diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2019-07-09 22:06:37 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-07-09 22:06:37 +0100 |
commit | 10ead6a05362236a200357541e7b5f6852ddaeab (patch) | |
tree | 0406f24ae9284c37f1d364ea876aaa80ecc751ca /queue-3.16 | |
parent | cbc660c8ba6d5e645e85e24d4e6e7f0ccd9d56fb (diff) | |
download | linux-stable-queue-10ead6a05362236a200357541e7b5f6852ddaeab.tar.gz |
Release 3.16.70
Diffstat (limited to 'queue-3.16')
130 files changed, 0 insertions, 8922 deletions
diff --git a/queue-3.16/9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch b/queue-3.16/9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch deleted file mode 100644 index a97c7358..00000000 --- a/queue-3.16/9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch +++ /dev/null @@ -1,314 +0,0 @@ -From: Hou Tao <houtao1@huawei.com> -Date: Thu, 24 Jan 2019 14:35:13 +0800 -Subject: 9p: use inode->i_lock to protect i_size_write() under 32-bit - -commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream. - -Use inode->i_lock to protect i_size_write(), else i_size_read() in -generic_fillattr() may loop infinitely in read_seqcount_begin() when -multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl() -simultaneously under 32-bit SMP environment, and a soft lockup will be -triggered as show below: - - watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217] - Modules linked in: - CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4 - Hardware name: Generic DT based system - PC is at generic_fillattr+0x104/0x108 - LR is at 0xec497f00 - pc : [<802b8898>] lr : [<ec497f00>] psr: 200c0013 - sp : ec497e20 ip : ed608030 fp : ec497e3c - r10: 00000000 r9 : ec497f00 r8 : ed608030 - r7 : ec497ebc r6 : ec497f00 r5 : ee5c1550 r4 : ee005780 - r3 : 0000052d r2 : 00000000 r1 : ec497f00 r0 : ed608030 - Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none - Control: 10c5387d Table: ac48006a DAC: 00000051 - CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4 - Hardware name: Generic DT based system - Backtrace: - [<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24) - [<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc) - [<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20) - [<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8) - [<801d0800>] (watchdog_timer_fn) from [<80198658>] (__hrtimer_run_queues+0x18c/0x380) - [<801984cc>] (__hrtimer_run_queues) from [<80198e60>] (hrtimer_run_queues+0xb8/0xf0) - [<80198da8>] (hrtimer_run_queues) from [<801973e8>] (run_local_timers+0x28/0x64) - [<801973c0>] (run_local_timers) from [<80197460>] (update_process_times+0x3c/0x6c) - [<80197424>] (update_process_times) from [<801ab2b8>] (tick_nohz_handler+0xe0/0x1bc) - [<801ab1d8>] (tick_nohz_handler) from [<80843050>] (arch_timer_handler_virt+0x38/0x48) - [<80843018>] (arch_timer_handler_virt) from [<80180a64>] (handle_percpu_devid_irq+0x8c/0x240) - [<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>] (generic_handle_irq+0x34/0x44) - [<8017abec>] (generic_handle_irq) from [<8017b344>] (__handle_domain_irq+0x6c/0xc4) - [<8017b2d8>] (__handle_domain_irq) from [<801022e0>] (gic_handle_irq+0x4c/0x88) - [<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98) - [<802b8794>] (generic_fillattr) from [<8056b284>] (v9fs_vfs_getattr_dotl+0x74/0xa4) - [<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>] (vfs_getattr_nosec+0x68/0x7c) - [<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48) - [<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec) - [<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78) - [<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28) - -[dominique.martinet@cea.fr: updated comment to not refer to a function -in another subsystem] -Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com -Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode->i_size directly.") -Reported-by: Xing Gaopeng <xingaopeng@huawei.com> -Signed-off-by: Hou Tao <houtao1@huawei.com> -Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/9p/v9fs_vfs.h | 23 +++++++++++++++++++++-- - fs/9p/vfs_file.c | 6 +++++- - fs/9p/vfs_inode.c | 23 +++++++++++------------ - fs/9p/vfs_inode_dotl.c | 27 ++++++++++++++------------- - fs/9p/vfs_super.c | 4 ++-- - 5 files changed, 53 insertions(+), 30 deletions(-) - ---- a/fs/9p/v9fs_vfs.h -+++ b/fs/9p/v9fs_vfs.h -@@ -40,6 +40,9 @@ - */ - #define P9_LOCK_TIMEOUT (30*HZ) - -+/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */ -+#define V9FS_STAT2INODE_KEEP_ISIZE 1 -+ - extern struct file_system_type v9fs_fs_type; - extern const struct address_space_operations v9fs_addr_operations; - extern const struct file_operations v9fs_file_operations; -@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_ - struct inode *inode, umode_t mode, dev_t); - void v9fs_evict_inode(struct inode *inode); - ino_t v9fs_qid2ino(struct p9_qid *qid); --void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *); --void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *); -+void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, -+ struct super_block *sb, unsigned int flags); -+void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, -+ unsigned int flags); - int v9fs_dir_release(struct inode *inode, struct file *filp); - int v9fs_file_open(struct inode *inode, struct file *file); - void v9fs_inode2stat(struct inode *inode, struct p9_wstat *stat); -@@ -87,4 +92,18 @@ static inline void v9fs_invalidate_inode - } - - int v9fs_open_to_dotl_flags(int flags); -+ -+static inline void v9fs_i_size_write(struct inode *inode, loff_t i_size) -+{ -+ /* -+ * 32-bit need the lock, concurrent updates could break the -+ * sequences and make i_size_read() loop forever. -+ * 64-bit updates are atomic and can skip the locking. -+ */ -+ if (sizeof(i_size) > sizeof(long)) -+ spin_lock(&inode->i_lock); -+ i_size_write(inode, i_size); -+ if (sizeof(i_size) > sizeof(long)) -+ spin_unlock(&inode->i_lock); -+} - #endif ---- a/fs/9p/vfs_file.c -+++ b/fs/9p/vfs_file.c -@@ -484,7 +484,11 @@ v9fs_file_write_internal(struct inode *i - i_size = i_size_read(inode); - if (*offset > i_size) { - inode_add_bytes(inode, *offset - i_size); -- i_size_write(inode, *offset); -+ /* -+ * Need to serialize against i_size_write() in -+ * v9fs_stat2inode() -+ */ -+ v9fs_i_size_write(inode, *offset); - } - } - if (n < 0) ---- a/fs/9p/vfs_inode.c -+++ b/fs/9p/vfs_inode.c -@@ -538,7 +538,7 @@ static struct inode *v9fs_qid_iget(struc - if (retval) - goto error; - -- v9fs_stat2inode(st, inode, sb); -+ v9fs_stat2inode(st, inode, sb, 0); - v9fs_cache_inode_get_cookie(inode); - unlock_new_inode(inode); - return inode; -@@ -1074,7 +1074,7 @@ v9fs_vfs_getattr(struct vfsmount *mnt, s - if (IS_ERR(st)) - return PTR_ERR(st); - -- v9fs_stat2inode(st, dentry->d_inode, dentry->d_inode->i_sb); -+ v9fs_stat2inode(st, dentry->d_inode, dentry->d_inode->i_sb, 0); - generic_fillattr(dentry->d_inode, stat); - - p9stat_free(st); -@@ -1152,12 +1152,13 @@ static int v9fs_vfs_setattr(struct dentr - * @stat: Plan 9 metadata (mistat) structure - * @inode: inode to populate - * @sb: superblock of filesystem -+ * @flags: control flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE) - * - */ - - void - v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, -- struct super_block *sb) -+ struct super_block *sb, unsigned int flags) - { - umode_t mode; - char ext[32]; -@@ -1198,10 +1199,11 @@ v9fs_stat2inode(struct p9_wstat *stat, s - mode = p9mode2perm(v9ses, stat); - mode |= inode->i_mode & ~S_IALLUGO; - inode->i_mode = mode; -- i_size_write(inode, stat->length); - -+ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE)) -+ v9fs_i_size_write(inode, stat->length); - /* not real number of blocks, but 512 byte ones ... */ -- inode->i_blocks = (i_size_read(inode) + 512 - 1) >> 9; -+ inode->i_blocks = (stat->length + 512 - 1) >> 9; - v9inode->cache_validity &= ~V9FS_INO_INVALID_ATTR; - } - -@@ -1465,9 +1467,9 @@ int v9fs_refresh_inode(struct p9_fid *fi - { - int umode; - dev_t rdev; -- loff_t i_size; - struct p9_wstat *st; - struct v9fs_session_info *v9ses; -+ unsigned int flags; - - v9ses = v9fs_inode2v9ses(inode); - st = p9_client_stat(fid); -@@ -1480,16 +1482,13 @@ int v9fs_refresh_inode(struct p9_fid *fi - if ((inode->i_mode & S_IFMT) != (umode & S_IFMT)) - goto out; - -- spin_lock(&inode->i_lock); - /* - * We don't want to refresh inode->i_size, - * because we may have cached data - */ -- i_size = inode->i_size; -- v9fs_stat2inode(st, inode, inode->i_sb); -- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) -- inode->i_size = i_size; -- spin_unlock(&inode->i_lock); -+ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ? -+ V9FS_STAT2INODE_KEEP_ISIZE : 0; -+ v9fs_stat2inode(st, inode, inode->i_sb, flags); - out: - p9stat_free(st); - kfree(st); ---- a/fs/9p/vfs_inode_dotl.c -+++ b/fs/9p/vfs_inode_dotl.c -@@ -143,7 +143,7 @@ static struct inode *v9fs_qid_iget_dotl( - if (retval) - goto error; - -- v9fs_stat2inode_dotl(st, inode); -+ v9fs_stat2inode_dotl(st, inode, 0); - v9fs_cache_inode_get_cookie(inode); - retval = v9fs_get_acl(inode, fid); - if (retval) -@@ -498,7 +498,7 @@ v9fs_vfs_getattr_dotl(struct vfsmount *m - if (IS_ERR(st)) - return PTR_ERR(st); - -- v9fs_stat2inode_dotl(st, dentry->d_inode); -+ v9fs_stat2inode_dotl(st, dentry->d_inode, 0); - generic_fillattr(dentry->d_inode, stat); - /* Change block size to what the server returned */ - stat->blksize = st->st_blksize; -@@ -609,11 +609,13 @@ int v9fs_vfs_setattr_dotl(struct dentry - * v9fs_stat2inode_dotl - populate an inode structure with stat info - * @stat: stat structure - * @inode: inode to populate -+ * @flags: ctrl flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE) - * - */ - - void --v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode) -+v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, -+ unsigned int flags) - { - umode_t mode; - struct v9fs_inode *v9inode = V9FS_I(inode); -@@ -633,7 +635,8 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl - mode |= inode->i_mode & ~S_IALLUGO; - inode->i_mode = mode; - -- i_size_write(inode, stat->st_size); -+ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE)) -+ v9fs_i_size_write(inode, stat->st_size); - inode->i_blocks = stat->st_blocks; - } else { - if (stat->st_result_mask & P9_STATS_ATIME) { -@@ -663,8 +666,9 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl - } - if (stat->st_result_mask & P9_STATS_RDEV) - inode->i_rdev = new_decode_dev(stat->st_rdev); -- if (stat->st_result_mask & P9_STATS_SIZE) -- i_size_write(inode, stat->st_size); -+ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) && -+ stat->st_result_mask & P9_STATS_SIZE) -+ v9fs_i_size_write(inode, stat->st_size); - if (stat->st_result_mask & P9_STATS_BLOCKS) - inode->i_blocks = stat->st_blocks; - } -@@ -946,9 +950,9 @@ ndset: - - int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode) - { -- loff_t i_size; - struct p9_stat_dotl *st; - struct v9fs_session_info *v9ses; -+ unsigned int flags; - - v9ses = v9fs_inode2v9ses(inode); - st = p9_client_getattr_dotl(fid, P9_STATS_ALL); -@@ -960,16 +964,13 @@ int v9fs_refresh_inode_dotl(struct p9_fi - if ((inode->i_mode & S_IFMT) != (st->st_mode & S_IFMT)) - goto out; - -- spin_lock(&inode->i_lock); - /* - * We don't want to refresh inode->i_size, - * because we may have cached data - */ -- i_size = inode->i_size; -- v9fs_stat2inode_dotl(st, inode); -- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) -- inode->i_size = i_size; -- spin_unlock(&inode->i_lock); -+ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ? -+ V9FS_STAT2INODE_KEEP_ISIZE : 0; -+ v9fs_stat2inode_dotl(st, inode, flags); - out: - kfree(st); - return 0; ---- a/fs/9p/vfs_super.c -+++ b/fs/9p/vfs_super.c -@@ -169,7 +169,7 @@ static struct dentry *v9fs_mount(struct - goto release_sb; - } - root->d_inode->i_ino = v9fs_qid2ino(&st->qid); -- v9fs_stat2inode_dotl(st, root->d_inode); -+ v9fs_stat2inode_dotl(st, root->d_inode, 0); - kfree(st); - } else { - struct p9_wstat *st = NULL; -@@ -180,7 +180,7 @@ static struct dentry *v9fs_mount(struct - } - - root->d_inode->i_ino = v9fs_qid2ino(&st->qid); -- v9fs_stat2inode(st, root->d_inode, sb); -+ v9fs_stat2inode(st, root->d_inode, sb, 0); - - p9stat_free(st); - kfree(st); diff --git a/queue-3.16/alsa-bebob-use-more-identical-mod_alias-for-saffire-pro-10-i-o.patch b/queue-3.16/alsa-bebob-use-more-identical-mod_alias-for-saffire-pro-10-i-o.patch deleted file mode 100644 index 82b322bf..00000000 --- a/queue-3.16/alsa-bebob-use-more-identical-mod_alias-for-saffire-pro-10-i-o.patch +++ /dev/null @@ -1,176 +0,0 @@ -From: Takashi Sakamoto <o-takashi@sakamocchi.jp> -Date: Tue, 26 Feb 2019 13:38:16 +0900 -Subject: ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O - against Liquid Saffire 56 - -commit 7dc661bd8d3261053b69e4e2d0050cd1ee540fc1 upstream. - -ALSA bebob driver has an entry for Focusrite Saffire Pro 10 I/O. The -entry matches vendor_id in root directory and model_id in unit -directory of configuration ROM for IEEE 1394 bus. - -On the other hand, configuration ROM of Focusrite Liquid Saffire 56 -has the same vendor_id and model_id. This device is an application of -TCAT Dice (TCD2220 a.k.a Dice Jr.) however ALSA bebob driver can be -bound to it randomly instead of ALSA dice driver. At present, drivers -in ALSA firewire stack can not handle this situation appropriately. - -This commit uses more identical mod_alias for Focusrite Saffire Pro 10 -I/O in ALSA bebob driver. - -$ python2 crpp < /sys/bus/firewire/devices/fw1/config_rom - ROM header and bus information block - ----------------------------------------------------------------- -400 042a829d bus_info_length 4, crc_length 42, crc 33437 -404 31333934 bus_name "1394" -408 f0649222 irmc 1, cmc 1, isc 1, bmc 1, pmc 0, cyc_clk_acc 100, - max_rec 9 (1024), max_rom 2, gen 2, spd 2 (S400) -40c 00130e01 company_id 00130e | -410 000606e0 device_id 01000606e0 | EUI-64 00130e01000606e0 - - root directory - ----------------------------------------------------------------- -414 0009d31c directory_length 9, crc 54044 -418 04000014 hardware version -41c 0c0083c0 node capabilities per IEEE 1394 -420 0300130e vendor -424 81000012 --> descriptor leaf at 46c -428 17000006 model -42c 81000016 --> descriptor leaf at 484 -430 130120c2 version -434 d1000002 --> unit directory at 43c -438 d4000006 --> dependent info directory at 450 - - unit directory at 43c - ----------------------------------------------------------------- -43c 0004707c directory_length 4, crc 28796 -440 1200a02d specifier id: 1394 TA -444 13010001 version: AV/C -448 17000006 model -44c 81000013 --> descriptor leaf at 498 - - dependent info directory at 450 - ----------------------------------------------------------------- -450 000637c7 directory_length 6, crc 14279 -454 120007f5 specifier id -458 13000001 version -45c 3affffc7 (immediate value) -460 3b100000 (immediate value) -464 3cffffc7 (immediate value) -468 3d600000 (immediate value) - - descriptor leaf at 46c - ----------------------------------------------------------------- -46c 00056f3b leaf_length 5, crc 28475 -470 00000000 textual descriptor -474 00000000 minimal ASCII -478 466f6375 "Focu" -47c 73726974 "srit" -480 65000000 "e" - - descriptor leaf at 484 - ----------------------------------------------------------------- -484 0004a165 leaf_length 4, crc 41317 -488 00000000 textual descriptor -48c 00000000 minimal ASCII -490 50726f31 "Pro1" -494 30494f00 "0IO" - - descriptor leaf at 498 - ----------------------------------------------------------------- -498 0004a165 leaf_length 4, crc 41317 -49c 00000000 textual descriptor -4a0 00000000 minimal ASCII -4a4 50726f31 "Pro1" -4a8 30494f00 "0IO" - -$ python2 crpp < /sys/bus/firewire/devices/fw1/config_rom - ROM header and bus information block - ----------------------------------------------------------------- -400 040442e4 bus_info_length 4, crc_length 4, crc 17124 -404 31333934 bus_name "1394" -408 e0ff8112 irmc 1, cmc 1, isc 1, bmc 0, pmc 0, cyc_clk_acc 255, - max_rec 8 (512), max_rom 1, gen 1, spd 2 (S400) -40c 00130e04 company_id 00130e | -410 018001e9 device_id 04018001e9 | EUI-64 00130e04018001e9 - - root directory - ----------------------------------------------------------------- -414 00065612 directory_length 6, crc 22034 -418 0300130e vendor -41c 8100000a --> descriptor leaf at 444 -420 17000006 model -424 8100000e --> descriptor leaf at 45c -428 0c0087c0 node capabilities per IEEE 1394 -42c d1000001 --> unit directory at 430 - - unit directory at 430 - ----------------------------------------------------------------- -430 000418a0 directory_length 4, crc 6304 -434 1200130e specifier id -438 13000001 version -43c 17000006 model -440 8100000f --> descriptor leaf at 47c - - descriptor leaf at 444 - ----------------------------------------------------------------- -444 00056f3b leaf_length 5, crc 28475 -448 00000000 textual descriptor -44c 00000000 minimal ASCII -450 466f6375 "Focu" -454 73726974 "srit" -458 65000000 "e" - - descriptor leaf at 45c - ----------------------------------------------------------------- -45c 000762c6 leaf_length 7, crc 25286 -460 00000000 textual descriptor -464 00000000 minimal ASCII -468 4c495155 "LIQU" -46c 49445f53 "ID_S" -470 41464649 "AFFI" -474 52455f35 "RE_5" -478 36000000 "6" - - descriptor leaf at 47c - ----------------------------------------------------------------- -47c 000762c6 leaf_length 7, crc 25286 -480 00000000 textual descriptor -484 00000000 minimal ASCII -488 4c495155 "LIQU" -48c 49445f53 "ID_S" -490 41464649 "AFFI" -494 52455f35 "RE_5" -498 36000000 "6" - -Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series") -Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/firewire/bebob/bebob.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - ---- a/sound/firewire/bebob/bebob.c -+++ b/sound/firewire/bebob/bebob.c -@@ -396,7 +396,19 @@ static const struct ieee1394_device_id b - /* Focusrite, SaffirePro 26 I/O */ - SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x00000003, &saffirepro_26_spec), - /* Focusrite, SaffirePro 10 I/O */ -- SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x00000006, &saffirepro_10_spec), -+ { -+ // The combination of vendor_id and model_id is the same as the -+ // same as the one of Liquid Saffire 56. -+ .match_flags = IEEE1394_MATCH_VENDOR_ID | -+ IEEE1394_MATCH_MODEL_ID | -+ IEEE1394_MATCH_SPECIFIER_ID | -+ IEEE1394_MATCH_VERSION, -+ .vendor_id = VEN_FOCUSRITE, -+ .model_id = 0x000006, -+ .specifier_id = 0x00a02d, -+ .version = 0x010001, -+ .driver_data = (kernel_ulong_t)&saffirepro_10_spec, -+ }, - /* Focusrite, Saffire(no label and LE) */ - SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, MODEL_FOCUSRITE_SAFFIRE_BOTH, - &saffire_spec), diff --git a/queue-3.16/applicom-fix-potential-spectre-v1-vulnerabilities.patch b/queue-3.16/applicom-fix-potential-spectre-v1-vulnerabilities.patch deleted file mode 100644 index feb5cf9e..00000000 --- a/queue-3.16/applicom-fix-potential-spectre-v1-vulnerabilities.patch +++ /dev/null @@ -1,100 +0,0 @@ -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Wed, 9 Jan 2019 16:05:10 -0600 -Subject: applicom: Fix potential Spectre v1 vulnerabilities - -commit d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c upstream. - -IndexCard is indirectly controlled by user-space, hence leading to -a potential exploitation of the Spectre variant 1 vulnerability. - -This issue was detected with the help of Smatch: - -drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r] -drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap) - -Fix this by sanitizing IndexCard before using it to index apbs. - -Notice that given that speculation windows are large, the policy is -to kill the speculation on the first load and not worry if it can be -completed with a dependent load/store [1]. - -[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ - -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/char/applicom.c | 35 ++++++++++++++++++++++++----------- - 1 file changed, 24 insertions(+), 11 deletions(-) - ---- a/drivers/char/applicom.c -+++ b/drivers/char/applicom.c -@@ -32,6 +32,7 @@ - #include <linux/wait.h> - #include <linux/init.h> - #include <linux/fs.h> -+#include <linux/nospec.h> - - #include <asm/io.h> - #include <asm/uaccess.h> -@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *fil - TicCard = st_loc.tic_des_from_pc; /* tic number to send */ - IndexCard = NumCard - 1; - -- if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO) -+ if (IndexCard >= MAX_BOARD) -+ return -EINVAL; -+ IndexCard = array_index_nospec(IndexCard, MAX_BOARD); -+ -+ if (!apbs[IndexCard].RamIO) - return -EINVAL; - - #ifdef DEBUG -@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file, - unsigned char IndexCard; - void __iomem *pmem; - int ret = 0; -+ static int warncount = 10; - volatile unsigned char byte_reset_it; - struct st_ram_io *adgl; - void __user *argp = (void __user *)arg; -@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file, - mutex_lock(&ac_mutex); - IndexCard = adgl->num_card-1; - -- if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) { -- static int warncount = 10; -- if (warncount) { -- printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1); -- warncount--; -- } -- kfree(adgl); -- mutex_unlock(&ac_mutex); -- return -EINVAL; -- } -+ if (cmd != 6 && IndexCard >= MAX_BOARD) -+ goto err; -+ IndexCard = array_index_nospec(IndexCard, MAX_BOARD); -+ -+ if (cmd != 6 && !apbs[IndexCard].RamIO) -+ goto err; - - switch (cmd) { - -@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file, - kfree(adgl); - mutex_unlock(&ac_mutex); - return 0; -+ -+err: -+ if (warncount) { -+ pr_warn("APPLICOM driver IOCTL, bad board number %d\n", -+ (int)IndexCard + 1); -+ warncount--; -+ } -+ kfree(adgl); -+ mutex_unlock(&ac_mutex); -+ return -EINVAL; -+ - } - diff --git a/queue-3.16/arm-s3c24xx-fix-boolean-expressions-in-osiris_dvs_notify.patch b/queue-3.16/arm-s3c24xx-fix-boolean-expressions-in-osiris_dvs_notify.patch deleted file mode 100644 index 7565d497..00000000 --- a/queue-3.16/arm-s3c24xx-fix-boolean-expressions-in-osiris_dvs_notify.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Thu, 3 Jan 2019 14:14:08 -0600 -Subject: ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify - -commit e2477233145f2156434afb799583bccd878f3e9f upstream. - -Fix boolean expressions by using logical AND operator '&&' instead of -bitwise operator '&'. - -This issue was detected with the help of Coccinelle. - -Fixes: 4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.") -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -[krzk: Fix -Wparentheses warning] -Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c -+++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c -@@ -70,16 +70,16 @@ static int osiris_dvs_notify(struct noti - - switch (val) { - case CPUFREQ_PRECHANGE: -- if (old_dvs & !new_dvs || -- cur_dvs & !new_dvs) { -+ if ((old_dvs && !new_dvs) || -+ (cur_dvs && !new_dvs)) { - pr_debug("%s: exiting dvs\n", __func__); - cur_dvs = false; - gpio_set_value(OSIRIS_GPIO_DVS, 1); - } - break; - case CPUFREQ_POSTCHANGE: -- if (!old_dvs & new_dvs || -- !cur_dvs & new_dvs) { -+ if ((!old_dvs && new_dvs) || -+ (!cur_dvs && new_dvs)) { - pr_debug("entering dvs\n"); - cur_dvs = true; - gpio_set_value(OSIRIS_GPIO_DVS, 0); diff --git a/queue-3.16/asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch b/queue-3.16/asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch deleted file mode 100644 index 6c32be92..00000000 --- a/queue-3.16/asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Tue, 19 Feb 2019 16:46:47 +0100 -Subject: ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() - -commit 2757970f6d0d0a112247600b23d38c0c728ceeb3 upstream. - -The node obtained from of_find_node_by_path() has to be unreferenced -after the use, but we forgot it for the root node. - -Fixes: f0fba2ad1b6b ("ASoC: multi-component - ASoC Multi-Component Support") -Cc: Timur Tabi <timur@kernel.org> -Cc: Nicolin Chen <nicoleotsuka@gmail.com> -Cc: Xiubo Li <Xiubo.Lee@gmail.com> -Cc: Fabio Estevam <festevam@gmail.com> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Acked-by: Nicolin Chen <nicoleotsuka@gmail.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -[bwh: Backported to 3.16: - - Move declaration of root to the top of the function as there is no - suitable block scope - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/sound/soc/fsl/fsl_ssi.c -+++ b/sound/soc/fsl/fsl_ssi.c -@@ -1229,6 +1229,7 @@ static int fsl_ssi_probe(struct platform - struct fsl_ssi_private *ssi_private; - int ret = 0; - struct device_node *np = pdev->dev.of_node; -+ struct device_node *root; - const struct of_device_id *of_id; - const char *p, *sprop; - const uint32_t *iprop; -@@ -1373,7 +1374,9 @@ static int fsl_ssi_probe(struct platform - * device tree. We also pass the address of the CPU DAI driver - * structure. - */ -- sprop = of_get_property(of_find_node_by_path("/"), "compatible", NULL); -+ root = of_find_node_by_path("/"); -+ sprop = of_get_property(root, "compatible", NULL); -+ of_node_put(root); - /* Sometimes the compatible name has a "fsl," prefix, so we strip it. */ - p = strrchr(sprop, ','); - if (p) diff --git a/queue-3.16/asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch b/queue-3.16/asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch deleted file mode 100644 index d7136ca6..00000000 --- a/queue-3.16/asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: "S.j. Wang" <shengjiu.wang@nxp.com> -Date: Mon, 18 Feb 2019 08:29:11 +0000 -Subject: ASoC: fsl_esai: fix register setting issue in RIGHT_J mode - -commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream. - -The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit, driver set it to -wrong register, correct it. - -Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver") -Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com> -Reviewed-by: Fabio Estevam <festevam@gmail.com> -Ackedy-by: Nicolin Chen <nicoleotsuka@gmail.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/soc/fsl/fsl_esai.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/sound/soc/fsl/fsl_esai.c -+++ b/sound/soc/fsl/fsl_esai.c -@@ -392,7 +392,8 @@ static int fsl_esai_set_dai_fmt(struct s - break; - case SND_SOC_DAIFMT_RIGHT_J: - /* Data on rising edge of bclk, frame high, right aligned */ -- xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA; -+ xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP; -+ xcr |= ESAI_xCR_xWA; - break; - case SND_SOC_DAIFMT_DSP_A: - /* Data on rising edge of bclk, frame high, 1clk before data */ -@@ -449,12 +450,12 @@ static int fsl_esai_set_dai_fmt(struct s - return -EINVAL; - } - -- mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR; -+ mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA; - regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr); - regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr); - - mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP | -- ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA; -+ ESAI_xCCR_xFSD | ESAI_xCCR_xCKD; - regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr); - regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr); - diff --git a/queue-3.16/asoc-imx-sgtl5000-put-of-nodes-if-finding-codec-fails.patch b/queue-3.16/asoc-imx-sgtl5000-put-of-nodes-if-finding-codec-fails.patch deleted file mode 100644 index 7f4483ec..00000000 --- a/queue-3.16/asoc-imx-sgtl5000-put-of-nodes-if-finding-codec-fails.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Stefan Agner <stefan@agner.ch> -Date: Fri, 18 Jan 2019 10:06:52 +0100 -Subject: ASoC: imx-sgtl5000: put of nodes if finding codec fails - -commit d9866572486802bc598a3e8576a5231378d190de upstream. - -Make sure to properly put the of node in case finding the codec -fails. - -Fixes: 81e8e4926167 ("ASoC: fsl: add sgtl5000 clock support for imx-sgtl5000") -Signed-off-by: Stefan Agner <stefan@agner.ch> -Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com> -Acked-by: Nicolin Chen <nicoleotsuka@gmail.com> -Reviewed-by: Fabio Estevam <festevam@gmail.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - sound/soc/fsl/imx-sgtl5000.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/sound/soc/fsl/imx-sgtl5000.c -+++ b/sound/soc/fsl/imx-sgtl5000.c -@@ -118,7 +118,8 @@ static int imx_sgtl5000_probe(struct pla - codec_dev = of_find_i2c_device_by_node(codec_np); - if (!codec_dev) { - dev_err(&pdev->dev, "failed to find codec platform device\n"); -- return -EPROBE_DEFER; -+ ret = -EPROBE_DEFER; -+ goto fail; - } - - data = devm_kzalloc(&pdev->dev, sizeof(*data), GFP_KERNEL); diff --git a/queue-3.16/bcache-never-writeback-a-discard-operation.patch b/queue-3.16/bcache-never-writeback-a-discard-operation.patch deleted file mode 100644 index 85831d23..00000000 --- a/queue-3.16/bcache-never-writeback-a-discard-operation.patch +++ /dev/null @@ -1,129 +0,0 @@ -From: Daniel Axtens <dja@axtens.net> -Date: Sat, 9 Feb 2019 12:52:53 +0800 -Subject: bcache: never writeback a discard operation - -commit 9951379b0ca88c95876ad9778b9099e19a95d566 upstream. - -Some users see panics like the following when performing fstrim on a -bcached volume: - -[ 529.803060] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 -[ 530.183928] #PF error: [normal kernel read fault] -[ 530.412392] PGD 8000001f42163067 P4D 8000001f42163067 PUD 1f42168067 PMD 0 -[ 530.750887] Oops: 0000 [#1] SMP PTI -[ 530.920869] CPU: 10 PID: 4167 Comm: fstrim Kdump: loaded Not tainted 5.0.0-rc1+ #3 -[ 531.290204] Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 12/27/2015 -[ 531.693137] RIP: 0010:blk_queue_split+0x148/0x620 -[ 531.922205] Code: 60 38 89 55 a0 45 31 db 45 31 f6 45 31 c9 31 ff 89 4d 98 85 db 0f 84 7f 04 00 00 44 8b 6d 98 4c 89 ee 48 c1 e6 04 49 03 70 78 <8b> 46 08 44 8b 56 0c 48 -8b 16 44 29 e0 39 d8 48 89 55 a8 0f 47 c3 -[ 532.838634] RSP: 0018:ffffb9b708df39b0 EFLAGS: 00010246 -[ 533.093571] RAX: 00000000ffffffff RBX: 0000000000046000 RCX: 0000000000000000 -[ 533.441865] RDX: 0000000000000200 RSI: 0000000000000000 RDI: 0000000000000000 -[ 533.789922] RBP: ffffb9b708df3a48 R08: ffff940d3b3fdd20 R09: 0000000000000000 -[ 534.137512] R10: ffffb9b708df3958 R11: 0000000000000000 R12: 0000000000000000 -[ 534.485329] R13: 0000000000000000 R14: 0000000000000000 R15: ffff940d39212020 -[ 534.833319] FS: 00007efec26e3840(0000) GS:ffff940d1f480000(0000) knlGS:0000000000000000 -[ 535.224098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 535.504318] CR2: 0000000000000008 CR3: 0000001f4e256004 CR4: 00000000001606e0 -[ 535.851759] Call Trace: -[ 535.970308] ? mempool_alloc_slab+0x15/0x20 -[ 536.174152] ? bch_data_insert+0x42/0xd0 [bcache] -[ 536.403399] blk_mq_make_request+0x97/0x4f0 -[ 536.607036] generic_make_request+0x1e2/0x410 -[ 536.819164] submit_bio+0x73/0x150 -[ 536.980168] ? submit_bio+0x73/0x150 -[ 537.149731] ? bio_associate_blkg_from_css+0x3b/0x60 -[ 537.391595] ? _cond_resched+0x1a/0x50 -[ 537.573774] submit_bio_wait+0x59/0x90 -[ 537.756105] blkdev_issue_discard+0x80/0xd0 -[ 537.959590] ext4_trim_fs+0x4a9/0x9e0 -[ 538.137636] ? ext4_trim_fs+0x4a9/0x9e0 -[ 538.324087] ext4_ioctl+0xea4/0x1530 -[ 538.497712] ? _copy_to_user+0x2a/0x40 -[ 538.679632] do_vfs_ioctl+0xa6/0x600 -[ 538.853127] ? __do_sys_newfstat+0x44/0x70 -[ 539.051951] ksys_ioctl+0x6d/0x80 -[ 539.212785] __x64_sys_ioctl+0x1a/0x20 -[ 539.394918] do_syscall_64+0x5a/0x110 -[ 539.568674] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -We have observed it where both: -1) LVM/devmapper is involved (bcache backing device is LVM volume) and -2) writeback cache is involved (bcache cache_mode is writeback) - -On one machine, we can reliably reproduce it with: - - # echo writeback > /sys/block/bcache0/bcache/cache_mode - (not sure whether above line is required) - # mount /dev/bcache0 /test - # for i in {0..10}; do - file="$(mktemp /test/zero.XXX)" - dd if=/dev/zero of="$file" bs=1M count=256 - sync - rm $file - done - # fstrim -v /test - -Observing this with tracepoints on, we see the following writes: - -fstrim-18019 [022] .... 91107.302026: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 4260112 + 196352 hit 0 bypass 1 -fstrim-18019 [022] .... 91107.302050: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 4456464 + 262144 hit 0 bypass 1 -fstrim-18019 [022] .... 91107.302075: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 4718608 + 81920 hit 0 bypass 1 -fstrim-18019 [022] .... 91107.302094: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 5324816 + 180224 hit 0 bypass 1 -fstrim-18019 [022] .... 91107.302121: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 5505040 + 262144 hit 0 bypass 1 -fstrim-18019 [022] .... 91107.302145: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 5767184 + 81920 hit 0 bypass 1 -fstrim-18019 [022] .... 91107.308777: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0 DS 6373392 + 180224 hit 1 bypass 0 -<crash> - -Note the final one has different hit/bypass flags. - -This is because in should_writeback(), we were hitting a case where -the partial stripe condition was returning true and so -should_writeback() was returning true early. - -If that hadn't been the case, it would have hit the would_skip test, and -as would_skip == s->iop.bypass == true, should_writeback() would have -returned false. - -Looking at the git history from 'commit 72c270612bd3 ("bcache: Write out -full stripes")', it looks like the idea was to optimise for raid5/6: - - * If a stripe is already dirty, force writes to that stripe to - writeback mode - to help build up full stripes of dirty data - -To fix this issue, make sure that should_writeback() on a discard op -never returns true. - -More details of debugging: -https://www.spinics.net/lists/linux-bcache/msg06996.html - -Previous reports: - - https://bugzilla.kernel.org/show_bug.cgi?id=201051 - - https://bugzilla.kernel.org/show_bug.cgi?id=196103 - - https://www.spinics.net/lists/linux-bcache/msg06885.html - -(Coly Li: minor modification to follow maximum 75 chars per line rule) - -Cc: Kent Overstreet <koverstreet@google.com> -Fixes: 72c270612bd3 ("bcache: Write out full stripes") -Signed-off-by: Daniel Axtens <dja@axtens.net> -Signed-off-by: Coly Li <colyli@suse.de> -Signed-off-by: Jens Axboe <axboe@kernel.dk> -[bwh: Backported to 3.16: check REQ_DISCARD flag instead of calling bio_op()] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/md/bcache/writeback.h | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/md/bcache/writeback.h -+++ b/drivers/md/bcache/writeback.h -@@ -68,6 +68,9 @@ static inline bool should_writeback(stru - in_use > CUTOFF_WRITEBACK_SYNC) - return false; - -+ if (bio->bi_rw & REQ_DISCARD) -+ return false; -+ - if (dc->partial_stripes_expensive && - bcache_dev_stripe_dirty(dc, bio->bi_iter.bi_sector, - bio_sectors(bio))) diff --git a/queue-3.16/bcache-treat-stale-dirty-keys-as-bad-keys.patch b/queue-3.16/bcache-treat-stale-dirty-keys-as-bad-keys.patch deleted file mode 100644 index cd8c23a4..00000000 --- a/queue-3.16/bcache-treat-stale-dirty-keys-as-bad-keys.patch +++ /dev/null @@ -1,92 +0,0 @@ -From: Tang Junhui <tang.junhui.linux@gmail.com> -Date: Sat, 9 Feb 2019 12:52:58 +0800 -Subject: bcache: treat stale && dirty keys as bad keys - -commit 58ac323084ebf44f8470eeb8b82660f9d0ee3689 upstream. - -Stale && dirty keys can be produced in the follow way: -After writeback in write_dirty_finish(), dirty keys k1 will -replace by clean keys k2 -==>ret = bch_btree_insert(dc->disk.c, &keys, NULL, &w->key); -==>btree_insert_fn(struct btree_op *b_op, struct btree *b) -==>static int bch_btree_insert_node(struct btree *b, - struct btree_op *op, - struct keylist *insert_keys, - atomic_t *journal_ref, -Then two steps: -A) update k1 to k2 in btree node memory; - bch_btree_insert_keys(b, op, insert_keys, replace_key) -B) Write the bset(contains k2) to cache disk by a 30s delay work - bch_btree_leaf_dirty(b, journal_ref). -But before the 30s delay work write the bset to cache device, -these things happened: -A) GC works, and reclaim the bucket k2 point to; -B) Allocator works, and invalidate the bucket k2 point to, - and increase the gen of the bucket, and place it into free_inc - fifo; -C) Until now, the 30s delay work still does not finish work, - so in the disk, the key still is k1, it is dirty and stale - (its gen is smaller than the gen of the bucket). and then the - machine power off suddenly happens; -D) When the machine power on again, after the btree reconstruction, - the stale dirty key appear. - -In bch_extent_bad(), when expensive_debug_checks is off, it would -treat the dirty key as good even it is stale keys, and it would -cause bellow probelms: -A) In read_dirty() it would cause machine crash: - BUG_ON(ptr_stale(dc->disk.c, &w->key, 0)); -B) It could be worse when reads hits stale dirty keys, it would - read old incorrect data. - -This patch tolerate the existence of these stale && dirty keys, -and treat them as bad key in bch_extent_bad(). - -(Coly Li: fix indent which was modified by sender's email client) - -Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com> -Signed-off-by: Coly Li <colyli@suse.de> -Signed-off-by: Jens Axboe <axboe@kernel.dk> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/md/bcache/extents.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - ---- a/drivers/md/bcache/extents.c -+++ b/drivers/md/bcache/extents.c -@@ -530,6 +530,7 @@ static bool bch_extent_bad(struct btree_ - struct btree *b = container_of(bk, struct btree, keys); - struct bucket *g; - unsigned i, stale; -+ char buf[80]; - - if (!KEY_PTRS(k) || - bch_extent_invalid(bk, k)) -@@ -539,20 +540,20 @@ static bool bch_extent_bad(struct btree_ - if (!ptr_available(b->c, k, i)) - return true; - -- if (!expensive_debug_checks(b->c) && KEY_DIRTY(k)) -- return false; -- - for (i = 0; i < KEY_PTRS(k); i++) { - g = PTR_BUCKET(b->c, k, i); - stale = ptr_stale(b->c, k, i); - -+ if (stale && KEY_DIRTY(k)) { -+ bch_extent_to_text(buf, sizeof(buf), k); -+ pr_info("stale dirty pointer, stale %u, key: %s", -+ stale, buf); -+ } -+ - btree_bug_on(stale > 96, b, - "key too stale: %i, need_gc %u", - stale, b->c->need_gc); - -- btree_bug_on(stale && KEY_DIRTY(k) && KEY_SIZE(k), -- b, "stale dirty pointer"); -- - if (stale) - return true; - diff --git a/queue-3.16/binder-replace-p-with-pk-for-stable.patch b/queue-3.16/binder-replace-p-with-pk-for-stable.patch deleted file mode 100644 index 6b238185..00000000 --- a/queue-3.16/binder-replace-p-with-pk-for-stable.patch +++ /dev/null @@ -1,143 +0,0 @@ -From: Ben Hutchings <ben.hutchings@codethink.co.uk> -Date: Wed, 29 May 2019 18:02:44 +0100 -Subject: binder: Replace "%p" with "%pK" for stable - -This was done as part of upstream commits fdfb4a99b6ab "8inder: -separate binder allocator structure from binder proc", 19c987241ca1 -"binder: separate out binder_alloc functions", and 7a4408c6bd3e -"binder: make sure accesses to proc/thread are safe". However, those -commits made lots of other changes that are not suitable for stable. - -Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/android/binder.c | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - ---- a/drivers/staging/android/binder.c -+++ b/drivers/staging/android/binder.c -@@ -473,7 +473,7 @@ static void binder_insert_free_buffer(st - new_buffer_size = binder_buffer_size(proc, new_buffer); - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: add free buffer, size %zd, at %p\n", -+ "%d: add free buffer, size %zd, at %pK\n", - proc->pid, new_buffer_size, new_buffer); - - while (*p) { -@@ -552,7 +552,7 @@ static int binder_update_page_range(stru - struct mm_struct *mm; - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: %s pages %p-%p\n", proc->pid, -+ "%d: %s pages %pK-%pK\n", proc->pid, - allocate ? "allocate" : "free", start, end); - - if (end <= start) -@@ -593,7 +593,7 @@ static int binder_update_page_range(stru - BUG_ON(*page); - *page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO); - if (*page == NULL) { -- pr_err("%d: binder_alloc_buf failed for page at %p\n", -+ pr_err("%d: binder_alloc_buf failed for page at %pK\n", - proc->pid, page_addr); - goto err_alloc_page_failed; - } -@@ -602,7 +602,7 @@ static int binder_update_page_range(stru - page_array_ptr = page; - ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr); - if (ret) { -- pr_err("%d: binder_alloc_buf failed to map page at %p in kernel\n", -+ pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n", - proc->pid, page_addr); - goto err_map_kernel_failed; - } -@@ -706,7 +706,7 @@ static struct binder_buffer *binder_allo - } - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: binder_alloc_buf size %zd got buffer %p size %zd\n", -+ "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n", - proc->pid, size, buffer, buffer_size); - - has_page_addr = -@@ -736,7 +736,7 @@ static struct binder_buffer *binder_allo - binder_insert_free_buffer(proc, new_buffer); - } - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: binder_alloc_buf size %zd got %p\n", -+ "%d: binder_alloc_buf size %zd got %pK\n", - proc->pid, size, buffer); - buffer->data_size = data_size; - buffer->offsets_size = offsets_size; -@@ -776,7 +776,7 @@ static void binder_delete_free_buffer(st - if (buffer_end_page(prev) == buffer_end_page(buffer)) - free_page_end = 0; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: merge free, buffer %p share page with %p\n", -+ "%d: merge free, buffer %pK share page with %pK\n", - proc->pid, buffer, prev); - } - -@@ -789,14 +789,14 @@ static void binder_delete_free_buffer(st - buffer_start_page(buffer)) - free_page_start = 0; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: merge free, buffer %p share page with %p\n", -+ "%d: merge free, buffer %pK share page with %pK\n", - proc->pid, buffer, prev); - } - } - list_del(&buffer->entry); - if (free_page_start || free_page_end) { - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: merge free, buffer %p do not share page%s%s with %p or %p\n", -+ "%d: merge free, buffer %pK do not share page%s%s with %pK or %pK\n", - proc->pid, buffer, free_page_start ? "" : " end", - free_page_end ? "" : " start", prev, next); - binder_update_page_range(proc, 0, free_page_start ? -@@ -817,7 +817,7 @@ static void binder_free_buf(struct binde - ALIGN(buffer->offsets_size, sizeof(void *)); - - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%d: binder_free_buf %p size %zd buffer_size %zd\n", -+ "%d: binder_free_buf %pK size %zd buffer_size %zd\n", - proc->pid, buffer, size, buffer_size); - - BUG_ON(buffer->free); -@@ -2825,7 +2825,7 @@ static int binder_mmap(struct file *filp - #ifdef CONFIG_CPU_CACHE_VIPT - if (cache_is_vipt_aliasing()) { - while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) { -- pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); -+ pr_info("binder_mmap: %d %lx-%lx maps %pK bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer); - vma->vm_start += PAGE_SIZE; - } - } -@@ -3083,7 +3083,7 @@ static void binder_deferred_release(stru - - page_addr = proc->buffer + i * PAGE_SIZE; - binder_debug(BINDER_DEBUG_BUFFER_ALLOC, -- "%s: %d: page %d at %p not freed\n", -+ "%s: %d: page %d at %pK not freed\n", - __func__, proc->pid, i, page_addr); - unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE); - __free_page(proc->pages[i]); -@@ -3184,7 +3184,7 @@ static void print_binder_transaction(str - static void print_binder_buffer(struct seq_file *m, const char *prefix, - struct binder_buffer *buffer) - { -- seq_printf(m, "%s %d: %p size %zd:%zd %s\n", -+ seq_printf(m, "%s %d: %pK size %zd:%zd %s\n", - prefix, buffer->debug_id, buffer->data, - buffer->data_size, buffer->offsets_size, - buffer->transaction ? "active" : "delivered"); -@@ -3287,7 +3287,7 @@ static void print_binder_node(struct seq - - static void print_binder_ref(struct seq_file *m, struct binder_ref *ref) - { -- seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %p\n", -+ seq_printf(m, " ref %d: desc %d %snode %d s %d w %d d %pK\n", - ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ", - ref->node->debug_id, ref->strong, ref->weak, ref->death); - } diff --git a/queue-3.16/btrfs-fix-corruption-reading-shared-and-compressed-extents-after.patch b/queue-3.16/btrfs-fix-corruption-reading-shared-and-compressed-extents-after.patch deleted file mode 100644 index f94c0ea6..00000000 --- a/queue-3.16/btrfs-fix-corruption-reading-shared-and-compressed-extents-after.patch +++ /dev/null @@ -1,114 +0,0 @@ -From: Filipe Manana <fdmanana@suse.com> -Date: Thu, 14 Feb 2019 15:17:20 +0000 -Subject: Btrfs: fix corruption reading shared and compressed extents after - hole punching - -commit 8e928218780e2f1cf2f5891c7575e8f0b284fcce upstream. - -In the past we had data corruption when reading compressed extents that -are shared within the same file and they are consecutive, this got fixed -by commit 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and -shared extents") and by commit 808f80b46790f ("Btrfs: update fix for read -corruption of compressed and shared extents"). However there was a case -that was missing in those fixes, which is when the shared and compressed -extents are referenced with a non-zero offset. The following shell script -creates a reproducer for this issue: - - #!