> [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline] - <IRQ> [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51 - [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 - [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382 - [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289 - [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309 - [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243 - [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144 - [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline] - [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401 - [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273 - [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline] - [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391 - [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline] - [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926 - [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735 - <EOI> [<ffffffff81188096>] ? 
native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52 - [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline] - [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446 - [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437 - [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92 - [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline] - [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline] - [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299 - [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245 - -The issue is triggered as this: - -xfrm_add_policy - -->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX - //In my case, the index is 0x6E6BB6, so it pass the check. - -->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer - -->xfrm_policy_insert - --> __xfrm_policy_link //use the orgin dir, in my case is 2 - --> xfrm_gen_index //generate policy index, there is 0x6E6BB6 - -then xfrm_policy_timer be fired - -xfrm_policy_timer - --> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6 - --> xfrm_policy_delete - --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access - -Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is -valid, to fix the issue. 
- -Reported-by: Hulk Robot <hulkci@huawei.com> -Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Acked-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/xfrm/xfrm_user.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/xfrm/xfrm_user.c -+++ b/net/xfrm/xfrm_user.c -@@ -1255,7 +1255,7 @@ static int verify_newpolicy_info(struct - ret = verify_policy_dir(p->dir); - if (ret) - return ret; -- if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) -+ if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) - return -EINVAL; - - return 0; diff --git a/queue-3.16/xfrm4-fix-header-checks-in-_decode_session4.patch b/queue-3.16/xfrm4-fix-header-checks-in-_decode_session4.patch deleted file mode 100644 index 695af0f4..00000000 --- a/queue-3.16/xfrm4-fix-header-checks-in-_decode_session4.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From: Steffen Klassert <steffen.klassert@secunet.com> -Date: Fri, 23 Oct 2015 07:31:23 +0200 -Subject: xfrm4: Fix header checks in _decode_session4. - -commit 1a14f1e5550a341f76e5c8f596e9b5f8a886dfbc upstream. - -We skip the header informations if the data pointer points -already behind the header in question for some protocols. -This is because we call pskb_may_pull with a negative value -converted to unsigened int from pskb_may_pull in this case. -Skipping the header informations can lead to incorrect policy -lookups, so fix it by a check of the data pointer position -before we call pskb_may_pull. - -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv4/xfrm4_policy.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/net/ipv4/xfrm4_policy.c -+++ b/net/ipv4/xfrm4_policy.c -@@ -131,7 +131,8 @@ _decode_session4(struct sk_buff *skb, st - break; - - case IPPROTO_ICMP: -- if (pskb_may_pull(skb, xprth + 2 - skb->data)) { -+ if (xprth + 2 < skb->data || -+ pskb_may_pull(skb, xprth + 2 - skb->data)) { - u8 *icmp = xprth; - - fl4->fl4_icmp_type = icmp[0]; -@@ -140,7 +141,8 @@ _decode_session4(struct sk_buff *skb, st - break; - - case IPPROTO_ESP: -- if (pskb_may_pull(skb, xprth + 4 - skb->data)) { -+ if (xprth + 4 < skb->data || -+ pskb_may_pull(skb, xprth + 4 - skb->data)) { - __be32 *ehdr = (__be32 *)xprth; - - fl4->fl4_ipsec_spi = ehdr[0]; -@@ -148,7 +150,8 @@ _decode_session4(struct sk_buff *skb, st - break; - - case IPPROTO_AH: -- if (pskb_may_pull(skb, xprth + 8 - skb->data)) { -+ if (xprth + 8 < skb->data || -+ pskb_may_pull(skb, xprth + 8 - skb->data)) { - __be32 *ah_hdr = (__be32 *)xprth; - - fl4->fl4_ipsec_spi = ah_hdr[1]; -@@ -156,7 +159,8 @@ _decode_session4(struct sk_buff *skb, st - break; - - case IPPROTO_COMP: -- if (pskb_may_pull(skb, xprth + 4 - skb->data)) { -+ if (xprth + 4 < skb->data || -+ pskb_may_pull(skb, xprth + 4 - 
