diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-06 12:43:41 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-06 12:43:41 +0200 |
| commit | 2eb50c4eceeaee1ae2dfffc02141b168bbbab598 (patch) | |
| tree | cdc6aac8d86252f9f499100d3dd3d7296c0e0ce0 | |
| parent | dbbb753dd93ffb6cdb549e01e499775498d558ff (diff) | |
| download | queue-3.18-2eb50c4eceeaee1ae2dfffc02141b168bbbab598.tar.gz | |
drop everything that is now merged
33 files changed, 0 insertions, 1695 deletions
diff --git a/alarmtimer-use-eopnotsupp-instead-of-enotsupp.patch b/alarmtimer-use-eopnotsupp-instead-of-enotsupp.patch deleted file mode 100644 index 7af5584..0000000 --- a/alarmtimer-use-eopnotsupp-instead-of-enotsupp.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f18ddc13af981ce3c7b7f26925f099e7c6929aba Mon Sep 17 00:00:00 2001 -From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> -Date: Tue, 3 Sep 2019 14:18:02 -0300 -Subject: alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP - -From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> - -commit f18ddc13af981ce3c7b7f26925f099e7c6929aba upstream. - -ENOTSUPP is not supposed to be returned to userspace. This was found on an -OpenPower machine, where the RTC does not support set_alarm. - -On that system, a clock_nanosleep(CLOCK_REALTIME_ALARM, ...) results in -"524 Unknown error 524" - -Replace it with EOPNOTSUPP which results in the expected "95 Operation not -supported" error. - -Fixes: 1c6b39ad3f01 (alarmtimers: Return -ENOTSUPP if no RTC device is present) -Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Cc: stable@vger.kernel.org -Link: https://lkml.kernel.org/r/20190903171802.28314-1-cascardo@canonical.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - kernel/time/alarmtimer.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/kernel/time/alarmtimer.c -+++ b/kernel/time/alarmtimer.c -@@ -533,7 +533,7 @@ static int alarm_timer_create(struct k_i - struct alarm_base *base; - - if (!alarmtimer_get_rtcdev()) -- return -ENOTSUPP; -+ return -EOPNOTSUPP; - - if (!capable(CAP_WAKE_ALARM)) - return -EPERM; -@@ -762,7 +762,7 @@ static int alarm_timer_nsleep(const cloc - struct restart_block *restart; - - if (!alarmtimer_get_rtcdev()) -- return -ENOTSUPP; -+ return -EOPNOTSUPP; - - if (flags & ~TIMER_ABSTIME) - return -EINVAL; diff --git a/appletalk-enforce-cap_net_raw-for-raw-sockets.patch b/appletalk-enforce-cap_net_raw-for-raw-sockets.patch deleted file mode 100644 index a7f2453..0000000 --- a/appletalk-enforce-cap_net_raw-for-raw-sockets.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Ori Nimron <orinimron123@gmail.com> -Date: Fri, 20 Sep 2019 09:35:46 +0200 -Subject: appletalk: enforce CAP_NET_RAW for raw sockets - -From: Ori Nimron <orinimron123@gmail.com> - -[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ] - -When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron <orinimron123@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/appletalk/ddp.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/net/appletalk/ddp.c -+++ b/net/appletalk/ddp.c -@@ -1029,6 +1029,11 @@ static int atalk_create(struct net *net, - */ - if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) - goto out; -+ -+ rc = -EPERM; -+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) -+ goto out; -+ - rc = -ENOMEM; - sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto); - if (!sk) diff --git a/arm-zynq-use-memcpy_toio-instead-of-memcpy-on-smp-bring-up.patch b/arm-zynq-use-memcpy_toio-instead-of-memcpy-on-smp-bring-up.patch deleted file mode 100644 index 6b1be05..0000000 --- a/arm-zynq-use-memcpy_toio-instead-of-memcpy-on-smp-bring-up.patch +++ /dev/null @@ -1,48 +0,0 @@ -From b7005d4ef4f3aa2dc24019ffba03a322557ac43d Mon Sep 17 00:00:00 2001 -From: Luis Araneda <luaraneda@gmail.com> -Date: Thu, 8 Aug 2019 08:52:43 -0400 -Subject: ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up - -From: Luis Araneda <luaraneda@gmail.com> - -commit b7005d4ef4f3aa2dc24019ffba03a322557ac43d upstream. - -This fixes a kernel panic on memcpy when -FORTIFY_SOURCE is enabled. - -The initial smp implementation on commit aa7eb2bb4e4a -("arm: zynq: Add smp support") -used memcpy, which worked fine until commit ee333554fed5 -("ARM: 8749/1: Kconfig: Add ARCH_HAS_FORTIFY_SOURCE") -enabled overflow checks at runtime, producing a read -overflow panic. - -The computed size of memcpy args are: -- p_size (dst): 4294967295 = (size_t) -1 -- q_size (src): 1 -- size (len): 8 - -Additionally, the memory is marked as __iomem, so one of -the memcpy_* functions should be used for read/write. - -Fixes: aa7eb2bb4e4a ("arm: zynq: Add smp support") -Signed-off-by: Luis Araneda <luaraneda@gmail.com> -Cc: stable@vger.kernel.org -Signed-off-by: Michal Simek <michal.simek@xilinx.