/bin/bash - - mkfs.btrfs -f /dev/sdc &> /dev/null - mount -o compress /dev/sdc /mnt/sdc - - # Create a file with 3 consecutive compressed extents, each has an - # uncompressed size of 128Kb and a compressed size of 4Kb. - for ((i = 1; i <= 3; i++)); do - head -c 4096 /dev/zero - for ((j = 1; j <= 31; j++)); do - head -c 4096 /dev/zero | tr '\0' "\377" - done - done > /mnt/sdc/foobar - sync - - echo "Digest after file creation: $(md5sum /mnt/sdc/foobar)" - - # Clone the first extent into offsets 128K and 256K. - xfs_io -c "reflink /mnt/sdc/foobar 0 128K 128K" /mnt/sdc/foobar - xfs_io -c "reflink /mnt/sdc/foobar 0 256K 128K" /mnt/sdc/foobar - sync - - echo "Digest after cloning: $(md5sum /mnt/sdc/foobar)" - - # Punch holes into the regions that are already full of zeroes. - xfs_io -c "fpunch 0 4K" /mnt/sdc/foobar - xfs_io -c "fpunch 128K 4K" /mnt/sdc/foobar - xfs_io -c "fpunch 256K 4K" /mnt/sdc/foobar - sync - - echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)" - - echo "Dropping page cache..." - sysctl -q vm.drop_caches=1 - echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)" - - umount /dev/sdc - -When running the script we get the following output: - - Digest after file creation: 5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar - linked 131072/131072 bytes at offset 131072 - 128 KiB, 1 ops; 0.0033 sec (36.960 MiB/sec and 295.6830 ops/sec) - linked 131072/131072 bytes at offset 262144 - 128 KiB, 1 ops; 0.0015 sec (78.567 MiB/sec and 628.5355 ops/sec) - Digest after cloning: 5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar - Digest after hole punching: 5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar - Dropping page cache... - Digest after hole punching: fba694ae8664ed0c2e9ff8937e7f1484 /mnt/sdc/foobar - -This happens because after reading all the pages of the extent in the -range from 128K to 256K for example, we read the hole at offset 256K -and then when reading the page at offset 260K we don't submit the -existing bio, which is responsible for filling all the page in the -range 128K to 256K only, therefore adding the pages from range 260K -to 384K to the existing bio and submitting it after iterating over the -entire range. Once the bio completes, the uncompressed data fills only -the pages in the range 128K to 256K because there's no more data read -from disk, leaving the pages in the range 260K to 384K unfilled. It is -just a slightly different variant of what was solved by commit -005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared -extents"). - -Fix this by forcing a bio submit, during readpages(), whenever we find a -compressed extent map for a page that is different from the extent map -for the previous page or has a different starting offset (in case it's -the same compressed extent), instead of the extent map's original start -offset. - -A test case for fstests follows soon. - -Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org> -Fixes: 808f80b46790f ("Btrfs: update fix for read corruption of compressed and shared extents") -Fixes: 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared extents") -Tested-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org> -Signed-off-by: Filipe Manana <fdmanana@suse.com> -Signed-off-by: David Sterba <dsterba@suse.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/btrfs/extent_io.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/fs/btrfs/extent_io.c -+++ b/fs/btrfs/extent_io.c -@@ -2936,11 +2936,11 @@ static int __do_readpage(struct extent_i - */ - if (test_bit(EXTENT_FLAG_COMPRESSED, &em->flags) && - prev_em_start && *prev_em_start != (u64)-1 && -- *prev_em_start != em->orig_start) -+ *prev_em_start != em->start) - force_bio_submit = true; - - if (prev_em_start) -- *prev_em_start = em->orig_start; -+ *prev_em_start = em->start; - - free_extent_map(em); - em = NULL; diff --git a/queue-3.16/btrfs-init-csum_list-before-possible-free.patch b/queue-3.16/btrfs-init-csum_list-before-possible-free.patch deleted file mode 100644 index 162c4169..00000000 --- a/queue-3.16/btrfs-init-csum_list-before-possible-free.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Dan Robertson <dan@dlrobertson.com> -Date: Tue, 19 Feb 2019 02:56:43 +0000 -Subject: btrfs: init csum_list before possible free - -commit e49be14b8d80e23bb7c53d78c21717a474ade76b upstream. - -The scrub_ctx csum_list member must be initialized before scrub_free_ctx -is called. If the csum_list is not initialized beforehand, the -list_empty call in scrub_free_csums will result in a null deref if the -allocation fails in the for loop. - -Fixes: a2de733c78fa ("btrfs: scrub") -Reviewed-by: Nikolay Borisov <nborisov@suse.com> -Signed-off-by: Dan Robertson <dan@dlrobertson.com> -Reviewed-by: David Sterba <dsterba@suse.com> -Signed-off-by: David Sterba <dsterba@suse.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/btrfs/scrub.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/btrfs/scrub.c -+++ b/fs/btrfs/scrub.c -@@ -417,6 +417,7 @@ struct scrub_ctx *scrub_setup_ctx(struct - sctx->pages_per_rd_bio = pages_per_rd_bio; - sctx->curr = -1; - sctx->dev_root = dev->dev_root; -+ INIT_LIST_HEAD(&sctx->csum_list); - for (i = 0; i < SCRUB_BIOS_PER_SCTX; ++i) { - struct scrub_bio *sbio; - -@@ -444,7 +445,6 @@ struct scrub_ctx *scrub_setup_ctx(struct - atomic_set(&sctx->workers_pending, 0); - atomic_set(&sctx->cancel_req, 0); - sctx->csum_size = btrfs_super_csum_size(fs_info->super_copy); -- INIT_LIST_HEAD(&sctx->csum_list); - - spin_lock_init(&sctx->list_lock); - spin_lock_init(&sctx->stat_lock); diff --git a/queue-3.16/cdc-wdm-pass-return-value-of-recover_from_urb_loss.patch b/queue-3.16/cdc-wdm-pass-return-value-of-recover_from_urb_loss.patch deleted file mode 100644 index 4db7aed4..00000000 --- a/queue-3.16/cdc-wdm-pass-return-value-of-recover_from_urb_loss.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Mon, 18 Feb 2019 22:34:51 +0800 -Subject: cdc-wdm: pass return value of recover_from_urb_loss - -commit 0742a338f5b3446a26de551ad8273fb41b2787f2 upstream. - -'rv' is the correct return value, pass it upstream instead of 0 - -Fixes: 17d80d562fd7 ("USB: autosuspend for cdc-wdm") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/usb/class/cdc-wdm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/class/cdc-wdm.c -+++ b/drivers/usb/class/cdc-wdm.c -@@ -1089,7 +1089,7 @@ static int wdm_post_reset(struct usb_int - rv = recover_from_urb_loss(desc); - mutex_unlock(&desc->wlock); - mutex_unlock(&desc->rlock); -- return 0; -+ return rv; - } - - static struct usb_driver wdm_driver = { diff --git a/queue-3.16/cifs-do-not-reset-lease-state-to-none-on-lease-break.patch b/queue-3.16/cifs-do-not-reset-lease-state-to-none-on-lease-break.patch deleted file mode 100644 index 57d60580..00000000 --- a/queue-3.16/cifs-do-not-reset-lease-state-to-none-on-lease-break.patch +++ /dev/null @@ -1,97 +0,0 @@ -From: Pavel Shilovsky <piastryyy@gmail.com> -Date: Wed, 13 Feb 2019 15:43:08 -0800 -Subject: CIFS: Do not reset lease state to NONE on lease break - -commit 7b9b9edb49ad377b1e06abf14354c227e9ac4b06 upstream. - -Currently on lease break the client sets a caching level twice: -when oplock is detected and when oplock is processed. While the -1st attempt sets the level to the value provided by the server, -the 2nd one resets the level to None unconditionally. -This happens because the oplock/lease processing code was changed -to avoid races between page cache flushes and oplock breaks. -The commit c11f1df5003d534 ("cifs: Wait for writebacks to complete -before attempting write.") fixed the races for oplocks but didn't -apply the same changes for leases resulting in overwriting the -server granted value to None. Fix this by properly processing -lease breaks. - -Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -[bwh: Backported to 3.16: drop change in smb311_operations] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/fs/cifs/smb2misc.c -+++ b/fs/cifs/smb2misc.c -@@ -420,7 +420,6 @@ smb2_tcon_has_lease(struct cifs_tcon *tc - __u8 lease_state; - struct list_head *tmp; - struct cifsFileInfo *cfile; -- struct TCP_Server_Info *server = tcon->ses->server; - struct cifs_pending_open *open; - struct cifsInodeInfo *cinode; - int ack_req = le32_to_cpu(rsp->Flags & -@@ -440,13 +439,25 @@ smb2_tcon_has_lease(struct cifs_tcon *tc - cifs_dbg(FYI, "lease key match, lease break 0x%d\n", - le32_to_cpu(rsp->NewLeaseState)); - -- server->ops->set_oplock_level(cinode, lease_state, 0, NULL); -- - if (ack_req) - cfile->oplock_break_cancelled = false; - else - cfile->oplock_break_cancelled = true; - -+ set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); -+ -+ /* -+ * Set or clear flags depending on the lease state being READ. -+ * HANDLE caching flag should be added when the client starts -+ * to defer closing remote file handles with HANDLE leases. -+ */ -+ if (lease_state & SMB2_LEASE_READ_CACHING_HE) -+ set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, -+ &cinode->flags); -+ else -+ clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, -+ &cinode->flags); -+ - queue_work(cifsoplockd_wq, &cfile->oplock_break); - kfree(lw); - return true; ---- a/fs/cifs/smb2ops.c -+++ b/fs/cifs/smb2ops.c -@@ -962,6 +962,15 @@ smb2_downgrade_oplock(struct TCP_Server_ - } - - static void -+smb21_downgrade_oplock(struct TCP_Server_Info *server, -+ struct cifsInodeInfo *cinode, bool set_level2) -+{ -+ server->ops->set_oplock_level(cinode, -+ set_level2 ? SMB2_LEASE_READ_CACHING_HE : -+ 0, 0, NULL); -+} -+ -+static void - smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, - unsigned int epoch, bool *purge_cache) - { -@@ -1253,7 +1262,7 @@ struct smb_version_operations smb21_oper - .print_stats = smb2_print_stats, - .is_oplock_break = smb2_is_valid_oplock_break, - .handle_cancelled_mid = smb2_handle_cancelled_mid, -- .downgrade_oplock = smb2_downgrade_oplock, -+ .downgrade_oplock = smb21_downgrade_oplock, - .need_neg = smb2_need_neg, - .negotiate = smb2_negotiate, - .negotiate_wsize = smb2_negotiate_wsize, -@@ -1331,7 +1340,7 @@ struct smb_version_operations smb30_oper - .dump_share_caps = smb2_dump_share_caps, - .is_oplock_break = smb2_is_valid_oplock_break, - .handle_cancelled_mid = smb2_handle_cancelled_mid, -- .downgrade_oplock = smb2_downgrade_oplock, -+ .downgrade_oplock = smb21_downgrade_oplock, - .need_neg = smb2_need_neg, - .negotiate = smb2_negotiate, - .negotiate_wsize = smb2_negotiate_wsize, diff --git a/queue-3.16/cifs-fix-read-after-write-for-files-with-read-caching.patch b/queue-3.16/cifs-fix-read-after-write-for-files-with-read-caching.patch deleted file mode 100644 index 39d27b38..00000000 --- a/queue-3.16/cifs-fix-read-after-write-for-files-with-read-caching.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Pavel Shilovsky <piastryyy@gmail.com> -Date: Mon, 4 Mar 2019 17:48:01 -0800 -Subject: CIFS: Fix read after write for files with read caching - -commit 6dfbd84684700cb58b34e8602c01c12f3d2595c8 upstream. - -When we have a READ lease for a file and have just issued a write -operation to the server we need to purge the cache and set oplock/lease -level to NONE to avoid reading stale data. Currently we do that -only if a write operation succedeed thus not covering cases when -a request was sent to the server but a negative error code was -returned later for some other reasons (e.g. -EIOCBQUEUED or -EINTR). -Fix this by turning off caching regardless of the error code being -returned. - -The patches fixes generic tests 075 and 112 from the xfs-tests. - -Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/cifs/file.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/fs/cifs/file.c -+++ b/fs/cifs/file.c -@@ -2661,14 +2661,16 @@ cifs_strict_writev(struct kiocb *iocb, s - * these pages but not on the region from pos to ppos+len-1. - */ - written = cifs_user_writev(iocb, from); -- if (written > 0 && CIFS_CACHE_READ(cinode)) { -+ if (CIFS_CACHE_READ(cinode)) { - /* -- * Windows 7 server can delay breaking level2 oplock if a write -- * request comes - break it on the client to prevent reading -- * an old data. -+ * We have read level caching and we have just sent a write -+ * request to the server thus making data in the cache stale. -+ * Zap the cache and set oplock/lease level to NONE to avoid -+ * reading stale data from the cache. All subsequent read -+ * operations will read new data from the server. - */ - cifs_zap_mapping(inode); -- cifs_dbg(FYI, "Set no oplock for inode=%p after a write operation\n", -+ cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after write\n", - inode); - cinode->oplock = 0; - } diff --git a/queue-3.16/clk-armada-370-fix-refcount-leak-in-a370_clk_init.patch b/queue-3.16/clk-armada-370-fix-refcount-leak-in-a370_clk_init.patch deleted file mode 100644 index c74d9779..00000000 --- a/queue-3.16/clk-armada-370-fix-refcount-leak-in-a370_clk_init.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:36:58 -0500 -Subject: clk: armada-370: fix refcount leak in a370_clk_init() - -commit a3c24050bdf70c958a8d98c2823b66ea761e6a31 upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com> -Fixes: 07ad6836fa21 ("clk: mvebu: armada-370: maintain clock init order") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/clk/mvebu/armada-370.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/clk/mvebu/armada-370.c -+++ b/drivers/clk/mvebu/armada-370.c -@@ -168,8 +168,10 @@ static void __init a370_clk_init(struct - - mvebu_coreclk_setup(np, &a370_coreclks); - -- if (cgnp) -+ if (cgnp) { - mvebu_clk_gating_setup(cgnp, a370_gating_desc); -+ of_node_put(cgnp); -+ } - } - CLK_OF_DECLARE(a370_clk, "marvell,armada-370-core-clock", a370_clk_init); - diff --git a/queue-3.16/clk-armada-xp-fix-refcount-leak-in-axp_clk_init.patch b/queue-3.16/clk-armada-xp-fix-refcount-leak-in-axp_clk_init.patch deleted file mode 100644 index fd9ca047..00000000 --- a/queue-3.16/clk-armada-xp-fix-refcount-leak-in-axp_clk_init.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:42:26 -0500 -Subject: clk: armada-xp: fix refcount leak in axp_clk_init() - -commit db20a90a4b6745dad62753f8bd2f66afdd5abc84 upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com> -Fixes: 0a11a6ae9437 ("clk: mvebu: armada-xp: maintain clock init order") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/clk/mvebu/armada-xp.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/clk/mvebu/armada-xp.c -+++ b/drivers/clk/mvebu/armada-xp.c -@@ -202,7 +202,9 @@ static void __init axp_clk_init(struct d - - mvebu_coreclk_setup(np, &axp_coreclks); - -- if (cgnp) -+ if (cgnp) { - mvebu_clk_gating_setup(cgnp, axp_gating_desc); -+ of_node_put(cgnp); -+ } - } - CLK_OF_DECLARE(axp_clk, "marvell,armada-xp-core-clock", axp_clk_init); diff --git a/queue-3.16/clk-dove-fix-refcount-leak-in-dove_clk_init.patch b/queue-3.16/clk-dove-fix-refcount-leak-in-dove_clk_init.patch deleted file mode 100644 index de3ae218..00000000 --- a/queue-3.16/clk-dove-fix-refcount-leak-in-dove_clk_init.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:50:13 -0500 -Subject: clk: dove: fix refcount leak in dove_clk_init() - -commit 8d726c5128298386b907963033be93407b0c4275 upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com> -Fixes: 8f7fc5450b64 ("clk: mvebu: dove: maintain clock init order") -Fixes: 63b8d92c793f ("clk: add Dove PLL divider support for GPU, VMeta and AXI clocks") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -[bwh: Backported to 3.16: There is no ddnp variable here] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/clk/mvebu/dove.c -+++ b/drivers/clk/mvebu/dove.c -@@ -187,7 +187,9 @@ static void __init dove_clk_init(struct - - mvebu_coreclk_setup(np, &dove_coreclks); - -- if (cgnp) -+ if (cgnp) { - mvebu_clk_gating_setup(cgnp, dove_gating_desc); -+ of_node_put(cgnp); -+ } - } - CLK_OF_DECLARE(dove_clk, "marvell,dove-core-clock", dove_clk_init); diff --git a/queue-3.16/clk-highbank-fix-refcount-leak-in-hb_clk_init.patch b/queue-3.16/clk-highbank-fix-refcount-leak-in-hb_clk_init.patch deleted file mode 100644 index 4def8af3..00000000 --- a/queue-3.16/clk-highbank-fix-refcount-leak-in-hb_clk_init.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:10:01 -0500 -Subject: clk: highbank: fix refcount leak in hb_clk_init() - -commit 5eb8ba90958de1285120dae5d3a5d2b1a360b3b4 upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Fixes: 26cae166cff9 ("ARM: highbank: remove custom .init_time hook") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/clk/clk-highbank.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/clk/clk-highbank.c -+++ b/drivers/clk/clk-highbank.c -@@ -293,6 +293,7 @@ static __init struct clk *hb_clk_init(st - /* Map system registers */ - srnp = of_find_compatible_node(NULL, NULL, "calxeda,hb-sregs"); - hb_clk->reg = of_iomap(srnp, 0); -+ of_node_put(srnp); - BUG_ON(!hb_clk->reg); - hb_clk->reg += reg; - diff --git a/queue-3.16/clk-imx6q-fix-refcount-leak-in-imx6q_clocks_init.patch b/queue-3.16/clk-imx6q-fix-refcount-leak-in-imx6q_clocks_init.patch deleted file mode 100644 index 22af679b..00000000 --- a/queue-3.16/clk-imx6q-fix-refcount-leak-in-imx6q_clocks_init.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:53:00 -0500 -Subject: clk: imx6q: fix refcount leak in imx6q_clocks_init() - -commit c9ec1d8fef31b5fc9e90e99f9bd685db5caa7c5e upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Fixes: 2acd1b6f889c ("ARM: i.MX6: implement clocks using common clock framework") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm/mach-imx/clk-imx6q.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/arm/mach-imx/clk-imx6q.c -+++ b/arch/arm/mach-imx/clk-imx6q.c -@@ -157,6 +157,7 @@ static void __init imx6q_clocks_init(str - np = of_find_compatible_node(NULL, NULL, "fsl,imx6q-anatop"); - base = of_iomap(np, 0); - WARN_ON(!base); -+ of_node_put(np); - - /* Audio/video PLL post dividers do not work on i.MX6q revision 1.0 */ - if (cpu_is_imx6q() && imx_get_soc_revision() == IMX_CHIP_REVISION_1_0) { diff --git a/queue-3.16/clk-imx6sx-fix-refcount-leak-in-imx6sx_clocks_init.patch b/queue-3.16/clk-imx6sx-fix-refcount-leak-in-imx6sx_clocks_init.patch deleted file mode 100644 index c670b9a0..00000000 --- a/queue-3.16/clk-imx6sx-fix-refcount-leak-in-imx6sx_clocks_init.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:55:10 -0500 -Subject: clk: imx6sx: fix refcount leak in imx6sx_clocks_init() - -commit 1731e14fb30212dd8c1e9f8fc1af061e56498c55 upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Fixes: d55135689019 ("ARM: imx: add clock driver for imx6sx") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm/mach-imx/clk-imx6sx.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/arm/mach-imx/clk-imx6sx.c -+++ b/arch/arm/mach-imx/clk-imx6sx.c -@@ -143,6 +143,7 @@ static void __init imx6sx_clocks_init(st - np = of_find_compatible_node(NULL, NULL, "fsl,imx6sx-anatop"); - base = of_iomap(np, 0); - WARN_ON(!base); -+ of_node_put(np); - - /* type name parent_name base div_mask */ - clks[IMX6SX_CLK_PLL1_SYS] = imx_clk_pllv3(IMX_PLLV3_SYS, "pll1_sys", "osc", base, 0x7f); diff --git a/queue-3.16/clk-kirkwood-fix-refcount-leak-in-kirkwood_clk_init.patch b/queue-3.16/clk-kirkwood-fix-refcount-leak-in-kirkwood_clk_init.patch deleted file mode 100644 index ba3c2629..00000000 --- a/queue-3.16/clk-kirkwood-fix-refcount-leak-in-kirkwood_clk_init.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:40:19 -0500 -Subject: clk: kirkwood: fix refcount leak in kirkwood_clk_init() - -commit e7beeab9c61591cd0e690d8733d534c3f4278ff8 upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com> -Fixes: 58d516ae95cb ("clk: mvebu: kirkwood: maintain clock init order") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/clk/mvebu/kirkwood.c -+++ b/drivers/clk/mvebu/kirkwood.c -@@ -236,8 +236,11 @@ static void __init kirkwood_clk_init(str - else - mvebu_coreclk_setup(np, &kirkwood_coreclks); - -- if (cgnp) -+ if (cgnp) { - mvebu_clk_gating_setup(cgnp, kirkwood_gating_desc); -+ -+ of_node_put(cgnp); -+ } - } - CLK_OF_DECLARE(kirkwood_clk, "marvell,kirkwood-core-clock", - kirkwood_clk_init); diff --git a/queue-3.16/clk-samsung-exynos4-fix-refcount-leak-in-exynos4_get_xom.patch b/queue-3.16/clk-samsung-exynos4-fix-refcount-leak-in-exynos4_get_xom.patch deleted file mode 100644 index bcc9dc03..00000000 --- a/queue-3.16/clk-samsung-exynos4-fix-refcount-leak-in-exynos4_get_xom.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:32:15 -0500 -Subject: clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() - -commit cee82eb9532090cd1dc953e845d71f9b1445c84e upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Fixes: e062b571777f ("clk: exynos4: register clocks using common clock framework") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/clk/samsung/clk-exynos4.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/clk/samsung/clk-exynos4.c -+++ b/drivers/clk/samsung/clk-exynos4.c -@@ -1032,6 +1032,7 @@ static unsigned long exynos4_get_xom(voi - xom = readl(chipid_base + 8); - - iounmap(chipid_base); -+ of_node_put(np); - } - - return xom; diff --git a/queue-3.16/clk-socfpga-fix-refcount-leak.patch b/queue-3.16/clk-socfpga-fix-refcount-leak.patch deleted file mode 100644 index 121cc2a1..00000000 --- a/queue-3.16/clk-socfpga-fix-refcount-leak.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:29:02 -0500 -Subject: clk: socfpga: fix refcount leak - -commit 7f9705beeb3759e69165e7aff588f6488ff6c1ac upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Fixes: 5343325ff3dd ("clk: socfpga: add a clock driver for the Arria 10 platform") -Fixes: a30d27ed739b ("clk: socfpga: fix clock driver for 3.15") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -[bwh: Backported to 3.16: drop changes in clk-pll-a10.c] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/clk/socfpga/clk-pll.c -+++ b/drivers/clk/socfpga/clk-pll.c -@@ -102,6 +102,7 @@ static __init struct clk *__socfpga_pll_ - - clkmgr_np = of_find_compatible_node(NULL, NULL, "altr,clk-mgr"); - clk_mgr_base_addr = of_iomap(clkmgr_np, 0); -+ of_node_put(clkmgr_np); - BUG_ON(!clk_mgr_base_addr); - pll_clk->hw.reg = clk_mgr_base_addr + reg; - diff --git a/queue-3.16/clk-vf610-fix-refcount-leak-in-vf610_clocks_init.patch b/queue-3.16/clk-vf610-fix-refcount-leak-in-vf610_clocks_init.patch deleted file mode 100644 index c8a39fce..00000000 --- a/queue-3.16/clk-vf610-fix-refcount-leak-in-vf610_clocks_init.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Yangtao Li <tiny.windzz@gmail.com> -Date: Wed, 26 Dec 2018 08:59:36 -0500 -Subject: clk: vf610: fix refcount leak in vf610_clocks_init() - -commit 567177024e0313e4f0dcba7ba10c0732e50e655d upstream. - -The of_find_compatible_node() returns a node pointer with refcount -incremented, but there is the lack of use of the of_node_put() when -done. Add the missing of_node_put() to release the refcount. - -Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> -Fixes: 1f2c5fd5f048 ("ARM: imx: add VF610 clock support") -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm/mach-imx/clk-vf610.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/arm/mach-imx/clk-vf610.c -+++ b/arch/arm/mach-imx/clk-vf610.c -@@ -117,6 +117,7 @@ static void __init vf610_clocks_init(str - np = of_find_compatible_node(NULL, NULL, "fsl,vf610-anatop"); - anatop_base = of_iomap(np, 0); - BUG_ON(!anatop_base); -+ of_node_put(np); - - np = ccm_node; - ccm_base = of_iomap(np, 0); diff --git a/queue-3.16/clocksource-drivers-exynos_mct-fix-error-path-in-timer-resources.patch b/queue-3.16/clocksource-drivers-exynos_mct-fix-error-path-in-timer-resources.patch deleted file mode 100644 index 23d75f0a..00000000 --- a/queue-3.16/clocksource-drivers-exynos_mct-fix-error-path-in-timer-resources.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Marek Szyprowski <m.szyprowski@samsung.com> -Date: Thu, 18 Oct 2018 11:57:04 +0200 -Subject: clocksource/drivers/exynos_mct: Fix error path in timer resources - initialization - -commit b9307420196009cdf18bad55e762ac49fb9a80f4 upstream. - -While freeing interrupt handlers in error path, don't assume that all -requested interrupts are per-processor interrupts and properly release -standard interrupts too. - -Reported-by: Krzysztof Kozlowski <krzk@kernel.org> -Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier") -Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> -Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org> -Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com> -Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/clocksource/exynos_mct.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - ---- a/drivers/clocksource/exynos_mct.c -+++ b/drivers/clocksource/exynos_mct.c -@@ -558,7 +558,19 @@ static void __init exynos4_timer_resourc - return; - - out_irq: -- free_percpu_irq(mct_irqs[MCT_L0_IRQ], &percpu_mct_tick); -+ if (mct_int_type == MCT_INT_PPI) { -+ free_percpu_irq(mct_irqs[MCT_L0_IRQ], &percpu_mct_tick); -+ } else { -+ for_each_possible_cpu(cpu) { -+ struct mct_clock_event_device *pcpu_mevt = -+ per_cpu_ptr(&percpu_mct_tick, cpu); -+ -+ if (pcpu_mevt->evt.irq != -1) { -+ free_irq(pcpu_mevt->evt.irq, pcpu_mevt); -+ pcpu_mevt->evt.irq = -1; -+ } -+ } -+ } - } - - void __init mct_init(void __iomem *base, int irq_g0, int irq_l0, int irq_l1) diff --git a/queue-3.16/cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch b/queue-3.16/cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch deleted file mode 100644 index 04de6034..00000000 --- a/queue-3.16/cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Arnd Bergmann <arnd@arndb.de> -Date: Thu, 7 Mar 2019 11:22:41 +0100 -Subject: cpufreq: pxa2xx: remove incorrect __init annotation - -commit 9505b98ccddc454008ca7efff90044e3e857c827 upstream. - -pxa_cpufreq_init_voltages() is marked __init but usually inlined into -the non-__init pxa_cpufreq_init() function. When building with clang, -it can stay as a standalone function in a discarded section, and produce -this warning: - -WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the function pxa_cpufreq_init() to the function .init.text:pxa_cpufreq_init_voltages() -The function pxa_cpufreq_init() references -the function __init pxa_cpufreq_init_voltages(). -This is often because pxa_cpufreq_init lacks a __init -annotation or the annotation of pxa_cpufreq_init_voltages is wrong. - -Fixes: 50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()") -Signed-off-by: Arnd Bergmann <arnd@arndb.de> -Acked-by: Viresh Kumar <viresh.kumar@linaro.org> -Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> -Acked-by: Robert Jarzmik <robert.jarzmik@free.fr> -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/cpufreq/pxa2xx-cpufreq.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/cpufreq/pxa2xx-cpufreq.c -+++ b/drivers/cpufreq/pxa2xx-cpufreq.c -@@ -191,7 +191,7 @@ static int pxa_cpufreq_change_voltage(px - return ret; - } - --static void __init pxa_cpufreq_init_voltages(void) -+static void pxa_cpufreq_init_voltages(void) - { - vcc_core = regulator_get(NULL, "vcc_core"); - if (IS_ERR(vcc_core)) { -@@ -207,7 +207,7 @@ static int pxa_cpufreq_change_voltage(px - return 0; - } - --static void __init pxa_cpufreq_init_voltages(void) { } -+static void pxa_cpufreq_init_voltages(void) { } - #endif - - static void find_freq_tables(struct cpufreq_frequency_table **freq_table, diff --git a/queue-3.16/crypto-ahash-fix-another-early-termination-in-hash-walk.patch b/queue-3.16/crypto-ahash-fix-another-early-termination-in-hash-walk.patch deleted file mode 100644 index 9702e3d0..00000000 --- a/queue-3.16/crypto-ahash-fix-another-early-termination-in-hash-walk.patch +++ /dev/null @@ -1,58 +0,0 @@ -From: Eric Biggers <ebiggers@google.com> -Date: Thu, 31 Jan 2019 23:51:41 -0800 -Subject: crypto: ahash - fix another early termination in hash walk - -commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream. - -Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and -"michael_mic", fail the improved hash tests because they sometimes -produce the wrong digest. The bug is that in the case where a -scatterlist element crosses pages, not all the data is actually hashed -because the scatterlist walk terminates too early. This happens because -the 'nbytes' variable in crypto_hash_walk_done() is assigned the number -of bytes remaining in the page, then later interpreted as the number of -bytes remaining in the scatterlist element. Fix it. - -Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk") -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - crypto/ahash.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -84,17 +84,17 @@ static int hash_walk_new_entry(struct cr - int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) - { - unsigned int alignmask = walk->alignmask; -- unsigned int nbytes = walk->entrylen; - - walk->data -= walk->offset; - -- if (nbytes && walk->offset & alignmask && !err) { -- walk->offset = ALIGN(walk->offset, alignmask + 1); -- nbytes = min(nbytes, -- ((unsigned int)(PAGE_SIZE)) - walk->offset); -- walk->entrylen -= nbytes; -+ if (walk->entrylen && (walk->offset & alignmask) && !err) { -+ unsigned int nbytes; - -+ walk->offset = ALIGN(walk->offset, alignmask + 1); -+ nbytes = min(walk->entrylen, -+ (unsigned int)(PAGE_SIZE - walk->offset)); - if (nbytes) { -+ walk->entrylen -= nbytes; - walk->data += walk->offset; - return nbytes; - } -@@ -114,7 +114,7 @@ int crypto_hash_walk_done(struct crypto_ - if (err) - return err; - -- if (nbytes) { -+ if (walk->entrylen) { - walk->offset = 0; - walk->pg++; - return hash_walk_next(walk); diff --git a/queue-3.16/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch b/queue-3.16/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch deleted file mode 100644 index af092176..00000000 --- a/queue-3.16/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Ard Biesheuvel <ard.biesheuvel@linaro.org> -Date: Thu, 24 Jan 2019 17:33:45 +0100 -Subject: crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling - -commit eaf46edf6ea89675bd36245369c8de5063a0272c upstream. - -The NEON MAC calculation routine fails to handle the case correctly -where there is some data in the buffer, and the input fills it up -exactly. In this case, we enter the loop at the end with w8 == 0, -while a negative value is assumed, and so the loop carries on until -the increment of the 32-bit counter wraps around, which is quite -obviously wrong. - -So omit the loop altogether in this case, and exit right away. - -Reported-by: Eric Biggers <ebiggers@kernel.org> -Fixes: a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...") -Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/arm64/crypto/aes-ce-ccm-core.S | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/arch/arm64/crypto/aes-ce-ccm-core.S -+++ b/arch/arm64/crypto/aes-ce-ccm-core.S -@@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data) - beq 10f - ext v0.16b, v0.16b, v0.16b, #1 /* rotate out the mac bytes */ - b 7b --8: mov w7, w8 -+8: cbz w8, 91f -+ mov w7, w8 - add w8, w8, #16 - 9: ext v1.16b, v1.16b, v1.16b, #1 - adds w7, w7, #1 - bne 9b -- eor v0.16b, v0.16b, v1.16b -+91: eor v0.16b, v0.16b, v1.16b - st1 {v0.16b}, [x0] - 10: str w8, [x3] - ret diff --git a/queue-3.16/crypto-hash-set-crypto_tfm_need_key-if-setkey-fails.patch b/queue-3.16/crypto-hash-set-crypto_tfm_need_key-if-setkey-fails.patch deleted file mode 100644 index ae6287f6..00000000 --- a/queue-3.16/crypto-hash-set-crypto_tfm_need_key-if-setkey-fails.patch +++ /dev/null @@ -1,143 +0,0 @@ -From: Eric Biggers <ebiggers@google.com> -Date: Sun, 6 Jan 2019 18:47:42 -0800 -Subject: crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails - -commit ba7d7433a0e998c902132bd47330e355a1eaa894 upstream. - -Some algorithms have a ->setkey() method that is not atomic, in the -sense that setting a key can fail after changes were already made to the -tfm context. In this case, if a key was already set the tfm can end up -in a state that corresponds to neither the old key nor the new key. - -It's not feasible to make all ->setkey() methods atomic, especially ones -that have to key multiple sub-tfms. Therefore, make the crypto API set -CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a -key, to prevent the tfm from being used until a new key is set. - -Note: we can't set CRYPTO_TFM_NEED_KEY for OPTIONAL_KEY algorithms, so -->setkey() for those must nevertheless be atomic. That's fine for now -since only the crc32 and crc32c algorithms set OPTIONAL_KEY, and it's -not intended that OPTIONAL_KEY be used much. - -[Cc stable mainly because when introducing the NEED_KEY flag I changed - AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG - previously didn't have this problem. So these "incompletely keyed" - states became theoretically accessible via AF_ALG -- though, the - opportunities for causing real mischief seem pretty limited.] - -Fixes: 9fa68f620041 ("crypto: hash - prevent using keyed hashes without setting key") -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - crypto/ahash.c | 28 +++++++++++++++++++--------- - crypto/shash.c | 18 +++++++++++++----- - 2 files changed, 32 insertions(+), 14 deletions(-) - ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -200,6 +200,21 @@ static int ahash_setkey_unaligned(struct - return ret; - } - -+static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key, -+ unsigned int keylen) -+{ -+ return -ENOSYS; -+} -+ -+static void ahash_set_needkey(struct crypto_ahash *tfm) -+{ -+ const struct hash_alg_common *alg = crypto_hash_alg_common(tfm); -+ -+ if (tfm->setkey != ahash_nosetkey && -+ !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) -+ crypto_ahash_set_flags(tfm, CRYPTO_TFM_NEED_KEY); -+} -+ - int crypto_ahash_setkey(struct crypto_ahash *tfm, const u8 *key, - unsigned int keylen) - { -@@ -211,20 +226,16 @@ int crypto_ahash_setkey(struct crypto_ah - else - err = tfm->setkey(tfm, key, keylen); - -- if (err) -+ if (unlikely(err)) { -+ ahash_set_needkey(tfm); - return err; -+ } - - crypto_ahash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY); - return 0; - } - EXPORT_SYMBOL_GPL(crypto_ahash_setkey); - --static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key, -- unsigned int keylen) --{ -- return -ENOSYS; --} -- - static inline unsigned int ahash_align_buffer_size(unsigned len, - unsigned long mask) - { -@@ -493,8 +504,7 @@ static int crypto_ahash_init_tfm(struct - - if (alg->setkey) { - hash->setkey = alg->setkey; -- if (!(alg->halg.base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) -- crypto_ahash_set_flags(hash, CRYPTO_TFM_NEED_KEY); -+ ahash_set_needkey(hash); - } - if (alg->export) - hash->export = alg->export; ---- a/crypto/shash.c -+++ b/crypto/shash.c -@@ -52,6 +52,13 @@ static int shash_setkey_unaligned(struct - return err; - } - -+static void shash_set_needkey(struct crypto_shash *tfm, struct shash_alg *alg) -+{ -+ if (crypto_shash_alg_has_setkey(alg) && -+ !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) -+ crypto_shash_set_flags(tfm, CRYPTO_TFM_NEED_KEY); -+} -+ - int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key, - unsigned int keylen) - { -@@ -64,8 +71,10 @@ int crypto_shash_setkey(struct crypto_sh - else - err = shash->setkey(tfm, key, keylen); - -- if (err) -+ if (unlikely(err)) { -+ shash_set_needkey(tfm, shash); - return err; -+ } - - crypto_shash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY); - return 0; -@@ -367,7 +376,8 @@ int crypto_init_shash_ops_async(struct c - crt->final = shash_async_final; - crt->finup = shash_async_finup; - crt->digest = shash_async_digest; -- crt->setkey = shash_async_setkey; -+ if (crypto_shash_alg_has_setkey(alg)) -+ crt->setkey = shash_async_setkey; - - crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) & - CRYPTO_TFM_NEED_KEY); -@@ -534,9 +544,7 @@ static int crypto_shash_init_tfm(struct - - hash->descsize = alg->descsize; - -- if (crypto_shash_alg_has_setkey(alg) && -- !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) -- crypto_shash_set_flags(hash, CRYPTO_TFM_NEED_KEY); -+ shash_set_needkey(hash, alg); - - return 0; - } diff --git a/queue-3.16/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch b/queue-3.16/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch deleted file mode 100644 index 0fd6c223..00000000 --- a/queue-3.16/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch +++ /dev/null @@ -1,89 +0,0 @@ -From: Eric Biggers <ebiggers@google.com> -Date: Thu, 3 Jan 2019 20:16:13 -0800 -Subject: crypto: pcbc - remove bogus memcpy()s with src == dest - -commit 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream. - -The memcpy()s in the PCBC implementation use walk->iv as both the source -and destination, which has undefined behavior. These memcpy()'s are -actually unneeded, because walk->iv is already used to hold the previous -plaintext block XOR'd with the previous ciphertext block. Thus, -walk->iv is already updated to its final value. - -So remove the broken and unnecessary memcpy()s. - -Fixes: 91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template") -Cc: David Howells <dhowells@redhat.com> -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - crypto/pcbc.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - ---- a/crypto/pcbc.c -+++ b/crypto/pcbc.c -@@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(s - unsigned int nbytes = walk->nbytes; - u8 *src = walk->src.virt.addr; - u8 *dst = walk->dst.virt.addr; -- u8 *iv = walk->iv; -+ u8 * const iv = walk->iv; - - do { - crypto_xor(iv, src, bsize); -@@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(s - int bsize = crypto_cipher_blocksize(tfm); - unsigned int nbytes = walk->nbytes; - u8 *src = walk->src.virt.addr; -- u8 *iv = walk->iv; -+ u8 * const iv = walk->iv; - u8 tmpbuf[bsize]; - - do { -@@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(s - src += bsize; - } while ((nbytes -= bsize) >= bsize); - -- memcpy(walk->iv, iv, bsize); -- - return nbytes; - } - -@@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(s - unsigned int nbytes = walk->nbytes; - u8 *src = walk->src.virt.addr; - u8 *dst = walk->dst.virt.addr; -- u8 *iv = walk->iv; -+ u8 * const iv = walk->iv; - - do { - fn(crypto_cipher_tfm(tfm), dst, src); -@@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(s - dst += bsize; - } while ((nbytes -= bsize) >= bsize); - -- memcpy(walk->iv, iv, bsize); -- - return nbytes; - } - -@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(s - int bsize = crypto_cipher_blocksize(tfm); - unsigned int nbytes = walk->nbytes; - u8 *src = walk->src.virt.addr; -- u8 *iv = walk->iv; -+ u8 * const iv = walk->iv; - u8 tmpbuf[bsize]; - - do { -@@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(s - src += bsize; - } while ((nbytes -= bsize) >= bsize); - -- memcpy(walk->iv, iv, bsize); -- - return nbytes; - } - diff --git a/queue-3.16/crypto-testmgr-skip-crc32c-context-test-for-ahash-algorithms.patch b/queue-3.16/crypto-testmgr-skip-crc32c-context-test-for-ahash-algorithms.patch deleted file mode 100644 index 095a416a..00000000 --- a/queue-3.16/crypto-testmgr-skip-crc32c-context-test-for-ahash-algorithms.