skb->data)) { - __be16 *ipcomp_hdr = (__be16 *)xprth; - - fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); -@@ -164,7 +168,8 @@ _decode_session4(struct sk_buff *skb, st - break; - - case IPPROTO_GRE: -- if (pskb_may_pull(skb, xprth + 12 - skb->data)) { -+ if (xprth + 12 < skb->data || -+ pskb_may_pull(skb, xprth + 12 - skb->data)) { - __be16 *greflags = (__be16 *)xprth; - __be32 *gre_hdr = (__be32 *)xprth; - diff --git a/queue-3.16/xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch b/queue-3.16/xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch deleted file mode 100644 index 2a20ddb0..00000000 --- a/queue-3.16/xfrm4-fix-uninitialized-memory-read-in-_decode_session4.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From: Steffen Klassert <steffen.klassert@secunet.com> -Date: Tue, 26 Feb 2019 07:04:50 +0100 -Subject: xfrm4: Fix uninitialized memory read in _decode_session4 - -commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 upstream. - -We currently don't reload pointers pointing into skb header -after doing pskb_may_pull() in _decode_session4(). So in case -pskb_may_pull() changed the pointers, we read from random -memory. Fix this by putting all the needed infos on the -stack, so that we don't need to access the header pointers -after doing pskb_may_pull(). - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv4/xfrm4_policy.c | 24 +++++++++++++----------- - 1 file changed, 13 insertions(+), 11 deletions(-) - ---- a/net/ipv4/xfrm4_policy.c -+++ b/net/ipv4/xfrm4_policy.c -@@ -103,7 +103,8 @@ static void - _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) - { - const struct iphdr *iph = ip_hdr(skb); -- u8 *xprth = skb_network_header(skb) + iph->ihl * 4; -+ int ihl = iph->ihl; -+ u8 *xprth = skb_network_header(skb) + ihl * 4; - struct flowi4 *fl4 = &fl->u.ip4; - int oif = 0; - -@@ -114,6 +115,11 @@ _decode_session4(struct sk_buff *skb, st - fl4->flowi4_mark = skb->mark; - fl4->flowi4_oif = reverse ? skb->skb_iif : oif; - -+ fl4->flowi4_proto = iph->protocol; -+ fl4->daddr = reverse ? iph->saddr : iph->daddr; -+ fl4->saddr = reverse ? 
iph->daddr : iph->saddr; -+ fl4->flowi4_tos = iph->tos; -+ - if (!ip_is_fragment(iph)) { - switch (iph->protocol) { - case IPPROTO_UDP: -@@ -125,7 +131,7 @@ _decode_session4(struct sk_buff *skb, st - pskb_may_pull(skb, xprth + 4 - skb->data)) { - __be16 *ports; - -- xprth = skb_network_header(skb) + iph->ihl * 4; -+ xprth = skb_network_header(skb) + ihl * 4; - ports = (__be16 *)xprth; - - fl4->fl4_sport = ports[!!reverse]; -@@ -138,7 +144,7 @@ _decode_session4(struct sk_buff *skb, st - pskb_may_pull(skb, xprth + 2 - skb->data)) { - u8 *icmp; - -- xprth = skb_network_header(skb) + iph->ihl * 4; -+ xprth = skb_network_header(skb) + ihl * 4; - icmp = xprth; - - fl4->fl4_icmp_type = icmp[0]; -@@ -151,7 +157,7 @@ _decode_session4(struct sk_buff *skb, st - pskb_may_pull(skb, xprth + 4 - skb->data)) { - __be32 *ehdr; - -- xprth = skb_network_header(skb) + iph->ihl * 4; -+ xprth = skb_network_header(skb) + ihl * 4; - ehdr = (__be32 *)xprth; - - fl4->fl4_ipsec_spi = ehdr[0]; -@@ -163,7 +169,7 @@ _decode_session4(struct sk_buff *skb, st - pskb_may_pull(skb, xprth + 8 - skb->data)) { - __be32 *ah_hdr; - -- xprth = skb_network_header(skb) + iph->ihl * 4; -+ xprth = skb_network_header(skb) + ihl * 4; - ah_hdr = (__be32 *)xprth; - - fl4->fl4_ipsec_spi = ah_hdr[1]; -@@ -175,7 +181,7 @@ _decode_session4(struct sk_buff *skb, st - pskb_may_pull(skb, xprth + 4 - skb->data)) { - __be16 *ipcomp_hdr; - -- xprth = skb_network_header(skb) + iph->ihl * 4; -+ xprth = skb_network_header(skb) + ihl * 4; - ipcomp_hdr = (__be16 *)xprth; - - fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); -@@ -188,7 +194,7 @@ _decode_session4(struct sk_buff *skb, st - __be16 *greflags; - __be32 *gre_hdr; - -- xprth = skb_network_header(skb) + iph->ihl * 4; -+ xprth = skb_network_header(skb) + ihl * 4; - greflags = (__be16 *)xprth; - gre_hdr = (__be32 *)xprth; - -@@ -205,10 +211,6 @@ _decode_session4(struct sk_buff *skb, st - break; - } - } -- fl4->flowi4_proto = iph->protocol; -- fl4->daddr = reverse ? 