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/arm/mach-zynq/platsmp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/arm/mach-zynq/platsmp.c -+++ b/arch/arm/mach-zynq/platsmp.c -@@ -65,7 +65,7 @@ int zynq_cpun_start(u32 address, int cpu - * 0x4: Jump by mov instruction - * 0x8: Jumping address - */ -- memcpy((__force void *)zero, &zynq_secondary_trampoline, -+ memcpy_toio(zero, &zynq_secondary_trampoline, - trampoline_size); - writel(address, zero + trampoline_size); - diff --git a/asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch b/asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch deleted file mode 100644 index 7008d77..0000000 --- a/asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 2757970f6d0d0a112247600b23d38c0c728ceeb3 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Tue, 19 Feb 2019 16:46:47 +0100 -Subject: ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() - -From: Takashi Iwai <tiwai@suse.de> - -commit 2757970f6d0d0a112247600b23d38c0c728ceeb3 upstream. - -The node obtained from of_find_node_by_path() has to be unreferenced -after the use, but we forgot it for the root node. - -Fixes: f0fba2ad1b6b ("ASoC: multi-component - ASoC Multi-Component Support") -Cc: Timur Tabi <timur@kernel.org> -Cc: Nicolin Chen <nicoleotsuka@gmail.com> -Cc: Xiubo Li <Xiubo.Lee@gmail.com> -Cc: Fabio Estevam <festevam@gmail.com> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Acked-by: Nicolin Chen <nicoleotsuka@gmail.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/soc/fsl/fsl_ssi.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/sound/soc/fsl/fsl_ssi.c -+++ b/sound/soc/fsl/fsl_ssi.c -@@ -1284,6 +1284,7 @@ static int fsl_ssi_probe(struct platform - struct fsl_ssi_private *ssi_private; - int ret = 0; - struct device_node *np = pdev->dev.of_node; -+ struct device_node *root; - const struct of_device_id *of_id; - const char *p, *sprop; - const uint32_t *iprop; -@@ -1427,7 +1428,9 @@ static int fsl_ssi_probe(struct platform - * device tree. We also pass the address of the CPU DAI driver - * structure. - */ -- sprop = of_get_property(of_find_node_by_path("/"), "compatible", NULL); -+ root = of_find_node_by_path("/"); -+ sprop = of_get_property(root, "compatible", NULL); -+ of_node_put(root); - /* Sometimes the compatible name has a "fsl," prefix, so we strip it. */ - p = strrchr(sprop, ','); - if (p) diff --git a/ax25-enforce-cap_net_raw-for-raw-sockets.patch b/ax25-enforce-cap_net_raw-for-raw-sockets.patch deleted file mode 100644 index a378292..0000000 --- a/ax25-enforce-cap_net_raw-for-raw-sockets.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Ori Nimron <orinimron123@gmail.com> -Date: Fri, 20 Sep 2019 09:35:47 +0200 -Subject: ax25: enforce CAP_NET_RAW for raw sockets - -From: Ori Nimron <orinimron123@gmail.com> - -[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ] - -When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron <orinimron123@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/ax25/af_ax25.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -860,6 +860,8 @@ static int ax25_create(struct net *net, - break; - - case SOCK_RAW: -+ if (!capable(CAP_NET_RAW)) -+ return -EPERM; - break; - default: - return -ESOCKTNOSUPPORT; diff --git a/btrfs-fix-use-after-free-when-using-the-tree-modification-log.patch b/btrfs-fix-use-after-free-when-using-the-tree-modification-log.patch deleted file mode 100644 index 29590f8..0000000 --- a/btrfs-fix-use-after-free-when-using-the-tree-modification-log.patch +++ /dev/null @@ -1,99 +0,0 @@ -From efad8a853ad2057f96664328a0d327a05ce39c76 Mon Sep 17 00:00:00 2001 -From: Filipe Manana <fdmanana@suse.com> -Date: Mon, 12 Aug 2019 19:14:29 +0100 -Subject: Btrfs: fix use-after-free when using the tree modification log - -From: Filipe Manana <fdmanana@suse.com> - -commit efad8a853ad2057f96664328a0d327a05ce39c76 upstream. - -At ctree.c:get_old_root(), we are accessing a root's header owner field -after we have freed the respective extent buffer. This results in an -use-after-free that can lead to crashes, and when CONFIG_DEBUG_PAGEALLOC -is set, results in a stack trace like the following: - - [ 3876.799331] stack segment: 0000 [#1] SMP DEBUG_PAGEALLOC PTI - [ 3876.799363] CPU: 0 PID: 15436 Comm: pool Not tainted 5.3.0-rc3-btrfs-next-54 #1 - [ 3876.799385] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 - [ 3876.799433] RIP: 0010:btrfs_search_old_slot+0x652/0xd80 [btrfs] - (...) - [ 3876.799502] RSP: 0018:ffff9f08c1a2f9f0 EFLAGS: 00010286 - [ 3876.799518] RAX: ffff8dd300000000 RBX: ffff8dd85a7a9348 RCX: 000000038da26000 - [ 3876.799538] RDX: 0000000000000000 RSI: ffffe522ce368980 RDI: 0000000000000246 - [ 3876.799559] RBP: dae1922adadad000 R08: 0000000008020000 R09: ffffe522c0000000 - [ 3876.799579] R10: ffff8dd57fd788c8 R11: 000000007511b030 R12: ffff8dd781ddc000 - [ 3876.799599] R13: ffff8dd9e6240578 R14: ffff8dd6896f7a88 R15: ffff8dd688cf90b8 - [ 3876.799620] FS: 00007f23ddd97700(0000) GS:ffff8dda20200000(0000) knlGS:0000000000000000 - [ 3876.799643] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [ 3876.799660] CR2: 00007f23d4024000 CR3: 0000000710bb0005 CR4: 00000000003606f0 - [ 3876.799682] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - [ 3876.799703] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - [ 3876.799723] Call Trace: - [ 3876.799735] ? do_raw_spin_unlock+0x49/0xc0 - [ 3876.799749] ? _raw_spin_unlock+0x24/0x30 - [ 3876.799779] resolve_indirect_refs+0x1eb/0xc80 [btrfs] - [ 3876.799810] find_parent_nodes+0x38d/0x1180 [btrfs] - [ 3876.799841] btrfs_check_shared+0x11a/0x1d0 [btrfs] - [ 