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Eric Biggers <ebiggers@google.com> -Date: Wed, 23 Jan 2019 20:57:35 -0800 -Subject: crypto: testmgr - skip crc32c context test for ahash algorithms - -commit eb5e6730db98fcc4b51148b4a819fa4bf864ae54 upstream. - -Instantiating "cryptd(crc32c)" causes a crypto self-test failure because -the crypto_alloc_shash() in alg_test_crc32c() fails. This is because -cryptd(crc32c) is an ahash algorithm, not a shash algorithm; so it can -only be accessed through the ahash API, unlike shash algorithms which -can be accessed through both the ahash and shash APIs. - -As the test is testing the shash descriptor format which is only -applicable to shash algorithms, skip it for ahash algorithms. - -(Note that it's still important to fix crypto self-test failures even - for weird algorithm instantiations like cryptd(crc32c) that no one - would really use; in fips_enabled mode unprivileged users can use them - to panic the kernel, and also they prevent treating a crypto self-test - failure as a bug when fuzzing the kernel.) - -Fixes: 8e3ee85e68c5 ("crypto: crc32c - Test descriptor context format") -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - crypto/testmgr.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - ---- a/crypto/testmgr.c -+++ b/crypto/testmgr.c -@@ -1655,14 +1655,21 @@ static int alg_test_crc32c(const struct - - err = alg_test_hash(desc, driver, type, mask); - if (err) -- goto out; -+ return err; - - tfm = crypto_alloc_shash(driver, type, mask); - if (IS_ERR(tfm)) { -+ if (PTR_ERR(tfm) == -ENOENT) { -+ /* -+ * This crc32c implementation is only available through -+ * ahash API, not the shash API, so the remaining part -+ * of the test is not applicable to it. -+ */ -+ return 0; -+ } - printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: " - "%ld\n", driver, PTR_ERR(tfm)); -- err = PTR_ERR(tfm); -- goto out; -+ return PTR_ERR(tfm); - } - - do { -@@ -1691,7 +1698,6 @@ static int alg_test_crc32c(const struct - - crypto_free_shash(tfm); - --out: - return err; - } - diff --git a/queue-3.16/crypto-tgr192-fix-unaligned-memory-access.patch b/queue-3.16/crypto-tgr192-fix-unaligned-memory-access.patch deleted file mode 100644 index b4b34d16..00000000 --- a/queue-3.16/crypto-tgr192-fix-unaligned-memory-access.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Eric Biggers <ebiggers@google.com> -Date: Thu, 10 Jan 2019 12:17:58 -0800 -Subject: crypto: tgr192 - fix unaligned memory access - -commit f990f7fb58ac8ac9a43316f09a48cff1a49dda42 upstream. - -Fix an unaligned memory access in tgr192_transform() by using the -unaligned access helpers. - -Fixes: 06ace7a9bafe ("[CRYPTO] Use standard byte order macros wherever possible") -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - crypto/tgr192.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/crypto/tgr192.c -+++ b/crypto/tgr192.c -@@ -25,8 +25,9 @@ - #include <linux/init.h> - #include <linux/module.h> - #include <linux/mm.h> --#include <asm/byteorder.h> - #include <linux/types.h> -+#include <asm/byteorder.h> -+#include <asm/unaligned.h> - - #define TGR192_DIGEST_SIZE 24 - #define TGR160_DIGEST_SIZE 20 -@@ -468,10 +469,9 @@ static void tgr192_transform(struct tgr1 - u64 a, b, c, aa, bb, cc; - u64 x[8]; - int i; -- const __le64 *ptr = (const __le64 *)data; - - for (i = 0; i < 8; i++) -- x[i] = le64_to_cpu(ptr[i]); -+ x[i] = get_unaligned_le64(data + i * sizeof(__le64)); - - /* save */ - a = aa = tctx->a; diff --git a/queue-3.16/devres-always-use-dev_name-in-devm_ioremap_resource.patch b/queue-3.16/devres-always-use-dev_name-in-devm_ioremap_resource.patch deleted file mode 100644 index 0b6677fa..00000000 --- a/queue-3.16/devres-always-use-dev_name-in-devm_ioremap_resource.patch +++ /dev/null @@ -1,96 +0,0 @@ -From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Date: Tue, 29 Jan 2019 13:56:19 +0300 -Subject: devres: always use dev_name() in devm_ioremap_resource() - -commit 8d84b18f5678d3adfdb9375dfb0d968da2dc753d upstream. - -devm_ioremap_resource() prefers calling devm_request_mem_region() with a -resource name instead of a device name -- this looks pretty iff a resource -name isn't specified via a device tree with a "reg-names" property (in this -case, a resource name is set to a device node's full name), but if it is, -it doesn't really scale since these names are only unique to a given device -node, not globally; so, looking at the output of 'cat /proc/iomem', you do -not have an idea which memory region belongs to which device (see "dirmap", -"regs", and "wbuf" lines below): - -08000000-0bffffff : dirmap -48000000-bfffffff : System RAM - 48000000-48007fff : reserved - 48080000-48b0ffff : Kernel code - 48b10000-48b8ffff : reserved - 48b90000-48c7afff : Kernel data - bc6a4000-bcbfffff : reserved - bcc0f000-bebfffff : reserved - bec0e000-bec0efff : reserved - bec11000-bec11fff : reserved - bec12000-bec14fff : reserved - bec15000-bfffffff : reserved -e6050000-e605004f : gpio@e6050000 -e6051000-e605104f : gpio@e6051000 -e6052000-e605204f : gpio@e6052000 -e6053000-e605304f : gpio@e6053000 -e6054000-e605404f : gpio@e6054000 -e6055000-e605504f : gpio@e6055000 -e6060000-e606050b : pin-controller@e6060000 -e6e60000-e6e6003f : e6e60000.serial -e7400000-e7400fff : ethernet@e7400000 -ee200000-ee2001ff : regs -ee208000-ee2080ff : wbuf - -I think that devm_request_mem_region() should be called with dev_name() -despite the region names won't look as pretty as before (however, we gain -more consistency with e.g. the serial driver: - -08000000-0bffffff : ee200000.rpc -48000000-bfffffff : System RAM - 48000000-48007fff : reserved - 48080000-48b0ffff : Kernel code - 48b10000-48b8ffff : reserved - 48b90000-48c7afff : Kernel data - bc6a4000-bcbfffff : reserved - bcc0f000-bebfffff : reserved - bec0e000-bec0efff : reserved - bec11000-bec11fff : reserved - bec12000-bec14fff : reserved - bec15000-bfffffff : reserved -e6050000-e605004f : e6050000.gpio -e6051000-e605104f : e6051000.gpio -e6052000-e605204f : e6052000.gpio -e6053000-e605304f : e6053000.gpio -e6054000-e605404f : e6054000.gpio -e6055000-e605504f : e6055000.gpio -e6060000-e606050b : e6060000.pin-controller -e6e60000-e6e6003f : e6e60000.serial -e7400000-e7400fff : e7400000.ethernet -ee200000-ee2001ff : ee200000.rpc -ee208000-ee2080ff : ee200000.rpc - -Fixes: 72f8c0bfa0de ("lib: devres: add convenience function to remap a resource") -Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - lib/devres.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - ---- a/lib/devres.c -+++ b/lib/devres.c -@@ -109,7 +109,6 @@ EXPORT_SYMBOL(devm_iounmap); - void __iomem *devm_ioremap_resource(struct device *dev, struct resource *res) - { - resource_size_t size; -- const char *name; - void __iomem *dest_ptr; - - BUG_ON(!dev); -@@ -120,9 +119,8 @@ void __iomem *devm_ioremap_resource(stru - } - - size = resource_size(res); -- name = res->name ?: dev_name(dev); - -- if (!devm_request_mem_region(dev, res->start, size, name)) { -+ if (!devm_request_mem_region(dev, res->start, size, dev_name(dev))) { - dev_err(dev, "can't request region for resource %pR\n", res); - return IOMEM_ERR_PTR(-EBUSY); - } diff --git a/queue-3.16/drm-fix-error-handling-in-drm_legacy_addctx.patch b/queue-3.16/drm-fix-error-handling-in-drm_legacy_addctx.patch deleted file mode 100644 index 851a46c9..00000000 --- a/queue-3.16/drm-fix-error-handling-in-drm_legacy_addctx.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Sat, 29 Dec 2018 10:49:07 +0800 -Subject: drm: Fix error handling in drm_legacy_addctx - -commit c39191feed4540fed98badeb484833dcf659bb96 upstream. - -'ctx->handle' is unsigned, it never less than zero. -This patch use int 'tmp_handle' to handle the err condition. - -Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> -Link: https://patchwork.freedesktop.org/patch/msgid/20181229024907.12852-1-yuehaibing@huawei.com -[bwh: Backported to 3.16: We only have the "legacy" driver type here] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/gpu/drm/drm_context.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - ---- a/drivers/gpu/drm/drm_context.c -+++ b/drivers/gpu/drm/drm_context.c -@@ -309,19 +309,22 @@ int drm_addctx(struct drm_device *dev, v - { - struct drm_ctx_list *ctx_entry; - struct drm_ctx *ctx = data; -+ int tmp_handle; - -- ctx->handle = drm_ctxbitmap_next(dev); -- if (ctx->handle == DRM_KERNEL_CONTEXT) { -+ tmp_handle = drm_ctxbitmap_next(dev); -+ if (tmp_handle == DRM_KERNEL_CONTEXT) { - /* Skip kernel's context and get a new one. */ -- ctx->handle = drm_ctxbitmap_next(dev); -+ tmp_handle = drm_ctxbitmap_next(dev); - } -- DRM_DEBUG("%d\n", ctx->handle); -- if (ctx->handle < 0) { -+ DRM_DEBUG("%d\n", tmp_handle); -+ if (tmp_handle < 0) { - DRM_DEBUG("Not enough free contexts.\n"); - /* Should this return -EBUSY instead? */ -- return -ENOMEM; -+ return tmp_handle; - } - -+ ctx->handle = tmp_handle; -+ - ctx_entry = kmalloc(sizeof(*ctx_entry), GFP_KERNEL); - if (!ctx_entry) { - DRM_DEBUG("out of memory\n"); diff --git a/queue-3.16/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch b/queue-3.16/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch deleted file mode 100644 index 61f6a0c5..00000000 --- a/queue-3.16/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Fri, 15 Feb 2019 14:29:26 -0600 -Subject: drm/radeon/evergreen_cs: fix missing break in switch statement - -commit cc5034a5d293dd620484d1d836aa16c6764a1c8c upstream. - -Add missing break statement in order to prevent the code from falling -through to case CB_TARGET_MASK. - -This bug was found thanks to the ongoing efforts to enable --Wimplicit-fallthrough. - -Fixes: dd220a00e8bd ("drm/radeon/kms: add support for streamout v7") -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -Signed-off-by: Alex Deucher <alexander.deucher@amd.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/gpu/drm/radeon/evergreen_cs.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/gpu/drm/radeon/evergreen_cs.c -+++ b/drivers/gpu/drm/radeon/evergreen_cs.c -@@ -1318,6 +1318,7 @@ static int evergreen_cs_check_reg(struct - return -EINVAL; - } - ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); -+ break; - case CB_TARGET_MASK: - track->cb_target_mask = radeon_get_ib_value(p, idx); - track->cb_dirty = true; diff --git a/queue-3.16/ext2-fix-underflow-in-ext2_max_size.patch b/queue-3.16/ext2-fix-underflow-in-ext2_max_size.patch deleted file mode 100644 index e170e774..00000000 --- a/queue-3.16/ext2-fix-underflow-in-ext2_max_size.patch +++ /dev/null @@ -1,93 +0,0 @@ -From: Jan Kara <jack@suse.cz> -Date: Tue, 29 Jan 2019 17:17:24 +0100 -Subject: ext2: Fix underflow in ext2_max_size() - -commit 1c2d14212b15a60300a2d4f6364753e87394c521 upstream. - -When ext2 filesystem is created with 64k block size, ext2_max_size() -will return value less than 0. Also, we cannot write any file in this fs -since the sb->maxbytes is less than 0. The core of the problem is that -the size of block index tree for such large block size is more than -i_blocks can carry. So fix the computation to count with this -possibility. - -File size limits computed with the new function for the full range of -possible block sizes look like: - -bits file_size -10 17247252480 -11 275415851008 -12 2196873666560 -13 2197948973056 -14 2198486220800 -15 2198754754560 -16 2198888906752 - -Reported-by: yangerkun <yangerkun@huawei.com> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext2/super.c | 39 +++++++++++++++++++++++++-------------- - 1 file changed, 25 insertions(+), 14 deletions(-) - ---- a/fs/ext2/super.c -+++ b/fs/ext2/super.c -@@ -701,7 +701,8 @@ static loff_t ext2_max_size(int bits) - { - loff_t res = EXT2_NDIR_BLOCKS; - int meta_blocks; -- loff_t upper_limit; -+ unsigned int upper_limit; -+ unsigned int ppb = 1 << (bits-2); - - /* This is calculated to be the largest file size for a - * dense, file such that the total number of -@@ -715,24 +716,34 @@ static loff_t ext2_max_size(int bits) - /* total blocks in file system block size */ - upper_limit >>= (bits - 9); - -- -- /* indirect blocks */ -- meta_blocks = 1; -- /* double indirect blocks */ -- meta_blocks += 1 + (1LL << (bits-2)); -- /* tripple indirect blocks */ -- meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2))); -- -- upper_limit -= meta_blocks; -- upper_limit <<= bits; -- -+ /* Compute how many blocks we can address by block tree */ - res += 1LL << (bits-2); - res += 1LL << (2*(bits-2)); - res += 1LL << (3*(bits-2)); -+ /* Does block tree limit file size? */ -+ if (res < upper_limit) -+ goto check_lfs; -+ -+ res = upper_limit; -+ /* How many metadata blocks are needed for addressing upper_limit? */ -+ upper_limit -= EXT2_NDIR_BLOCKS; -+ /* indirect blocks */ -+ meta_blocks = 1; -+ upper_limit -= ppb; -+ /* double indirect blocks */ -+ if (upper_limit < ppb * ppb) { -+ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb); -+ res -= meta_blocks; -+ goto check_lfs; -+ } -+ meta_blocks += 1 + ppb; -+ upper_limit -= ppb * ppb; -+ /* tripple indirect blocks for the rest */ -+ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) + -+ DIV_ROUND_UP(upper_limit, ppb*ppb); -+ res -= meta_blocks; -+check_lfs: - res <<= bits; -- if (res > upper_limit) -- res = upper_limit; -- - if (res > MAX_LFS_FILESIZE) - res = MAX_LFS_FILESIZE; - diff --git a/queue-3.16/ext4-add-mask-of-ext4-flags-to-swap.patch b/queue-3.16/ext4-add-mask-of-ext4-flags-to-swap.patch deleted file mode 100644 index a5e484da..00000000 --- a/queue-3.16/ext4-add-mask-of-ext4-flags-to-swap.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: yangerkun <yangerkun@huawei.com> -Date: Mon, 11 Feb 2019 00:35:06 -0500 -Subject: ext4: add mask of ext4 flags to swap - -commit abdc644e8cbac2e9b19763680e5a7cf9bab2bee7 upstream. - -The reason is that while swapping two inode, we swap the flags too. -Some flags such as EXT4_JOURNAL_DATA_FL can really confuse the things -since we're not resetting the address operations structure. The -simplest way to keep things sane is to restrict the flags that can be -swapped. - -Signed-off-by: yangerkun <yangerkun@huawei.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext4/ext4.h | 3 +++ - fs/ext4/ioctl.c | 6 +++++- - 2 files changed, 8 insertions(+), 1 deletion(-) - ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -405,6 +405,9 @@ struct flex_groups { - /* Flags that are appropriate for non-directories/regular files. */ - #define EXT4_OTHER_FLMASK (EXT4_NODUMP_FL | EXT4_NOATIME_FL) - -+/* The only flags that should be swapped */ -+#define EXT4_FL_SHOULD_SWAP (EXT4_HUGE_FILE_FL | EXT4_EXTENTS_FL) -+ - /* Mask out flags that are inappropriate for the given type of inode. */ - static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags) - { ---- a/fs/ext4/ioctl.c -+++ b/fs/ext4/ioctl.c -@@ -61,6 +61,7 @@ static void swap_inode_data(struct inode - loff_t isize; - struct ext4_inode_info *ei1; - struct ext4_inode_info *ei2; -+ unsigned long tmp; - - ei1 = EXT4_I(inode1); - ei2 = EXT4_I(inode2); -@@ -71,7 +72,10 @@ static void swap_inode_data(struct inode - memswap(&inode1->i_mtime, &inode2->i_mtime, sizeof(inode1->i_mtime)); - - memswap(ei1->i_data, ei2->i_data, sizeof(ei1->i_data)); -- memswap(&ei1->i_flags, &ei2->i_flags, sizeof(ei1->i_flags)); -+ tmp = ei1->i_flags & EXT4_FL_SHOULD_SWAP; -+ ei1->i_flags = (ei2->i_flags & EXT4_FL_SHOULD_SWAP) | -+ (ei1->i_flags & ~EXT4_FL_SHOULD_SWAP); -+ ei2->i_flags = tmp | (ei2->i_flags & ~EXT4_FL_SHOULD_SWAP); - memswap(&ei1->i_disksize, &ei2->i_disksize, sizeof(ei1->i_disksize)); - ext4_es_remove_extent(inode1, 0, EXT_MAX_BLOCKS); - ext4_es_remove_extent(inode2, 0, EXT_MAX_BLOCKS); diff --git a/queue-3.16/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch b/queue-3.16/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch deleted file mode 100644 index 3a6a448f..00000000 --- a/queue-3.16/ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: yangerkun <yangerkun@huawei.com> -Date: Mon, 11 Feb 2019 00:02:05 -0500 -Subject: ext4: fix check of inode in swap_inode_boot_loader - -commit 67a11611e1a5211f6569044fbf8150875764d1d0 upstream. - -Before really do swap between inode and boot inode, something need to -check to avoid invalid or not permitted operation, like does this inode -has inline data. But the condition check should be protected by inode -lock to avoid change while swapping. Also some other condition will not -change between swapping, but there has no problem to do this under inode -lock. - -Signed-off-by: yangerkun <yangerkun@huawei.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -[bwh: Backported to 3.16: There's no support or test for filesytem encryption] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext4/ioctl.c | 22 +++++++++++++--------- - 1 file changed, 13 insertions(+), 9 deletions(-) - ---- a/fs/ext4/ioctl.c -+++ b/fs/ext4/ioctl.c -@@ -118,15 +118,6 @@ static long swap_inode_boot_loader(struc - struct ext4_inode_info *ei_bl; - struct ext4_sb_info *sbi = EXT4_SB(sb); - -- if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) || -- IS_SWAPFILE(inode) || -- ext4_has_inline_data(inode)) -- return -EINVAL; -- -- if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) || -- !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) -- return -EPERM; -- - inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); - if (IS_ERR(inode_bl)) - return PTR_ERR(inode_bl); -@@ -139,6 +130,19 @@ static long swap_inode_boot_loader(struc - * that only 1 swap_inode_boot_loader is running. */ - lock_two_nondirectories(inode, inode_bl); - -+ if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) || -+ IS_SWAPFILE(inode) || -+ ext4_has_inline_data(inode)) { -+ err = -EINVAL; -+ goto journal_err_out; -+ } -+ -+ if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) || -+ !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) { -+ err = -EPERM; -+ goto journal_err_out; -+ } -+ - /* Wait for all existing dio workers */ - ext4_inode_block_unlocked_dio(inode); - ext4_inode_block_unlocked_dio(inode_bl); diff --git a/queue-3.16/ext4-fix-crash-during-online-resizing.patch b/queue-3.16/ext4-fix-crash-during-online-resizing.patch deleted file mode 100644 index 059f9ae9..00000000 --- a/queue-3.16/ext4-fix-crash-during-online-resizing.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Jan Kara <jack@suse.cz> -Date: Mon, 11 Feb 2019 13:30:32 -0500 -Subject: ext4: fix crash during online resizing - -commit f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 upstream. - -When computing maximum size of filesystem possible with given number of -group descriptor blocks, we forget to include s_first_data_block into -the number of blocks. Thus for filesystems with non-zero -s_first_data_block it can happen that computed maximum filesystem size -is actually lower than current filesystem size which confuses the code -and eventually leads to a BUG_ON in ext4_alloc_group_tables() hitting on -flex_gd->count == 0. The problem can be reproduced like: - -truncate -s 100g /tmp/image -mkfs.ext4 -b 1024 -E resize=262144 /tmp/image 32768 -mount -t ext4 -o loop /tmp/image /mnt -resize2fs /dev/loop0 262145 -resize2fs /dev/loop0 300000 - -Fix the problem by properly including s_first_data_block into the -computed number of filesystem blocks. - -Fixes: 1c6bd7173d66 "ext4: convert file system to meta_bg if needed..." -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext4/resize.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/fs/ext4/resize.c -+++ b/fs/ext4/resize.c -@@ -1931,7 +1931,8 @@ retry: - le16_to_cpu(es->s_reserved_gdt_blocks); - n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb); - n_blocks_count = (ext4_fsblk_t)n_group * -- EXT4_BLOCKS_PER_GROUP(sb); -+ EXT4_BLOCKS_PER_GROUP(sb) + -+ le32_to_cpu(es->s_first_data_block); - n_group--; /* set to last group number */ - } - diff --git a/queue-3.16/ext4-update-quota-information-while-swapping-boot-loader-inode.patch b/queue-3.16/ext4-update-quota-information-while-swapping-boot-loader-inode.patch deleted file mode 100644 index 1eddecc3..00000000 --- a/queue-3.16/ext4-update-quota-information-while-swapping-boot-loader-inode.patch +++ /dev/null @@ -1,118 +0,0 @@ -From: yangerkun <yangerkun@huawei.com> -Date: Mon, 11 Feb 2019 00:14:02 -0500 -Subject: ext4: update quota information while swapping boot loader inode - -commit aa507b5faf38784defe49f5e64605ac3c4425e26 upstream. - -While do swap between two inode, they swap i_data without update -quota information. Also, swap_inode_boot_loader can do "revert" -somtimes, so update the quota while all operations has been finished. - -Signed-off-by: yangerkun <yangerkun@huawei.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -[bwh: Backported to 3.16: - - Include <linux/quotaops.h> - - dquot_initialize() does not return an erro - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/fs/ext4/ioctl.c -+++ b/fs/ext4/ioctl.c -@@ -14,6 +14,7 @@ - #include <linux/compat.h> - #include <linux/mount.h> - #include <linux/file.h> -+#include <linux/quotaops.h> - #include <asm/uaccess.h> - #include "ext4_jbd2.h" - #include "ext4.h" -@@ -66,9 +67,6 @@ static void swap_inode_data(struct inode - - memswap(&inode1->i_version, &inode2->i_version, - sizeof(inode1->i_version)); -- memswap(&inode1->i_blocks, &inode2->i_blocks, -- sizeof(inode1->i_blocks)); -- memswap(&inode1->i_bytes, &inode2->i_bytes, sizeof(inode1->i_bytes)); - memswap(&inode1->i_atime, &inode2->i_atime, sizeof(inode1->i_atime)); - memswap(&inode1->i_mtime, &inode2->i_mtime, sizeof(inode1->i_mtime)); - -@@ -117,6 +115,9 @@ static long swap_inode_boot_loader(struc - struct inode *inode_bl; - struct ext4_inode_info *ei_bl; - struct ext4_sb_info *sbi = EXT4_SB(sb); -+ qsize_t size, size_bl, diff; -+ blkcnt_t blocks; -+ unsigned short bytes; - - inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); - if (IS_ERR(inode_bl)) -@@ -179,6 +180,11 @@ static long swap_inode_boot_loader(struc - memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data)); - } - -+ dquot_initialize(inode); -+ -+ size = (qsize_t)(inode->i_blocks) * (1 << 9) + inode->i_bytes; -+ size_bl = (qsize_t)(inode_bl->i_blocks) * (1 << 9) + inode_bl->i_bytes; -+ diff = size - size_bl; - swap_inode_data(inode, inode_bl); - - inode->i_ctime = inode_bl->i_ctime = ext4_current_time(inode); -@@ -194,24 +200,46 @@ static long swap_inode_boot_loader(struc - - err = ext4_mark_inode_dirty(handle, inode); - if (err < 0) { -+ /* No need to update quota information. */ - ext4_warning(inode->i_sb, - "couldn't mark inode #%lu dirty (err %d)", - inode->i_ino, err); - /* Revert all changes: */ - swap_inode_data(inode, inode_bl); - ext4_mark_inode_dirty(handle, inode); -- } else { -- err = ext4_mark_inode_dirty(handle, inode_bl); -- if (err < 0) { -- ext4_warning(inode_bl->i_sb, -- "couldn't mark inode #%lu dirty (err %d)", -- inode_bl->i_ino, err); -- /* Revert all changes: */ -- swap_inode_data(inode, inode_bl); -- ext4_mark_inode_dirty(handle, inode); -- ext4_mark_inode_dirty(handle, inode_bl); -- } -+ goto err_out1; - } -+ -+ blocks = inode_bl->i_blocks; -+ bytes = inode_bl->i_bytes; -+ inode_bl->i_blocks = inode->i_blocks; -+ inode_bl->i_bytes = inode->i_bytes; -+ err = ext4_mark_inode_dirty(handle, inode_bl); -+ if (err < 0) { -+ /* No need to update quota information. */ -+ ext4_warning(inode_bl->i_sb, -+ "couldn't mark inode #%lu dirty (err %d)", -+ inode_bl->i_ino, err); -+ goto revert; -+ } -+ -+ /* Bootloader inode should not be counted into quota information. */ -+ if (diff > 0) -+ dquot_free_space(inode, diff); -+ else -+ err = dquot_alloc_space(inode, -1 * diff); -+ -+ if (err < 0) { -+revert: -+ /* Revert all changes: */ -+ inode_bl->i_blocks = blocks; -+ inode_bl->i_bytes = bytes; -+ swap_inode_data(inode, inode_bl); -+ ext4_mark_inode_dirty(handle, inode); -+ ext4_mark_inode_dirty(handle, inode_bl); -+ } -+ -+err_out1: - ext4_journal_stop(handle); - ext4_double_up_write_data_sem(inode, inode_bl); - diff --git a/queue-3.16/fs-nfs-fix-nfs_parse_devname-to-not-modify-it-s-argument.patch b/queue-3.16/fs-nfs-fix-nfs_parse_devname-to-not-modify-it-s-argument.patch deleted file mode 100644 index 74e7e374..00000000 --- a/queue-3.16/fs-nfs-fix-nfs_parse_devname-to-not-modify-it-s-argument.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Wed, 30 Jan 2019 07:58:38 -0600 -Subject: fs/nfs: Fix nfs_parse_devname to not modify it's argument - -commit 40cc394be1aa18848b8757e03bd8ed23281f572e upstream. - -In the rare and unsupported case of a hostname list nfs_parse_devname -will modify dev_name. There is no need to modify dev_name as the all -that is being computed is the length of the hostname, so the computed -length can just be shorted. - -Fixes: dc04589827f7 ("NFS: Use common device name parsing logic for NFSv4 and NFSv2/v3") -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> -Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/nfs/super.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/nfs/super.c -+++ b/fs/nfs/super.c -@@ -1893,7 +1893,7 @@ static int nfs_parse_devname(const char - /* kill possible hostname list: not supported */ - comma = strchr(dev_name, ','); - if (comma != NULL && comma < end) -- *comma = 0; -+ len = comma - dev_name; - } - - if (len > maxnamlen) diff --git a/queue-3.16/fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch b/queue-3.16/fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch deleted file mode 100644 index dc725ad7..00000000 --- a/queue-3.16/fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch +++ /dev/null @@ -1,661 +0,0 @@ -From: Kirill Smelkov <kirr@nexedi.com> -Date: Sun, 09 Jun 2019 14:39:51 +0000 -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf-8 -Subject: fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock -Content-Transfer-Encoding: 8bit - -commit 10dce8af34226d90fa56746a934f8da5dcdba3df upstream. - -[ while porting to 3.16 xenbus conflict was trivially resolved in a way - that actually fixes /proc/xen/xenbus deadlock introduced in 3.14, - because original upstream commit 581d21a2d02a to fix xenbus deadlock - was not included into 3.16 . ] - -Commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") added -locking for file.f_pos access and in particular made concurrent read and -write not possible - now both those functions take f_pos lock for the -whole run, and so if e.g. a read is blocked waiting for data, write will -deadlock waiting for that read to complete. - -This caused regression for stream-like files where previously read and -write could run simultaneously, but after that patch could not do so -anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes -to /proc/xen/xenbus") which fixes such regression for particular case of -/proc/xen/xenbus. - -The patch that added f_pos lock in 2014 did so to guarantee POSIX thread -safety for read/write/lseek and added the locking to file descriptors of -all regular files. In 2014 that thread-safety problem was not new as it -was already discussed earlier in 2006. - -However even though 2006'th version of Linus's patch was adding f_pos -locking "only for files that are marked seekable with FMODE_LSEEK (thus -avoiding the stream-like objects like pipes and sockets)", the 2014 -version - the one that actually made it into the tree as 9c225f2655e3 - -is doing so irregardless of whether a file is seekable or not. - -See - - https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/ - https://lwn.net/Articles/180387 - https://lwn.net/Articles/180396 - -for historic context. - -The reason that it did so is, probably, that there are many files that -are marked non-seekable, but e.g. their read implementation actually -depends on knowing current position to correctly handle the read. Some -examples: - - kernel/power/user.c snapshot_read - fs/debugfs/file.c u32_array_read - fs/fuse/control.c fuse_conn_waiting_read + ... - drivers/hwmon/asus_atk0110.c atk_debugfs_ggrp_read - arch/s390/hypfs/inode.c hypfs_read_iter - ... - -Despite that, many nonseekable_open users implement read and write with -pure stream semantics - they don't depend on passed ppos at all. And for -those cases where read could wait for something inside, it creates a -situation similar to xenbus - the write could be never made to go until -read is done, and read is waiting for some, potentially external, event, -for potentially unbounded time -> deadlock. - -Besides xenbus, there are 14 such places in the kernel that I've found -with semantic patch (see below): - - drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write() - drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write() - drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write() - drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write() - net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write() - drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write() - drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write() - drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write() - net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write() - drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write() - drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write() - drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write() - drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write() - drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write() - -In addition to the cases above another regression caused by f_pos -locking is that now FUSE filesystems that implement open with -FOPEN_NONSEEKABLE flag, can no longer implement bidirectional -stream-like files - for the same reason as above e.g. read can deadlock -write locking on file.f_pos in the kernel. - -FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f715 ("fuse: -implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp -in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and -write routines not depending on current position at all, and with both -read and write being potentially blocking operations: - -See - - https://github.com/libfuse/osspd - https://lwn.net/Articles/308445 - - https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406 - https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477 - https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510 - -Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as -"somewhat pipe-like files ..." with read handler not using offset. -However that test implements only read without write and cannot exercise -the deadlock scenario: - - https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131 - https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163 - https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216 - -I've actually hit the read vs write deadlock for real while implementing -my FUSE filesystem where there is /head/watch file, for which open -creates separate bidirectional socket-like stream in between filesystem -and its user with both read and write being later performed -simultaneously. And there it is semantically not easy to split the -stream into two separate read-only and write-only channels: - - https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169 - -Let's fix this regression. The plan is: - -1. We can't change nonseekable_open to include &~FMODE_ATOMIC_POS - - doing so would break many in-kernel nonseekable_open users which - actually use ppos in read/write handlers. - -2. Add stream_open() to kernel to open stream-like non-seekable file - descriptors. Read and write on such file descriptors would never use - nor change ppos. And with that property on stream-like files read and - write will be running without taking f_pos lock - i.e. read and write - could be running simultaneously. - -3. With semantic patch search and convert to stream_open all in-kernel - nonseekable_open users for which read and write actually do not - depend on ppos and where there is no other methods in file_operations - which assume @offset access. - -4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via - steam_open if that bit is present in filesystem open reply. - - It was tempting to change fs/fuse/ open handler to use stream_open - instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but - grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE, - and in particular GVFS which actually uses offset in its read and - write handlers - - https://codesearch.debian.net/search?q=-%3Enonseekable+%3D - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481 - - so if we would do such a change it will break a real user. - -5. Add stream_open and FOPEN_STREAM handling to stable kernels starting - from v3.14+ (the kernel where 9c225f2655 first appeared). - - This will allow to patch OSSPD and other FUSE filesystems that - provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE - in their open handler and this way avoid the deadlock on all kernel - versions. This should work because fs/fuse/ ignores unknown open - flags returned from a filesystem and so passing FOPEN_STREAM to a - kernel that is not aware of this flag cannot hurt. In turn the kernel - that is not aware of FOPEN_STREAM will be < v3.14 where just - FOPEN_NONSEEKABLE is sufficient to implement streams without read vs - write deadlock. - -This patch adds stream_open, converts /proc/xen/xenbus to it and adds -semantic patch to automatically locate in-kernel places that are either -required to be converted due to read vs write deadlock, or that are just -safe to be converted because read and write do not use ppos and there -are no other funky methods in file_operations. - -Regarding semantic patch I've verified each generated change manually - -that it is correct to convert - and each other nonseekable_open instance -left - that it is either not correct to convert there, or that it is not -converted due to current stream_open.cocci limitations. - -The script also does not convert files that should be valid to convert, -but that currently have .llseek = noop_llseek or generic_file_llseek for -unknown reason despite file being opened with nonseekable_open (e.g. -drivers/input/mousedev.c) - -Cc: Michael Kerrisk <mtk.manpages@gmail.com> -Cc: Yongzhi Pan <panyongzhi@gmail.com> -Cc: Jonathan Corbet <corbet@lwn.net> -Cc: David Vrabel <david.vrabel@citrix.com> -Cc: Juergen Gross <jgross@suse.com> -Cc: Miklos Szeredi <miklos@szeredi.hu> -Cc: Tejun Heo <tj@kernel.org> -Cc: Kirill Tkhai <ktkhai@virtuozzo.com> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: Christoph Hellwig <hch@lst.de> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Cc: Julia Lawall <Julia.Lawall@lip6.fr> -Cc: Nikolaus Rath <Nikolaus@rath.org> -Cc: Han-Wen Nienhuys <hanwen@google.com> -Signed-off-by: Kirill Smelkov <kirr@nexedi.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[ backport to 3.16: actually fixed deadlock on /proc/xen/xenbus as 581d21a2d02a was not backported to 3.16 ] -Signed-off-by: Kirill Smelkov <kirr@nexedi.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- - fs/open.c | 18 ++ - fs/read_write.c | 5 +- - include/linux/fs.h | 4 + - scripts/coccinelle/api/stream_open.cocci | 363 +++++++++++++++++++++++ - 5 files changed, 389 insertions(+), 3 deletions(-) - create mode 100644 scripts/coccinelle/api/stream_open.cocci - -diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c -index 6bd06f9d737d..3126bcafb555 100644 ---- a/drivers/xen/xenbus/xenbus_dev_frontend.c -+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c -@@ -533,7 +533,7 @@ static int xenbus_file_open(struct inode *inode, struct file *filp) - if (xen_store_evtchn == 0) - return -ENOENT; - -- nonseekable_open(inode, filp); -+ stream_open(inode, filp); - - u = kzalloc(sizeof(*u), GFP_KERNEL); - if (u == NULL) -diff --git a/fs/open.c b/fs/open.c -index fc44237e4a2e..c4949a39726a 100644 ---- a/fs/open.c -+++ b/fs/open.c -@@ -1104,3 +1104,21 @@ int nonseekable_open(struct inode *inode, struct file *filp) - } - - EXPORT_SYMBOL(nonseekable_open); -+ -+/* -+ * stream_open is used by subsystems that want stream-like file descriptors. -+ * Such file descriptors are not seekable and don't have notion of position -+ * (file.f_pos is always 0). Contrary to file descriptors of other regular -+ * files, .read() and .write() can run simultaneously. -+ * -+ * stream_open never fails and is marked to return int so that it could be -+ * directly used as file_operations.open . -+ */ -+int stream_open(struct inode *inode, struct file *filp) -+{ -+ filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS); -+ filp->f_mode |= FMODE_STREAM; -+ return 0; -+} -+ -+EXPORT_SYMBOL(stream_open); -diff --git a/fs/read_write.c b/fs/read_write.c -index 07053752c148..c3b99ff5da0d 100644 ---- a/fs/read_write.c -+++ b/fs/read_write.c -@@ -549,12 +549,13 @@ EXPORT_SYMBOL(vfs_write); - - static inline loff_t file_pos_read(struct file *file) - { -- return file->f_pos; -+ return file->f_mode & FMODE_STREAM ? 0 : file->f_pos; - } - - static inline void file_pos_write(struct file *file, loff_t pos) - { -- file->f_pos = pos; -+ if ((file->f_mode & FMODE_STREAM) == 0) -+ file->f_pos = pos; - } - - SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count) -diff --git a/include/linux/fs.h b/include/linux/fs.h -index 461e82373ebd..49ca7649e5b5 100644 ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -133,6 +133,9 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset, - /* Has write method(s) */ - #define FMODE_CAN_WRITE ((__force fmode_t)0x40000) - -+/* File is stream-like */ -+#define FMODE_STREAM ((__force fmode_t)0x200000) -+ - /* File was opened by fanotify and shouldn't generate fanotify events */ - #define FMODE_NONOTIFY ((__force fmode_t)0x1000000) - -@@ -2472,6 +2475,7 @@ extern loff_t fixed_size_llseek(struct file *file, loff_t offset, - int whence, loff_t size); - extern int generic_file_open(struct inode * inode, struct file * filp); - extern int nonseekable_open(struct inode * inode, struct file * filp); -+extern int stream_open(struct inode * inode, struct file * filp); - - #ifdef CONFIG_FS_XIP - extern ssize_t xip_file_read(struct file *filp, char __user *buf, size_t len, -diff --git a/scripts/coccinelle/api/stream_open.cocci b/scripts/coccinelle/api/stream_open.cocci -new file mode 100644 -index 000000000000..350145da7669 ---- /dev/null -+++ b/scripts/coccinelle/api/stream_open.cocci -@@ -0,0 +1,363 @@ -+// SPDX-License-Identifier: GPL-2.0 -+// Author: Kirill Smelkov (kirr@nexedi.com) -+// -+// Search for stream-like files that are using nonseekable_open and convert -+// them to stream_open. A stream-like file is a file that does not use ppos in -+// its read and write. Rationale for the conversion is to avoid deadlock in -+// between read and write. -+ -+virtual report -+virtual patch -+virtual explain // explain decisions in the patch (SPFLAGS="-D explain") -+ -+// stream-like reader & writer - ones that do not depend on f_pos. -+@ stream_reader @ -+identifier readstream, ppos; -+identifier f, buf, len; -+type loff_t; -+@@ -+ ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos) -+ { -+ ... when != ppos -+ } -+ -+@ stream_writer @ -+identifier writestream, ppos; -+identifier f, buf, len; -+type loff_t; -+@@ -+ ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos) -+ { -+ ... when != ppos -+ } -+ -+ -+// a function that blocks -+@ blocks @ -+identifier block_f; -+identifier wait_event =~ "^wait_event_.*"; -+@@ -+ block_f(...) { -+ ... when exists -+ wait_event(...) -+ ... when exists -+ } -+ -+// stream_reader that can block inside. -+// -+// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait()) -+// XXX currently reader_blocks supports only direct and 1-level indirect cases. -+@ reader_blocks_direct @ -+identifier stream_reader.readstream; -+identifier wait_event =~ "^wait_event_.