iph->saddr : iph->daddr; -- fl4->saddr = reverse ? iph->daddr : iph->saddr; -- fl4->flowi4_tos = iph->tos; - } - - static inline int xfrm4_garbage_collect(struct dst_ops *ops) diff --git a/queue-3.16/xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch b/queue-3.16/xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch deleted file mode 100644 index e76ed28e..00000000 --- a/queue-3.16/xfrm4-reload-skb-header-pointers-after-calling-pskb_may_pull.patch +++ /dev/null 
@@ -1,92 +0,0 @@
-From: Steffen Klassert <steffen.klassert@secunet.com>
-Date: Fri, 23 Oct 2015 07:32:39 +0200
-Subject: xfrm4: Reload skb header pointers after calling pskb_may_pull.
-
-commit ea673a4d3a337184f3c314dcc6300bf02f39e077 upstream.
-
-A call to pskb_may_pull may change the pointers into the packet,
-so reload the pointers after the call.
-
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/ipv4/xfrm4_policy.c | 33 ++++++++++++++++++++++++++-------
- 1 file changed, 26 insertions(+), 7 deletions(-)
-
---- a/net/ipv4/xfrm4_policy.c
-+++ b/net/ipv4/xfrm4_policy.c
-@@ -123,7 +123,10 @@ _decode_session4(struct sk_buff *skb, st
- case IPPROTO_DCCP:
- if (xprth + 4 < skb->data ||
- pskb_may_pull(skb, xprth + 4 - skb->data)) {
-- __be16 *ports = (__be16 *)xprth;
-+ __be16 *ports;
-+
-+ xprth = skb_network_header(skb) + iph->ihl * 4;
-+ ports = (__be16 *)xprth;
-
- fl4->fl4_sport = ports[!!reverse];
- fl4->fl4_dport = ports[!reverse];
-@@ -133,7 +136,10 @@ _decode_session4(struct sk_buff *skb, st
- case IPPROTO_ICMP:
- if (xprth + 2 < skb->data ||
- pskb_may_pull(skb, xprth + 2 - skb->data)) {
-- u8 *icmp = xprth;
-+ u8 *icmp;
-+
-+ xprth = skb_network_header(skb) + iph->ihl * 4;
-+ icmp = xprth;
-
- fl4->fl4_icmp_type = icmp[0];
- fl4->fl4_icmp_code = icmp[1];
-@@ -143,7 +149,10 @@ _decode_session4(struct sk_buff *skb, st
- case IPPROTO_ESP:
- if (xprth + 4 < skb->data ||
- pskb_may_pull(skb, xprth + 4 - skb->data)) {
-- __be32 *ehdr = (__be32 *)xprth;
-+ __be32 *ehdr;
-+
-+ xprth = skb_network_header(skb) + iph->ihl * 4;
-+ ehdr = (__be32 *)xprth;
-
- fl4->fl4_ipsec_spi = ehdr[0];
- }
-@@ -152,7 +161,10 @@ _decode_session4(struct sk_buff *skb, st
- case IPPROTO_AH:
- if (xprth + 8 < skb->data ||
- pskb_may_pull(skb, xprth + 8 - skb->data)) {
-- __be32 *ah_hdr = (__be32 *)xprth;
-+ __be32 *ah_hdr;
-+
-+ xprth = skb_network_header(skb) + iph->ihl * 4;
-+ ah_hdr = (__be32 *)xprth;
-
- fl4->fl4_ipsec_spi = ah_hdr[1];
- }
-@@ -161,7 +173,10 @@ _decode_session4(struct sk_buff *skb, st
- case IPPROTO_COMP:
- if (xprth + 4 < skb->data ||
- pskb_may_pull(skb, xprth + 4 - skb->data)) {
-- __be16 *ipcomp_hdr = (__be16 *)xprth;
-+ __be16 *ipcomp_hdr;
-+
-+ xprth = skb_network_header(skb) + iph->ihl * 4;
-+ ipcomp_hdr = (__be16 *)xprth;
-
- fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
- }
-@@ -170,8 +185,12 @@ _decode_session4(struct sk_buff *skb, st
- case IPPROTO_GRE:
- if (xprth + 12 < skb->data ||
- pskb_may_pull(skb, xprth + 12 - skb->data)) {
-- __be16 *greflags = (__be16 *)xprth;
-- __be32 *gre_hdr = (__be32 *)xprth;
-+ __be16 *greflags;
-+ __be32 *gre_hdr;
-+
-+ xprth = skb_network_header(skb) + iph->ihl * 4;
-+ greflags = (__be16 *)xprth;
-+ gre_hdr = (__be32 *)xprth;
-
- if (greflags[0] & GRE_KEY) {
- if (greflags[0] & GRE_CSUM)
diff --git a/queue-3.16/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch b/queue-3.16/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch
deleted file mode 100644
index fa0e6d3c..00000000
--- a/queue-3.16/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm6_tunnel-module.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Su Yanjun <suyj.fnst@cn.fujitsu.com>
-Date: Thu, 14 Mar 2019 14:59:42 +0800
-Subject: xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
-
-commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 upstream.