3876.799870] ? extent_fiemap+0x598/0x6e0 [btrfs] - [ 3876.799895] extent_fiemap+0x598/0x6e0 [btrfs] - [ 3876.799913] do_vfs_ioctl+0x45a/0x700 - [ 3876.799926] ksys_ioctl+0x70/0x80 - [ 3876.799938] ? trace_hardirqs_off_thunk+0x1a/0x20 - [ 3876.799953] __x64_sys_ioctl+0x16/0x20 - [ 3876.799965] do_syscall_64+0x62/0x220 - [ 3876.799977] entry_SYSCALL_64_after_hwframe+0x49/0xbe - [ 3876.799993] RIP: 0033:0x7f23e0013dd7 - (...) - [ 3876.800056] RSP: 002b:00007f23ddd96ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 - [ 3876.800078] RAX: ffffffffffffffda RBX: 00007f23d80210f8 RCX: 00007f23e0013dd7 - [ 3876.800099] RDX: 00007f23d80210f8 RSI: 00000000c020660b RDI: 0000000000000003 - [ 3876.800626] RBP: 000055fa2a2a2440 R08: 0000000000000000 R09: 00007f23ddd96d7c - [ 3876.801143] R10: 00007f23d8022000 R11: 0000000000000246 R12: 00007f23ddd96d80 - [ 3876.801662] R13: 00007f23ddd96d78 R14: 00007f23d80210f0 R15: 00007f23ddd96d80 - (...) - [ 3876.805107] ---[ end trace e53161e179ef04f9 ]--- - -Fix that by saving the root's header owner field into a local variable -before freeing the root's extent buffer, and then use that local variable -when needed. - -Fixes: 30b0463a9394d9 ("Btrfs: fix accessing the root pointer in tree mod log functions") -CC: stable@vger.kernel.org # 3.10+ -Reviewed-by: Nikolay Borisov <nborisov@suse.com> -Reviewed-by: Anand Jain <anand.jain@oracle.com> -Signed-off-by: Filipe Manana <fdmanana@suse.com> -Reviewed-by: David Sterba <dsterba@suse.com> -Signed-off-by: David Sterba <dsterba@suse.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/btrfs/ctree.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/fs/btrfs/ctree.c -+++ b/fs/btrfs/ctree.c -@@ -1410,6 +1410,7 @@ get_old_root(struct btrfs_root *root, u6 - struct tree_mod_elem *tm; - struct extent_buffer *eb = NULL; - struct extent_buffer *eb_root; -+ u64 eb_root_owner = 0; - struct extent_buffer *old; - struct tree_mod_root *old_root = NULL; - u64 old_generation = 0; -@@ -1442,6 +1443,7 @@ get_old_root(struct btrfs_root *root, u6 - free_extent_buffer(old); - } - } else if (old_root) { -+ eb_root_owner = btrfs_header_owner(eb_root); - btrfs_tree_read_unlock(eb_root); - free_extent_buffer(eb_root); - eb = alloc_dummy_extent_buffer(logical, root->nodesize); -@@ -1459,7 +1461,7 @@ get_old_root(struct btrfs_root *root, u6 - if (old_root) { - btrfs_set_header_bytenr(eb, eb->start); - btrfs_set_header_backref_rev(eb, BTRFS_MIXED_BACKREF_REV); -- btrfs_set_header_owner(eb, btrfs_header_owner(eb_root)); -+ btrfs_set_header_owner(eb, eb_root_owner); - btrfs_set_header_level(eb, old_root->level); - btrfs_set_header_generation(eb, old_generation); - } diff --git a/btrfs-relinquish-cpus-in-btrfs_compare_trees.patch b/btrfs-relinquish-cpus-in-btrfs_compare_trees.patch deleted file mode 100644 index c2aef4d..0000000 --- a/btrfs-relinquish-cpus-in-btrfs_compare_trees.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 6af112b11a4bc1b560f60a618ac9c1dcefe9836e Mon Sep 17 00:00:00 2001 -From: Nikolay Borisov <nborisov@suse.com> -Date: Wed, 4 Sep 2019 19:33:58 +0300 -Subject: btrfs: Relinquish CPUs in btrfs_compare_trees - -From: Nikolay Borisov <nborisov@suse.com> - -commit 6af112b11a4bc1b560f60a618ac9c1dcefe9836e upstream. - -When doing any form of incremental send the parent and the child trees -need to be compared via btrfs_compare_trees. This can result in long -loop chains without ever relinquishing the CPU. This causes softlockup -detector to trigger when comparing trees with a lot of items. Example -report: - -watchdog: BUG: soft lockup - CPU#0 stuck for 24s! [snapperd:16153] -CPU: 0 PID: 16153 Comm: snapperd Not tainted 5.2.9-1-default #1 openSUSE Tumbleweed (unreleased) -Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 -pstate: 40000005 (nZcv daif -PAN -UAO) -pc : __ll_sc_arch_atomic_sub_return+0x14/0x20 -lr : btrfs_release_extent_buffer_pages+0xe0/0x1e8 [btrfs] -sp : ffff00001273b7e0 -Call trace: - __ll_sc_arch_atomic_sub_return+0x14/0x20 - release_extent_buffer+0xdc/0x120 [btrfs] - free_extent_buffer.part.0+0xb0/0x118 [btrfs] - free_extent_buffer+0x24/0x30 [btrfs] - btrfs_release_path+0x4c/0xa0 [btrfs] - btrfs_free_path.part.0+0x20/0x40 [btrfs] - btrfs_free_path+0x24/0x30 [btrfs] - get_inode_info+0xa8/0xf8 [btrfs] - finish_inode_if_needed+0xe0/0x6d8 [btrfs] - changed_cb+0x9c/0x410 [btrfs] - btrfs_compare_trees+0x284/0x648 [btrfs] - send_subvol+0x33c/0x520 [btrfs] - btrfs_ioctl_send+0x8a0/0xaf0 [btrfs] - btrfs_ioctl+0x199c/0x2288 [btrfs] - do_vfs_ioctl+0x4b0/0x820 - ksys_ioctl+0x84/0xb8 - __arm64_sys_ioctl+0x28/0x38 - el0_svc_common.constprop.0+0x7c/0x188 - el0_svc_handler+0x34/0x90 - el0_svc+0x8/0xc - -Fix this by adding a call to cond_resched at the beginning of the main -loop in btrfs_compare_trees. - -Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function") -CC: stable@vger.kernel.org # 4.4+ -Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> -Signed-off-by: Nikolay Borisov <nborisov@suse.com> -Reviewed-by: David Sterba <dsterba@suse.com> -Signed-off-by: David Sterba <dsterba@suse.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/btrfs/ctree.