*"; -+@@ -+ readstream(...) -+ { -+ ... when exists -+ wait_event(...) -+ ... when exists -+ } -+ -+@ reader_blocks_1 @ -+identifier stream_reader.readstream; -+identifier blocks.block_f; -+@@ -+ readstream(...) -+ { -+ ... when exists -+ block_f(...) -+ ... when exists -+ } -+ -+@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @ -+identifier stream_reader.readstream; -+@@ -+ readstream(...) { -+ ... -+ } -+ -+ -+// file_operations + whether they have _any_ .read, .write, .llseek ... at all. -+// -+// XXX add support for file_operations xxx[N] = ... (sound/core/pcm_native.c) -+@ fops0 @ -+identifier fops; -+@@ -+ struct file_operations fops = { -+ ... -+ }; -+ -+@ has_read @ -+identifier fops0.fops; -+identifier read_f; -+@@ -+ struct file_operations fops = { -+ .read = read_f, -+ }; -+ -+@ has_read_iter @ -+identifier fops0.fops; -+identifier read_iter_f; -+@@ -+ struct file_operations fops = { -+ .read_iter = read_iter_f, -+ }; -+ -+@ has_write @ -+identifier fops0.fops; -+identifier write_f; -+@@ -+ struct file_operations fops = { -+ .write = write_f, -+ }; -+ -+@ has_write_iter @ -+identifier fops0.fops; -+identifier write_iter_f; -+@@ -+ struct file_operations fops = { -+ .write_iter = write_iter_f, -+ }; -+ -+@ has_llseek @ -+identifier fops0.fops; -+identifier llseek_f; -+@@ -+ struct file_operations fops = { -+ .llseek = llseek_f, -+ }; -+ -+@ has_no_llseek @ -+identifier fops0.fops; -+@@ -+ struct file_operations fops = { -+ .llseek = no_llseek, -+ }; -+ -+@ has_mmap @ -+identifier fops0.fops; -+identifier mmap_f; -+@@ -+ struct file_operations fops = { -+ .mmap = mmap_f, -+ }; -+ -+@ has_copy_file_range @ -+identifier fops0.fops; -+identifier copy_file_range_f; -+@@ -+ struct file_operations fops = { -+ .copy_file_range = copy_file_range_f, -+ }; -+ -+@ has_remap_file_range @ -+identifier fops0.fops; -+identifier remap_file_range_f; -+@@ -+ struct file_operations fops = { -+ .remap_file_range = remap_file_range_f, -+ }; -+ -+@ has_splice_read @ -+identifier fops0.fops; -+identifier splice_read_f; -+@@ -+ struct file_operations fops = { -+ .splice_read = splice_read_f, -+ }; -+ -+@ has_splice_write @ -+identifier fops0.fops; -+identifier splice_write_f; -+@@ -+ struct file_operations fops = { -+ .splice_write = splice_write_f, -+ }; -+ -+ -+// file_operations that is candidate for stream_open conversion - it does not -+// use mmap and other methods that assume @offset access to file. -+// -+// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now. -+// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops". -+@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @ -+identifier fops0.fops; -+@@ -+ struct file_operations fops = { -+ }; -+ -+ -+// ---- conversions ---- -+ -+// XXX .open = nonseekable_open -> .open = stream_open -+// XXX .open = func -> openfunc -> nonseekable_open -+ -+// read & write -+// -+// if both are used in the same file_operations together with an opener - -+// under that conditions we can use stream_open instead of nonseekable_open. -+@ fops_rw depends on maybe_stream @ -+identifier fops0.fops, openfunc; -+identifier stream_reader.readstream; -+identifier stream_writer.writestream; -+@@ -+ struct file_operations fops = { -+ .open = openfunc, -+ .read = readstream, -+ .write = writestream, -+ }; -+ -+@ report_rw depends on report @ -+identifier fops_rw.openfunc; -+position p1; -+@@ -+ openfunc(...) { -+ <... -+ nonseekable_open@p1 -+ ...> -+ } -+ -+@ script:python depends on report && reader_blocks @ -+fops << fops0.fops; -+p << report_rw.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,)) -+ -+@ script:python depends on report && !reader_blocks @ -+fops << fops0.fops; -+p << report_rw.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) -+ -+ -+@ explain_rw_deadlocked depends on explain && reader_blocks @ -+identifier fops_rw.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* read & write (was deadlock) */ -+ ...> -+ } -+ -+ -+@ explain_rw_nodeadlock depends on explain && !reader_blocks @ -+identifier fops_rw.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* read & write (no direct deadlock) */ -+ ...> -+ } -+ -+@ patch_rw depends on patch @ -+identifier fops_rw.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ stream_open -+ ...> -+ } -+ -+ -+// read, but not write -+@ fops_r depends on maybe_stream && !has_write @ -+identifier fops0.fops, openfunc; -+identifier stream_reader.readstream; -+@@ -+ struct file_operations fops = { -+ .open = openfunc, -+ .read = readstream, -+ }; -+ -+@ report_r depends on report @ -+identifier fops_r.openfunc; -+position p1; -+@@ -+ openfunc(...) { -+ <... -+ nonseekable_open@p1 -+ ...> -+ } -+ -+@ script:python depends on report @ -+fops << fops0.fops; -+p << report_r.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) -+ -+@ explain_r depends on explain @ -+identifier fops_r.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* read only */ -+ ...> -+ } -+ -+@ patch_r depends on patch @ -+identifier fops_r.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ stream_open -+ ...> -+ } -+ -+ -+// write, but not read -+@ fops_w depends on maybe_stream && !has_read @ -+identifier fops0.fops, openfunc; -+identifier stream_writer.writestream; -+@@ -+ struct file_operations fops = { -+ .open = openfunc, -+ .write = writestream, -+ }; -+ -+@ report_w depends on report @ -+identifier fops_w.openfunc; -+position p1; -+@@ -+ openfunc(...) { -+ <... -+ nonseekable_open@p1 -+ ...> -+ } -+ -+@ script:python depends on report @ -+fops << fops0.fops; -+p << report_w.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) -+ -+@ explain_w depends on explain @ -+identifier fops_w.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* write only */ -+ ...> -+ } -+ -+@ patch_w depends on patch @ -+identifier fops_w.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ stream_open -+ ...> -+ } -+ -+ -+// no read, no write - don't change anything diff --git a/queue-3.16/fuse-add-fopen_stream-to-use-stream_open.patch b/queue-3.16/fuse-add-fopen_stream-to-use-stream_open.patch deleted file mode 100644 index 9471d52b..00000000 --- a/queue-3.16/fuse-add-fopen_stream-to-use-stream_open.patch +++ /dev/null @@ -1,89 +0,0 @@ -From: Kirill Smelkov <kirr@nexedi.com> -Date: Sun, 09 Jun 2019 14:39:10 +0000 -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf-8 -Subject: fuse: Add FOPEN_STREAM to use stream_open() -Content-Transfer-Encoding: 8bit - -commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream. - -Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per -POSIX") files opened even via nonseekable_open gate read and write via lock -and do not allow them to be run simultaneously. This can create read vs -write deadlock if a filesystem is trying to implement a socket-like file -which is intended to be simultaneously used for both read and write from -filesystem client. See commit 10dce8af3422 ("fs: stream_open - opener for -stream-like files so that read and write can run simultaneously without -deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock -on writes to /proc/xen/xenbus") for a similar deadlock example on -/proc/xen/xenbus. - -To avoid such deadlock it was tempting to adjust fuse_finish_open to use -stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, -but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE, -and in particular GVFS which actually uses offset in its read and write -handlers - - https://codesearch.debian.net/search?q=-%3Enonseekable+%3D - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481 - -so if we would do such a change it will break a real user. - -Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the -opened handler is having stream-like semantics; does not use file position -and thus the kernel is free to issue simultaneous read and write request on -opened file handle. - -This patch together with stream_open() should be added to stable kernels -starting from v3.14+. This will allow to patch OSSPD and other FUSE -filesystems that provide stream-like files to return FOPEN_STREAM | -FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all -kernel versions. This should work because fuse_finish_open ignores unknown -open flags returned from a filesystem and so passing FOPEN_STREAM to a -kernel that is not aware of this flag cannot hurt. In turn the kernel that -is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE -is sufficient to implement streams without read vs write deadlock. - -Cc: stable@vger.kernel.org # v3.14+ -Signed-off-by: Kirill Smelkov <kirr@nexedi.com> -Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/fuse/file.c | 4 +++- - include/uapi/linux/fuse.h | 2 ++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index bc8f5de48fd9..69e471b042a6 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -214,7 +214,9 @@ void fuse_finish_open(struct inode *inode, struct file *file) - file->f_op = &fuse_direct_io_file_operations; - if (!(ff->open_flags & FOPEN_KEEP_CACHE)) - invalidate_inode_pages2(inode->i_mapping); -- if (ff->open_flags & FOPEN_NONSEEKABLE) -+ if (ff->open_flags & FOPEN_STREAM) -+ stream_open(inode, file); -+ else if (ff->open_flags & FOPEN_NONSEEKABLE) - nonseekable_open(inode, file); - if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) { - struct fuse_inode *fi = get_fuse_inode(inode); -diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h -index 25084a052a1e..cff91b018953 100644 ---- a/include/uapi/linux/fuse.h -+++ b/include/uapi/linux/fuse.h -@@ -205,10 +205,12 @@ struct fuse_file_lock { - * FOPEN_DIRECT_IO: bypass page cache for this open file - * FOPEN_KEEP_CACHE: don't invalidate the data cache on open - * FOPEN_NONSEEKABLE: the file is not seekable -+ * FOPEN_STREAM: the file is stream-like (no file position at all) - */ - #define FOPEN_DIRECT_IO (1 << 0) - #define FOPEN_KEEP_CACHE (1 << 1) - #define FOPEN_NONSEEKABLE (1 << 2) -+#define FOPEN_STREAM (1 << 4) - - /** - * INIT request/reply flags diff --git a/queue-3.16/gro_cells-make-sure-device-is-up-in-gro_cells_receive.patch b/queue-3.16/gro_cells-make-sure-device-is-up-in-gro_cells_receive.patch deleted file mode 100644 index e081fd5d..00000000 --- a/queue-3.16/gro_cells-make-sure-device-is-up-in-gro_cells_receive.patch +++ /dev/null @@ -1,125 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Sun, 10 Mar 2019 10:39:37 -0700 -Subject: gro_cells: make sure device is up in gro_cells_receive() - -commit 2a5ff07a0eb945f291e361aa6f6becca8340ba46 upstream. - -We keep receiving syzbot reports [1] that show that tunnels do not play -the rcu/IFF_UP rules properly. - -At device dismantle phase, gro_cells_destroy() will be called -only after a full rcu grace period is observed after IFF_UP -has been cleared. - -This means that IFF_UP needs to be tested before queueing packets -into netif_rx() or gro_cells. - -This patch implements the test in gro_cells_receive() because -too many callers do not seem to bother enough. - -[1] -BUG: unable to handle kernel paging request at fffff4ca0b9ffffe -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP KASAN -CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Workqueue: netns cleanup_net -RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline] -RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline] -RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline] -RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline] -RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78 -Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03 -RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02 -RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe -RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0 -RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645 -R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000 -R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75 -kobject: 'loop2' (000000004bd7d84a): kobject_uevent_env -FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0 -Call Trace: -kobject: 'loop2' (000000004bd7d84a): fill_kobj_path: path = '/devices/virtual/block/loop2' - ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010 - netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970 - rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116 - ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1124 - vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495 - ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156 - cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551 - process_one_work+0x98e/0x1790 kernel/workqueue.c:2173 - worker_thread+0x98/0xe40 kernel/workqueue.c:2319 - kthread+0x357/0x430 kernel/kthread.c:246 - ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 -Modules linked in: -CR2: fffff4ca0b9ffffe - [ end trace 513fc9c1338d1cb3 ] -RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline] -RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline] -RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline] -RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline] -RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78 -Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03 -RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02 -RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe -RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0 -RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645 -R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000 -kobject: 'loop3' (00000000e4ee57a6): kobject_uevent_env -R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75 -FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0 - -Fixes: c9e6bc644e55 ("net: add gro_cells infrastructure") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: - - Adjust filename, context - - Return type is void] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/net/gro_cells.h | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - ---- a/include/net/gro_cells.h -+++ b/include/net/gro_cells.h -@@ -20,18 +20,23 @@ static inline void gro_cells_receive(str - struct gro_cell *cell = gcells->cells; - struct net_device *dev = skb->dev; - -+ rcu_read_lock(); -+ if (unlikely(!(dev->flags & IFF_UP))) -+ goto drop; -+ - if (!cell || skb_cloned(skb) || !(dev->features & NETIF_F_GRO)) { - netif_rx(skb); -- return; -+ goto unlock; - } - - if (skb_rx_queue_recorded(skb)) - cell += skb_get_rx_queue(skb) & gcells->gro_cells_mask; - - if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) { -+drop: - atomic_long_inc(&dev->rx_dropped); - kfree_skb(skb); -- return; -+ goto unlock; - } - - /* We run in BH context */ -@@ -42,6 +47,9 @@ static inline void gro_cells_receive(str - napi_schedule(&cell->napi); - - spin_unlock(&cell->napi_skbs.lock); -+ -+unlock: -+ rcu_read_unlock(); - } - - /* called unser BH context */ diff --git a/queue-3.16/hpet-fix-missing-character-in-the-__setup-code-of.patch b/queue-3.16/hpet-fix-missing-character-in-the-__setup-code-of.patch deleted file mode 100644 index 7ad6fe43..00000000 --- a/queue-3.16/hpet-fix-missing-character-in-the-__setup-code-of.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Buland Singh <bsingh@redhat.com> -Date: Thu, 20 Dec 2018 17:35:24 +0530 -Subject: hpet: Fix missing '=' character in the __setup() code of - hpet_mmap_enable - -commit 24d48a61f2666630da130cc2ec2e526eacf229e3 upstream. - -Commit '3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for -user processes")' introduced a new kernel command line parameter hpet_mmap, -that is required to expose the memory map of the HPET registers to -user-space. Unfortunately the kernel command line parameter 'hpet_mmap' is -broken and never takes effect due to missing '=' character in the __setup() -code of hpet_mmap_enable. - -Before this patch: - -dmesg output with the kernel command line parameter hpet_mmap=1 - -[ 0.204152] HPET mmap disabled - -dmesg output with the kernel command line parameter hpet_mmap=0 - -[ 0.204192] HPET mmap disabled - -After this patch: - -dmesg output with the kernel command line parameter hpet_mmap=1 - -[ 0.203945] HPET mmap enabled - -dmesg output with the kernel command line parameter hpet_mmap=0 - -[ 0.204652] HPET mmap disabled - -Fixes: 3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user processes") -Signed-off-by: Buland Singh <bsingh@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/char/hpet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/char/hpet.c -+++ b/drivers/char/hpet.c -@@ -377,7 +377,7 @@ static __init int hpet_mmap_enable(char - pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled"); - return 1; - } --__setup("hpet_mmap", hpet_mmap_enable); -+__setup("hpet_mmap=", hpet_mmap_enable); - - static int hpet_mmap(struct file *file, struct vm_area_struct *vma) - { diff --git a/queue-3.16/ib-usnic-fix-out-of-bounds-index-check-in-query-pkey.patch b/queue-3.16/ib-usnic-fix-out-of-bounds-index-check-in-query-pkey.patch deleted file mode 100644 index 12c07d74..00000000 --- a/queue-3.16/ib-usnic-fix-out-of-bounds-index-check-in-query-pkey.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Gal Pressman <galpress@amazon.com> -Date: Mon, 7 Jan 2019 17:27:54 +0200 -Subject: IB/usnic: Fix out of bounds index check in query pkey - -commit 4959d5da5737dd804255c75b8cea0a2929ce279a upstream. - -The pkey table size is one element, index should be tested for > 0 instead -of > 1. - -Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") -Signed-off-by: Gal Pressman <galpress@amazon.com> -Acked-by: Parvi Kaustubhi <pkaustub@cisco.com> -Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c -+++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c -@@ -410,7 +410,7 @@ int usnic_ib_query_gid(struct ib_device - int usnic_ib_query_pkey(struct ib_device *ibdev, u8 port, u16 index, - u16 *pkey) - { -- if (index > 1) -+ if (index > 0) - return -EINVAL; - - *pkey = 0xffff; diff --git a/queue-3.16/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch b/queue-3.16/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch deleted file mode 100644 index 25d2dc35..00000000 --- a/queue-3.16/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Ido Schimmel <idosch@mellanox.com> -Date: Sun, 3 Mar 2019 07:34:57 +0000 -Subject: ip6mr: Do not call __IP6_INC_STATS() from preemptible context - -commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf upstream. - -Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from -improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot -assume preemption is disabled when incrementing the counter and -accessing a per-CPU variable. - -Preemption can be enabled when we add a route in process context that -corresponds to packets stored in the unresolved queue, which are then -forwarded using this route [1]. - -Fix this by using IP6_INC_STATS() which takes care of disabling -preemption on architectures where it is needed. - -[1] -[ 157.451447] BUG: using __this_cpu_add() in preemptible [00000000] code: smcrouted/2314 -[ 157.460409] caller is ip6mr_forward2+0x73e/0x10e0 -[ 157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336 -[ 157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016 -[ 157.460461] Call Trace: -[ 157.460486] dump_stack+0xf9/0x1be -[ 157.460553] check_preemption_disabled+0x1d6/0x200 -[ 157.460576] ip6mr_forward2+0x73e/0x10e0 -[ 157.460705] ip6_mr_forward+0x9a0/0x1510 -[ 157.460771] ip6mr_mfc_add+0x16b3/0x1e00 -[ 157.461155] ip6_mroute_setsockopt+0x3cb/0x13c0 -[ 157.461384] do_ipv6_setsockopt.isra.8+0x348/0x4060 -[ 157.462013] ipv6_setsockopt+0x90/0x110 -[ 157.462036] rawv6_setsockopt+0x4a/0x120 -[ 157.462058] __sys_setsockopt+0x16b/0x340 -[ 157.462198] __x64_sys_setsockopt+0xbf/0x160 -[ 157.462220] do_syscall_64+0x14d/0x610 -[ 157.462349] entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().") -Signed-off-by: Ido Schimmel <idosch@mellanox.com> -Reported-by: Amit Cohen <amitc@mellanox.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv6/ip6mr.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/net/ipv6/ip6mr.c -+++ b/net/ipv6/ip6mr.c -@@ -1984,10 +1984,10 @@ int ip6mr_compat_ioctl(struct sock *sk, - - static inline int ip6mr_forward2_finish(struct sk_buff *skb) - { -- IP6_INC_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), -- IPSTATS_MIB_OUTFORWDATAGRAMS); -- IP6_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), -- IPSTATS_MIB_OUTOCTETS, skb->len); -+ IP6_INC_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), -+ IPSTATS_MIB_OUTFORWDATAGRAMS); -+ IP6_ADD_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), -+ IPSTATS_MIB_OUTOCTETS, skb->len); - return dst_output(skb); - } - diff --git a/queue-3.16/irqchip-brcmstb-l2-use-_irqsave-locking-variants-in-non-interrupt.patch b/queue-3.16/irqchip-brcmstb-l2-use-_irqsave-locking-variants-in-non-interrupt.patch deleted file mode 100644 index 6253d8b6..00000000 --- a/queue-3.16/irqchip-brcmstb-l2-use-_irqsave-locking-variants-in-non-interrupt.patch +++ /dev/null @@ -1,63 +0,0 @@ -From: Doug Berger <opendmb@gmail.com> -Date: Wed, 20 Feb 2019 14:15:28 -0800 -Subject: irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt - code - -commit 33517881ede742107f416533b8c3e4abc56763da upstream. - -Using the irq_gc_lock/irq_gc_unlock functions in the suspend and -resume functions creates the opportunity for a deadlock during -suspend, resume, and shutdown. Using the irq_gc_lock_irqsave/ -irq_gc_unlock_irqrestore variants prevents this possible deadlock. - -Fixes: 7f646e92766e2 ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller") -Signed-off-by: Doug Berger <opendmb@gmail.com> -Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> -[maz: tidied up $SUBJECT] -Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/irqchip/irq-brcmstb-l2.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - ---- a/drivers/irqchip/irq-brcmstb-l2.c -+++ b/drivers/irqchip/irq-brcmstb-l2.c -@@ -82,8 +82,9 @@ static void brcmstb_l2_intc_suspend(stru - { - struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); - struct brcmstb_l2_intc_data *b = gc->private; -+ unsigned long flags; - -- irq_gc_lock(gc); -+ irq_gc_lock_irqsave(gc, flags); - /* Save the current mask */ - b->saved_mask = __raw_readl(b->base + CPU_MASK_STATUS); - -@@ -92,22 +93,23 @@ static void brcmstb_l2_intc_suspend(stru - __raw_writel(~gc->wake_active, b->base + CPU_MASK_SET); - __raw_writel(gc->wake_active, b->base + CPU_MASK_CLEAR); - } -- irq_gc_unlock(gc); -+ irq_gc_unlock_irqrestore(gc, flags); - } - - static void brcmstb_l2_intc_resume(struct irq_data *d) - { - struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); - struct brcmstb_l2_intc_data *b = gc->private; -+ unsigned long flags; - -- irq_gc_lock(gc); -+ irq_gc_lock_irqsave(gc, flags); - /* Clear unmasked non-wakeup interrupts */ - __raw_writel(~b->saved_mask & ~gc->wake_active, b->base + CPU_CLEAR); - - /* Restore the saved mask */ - __raw_writel(b->saved_mask, b->base + CPU_MASK_SET); - __raw_writel(~b->saved_mask, b->base + CPU_MASK_CLEAR); -- irq_gc_unlock(gc); -+ irq_gc_unlock_irqrestore(gc, flags); - } - - int __init brcmstb_l2_intc_of_init(struct device_node *np, diff --git a/queue-3.16/iscsi_ibft-fix-missing-break-in-switch-statement.patch b/queue-3.16/iscsi_ibft-fix-missing-break-in-switch-statement.patch deleted file mode 100644 index 96b8ccb9..00000000 --- a/queue-3.16/iscsi_ibft-fix-missing-break-in-switch-statement.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> -Date: Mon, 11 Feb 2019 12:43:23 -0600 -Subject: iscsi_ibft: Fix missing break in switch statement - -commit df997abeebadaa4824271009e2d2b526a70a11cb upstream. - -Add missing break statement in order to prevent the code from falling -through to case ISCSI_BOOT_TGT_NAME, which is unnecessary. - -This bug was found thanks to the ongoing efforts to enable --Wimplicit-fallthrough. - -Fixes: b33a84a38477 ("ibft: convert iscsi_ibft module to iscsi boot lib") -Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> -Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/firmware/iscsi_ibft.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/firmware/iscsi_ibft.c -+++ b/drivers/firmware/iscsi_ibft.c -@@ -503,6 +503,7 @@ static umode_t __init ibft_check_tgt_for - case ISCSI_BOOT_TGT_NIC_ASSOC: - case ISCSI_BOOT_TGT_CHAP_TYPE: - rc = S_IRUGO; -+ break; - case ISCSI_BOOT_TGT_NAME: - if (tgt->tgt_name_len) - rc = S_IRUGO; diff --git a/queue-3.16/it-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape-twice.patch b/queue-3.16/it-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape-twice.patch deleted file mode 100644 index 4afb2950..00000000 --- a/queue-3.16/it-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape-twice.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Xiao Ni <xni@redhat.com> -Date: Fri, 8 Mar 2019 23:52:05 +0800 -Subject: It's wrong to add len to sector_nr in raid10 reshape twice - -commit b761dcf1217760a42f7897c31dcb649f59b2333e upstream. - -In reshape_request it already adds len to sector_nr already. It's wrong to add len to -sector_nr again after adding pages to bio. If there is bad block it can't copy one chunk -at a time, it needs to goto read_more. Now the sector_nr is wrong. It can cause data -corruption. - -Signed-off-by: Xiao Ni <xni@redhat.com> -Signed-off-by: Song Liu <songliubraving@fb.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/md/raid10.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -4506,7 +4506,6 @@ bio_full: - atomic_inc(&r10_bio->remaining); - read_bio->bi_next = NULL; - generic_make_request(read_bio); -- sector_nr += nr_sectors; - sectors_done += nr_sectors; - if (sector_nr <= last) - goto read_more; diff --git a/queue-3.16/jbd2-clear-dirty-flag-when-revoking-a-buffer-from-an-older.patch b/queue-3.16/jbd2-clear-dirty-flag-when-revoking-a-buffer-from-an-older.patch deleted file mode 100644 index 83490859..00000000 --- a/queue-3.16/jbd2-clear-dirty-flag-when-revoking-a-buffer-from-an-older.patch +++ /dev/null @@ -1,76 +0,0 @@ -From: "zhangyi (F)" <yi.zhang@huawei.com> -Date: Sun, 10 Feb 2019 23:23:04 -0500 -Subject: jbd2: clear dirty flag when revoking a buffer from an older - transaction - -commit 904cdbd41d749a476863a0ca41f6f396774f26e4 upstream. - -Now, we capture a data corruption problem on ext4 while we're truncating -an extent index block. Imaging that if we are revoking a buffer which -has been journaled by the committing transaction, the buffer's jbddirty -flag will not be cleared in jbd2_journal_forget(), so the commit code -will set the buffer dirty flag again after refile the buffer. - -fsx kjournald2 - jbd2_journal_commit_transaction -jbd2_journal_revoke commit phase 1~5... - jbd2_journal_forget - belongs to older transaction commit phase 6 - jbddirty not clear __jbd2_journal_refile_buffer - __jbd2_journal_unfile_buffer - test_clear_buffer_jbddirty - mark_buffer_dirty - -Finally, if the freed extent index block was allocated again as data -block by some other files, it may corrupt the file data after writing -cached pages later, such as during unmount time. (In general, -clean_bdev_aliases() related helpers should be invoked after -re-allocation to prevent the above corruption, but unfortunately we -missed it when zeroout the head of extra extent blocks in -ext4_ext_handle_unwritten_extents()). - -This patch mark buffer as freed and set j_next_transaction to the new -transaction when it already belongs to the committing transaction in -jbd2_journal_forget(), so that commit code knows it should clear dirty -bits when it is done with the buffer. - -This problem can be reproduced by xfstests generic/455 easily with -seeds (3246 3247 3248 3249). - -Signed-off-by: zhangyi (F) <yi.zhang@huawei.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Reviewed-by: Jan Kara <jack@suse.cz> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/jbd2/transaction.c | 17 ++++++++++++----- - 1 file changed, 12 insertions(+), 5 deletions(-) - ---- a/fs/jbd2/transaction.c -+++ b/fs/jbd2/transaction.c -@@ -1479,14 +1479,21 @@ int jbd2_journal_forget (handle_t *handl - /* However, if the buffer is still owned by a prior - * (committing) transaction, we can't drop it yet... */ - JBUFFER_TRACE(jh, "belongs to older transaction"); -- /* ... but we CAN drop it from the new transaction if we -- * have also modified it since the original commit. */ -+ /* ... but we CAN drop it from the new transaction through -+ * marking the buffer as freed and set j_next_transaction to -+ * the new transaction, so that not only the commit code -+ * knows it should clear dirty bits when it is done with the -+ * buffer, but also the buffer can be checkpointed only -+ * after the new transaction commits. */ - -- if (jh->b_next_transaction) { -- J_ASSERT(jh->b_next_transaction == transaction); -+ set_buffer_freed(bh); -+ -+ if (!jh->b_next_transaction) { - spin_lock(&journal->j_list_lock); -- jh->b_next_transaction = NULL; -+ jh->b_next_transaction = transaction; - spin_unlock(&journal->j_list_lock); -+ } else { -+ J_ASSERT(jh->b_next_transaction == transaction); - - /* - * only drop a reference if this transaction modified diff --git a/queue-3.16/kernel-sysctl.c-add-missing-range-check-in.patch b/queue-3.16/kernel-sysctl.c-add-missing-range-check-in.patch deleted file mode 100644 index 7a20eeb3..00000000 --- a/queue-3.16/kernel-sysctl.c-add-missing-range-check-in.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Zev Weiss <zev@bewilderbeest.net> -Date: Mon, 11 Mar 2019 23:28:02 -0700 -Subject: kernel/sysctl.c: add missing range check in - do_proc_dointvec_minmax_conv - -commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream. - -This bug has apparently existed since the introduction of this function -in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git, -"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of -neighbour sysctls."). - -As a minimal fix we can simply duplicate the corresponding check in -do_proc_dointvec_conv(). - -Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net -Signed-off-by: Zev Weiss <zev@bewilderbeest.net> -Cc: Brendan Higgins <brendanhiggins@google.com> -Cc: Iurii Zaikin <yzaikin@google.com> -Cc: Kees Cook <keescook@chromium.org> -Cc: Luis Chamberlain <mcgrof@kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/sysctl.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -2179,7 +2179,16 @@ static int do_proc_dointvec_minmax_conv( - { - struct do_proc_dointvec_minmax_conv_param *param = data; - if (write) { -- int val = *negp ? -*lvalp : *lvalp; -+ int val; -+ if (*negp) { -+ if (*lvalp > (unsigned long) INT_MAX + 1) -+ return -EINVAL; -+ val = -*lvalp; -+ } else { -+ if (*lvalp > (unsigned long) INT_MAX) -+ return -EINVAL; -+ val = *lvalp; -+ } - if ((param->min && *param->min > val) || - (param->max && *param->max < val)) - return -EINVAL; diff --git a/queue-3.16/kvm-x86-mmu-do-not-cache-mmio-accesses-while-memslots-are-in-flux.patch b/queue-3.16/kvm-x86-mmu-do-not-cache-mmio-accesses-while-memslots-are-in-flux.patch deleted file mode 100644 index 33ec4097..00000000 --- a/queue-3.16/kvm-x86-mmu-do-not-cache-mmio-accesses-while-memslots-are-in-flux.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Sean Christopherson <sean.j.christopherson@intel.com> -Date: Tue, 5 Feb 2019 13:01:13 -0800 -Subject: KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux - -commit ddfd1730fd829743e41213e32ccc8b4aa6dc8325 upstream. - -When installing new memslots, KVM sets bit 0 of the generation number to -indicate that an update is in-progress. Until the update is complete, -there are no guarantees as to whether a vCPU will see the old or the new -memslots. Explicity prevent caching MMIO accesses so as to avoid using -an access cached from the old memslots after the new memslots have been -installed. - -Note that it is unclear whether or not disabling caching during the -update window is strictly necessary as there is no definitive -documentation as to what ordering guarantees KVM provides with respect -to updating memslots. That being said, the MMIO spte code does not -allow reusing sptes created while an update is in-progress, and the -associated documentation explicitly states: - - We do not want to use an MMIO sptes created with an odd generation - number, ... If KVM is unlucky and creates an MMIO spte while the - low bit is 1, the next access to the spte will always be a cache miss. - -At the very least, disabling the per-vCPU MMIO cache during updates will -make its behavior consistent with the MMIO spte behavior and -documentation. - -Fixes: 56f17dd3fbc4 ("kvm: x86: fix stale mmio cache bug") -Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -[ -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/x86/kvm/x86.h | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - ---- a/arch/x86/kvm/x86.h -+++ b/arch/x86/kvm/x86.h -@@ -75,10 +75,15 @@ static inline u32 bit(int bitno) - static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu, - gva_t gva, gfn_t gfn, unsigned access) - { -+ u64 gen = kvm_memslots(vcpu->kvm)->generation; -+ -+ if (unlikely(gen & 1)) -+ return; -+ - vcpu->arch.mmio_gva = gva & PAGE_MASK; - vcpu->arch.access = access; - vcpu->arch.mmio_gfn = gfn; -- vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation; -+ vcpu->arch.mmio_gen = gen; - } - - static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu) diff --git a/queue-3.16/l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch b/queue-3.16/l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch deleted file mode 100644 index cee5d853..00000000 --- a/queue-3.16/l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch +++ /dev/null @@ -1,81 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Tue, 12 Mar 2019 06:50:11 -0700 -Subject: l2tp: fix infoleak in l2tp_ip6_recvmsg() - -commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 upstream. - -Back in 2013 Hannes took care of most of such leaks in commit -bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") - -But the bug in l2tp_ip6_recvmsg() has not been fixed. - -syzbot report : - -BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 -CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x173/0x1d0 lib/dump_stack.c:113 - kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600 - kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694 - kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 - _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 - copy_to_user include/linux/uaccess.h:174 [inline] - move_addr_to_user+0x311/0x570 net/socket.c:227 - ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283 - do_recvmmsg+0x646/0x10c0 net/socket.c:2390 - __sys_recvmmsg net/socket.c:2469 [inline] - __do_sys_recvmmsg net/socket.c:2492 [inline] - __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485 - __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485 - do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 - entry_SYSCALL_64_after_hwframe+0x63/0xe7 -RIP: 0033:0x445819 -Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b -RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819 -RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003 -RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c -R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf - -Local variable description: ----addr@___sys_recvmsg -Variable was created at: - ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244 - do_recvmmsg+0x646/0x10c0 net/socket.c:2390 - -Bytes 0-31 of 32 are uninitialized -Memory access of size 32 starts at ffff8880ae62fbb0 -Data copied to user address 0000000020000000 - -Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/l2tp/l2tp_ip6.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -664,9 +664,6 @@ static int l2tp_ip6_recvmsg(struct kiocb - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*lsa); -- - if (flags & MSG_ERRQUEUE) - return ipv6_recv_error(sk, msg, len, addr_len); - -@@ -696,6 +693,7 @@ static int l2tp_ip6_recvmsg(struct kiocb - lsa->l2tp_conn_id = 0; - if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) - lsa->l2tp_scope_id = IP6CB(skb)->iif; -+ *addr_len = sizeof(*lsa); - } - - if (np->rxopt.all) diff --git a/queue-3.16/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch b/queue-3.16/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch deleted file mode 100644 index d4d3b1ee..00000000 --- a/queue-3.16/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch +++ /dev/null @@ -1,52 +0,0 @@ -From: Michal Kazior <michal@plume.com> -Date: Mon, 11 Feb 2019 10:29:27 +0100 -Subject: leds: lp55xx: fix null deref on firmware load failure - -commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c upstream. - -I've stumbled upon a kernel crash and the logs -pointed me towards the lp5562 driver: - -> <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2 -> <4>[306013.894990] lp5562 0-0030: Falling back to user helper -> ... -> <3>[306073.924886] lp5562 0-0030: firmware request failed -> <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000 -> <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58 -> <4>[306074.255539] LR is at release_firmware+0x6c/0x138 -> ... - -After taking a look I noticed firmware_release() -could be called with either NULL or a dangling -pointer. - -Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface") -Signed-off-by: Michal Kazior <michal@plume.com> -Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/leds/leds-lp55xx-common.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/leds/leds-lp55xx-common.c -+++ b/drivers/leds/leds-lp55xx-common.c -@@ -214,7 +214,7 @@ static void lp55xx_firmware_loaded(const - - if (!fw) { - dev_err(dev, "firmware request failed\n"); -- goto out; -+ return; - } - - /* handling firmware data is chip dependent */ -@@ -227,9 +227,9 @@ static void lp55xx_firmware_loaded(const - - mutex_unlock(&chip->lock); - --out: - /* firmware should be released for other channel use */ - release_firmware(chip->fw); -+ chip->fw = NULL; - } - - static int lp55xx_request_firmware(struct lp55xx_chip *chip) diff --git a/queue-3.16/lib-div64.c-off-by-one-in-shift.patch b/queue-3.16/lib-div64.c-off-by-one-in-shift.patch deleted file mode 100644 index 1f69f370..00000000 --- a/queue-3.16/lib-div64.c-off-by-one-in-shift.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Stanislaw Gruszka <sgruszka@redhat.com> -Date: Thu, 7 Mar 2019 16:28:18 -0800 -Subject: lib/div64.c: off by one in shift - -commit cdc94a37493135e355dfc0b0e086d84e3eadb50d upstream. - -fls counts bits starting from 1 to 32 (returns 0 for zero argument). If -we add 1 we shift right one bit more and loose precision from divisor, -what cause function incorect results with some numbers. - -Corrected code was tested in user-space, see bugzilla: - https://bugzilla.kernel.org/show_bug.cgi?id=202391 - -Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgruszka@redhat.com -Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms") -Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> -Reported-by: Siarhei Volkau <lis8215@gmail.com> -Tested-by: Siarhei Volkau <lis8215@gmail.com> -Acked-by: Oleg Nesterov <oleg@redhat.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - lib/div64.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/lib/div64.c -+++ b/lib/div64.c -@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divi - quot = div_u64_rem(dividend, divisor, &rem32); - *remainder = rem32; - } else { -- int n = 1 + fls(high); -+ int n = fls(high); - quot = div_u64(dividend >> n, divisor >> n); - - if (quot != 0) -@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor) - if (high == 0) { - quot = div_u64(dividend, divisor); - } else { -- int n = 1 + fls(high); -+ int n = fls(high); - quot = div_u64(dividend >> n, divisor >> n); - - if (quot != 0) diff --git a/queue-3.16/libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch b/queue-3.16/libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch deleted file mode 100644 index 3d930c60..00000000 --- a/queue-3.16/libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Lubomir Rintel <lkundrak@v3.sk> -Date: Sun, 10 Feb 2019 20:47:49 +0100 -Subject: libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer - -commit 607076a904c435f2677fadaadd4af546279db68b upstream. - -It doesn't make sense and the USB core warns on each submit of such -URB, easily flooding the message buffer with tracebacks. - -Analogous issue was fixed in regular libertas driver in commit 6528d8804780 -("libertas: don't set URB_ZERO_PACKET on IN USB transfer"). - -Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> -Reviewed-by: Steve deRosier <derosier@cal-sierra.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/wireless/libertas_tf/if_usb.c | 2 -- - 1 file changed, 2 deletions(-) - ---- a/drivers/net/wireless/libertas_tf/if_usb.c -+++ b/drivers/net/wireless/libertas_tf/if_usb.c -@@ -440,8 +440,6 @@ static int __if_usb_submit_rx_urb(struct - skb_tail_pointer(skb), - MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, cardp); - -- cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET; -- - lbtf_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n", - cardp->rx_urb); - ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC); diff --git a/queue-3.16/m68k-add-ffreestanding-to-cflags.patch b/queue-3.16/m68k-add-ffreestanding-to-cflags.patch deleted file mode 100644 index f75c94b9..00000000 --- a/queue-3.16/m68k-add-ffreestanding-to-cflags.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Finn Thain <fthain@telegraphics.com.au> -Date: Wed, 16 Jan 2019 16:23:24 +1100 -Subject: m68k: Add -ffreestanding to CFLAGS - -commit 28713169d879b67be2ef2f84dcf54905de238294 upstream. - -This patch fixes a build failure when using GCC 8.1: - -/usr/bin/ld: block/partitions/ldm.o: in function `ldm_parse_tocblock': -block/partitions/ldm.c:153: undefined reference to `strcmp' - -This is caused by a new optimization which effectively replaces a -strncmp() call with a strcmp() call. This affects a number of strncmp() -call sites in the kernel. - -The entire class of optimizations is avoided with -fno-builtin, which -gets enabled by -ffreestanding. This may avoid possible future build -failures in case new optimizations appear in future compilers. - -I haven't done any performance measurements with this patch but I did -count the function calls in a defconfig build. For example, there are now -23 more sprintf() calls and 39 fewer strcpy() calls. The effect on the -other libc functions is smaller. - -If this harms performance we can tackle that regression by optimizing -the call sites, ideally using semantic patches. That way, clang and ICC -builds might benfit too. - -Reference: https://marc.info/?l=linux-m68k&m=154514816222244&w=2 -Signed-off-by: Finn Thain <fthain@telegraphics.com.au> -Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/m68k/Makefile | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/arch/m68k/Makefile -+++ b/arch/m68k/Makefile -@@ -59,7 +59,10 @@ cpuflags-$(CONFIG_M5206e) := $(call cc-o - cpuflags-$(CONFIG_M5206) := $(call cc-option,-mcpu=5206,-m5200) - - KBUILD_AFLAGS += $(cpuflags-y) --KBUILD_CFLAGS += $(cpuflags-y) -pipe -+KBUILD_CFLAGS += $(cpuflags-y) -+ -+KBUILD_CFLAGS += -pipe -ffreestanding -+ - ifdef CONFIG_MMU - # without -fno-strength-reduce the 53c7xx.c driver fails ;-( - KBUILD_CFLAGS += -fno-strength-reduce -ffixed-a2 diff --git a/queue-3.16/md-fix-failed-allocation-of-md_register_thread.patch b/queue-3.16/md-fix-failed-allocation-of-md_register_thread.patch deleted file mode 100644 index d51d065d..00000000 --- a/queue-3.16/md-fix-failed-allocation-of-md_register_thread.