-
-When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly
-frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the
-xfrm6_tunnel_spi, so need to wait it.
-
-Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion")
-Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
-Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/ipv6/xfrm6_tunnel.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/ipv6/xfrm6_tunnel.c
-+++ b/net/ipv6/xfrm6_tunnel.c
-@@ -390,6 +390,10 @@ static void __exit xfrm6_tunnel_fini(voi
- xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
- xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
- unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
-+ /* Someone maybe has gotten the xfrm6_tunnel_spi.
-+ * So need to wait it.
-+ */
-+ rcu_barrier();
- kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
- }
-
diff --git a/queue-3.16/xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch b/queue-3.16/xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch
deleted file mode 100644
index ec135c8e..00000000
--- a/queue-3.16/xhci-don-t-let-usb3-ports-stuck-in-polling-state-prevent-suspend.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-Date: Fri, 22 Mar 2019 17:50:17 +0200
-Subject: xhci: Don't let USB3 ports stuck in polling state prevent suspend
-
-commit d92f2c59cc2cbca6bfb2cc54882b58ba76b15fd4 upstream.
-
-Commit 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect
-change or polling state is detected") was intended to prevent ports that
-were still link training from being forced to U3 suspend state mid
-enumeration.
-This solved enumeration issues for devices with slow link training.
-
-Turns out some devices are stuck in the link training/polling state,
-and thus that patch will prevent suspend completely for these devices.
-This is seen with USB3 card readers in some MacBooks.
-
-Instead of preventing suspend, give some time to complete the link
-training. On successful training the port will end up as connected
-and enabled.
-If port instead is stuck in link training the bus suspend will continue
-suspending after 360ms (10 * 36ms) timeout (tPollingLFPSTimeout).
-
-Original patch was sent to stable, this one should go there as well
-
-Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected")
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/usb/host/xhci-hub.c | 19 ++++++++++++-------
- drivers/usb/host/xhci.h | 8 ++++++++
- 2 files changed, 20 insertions(+), 7 deletions(-)
-
---- a/drivers/usb/host/xhci-hub.c
-+++ b/drivers/usb/host/xhci-hub.c
-@@ -1199,20 +1199,25 @@ int xhci_bus_suspend(struct usb_hcd *hcd
- port_index = max_ports;
- while (port_index--) {
- u32 t1, t2;
--
-+ int retries = 10;
-+retry:
- t1 = readl(port_array[port_index]);
- t2 = xhci_port_state_to_neutral(t1);
- portsc_buf[port_index] = 0;
-
-- /* Bail out if a USB3 port has a new device in link training */
-- if ((hcd->speed >= HCD_USB3) &&
-+ /*
-+ * Give a USB3 port in link training time to finish, but don't
-+ * prevent suspend as port might be stuck
-+ */
-+ if ((hcd->speed >= HCD_USB3) && retries-- &&
- (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
-- bus_state->bus_suspended = 0;
- spin_unlock_irqrestore(&xhci->lock, flags);
-- xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
-- return -EBUSY;
-+ msleep(XHCI_PORT_POLLING_LFPS_TIME);
-+ spin_lock_irqsave(&xhci->lock, flags);
-+ xhci_dbg(xhci, "port %d polling in bus suspend, waiting\n",
-+ port_index);
-+ goto retry;
- }
--
- /* suspend ports in U0, or bail out for new connect changes */
- if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) {
- if ((t1 & PORT_CSC) && wake_enabled) {
---- a/drivers/usb/host/xhci.h
-+++ b/drivers/usb/host/xhci.h
-@@ -413,6 +413,14 @@ struct xhci_op_regs {
- */
- #define XHCI_DEFAULT_BESL 4
-
-+/*
-+ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
-+ * to complete link training. usually link trainig completes much faster
-+ * so check status 10 times with 36ms sleep in places we need to wait for
-+ * polling to complete.