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/ctree.c -+++ b/fs/btrfs/ctree.c -@@ -5433,6 +5433,7 @@ int btrfs_compare_trees(struct btrfs_roo - advance_left = advance_right = 0; - - while (1) { -+ cond_resched(); - if (advance_left && !left_end_reached) { - ret = tree_advance(left_root, left_path, &left_level, - left_root_level, diff --git a/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch b/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch deleted file mode 100644 index a8254fa..0000000 --- a/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Bjørn Mork <bjorn@mork.no> -Date: Wed, 18 Sep 2019 14:01:46 +0200 -Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize - -From: Bjørn Mork <bjorn@mork.no> - -[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ] - -Endpoints with zero wMaxPacketSize are not usable for transferring -data. Ignore such endpoints when looking for valid in, out and -status pipes, to make the driver more robust against invalid and -meaningless descriptors. - -The wMaxPacketSize of the out pipe is used as divisor. So this change -fixes a divide-by-zero bug. - -Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com -Signed-off-by: Bjørn Mork <bjorn@mork.no> -Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/usb/cdc_ncm.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/net/usb/cdc_ncm.c -+++ b/drivers/net/usb/cdc_ncm.c -@@ -635,8 +635,12 @@ cdc_ncm_find_endpoints(struct usbnet *de - u8 ep; - - for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) { -- - e = intf->cur_altsetting->endpoint + ep; -+ -+ /* ignore endpoints which cannot transfer data */ -+ if (!usb_endpoint_maxp(&e->desc)) -+ continue; -+ - switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) { - case USB_ENDPOINT_XFER_INT: - if (usb_endpoint_dir_in(&e->desc)) { diff --git a/cfg80211-purge-frame-registrations-on-iftype-change.patch b/cfg80211-purge-frame-registrations-on-iftype-change.patch deleted file mode 100644 index 5bcbf4e..0000000 --- a/cfg80211-purge-frame-registrations-on-iftype-change.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c1d3ad84eae35414b6b334790048406bd6301b12 Mon Sep 17 00:00:00 2001 -From: Denis Kenzior <denkenz@gmail.com> -Date: Wed, 28 Aug 2019 16:11:10 -0500 -Subject: cfg80211: Purge frame registrations on iftype change - -From: Denis Kenzior <denkenz@gmail.com> - -commit c1d3ad84eae35414b6b334790048406bd6301b12 upstream. - -Currently frame registrations are not purged, even when changing the -interface type. This can lead to potentially weird situations where -frames possibly not allowed on a given interface type remain registered -due to the type switching happening after registration. - -The kernel currently relies on userspace apps to actually purge the -registrations themselves, this is not something that the kernel should -rely on. - -Add a call to cfg80211_mlme_purge_registrations() to forcefully remove -any registrations left over prior to switching the iftype. - -Cc: stable@vger.kernel.org -Signed-off-by: Denis Kenzior <denkenz@gmail.com> -Link: https://lore.kernel.org/r/20190828211110.15005-1-denkenz@gmail.com -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - net/wireless/util.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/net/wireless/util.c -+++ b/net/wireless/util.c -@@ -921,6 +921,7 @@ int cfg80211_change_iface(struct cfg8021 - } - - cfg80211_process_rdev_events(rdev); -+ cfg80211_mlme_purge_registrations(dev->ieee80211_ptr); - } - - err = rdev_change_virtual_intf(rdev, dev, ntype, flags, params); diff --git a/cifs-fix-oplock-handling-for-smb-2.1-protocols.patch b/cifs-fix-oplock-handling-for-smb-2.1-protocols.patch deleted file mode 100644 index 6352490..0000000 --- a/cifs-fix-oplock-handling-for-smb-2.1-protocols.patch +++ /dev/null @@ -1,48 +0,0 @@ -From a016e2794fc3a245a91946038dd8f34d65e53cc3 Mon Sep 17 00:00:00 2001 -From: Pavel Shilovsky <pshilov@microsoft.com> -Date: Thu, 26 Sep 2019 12:31:20 -0700 -Subject: CIFS: Fix oplock handling for SMB 2.1+ protocols - -From: Pavel Shilovsky <pshilov@microsoft.com> - -commit a016e2794fc3a245a91946038dd8f34d65e53cc3 upstream. - -There may be situations when a server negotiates SMB 2.1 -protocol version or higher but responds to a CREATE request -with an oplock rather than a lease. - -Currently the client doesn't handle such a case correctly: -when another CREATE comes in the server sends an oplock -break to the initial CREATE and the client doesn't send -an ack back due to a wrong caching level being set (READ -instead of RWH). Missing an oplock break ack makes the -server wait until the break times out which dramatically -increases the latency of the second CREATE. - -Fix this by properly detecting oplocks when using SMB 2.1 -protocol version and higher. - -Cc: <stable@vger.kernel.org> -Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/cifs/smb2ops.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/fs/cifs/smb2ops.c -+++ b/fs/cifs/smb2ops.c -@@ -1207,6 +1207,11 @@ smb21_set_oplock_level(struct cifsInodeI - if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) - return; - -+ /* Check if the server granted an oplock rather than a lease */ -+ if (oplock & SMB2_OPLOCK_LEVEL_EXCLUSIVE) -+ return smb2_set_oplock_level(cinode, oplock, epoch, -+ purge_cache); -+ - if (oplock & SMB2_LEASE_READ_CACHING_HE) { - new_oplock |= CIFS_CACHE_READ_FLG; - strcat(message, "R"); diff --git a/dev-mem-bail-out-upon-sigkill.patch b/dev-mem-bail-out-upon-sigkill.patch deleted file mode 100644 index d9e6a13..0000000 --- a/dev-mem-bail-out-upon-sigkill.