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Aditya Pakki <pakki001@umn.edu> -Date: Mon, 4 Mar 2019 16:48:54 -0600 -Subject: md: Fix failed allocation of md_register_thread - -commit e406f12dde1a8375d77ea02d91f313fb1a9c6aec upstream. - -mddev->sync_thread can be set to NULL on kzalloc failure downstream. -The patch checks for such a scenario and frees allocated resources. - -Committer node: - -Added similar fix to raid5.c, as suggested by Guoqing. - -Acked-by: Guoqing Jiang <gqjiang@suse.com> -Signed-off-by: Aditya Pakki <pakki001@umn.edu> -Signed-off-by: Song Liu <songliubraving@fb.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/md/raid10.c | 2 ++ - drivers/md/raid5.c | 2 ++ - 2 files changed, 4 insertions(+) - ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -3820,6 +3820,8 @@ static int run(struct mddev *mddev) - set_bit(MD_RECOVERY_RUNNING, &mddev->recovery); - mddev->sync_thread = md_register_thread(md_do_sync, mddev, - "reshape"); -+ if (!mddev->sync_thread) -+ goto out_free_conf; - } - - return 0; ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -6180,6 +6180,8 @@ static int run(struct mddev *mddev) - set_bit(MD_RECOVERY_RUNNING, &mddev->recovery); - mddev->sync_thread = md_register_thread(md_do_sync, mddev, - "reshape"); -+ if (!mddev->sync_thread) -+ goto abort; - } - - diff --git a/queue-3.16/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt-enumeration.patch b/queue-3.16/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt-enumeration.patch deleted file mode 100644 index 7f3515fc..00000000 --- a/queue-3.16/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt-enumeration.patch +++ /dev/null @@ -1,80 +0,0 @@ -From: Pawe? Chmiel <pawel.mikolaj.chmiel@gmail.com> -Date: Sat, 29 Dec 2018 10:46:01 -0500 -Subject: media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration - -commit 49710c32cd9d6626a77c9f5f978a5f58cb536b35 upstream. - -Previously when doing format enumeration, it was returning all - formats supported by driver, even if they're not supported by hw. -Add missing check for fmt_ver_flag, so it'll be fixed and only those - supported by hw will be returned. Similar thing is already done - in s5p_jpeg_find_format. - -It was found by using v4l2-compliance tool and checking result - of VIDIOC_ENUM_FMT/FRAMESIZES/FRAMEINTERVALS test -and using v4l2-ctl to get list of all supported formats. - -Tested on s5pv210-galaxys (Samsung i9000 phone). - -Fixes: bb677f3ac434 ("[media] Exynos4 JPEG codec v4l2 driver") - -Signed-off-by: Pawe? Chmiel <pawel.mikolaj.chmiel@gmail.com> -Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com> -[hverkuil-cisco@xs4all.nl: fix a few alignment issues] -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/media/platform/s5p-jpeg/jpeg-core.c | 19 +++++++++++-------- - 1 file changed, 11 insertions(+), 8 deletions(-) - ---- a/drivers/media/platform/s5p-jpeg/jpeg-core.c -+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c -@@ -859,13 +859,16 @@ static int s5p_jpeg_querycap(struct file - return 0; - } - --static int enum_fmt(struct s5p_jpeg_fmt *sjpeg_formats, int n, -+static int enum_fmt(struct s5p_jpeg_ctx *ctx, -+ struct s5p_jpeg_fmt *sjpeg_formats, int n, - struct v4l2_fmtdesc *f, u32 type) - { - int i, num = 0; -+ unsigned int fmt_ver_flag = ctx->jpeg->variant->fmt_ver_flag; - - for (i = 0; i < n; ++i) { -- if (sjpeg_formats[i].flags & type) { -+ if (sjpeg_formats[i].flags & type && -+ sjpeg_formats[i].flags & fmt_ver_flag) { - /* index-th format of type type found ? */ - if (num == f->index) - break; -@@ -891,11 +894,11 @@ static int s5p_jpeg_enum_fmt_vid_cap(str - struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); - - if (ctx->mode == S5P_JPEG_ENCODE) -- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, -+ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, - SJPEG_FMT_FLAG_ENC_CAPTURE); - -- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, -- SJPEG_FMT_FLAG_DEC_CAPTURE); -+ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, -+ SJPEG_FMT_FLAG_DEC_CAPTURE); - } - - static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, -@@ -904,11 +907,11 @@ static int s5p_jpeg_enum_fmt_vid_out(str - struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); - - if (ctx->mode == S5P_JPEG_ENCODE) -- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, -+ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, - SJPEG_FMT_FLAG_ENC_OUTPUT); - -- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, -- SJPEG_FMT_FLAG_DEC_OUTPUT); -+ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, -+ SJPEG_FMT_FLAG_DEC_OUTPUT); - } - - static struct s5p_jpeg_q_data *get_q_data(struct s5p_jpeg_ctx *ctx, diff --git a/queue-3.16/media-s5p-jpeg-correct-step-and-max-values-for.patch b/queue-3.16/media-s5p-jpeg-correct-step-and-max-values-for.patch deleted file mode 100644 index cea9516b..00000000 --- a/queue-3.16/media-s5p-jpeg-correct-step-and-max-values-for.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Pawe? Chmiel <pawel.mikolaj.chmiel@gmail.com> -Date: Wed, 9 Jan 2019 13:00:41 -0500 -Subject: media: s5p-jpeg: Correct step and max values for - V4L2_CID_JPEG_RESTART_INTERVAL - -commit 19c624c6b29e244c418f8b44a711cbf5e82e3cd4 upstream. - -This commit corrects max and step values for v4l2 control for -V4L2_CID_JPEG_RESTART_INTERVAL. Max should be 0xffff and step should be 1. -It was found by using v4l2-compliance tool and checking result of -VIDIOC_QUERY_EXT_CTRL/QUERYMENU test. -Previously it was complaining that step was bigger than difference -between max and min. - -Fixes: 15f4bc3b1f42 ("[media] s5p-jpeg: Add JPEG controls support") - -Signed-off-by: Pawe? Chmiel <pawel.mikolaj.chmiel@gmail.com> -Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com> -Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com> -Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/media/platform/s5p-jpeg/jpeg-core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/media/platform/s5p-jpeg/jpeg-core.c -+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c -@@ -1363,7 +1363,7 @@ static int s5p_jpeg_controls_create(stru - - v4l2_ctrl_new_std(&ctx->ctrl_handler, &s5p_jpeg_ctrl_ops, - V4L2_CID_JPEG_RESTART_INTERVAL, -- 0, 3, 0xffff, 0); -+ 0, 0xffff, 1, 0); - if (ctx->jpeg->variant->version == SJPEG_S5P) - mask = ~0x06; /* 422, 420 */ - } diff --git a/queue-3.16/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of.patch b/queue-3.16/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of.patch deleted file mode 100644 index ab77cb7f..00000000 --- a/queue-3.16/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Sakari Ailus <sakari.ailus@linux.intel.com> -Date: Wed, 30 Jan 2019 05:09:41 -0500 -Subject: media: uvcvideo: Avoid NULL pointer dereference at the end of - streaming - -commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream. - -The UVC video driver converts the timestamp from hardware specific unit -to one known by the kernel at the time when the buffer is dequeued. This -is fine in general, but the streamoff operation consists of the -following steps (among other things): - -1. uvc_video_clock_cleanup --- the hardware clock sample array is - released and the pointer to the array is set to NULL, - -2. buffers in active state are returned to the user and - -3. buf_finish callback is called on buffers that are prepared. - buf_finish includes calling uvc_video_clock_update that accesses the - hardware clock sample array. - -The above is serialised by a queue specific mutex. Address the problem -by skipping the clock conversion if the hardware clock sample array is -already released. - -Fixes: 9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel") - -Reported-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com> -Tested-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com> -Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> -Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/media/usb/uvc/uvc_video.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/media/usb/uvc/uvc_video.c -+++ b/drivers/media/usb/uvc/uvc_video.c -@@ -627,6 +627,14 @@ void uvc_video_clock_update(struct uvc_s - u32 rem; - u64 y; - -+ /* -+ * We will get called from __vb2_queue_cancel() if there are buffers -+ * done but not dequeued by the user, but the sample array has already -+ * been released at that time. Just bail out in that case. -+ */ -+ if (!clock->samples) -+ return; -+ - spin_lock_irqsave(&clock->lock, flags); - - if (clock->count < clock->size) diff --git a/queue-3.16/media-uvcvideo-fix-type-check-leading-to-overflow.patch b/queue-3.16/media-uvcvideo-fix-type-check-leading-to-overflow.patch deleted file mode 100644 index ba90b286..00000000 --- a/queue-3.16/media-uvcvideo-fix-type-check-leading-to-overflow.patch +++ /dev/null @@ -1,58 +0,0 @@ -From: Alistair Strachan <astrachan@google.com> -Date: Tue, 18 Dec 2018 20:32:48 -0500 -Subject: media: uvcvideo: Fix 'type' check leading to overflow - -commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream. - -When initially testing the Camera Terminal Descriptor wTerminalType -field (buffer[4]), no mask is used. Later in the function, the MSB is -overloaded to store the descriptor subtype, and so a mask of 0x7fff -is used to check the type. - -If a descriptor is specially crafted to set this overloaded bit in the -original wTerminalType field, the initial type check will fail (falling -through, without adjusting the buffer size), but the later type checks -will pass, assuming the buffer has been made suitably large, causing an -overflow. - -Avoid this problem by checking for the MSB in the wTerminalType field. -If the bit is set, assume the descriptor is bad, and abort parsing it. - -Originally reported here: -https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 -A similar (non-compiling) patch was provided at that time. - -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: Alistair Strachan <astrachan@google.com> -Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/media/usb/uvc/uvc_driver.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - ---- a/drivers/media/usb/uvc/uvc_driver.c -+++ b/drivers/media/usb/uvc/uvc_driver.c -@@ -977,11 +977,19 @@ static int uvc_parse_standard_control(st - return -EINVAL; - } - -- /* Make sure the terminal type MSB is not null, otherwise it -- * could be confused with a unit. -+ /* -+ * Reject invalid terminal types that would cause issues: -+ * -+ * - The high byte must be non-zero, otherwise it would be -+ * confused with a unit. -+ * -+ * - Bit 15 must be 0, as we use it internally as a terminal -+ * direction flag. -+ * -+ * Other unknown types are accepted. - */ - type = get_unaligned_le16(&buffer[4]); -- if ((type & 0xff00) == 0) { -+ if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { - uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " - "interface %d INPUT_TERMINAL %d has invalid " - "type 0x%04x, skipping\n", udev->devnum, diff --git a/queue-3.16/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch b/queue-3.16/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch deleted file mode 100644 index 9ab3932e..00000000 --- a/queue-3.16/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch +++ /dev/null @@ -1,78 +0,0 @@ -From: Jacopo Mondi <jacopo+renesas@jmondi.org> -Date: Fri, 29 Dec 2017 07:22:26 -0500 -Subject: media: v4l2: i2c: ov7670: Fix PLL bypass register values - -commit 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 upstream. - -The following commits: -commit f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675") -commit 04ee6d92047e ("[media] media: ov7670: add possibility to bypass pll for ov7675") -introduced the ability to bypass PLL multiplier and use input clock (xvclk) -as pixel clock output frequency for ov7675 sensor. - -PLL is bypassed using register DBLV[7:6], according to ov7670 and ov7675 -sensor manuals. Macros used to set DBLV register seem wrong in the -driver, as their values do not match what reported in the datasheet. - -Fix by changing DBLV_* macros to use bits [7:6] and set bits [3:0] to -default 0x0a reserved value (according to datasheets). - -While at there, remove a write to DBLV register in -"ov7675_set_framerate()" that over-writes the previous one to the same -register that takes "info->pll_bypass" flag into account instead of setting PLL -multiplier to 4x unconditionally. - -And, while at there, since "info->pll_bypass" is only used in -set/get_framerate() functions used by ov7675 only, it is not necessary -to check for the device id at probe time to make sure that when using -ov7670 "info->pll_bypass" is set to false. - -Fixes: f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675") - -Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org> -Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/media/i2c/ov7670.c | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - ---- a/drivers/media/i2c/ov7670.c -+++ b/drivers/media/i2c/ov7670.c -@@ -167,10 +167,10 @@ MODULE_PARM_DESC(debug, "Debug level (0- - #define REG_GFIX 0x69 /* Fix gain control */ - - #define REG_DBLV 0x6b /* PLL control an debugging */ --#define DBLV_BYPASS 0x00 /* Bypass PLL */ --#define DBLV_X4 0x01 /* clock x4 */ --#define DBLV_X6 0x10 /* clock x6 */ --#define DBLV_X8 0x11 /* clock x8 */ -+#define DBLV_BYPASS 0x0a /* Bypass PLL */ -+#define DBLV_X4 0x4a /* clock x4 */ -+#define DBLV_X6 0x8a /* clock x6 */ -+#define DBLV_X8 0xca /* clock x8 */ - - #define REG_REG76 0x76 /* OV's name */ - #define R76_BLKPCOR 0x80 /* Black pixel correction enable */ -@@ -845,7 +845,7 @@ static int ov7675_set_framerate(struct v - if (ret < 0) - return ret; - -- return ov7670_write(sd, REG_DBLV, DBLV_X4); -+ return 0; - } - - static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd, -@@ -1552,11 +1552,7 @@ static int ov7670_probe(struct i2c_clien - if (config->clock_speed) - info->clock_speed = config->clock_speed; - -- /* -- * It should be allowed for ov7670 too when it is migrated to -- * the new frame rate formula. -- */ -- if (config->pll_bypass && id->driver_data != MODEL_OV7670) -+ if (config->pll_bypass) - info->pll_bypass = true; - - if (config->pclk_hb_disable) diff --git a/queue-3.16/mm-fix-potential-data-race-in-sys_swapon.patch b/queue-3.16/mm-fix-potential-data-race-in-sys_swapon.patch deleted file mode 100644 index a744ba4b..00000000 --- a/queue-3.16/mm-fix-potential-data-race-in-sys_swapon.patch +++ /dev/null @@ -1,102 +0,0 @@ -From: Hugh Dickins <hughd@google.com> -Date: Mon, 17 Aug 2015 17:34:27 -0700 -Subject: mm: fix potential data race in SyS_swapon - -commit 6f179af88f60b32c2855e7f3e16ea8e336a7043f upstream. - -While running KernelThreadSanitizer (ktsan) on upstream kernel with -trinity, we got a few reports from SyS_swapon, here is one of them: - -Read of size 8 by thread T307 (K7621): - [< inlined >] SyS_swapon+0x3c0/0x1850 SYSC_swapon mm/swapfile.c:2395 - [<ffffffff812242c0>] SyS_swapon+0x3c0/0x1850 mm/swapfile.c:2345 - [<ffffffff81e97c8a>] ia32_do_call+0x1b/0x25 - -Looks like the swap_lock should be taken when iterating through the -swap_info array on lines 2392 - 2401: q->swap_file may be reset to -NULL by another thread before it is dereferenced for f_mapping. - -But why is that iteration needed at all? Doesn't the claim_swapfile() -which follows do all that is needed to check for a duplicate entry - -FMODE_EXCL on a bdev, testing IS_SWAPFILE under i_mutex on a regfile? - -Well, not quite: bd_may_claim() allows the same "holder" to claim the -bdev again, so we do need to use a different holder than "sys_swapon"; -and we should not replace appropriate -EBUSY by inappropriate -EINVAL. - -Index i was reused in a cpu loop further down: renamed cpu there. - -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: Hugh Dickins <hughd@google.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - mm/swapfile.c | 25 +++++++------------------ - 1 file changed, 7 insertions(+), 18 deletions(-) - ---- a/mm/swapfile.c -+++ b/mm/swapfile.c -@@ -2144,11 +2144,10 @@ static int claim_swapfile(struct swap_in - if (S_ISBLK(inode->i_mode)) { - p->bdev = bdgrab(I_BDEV(inode)); - error = blkdev_get(p->bdev, -- FMODE_READ | FMODE_WRITE | FMODE_EXCL, -- sys_swapon); -+ FMODE_READ | FMODE_WRITE | FMODE_EXCL, p); - if (error < 0) { - p->bdev = NULL; -- return -EINVAL; -+ return error; - } - p->old_block_size = block_size(p->bdev); - error = set_blocksize(p->bdev, PAGE_SIZE); -@@ -2365,7 +2364,6 @@ SYSCALL_DEFINE2(swapon, const char __use - struct filename *name; - struct file *swap_file = NULL; - struct address_space *mapping; -- int i; - int prio; - int error; - union swap_header *swap_header; -@@ -2405,19 +2403,8 @@ SYSCALL_DEFINE2(swapon, const char __use - - p->swap_file = swap_file; - mapping = swap_file->f_mapping; -- -- for (i = 0; i < nr_swapfiles; i++) { -- struct swap_info_struct *q = swap_info[i]; -- -- if (q == p || !q->swap_file) -- continue; -- if (mapping == q->swap_file->f_mapping) { -- error = -EBUSY; -- goto bad_swap; -- } -- } -- - inode = mapping->host; -+ - /* If S_ISREG(inode->i_mode) will do mutex_lock(&inode->i_mutex); */ - error = claim_swapfile(p, inode); - if (unlikely(error)) -@@ -2450,6 +2437,8 @@ SYSCALL_DEFINE2(swapon, const char __use - goto bad_swap; - } - if (p->bdev && blk_queue_nonrot(bdev_get_queue(p->bdev))) { -+ int cpu; -+ - p->flags |= SWP_SOLIDSTATE; - /* - * select a random position to start with to help wear leveling -@@ -2468,9 +2457,9 @@ SYSCALL_DEFINE2(swapon, const char __use - error = -ENOMEM; - goto bad_swap; - } -- for_each_possible_cpu(i) { -+ for_each_possible_cpu(cpu) { - struct percpu_cluster *cluster; -- cluster = per_cpu_ptr(p->percpu_cluster, i); -+ cluster = per_cpu_ptr(p->percpu_cluster, cpu); - cluster_set_null(&cluster->index); - } - } diff --git a/queue-3.16/mm-swap-bounds-check-swap_info-array-accesses-to-avoid-null-derefs.patch b/queue-3.16/mm-swap-bounds-check-swap_info-array-accesses-to-avoid-null-derefs.patch deleted file mode 100644 index 1894c120..00000000 --- a/queue-3.16/mm-swap-bounds-check-swap_info-array-accesses-to-avoid-null-derefs.patch +++ /dev/null @@ -1,229 +0,0 @@ -From: Daniel Jordan <daniel.m.jordan@oracle.com> -Date: Tue, 5 Mar 2019 15:48:19 -0800 -Subject: mm, swap: bounds check swap_info array accesses to avoid NULL derefs - -commit c10d38cc8d3e43f946b6c2bf4602c86791587f30 upstream. - -Dan Carpenter reports a potential NULL dereference in -get_swap_page_of_type: - - Smatch complains that the NULL checks on "si" aren't consistent. This - seems like a real bug because we have not ensured that the type is - valid and so "si" can be NULL. - -Add the missing check for NULL, taking care to use a read barrier to -ensure CPU1 observes CPU0's updates in the correct order: - - CPU0 CPU1 - alloc_swap_info() if (type >= nr_swapfiles) - swap_info[type] = p /* handle invalid entry */ - smp_wmb() smp_rmb() - ++nr_swapfiles p = swap_info[type] - -Without smp_rmb, CPU1 might observe CPU0's write to nr_swapfiles before -CPU0's write to swap_info[type] and read NULL from swap_info[type]. - -Ying Huang noticed other places in swapfile.c don't order these reads -properly. Introduce swap_type_to_swap_info to encourage correct usage. - -Use READ_ONCE and WRITE_ONCE to follow the Linux Kernel Memory Model -(see tools/memory-model/Documentation/explanation.txt). - -This ordering need not be enforced in places where swap_lock is held -(e.g. si_swapinfo) because swap_lock serializes updates to nr_swapfiles -and the swap_info array. - -Link: http://lkml.kernel.org/r/20190131024410.29859-1-daniel.m.jordan@oracle.com -Fixes: ec8acf20afb8 ("swap: add per-partition lock for swapfile") -Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com> -Reported-by: Dan Carpenter <dan.carpenter@oracle.com> -Suggested-by: "Huang, Ying" <ying.huang@intel.com> -Reviewed-by: Andrea Parri <andrea.parri@amarulasolutions.com> -Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> -Cc: Alan Stern <stern@rowland.harvard.edu> -Cc: Andi Kleen <ak@linux.intel.com> -Cc: Dave Hansen <dave.hansen@linux.intel.com> -Cc: Omar Sandoval <osandov@fb.com> -Cc: Paul McKenney <paulmck@linux.vnet.ibm.com> -Cc: Shaohua Li <shli@kernel.org> -Cc: Stephen Rothwell <sfr@canb.auug.org.au> -Cc: Tejun Heo <tj@kernel.org> -Cc: Will Deacon <will.deacon@arm.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16: - - Add swp_swap_info(), as done in upstream commit 0bcac06f27d7 - "mm, swap: skip swapcache for swapin of synchronous device" - - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE() - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/include/linux/swap.h -+++ b/include/linux/swap.h -@@ -451,6 +451,7 @@ extern sector_t map_swap_page(struct pag - extern sector_t swapdev_block(int, pgoff_t); - extern int page_swapcount(struct page *); - extern struct swap_info_struct *page_swap_info(struct page *); -+extern struct swap_info_struct *swp_swap_info(swp_entry_t entry); - extern int reuse_swap_page(struct page *); - extern int try_to_free_swap(struct page *); - struct backing_dev_info; ---- a/mm/swapfile.c -+++ b/mm/swapfile.c -@@ -86,6 +86,15 @@ static DECLARE_WAIT_QUEUE_HEAD(proc_poll - /* Activity counter to indicate that a swapon or swapoff has occurred */ - static atomic_t proc_poll_event = ATOMIC_INIT(0); - -+static struct swap_info_struct *swap_type_to_swap_info(int type) -+{ -+ if (type >= ACCESS_ONCE(nr_swapfiles)) -+ return NULL; -+ -+ smp_rmb(); /* Pairs with smp_wmb in alloc_swap_info. */ -+ return ACCESS_ONCE(swap_info[type]); -+} -+ - static inline unsigned char swap_count(unsigned char ent) - { - return ent & ~SWAP_HAS_CACHE; /* may include COUNT_CONTINUED flag */ -@@ -703,12 +712,14 @@ noswap: - /* The only caller of this function is now suspend routine */ - swp_entry_t get_swap_page_of_type(int type) - { -- struct swap_info_struct *si; -+ struct swap_info_struct *si = swap_type_to_swap_info(type); - pgoff_t offset; - -- si = swap_info[type]; -+ if (!si) -+ goto fail; -+ - spin_lock(&si->lock); -- if (si && (si->flags & SWP_WRITEOK)) { -+ if (si->flags & SWP_WRITEOK) { - atomic_long_dec(&nr_swap_pages); - /* This is called for allocating swap entry, not cache */ - offset = scan_swap_map(si, 1); -@@ -719,6 +730,7 @@ swp_entry_t get_swap_page_of_type(int ty - atomic_long_inc(&nr_swap_pages); - } - spin_unlock(&si->lock); -+fail: - return (swp_entry_t) {0}; - } - -@@ -730,9 +742,9 @@ static struct swap_info_struct *swap_inf - if (!entry.val) - goto out; - type = swp_type(entry); -- if (type >= nr_swapfiles) -+ p = swap_type_to_swap_info(type); -+ if (!p) - goto bad_nofile; -- p = swap_info[type]; - if (!(p->flags & SWP_USED)) - goto bad_device; - offset = swp_offset(entry); -@@ -1037,10 +1049,9 @@ int swap_type_of(dev_t device, sector_t - sector_t swapdev_block(int type, pgoff_t offset) - { - struct block_device *bdev; -+ struct swap_info_struct *si = swap_type_to_swap_info(type); - -- if ((unsigned int)type >= nr_swapfiles) -- return 0; -- if (!(swap_info[type]->flags & SWP_WRITEOK)) -+ if (!si || !(si->flags & SWP_WRITEOK)) - return 0; - return map_swap_entry(swp_entry(type, offset), &bdev); - } -@@ -1584,7 +1595,7 @@ static sector_t map_swap_entry(swp_entry - struct swap_extent *se; - pgoff_t offset; - -- sis = swap_info[swp_type(entry)]; -+ sis = swp_swap_info(entry); - *bdev = sis->bdev; - - offset = swp_offset(entry); -@@ -1982,9 +1993,7 @@ static void *swap_start(struct seq_file - if (!l) - return SEQ_START_TOKEN; - -- for (type = 0; type < nr_swapfiles; type++) { -- smp_rmb(); /* read nr_swapfiles before swap_info[type] */ -- si = swap_info[type]; -+ for (type = 0; (si = swap_type_to_swap_info(type)); type++) { - if (!(si->flags & SWP_USED) || !si->swap_map) - continue; - if (!--l) -@@ -2004,9 +2013,7 @@ static void *swap_next(struct seq_file * - else - type = si->type + 1; - -- for (; type < nr_swapfiles; type++) { -- smp_rmb(); /* read nr_swapfiles before swap_info[type] */ -- si = swap_info[type]; -+ for (; (si = swap_type_to_swap_info(type)); type++) { - if (!(si->flags & SWP_USED) || !si->swap_map) - continue; - ++*pos; -@@ -2111,14 +2118,14 @@ static struct swap_info_struct *alloc_sw - } - if (type >= nr_swapfiles) { - p->type = type; -- swap_info[type] = p; -+ ACCESS_ONCE(swap_info[type]) = p; - /* - * Write swap_info[type] before nr_swapfiles, in case a - * racing procfs swap_start() or swap_next() is reading them. - * (We never shrink nr_swapfiles, we never free this entry.) - */ - smp_wmb(); -- nr_swapfiles++; -+ ACCESS_ONCE(nr_swapfiles) = nr_swapfiles + 1; - } else { - kfree(p); - p = swap_info[type]; -@@ -2598,7 +2605,7 @@ void si_swapinfo(struct sysinfo *val) - static int __swap_duplicate(swp_entry_t entry, unsigned char usage) - { - struct swap_info_struct *p; -- unsigned long offset, type; -+ unsigned long offset; - unsigned char count; - unsigned char has_cache; - int err = -EINVAL; -@@ -2606,10 +2613,10 @@ static int __swap_duplicate(swp_entry_t - if (non_swap_entry(entry)) - goto out; - -- type = swp_type(entry); -- if (type >= nr_swapfiles) -+ p = swp_swap_info(entry); -+ if (!p) - goto bad_file; -- p = swap_info[type]; -+ - offset = swp_offset(entry); - - spin_lock(&p->lock); -@@ -2704,11 +2711,16 @@ int swapcache_prepare(swp_entry_t entry) - return __swap_duplicate(entry, SWAP_HAS_CACHE); - } - -+struct swap_info_struct *swp_swap_info(swp_entry_t entry) -+{ -+ return swap_type_to_swap_info(swp_type(entry)); -+} -+ - struct swap_info_struct *page_swap_info(struct page *page) - { -- swp_entry_t swap = { .val = page_private(page) }; -+ swp_entry_t entry = { .val = page_private(page) }; - BUG_ON(!PageSwapCache(page)); -- return swap_info[swp_type(swap)]; -+ return swp_swap_info(entry); - } - - /* diff --git a/queue-3.16/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch b/queue-3.16/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch deleted file mode 100644 index b4ffef34..00000000 --- a/queue-3.16/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch +++ /dev/null @@ -1,81 +0,0 @@ -From: Roman Penyaev <rpenyaev@suse.de> -Date: Tue, 5 Mar 2019 15:43:20 -0800 -Subject: mm/vmalloc: fix size check for remap_vmalloc_range_partial() - -commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream. - -When VM_NO_GUARD is not set area->size includes adjacent guard page, -thus for correct size checking get_vm_area_size() should be used, but -not area->size. - -This fixes possible kernel oops when userspace tries to mmap an area on -1 page bigger than was allocated by vmalloc_user() call: the size check -inside remap_vmalloc_range_partial() accounts non-existing guard page -also, so check successfully passes but vmalloc_to_page() returns NULL -(guard page does not physically exist). - -The following code pattern example should trigger an oops: - - static int oops_mmap(struct file *file, struct vm_area_struct *vma) - { - void *mem; - - mem = vmalloc_user(4096); - BUG_ON(!mem); - /* Do not care about mem leak */ - - return remap_vmalloc_range(vma, mem, 0); - } - -And userspace simply mmaps size + PAGE_SIZE: - - mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0); - -Possible candidates for oops which do not have any explicit size -checks: - - *** drivers/media/usb/stkwebcam/stk-webcam.c: - v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0); - -Or the following one: - - *** drivers/video/fbdev/core/fbmem.c - static int - fb_mmap(struct file *file, struct vm_area_struct * vma) - ... - res = fb->fb_mmap(info, vma); - -Where fb_mmap callback calls remap_vmalloc_range() directly without any -explicit checks: - - *** drivers/video/fbdev/vfb.c - static int vfb_mmap(struct fb_info *info, - struct vm_area_struct *vma) - { - return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff); - } - -Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de -Signed-off-by: Roman Penyaev <rpenyaev@suse.de> -Acked-by: Michal Hocko <mhocko@suse.com> -Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> -Cc: Joe Perches <joe@perches.com> -Cc: "Luis R. Rodriguez" <mcgrof@kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - mm/vmalloc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/mm/vmalloc.c -+++ b/mm/vmalloc.c -@@ -2141,7 +2141,7 @@ int remap_vmalloc_range_partial(struct v - if (!(area->flags & VM_USERMAP)) - return -EINVAL; - -- if (kaddr + size > area->addr + area->size) -+ if (kaddr + size > area->addr + get_vm_area_size(area)) - return -EINVAL; - - do { diff --git a/queue-3.16/mmc-omap-fix-the-maximum-timeout-setting.patch b/queue-3.16/mmc-omap-fix-the-maximum-timeout-setting.patch deleted file mode 100644 index 9c8c4562..00000000 --- a/queue-3.16/mmc-omap-fix-the-maximum-timeout-setting.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Aaro Koskinen <aaro.koskinen@iki.fi> -Date: Sun, 3 Feb 2019 00:14:33 +0200 -Subject: mmc: omap: fix the maximum timeout setting - -commit a6327b5e57fdc679c842588c3be046c0b39cc127 upstream. - -When running OMAP1 kernel on QEMU, MMC access is annoyingly noisy: - - MMC: CTO of 0xff and 0xfe cannot be used! - MMC: CTO of 0xff and 0xfe cannot be used! - MMC: CTO of 0xff and 0xfe cannot be used! - [ad inf.] - -Emulator warnings appear to be valid. The TI document SPRU680 [1] -("OMAP5910 Dual-Core Processor MultiMedia Card/Secure Data Memory Card -(MMC/SD) Reference Guide") page 36 states that the maximum timeout is 253 -cycles and "0xff and 0xfe cannot be used". - -Fix by using 0xfd as the maximum timeout. - -Tested using QEMU 2.5 (Siemens SX1 machine, OMAP310), and also checked on -real hardware using Palm TE (OMAP310), Nokia 770 (OMAP1710) and Nokia N810 -(OMAP2420) that MMC works as before. - -[1] http://www.ti.com/lit/ug/spru680/spru680.pdf - -Fixes: 730c9b7e6630f ("[MMC] Add OMAP MMC host driver") -Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> -Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/mmc/host/omap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/mmc/host/omap.c -+++ b/drivers/mmc/host/omap.c -@@ -921,7 +921,7 @@ static inline void set_cmd_timeout(struc - reg &= ~(1 << 5); - OMAP_MMC_WRITE(host, SDIO, reg); - /* Set maximum timeout */ -- OMAP_MMC_WRITE(host, CTO, 0xff); -+ OMAP_MMC_WRITE(host, CTO, 0xfd); - } - - static inline void set_data_timeout(struct mmc_omap_host *host, struct mmc_request *req) diff --git a/queue-3.16/mtd-docg3-don-t-leak-docg3-bbt-in-error-path.patch b/queue-3.16/mtd-docg3-don-t-leak-docg3-bbt-in-error-path.patch deleted file mode 100644 index 7a3bd578..00000000 --- a/queue-3.16/mtd-docg3-don-t-leak-docg3-bbt-in-error-path.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Richard Weinberger <richard@nod.at> -Date: Mon, 1 Jun 2015 23:10:52 +0200 -Subject: mtd: docg3: Don't leak docg3->bbt in error path - -commit 45c2ebd702a468d5037cf16aa4f8ea8d67776f6a upstream. - -Signed-off-by: Richard Weinberger <richard@nod.at> -Signed-off-by: Brian Norris <computersforpeace@gmail.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/mtd/devices/docg3.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/mtd/devices/docg3.c -+++ b/drivers/mtd/devices/docg3.c -@@ -1907,7 +1907,7 @@ doc_probe_device(struct docg3_cascade *c - - ret = 0; - if (chip_id != (u16)(~chip_id_inv)) { -- goto nomem3; -+ goto nomem4; - } - - switch (chip_id) { -@@ -1917,7 +1917,7 @@ doc_probe_device(struct docg3_cascade *c - break; - default: - doc_err("Chip id %04x is not a DiskOnChip G3 chip\n", chip_id); -- goto nomem3; -+ goto nomem4; - } - - doc_set_driver_info(chip_id, mtd); -@@ -1926,6 +1926,8 @@ doc_probe_device(struct docg3_cascade *c - doc_reload_bbt(docg3); - return mtd; - -+nomem4: -+ kfree(docg3->bbt); - nomem3: - kfree(mtd); - nomem2: diff --git a/queue-3.16/mtd-docg3-fix-kasprintf-usage.patch b/queue-3.16/mtd-docg3-fix-kasprintf-usage.patch deleted file mode 100644 index 0bad5c8a..00000000 --- a/queue-3.16/mtd-docg3-fix-kasprintf-usage.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Richard Weinberger <richard@nod.at> -Date: Mon, 1 Jun 2015 23:10:53 +0200 -Subject: mtd: docg3: Fix kasprintf() usage - -commit 0eb8618bd07533f423fed47399a0d6387bfe7cac upstream. - -kasprintf() does a dynamic memory allocation and can fail. -We have to handle that case. - -Signed-off-by: Richard Weinberger <richard@nod.at> -Signed-off-by: Brian Norris <computersforpeace@gmail.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/mtd/devices/docg3.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/drivers/mtd/devices/docg3.c -+++ b/drivers/mtd/devices/docg3.c -@@ -1822,7 +1822,7 @@ static void __exit doc_dbg_unregister(st - * @chip_id: The chip ID of the supported chip - * @mtd: The structure to fill - */ --static void __init doc_set_driver_info(int chip_id, struct mtd_info *mtd) -+static int __init doc_set_driver_info(int chip_id, struct mtd_info *mtd) - { - struct docg3 *docg3 = mtd->priv; - int cfg; -@@ -1835,6 +1835,8 @@ static void __init doc_set_driver_info(i - case DOC_CHIPID_G3: - mtd->name = kasprintf(GFP_KERNEL, "docg3.%d", - docg3->device_id); -+ if (!mtd->name) -+ return -ENOMEM; - docg3->max_block = 2047; - break; - } -@@ -1857,6 +1859,8 @@ static void __init doc_set_driver_info(i - mtd->_block_isbad = doc_block_isbad; - mtd->ecclayout = &docg3_oobinfo; - mtd->ecc_strength = DOC_ECC_BCH_T; -+ -+ return 0; - } - - /** -@@ -1920,7 +1924,9 @@ doc_probe_device(struct docg3_cascade *c - goto nomem4; - } - -- doc_set_driver_info(chip_id, mtd); -+ ret = doc_set_driver_info(chip_id, mtd); -+ if (ret) -+ goto nomem4; - - doc_hamming_ecc_init(docg3, DOC_LAYOUT_OOB_PAGEINFO_SZ); - doc_reload_bbt(docg3); diff --git a/queue-3.16/mtd-docg3-fix-passing-zero-to-ptr_err-warning-in-doc_probe_device.patch b/queue-3.16/mtd-docg3-fix-passing-zero-to-ptr_err-warning-in-doc_probe_device.patch deleted file mode 100644 index f6937614..00000000 --- a/queue-3.16/mtd-docg3-fix-passing-zero-to-ptr_err-warning-in-doc_probe_device.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Wed, 23 Jan 2019 14:58:27 +0800 -Subject: mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device - -commit 32937a82f36c7bbe08db4052de94bc7ade4e3c51 upstream. - -Fix a static code checker warning: -drivers/mtd/devices/docg3.c:1875 - doc_probe_device() warn: passing zero to 'ERR_PTR' - -Fixes: ae9d4934b2d7 ("mtd: docg3: add multiple floor support") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Acked-by: Robert Jarzmik <robert.jarzmik@free.fr> -Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/mtd/devices/docg3.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/mtd/devices/docg3.c -+++ b/drivers/mtd/devices/docg3.c -@@ -1939,7 +1939,7 @@ nomem3: - nomem2: - kfree(docg3); - nomem1: -- return ERR_PTR(ret); -+ return ret ? ERR_PTR(ret) : NULL; - } - - /** diff --git a/queue-3.16/mwifiex-abort-at-too-short-bss-descriptor-element.patch b/queue-3.16/mwifiex-abort-at-too-short-bss-descriptor-element.patch deleted file mode 100644 index 6a81a7a5..00000000 --- a/queue-3.16/mwifiex-abort-at-too-short-bss-descriptor-element.patch +++ /dev/null @@ -1,85 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Wed, 29 May 2019 14:52:20 +0200 -Subject: mwifiex: Abort at too short BSS descriptor element - -commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream. - -Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that -the source descriptor entries contain the enough size for each type -and performs copying without checking the source size. This may lead -to read over boundary. - -Fix this by putting the source size check in appropriate places. - -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/wireless/mwifiex/scan.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - ---- a/drivers/net/wireless/mwifiex/scan.c -+++ b/drivers/net/wireless/mwifiex/scan.c -@@ -1193,6 +1193,8 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_FH_PARAMS: -+ if (element_len + 2 < sizeof(*fh_param_set)) -+ return -EINVAL; - fh_param_set = - (struct ieee_types_fh_param_set *) current_ptr; - memcpy(&bss_entry->phy_param_set.fh_param_set, -@@ -1201,6 +1203,8 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_DS_PARAMS: -+ if (element_len + 2 < sizeof(*ds_param_set)) -+ return -EINVAL; - ds_param_set = - (struct ieee_types_ds_param_set *) current_ptr; - -@@ -1212,6 +1216,8 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_CF_PARAMS: -+ if (element_len + 2 < sizeof(*cf_param_set)) -+ return -EINVAL; - cf_param_set = - (struct ieee_types_cf_param_set *) current_ptr; - memcpy(&bss_entry->ss_param_set.cf_param_set, -@@ -1220,6 +1226,8 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_IBSS_PARAMS: -+ if (element_len + 2 < sizeof(*ibss_param_set)) -+ return -EINVAL; - ibss_param_set = - (struct ieee_types_ibss_param_set *) - current_ptr; -@@ -1229,10 +1237,14 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_ERP_INFO: -+ if (!element_len) -+ return -EINVAL; - bss_entry->erp_flags = *(current_ptr + 2); - break; - - case WLAN_EID_PWR_CONSTRAINT: -+ if (!element_len) -+ return -EINVAL; - bss_entry->local_constraint = *(current_ptr + 2); - bss_entry->sensed_11h = true; - break; -@@ -1272,6 +1284,9 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_VENDOR_SPECIFIC: -+ if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) -+ return -EINVAL; -+ - vendor_ie = (struct ieee_types_vendor_specific *) - current_ptr; - - diff --git a/queue-3.16/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/queue-3.16/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch deleted file mode 100644 index b24e4dd3..00000000 --- a/queue-3.16/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch +++ /dev/null @@ -1,99 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Fri, 31 May 2019 15:18:41 +0200 -Subject: mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() - -commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream. - -A few places in mwifiex_uap_parse_tail_ies() perform memcpy() -unconditionally, which may lead to either buffer overflow or read over -boundary. - -This patch addresses the issues by checking the read size and the -destination size at each place more properly. Along with the fixes, -the patch cleans up the code slightly by introducing a temporary -variable for the token size, and unifies the error path with the -standard goto statement. - -Reported-by: huangwen <huangwen@venustech.com.cn> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -[bwh: Backported to 3.16: - - The tail IEs are parsed in mwifiex_set_mgmt_ies, which looks for two - specific IEs rather than looping - - Check IE length against tail length after calling - cfg80211_find_vendor_ie(), but not after cfg80211_find_ie() since that - already does it - - On error, return without calling mwifiex_set_mgmt_beacon_data_ies() - - Drop inapplicable change to WMM IE handling - - Adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/wireless/mwifiex/ie.c | 47 +++++++++++++++-------- - 1 file changed, 31 insertions(+), 16 deletions(-) - ---- a/drivers/net/wireless/mwifiex/ie.c -+++ b/drivers/net/wireless/mwifiex/ie.c -@@ -328,6 +328,8 @@ int mwifiex_set_mgmt_ies(struct mwifiex_ - struct ieee_types_header *rsn_ie, *wpa_ie = NULL; - u16 rsn_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; - const u8 *vendor_ie; -+ unsigned int token_len; -+ int err = 0; - - if (info->tail && info->tail_len) { - gen_ie = kzalloc(sizeof(struct mwifiex_ie), GFP_KERNEL); -@@ -341,8 +343,13 @@ int mwifiex_set_mgmt_ies(struct mwifiex_ - rsn_ie = (void *)cfg80211_find_ie(WLAN_EID_RSN, - info->tail, info->tail_len); - if (rsn_ie) { -- memcpy(gen_ie->ie_buffer, rsn_ie, rsn_ie->len + 2); -- ie_len = rsn_ie->len + 2; -+ token_len = rsn_ie->len + 2; -+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { -+ err = -EINVAL; -+ goto out; -+ } -+ memcpy(gen_ie->ie_buffer + ie_len, rsn_ie, token_len); -+ ie_len += token_len; - gen_ie->ie_length = cpu_to_le16(ie_len); - } - -@@ -352,9 +359,15 @@ int mwifiex_set_mgmt_ies(struct mwifiex_ - info->tail_len); - if (vendor_ie) { - wpa_ie = (struct ieee_types_header *)vendor_ie; -- memcpy(gen_ie->ie_buffer + ie_len, -- wpa_ie, wpa_ie->len + 2); -- ie_len += wpa_ie->len + 2; -+ token_len = wpa_ie->len + 2; -+ if (token_len > -+ info->tail + info->tail_len - (u8 *)wpa_ie || -+ ie_len + token_len > IEEE_MAX_IE_SIZE) { -+ err = -EINVAL; -+ goto out; -+ } -+ memcpy(gen_ie->ie_buffer + ie_len, wpa_ie, token_len); -+ ie_len += token_len; - gen_ie->ie_length = cpu_to_le16(ie_len); - } - -@@ -362,13 +375,16 @@ int mwifiex_set_mgmt_ies(struct mwifiex_ - if (mwifiex_update_uap_custom_ie(priv, gen_ie, &rsn_idx, - NULL, NULL, - NULL, NULL)) { -- kfree(gen_ie); -- return -1; -+ err = -EINVAL; -+ goto out; - } - priv->rsn_idx = rsn_idx; - } - -+ out: - kfree(gen_ie); -+ if (err) -+ return err; - } - - return mwifiex_set_mgmt_beacon_data_ies(priv, info); - diff --git a/queue-3.16/mwifiex-fix-possible-buffer-overflows-at-parsing-bss-descriptor.patch b/queue-3.16/mwifiex-fix-possible-buffer-overflows-at-parsing-bss-descriptor.patch deleted file mode 100644 index 90527ed1..00000000 --- a/queue-3.16/mwifiex-fix-possible-buffer-overflows-at-parsing-bss-descriptor.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Wed, 29 May 2019 14:52:19 +0200 -Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor - -commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 upstream. - -mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in -a couple places without checking the destination size. Since the -source is given from user-space, this may trigger a heap buffer -overflow. - -Fix it by putting the length check before performing memcpy(). - -This fix addresses CVE-2019-3846. - -Reported-by: huangwen <huangwen@venustech.com.cn> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/wireless/mwifiex/scan.