-+ */
-+#define XHCI_PORT_POLLING_LFPS_TIME 36
-+
- /**
- * struct xhci_intr_reg - Interrupt Register Set
- * @irq_pending: IMAN - Interrupt Management Register. Used to enable
diff --git a/queue-3.16/xsysace-fix-error-handling-in-ace_setup.patch b/queue-3.16/xsysace-fix-error-handling-in-ace_setup.patch
deleted file mode 100644
index 208a5893..00000000
--- a/queue-3.16/xsysace-fix-error-handling-in-ace_setup.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Guenter Roeck <linux@roeck-us.net>
-Date: Tue, 19 Feb 2019 08:49:56 -0800
-Subject: xsysace: Fix error handling in ace_setup
-
-commit 47b16820c490149c2923e8474048f2c6e7557cab upstream.
-
-If xace hardware reports a bad version number, the error handling code
-in ace_setup() calls put_disk(), followed by queue cleanup. However, since
-the disk data structure has the queue pointer set, put_disk() also
-cleans and releases the queue. This results in blk_cleanup_queue()
-accessing an already released data structure, which in turn may result
-in a crash such as the following.
-
-[ 10.681671] BUG: Kernel NULL pointer dereference at 0x00000040
-[ 10.681826] Faulting instruction address: 0xc0431480
-[ 10.682072] Oops: Kernel access of bad area, sig: 11 [#1]
-[ 10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440
-[ 10.682387] Modules linked in:
-[ 10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G W 5.0.0-rc6-next-20190218+ #2
-[ 10.682733] NIP: c0431480 LR: c043147c CTR: c0422ad8
-[ 10.682863] REGS: cf82fbe0 TRAP: 0300 Tainted: G W (5.0.0-rc6-next-20190218+)
-[ 10.683065] MSR: 00029000 <CE,EE,ME> CR: 22000222 XER: 00000000
-[ 10.683236] DEAR: 00000040 ESR: 00000000
-[ 10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000
-[ 10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000
-[ 10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000
-[ 10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800
-[ 10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114
-[ 10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114
-[ 10.684602] Call Trace:
-[ 10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable)
-[ 10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c
-[ 10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68
-[ 10.685154] [cf82fcf0] [c0423ec0] blk_cleanup_queue+0x34/0x14c
-[ 10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508
-[ 10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8
-[ 10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c
-[ 10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464
-[ 10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4
-[ 10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc
-[ 10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0
-[ 10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234
-[ 10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c
-[ 10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac
-[ 10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330
-[ 10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478
-[ 10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114
-[ 10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c
-[ 10.687349] Instruction dump:
-[ 10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008
-[ 10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008
-[ 10.688056] ---[ end trace 13c9ff51d41b9d40 ]---
-
-Fix the problem by setting the disk queue pointer to NULL before calling
-put_disk(). A more comprehensive fix might be to rearrange the code
-to check the hardware version before initializing data structures,
-but I don't know if this would have undesirable side effects, and
-it would increase the complexity of backporting the fix to older kernels.
-
-Fixes: 74489a91dd43a ("Add support for Xilinx SystemACE CompactFlash interface")
-Acked-by: Michal Simek <michal.simek@xilinx.com>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/block/xsysace.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/block/xsysace.c
-+++ b/drivers/block/xsysace.c
-@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *
- return 0;
-
- err_read:
-+ /* prevent double queue cleanup */
-+ ace->gd->queue = NULL;
- put_disk(ace->gd);
- err_alloc_disk:
- blk_cleanup_queue(ace->queue);
diff --git a/queue-3.16/xtensa-fix-return_address.patch b/queue-3.16/xtensa-fix-return_address.patch
deleted file mode 100644
index 2ed7678f..00000000
--- a/queue-3.16/xtensa-fix-return_address.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Max Filippov <jcmvbkbc@gmail.com>
-Date: Thu, 4 Apr 2019 11:08:40 -0700
-Subject: xtensa: fix return_address
-
-commit ada770b1e74a77fff2d5f539bf6c42c25f4784db upstream.
-
-return_address returns the address that is one level higher in the call
-stack than requested in its argument, because level 0 corresponds to its
-caller's return address. Use requested level as the number of stack
-frames to skip.
-
-This fixes the address reported by might_sleep and friends.
-
-Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- arch/xtensa/kernel/stacktrace.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/arch/xtensa/kernel/stacktrace.c
-+++ b/arch/xtensa/kernel/stacktrace.c
-@@ -107,10 +107,14 @@ static int return_address_cb(struct stac
- return 1;
- }
-
-+/*
-+ * level == 0 is for the return address from the caller of this function,
-+ * not from this function itself.
-+ */
- unsigned long return_address(unsigned level)
- {
- struct return_addr_data r = {
-- .skip = level + 1,
-+ .skip = level,
- };
- walk_stackframe(stack_pointer(NULL), return_address_cb, &r);
- return r.addr; |