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 8619e5bdeee8b2c685d686281f2d2a6017c4bc15 Mon Sep 17 00:00:00 2001 -From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -Date: Mon, 26 Aug 2019 22:13:25 +0900 -Subject: /dev/mem: Bail out upon SIGKILL. - -From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> - -commit 8619e5bdeee8b2c685d686281f2d2a6017c4bc15 upstream. - -syzbot found that a thread can stall for minutes inside read_mem() or -write_mem() after that thread was killed by SIGKILL [1]. Reading from -iomem areas of /dev/mem can be slow, depending on the hardware. -While reading 2GB at one read() is legal, delaying termination of killed -thread for minutes is bad. Thus, allow reading/writing /dev/mem and -/dev/kmem to be preemptible and killable. - - [ 1335.912419][T20577] read_mem: sz=4096 count=2134565632 - [ 1335.943194][T20577] read_mem: sz=4096 count=2134561536 - [ 1335.978280][T20577] read_mem: sz=4096 count=2134557440 - [ 1336.011147][T20577] read_mem: sz=4096 count=2134553344 - [ 1336.041897][T20577] read_mem: sz=4096 count=2134549248 - -Theoretically, reading/writing /dev/mem and /dev/kmem can become -"interruptible". But this patch chose "killable". Future patch will make -them "interruptible" so that we can revert to "killable" if some program -regressed. - -[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e - -Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> -Cc: stable <stable@vger.kernel.org> -Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com> -Link: https://lore.kernel.org/r/1566825205-10703-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/char/mem.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -99,6 +99,13 @@ void __weak unxlate_dev_mem_ptr(unsigned - { - } - -+static inline bool should_stop_iteration(void) -+{ -+ if (need_resched()) -+ cond_resched(); -+ return fatal_signal_pending(current); -+} -+ - /* - * This funcion reads the *physical* memory. The f_pos points directly to the - * memory location. -@@ -165,6 +172,8 @@ static ssize_t read_mem(struct file *fil - p += sz; - count -= sz; - read += sz; -+ if (should_stop_iteration()) -+ break; - } - - *ppos += read; -@@ -236,6 +245,8 @@ static ssize_t write_mem(struct file *fi - p += sz; - count -= sz; - written += sz; -+ if (should_stop_iteration()) -+ break; - } - - *ppos += written; -@@ -443,6 +454,10 @@ static ssize_t read_kmem(struct file *fi - read += sz; - low_count -= sz; - count -= sz; -+ if (should_stop_iteration()) { -+ count = 0; -+ break; -+ } - } - } - -@@ -467,6 +482,8 @@ static ssize_t read_kmem(struct file *fi - buf += sz; - read += sz; - p += sz; -+ if (should_stop_iteration()) -+ break; - } - free_page((unsigned long)kbuf); - } -@@ -517,6 +534,8 @@ static ssize_t do_write_kmem(unsigned lo - p += sz; - count -= sz; - written += sz; -+ if (should_stop_iteration()) -+ break; - } - - *ppos += written; -@@ -568,6 +587,8 @@ static ssize_t write_kmem(struct file *f - buf += sz; - virtr += sz; - p += sz; -+ if (should_stop_iteration()) -+ break; - } - free_page((unsigned long)kbuf); - } diff --git a/fuse-fix-missing-unlock_page-in-fuse_writepage.patch b/fuse-fix-missing-unlock_page-in-fuse_writepage.patch deleted file mode 100644 index 5f4c36e..0000000 --- a/fuse-fix-missing-unlock_page-in-fuse_writepage.patch +++ /dev/null @@ -1,32 +0,0 @@ -From d5880c7a8620290a6c90ced7a0e8bd0ad9419601 Mon Sep 17 00:00:00 2001 -From: Vasily Averin <vvs@virtuozzo.com> -Date: Fri, 13 Sep 2019 18:17:11 +0300 -Subject: fuse: fix missing unlock_page in fuse_writepage() - -From: Vasily Averin <vvs@virtuozzo.com> - -commit d5880c7a8620290a6c90ced7a0e8bd0ad9419601 upstream. - -unlock_page() was missing in case of an already in-flight write against the -same page. - -Signed-off-by: Vasily Averin <vvs@virtuozzo.com> -Fixes: ff17be086477 ("fuse: writepage: skip already in flight") -Cc: <stable@vger.kernel.org> # v3.13 -Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/fuse/file.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -1765,6 +1765,7 @@ static int fuse_writepage(struct page *p - WARN_ON(wbc->sync_mode == WB_SYNC_ALL); - - redirty_page_for_writepage(wbc, page); -+ unlock_page(page); - return 0; - } - diff --git a/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch b/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch deleted file mode 100644 index ff65400..0000000 --- a/hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 416dacb819f59180e4d86a5550052033ebb6d72c Mon Sep 17 00:00:00 2001 -From: Alan Stern <stern@rowland.harvard.edu> -Date: Wed, 21 Aug 2019 13:27:12 -0400 -Subject: HID: hidraw: Fix invalid read in hidraw_ioctl - -From: Alan Stern <stern@rowland.harvard.edu> - -commit 416dacb819f59180e4d86a5550052033ebb6d72c upstream. - -The syzbot fuzzer has reported a pair of problems in the -hidraw_ioctl() function: slab-out-of-bounds read and use-after-free -read. An example of the first: - -BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525 -Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833 - -CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS -Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0xca/0x13e lib/dump_stack.c:113 - print_address_description+0x6a/0x32c mm/kasan/report.c:351 - __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482 - kasan_report+0xe/0x12 mm/kasan/common.c:612 - strlen+0x79/0x90 lib/string.c:525 - strlen include/linux/string.h:281 [inline] - hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446 - vfs_ioctl fs/ioctl.c:46 [inline] - file_ioctl fs/ioctl.c:509 [inline] - do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696 - ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713 - __do_sys_ioctl fs/ioctl.c:720 [inline] - __se_sys_ioctl fs/ioctl.c:718 [inline] - __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 - do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x459829 -Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 -48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff -ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 -RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829 -RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004 -RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4 -R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff - -The two problems have the same cause: hidraw_ioctl() fails to test -whether the device has been removed. This patch adds the missing test. - -Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com -Signed-off-by: Alan Stern <stern@rowland.harvard.edu> -CC: <stable@vger.kernel.org> -Signed-off-by: Jiri Kosina <jkosina@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/hid/hidraw.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/hid/hidraw.c -+++ b/drivers/hid/hidraw.c -@@ -383,7 +383,7 @@ static long hidraw_ioctl(struct file *fi - - mutex_lock(&minors_lock); - dev = hidraw_table[minor]; -- if (!dev) { -+ if (!dev || !dev->exist) { - ret = -ENODEV; - goto out; - } diff --git a/hid-lg-make-transfer-buffers-dma-capable.patch b/hid-lg-make-transfer-buffers-dma-capable.patch deleted file mode 100644 index 92fbba7..0000000 --- a/hid-lg-make-transfer-buffers-dma-capable.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 061232f0d47fa10103f3efa3e890f002a930d902 Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires <benjamin.tissoires@redhat.com> -Date: Mon, 21 Nov 2016 11:48:40 +0100 -Subject: HID: lg: make transfer buffers DMA capable - -From: Benjamin Tissoires <benjamin.tissoires@redhat.com> - -commit 061232f0d47fa10103f3efa3e890f002a930d902 upstream. - -Kernel v4.9 strictly enforces DMA capable buffers, so we need to remove -buffers allocated on the stack. - -[jkosina@suse.cz: fix up second usage of hid_hw_raw_request(), spotted by - 0day build bot] -Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> -Signed-off-by: Jiri Kosina <jkosina@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/hid/hid-lg.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - ---- a/drivers/hid/hid-lg.c -+++ b/drivers/hid/hid-lg.c -@@ -690,11 +690,16 @@ static int lg_probe(struct hid_device *h - - /* Setup wireless link with Logitech Wii wheel */ - if (hdev->product == USB_DEVICE_ID_LOGITECH_WII_WHEEL) { -- unsigned char buf[] = { 0x00, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; -+ const unsigned char cbuf[] = { 0x00, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; -+ u8 *buf = kmemdup(cbuf, sizeof(cbuf), GFP_KERNEL); - -- ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(buf), -- HID_FEATURE_REPORT, HID_REQ_SET_REPORT); -+ if (!buf) { -+ ret = -ENOMEM; -+ goto err_free; -+ } - -+ ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf), -+ HID_FEATURE_REPORT, HID_REQ_SET_REPORT); - if (ret >= 0) { - /* insert a little delay of 10 jiffies ~ 40ms */ - wait_queue_head_t wait; -@@ -705,9 +710,10 @@ static int lg_probe(struct hid_device *h - buf[1] = 0xB2; - get_random_bytes(&buf[2], 2); - -- ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(buf), -+ ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf), - HID_FEATURE_REPORT, HID_REQ_SET_REPORT); - } -+ kfree(buf); - } - - if (drv_data->quirks & LG_FF) diff --git a/hid-prodikeys-fix-general-protection-fault-during-probe.patch b/hid-prodikeys-fix-general-protection-fault-during-probe.patch deleted file mode 100644 index e0ddc3c..0000000 --- a/hid-prodikeys-fix-general-protection-fault-during-probe.