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/net/wireless/mwifiex/scan.c -+++ b/drivers/net/wireless/mwifiex/scan.c -@@ -1171,6 +1171,8 @@ int mwifiex_update_bss_desc_with_ie(stru - } - switch (element_id) { - case WLAN_EID_SSID: -+ if (element_len > IEEE80211_MAX_SSID_LEN) -+ return -EINVAL; - bss_entry->ssid.ssid_len = element_len; - memcpy(bss_entry->ssid.ssid, (current_ptr + 2), - element_len); -@@ -1180,6 +1182,8 @@ int mwifiex_update_bss_desc_with_ie(stru - break; - - case WLAN_EID_SUPP_RATES: -+ if (element_len > MWIFIEX_SUPPORTED_RATES) -+ return -EINVAL; - memcpy(bss_entry->data_rates, current_ptr + 2, - element_len); - memcpy(bss_entry->supported_rates, current_ptr + 2, - diff --git a/queue-3.16/net-hsr-fix-possible-crash-in-add_timer.patch b/queue-3.16/net-hsr-fix-possible-crash-in-add_timer.patch deleted file mode 100644 index 5f2af90e..00000000 --- a/queue-3.16/net-hsr-fix-possible-crash-in-add_timer.patch +++ /dev/null @@ -1,129 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Thu, 7 Mar 2019 09:36:33 -0800 -Subject: net/hsr: fix possible crash in add_timer() - -commit 1e027960edfaa6a43f9ca31081729b716598112b upstream. - -syzbot found another add_timer() issue, this time in net/hsr [1] - -Let's use mod_timer() which is safe. - -[1] -kernel BUG at kernel/time/timer.c:1136! -invalid opcode: 0000 [#1] PREEMPT SMP KASAN -CPU: 0 PID: 15909 Comm: syz-executor.3 Not tainted 5.0.0+ #97 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -kobject: 'loop2' (00000000f5629718): kobject_uevent_env -RIP: 0010:add_timer kernel/time/timer.c:1136 [inline] -RIP: 0010:add_timer+0x654/0xbe0 kernel/time/timer.c:1134 -Code: 0f 94 c5 31 ff 44 89 ee e8 09 61 0f 00 45 84 ed 0f 84 77 fd ff ff e8 bb 5f 0f 00 e8 07 10 a0 ff e9 68 fd ff ff e8 ac 5f 0f 00 <0f> 0b e8 a5 5f 0f 00 0f 0b e8 9e 5f 0f 00 4c 89 b5 58 ff ff ff e9 -RSP: 0018:ffff8880656eeca0 EFLAGS: 00010246 -kobject: 'loop2' (00000000f5629718): fill_kobj_path: path = '/devices/virtual/block/loop2' -RAX: 0000000000040000 RBX: 1ffff1100caddd9a RCX: ffffc9000c436000 -RDX: 0000000000040000 RSI: ffffffff816056c4 RDI: ffff88806a2f6cc8 -RBP: ffff8880656eed58 R08: ffff888067f4a300 R09: ffff888067f4abc8 -R10: 0000000000000000 R11: 0000000000000000 R12: ffff88806a2f6cc0 -R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880656eed30 -FS: 00007fc2019bf700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000738000 CR3: 0000000067e8e000 CR4: 00000000001406f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - hsr_check_announce net/hsr/hsr_device.c:99 [inline] - hsr_check_carrier_and_operstate+0x567/0x6f0 net/hsr/hsr_device.c:120 - hsr_netdev_notify+0x297/0xa00 net/hsr/hsr_main.c:51 - notifier_call_chain+0xc7/0x240 kernel/notifier.c:93 - __raw_notifier_call_chain kernel/notifier.c:394 [inline] - raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401 - call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739 - call_netdevice_notifiers_extack net/core/dev.c:1751 [inline] - call_netdevice_notifiers net/core/dev.c:1765 [inline] - dev_open net/core/dev.c:1436 [inline] - dev_open+0x143/0x160 net/core/dev.c:1424 - team_port_add drivers/net/team/team.c:1203 [inline] - team_add_slave+0xa07/0x15d0 drivers/net/team/team.c:1933 - do_set_master net/core/rtnetlink.c:2358 [inline] - do_set_master+0x1d4/0x230 net/core/rtnetlink.c:2332 - do_setlink+0x966/0x3510 net/core/rtnetlink.c:2493 - rtnl_setlink+0x271/0x3b0 net/core/rtnetlink.c:2747 - rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192 - netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485 - rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210 - netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] - netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336 - netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925 - sock_sendmsg_nosec net/socket.c:622 [inline] - sock_sendmsg+0xdd/0x130 net/socket.c:632 - sock_write_iter+0x27c/0x3e0 net/socket.c:923 - call_write_iter include/linux/fs.h:1869 [inline] - do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680 - do_iter_write fs/read_write.c:956 [inline] - do_iter_write+0x184/0x610 fs/read_write.c:937 - vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001 - do_writev+0xf6/0x290 fs/read_write.c:1036 - __do_sys_writev fs/read_write.c:1109 [inline] - __se_sys_writev fs/read_write.c:1106 [inline] - __x64_sys_writev+0x75/0xb0 fs/read_write.c:1106 - do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x457f29 -Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007fc2019bec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 -RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29 -RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000003 -RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc2019bf6d4 -R13: 00000000004c4a60 R14: 00000000004dd218 R15: 00000000ffffffff - -Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Cc: Arvid Brodin <arvid.brodin@alten.se> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/hsr/hsr_device.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - ---- a/net/hsr/hsr_device.c -+++ b/net/hsr/hsr_device.c -@@ -78,9 +78,8 @@ void hsr_check_announce(struct net_devic - if ((hsr_dev->operstate == IF_OPER_UP) && (old_operstate != IF_OPER_UP)) { - /* Went up */ - hsr_priv->announce_count = 0; -- hsr_priv->announce_timer.expires = jiffies + -- msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL); -- add_timer(&hsr_priv->announce_timer); -+ mod_timer(&hsr_priv->announce_timer, -+ jiffies + msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL)); - } - - if ((hsr_dev->operstate != IF_OPER_UP) && (old_operstate == IF_OPER_UP)) -@@ -361,6 +360,7 @@ out: - static void hsr_announce(unsigned long data) - { - struct hsr_priv *hsr_priv; -+ unsigned long interval; - - hsr_priv = (struct hsr_priv *) data; - -@@ -372,14 +372,12 @@ static void hsr_announce(unsigned long d - } - - if (hsr_priv->announce_count < 3) -- hsr_priv->announce_timer.expires = jiffies + -- msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL); -+ interval = msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL); - else -- hsr_priv->announce_timer.expires = jiffies + -- msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL); -+ interval = msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL); - - if (is_admin_up(hsr_priv->dev)) -- add_timer(&hsr_priv->announce_timer); -+ mod_timer(&hsr_priv->announce_timer, jiffies + interval); - } - - diff --git a/queue-3.16/net-mlx4_core-fix-locking-in-sriov-mode-when-switching-between.patch b/queue-3.16/net-mlx4_core-fix-locking-in-sriov-mode-when-switching-between.patch deleted file mode 100644 index 4e52b112..00000000 --- a/queue-3.16/net-mlx4_core-fix-locking-in-sriov-mode-when-switching-between.patch +++ /dev/null @@ -1,70 +0,0 @@ -From: Jack Morgenstein <jackm@dev.mellanox.co.il> -Date: Tue, 12 Mar 2019 17:05:48 +0200 -Subject: net/mlx4_core: Fix locking in SRIOV mode when switching between - events and polling - -commit c07d27927f2f2e96fcd27bb9fb330c9ea65612d0 upstream. - -In procedures mlx4_cmd_use_events() and mlx4_cmd_use_polling(), we need to -guarantee that there are no FW commands in progress on the comm channel -(for VFs) or wrapped FW commands (on the PF) when SRIOV is active. - -We do this by also taking the slave_cmd_mutex when SRIOV is active. - -This is especially important when switching from event to polling, since we -free the command-context array during the switch. If there are FW commands -in progress (e.g., waiting for a completion event), the completion event -handler will access freed memory. - -Since the decision to use comm_wait or comm_poll is taken before grabbing -the event_sem/poll_sem in mlx4_comm_cmd_wait/poll, we must take the -slave_cmd_mutex as well (to guarantee that the decision to use events or -polling and the call to the appropriate cmd function are atomic). - -Fixes: a7e1f04905e5 ("net/mlx4_core: Fix deadlock when switching between polling and event fw commands") -Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> -Signed-off-by: Tariq Toukan <tariqt@mellanox.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ethernet/mellanox/mlx4/cmd.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/net/ethernet/mellanox/mlx4/cmd.c -+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c -@@ -2196,6 +2196,8 @@ int mlx4_cmd_use_events(struct mlx4_dev - if (!priv->cmd.context) - return -ENOMEM; - -+ if (mlx4_is_mfunc(dev)) -+ mutex_lock(&priv->cmd.slave_cmd_mutex); - down_write(&priv->cmd.switch_sem); - for (i = 0; i < priv->cmd.max_cmds; ++i) { - priv->cmd.context[i].token = i; -@@ -2217,6 +2219,8 @@ int mlx4_cmd_use_events(struct mlx4_dev - down(&priv->cmd.poll_sem); - priv->cmd.use_events = 1; - up_write(&priv->cmd.switch_sem); -+ if (mlx4_is_mfunc(dev)) -+ mutex_unlock(&priv->cmd.slave_cmd_mutex); - - return err; - } -@@ -2229,6 +2233,8 @@ void mlx4_cmd_use_polling(struct mlx4_de - struct mlx4_priv *priv = mlx4_priv(dev); - int i; - -+ if (mlx4_is_mfunc(dev)) -+ mutex_lock(&priv->cmd.slave_cmd_mutex); - down_write(&priv->cmd.switch_sem); - priv->cmd.use_events = 0; - -@@ -2239,6 +2245,8 @@ void mlx4_cmd_use_polling(struct mlx4_de - - up(&priv->cmd.poll_sem); - up_write(&priv->cmd.switch_sem); -+ if (mlx4_is_mfunc(dev)) -+ mutex_unlock(&priv->cmd.slave_cmd_mutex); - } - - struct mlx4_cmd_mailbox *mlx4_alloc_cmd_mailbox(struct mlx4_dev *dev) diff --git a/queue-3.16/net-mlx4_core-fix-qp-mtt-size-calculation.patch b/queue-3.16/net-mlx4_core-fix-qp-mtt-size-calculation.patch deleted file mode 100644 index 6a51eebe..00000000 --- a/queue-3.16/net-mlx4_core-fix-qp-mtt-size-calculation.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Jack Morgenstein <jackm@dev.mellanox.co.il> -Date: Tue, 12 Mar 2019 17:05:49 +0200 -Subject: net/mlx4_core: Fix qp mtt size calculation - -commit 8511a653e9250ef36b95803c375a7be0e2edb628 upstream. - -Calculation of qp mtt size (in function mlx4_RST2INIT_wrapper) -ultimately depends on function roundup_pow_of_two. - -If the amount of memory required by the QP is less than one page, -roundup_pow_of_two is called with argument zero. In this case, the -roundup_pow_of_two result is undefined. - -Calling roundup_pow_of_two with a zero argument resulted in the -following stack trace: - -UBSAN: Undefined behaviour in ./include/linux/log2.h:61:13 -shift exponent 64 is too large for 64-bit type 'long unsigned int' -CPU: 4 PID: 26939 Comm: rping Tainted: G OE 4.19.0-rc1 -Hardware name: Supermicro X9DR3-F/X9DR3-F, BIOS 3.2a 07/09/2015 -Call Trace: -dump_stack+0x9a/0xeb -ubsan_epilogue+0x9/0x7c -__ubsan_handle_shift_out_of_bounds+0x254/0x29d -? __ubsan_handle_load_invalid_value+0x180/0x180 -? debug_show_all_locks+0x310/0x310 -? sched_clock+0x5/0x10 -? sched_clock+0x5/0x10 -? sched_clock_cpu+0x18/0x260 -? find_held_lock+0x35/0x1e0 -? mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core] -mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core] - -Fix this by explicitly testing for zero, and returning one if the -argument is zero (assuming that the next higher power of 2 in this case -should be one). - -Fixes: c82e9aa0a8bc ("mlx4_core: resource tracking for HCA resources used by guests") -Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> -Signed-off-by: Tariq Toukan <tariqt@mellanox.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c -+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c -@@ -2460,13 +2460,13 @@ static int qp_get_mtt_size(struct mlx4_q - int total_pages; - int total_mem; - int page_offset = (be32_to_cpu(qpc->params2) >> 6) & 0x3f; -+ int tot; - - sq_size = 1 << (log_sq_size + log_sq_sride + 4); - rq_size = (srq|rss|xrc) ? 0 : (1 << (log_rq_size + log_rq_stride + 4)); - total_mem = sq_size + rq_size; -- total_pages = -- roundup_pow_of_two((total_mem + (page_offset << 6)) >> -- page_shift); -+ tot = (total_mem + (page_offset << 6)) >> page_shift; -+ total_pages = !tot ? 1 : roundup_pow_of_two(tot); - - return total_pages; - } diff --git a/queue-3.16/net-sh_eth-fix-a-missing-check-of-of_get_phy_mode.patch b/queue-3.16/net-sh_eth-fix-a-missing-check-of-of_get_phy_mode.patch deleted file mode 100644 index 6d953cef..00000000 --- a/queue-3.16/net-sh_eth-fix-a-missing-check-of-of_get_phy_mode.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Kangjie Lu <kjlu@umn.edu> -Date: Tue, 12 Mar 2019 02:43:18 -0500 -Subject: net: sh_eth: fix a missing check of of_get_phy_mode - -commit 035a14e71f27eefa50087963b94cbdb3580d08bf upstream. - -of_get_phy_mode may fail and return a negative error code; -the fix checks the return value of of_get_phy_mode and -returns NULL of it fails. - -Fixes: b356e978e92f ("sh_eth: add device tree support") -Signed-off-by: Kangjie Lu <kjlu@umn.edu> -Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> -Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> -Tested-by: Geert Uytterhoeven <geert+renesas@glider.be> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ethernet/renesas/sh_eth.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/net/ethernet/renesas/sh_eth.c -+++ b/drivers/net/ethernet/renesas/sh_eth.c -@@ -2712,12 +2712,16 @@ static struct sh_eth_plat_data *sh_eth_p - struct device_node *np = dev->of_node; - struct sh_eth_plat_data *pdata; - const char *mac_addr; -+ int ret; - - pdata = devm_kzalloc(dev, sizeof(*pdata), GFP_KERNEL); - if (!pdata) - return NULL; - -- pdata->phy_interface = of_get_phy_mode(np); -+ ret = of_get_phy_mode(np); -+ if (ret < 0) -+ return NULL; -+ pdata->phy_interface = ret; - - mac_addr = of_get_mac_address(np); - if (mac_addr) diff --git a/queue-3.16/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch b/queue-3.16/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch deleted file mode 100644 index c7a8d662..00000000 --- a/queue-3.16/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Sat, 2 Mar 2019 10:34:55 +0800 -Subject: net-sysfs: Fix mem leak in netdev_register_kobject - -commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab upstream. - -syzkaller report this: -BUG: memory leak -unreferenced object 0xffff88837a71a500 (size 256): - comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s) - hex dump (first 32 bytes): - 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... - ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff ........ ....... - backtrace: - [<00000000db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751 - [<00000000dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516 - [<00000000e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline] - [<00000000e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883 - [<000000001b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline] - [<000000001b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690 - [<0000000079b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705 - [<00000000de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline] - [<00000000de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline] - [<00000000de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710 - [<000000007ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290 - [<00000000db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe - [<00000000115be9bb>] 0xffffffffffffffff - -It should call kset_unregister to free 'dev->queues_kset' -in error path of register_queue_kobjects, otherwise will cause a mem leak. - -Reported-by: Hulk Robot <hulkci@huawei.com> -Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: net_device pointer is called "net", confusingly] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/core/net-sysfs.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/core/net-sysfs.c -+++ b/net/core/net-sysfs.c -@@ -1219,6 +1219,9 @@ static int register_queue_kobjects(struc - error: - netdev_queue_update_kobjects(net, txq, 0); - net_rx_queue_update_kobjects(net, rxq, 0); -+#ifdef CONFIG_SYSFS -+ kset_unregister(net->queues_kset); -+#endif - return error; - } - diff --git a/queue-3.16/netns-provide-pure-entropy-for-net_hash_mix.patch b/queue-3.16/netns-provide-pure-entropy-for-net_hash_mix.patch deleted file mode 100644 index de522941..00000000 --- a/queue-3.16/netns-provide-pure-entropy-for-net_hash_mix.patch +++ /dev/null @@ -1,74 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 27 Mar 2019 08:21:30 -0700 -Subject: netns: provide pure entropy for net_hash_mix() - -commit 355b98553789b646ed97ad801a619ff898471b92 upstream. - -net_hash_mix() currently uses kernel address of a struct net, -and is used in many places that could be used to reveal this -address to a patient attacker, thus defeating KASLR, for -the typical case (initial net namespace, &init_net is -not dynamically allocated) - -I believe the original implementation tried to avoid spending -too many cycles in this function, but security comes first. - -Also provide entropy regardless of CONFIG_NET_NS. - -Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Amit Klein <aksecurity@gmail.com> -Reported-by: Benny Pinkas <benny@pinkas.net> -Cc: Pavel Emelyanov <xemul@openvz.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/include/net/net_namespace.h -+++ b/include/net/net_namespace.h -@@ -54,6 +54,8 @@ struct net { - #endif - spinlock_t rules_mod_lock; - -+ u32 hash_mix; -+ - struct list_head list; /* list of network namespaces */ - struct list_head cleanup_list; /* namespaces on death row */ - struct list_head exit_list; /* Use only net_mutex */ ---- a/include/net/netns/hash.h -+++ b/include/net/netns/hash.h -@@ -1,21 +1,10 @@ - #ifndef __NET_NS_HASH_H__ - #define __NET_NS_HASH_H__ - --#include <asm/cache.h> -+#include <net/net_namespace.h> - --struct net; -- --static inline unsigned int net_hash_mix(struct net *net) -+static inline u32 net_hash_mix(const struct net *net) - { --#ifdef CONFIG_NET_NS -- /* -- * shift this right to eliminate bits, that are -- * always zeroed -- */ -- -- return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT); --#else -- return 0; --#endif -+ return net->hash_mix; - } - #endif ---- a/net/core/net_namespace.c -+++ b/net/core/net_namespace.c -@@ -156,6 +156,7 @@ static __net_init int setup_net(struct n - - atomic_set(&net->count, 1); - atomic_set(&net->passive, 1); -+ get_random_bytes(&net->hash_mix, sizeof(u32)); - net->dev_base_seq = 1; - net->user_ns = user_ns; - diff --git a/queue-3.16/nfsd-fix-memory-corruption-caused-by-readdir.patch b/queue-3.16/nfsd-fix-memory-corruption-caused-by-readdir.patch deleted file mode 100644 index f4b55d0e..00000000 --- a/queue-3.16/nfsd-fix-memory-corruption-caused-by-readdir.patch +++ /dev/null @@ -1,93 +0,0 @@ -From: NeilBrown <neilb@suse.com> -Date: Mon, 4 Mar 2019 14:08:22 +1100 -Subject: nfsd: fix memory corruption caused by readdir - -commit b602345da6cbb135ba68cf042df8ec9a73da7981 upstream. - -If the result of an NFSv3 readdir{,plus} request results in the -"offset" on one entry having to be split across 2 pages, and is sized -so that the next directory entry doesn't fit in the requested size, -then memory corruption can happen. - -When encode_entry() is called after encoding the last entry that fits, -it notices that ->offset and ->offset1 are set, and so stores the -offset value in the two pages as required. It clears ->offset1 but -*does not* clear ->offset. - -Normally this omission doesn't matter as encode_entry_baggage() will -be called, and will set ->offset to a suitable value (not on a page -boundary). -But in the case where cd->buflen < elen and nfserr_toosmall is -returned, ->offset is not reset. - -This means that nfsd3proc_readdirplus will see ->offset with a value 4 -bytes before the end of a page, and ->offset1 set to NULL. -It will try to write 8bytes to ->offset. -If we are lucky, the next page will be read-only, and the system will - BUG: unable to handle kernel paging request at... - -If we are unlucky, some innocent page will have the first 4 bytes -corrupted. - -nfsd3proc_readdir() doesn't even check for ->offset1, it just blindly -writes 8 bytes to the offset wherever it is. - -Fix this by clearing ->offset after it is used, and copying the -->offset handling code from nfsd3_proc_readdirplus into -nfsd3_proc_readdir. - -(Note that the commit hash in the Fixes tag is from the 'history' - tree - this bug predates git). - -Fixes: 0b1d57cf7654 ("[PATCH] kNFSd: Fix nfs3 dentry encoding") -Fixes-URL: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0b1d57cf7654 -Signed-off-by: NeilBrown <neilb@suse.com> -Signed-off-by: J. Bruce Fields <bfields@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/nfsd/nfs3proc.c | 16 ++++++++++++++-- - fs/nfsd/nfs3xdr.c | 1 + - 2 files changed, 15 insertions(+), 2 deletions(-) - ---- a/fs/nfsd/nfs3proc.c -+++ b/fs/nfsd/nfs3proc.c -@@ -440,8 +440,19 @@ nfsd3_proc_readdir(struct svc_rqst *rqst - &resp->common, nfs3svc_encode_entry); - memcpy(resp->verf, argp->verf, 8); - resp->count = resp->buffer - argp->buffer; -- if (resp->offset) -- xdr_encode_hyper(resp->offset, argp->cookie); -+ if (resp->offset) { -+ loff_t offset = argp->cookie; -+ -+ if (unlikely(resp->offset1)) { -+ /* we ended up with offset on a page boundary */ -+ *resp->offset = htonl(offset >> 32); -+ *resp->offset1 = htonl(offset & 0xffffffff); -+ resp->offset1 = NULL; -+ } else { -+ xdr_encode_hyper(resp->offset, offset); -+ } -+ resp->offset = NULL; -+ } - - RETURN_STATUS(nfserr); - } -@@ -501,6 +512,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * - } else { - xdr_encode_hyper(resp->offset, offset); - } -+ resp->offset = NULL; - } - - RETURN_STATUS(nfserr); ---- a/fs/nfsd/nfs3xdr.c -+++ b/fs/nfsd/nfs3xdr.c -@@ -909,6 +909,7 @@ encode_entry(struct readdir_cd *ccd, con - } else { - xdr_encode_hyper(cd->offset, offset64); - } -+ cd->offset = NULL; - } - - /* diff --git a/queue-3.16/nfsv4.1-reinitialise-sequence-results-before-retransmitting-a.patch b/queue-3.16/nfsv4.1-reinitialise-sequence-results-before-retransmitting-a.patch deleted file mode 100644 index a2179230..00000000 --- a/queue-3.16/nfsv4.1-reinitialise-sequence-results-before-retransmitting-a.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Trond Myklebust <trond.myklebust@hammerspace.com> -Date: Fri, 1 Mar 2019 12:13:34 -0500 -Subject: NFSv4.1: Reinitialise sequence results before retransmitting a - request - -commit c1dffe0bf7f9c3d57d9f237a7cb2a81e62babd2b upstream. - -If we have to retransmit a request, we should ensure that we reinitialise -the sequence results structure, since in the event of a signal -we need to treat the request as if it had not been sent. - -Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/nfs/nfs4proc.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -694,6 +694,13 @@ static int nfs4_sequence_done(struct rpc - return nfs41_sequence_done(task, res); - } - -+static void nfs41_sequence_res_init(struct nfs4_sequence_res *res) -+{ -+ res->sr_timestamp = jiffies; -+ res->sr_status_flags = 0; -+ res->sr_status = 1; -+} -+ - int nfs41_setup_sequence(struct nfs4_session *session, - struct nfs4_sequence_args *args, - struct nfs4_sequence_res *res, -@@ -735,15 +742,9 @@ int nfs41_setup_sequence(struct nfs4_ses - slot->slot_nr, slot->seq_nr); - - res->sr_slot = slot; -- res->sr_timestamp = jiffies; -- res->sr_status_flags = 0; -- /* -- * sr_status is only set in decode_sequence, and so will remain -- * set to 1 if an rpc level failure occurs. -- */ -- res->sr_status = 1; - trace_nfs4_setup_sequence(session, args); - out_success: -+ nfs41_sequence_res_init(res); - rpc_call_start(task); - return 0; - out_sleep: diff --git a/queue-3.16/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch b/queue-3.16/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch deleted file mode 100644 index 058fb0de..00000000 --- a/queue-3.16/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: QiaoChong <qiaochong@loongson.cn> -Date: Sat, 9 Feb 2019 20:59:07 +0000 -Subject: parport_pc: fix find_superio io compare code, should use equal test. - -commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream. - -In the original code before 181bf1e815a2 the loop was continuing until -it finds the first matching superios[i].io and p->base. -But after 181bf1e815a2 the logic changed and the loop now returns the -pointer to the first mismatched array element which is then used in -get_superio_dma() and get_superio_irq() and thus returning the wrong -value. -Fix the condition so that it now returns the correct pointer. - -Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for") -Cc: Alan Cox <alan@linux.intel.com> -Signed-off-by: QiaoChong <qiaochong@loongson.cn> -[rewrite the commit message] -Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/parport/parport_pc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/parport/parport_pc.c -+++ b/drivers/parport/parport_pc.c -@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super - { - int i; - for (i = 0; i < NR_SUPERIOS; i++) -- if (superios[i].io != p->base) -+ if (superios[i].io == p->base) - return &superios[i]; - return NULL; - } diff --git a/queue-3.16/perf-header-fix-wrong-node-write-in-numa_topology-feature.patch b/queue-3.16/perf-header-fix-wrong-node-write-in-numa_topology-feature.patch deleted file mode 100644 index 06dcb98e..00000000 --- a/queue-3.16/perf-header-fix-wrong-node-write-in-numa_topology-feature.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Jiri Olsa <jolsa@kernel.org> -Date: Tue, 19 Feb 2019 10:58:12 +0100 -Subject: perf header: Fix wrong node write in NUMA_TOPOLOGY feature - -commit b00ccb27f97367d89e2d7b419ed198b0985be55d upstream. - -We are currently passing the node index instead of the real node number. - -Signed-off-by: Jiri Olsa <jolsa@kernel.org> -Acked-by: Namhyung Kim <namhyung@kernel.org> -Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> -Cc: Peter Zijlstra <peterz@infradead.org> -Fixes: fbe96f29ce4b ("perf tools: Make perf.data more self-descriptive (v8)" -Link: http://lkml.kernel.org/r/20190219095815.15931-2-jolsa@kernel.org -Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - tools/perf/util/header.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/tools/perf/util/header.c -+++ b/tools/perf/util/header.c -@@ -1009,7 +1009,7 @@ static int write_numa_topology(int fd, s - if (ret < 0) - break; - -- ret = write_topo_node(fd, i); -+ ret = write_topo_node(fd, j); - if (ret < 0) - break; - } diff --git a/queue-3.16/pinctrl-sh-pfc-r8a7778-fix-hspi-pin-numbers-and-names.patch b/queue-3.16/pinctrl-sh-pfc-r8a7778-fix-hspi-pin-numbers-and-names.patch deleted file mode 100644 index 3a3dc98e..00000000 --- a/queue-3.16/pinctrl-sh-pfc-r8a7778-fix-hspi-pin-numbers-and-names.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Geert Uytterhoeven <geert+renesas@glider.be> -Date: Wed, 16 Jan 2019 11:48:53 +0100 -Subject: pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names - -commit 8e32e881947be98abaa917157fefc4a3319e90af upstream. - -When declaring the HSPI RX1_B and TX1_B pins, two mistakes were made: - - the rows and columns in the BGA pin matrix, from which the pin - numbers are derived, were exchanged, - - it was not taken into account that pin row labelling skips - characters I, O, Q, and S. - -Fix the order, and the corresponding pin names. - -Notes: - - The actual values of the pin numbers don't really matter (they just - have to be unique), so the wrong order didn't have any impact, - - Changing the names of the pins is user-visible, but there are no - users in (upstream) DTS files. - -Fixes: 4f82e3ee724f1712 ("sh-pfc: Support pins not associated with a GPIO port") -Fixes: 09cc76a95802e87d ("sh-pfc: r8a7778: add HSPI pin groups") -Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> -Reviewed-by: Simon Horman <horms+renesas@verge.net.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/pinctrl/sh-pfc/pfc-r8a7778.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/pinctrl/sh-pfc/pfc-r8a7778.c -+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7778.c -@@ -1265,8 +1265,8 @@ static const struct sh_pfc_pin pinmux_pi - - /* Pins not associated with a GPIO port */ - SH_PFC_PIN_NAMED(3, 20, C20), -- SH_PFC_PIN_NAMED(20, 1, T1), -- SH_PFC_PIN_NAMED(25, 2, Y2), -+ SH_PFC_PIN_NAMED(1, 20, A20), -+ SH_PFC_PIN_NAMED(2, 25, B25), - }; - - /* - macro */ -@@ -1401,7 +1401,7 @@ HSPI_PFC_DAT(hspi1_a, HSPI_CLK1_A, HSPI - HSPI_RX1_A, HSPI_TX1_A); - - HSPI_PFC_PIN(hspi1_b, RCAR_GP_PIN(0, 27), RCAR_GP_PIN(0, 26), -- PIN_NUMBER(20, 1), PIN_NUMBER(25, 2)); -+ PIN_NUMBER(1, 20), PIN_NUMBER(2, 25)); - HSPI_PFC_DAT(hspi1_b, HSPI_CLK1_B, HSPI_CS1_B, - HSPI_RX1_B, HSPI_TX1_B); - diff --git a/queue-3.16/pinctrl-sh-pfc-r8a7791-fix-scifb2_data_c-pin-group.patch b/queue-3.16/pinctrl-sh-pfc-r8a7791-fix-scifb2_data_c-pin-group.patch deleted file mode 100644 index 1d1c32f9..00000000 --- a/queue-3.16/pinctrl-sh-pfc-r8a7791-fix-scifb2_data_c-pin-group.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Geert Uytterhoeven <geert+renesas@glider.be> -Date: Wed, 23 Jan 2019 17:07:43 +0100 -Subject: pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group - -commit a4b0350047f1b10207e25e72d7cd3f7826e93769 upstream. - -The entry for "scifb2_data_c" in the SCIFB2 pin group array contains a -typo, thus the group cannot be selected. - -Fixes: 5088451962389924 ("pinctrl: sh-pfc: r8a7791 PFC support") -Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> -Reviewed-by: Simon Horman <horms+renesas@verge.net.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c -+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c -@@ -4433,7 +4433,7 @@ static const char * const scifb2_groups[ - "scifb2_data_b", - "scifb2_clk_b", - "scifb2_ctrl_b", -- "scifb0_data_c", -+ "scifb2_data_c", - "scifb2_clk_c", - "scifb2_data_d", - }; diff --git a/queue-3.16/pinctrl-sh-pfc-sh73a0-fix-fsic_spdif-pin-groups.patch b/queue-3.16/pinctrl-sh-pfc-sh73a0-fix-fsic_spdif-pin-groups.patch deleted file mode 100644 index 25049bbb..00000000 --- a/queue-3.16/pinctrl-sh-pfc-sh73a0-fix-fsic_spdif-pin-groups.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Geert Uytterhoeven <geert+renesas@glider.be> -Date: Wed, 23 Jan 2019 16:51:21 +0100 -Subject: pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups - -commit 0e6e448bdcf896d001a289a6112a704542d51516 upstream. - -There are two pin groups for the FSIC SPDIF signal, but the FSIC pin -group array lists only one, and it refers to a nonexistent group. - -Fixes: 2ecd4154c906b7d6 ("sh-pfc: sh73a0: Add FSI pin groups and functions") -Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> -Reviewed-by: Simon Horman <horms+renesas@verge.net.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/pinctrl/sh-pfc/pfc-sh73a0.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/pinctrl/sh-pfc/pfc-sh73a0.c -+++ b/drivers/pinctrl/sh-pfc/pfc-sh73a0.c -@@ -2899,7 +2899,8 @@ static const char * const fsic_groups[] - "fsic_sclk_out", - "fsic_data_in", - "fsic_data_out", -- "fsic_spdif", -+ "fsic_spdif_0", -+ "fsic_spdif_1", - }; - - static const char * const fsid_groups[] = { diff --git a/queue-3.16/powerpc-32-clear-on-stack-exception-marker-upon-exception-return.patch b/queue-3.16/powerpc-32-clear-on-stack-exception-marker-upon-exception-return.patch deleted file mode 100644 index b9e71482..00000000 --- a/queue-3.16/powerpc-32-clear-on-stack-exception-marker-upon-exception-return.patch +++ /dev/null @@ -1,76 +0,0 @@ -From: Christophe Leroy <christophe.leroy@c-s.fr> -Date: Wed, 27 Feb 2019 11:45:30 +0000 -Subject: powerpc/32: Clear on-stack exception marker upon exception return - -commit 9580b71b5a7863c24a9bd18bcd2ad759b86b1eff upstream. - -Clear the on-stack STACK_FRAME_REGS_MARKER on exception exit in order -to avoid confusing stacktrace like the one below. - - Call Trace: - [c0e9dca0] [c01c42a0] print_address_description+0x64/0x2bc (unreliable) - [c0e9dcd0] [c01c4684] kasan_report+0xfc/0x180 - [c0e9dd10] [c0895130] memchr+0x24/0x74 - [c0e9dd30] [c00a9e38] msg_print_text+0x124/0x574 - [c0e9dde0] [c00ab710] console_unlock+0x114/0x4f8 - [c0e9de40] [c00adc60] vprintk_emit+0x188/0x1c4 - --- interrupt: c0e9df00 at 0x400f330 - LR = init_stack+0x1f00/0x2000 - [c0e9de80] [c00ae3c4] printk+0xa8/0xcc (unreliable) - [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108 - [c0e9df50] [c0c15434] start_kernel+0x310/0x488 - [c0e9dff0] [00003484] 0x3484 - -With this patch the trace becomes: - - Call Trace: - [c0e9dca0] [c01c42c0] print_address_description+0x64/0x2bc (unreliable) - [c0e9dcd0] [c01c46a4] kasan_report+0xfc/0x180 - [c0e9dd10] [c0895150] memchr+0x24/0x74 - [c0e9dd30] [c00a9e58] msg_print_text+0x124/0x574 - [c0e9dde0] [c00ab730] console_unlock+0x114/0x4f8 - [c0e9de40] [c00adc80] vprintk_emit+0x188/0x1c4 - [c0e9de80] [c00ae3e4] printk+0xa8/0xcc - [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108 - [c0e9df50] [c0c15434] start_kernel+0x310/0x488 - [c0e9dff0] [00003484] 0x3484 - -Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/kernel/entry_32.S | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/arch/powerpc/kernel/entry_32.S -+++ b/arch/powerpc/kernel/entry_32.S -@@ -757,6 +757,9 @@ fast_exception_return: - mtcr r10 - lwz r10,_LINK(r11) - mtlr r10 -+ /* Clear the exception_marker on the stack to avoid confusing stacktrace */ -+ li r10, 0 -+ stw r10, 8(r11) - REST_GPR(10, r11) - mtspr SPRN_SRR1,r9 - mtspr SPRN_SRR0,r12 -@@ -987,6 +990,9 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRE - mtcrf 0xFF,r10 - mtlr r11 - -+ /* Clear the exception_marker on the stack to avoid confusing stacktrace */ -+ li r10, 0 -+ stw r10, 8(r1) - /* - * Once we put values in SRR0 and SRR1, we are in a state - * where exceptions are not recoverable, since taking an -@@ -1024,6 +1030,9 @@ exc_exit_restart_end: - mtlr r11 - lwz r10,_CCR(r1) - mtcrf 0xff,r10 -+ /* Clear the exception_marker on the stack to avoid confusing stacktrace */ -+ li r10, 0 -+ stw r10, 8(r1) - REST_2GPRS(9, r1) - .globl exc_exit_restart - exc_exit_restart: diff --git a/queue-3.16/powerpc-83xx-also-save-restore-sprg4-7-during-suspend.patch b/queue-3.16/powerpc-83xx-also-save-restore-sprg4-7-during-suspend.patch deleted file mode 100644 index 7e5759b2..00000000 --- a/queue-3.16/powerpc-83xx-also-save-restore-sprg4-7-during-suspend.patch +++ /dev/null @@ -1,74 +0,0 @@ -From: Christophe Leroy <christophe.leroy@c-s.fr> -Date: Fri, 25 Jan 2019 12:03:55 +0000 -Subject: powerpc/83xx: Also save/restore SPRG4-7 during suspend - -commit 36da5ff0bea2dc67298150ead8d8471575c54c7d upstream. - -The 83xx has 8 SPRG registers and uses at least SPRG4 -for DTLB handling LRU. - -Fixes: 2319f1239592 ("powerpc/mm: e300c2/c3/c4 TLB errata workaround") -Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/platforms/83xx/suspend-asm.S | 34 ++++++++++++++++++----- - 1 file changed, 27 insertions(+), 7 deletions(-) - ---- a/arch/powerpc/platforms/83xx/suspend-asm.S -+++ b/arch/powerpc/platforms/83xx/suspend-asm.S -@@ -26,13 +26,13 @@ - #define SS_MSR 0x74 - #define SS_SDR1 0x78 - #define SS_LR 0x7c --#define SS_SPRG 0x80 /* 4 SPRGs */ --#define SS_DBAT 0x90 /* 8 DBATs */ --#define SS_IBAT 0xd0 /* 8 IBATs */ --#define SS_TB 0x110 --#define SS_CR 0x118 --#define SS_GPREG 0x11c /* r12-r31 */ --#define STATE_SAVE_SIZE 0x16c -+#define SS_SPRG 0x80 /* 8 SPRGs */ -+#define SS_DBAT 0xa0 /* 8 DBATs */ -+#define SS_IBAT 0xe0 /* 8 IBATs */ -+#define SS_TB 0x120 -+#define SS_CR 0x128 -+#define SS_GPREG 0x12c /* r12-r31 */ -+#define STATE_SAVE_SIZE 0x17c - - .section .data - .align 5 -@@ -103,6 +103,16 @@ _GLOBAL(mpc83xx_enter_deep_sleep) - stw r7, SS_SPRG+12(r3) - stw r8, SS_SDR1(r3) - -+ mfspr r4, SPRN_SPRG4 -+ mfspr r5, SPRN_SPRG5 -+ mfspr r6, SPRN_SPRG6 -+ mfspr r7, SPRN_SPRG7 -+ -+ stw r4, SS_SPRG+16(r3) -+ stw r5, SS_SPRG+20(r3) -+ stw r6, SS_SPRG+24(r3) -+ stw r7, SS_SPRG+28(r3) -+ - mfspr r4, SPRN_DBAT0U - mfspr r5, SPRN_DBAT0L - mfspr r6, SPRN_DBAT1U -@@ -493,6 +503,16 @@ mpc83xx_deep_resume: - mtspr SPRN_IBAT7U, r6 - mtspr SPRN_IBAT7L, r7 - -+ lwz r4, SS_SPRG+16(r3) -+ lwz r5, SS_SPRG+20(r3) -+ lwz r6, SS_SPRG+24(r3) -+ lwz r7, SS_SPRG+28(r3) -+ -+ mtspr SPRN_SPRG4, r4 -+ mtspr SPRN_SPRG5, r5 -+ mtspr SPRN_SPRG6, r6 -+ mtspr SPRN_SPRG7, r7 -+ - lwz r4, SS_SPRG+0(r3) - lwz r5, SS_SPRG+4(r3) - lwz r6, SS_SPRG+8(r3) diff --git a/queue-3.16/powerpc-irq-drop-arch_early_irq_init.patch b/queue-3.16/powerpc-irq-drop-arch_early_irq_init.patch deleted file mode 100644 index b9ed28c8..00000000 --- a/queue-3.16/powerpc-irq-drop-arch_early_irq_init.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Christophe Leroy <christophe.leroy@c-s.fr> -Date: Tue, 8 Jan 2019 11:37:19 +0000 -Subject: powerpc/irq: drop arch_early_irq_init() - -commit 607ea5090b3fb61fea1d0bc5278e6c1d40ab5bd6 upstream. - -arch_early_irq_init() does nothing different than the weak -arch_early_irq_init() in kernel/softirq.c - -Fixes: 089fb442f301 ("powerpc: Use ARCH_IRQ_INIT_FLAGS") -Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> -Acked-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/kernel/irq.c | 5 ----- - 1 file changed, 5 deletions(-) - ---- a/arch/powerpc/kernel/irq.c -+++ b/arch/powerpc/kernel/irq.c -@@ -662,11 +662,6 @@ int irq_choose_cpu(const struct cpumask - } - #endif - --int arch_early_irq_init(void) --{ -- return 0; --} -- - #ifdef CONFIG_PPC64 - static int __init setup_noirqdistrib(char *str) - { diff --git a/queue-3.16/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area.patch b/queue-3.16/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area.patch deleted file mode 100644 index 825e6655..00000000 --- a/queue-3.16/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com> -Date: Tue, 26 Feb 2019 10:09:35 +0530 -Subject: powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area - topdown search - -commit 3b4d07d2674f6b4a9281031f99d1f7efd325b16d upstream. - -When doing top-down search the low_limit is not PAGE_SIZE but rather -max(PAGE_SIZE, mmap_min_addr). This handle cases in which mmap_min_addr > -PAGE_SIZE. - -Fixes: fba2369e6ceb ("mm: use vm_unmapped_area() on powerpc architecture") -Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com> -Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/mm/slice.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - ---- a/arch/powerpc/mm/slice.c -+++ b/arch/powerpc/mm/slice.c -@@ -30,6 +30,7 @@ - #include <linux/err.h> - #include <linux/spinlock.h> - #include <linux/export.h> -+#include <linux/security.h> - #include <asm/mman.h> - #include <asm/mmu.h> - #include <asm/spu.h> -@@ -313,6 +314,7 @@ static unsigned long slice_find_area_top - int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT); - unsigned long addr, found, prev; - struct vm_unmapped_area_info info; -+ unsigned long min_addr = max(PAGE_SIZE, mmap_min_addr); - - info.flags = VM_UNMAPPED_AREA_TOPDOWN; - info.length = len; -@@ -320,7 +322,7 @@ static unsigned long slice_find_area_top - info.align_offset = 0; - - addr = mm->mmap_base; -- while (addr > PAGE_SIZE) { -+ while (addr > min_addr) { - info.high_limit = addr; - if (!slice_scan_available(addr - 1, available, 0, &addr)) - continue; -@@ -332,8 +334,8 @@ static unsigned long slice_find_area_top - * Check if we need to reduce the range, or if we can - * extend it to cover the previous available slice. - */ -- if (addr < PAGE_SIZE) -- addr = PAGE_SIZE; -+ if (addr < min_addr) -+ addr = min_addr; - else if (slice_scan_available(addr - 1, available, 0, &prev)) { - addr = prev; - goto prev_slice; -@@ -415,7 +417,7 @@ unsigned long slice_get_unmapped_area(un - addr = _ALIGN_UP(addr, 1ul << pshift); - slice_dbg(" aligned addr=%lx\n", addr); - /* Ignore hint if it's too large or overlaps a VMA */ -- if (addr > mm->task_size - len || -+ if (addr > mm->task_size - len || addr < mmap_min_addr || - !slice_area_is_free(mm, addr, len)) - addr = 0; - } diff --git a/queue-3.16/powerpc-powernv-make-opal-log-only-readable-by-root.patch b/queue-3.16/powerpc-powernv-make-opal-log-only-readable-by-root.patch deleted file mode 100644 index 30dfac3f..00000000 --- a/queue-3.16/powerpc-powernv-make-opal-log-only-readable-by-root.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Jordan Niethe <jniethe5@gmail.com> -Date: Wed, 27 Feb 2019 14:02:29 +1100 -Subject: powerpc/powernv: Make opal log only readable by root - -commit 7b62f9bd2246b7d3d086e571397c14ba52645ef1 upstream. - -Currently the opal log is globally readable. It is kernel policy to -limit the visibility of physical addresses / kernel pointers to root. -Given this and the fact the opal log may contain this information it -would be better to limit the readability to root. - -Fixes: bfc36894a48b ("powerpc/powernv: Add OPAL message log interface") -Signed-off-by: Jordan Niethe <jniethe5@gmail.com> -Reviewed-by: Stewart Smith <stewart@linux.ibm.com> -Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/platforms/powernv/opal-msglog.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/powerpc/platforms/powernv/opal-msglog.c -+++ b/arch/powerpc/platforms/powernv/opal-msglog.c -@@ -92,7 +92,7 @@ out: - } - - static struct bin_attribute opal_msglog_attr = { -- .attr = {.name = "msglog", .mode = 0444}, -+ .attr = {.name = "msglog", .mode = 0400}, - .read = opal_msglog_read - }; - diff --git a/queue-3.16/powerpc-wii-properly-disable-use-of-bats-when-requested.patch b/queue-3.16/powerpc-wii-properly-disable-use-of-bats-when-requested.patch deleted file mode 100644 index 3524bda3..00000000 --- a/queue-3.16/powerpc-wii-properly-disable-use-of-bats-when-requested.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Christophe Leroy <christophe.leroy@c-s.fr> -Date: Thu, 21 Feb 2019 19:08:37 +0000 -Subject: powerpc/wii: properly disable use of BATs when requested. - -commit 6d183ca8baec983dc4208ca45ece3c36763df912 upstream. - -'nobats' kernel parameter or some options like CONFIG_DEBUG_PAGEALLOC -deny the use of BATS for mapping memory. - -This patch makes sure that the specific wii RAM mapping function -takes it into account as well. - -Fixes: de32400dd26e ("wii: use both mem1 and mem2 as ram") -Reviewed-by: Jonathan Neuschafer <j.neuschaefer@gmx.net> -Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - arch/powerpc/platforms/embedded6xx/wii.