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 98375b86c79137416e9fd354177b85e768c16e56 Mon Sep 17 00:00:00 2001 -From: Alan Stern <stern@rowland.harvard.edu> -Date: Wed, 4 Sep 2019 11:54:20 -0400 -Subject: HID: prodikeys: Fix general protection fault during probe - -From: Alan Stern <stern@rowland.harvard.edu> - -commit 98375b86c79137416e9fd354177b85e768c16e56 upstream. - -The syzbot fuzzer provoked a general protection fault in the -hid-prodikeys driver: - -kasan: CONFIG_KASAN_INLINE enabled -kasan: GPF could be caused by NULL-ptr deref or user memory access -general protection fault: 0000 [#1] SMP KASAN -CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #28 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS -Google 01/01/2011 -Workqueue: usb_hub_wq hub_event -RIP: 0010:pcmidi_submit_output_report drivers/hid/hid-prodikeys.c:300 [inline] -RIP: 0010:pcmidi_set_operational drivers/hid/hid-prodikeys.c:558 [inline] -RIP: 0010:pcmidi_snd_initialise drivers/hid/hid-prodikeys.c:686 [inline] -RIP: 0010:pk_probe+0xb51/0xfd0 drivers/hid/hid-prodikeys.c:836 -Code: 0f 85 50 04 00 00 48 8b 04 24 4c 89 7d 10 48 8b 58 08 e8 b2 53 e4 fc -48 8b 54 24 20 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f -85 13 04 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b - -The problem is caused by the fact that pcmidi_get_output_report() will -return an error if the HID device doesn't provide the right sort of -output report, but pcmidi_set_operational() doesn't bother to check -the return code and assumes the function call always succeeds. - -This patch adds the missing check and aborts the probe operation if -necessary. - -Reported-and-tested-by: syzbot+1088533649dafa1c9004@syzkaller.appspotmail.com -Signed-off-by: Alan Stern <stern@rowland.harvard.edu> -CC: <stable@vger.kernel.org> -Signed-off-by: Jiri Kosina <jkosina@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/hid/hid-prodikeys.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - ---- a/drivers/hid/hid-prodikeys.c -+++ b/drivers/hid/hid-prodikeys.c -@@ -557,10 +557,14 @@ static void pcmidi_setup_extra_keys( - - static int pcmidi_set_operational(struct pcmidi_snd *pm) - { -+ int rc; -+ - if (pm->ifnum != 1) - return 0; /* only set up ONCE for interace 1 */ - -- pcmidi_get_output_report(pm); -+ rc = pcmidi_get_output_report(pm); -+ if (rc < 0) -+ return rc; - pcmidi_submit_output_report(pm, 0xc1); - return 0; - } -@@ -689,7 +693,11 @@ static int pcmidi_snd_initialise(struct - spin_lock_init(&pm->rawmidi_in_lock); - - init_sustain_timers(pm); -- pcmidi_set_operational(pm); -+ err = pcmidi_set_operational(pm); -+ if (err < 0) { -+ pk_error("failed to find output report\n"); -+ goto fail_register; -+ } - - /* register it */ - err = snd_card_register(card); diff --git a/hwrng-core-don-t-wait-on-add_early_randomness.patch b/hwrng-core-don-t-wait-on-add_early_randomness.patch deleted file mode 100644 index 245959c..0000000 --- a/hwrng-core-don-t-wait-on-add_early_randomness.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 78887832e76541f77169a24ac238fccb51059b63 Mon Sep 17 00:00:00 2001 -From: Laurent Vivier <lvivier@redhat.com> -Date: Tue, 17 Sep 2019 11:54:50 +0200 -Subject: hwrng: core - don't wait on add_early_randomness() - -From: Laurent Vivier <lvivier@redhat.com> - -commit 78887832e76541f77169a24ac238fccb51059b63 upstream. - -add_early_randomness() is called by hwrng_register() when the -hardware is added. If this hardware and its module are present -at boot, and if there is no data available the boot hangs until -data are available and can't be interrupted. - -For instance, in the case of virtio-rng, in some cases the host can be -not able to provide enough entropy for all the guests. - -We can have two easy ways to reproduce the problem but they rely on -misconfiguration of the hypervisor or the egd daemon: - -- if virtio-rng device is configured to connect to the egd daemon of the -host but when the virtio-rng driver asks for data the daemon is not -connected, - -- if virtio-rng device is configured to connect to the egd daemon of the -host but the egd daemon doesn't provide data. - -The guest kernel will hang at boot until the virtio-rng driver provides -enough data. - -To avoid that, call rng_get_data() in non-blocking mode (wait=0) -from add_early_randomness(). - -Signed-off-by: Laurent Vivier <lvivier@redhat.com> -Fixes: d9e797261933 ("hwrng: add randomness to system from rng...") -Cc: <stable@vger.kernel.org> -Reviewed-by: Theodore Ts'o <tytso@mit.edu> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/char/hw_random/core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/char/hw_random/core.c -+++ b/drivers/char/hw_random/core.c -@@ -81,7 +81,7 @@ static void add_early_randomness(struct - unsigned char bytes[16]; - int bytes_read; - -- bytes_read = rng_get_data(rng, bytes, sizeof(bytes), 1); -+ bytes_read = rng_get_data(rng, bytes, sizeof(bytes), 0); - if (bytes_read > 0) - add_device_randomness(bytes, bytes_read); - } diff --git a/i2c-riic-clear-nack-in-tend-isr.patch b/i2c-riic-clear-nack-in-tend-isr.patch deleted file mode 100644 index 2dfa776..0000000 --- a/i2c-riic-clear-nack-in-tend-isr.patch +++ /dev/null @@ -1,37 +0,0 @@ -From a71e2ac1f32097fbb2beab098687a7a95c84543e Mon Sep 17 00:00:00 2001 -From: Chris Brandt <chris.brandt@renesas.com> -Date: Thu, 26 Sep 2019 07:19:09 -0500 -Subject: i2c: riic: Clear NACK in tend isr - -From: Chris Brandt <chris.brandt@renesas.com> - -commit a71e2ac1f32097fbb2beab098687a7a95c84543e upstream. - -The NACKF flag should be cleared in INTRIICNAKI interrupt processing as -description in HW manual. - -This issue shows up quickly when PREEMPT_RT is applied and a device is -probed that is not plugged in (like a touchscreen controller). The result -is endless interrupts that halt system boot. - -Fixes: 310c18a41450 ("i2c: riic: add driver") -Cc: stable@vger.kernel.org -Reported-by: Chien Nguyen <chien.nguyen.eb@rvc.renesas.com> -Signed-off-by: Chris Brandt <chris.brandt@renesas.com> -Signed-off-by: Wolfram Sang <wsa@the-dreams.de> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/i2c/busses/i2c-riic.