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/arch/powerpc/platforms/embedded6xx/wii.c -+++ b/arch/powerpc/platforms/embedded6xx/wii.c -@@ -104,6 +104,10 @@ unsigned long __init wii_mmu_mapin_mem2( - /* MEM2 64MB@0x10000000 */ - delta = wii_hole_start + wii_hole_size; - size = top - delta; -+ -+ if (__map_without_bats) -+ return delta; -+ - for (bl = 128<<10; bl < max_size; bl <<= 1) { - if (bl * 2 > size) - break; diff --git a/queue-3.16/pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch b/queue-3.16/pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch deleted file mode 100644 index c22d357f..00000000 --- a/queue-3.16/pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Xin Long <lucien.xin@gmail.com> -Date: Wed, 13 Mar 2019 17:00:48 +0800 -Subject: pptp: dst_release sk_dst_cache in pptp_sock_destruct - -commit 9417d81f4f8adfe20a12dd1fadf73a618cbd945d upstream. - -sk_setup_caps() is called to set sk->sk_dst_cache in pptp_connect, -so we have to dst_release(sk->sk_dst_cache) in pptp_sock_destruct, -otherwise, the dst refcnt will leak. - -It can be reproduced by this syz log: - - r1 = socket$pptp(0x18, 0x1, 0x2) - bind$pptp(r1, &(0x7f0000000100)={0x18, 0x2, {0x0, @local}}, 0x1e) - connect$pptp(r1, &(0x7f0000000000)={0x18, 0x2, {0x3, @remote}}, 0x1e) - -Consecutive dmesg warnings will occur: - - unregister_netdevice: waiting for lo to become free. Usage count = 1 - -v1->v2: - - use rcu_dereference_protected() instead of rcu_dereference_check(), - as suggested by Eric. - -Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)") -Reported-by: Xiumei Mu <xmu@redhat.com> -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/net/ppp/pptp.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -579,6 +579,7 @@ static void pptp_sock_destruct(struct so - pppox_unbind_sock(sk); - } - skb_queue_purge(&sk->sk_receive_queue); -+ dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1)); - } - - static int pptp_create(struct net *net, struct socket *sock) diff --git a/queue-3.16/rcu-do-rcu-gp-kthread-self-wakeup-from-softirq-and-interrupt.patch b/queue-3.16/rcu-do-rcu-gp-kthread-self-wakeup-from-softirq-and-interrupt.patch deleted file mode 100644 index 167968eb..00000000 --- a/queue-3.16/rcu-do-rcu-gp-kthread-self-wakeup-from-softirq-and-interrupt.patch +++ /dev/null @@ -1,82 +0,0 @@ -From: "Zhang, Jun" <jun.zhang@intel.com> -Date: Tue, 18 Dec 2018 06:55:01 -0800 -Subject: rcu: Do RCU GP kthread self-wakeup from softirq and interrupt - -commit 1d1f898df6586c5ea9aeaf349f13089c6fa37903 upstream. - -The rcu_gp_kthread_wake() function is invoked when it might be necessary -to wake the RCU grace-period kthread. Because self-wakeups are normally -a useless waste of CPU cycles, if rcu_gp_kthread_wake() is invoked from -this kthread, it naturally refuses to do the wakeup. - -Unfortunately, natural though it might be, this heuristic fails when -rcu_gp_kthread_wake() is invoked from an interrupt or softirq handler -that interrupted the grace-period kthread just after the final check of -the wait-event condition but just before the schedule() call. In this -case, a wakeup is required, even though the call to rcu_gp_kthread_wake() -is within the RCU grace-period kthread's context. Failing to provide -this wakeup can result in grace periods failing to start, which in turn -results in out-of-memory conditions. - -This race window is quite narrow, but it actually did happen during real -testing. It would of course need to be fixed even if it was strictly -theoretical in nature. - -This patch does not Cc stable because it does not apply cleanly to -earlier kernel versions. - -Fixes: 48a7639ce80c ("rcu: Make callers awaken grace-period kthread") -Reported-by: "He, Bo" <bo.he@intel.com> -Co-developed-by: "Zhang, Jun" <jun.zhang@intel.com> -Co-developed-by: "He, Bo" <bo.he@intel.com> -Co-developed-by: "xiao, jin" <jin.xiao@intel.com> -Co-developed-by: Bai, Jie A <jie.a.bai@intel.com> -Signed-off: "Zhang, Jun" <jun.zhang@intel.com> -Signed-off: "He, Bo" <bo.he@intel.com> -Signed-off: "xiao, jin" <jin.xiao@intel.com> -Signed-off: Bai, Jie A <jie.a.bai@intel.com> -Signed-off-by: "Zhang, Jun" <jun.zhang@intel.com> -[ paulmck: Switch from !in_softirq() to "!in_interrupt() && - !in_serving_softirq() to avoid redundant wakeups and to also handle the - interrupt-handler scenario as well as the softirq-handler scenario that - actually occurred in testing. ] -Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com> -Link: https://lkml.kernel.org/r/CD6925E8781EFD4D8E11882D20FC406D52A11F61@SHSMSX104.ccr.corp.intel.com -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - kernel/rcu/tree.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - ---- a/kernel/rcu/tree.c -+++ b/kernel/rcu/tree.c -@@ -1384,15 +1384,23 @@ static int rcu_future_gp_cleanup(struct - } - - /* -- * Awaken the grace-period kthread for the specified flavor of RCU. -- * Don't do a self-awaken, and don't bother awakening when there is -- * nothing for the grace-period kthread to do (as in several CPUs -- * raced to awaken, and we lost), and finally don't try to awaken -- * a kthread that has not yet been created. -+ * Awaken the grace-period kthread. Don't do a self-awaken (unless in -+ * an interrupt or softirq handler), and don't bother awakening when there -+ * is nothing for the grace-period kthread to do (as in several CPUs raced -+ * to awaken, and we lost), and finally don't try to awaken a kthread that -+ * has not yet been created. If all those checks are passed, track some -+ * debug information and awaken. -+ * -+ * So why do the self-wakeup when in an interrupt or softirq handler -+ * in the grace-period kthread's context? Because the kthread might have -+ * been interrupted just as it was going to sleep, and just after the final -+ * pre-sleep check of the awaken condition. In this case, a wakeup really -+ * is required, and is therefore supplied. - */ - static void rcu_gp_kthread_wake(struct rcu_state *rsp) - { -- if (current == rsp->gp_kthread || -+ if ((current == rsp->gp_kthread && -+ !in_interrupt() && !in_serving_softirq()) || - !ACCESS_ONCE(rsp->gp_flags) || - !rsp->gp_kthread) - return; diff --git a/queue-3.16/rdma-ocrdma-fix-out-of-bounds-index-check-in-query-pkey.patch b/queue-3.16/rdma-ocrdma-fix-out-of-bounds-index-check-in-query-pkey.patch deleted file mode 100644 index 2b185fb2..00000000 --- a/queue-3.16/rdma-ocrdma-fix-out-of-bounds-index-check-in-query-pkey.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Gal Pressman <galpress@amazon.com> -Date: Mon, 7 Jan 2019 17:27:55 +0200 -Subject: RDMA/ocrdma: Fix out of bounds index check in query pkey - -commit b188940796c7be31c1b8c25a9a0e0842c2e7a49e upstream. - -The pkey table size is one element, index should be tested for > 0 instead -of > 1. - -Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter") -Signed-off-by: Gal Pressman <galpress@amazon.com> -Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c -+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c -@@ -39,7 +39,7 @@ - - int ocrdma_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey) - { -- if (index > 1) -+ if (index > 0) - return -EINVAL; - - *pkey = 0xffff; diff --git a/queue-3.16/regulator-wm831x-dcdc-fix-list-of-wm831x_dcdc_ilim-from-ma-to-ua.patch b/queue-3.16/regulator-wm831x-dcdc-fix-list-of-wm831x_dcdc_ilim-from-ma-to-ua.patch deleted file mode 100644 index 78175b01..00000000 --- a/queue-3.16/regulator-wm831x-dcdc-fix-list-of-wm831x_dcdc_ilim-from-ma-to-ua.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Axel Lin <axel.lin@ingics.com> -Date: Sun, 24 Feb 2019 21:16:51 +0800 -Subject: regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA - -commit c25d47888f0fb3d836d68322d4aea2caf31a75a6 upstream. - -The wm831x_dcdc_ilim entries needs to be uA because it is used to compare -with min_uA and max_uA. -While at it also make the array const and change to use unsigned int. - -Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support") -Signed-off-by: Axel Lin <axel.lin@ingics.com> -Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/regulator/wm831x-dcdc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/regulator/wm831x-dcdc.c -+++ b/drivers/regulator/wm831x-dcdc.c -@@ -327,8 +327,8 @@ static int wm831x_buckv_get_voltage_sel( - } - - /* Current limit options */ --static u16 wm831x_dcdc_ilim[] = { -- 125, 250, 375, 500, 625, 750, 875, 1000 -+static const unsigned int wm831x_dcdc_ilim[] = { -+ 125000, 250000, 375000, 500000, 625000, 750000, 875000, 1000000 - }; - - static int wm831x_buckv_set_current_limit(struct regulator_dev *rdev, diff --git a/queue-3.16/route-set-the-deleted-fnhe-fnhe_daddr-to-0-in-ip_del_fnhe-to-fix-a.patch b/queue-3.16/route-set-the-deleted-fnhe-fnhe_daddr-to-0-in-ip_del_fnhe-to-fix-a.patch deleted file mode 100644 index 29f423fc..00000000 --- a/queue-3.16/route-set-the-deleted-fnhe-fnhe_daddr-to-0-in-ip_del_fnhe-to-fix-a.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Xin Long <lucien.xin@gmail.com> -Date: Fri, 8 Mar 2019 14:50:54 +0800 -Subject: route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a - race - -commit ee60ad219f5c7c4fb2f047f88037770063ef785f upstream. - -The race occurs in __mkroute_output() when 2 threads lookup a dst: - - CPU A CPU B - find_exception() - find_exception() [fnhe expires] - ip_del_fnhe() [fnhe is deleted] - rt_bind_exception() - -In rt_bind_exception() it will bind a deleted fnhe with the new dst, and -this dst will get no chance to be freed. It causes a dev defcnt leak and -consecutive dmesg warnings: - - unregister_netdevice: waiting for ethX to become free. Usage count = 1 - -Especially thanks Jon to identify the issue. - -This patch fixes it by setting fnhe_daddr to 0 in ip_del_fnhe() to stop -binding the deleted fnhe with a new dst when checking fnhe's fnhe_daddr -and daddr in rt_bind_exception(). - -It works as both ip_del_fnhe() and rt_bind_exception() are protected by -fnhe_lock and the fhne is freed by kfree_rcu(). - -Fixes: deed49df7390 ("route: check and remove route cache when we get route") -Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Reviewed-by: David Ahern <dsahern@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv4/route.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -1279,6 +1279,10 @@ static void ip_del_fnhe(struct fib_nh *n - if (fnhe->fnhe_daddr == daddr) { - rcu_assign_pointer(*fnhe_p, rcu_dereference_protected( - fnhe->fnhe_next, lockdep_is_held(&fnhe_lock))); -+ /* set fnhe_daddr to 0 to ensure it won't bind with -+ * new dsts in rt_bind_exception(). -+ */ -+ fnhe->fnhe_daddr = 0; - fnhe_flush_routes(fnhe); - kfree_rcu(fnhe, rcu); - break; diff --git a/queue-3.16/rtc-88pm80x-fix-unintended-sign-extension.patch b/queue-3.16/rtc-88pm80x-fix-unintended-sign-extension.patch deleted file mode 100644 index e1081d46..00000000 --- a/queue-3.16/rtc-88pm80x-fix-unintended-sign-extension.patch +++ /dev/null @@ -1,85 +0,0 @@ -From: Colin Ian King <colin.king@canonical.com> -Date: Wed, 6 Feb 2019 10:08:11 +0000 -Subject: rtc: 88pm80x: fix unintended sign extension - -commit fb0b322537a831b5b0cb948c56f8f958ce493d3a upstream. - -Shifting a u8 by 24 will cause the value to be promoted to an integer. If -the top bit of the u8 is set then the following conversion to an unsigned -long will sign extend the value causing the upper 32 bits to be set in -the result. - -Fix this by casting the u8 value to an unsigned long before the shift. - -Detected by CoverityScan, CID#714646-714649 ("Unintended sign extension") - -Fixes: 2985c29c1964 ("rtc: Add rtc support to 88PM80X PMIC") -Signed-off-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/rtc/rtc-88pm80x.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - ---- a/drivers/rtc/rtc-88pm80x.c -+++ b/drivers/rtc/rtc-88pm80x.c -@@ -116,12 +116,14 @@ static int pm80x_rtc_read_time(struct de - unsigned char buf[4]; - unsigned long ticks, base, data; - regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4); -- base = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]); - - /* load 32-bit read-only counter */ - regmap_raw_read(info->map, PM800_RTC_COUNTER1, buf, 4); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - ticks = base + data; - dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); -@@ -144,7 +146,8 @@ static int pm80x_rtc_set_time(struct dev - - /* load 32-bit read-only counter */ - regmap_raw_read(info->map, PM800_RTC_COUNTER1, buf, 4); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - base = ticks - data; - dev_dbg(info->dev, "set base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); -@@ -165,11 +168,13 @@ static int pm80x_rtc_read_alarm(struct d - int ret; - - regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4); -- base = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]); - - regmap_raw_read(info->map, PM800_RTC_EXPIRE1_1, buf, 4); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - ticks = base + data; - dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); -@@ -192,12 +197,14 @@ static int pm80x_rtc_set_alarm(struct de - regmap_update_bits(info->map, PM800_RTC_CONTROL, PM800_ALARM1_EN, 0); - - regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4); -- base = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]); - - /* load 32-bit read-only counter */ - regmap_raw_read(info->map, PM800_RTC_COUNTER1, buf, 4); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - ticks = base + data; - dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); diff --git a/queue-3.16/rtc-88pm860x-fix-unintended-sign-extension.patch b/queue-3.16/rtc-88pm860x-fix-unintended-sign-extension.patch deleted file mode 100644 index 3efa5b0c..00000000 --- a/queue-3.16/rtc-88pm860x-fix-unintended-sign-extension.patch +++ /dev/null @@ -1,82 +0,0 @@ -From: Colin Ian King <colin.king@canonical.com> -Date: Wed, 6 Feb 2019 09:50:53 +0000 -Subject: rtc: 88pm860x: fix unintended sign extension - -commit dc9e47160626cdb58d5c39a4f43dcfdb27a5c004 upstream. - -Shifting a u8 by 24 will cause the value to be promoted to an integer. If -the top bit of the u8 is set then the following conversion to an unsigned -long will sign extend the value causing the upper 32 bits to be set in -the result. - -Fix this by casting the u8 value to an unsigned long before the shift. - -Detected by CoverityScan, CID#144925-144928 ("Unintended sign extension") - -Fixes: 008b30408c40 ("mfd: Add rtc support to 88pm860x") -Signed-off-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/rtc/rtc-88pm860x.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - ---- a/drivers/rtc/rtc-88pm860x.c -+++ b/drivers/rtc/rtc-88pm860x.c -@@ -115,11 +115,13 @@ static int pm860x_rtc_read_time(struct d - pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf); - dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1], - buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]); -- base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7]; -+ base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) | -+ (buf[5] << 8) | buf[7]; - - /* load 32-bit read-only counter */ - pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - ticks = base + data; - dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); -@@ -145,7 +147,8 @@ static int pm860x_rtc_set_time(struct de - - /* load 32-bit read-only counter */ - pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - base = ticks - data; - dev_dbg(info->dev, "set base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); -@@ -170,10 +173,12 @@ static int pm860x_rtc_read_alarm(struct - pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf); - dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1], - buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]); -- base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7]; -+ base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) | -+ (buf[5] << 8) | buf[7]; - - pm860x_bulk_read(info->i2c, PM8607_RTC_EXPIRE1, 4, buf); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - ticks = base + data; - dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); -@@ -198,11 +203,13 @@ static int pm860x_rtc_set_alarm(struct d - pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf); - dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1], - buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]); -- base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7]; -+ base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) | -+ (buf[5] << 8) | buf[7]; - - /* load 32-bit read-only counter */ - pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf); -- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - ticks = base + data; - dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", - base, data, ticks); diff --git a/queue-3.16/rtc-ds1672-fix-unintended-sign-extension.patch b/queue-3.16/rtc-ds1672-fix-unintended-sign-extension.patch deleted file mode 100644 index 3835f04e..00000000 --- a/queue-3.16/rtc-ds1672-fix-unintended-sign-extension.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Colin Ian King <colin.king@canonical.com> -Date: Tue, 5 Feb 2019 18:04:49 +0000 -Subject: rtc: ds1672: fix unintended sign extension - -commit f0c04c276739ed8acbb41b4868e942a55b128dca upstream. - -Shifting a u8 by 24 will cause the value to be promoted to an integer. If -the top bit of the u8 is set then the following conversion to an unsigned -long will sign extend the value causing the upper 32 bits to be set in -the result. - -Fix this by casting the u8 value to an unsigned long before the shift. - -Detected by CoverityScan, CID#138801 ("Unintended sign extension") - -Fixes: edf1aaa31fc5 ("[PATCH] RTC subsystem: DS1672 driver") -Signed-off-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/rtc/rtc-ds1672.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/rtc/rtc-ds1672.c -+++ b/drivers/rtc/rtc-ds1672.c -@@ -60,7 +60,8 @@ static int ds1672_get_datetime(struct i2 - "%s: raw read data - counters=%02x,%02x,%02x,%02x\n", - __func__, buf[0], buf[1], buf[2], buf[3]); - -- time = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; -+ time = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | -+ (buf[1] << 8) | buf[0]; - - rtc_time_to_tm(time, tm); - diff --git a/queue-3.16/rtc-pm8xxx-fix-unintended-sign-extension.patch b/queue-3.16/rtc-pm8xxx-fix-unintended-sign-extension.patch deleted file mode 100644 index a1bc90bb..00000000 --- a/queue-3.16/rtc-pm8xxx-fix-unintended-sign-extension.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Colin Ian King <colin.king@canonical.com> -Date: Wed, 6 Feb 2019 10:31:02 +0000 -Subject: rtc: pm8xxx: fix unintended sign extension - -commit e42280886018c6f77f0a90190f7cba344b0df3e0 upstream. - -Shifting a u8 by 24 will cause the value to be promoted to an integer. If -the top bit of the u8 is set then the following conversion to an unsigned -long will sign extend the value causing the upper 32 bits to be set in -the result. - -Fix this by casting the u8 value to an unsigned long before the shift. - -Detected by CoverityScan, CID#1309693 ("Unintended sign extension") - -Fixes: 9a9a54ad7aa2 ("drivers/rtc: add support for Qualcomm PMIC8xxx RTC") -Signed-off-by: Colin Ian King <colin.king@canonical.com> -Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/rtc/rtc-pm8xxx.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/rtc/rtc-pm8xxx.c -+++ b/drivers/rtc/rtc-pm8xxx.c -@@ -175,7 +175,8 @@ static int pm8xxx_rtc_read_time(struct d - } - } - -- secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24); -+ secs = value[0] | (value[1] << 8) | (value[2] << 16) | -+ ((unsigned long)value[3] << 24); - - rtc_time_to_tm(secs, tm); - -@@ -253,7 +254,8 @@ static int pm8xxx_rtc_read_alarm(struct - return rc; - } - -- secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24); -+ secs = value[0] | (value[1] << 8) | (value[2] << 16) | -+ ((unsigned long)value[3] << 24); - - rtc_time_to_tm(secs, &alarm->time); - diff --git a/queue-3.16/s390-virtio-handle-find-on-invalid-queue-gracefully.patch b/queue-3.16/s390-virtio-handle-find-on-invalid-queue-gracefully.patch deleted file mode 100644 index 8106958c..00000000 --- a/queue-3.16/s390-virtio-handle-find-on-invalid-queue-gracefully.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Halil Pasic <pasic@linux.ibm.com> -Date: Mon, 21 Jan 2019 13:19:43 +0100 -Subject: s390/virtio: handle find on invalid queue gracefully - -commit 3438b2c039b4bf26881786a1f3450f016d66ad11 upstream. - -A queue with a capacity of zero is clearly not a valid virtio queue. -Some emulators report zero queue size if queried with an invalid queue -index. Instead of crashing in this case let us just return -ENOENT. To -make that work properly, let us fix the notifier cleanup logic as well. - -Signed-off-by: Halil Pasic <pasic@linux.ibm.com> -Signed-off-by: Cornelia Huck <cohuck@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/s390/kvm/virtio_ccw.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/s390/kvm/virtio_ccw.c -+++ b/drivers/s390/kvm/virtio_ccw.c -@@ -258,6 +258,8 @@ static void virtio_ccw_drop_indicators(s - { - struct virtio_ccw_vq_info *info; - -+ if (!vcdev->airq_info) -+ return; - list_for_each_entry(info, &vcdev->virtqueues, node) - drop_airq_indicator(info->vq, vcdev->airq_info); - } -@@ -386,7 +388,7 @@ static int virtio_ccw_read_vq_conf(struc - ccw->count = sizeof(struct vq_config_block); - ccw->cda = (__u32)(unsigned long)(vcdev->config_block); - ccw_io_helper(vcdev, ccw, VIRTIO_CCW_DOING_READ_VQ_CONF); -- return vcdev->config_block->num; -+ return vcdev->config_block->num ?: -ENOENT; - } - - static void virtio_ccw_del_vq(struct virtqueue *vq, struct ccw1 *ccw) diff --git a/queue-3.16/scsi-target-iscsi-avoid-iscsit_release_commands_from_conn.patch b/queue-3.16/scsi-target-iscsi-avoid-iscsit_release_commands_from_conn.patch deleted file mode 100644 index e495ec41..00000000 --- a/queue-3.16/scsi-target-iscsi-avoid-iscsit_release_commands_from_conn.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Bart Van Assche <bvanassche@acm.org> -Date: Fri, 25 Jan 2019 10:34:56 -0800 -Subject: scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() - deadlock - -commit 32e36bfbcf31452a854263e7c7f32fbefc4b44d8 upstream. - -When using SCSI passthrough in combination with the iSCSI target driver -then cmd->t_state_lock may be obtained from interrupt context. Hence, all -code that obtains cmd->t_state_lock from thread context must disable -interrupts first. This patch avoids that lockdep reports the following: - -WARNING: inconsistent lock state -4.18.0-dbg+ #1 Not tainted --------------------------------- -inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. -iscsi_ttx/1800 [HC1[1]:SC0[2]:HE0:SE0] takes: -000000006e7b0ceb (&(&cmd->t_state_lock)->rlock){?...}, at: target_complete_cmd+0x47/0x2c0 [target_core_mod] -{HARDIRQ-ON-W} state was registered at: - lock_acquire+0xd2/0x260 - _raw_spin_lock+0x32/0x50 - iscsit_close_connection+0x97e/0x1020 [iscsi_target_mod] - iscsit_take_action_for_connection_exit+0x108/0x200 [iscsi_target_mod] - iscsi_target_rx_thread+0x180/0x190 [iscsi_target_mod] - kthread+0x1cf/0x1f0 - ret_from_fork+0x24/0x30 -irq event stamp: 1281 -hardirqs last enabled at (1279): [<ffffffff970ade79>] __local_bh_enable_ip+0xa9/0x160 -hardirqs last disabled at (1281): [<ffffffff97a008a5>] interrupt_entry+0xb5/0xd0 -softirqs last enabled at (1278): [<ffffffff977cd9a1>] lock_sock_nested+0x51/0xc0 -softirqs last disabled at (1280): [<ffffffffc07a6e04>] ip6_finish_output2+0x124/0xe40 [ipv6] - -other info that might help us debug this: -Possible unsafe locking scenario: - - CPU0 - ---- - lock(&(&cmd->t_state_lock)->rlock); - <Interrupt> - lock(&(&cmd->t_state_lock)->rlock); - ---- a/drivers/target/iscsi/iscsi_target.c -+++ b/drivers/target/iscsi/iscsi_target.c -@@ -4201,9 +4201,9 @@ static void iscsit_release_commands_from - struct se_cmd *se_cmd = &cmd->se_cmd; - - if (se_cmd->se_tfo != NULL) { -- spin_lock(&se_cmd->t_state_lock); -+ spin_lock_irq(&se_cmd->t_state_lock); - se_cmd->transport_state |= CMD_T_FABRIC_STOP; -- spin_unlock(&se_cmd->t_state_lock); -+ spin_unlock_irq(&se_cmd->t_state_lock); - } - } - spin_unlock_bh(&conn->cmd_lock); diff --git a/queue-3.16/scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch b/queue-3.16/scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch deleted file mode 100644 index 1f4c5a6e..00000000 --- a/queue-3.16/scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch +++ /dev/null @@ -1,58 +0,0 @@ -From: Felipe Franciosi <felipe@nutanix.com> -Date: Wed, 27 Feb 2019 16:10:34 +0000 -Subject: scsi: virtio_scsi: don't send sc payload with tmfs - -commit 3722e6a52174d7c3a00e6f5efd006ca093f346c1 upstream. - -The virtio scsi spec defines struct virtio_scsi_ctrl_tmf as a set of -device-readable records and a single device-writable response entry: - - struct virtio_scsi_ctrl_tmf - { - // Device-readable part - le32 type; - le32 subtype; - u8 lun[8]; - le64 id; - // Device-writable part - u8 response; - } - -The above should be organised as two descriptor entries (or potentially -more if using VIRTIO_F_ANY_LAYOUT), but without any extra data after "le64 -id" or after "u8 response". - -The Linux driver doesn't respect that, with virtscsi_abort() and -virtscsi_device_reset() setting cmd->sc before calling virtscsi_tmf(). It -results in the original scsi command payload (or writable buffers) added to -the tmf. - -This fixes the problem by leaving cmd->sc zeroed out, which makes -virtscsi_kick_cmd() add the tmf to the control vq without any payload. - -Signed-off-by: Felipe Franciosi <felipe@nutanix.com> -Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/scsi/virtio_scsi.c | 2 -- - 1 file changed, 2 deletions(-) - ---- a/drivers/scsi/virtio_scsi.c -+++ b/drivers/scsi/virtio_scsi.c -@@ -631,7 +631,6 @@ static int virtscsi_device_reset(struct - return FAILED; - - memset(cmd, 0, sizeof(*cmd)); -- cmd->sc = sc; - cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){ - .type = VIRTIO_SCSI_T_TMF, - .subtype = VIRTIO_SCSI_T_TMF_LOGICAL_UNIT_RESET, -@@ -654,7 +653,6 @@ static int virtscsi_abort(struct scsi_cm - return FAILED; - - memset(cmd, 0, sizeof(*cmd)); -- cmd->sc = sc; - cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){ - .type = VIRTIO_SCSI_T_TMF, - .subtype = VIRTIO_SCSI_T_TMF_ABORT_TASK, diff --git a/queue-3.16/security-selinux-pass-flags-arg-to-avc_audit-and.patch b/queue-3.16/security-selinux-pass-flags-arg-to-avc_audit-and.patch deleted file mode 100644 index eeaad4e5..00000000 --- a/queue-3.16/security-selinux-pass-flags-arg-to-avc_audit-and.patch +++ /dev/null @@ -1,91 +0,0 @@ -From: NeilBrown <neilb@suse.de> -Date: Mon, 23 Mar 2015 13:37:39 +1100 -Subject: security/selinux: pass 'flags' arg to avc_audit() and - avc_has_perm_flags() - -commit 7b20ea2579238f5e0da4bc93276c1b63c960c9ef upstream. - -This allows MAY_NOT_BLOCK to be passed, in RCU-walk mode, through -the new avc_has_perm_flags() to avc_audit() and thence the slow_avc_audit. - -Signed-off-by: NeilBrown <neilb@suse.de> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -[bwh: Backported to 3.16 as dependency of commit 3a28cff3bd4b - "selinux: avoid silent denials in permissive mode under RCU walk"] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - security/selinux/avc.c | 18 +++++++++++++++++- - security/selinux/hooks.c | 2 +- - security/selinux/include/avc.h | 9 +++++++-- - 3 files changed, 25 insertions(+), 4 deletions(-) - ---- a/security/selinux/avc.c -+++ b/security/selinux/avc.c -@@ -768,7 +768,23 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 - - rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); - -- rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); -+ rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0); -+ if (rc2) -+ return rc2; -+ return rc; -+} -+ -+int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, -+ u32 requested, struct common_audit_data *auditdata, -+ int flags) -+{ -+ struct av_decision avd; -+ int rc, rc2; -+ -+ rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); -+ -+ rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, -+ auditdata, flags); - if (rc2) - return rc2; - return rc; ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1569,7 +1569,7 @@ static int cred_has_capability(const str - - rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); - if (audit == SECURITY_CAP_AUDIT) { -- int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); -+ int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); - if (rc2) - return rc2; - } ---- a/security/selinux/include/avc.h -+++ b/security/selinux/include/avc.h -@@ -130,7 +130,8 @@ static inline int avc_audit(u32 ssid, u3 - u16 tclass, u32 requested, - struct av_decision *avd, - int result, -- struct common_audit_data *a) -+ struct common_audit_data *a, -+ int flags) - { - u32 audited, denied; - audited = avc_audit_required(requested, avd, result, 0, &denied); -@@ -138,7 +139,7 @@ static inline int avc_audit(u32 ssid, u3 - return 0; - return slow_avc_audit(ssid, tsid, tclass, - requested, audited, denied, result, -- a, 0); -+ a, flags); - } - - #define AVC_STRICT 1 /* Ignore permissive mode. */ -@@ -150,6 +151,10 @@ int avc_has_perm_noaudit(u32 ssid, u32 t - int avc_has_perm(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct common_audit_data *auditdata); -+int avc_has_perm_flags(u32 ssid, u32 tsid, -+ u16 tclass, u32 requested, -+ struct common_audit_data *auditdata, -+ int flags); - - u32 avc_policy_seqno(void); - diff --git a/queue-3.16/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch b/queue-3.16/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch deleted file mode 100644 index e80cbca1..00000000 --- a/queue-3.16/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch +++ /dev/null @@ -1,118 +0,0 @@ -From: Stephen Smalley <sds@tycho.nsa.gov> -Date: Wed, 12 Dec 2018 10:10:55 -0500 -Subject: selinux: avoid silent denials in permissive mode under RCU walk - -commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream. - -commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") -results in no audit messages at all if in permissive mode because the -cache is updated during the rcu walk and thus no denial occurs on -the subsequent ref walk. Fix this by not updating the cache when -performing a non-blocking permission check. This only affects search -and symlink read checks during rcu walk. - -Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") -Reported-by: BMK <bmktuwien@gmail.com> -Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> -Signed-off-by: Paul Moore <paul@paul-moore.com> -[bwh: Backported to 3.16: - - Add flags parameter to avc_update_node(), done upstream in commit - fa1aa143ac4a "selinux: extended permissions for ioctls" - - Adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/security/selinux/avc.c -+++ b/security/selinux/avc.c -@@ -528,6 +528,7 @@ static inline int avc_sidcmp(u32 x, u32 - * @perms : Permission mask bits - * @ssid,@tsid,@tclass : identifier of an AVC entry - * @seqno : sequence number when decision was made -+ * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0. - * - * if a valid AVC entry doesn't exist,this function returns -ENOENT. - * if kmalloc() called internal returns NULL, this function returns -ENOMEM. -@@ -535,7 +536,7 @@ static inline int avc_sidcmp(u32 x, u32 - * will release later by RCU. - */ - static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass, -- u32 seqno) -+ u32 seqno, unsigned int flags) - { - int hvalue, rc = 0; - unsigned long flag; -@@ -543,6 +544,23 @@ static int avc_update_node(u32 event, u3 - struct hlist_head *head; - spinlock_t *lock; - -+ /* -+ * If we are in a non-blocking code path, e.g. VFS RCU walk, -+ * then we must not add permissions to a cache entry -+ * because we cannot safely audit the denial. Otherwise, -+ * during the subsequent blocking retry (e.g. VFS ref walk), we -+ * will find the permissions already granted in the cache entry -+ * and won't audit anything at all, leading to silent denials in -+ * permissive mode that only appear when in enforcing mode. -+ * -+ * See the corresponding handling in slow_avc_audit(), and the -+ * logic in selinux_inode_follow_link and selinux_inode_permission -+ * for the VFS MAY_NOT_BLOCK flag, which is transliterated into -+ * AVC_NONBLOCKING for avc_has_perm_noaudit(). -+ */ -+ if (flags & AVC_NONBLOCKING) -+ return 0; -+ - node = avc_alloc_node(); - if (!node) { - rc = -ENOMEM; -@@ -690,7 +708,7 @@ static noinline int avc_denied(u32 ssid, - return -EACCES; - - avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, -- tsid, tclass, avd->seqno); -+ tsid, tclass, avd->seqno, flags); - return 0; - } - -@@ -701,7 +719,7 @@ static noinline int avc_denied(u32 ssid, - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass -- * @flags: AVC_STRICT or 0 -+ * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0 - * @avd: access vector decisions - * - * Check the AVC to determine whether the @requested permissions are granted -@@ -781,7 +799,9 @@ int avc_has_perm_flags(u32 ssid, u32 tsi - struct av_decision avd; - int rc, rc2; - -- rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); -+ rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, -+ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, -+ &avd); - - rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, - auditdata, flags); ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -2818,7 +2818,9 @@ static int selinux_inode_permission(stru - sid = cred_sid(cred); - isec = inode->i_security; - -- rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); -+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, -+ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, -+ &avd); - audited = avc_audit_required(perms, &avd, rc, - from_access ? FILE__AUDIT_ACCESS : 0, - &denied); ---- a/security/selinux/include/avc.h -+++ b/security/selinux/include/avc.h -@@ -143,6 +143,7 @@ static inline int avc_audit(u32 ssid, u3 - } - - #define AVC_STRICT 1 /* Ignore permissive mode. */ -+#define AVC_NONBLOCKING 4 /* non blocking */ - int avc_has_perm_noaudit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - unsigned flags, diff --git a/queue-3.16/serial-8250_of-assume-reg-shift-of-2-for-mrvl-mmp-uart.patch b/queue-3.16/serial-8250_of-assume-reg-shift-of-2-for-mrvl-mmp-uart.patch deleted file mode 100644 index c3606508..00000000 --- a/queue-3.16/serial-8250_of-assume-reg-shift-of-2-for-mrvl-mmp-uart.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Lubomir Rintel <lkundrak@v3.sk> -Date: Sun, 24 Feb 2019 13:00:53 +0100 -Subject: serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart - -commit f4817843e39ce78aace0195a57d4e8500a65a898 upstream. - -There are two other drivers that bind to mrvl,mmp-uart and both of them -assume register shift of 2 bits. There are device trees that lack the -property and rely on that assumption. - -If this driver wins the race to bind to those devices, it should behave -the same as the older deprecated driver. - -Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[bwh: Backported to 3.16: adjust filename] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/tty/serial/of_serial.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/tty/serial/of_serial.c -+++ b/drivers/tty/serial/of_serial.c -@@ -93,6 +93,10 @@ static int of_platform_serial_setup(stru - if (of_property_read_u32(np, "reg-offset", &prop) == 0) - port->mapbase += prop; - -+ /* Compatibility with the deprecated pxa driver and 8250_pxa drivers. */ -+ if (of_device_is_compatible(np, "mrvl,mmp-uart")) -+ port->regshift = 2; -+ - /* Check for registers offset within the devices address range */ - if (of_property_read_u32(np, "reg-shift", &prop) == 0) - port->regshift = prop; diff --git a/queue-3.16/serial-8250_pci-fix-number-of-ports-for-acces-serial-cards.patch b/queue-3.16/serial-8250_pci-fix-number-of-ports-for-acces-serial-cards.patch deleted file mode 100644 index bbdda734..00000000 --- a/queue-3.16/serial-8250_pci-fix-number-of-ports-for-acces-serial-cards.patch +++ /dev/null @@ -1,135 +0,0 @@ -From: Jay Dolan <jay.dolan@accesio.com> -Date: Tue, 12 Feb 2019 21:43:11 -0800 -Subject: serial: 8250_pci: Fix number of ports for ACCES serial cards - -commit b896b03bc7fce43a07012cc6bf5e2ab2fddf3364 upstream. - -Have the correct number of ports created for ACCES serial cards. Two port -cards show up as four ports, and four port cards show up as eight. - -Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards") -Signed-off-by: Jay Dolan <jay.dolan@accesio.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/tty/serial/8250/8250_pci.c | 36 +++++++++++++++--------------- - 1 file changed, 18 insertions(+), 18 deletions(-) - ---- a/drivers/tty/serial/8250/8250_pci.c -+++ b/drivers/tty/serial/8250/8250_pci.c -@@ -4943,10 +4943,10 @@ static struct pci_device_id serial_pci_t - */ - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, -@@ -4955,10 +4955,10 @@ static struct pci_device_id serial_pci_t - pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, -@@ -4967,10 +4967,10 @@ static struct pci_device_id serial_pci_t - pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, -@@ -4979,13 +4979,13 @@ static struct pci_device_id serial_pci_t - pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7951 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, -@@ -4994,16 +4994,16 @@ static struct pci_device_id serial_pci_t - pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, -@@ -5012,13 +5012,13 @@ static struct pci_device_id serial_pci_t - pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7954 }, -+ pbn_pericom_PI7C9X7952 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7958 }, -+ pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7958 }, -+ pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7958 }, -@@ -5027,19 +5027,19 @@ static struct pci_device_id serial_pci_t - pbn_pericom_PI7C9X7958 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7958 }, -+ pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7958 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7958 }, -+ pbn_pericom_PI7C9X7954 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7958 }, - { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, - PCI_ANY_ID, PCI_ANY_ID, 0, 0, -- pbn_pericom_PI7C9X7958 }, -+ pbn_pericom_PI7C9X7954 }, - /* - * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke) - */ diff --git a/queue-3.16/serial-8250_pci-have-acces-cards-that-use-the-four-port-pericom.patch b/queue-3.16/serial-8250_pci-have-acces-cards-that-use-the-four-port-pericom.patch deleted file mode 100644 index 799835d5..00000000 --- a/queue-3.16/serial-8250_pci-have-acces-cards-that-use-the-four-port-pericom.patch +++ /dev/null @@ -1,132 +0,0 @@ -From: Jay Dolan <jay.dolan@accesio.com> -Date: Tue, 12 Feb 2019 21:43:12 -0800 -Subject: serial: 8250_pci: Have ACCES cards that use the four port Pericom - PI7C9X7954 chip use the pci_pericom_setup() - -commit 78d3820b9bd39028727c6aab7297b63c093db343 upstream. - -The four port Pericom chips have the fourth port at the wrong address. -Make use of quirk to fix it. - -Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards") -Signed-off-by: Jay Dolan <jay.dolan@accesio.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/tty/serial/8250/8250_pci.c | 105 +++++++++++++++++++++++++++++ - 1 file changed, 105 insertions(+) - ---- a/drivers/tty/serial/8250/8250_pci.c -+++ b/drivers/tty/serial/8250/8250_pci.c -@@ -2183,6 +2183,111 @@ static struct pci_serial_quirk pci_seria - .setup = pci_default_setup, - .exit = pci_plx9050_exit, - }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, -+ { -+ .vendor = PCI_VENDOR_ID_ACCESIO, -+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, -+ .subvendor = PCI_ANY_ID, -+ .subdevice = PCI_ANY_ID, -+ .setup = pci_pericom_setup, -+ }, - /* - * SBS Technologies, Inc., PMC-OCTALPRO 232 - */ diff --git a/queue-3.16/series b/queue-3.16/series deleted file mode 100644 index cc7f2a88..00000000 --- a/queue-3.16/series +++ /dev/null @@ -1,129 +0,0 @@ -staging-iio-adt7316-fix-register-and-bit-definitions.patch -staging-iio-adt7316-invert-the-logic-of-the-check-for-an-ldac-pin.patch -staging-iio-adt7316-allow-adt751x-to-use-internal-vref-for-all.patch -clk-highbank-fix-refcount-leak-in-hb_clk_init.patch -clk-socfpga-fix-refcount-leak.patch -clk-samsung-exynos4-fix-refcount-leak-in-exynos4_get_xom.patch -clk-imx6q-fix-refcount-leak-in-imx6q_clocks_init.patch -clk-imx6sx-fix-refcount-leak-in-imx6sx_clocks_init.patch -clk-vf610-fix-refcount-leak-in-vf610_clocks_init.patch -clk-armada-370-fix-refcount-leak-in-a370_clk_init.patch -clk-kirkwood-fix-refcount-leak-in-kirkwood_clk_init.patch -clk-armada-xp-fix-refcount-leak-in-axp_clk_init.patch -clk-dove-fix-refcount-leak-in-dove_clk_init.patch -staging-iio-adt7316-fix-dac_bits-assignment.patch -staging-iio-adt7316-fix-handling-of-dac-high-resolution-option.patch -staging-iio-adt7316-fix-the-dac-read-calculation.patch -staging-iio-adt7316-fix-the-dac-write-calculation.patch -drm-fix-error-handling-in-drm_legacy_addctx.patch -arm-s3c24xx-fix-boolean-expressions-in-osiris_dvs_notify.patch -ib-usnic-fix-out-of-bounds-index-check-in-query-pkey.patch -rdma-ocrdma-fix-out-of-bounds-index-check-in-query-pkey.patch -security-selinux-pass-flags-arg-to-avc_audit-and.patch -selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch -crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch -powerpc-irq-drop-arch_early_irq_init.patch -media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt-enumeration.patch -media-s5p-jpeg-correct-step-and-max-values-for.patch -media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch -crypto-hash-set-crypto_tfm_need_key-if-setkey-fails.patch -crypto-tgr192-fix-unaligned-memory-access.patch -asoc-imx-sgtl5000-put-of-nodes-if-finding-codec-fails.patch -m68k-add-ffreestanding-to-cflags.patch -pinctrl-sh-pfc-r8a7778-fix-hspi-pin-numbers-and-names.patch -hpet-fix-missing-character-in-the-__setup-code-of.patch -applicom-fix-potential-spectre-v1-vulnerabilities.patch -rcu-do-rcu-gp-kthread-self-wakeup-from-softirq-and-interrupt.patch -mtd-docg3-don-t-leak-docg3-bbt-in-error-path.patch -mtd-docg3-fix-kasprintf-usage.patch -mtd-docg3-fix-passing-zero-to-ptr_err-warning-in-doc_probe_device.patch -tty-ipwireless-fix-potential-null-pointer-dereference.patch -ext2-fix-underflow-in-ext2_max_size.patch -devres-always-use-dev_name-in-devm_ioremap_resource.patch -crypto-testmgr-skip-crc32c-context-test-for-ahash-algorithms.patch -crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch -splice-don-t-merge-into-linked-buffers.patch -scsi-target-iscsi-avoid-iscsit_release_commands_from_conn.patch -rtc-ds1672-fix-unintended-sign-extension.patch -usb-serial-cp210x-add-id-for-ingenico-3070.patch -media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of.patch -crypto-ahash-fix-another-early-termination-in-hash-walk.patch -rtc-88pm860x-fix-unintended-sign-extension.patch -rtc-88pm80x-fix-unintended-sign-extension.patch -rtc-pm8xxx-fix-unintended-sign-extension.patch -bcache-never-writeback-a-discard-operation.patch -bcache-treat-stale-dirty-keys-as-bad-keys.patch -jbd2-clear-dirty-flag-when-revoking-a-buffer-from-an-older.patch -ext4-fix-check-of-inode-in-swap_inode_boot_loader.patch -ext4-update-quota-information-while-swapping-boot-loader-inode.patch -ext4-add-mask-of-ext4-flags-to-swap.patch -parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch -pinctrl-sh-pfc-r8a7791-fix-scifb2_data_c-pin-group.patch -pinctrl-sh-pfc-sh73a0-fix-fsic_spdif-pin-groups.patch -ext4-fix-crash-during-online-resizing.patch -iscsi_ibft-fix-missing-break-in-switch-statement.patch -tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-incomplete.patch -tpm-fix-off-by-one-when-reading-binary_bios_measurements.patch -serial-8250_pci-fix-number-of-ports-for-acces-serial-cards.patch -serial-8250_pci-have-acces-cards-that-use-the-four-port-pericom.patch -leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch -usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch -asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch -cdc-wdm-pass-return-value-of-recover_from_urb_loss.patch -libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch -perf-header-fix-wrong-node-write-in-numa_topology-feature.patch -drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch -asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch -kvm-x86-mmu-do-not-cache-mmio-accesses-while-memslots-are-in-flux.patch -fs-nfs-fix-nfs_parse_devname-to-not-modify-it-s-argument.patch -irqchip-brcmstb-l2-use-_irqsave-locking-variants-in-non-interrupt.patch -powerpc-83xx-also-save-restore-sprg4-7-during-suspend.patch -powerpc-wii-properly-disable-use-of-bats-when-requested.patch -clocksource-drivers-exynos_mct-fix-error-path-in-timer-resources.patch -mmc-omap-fix-the-maximum-timeout-setting.patch -btrfs-init-csum_list-before-possible-free.patch -powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area.patch -alsa-bebob-use-more-identical-mod_alias-for-saffire-pro-10-i-o.patch -staging-android-ashmem-avoid-range_alloc-allocation-with.patch -serial-8250_of-assume-reg-shift-of-2-for-mrvl-mmp-uart.patch -regulator-wm831x-dcdc-fix-list-of-wm831x_dcdc_ilim-from-ma-to-ua.patch -powerpc-powernv-make-opal-log-only-readable-by-root.patch -btrfs-fix-corruption-reading-shared-and-compressed-extents-after.patch -tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch -nfsv4.1-reinitialise-sequence-results-before-retransmitting-a.patch -9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch -powerpc-32-clear-on-stack-exception-marker-upon-exception-return.patch -net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch -ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch -cifs-do-not-reset-lease-state-to-none-on-lease-break.patch -nfsd-fix-memory-corruption-caused-by-readdir.patch -cifs-fix-read-after-write-for-files-with-read-caching.patch -mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch -mm-fix-potential-data-race-in-sys_swapon.patch -mm-swap-bounds-check-swap_info-array-accesses-to-avoid-null-derefs.patch -s390-virtio-handle-find-on-invalid-queue-gracefully.patch -scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch -net-hsr-fix-possible-crash-in-add_timer.patch -cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch -lib-div64.c-off-by-one-in-shift.patch -xen-cpu_hotplug-prevent-an-out-of-bounds-access.patch -route-set-the-deleted-fnhe-fnhe_daddr-to-0-in-ip_del_fnhe-to-fix-a.patch -vxlan-test-dev-flags-iff_up-before-calling-gro_cells_receive.patch -gro_cells-make-sure-device-is-up-in-gro_cells_receive.patch -kernel-sysctl.c-add-missing-range-check-in.patch -it-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape-twice.patch -md-fix-failed-allocation-of-md_register_thread.patch -net-sh_eth-fix-a-missing-check-of-of_get_phy_mode.patch -net-mlx4_core-fix-locking-in-sriov-mode-when-switching-between.patch -net-mlx4_core-fix-qp-mtt-size-calculation.patch -l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch -pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch -tcp-refine-memory-limit-test-in-tcp_fragment.patch -fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch -fuse-add-fopen_stream-to-use-stream_open.patch -binder-replace-p-with-pk-for-stable.patch -media-uvcvideo-fix-type-check-leading-to-overflow.patch -mwifiex-fix-possible-buffer-overflows-at-parsing-bss-descriptor.patch -mwifiex-abort-at-too-short-bss-descriptor-element.patch -mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch -netns-provide-pure-entropy-for-net_hash_mix.patch diff --git a/queue-3.16/splice-don-t-merge-into-linked-buffers.patch b/queue-3.16/splice-don-t-merge-into-linked-buffers.patch deleted file mode 100644 index edeab091..00000000 --- a/queue-3.16/splice-don-t-merge-into-linked-buffers.patch +++ /dev/null @@ -1,110 +0,0 @@ -From: Jann Horn <jannh@google.com> -Date: Wed, 23 Jan 2019 15:19:17 +0100 -Subject: splice: don't merge into linked buffers - -commit a0ce2f0aa6ad97c3d4927bf2ca54bcebdf062d55 upstream. - -Before this patch, it was possible for two pipes to affect each other after -data had been transferred between them with tee(): - -============ -$ cat tee_test.c - -int main(void) { - int pipe_a[2]; - if (pipe(pipe_a)) err(1, "pipe"); - int pipe_b[2]; - if (pipe(pipe_b)) err(1, "pipe"); - if (write(pipe_a[1], "abcd", 4) != 4) err(1, "write"); - if (tee(pipe_a[0], pipe_b[1], 2, 0) != 2) err(1, "tee"); - if (write(pipe_b[1], "xx", 2) != 2) err(1, "write"); - - char buf[5]; - if (read(pipe_a[0], buf, 4) != 4) err(1, "read"); - buf[4] = 0; - printf("got back: '%s'\n", buf); -} -$ gcc -o tee_test tee_test.c -$ ./tee_test -got back: 'abxx' -$ -============ - -As suggested by Al Viro, fix it by creating a separate type for -non-mergeable pipe buffers, then changing the types of buffers in -splice_pipe_to_pipe() and link_pipe(). - -Fixes: 7c77f0b3f920 ("splice: implement pipe to pipe splicing") -Fixes: 70524490ee2e ("[PATCH] splice: add support for sys_tee()") -Suggested-by: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Jann Horn <jannh@google.com> -Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> -[bwh: Backported to 3.16: Use generic_pipe_buf_steal(), as for other pipe - types, since anon_pipe_buf_steal() does not exist here] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/pipe.c | 14 ++++++++++++++ - fs/splice.c | 4 ++++ - include/linux/pipe_fs_i.h | 1 + - 3 files changed, 19 insertions(+) - ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -219,6 +219,14 @@ static const struct pipe_buf_operations - .get = generic_pipe_buf_get, - }; - -+static const struct pipe_buf_operations anon_pipe_buf_nomerge_ops = { -+ .can_merge = 0, -+ .confirm = generic_pipe_buf_confirm, -+ .release = anon_pipe_buf_release, -+ .steal = generic_pipe_buf_steal, -+ .get = generic_pipe_buf_get, -+}; -+ - static const struct pipe_buf_operations packet_pipe_buf_ops = { - .can_merge = 0, - .confirm = generic_pipe_buf_confirm, -@@ -227,6 +235,12 @@ static const struct pipe_buf_operations - .get = generic_pipe_buf_get, - }; - -+void pipe_buf_mark_unmergeable(struct pipe_buffer *buf) -+{ -+ if (buf->ops == &anon_pipe_buf_ops) -+ buf->ops = &anon_pipe_buf_nomerge_ops; -+} -+ - static ssize_t - pipe_read(struct kiocb *iocb, struct iov_iter *to) - { ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -1901,6 +1901,8 @@ retry: - */ - obuf->flags &= ~PIPE_BUF_FLAG_GIFT; - -+ pipe_buf_mark_unmergeable(obuf); -+ - obuf->len = len; - opipe->nrbufs++; - ibuf->offset += obuf->len; -@@ -1975,6 +1977,8 @@ static int link_pipe(struct pipe_inode_i - */ - obuf->flags &= ~PIPE_BUF_FLAG_GIFT; - -+ pipe_buf_mark_unmergeable(obuf); -+ - if (obuf->len > len) - obuf->len = len; - ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -140,6 +140,7 @@ void generic_pipe_buf_get(struct pipe_in - int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *); - int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *); - void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *); -+void pipe_buf_mark_unmergeable(struct pipe_buffer *buf); - - extern const struct pipe_buf_operations nosteal_pipe_buf_ops; - diff --git a/queue-3.16/staging-android-ashmem-avoid-range_alloc-allocation-with.patch b/queue-3.16/staging-android-ashmem-avoid-range_alloc-allocation-with.patch deleted file mode 100644 index 9ce3a05f..00000000 --- a/queue-3.16/staging-android-ashmem-avoid-range_alloc-allocation-with.patch +++ /dev/null @@ -1,143 +0,0 @@ -From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -Date: Fri, 22 Feb 2019 20:03:55 +0900 -Subject: staging: android: ashmem: Avoid range_alloc() allocation with - ashmem_mutex held. - -commit ecd182cbf4e107928077866399100228d2359c60 upstream. - -ashmem_pin() is calling range_shrink() without checking whether -range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex -held should be avoided because ashmem_shrink_scan() tries to hold it. - -Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin() -and make range_alloc() not to fail. - -This patch is mostly meant for backporting purpose for fuzz testing on -stable/distributor kernels, for there is a plan to remove this code in -near future. - -Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -Reviewed-by: Joel Fernandes <joel@joelfernandes.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/android/ashmem.c | 42 ++++++++++++++++++-------------- - 1 file changed, 24 insertions(+), 18 deletions(-) - ---- a/drivers/staging/android/ashmem.c -+++ b/drivers/staging/android/ashmem.c -@@ -158,19 +158,15 @@ static inline void lru_del(struct ashmem - * @end: The ending page (inclusive) - * - * This function is protected by ashmem_mutex. -- * -- * Return: 0 if successful, or -ENOMEM if there is an error - */ --static int range_alloc(struct ashmem_area *asma, -- struct ashmem_range *prev_range, unsigned int purged, -- size_t start, size_t end) -+static void range_alloc(struct ashmem_area *asma, -+ struct ashmem_range *prev_range, unsigned int purged, -+ size_t start, size_t end, -+ struct ashmem_range **new_range) - { -- struct ashmem_range *range; -- -- range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL); -- if (unlikely(!range)) -- return -ENOMEM; -+ struct ashmem_range *range = *new_range; - -+ *new_range = NULL; - range->asma = asma; - range->pgstart = start; - range->pgend = end; -@@ -180,8 +176,6 @@ static int range_alloc(struct ashmem_are - - if (range_on_lru(range)) - lru_add(range); -- -- return 0; - } - - /** -@@ -576,7 +570,8 @@ static int get_name(struct ashmem_area * - * - * Caller must hold ashmem_mutex. - */ --static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend) -+static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend, -+ struct ashmem_range **new_range) - { - struct ashmem_range *range, *next; - int ret = ASHMEM_NOT_PURGED; -@@ -628,7 +623,7 @@ static int ashmem_pin(struct ashmem_area - * second half and adjust the first chunk's endpoint. - */ - range_alloc(asma, range, range->purged, -- pgend + 1, range->pgend); -+ pgend + 1, range->pgend, new_range); - range_shrink(range, range->pgstart, pgstart - 1); - break; - } -@@ -642,7 +637,8 @@ static int ashmem_pin(struct ashmem_area - * - * Caller must hold ashmem_mutex. - */ --static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend) -+static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend, -+ struct ashmem_range **new_range) - { - struct ashmem_range *range, *next; - unsigned int purged = ASHMEM_NOT_PURGED; -@@ -668,7 +664,8 @@ restart: - } - } - -- return range_alloc(asma, range, purged, pgstart, pgend); -+ range_alloc(asma, range, purged, pgstart, pgend, new_range); -+ return 0; - } - - /* -@@ -701,10 +698,17 @@ static int ashmem_pin_unpin(struct ashme - struct ashmem_pin pin; - size_t pgstart, pgend; - int ret = -EINVAL; -+ struct ashmem_range *range = NULL; - - if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) - return -EFAULT; - -+ if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) { -+ range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL); -+ if (!range) -+ return -ENOMEM; -+ } -+ - mutex_lock(&ashmem_mutex); - - if (unlikely(!asma->file)) -@@ -728,10 +732,10 @@ static int ashmem_pin_unpin(struct ashme - - switch (cmd) { - case ASHMEM_PIN: -- ret = ashmem_pin(asma, pgstart, pgend); -+ ret = ashmem_pin(asma, pgstart, pgend, &range); - break; - case ASHMEM_UNPIN: -- ret = ashmem_unpin(asma, pgstart, pgend); -+ ret = ashmem_unpin(asma, pgstart, pgend, &range); - break; - case ASHMEM_GET_PIN_STATUS: - ret = ashmem_get_pin_status(asma, pgstart, pgend); -@@ -740,6 +744,8 @@ static int ashmem_pin_unpin(struct ashme - - out_unlock: - mutex_unlock(&ashmem_mutex); -+ if (range) -+ kmem_cache_free(ashmem_range_cachep, range); - - return ret; - } diff --git a/queue-3.16/staging-iio-adt7316-allow-adt751x-to-use-internal-vref-for-all.patch b/queue-3.16/staging-iio-adt7316-allow-adt751x-to-use-internal-vref-for-all.patch deleted file mode 100644 index f6bac67f..00000000 --- a/queue-3.16/staging-iio-adt7316-allow-adt751x-to-use-internal-vref-for-all.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Tue, 11 Dec 2018 17:55:00 -0700 -Subject: staging: iio: adt7316: allow adt751x to use internal vref for all - dacs - -commit 10bfe7cc1739c22f0aa296b39e53f61e9e3f4d99 upstream. - -With adt7516/7/9, internal vref is available for dacs a and b, dacs c and -d, or all dacs. The driver doesn't currently support internal vref for all -dacs. Change the else if to an if so both bits are checked rather than -just one or the other. - -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -1093,7 +1093,7 @@ static ssize_t adt7316_store_DAC_interna - ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK); - if (data & 0x1) - ldac_config |= ADT7516_DAC_AB_IN_VREF; -- else if (data & 0x2) -+ if (data & 0x2) - ldac_config |= ADT7516_DAC_CD_IN_VREF; - } else { - ret = kstrtou8(buf, 16, &data); diff --git a/queue-3.16/staging-iio-adt7316-fix-dac_bits-assignment.patch b/queue-3.16/staging-iio-adt7316-fix-dac_bits-assignment.patch deleted file mode 100644 index f28cc9ee..00000000 --- a/queue-3.16/staging-iio-adt7316-fix-dac_bits-assignment.patch +++ /dev/null @@ -1,73 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Sat, 22 Dec 2018 21:57:40 -0700 -Subject: staging: iio: adt7316: fix dac_bits assignment - -commit e9de475723de5bf207a5b7b88bdca863393e42c8 upstream. - -The value of dac_bits is used in adt7316_show_DAC() and adt7316_store_DAC(), -and it should be either 8, 10, or 12 bits depending on the device in use. The -driver currently only assigns a value to dac_bits in -adt7316_store_da_high_resolution(). The purpose of the dac high resolution -option is not to change dac resolution for normal operation. Instead, it -is specific to an optional feature where one or two of the four dacs can -be set to output voltage proportional to temperature. If the user chooses -to set dac a and/or dac b to output voltage proportional to temperature, -the da_high_resolution attribute can optionally be enabled to use 10 bit -resolution rather than the default 8 bits. This is only available on the -10 and 12 bit dac devices. If the user attempts to read or write dacs a -or b under these settings, the driver's current behaviour is to return an -error. Dacs c and d continue to operate normally under these conditions. -With the above in mind, remove the dac_bits assignments from this function -since the value of dac_bits as used in the driver is not dependent on this -dac high resolution option. - -Since the dac_bits assignments discussed above are currently the only ones -in this driver, the default value of dac_bits is 0. This results in incorrect -calculations when the dacs are read or written in adt7316_show_DAC() and -adt7316_store_DAC(). To correct this, assign a value to dac_bits in -adt7316_probe() to ensure correct operation as soon as the device is -registered and available to userspace. - -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -654,15 +654,9 @@ static ssize_t adt7316_store_da_high_res - u8 config3; - int ret; - -- chip->dac_bits = 8; -- -- if (buf[0] == '1') { -+ if (buf[0] == '1') - config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION; -- if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) -- chip->dac_bits = 12; -- else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) -- chip->dac_bits = 10; -- } else -+ else - config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); - - ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3); -@@ -2129,6 +2123,13 @@ int adt7316_probe(struct device *dev, st - else - return -ENODEV; - -+ if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) -+ chip->dac_bits = 12; -+ else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) -+ chip->dac_bits = 10; -+ else -+ chip->dac_bits = 8; -+ - chip->ldac_pin = adt7316_platform_data[1]; - if (!chip->ldac_pin) { - chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA; diff --git a/queue-3.16/staging-iio-adt7316-fix-handling-of-dac-high-resolution-option.patch b/queue-3.16/staging-iio-adt7316-fix-handling-of-dac-high-resolution-option.patch deleted file mode 100644 index 19377bdd..00000000 --- a/queue-3.16/staging-iio-adt7316-fix-handling-of-dac-high-resolution-option.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Sat, 22 Dec 2018 21:57:41 -0700 -Subject: staging: iio: adt7316: fix handling of dac high resolution option - -commit 76b7fe8d6c4daf4db672eb953c892c6f6572a282 upstream. - -The adt7316/7 and adt7516/7 have the option to output voltage proportional -to temperature on dac a and/or dac b. The default dac resolution in this -mode is 8 bits with the dac high resolution option enabling 10 bits. None -of these settings affect dacs c and d. Remove the "1 (12 bits)" output from -the show function since that is not an option for this mode. Return -"1 (10 bits)" if the device is one of the above mentioned chips and the dac -high resolution mode is enabled. - -In the store function, the driver currently allows the user to write to the -ADT7316_DA_HIGH_RESOLUTION bit regardless of the device in use. Add a check -to return an error in the case of an adt7318 or adt7519. Remove the else -statement that clears the ADT7316_DA_HIGH_RESOLUTION bit. Instead, clear it -before conditionally enabling it, depending on user input. This matches the -typical pattern in the driver when an attribute is a boolean. - -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -635,9 +635,7 @@ static ssize_t adt7316_show_da_high_reso - struct adt7316_chip_info *chip = iio_priv(dev_info); - - if (chip->config3 & ADT7316_DA_HIGH_RESOLUTION) { -- if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) -- return sprintf(buf, "1 (12 bits)\n"); -- else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) -+ if (chip->id != ID_ADT7318 && chip->id != ID_ADT7519) - return sprintf(buf, "1 (10 bits)\n"); - } - -@@ -654,10 +652,12 @@ static ssize_t adt7316_store_da_high_res - u8 config3; - int ret; - -+ if (chip->id == ID_ADT7318 || chip->id == ID_ADT7519) -+ return -EPERM; -+ -+ config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); - if (buf[0] == '1') -- config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION; -- else -- config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); -+ config3 |= ADT7316_DA_HIGH_RESOLUTION; - - ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3); - if (ret) diff --git a/queue-3.16/staging-iio-adt7316-fix-register-and-bit-definitions.patch b/queue-3.16/staging-iio-adt7316-fix-register-and-bit-definitions.patch deleted file mode 100644 index d691c347..00000000 --- a/queue-3.16/staging-iio-adt7316-fix-register-and-bit-definitions.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Tue, 11 Dec 2018 17:54:53 -0700 -Subject: staging: iio: adt7316: fix register and bit definitions - -commit 53a6f022b4fe8645468adaffca901dbf8c3c547e upstream. - -Change two register addresses and one bit definition to match the -datasheet. - -Note that there are many issues in this driver so I would -not suggest backporting these fixes to stable trees. - -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -59,8 +59,8 @@ - #define ADT7316_CONFIG1 0x18 - #define ADT7316_CONFIG2 0x19 - #define ADT7316_CONFIG3 0x1A --#define ADT7316_LDAC_CONFIG 0x1B --#define ADT7316_DAC_CONFIG 0x1C -+#define ADT7316_DAC_CONFIG 0x1B -+#define ADT7316_LDAC_CONFIG 0x1C - #define ADT7316_INT_MASK1 0x1D - #define ADT7316_INT_MASK2 0x1E - #define ADT7316_IN_TEMP_OFFSET 0x1F -@@ -117,7 +117,7 @@ - */ - #define ADT7316_ADCLK_22_5 0x1 - #define ADT7316_DA_HIGH_RESOLUTION 0x2 --#define ADT7316_DA_EN_VIA_DAC_LDCA 0x4 -+#define ADT7316_DA_EN_VIA_DAC_LDCA 0x8 - #define ADT7516_AIN_IN_VREF 0x10 - #define ADT7316_EN_IN_TEMP_PROP_DACA 0x20 - #define ADT7316_EN_EX_TEMP_PROP_DACB 0x40 diff --git a/queue-3.16/staging-iio-adt7316-fix-the-dac-read-calculation.patch b/queue-3.16/staging-iio-adt7316-fix-the-dac-read-calculation.patch deleted file mode 100644 index c8e9d5ad..00000000 --- a/queue-3.16/staging-iio-adt7316-fix-the-dac-read-calculation.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Sat, 22 Dec 2018 21:57:42 -0700 -Subject: staging: iio: adt7316: fix the dac read calculation - -commit 45130fb030aec26ac28b4bb23344901df3ec3b7f upstream. - -The calculation of the current dac value is using the wrong bits of the -dac lsb register. Create two macros to shift the lsb register value into -lsb position, depending on whether the dac is 10 or 12 bit. Initialize -data to 0 so, with an 8 bit dac, the msb register value can be bitwise -ORed with data. - -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -47,6 +47,8 @@ - #define ADT7516_MSB_AIN3 0xA - #define ADT7516_MSB_AIN4 0xB - #define ADT7316_DA_DATA_BASE 0x10 -+#define ADT7316_DA_10_BIT_LSB_SHIFT 6 -+#define ADT7316_DA_12_BIT_LSB_SHIFT 4 - #define ADT7316_DA_MSB_DATA_REGS 4 - #define ADT7316_LSB_DAC_A 0x10 - #define ADT7316_MSB_DAC_A 0x11 -@@ -1409,7 +1411,7 @@ static IIO_DEVICE_ATTR(ex_analog_temp_of - static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, - int channel, char *buf) - { -- u16 data; -+ u16 data = 0; - u8 msb, lsb, offset; - int ret; - -@@ -1434,7 +1436,11 @@ static ssize_t adt7316_show_DAC(struct a - if (ret) - return -EIO; - -- data = (msb << offset) + (lsb & ((1 << offset) - 1)); -+ if (chip->dac_bits == 12) -+ data = lsb >> ADT7316_DA_12_BIT_LSB_SHIFT; -+ else if (chip->dac_bits == 10) -+ data = lsb >> ADT7316_DA_10_BIT_LSB_SHIFT; -+ data |= msb << offset; - - return sprintf(buf, "%d\n", data); - } diff --git a/queue-3.16/staging-iio-adt7316-fix-the-dac-write-calculation.patch b/queue-3.16/staging-iio-adt7316-fix-the-dac-write-calculation.patch deleted file mode 100644 index e0133804..00000000 --- a/queue-3.16/staging-iio-adt7316-fix-the-dac-write-calculation.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Sat, 22 Dec 2018 21:57:43 -0700 -Subject: staging: iio: adt7316: fix the dac write calculation - -commit 78accaea117c1ae878774974fab91ac4a0b0e2b0 upstream. - -The lsb calculation is not masking the correct bits from the user input. -Subtract 1 from (1 << offset) to correctly set up the mask to be applied -to user input. - -The lsb register stores its value starting at the bit 7 position. -adt7316_store_DAC() currently assumes the value is at the other end of the -register. Shift the lsb value before storing it in a new variable lsb_reg, -and write this variable to the lsb register. - -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -1448,7 +1448,7 @@ static ssize_t adt7316_show_DAC(struct a - static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, - int channel, const char *buf, size_t len) - { -- u8 msb, lsb, offset; -+ u8 msb, lsb, lsb_reg, offset; - u16 data; - int ret; - -@@ -1466,9 +1466,13 @@ static ssize_t adt7316_store_DAC(struct - return -EINVAL; - - if (chip->dac_bits > 8) { -- lsb = data & (1 << offset); -+ lsb = data & ((1 << offset) - 1); -+ if (chip->dac_bits == 12) -+ lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT; -+ else -+ lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT; - ret = chip->bus.write(chip->bus.client, -- ADT7316_DA_DATA_BASE + channel * 2, lsb); -+ ADT7316_DA_DATA_BASE + channel * 2, lsb_reg); - if (ret) - return -EIO; - } diff --git a/queue-3.16/staging-iio-adt7316-invert-the-logic-of-the-check-for-an-ldac-pin.patch b/queue-3.16/staging-iio-adt7316-invert-the-logic-of-the-check-for-an-ldac-pin.patch deleted file mode 100644 index f7e4715b..00000000 --- a/queue-3.16/staging-iio-adt7316-invert-the-logic-of-the-check-for-an-ldac-pin.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Jeremy Fertic <jeremyfertic@gmail.com> -Date: Tue, 11 Dec 2018 17:54:54 -0700 -Subject: staging: iio: adt7316: invert the logic of the check for an ldac pin - -commit 85a1c11913312132d0800ca2c1c42a011f96ea92 upstream. - -ADT7316_DA_EN_VIA_DAC_LDCA is set when the dac and ldac registers are being -used to update the dacs instead of the ldac pin. ADT7516_SEL_AIN3 is an adc -input that shares the ldac pin. Only set these bits if an ldac pin is not -being used. - -This could be backported to stable, but note there are various -other bugs that probably make that a waste of time. - -Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com> -Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") -Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/staging/iio/addac/adt7316.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/staging/iio/addac/adt7316.c -+++ b/drivers/staging/iio/addac/adt7316.c -@@ -2130,7 +2130,7 @@ int adt7316_probe(struct device *dev, st - return -ENODEV; - - chip->ldac_pin = adt7316_platform_data[1]; -- if (chip->ldac_pin) { -+ if (!chip->ldac_pin) { - chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA; - if ((chip->id & ID_FAMILY_MASK) == ID_ADT75XX) - chip->config1 |= ADT7516_SEL_AIN3; diff --git a/queue-3.16/tcp-refine-memory-limit-test-in-tcp_fragment.patch b/queue-3.16/tcp-refine-memory-limit-test-in-tcp_fragment.patch deleted file mode 100644 index e87116c3..00000000 --- a/queue-3.16/tcp-refine-memory-limit-test-in-tcp_fragment.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Fri, 21 Jun 2019 06:09:55 -0700 -Subject: tcp: refine memory limit test in tcp_fragment() - -commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream. - -tcp_fragment() might be called for skbs in the write queue. - -Memory limits might have been exceeded because tcp_sendmsg() only -checks limits at full skb (64KB) boundaries. - -Therefore, we need to make sure tcp_fragment() wont punish applications -that might have setup very low SO_SNDBUF values. - -Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Christoph Paasch <cpaasch@apple.com> -Tested-by: Christoph Paasch <cpaasch@apple.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - net/ipv4/tcp_output.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1091,7 +1091,7 @@ int tcp_fragment(struct sock *sk, struct - if (nsize < 0) - nsize = 0; - -- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { -+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) { - NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); - return -ENOMEM; - } diff --git a/queue-3.16/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch b/queue-3.16/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch deleted file mode 100644 index eb794d2e..00000000 --- a/queue-3.16/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Tony Jones <tonyj@suse.de> -Date: Wed, 27 Feb 2019 17:55:32 -0800 -Subject: tools lib traceevent: Fix buffer overflow in arg_eval - -commit 7c5b019e3a638a5a290b0ec020f6ca83d2ec2aaa upstream. - -Fix buffer overflow observed when running perf test. - -The overflow is when trying to evaluate "1ULL << (64 - 1)" which is -resulting in -9223372036854775808 which overflows the 20 character -buffer. - -If is possible this bug has been reported before but I still don't see -any fix checked in: - -See: https://www.spinics.net/lists/linux-perf-users/msg07714.html - -Reported-by: Michael Sartain <mikesart@fastmail.com> -Reported-by: Mathias Krause <minipli@googlemail.com> -Signed-off-by: Tony Jones <tonyj@suse.de> -Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> -Cc: Frederic Weisbecker <fweisbec@gmail.com> -Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a") -Link: http://lkml.kernel.org/r/20190228015532.8941-1-tonyj@suse.de -Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - tools/lib/traceevent/event-parse.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/tools/lib/traceevent/event-parse.c -+++ b/tools/lib/traceevent/event-parse.c -@@ -2283,7 +2283,7 @@ static int arg_num_eval(struct print_arg - static char *arg_eval (struct print_arg *arg) - { - long long val; -- static char buf[20]; -+ static char buf[24]; - - switch (arg->type) { - case PRINT_ATOM: diff --git a/queue-3.16/tpm-fix-off-by-one-when-reading-binary_bios_measurements.patch b/queue-3.16/tpm-fix-off-by-one-when-reading-binary_bios_measurements.patch deleted file mode 100644 index a8cecab0..00000000 --- a/queue-3.16/tpm-fix-off-by-one-when-reading-binary_bios_measurements.patch +++ /dev/null @@ -1,77 +0,0 @@ -From: Jia Zhang <zhang.jia@linux.alibaba.com> -Date: Fri, 11 Jan 2019 16:59:33 +0800 -Subject: tpm: Fix off-by-one when reading binary_bios_measurements - -commit 64494d39ff630a63b5308042b20132b491e3706b upstream. - -It is unable to read the entry when it is the only one in -binary_bios_measurements: - -00000000 00 00 00 00 08 00 00 00 c4 2f ed ad 26 82 00 cb -00000010 1d 15 f9 78 41 c3 44 e7 9d ae 33 20 00 00 00 00 -00000020 - -This is obviously a firmware problem on my linux machine: - - Manufacturer: Inspur - Product Name: SA5212M4 - Version: 01 - -However, binary_bios_measurements should return it any way, -rather than nothing, after all its content is completely -valid. - -Fixes: 55a82ab3181b ("tpm: add bios measurement log") -Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com> -Reviewd-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> -Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> -[bwh: Backported to 3.16: - - Fix an additional comparison in tpm1_bios_measurements_start() - - Adjust filename, context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/char/tpm/tpm_eventlog.c -+++ b/drivers/char/tpm/tpm_eventlog.c -@@ -81,7 +81,7 @@ static void *tpm_bios_measurements_start - for (i = 0; i < *pos; i++) { - event = addr; - -- if ((addr + sizeof(struct tcpa_event)) < limit) { -+ if ((addr + sizeof(struct tcpa_event)) <= limit) { - if (event->event_type == 0 && event->event_size == 0) - return NULL; - addr += sizeof(struct tcpa_event) + event->event_size; -@@ -89,13 +89,13 @@ static void *tpm_bios_measurements_start - } - - /* now check if current entry is valid */ -- if ((addr + sizeof(struct tcpa_event)) >= limit) -+ if ((addr + sizeof(struct tcpa_event)) > limit) - return NULL; - - event = addr; - - if ((event->event_type == 0 && event->event_size == 0) || -- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit)) -+ ((addr + sizeof(struct tcpa_event) + event->event_size) > limit)) - return NULL; - - return addr; -@@ -111,7 +111,7 @@ static void *tpm_bios_measurements_next( - v += sizeof(struct tcpa_event) + event->event_size; - - /* now check if current entry is valid */ -- if ((v + sizeof(struct tcpa_event)) >= limit) -+ if ((v + sizeof(struct tcpa_event)) > limit) - return NULL; - - event = v; -@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next( - return NULL; - - if ((event->event_type == 0 && event->event_size == 0) || -- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit)) -+ ((v + sizeof(struct tcpa_event) + event->event_size) > limit)) - return NULL; - - (*pos)++; diff --git a/queue-3.16/tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-incomplete.patch b/queue-3.16/tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-incomplete.patch deleted file mode 100644 index e581bac3..00000000 --- a/queue-3.16/tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-incomplete.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> -Date: Fri, 8 Feb 2019 18:30:59 +0200 -Subject: tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete - -commit 442601e87a4769a8daba4976ec3afa5222ca211d upstream. - -Return -E2BIG when the transfer is incomplete. The upper layer does -not retry, so not doing that is incorrect behaviour. - -Fixes: a2871c62e186 ("tpm: Add support for Atmel I2C TPMs") -Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> -Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> -Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/char/tpm/tpm_i2c_atmel.c -+++ b/drivers/char/tpm/tpm_i2c_atmel.c -@@ -65,7 +65,14 @@ static int i2c_atmel_send(struct tpm_chi - dev_dbg(chip->dev, - "%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__, - (int)min_t(size_t, 64, len), buf, len, status); -- return status; -+ if (status < 0) -+ return status; -+ -+ /* The upper layer does not support incomplete sends. */ -+ if (status != len) -+ return -E2BIG; -+ -+ return 0; - } - - static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count) diff --git a/queue-3.16/tty-ipwireless-fix-potential-null-pointer-dereference.patch b/queue-3.16/tty-ipwireless-fix-potential-null-pointer-dereference.patch deleted file mode 100644 index b08b053f..00000000 --- a/queue-3.16/tty-ipwireless-fix-potential-null-pointer-dereference.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: YueHaibing <yuehaibing@huawei.com> -Date: Wed, 30 Jan 2019 18:30:51 +0800 -Subject: tty: ipwireless: Fix potential NULL pointer dereference - -commit 7dd50e205b3348dc7784efbdf85723551de64a25 upstream. - -There is a potential NULL pointer dereference in case -alloc_ctrl_packet() fails and returns NULL. - -Fixes: 099dc4fb6265 ("ipwireless: driver for PC Card 3G/UMTS modem") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/tty/ipwireless/hardware.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/tty/ipwireless/hardware.c -+++ b/drivers/tty/ipwireless/hardware.c -@@ -1515,6 +1515,8 @@ static void ipw_send_setup_packet(struct - sizeof(struct ipw_setup_get_version_query_packet), - ADDR_SETUP_PROT, TL_PROTOCOLID_SETUP, - TL_SETUP_SIGNO_GET_VERSION_QRY); -+ if (!ver_packet) -+ return; - ver_packet->header.length = sizeof(struct tl_setup_get_version_qry); - - /* diff --git a/queue-3.16/usb-serial-cp210x-add-id-for-ingenico-3070.patch b/queue-3.16/usb-serial-cp210x-add-id-for-ingenico-3070.patch deleted file mode 100644 index f831b924..00000000 --- a/queue-3.16/usb-serial-cp210x-add-id-for-ingenico-3070.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Ivan Mironov <mironov.ivan@gmail.com> -Date: Wed, 6 Feb 2019 21:14:13 +0500 -Subject: USB: serial: cp210x: add ID for Ingenico 3070 - -commit dd9d3d86b08d6a106830364879c42c78db85389c upstream. - -Here is how this device appears in kernel log: - - usb 3-1: new full-speed USB device number 18 using xhci_hcd - usb 3-1: New USB device found, idVendor=0b00, idProduct=3070 - usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 - usb 3-1: Product: Ingenico 3070 - usb 3-1: Manufacturer: Silicon Labs - usb 3-1: SerialNumber: 0001 - -Apparently this is a POS terminal with embedded USB-to-Serial converter. - -Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com> -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/usb/serial/cp210x.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -57,6 +57,7 @@ static const struct usb_device_id id_tab - { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ - { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ - { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ -+ { USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */ - { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ - { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ - { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ diff --git a/queue-3.16/usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch b/queue-3.16/usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch deleted file mode 100644 index 6ec71605..00000000 --- a/queue-3.16/usb-serial-ftdi_sio-add-id-for-hjelmslund-electronics-usb485.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Mans Rullgard <mans@mansr.com> -Date: Thu, 14 Feb 2019 19:45:33 +0000 -Subject: USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 - -commit 8d7fa3d4ea3f0ca69554215e87411494e6346fdc upstream. - -This adds the USB ID of the Hjelmslund Electronics USB485 Iso stick. - -Signed-off-by: Mans Rullgard <mans@mansr.com> -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/usb/serial/ftdi_sio.c | 2 ++ - drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ - 2 files changed, 8 insertions(+) - ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -1033,6 +1033,8 @@ static const struct usb_device_id id_tab - { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) }, - { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) }, - { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, -+ /* EZPrototypes devices */ -+ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) }, - { } /* Terminating entry */ - }; - ---- a/drivers/usb/serial/ftdi_sio_ids.h -+++ b/drivers/usb/serial/ftdi_sio_ids.h -@@ -1308,6 +1308,12 @@ - #define IONICS_PLUGCOMPUTER_PID 0x0102 - - /* -+ * EZPrototypes (PID reseller) -+ */ -+#define EZPROTOTYPES_VID 0x1c40 -+#define HJELMSLUND_USB485_ISO_PID 0x0477 -+ -+/* - * Dresden Elektronik Sensor Terminal Board - */ - #define DE_VID 0x1cf1 /* Vendor ID */ diff --git a/queue-3.16/vxlan-test-dev-flags-iff_up-before-calling-gro_cells_receive.patch b/queue-3.16/vxlan-test-dev-flags-iff_up-before-calling-gro_cells_receive.patch deleted file mode 100644 index 38179303..00000000 --- a/queue-3.16/vxlan-test-dev-flags-iff_up-before-calling-gro_cells_receive.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Sun, 10 Mar 2019 10:36:40 -0700 -Subject: vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() - -commit 59cbf56fcd98ba2a715b6e97c4e43f773f956393 upstream. - -Same reasons than the ones explained in commit 4179cb5a4c92 -("vxlan: test dev->flags & IFF_UP before calling netif_rx()") - -netif_rx() or gro_cells_receive() must be called under a strict contract. - -At device dismantle phase, core networking clears IFF_UP -and flush_all_backlogs() is called after rcu grace period -to make sure no incoming packet might be in a cpu backlog -and still referencing the device. - -A similar protocol is used for gro_cells infrastructure, as -gro_cells_destroy() will be called only after a full rcu -grace period is observed after IFF_UP has been cleared. - -Most drivers call netif_rx() from their interrupt handler, -and since the interrupts are disabled at device dismantle, -netif_rx() does not have to check dev->flags & IFF_UP - -Virtual drivers do not have this guarantee, and must -therefore make the check themselves. - -Otherwise we risk use-after-free and/or crashes. - -Fixes: d342894c5d2f ("vxlan: virtual extensible lan") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/drivers/net/vxlan.c -+++ b/drivers/net/vxlan.c -@@ -1280,6 +1280,14 @@ static void vxlan_rcv(struct vxlan_sock - } - } - -+ rcu_read_lock(); -+ -+ if (unlikely(!(vxlan->dev->flags & IFF_UP))) { -+ rcu_read_unlock(); -+ atomic_long_inc(&vxlan->dev->rx_dropped); -+ goto drop; -+ } -+ - stats = this_cpu_ptr(vxlan->dev->tstats); - u64_stats_update_begin(&stats->syncp); - stats->rx_packets++; -@@ -1288,6 +1296,8 @@ static void vxlan_rcv(struct vxlan_sock - - netif_rx(skb); - -+ rcu_read_unlock(); -+ - return; - drop: - /* Consume bad packet */ diff --git a/queue-3.16/xen-cpu_hotplug-prevent-an-out-of-bounds-access.patch b/queue-3.16/xen-cpu_hotplug-prevent-an-out-of-bounds-access.patch deleted file mode 100644 index dbae17de..00000000 --- a/queue-3.16/xen-cpu_hotplug-prevent-an-out-of-bounds-access.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Thu, 7 Mar 2019 08:41:22 +0300 -Subject: xen, cpu_hotplug: Prevent an out of bounds access - -commit 201676095dda7e5b31a5e1d116d10fc22985075e upstream. - -The "cpu" variable comes from the sscanf() so Smatch marks it as -untrusted data. We can't pass a higher value than "nr_cpu_ids" to -cpu_possible() or it results in an out of bounds access. - -Fixes: d68d82afd4c8 ("xen: implement CPU hotplugging") -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Reviewed-by: Juergen Gross <jgross@suse.com> -Signed-off-by: Juergen Gross <jgross@suse.com> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/xen/cpu_hotplug.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/xen/cpu_hotplug.c -+++ b/drivers/xen/cpu_hotplug.c -@@ -47,7 +47,7 @@ static int vcpu_online(unsigned int cpu) - } - static void vcpu_hotplug(unsigned int cpu) - { -- if (!cpu_possible(cpu)) -+ if (cpu >= nr_cpu_ids || !cpu_possible(cpu)) - return; - - switch (vcpu_online(cpu)) { |