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/i2c/busses/i2c-riic.c -+++ b/drivers/i2c/busses/i2c-riic.c -@@ -212,6 +212,7 @@ static irqreturn_t riic_tend_isr(int irq - if (readb(riic->base + RIIC_ICSR2) & ICSR2_NACKF) { - /* We got a NACKIE */ - readb(riic->base + RIIC_ICDRR); /* dummy read */ -+ riic_clear_set_bit(riic, ICSR2_NACKF, 0, RIIC_ICSR2); - riic->err = -ENXIO; - } else if (riic->bytes_left) { - return IRQ_NONE; diff --git a/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch b/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch deleted file mode 100644 index ad01297..0000000 --- a/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch +++ /dev/null @@ -1,33 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Ori Nimron <orinimron123@gmail.com> -Date: Fri, 20 Sep 2019 09:35:48 +0200 -Subject: ieee802154: enforce CAP_NET_RAW for raw sockets - -From: Ori Nimron <orinimron123@gmail.com> - -[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ] - -When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be -checked first. - -Signed-off-by: Ori Nimron <orinimron123@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/ieee802154/af_ieee802154.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/ieee802154/af_ieee802154.c -+++ b/net/ieee802154/af_ieee802154.c -@@ -252,6 +252,9 @@ static int ieee802154_create(struct net - - switch (sock->type) { - case SOCK_RAW: -+ rc = -EPERM; -+ if (!capable(CAP_NET_RAW)) -+ goto out; - proto = &ieee802154_raw_prot; - ops = &ieee802154_raw_ops; - break; diff --git a/kvm-x86-always-stop-emulation-on-page-fault.patch b/kvm-x86-always-stop-emulation-on-page-fault.patch deleted file mode 100644 index af57bdf..0000000 --- a/kvm-x86-always-stop-emulation-on-page-fault.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 8530a79c5a9f4e29e6ffb35ec1a79d81f4968ec8 Mon Sep 17 00:00:00 2001 -From: Jan Dakinevich <jan.dakinevich@virtuozzo.com> -Date: Tue, 27 Aug 2019 13:07:09 +0000 -Subject: KVM: x86: always stop emulation on page fault - -From: Jan Dakinevich <jan.dakinevich@virtuozzo.com> - -commit 8530a79c5a9f4e29e6ffb35ec1a79d81f4968ec8 upstream. - -inject_emulated_exception() returns true if and only if nested page -fault happens. However, page fault can come from guest page tables -walk, either nested or not nested. In both cases we should stop an -attempt to read under RIP and give guest to step over its own page -fault handler. - -This is also visible when an emulated instruction causes a #GP fault -and the VMware backdoor is enabled. To handle the VMware backdoor, -KVM intercepts #GP faults; with only the next patch applied, -x86_emulate_instruction() injects a #GP but returns EMULATE_FAIL -instead of EMULATE_DONE. EMULATE_FAIL causes handle_exception_nmi() -(or gp_interception() for SVM) to re-inject the original #GP because it -thinks emulation failed due to a non-VMware opcode. This patch prevents -the issue as x86_emulate_instruction() will return EMULATE_DONE after -injecting the #GP. - -Fixes: 6ea6e84309ca ("KVM: x86: inject exceptions produced by x86_decode_insn") -Cc: stable@vger.kernel.org -Cc: Denis Lunev <den@virtuozzo.com> -Cc: Roman Kagan <rkagan@virtuozzo.com> -Cc: Denis Plotnikov <dplotnikov@virtuozzo.com> -Signed-off-by: Jan Dakinevich <jan.dakinevich@virtuozzo.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/x86/kvm/x86.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -5391,8 +5391,10 @@ int x86_emulate_instruction(struct kvm_v - if (reexecute_instruction(vcpu, cr2, write_fault_to_spt, - emulation_type)) - return EMULATE_DONE; -- if (ctxt->have_exception && inject_emulated_exception(vcpu)) -+ if (ctxt->have_exception) { -+ inject_emulated_exception(vcpu); - return EMULATE_DONE; -+ } - if (emulation_type & EMULTYPE_SKIP) - return EMULATE_FAIL; - return handle_emulation_failure(vcpu); diff --git a/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch b/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch deleted file mode 100644 index 09b5492..0000000 --- a/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 16cfacc8085782dab8e365979356ce1ca87fd6cc Mon Sep 17 00:00:00 2001 -From: Sean Christopherson <sean.j.christopherson@intel.com> -Date: Tue, 3 Sep 2019 16:36:45 -0700 -Subject: KVM: x86: Manually calculate reserved bits when loading PDPTRS - -From: Sean Christopherson <sean.j.christopherson@intel.com> - -commit 16cfacc8085782dab8e365979356ce1ca87fd6cc upstream. - -Manually generate the PDPTR reserved bit mask when explicitly loading -PDPTRs. The reserved bits that are being tracked by the MMU reflect the -current paging mode, which is unlikely to be PAE paging in the vast -majority of flows that use load_pdptrs(), e.g. CR0 and CR4 emulation, -__set_sregs(), etc... This can cause KVM to incorrectly signal a bad -PDPTR, or more likely, miss a reserved bit check and subsequently fail -a VM-Enter due to a bad VMCS.GUEST_PDPTR. - -Add a one off helper to generate the reserved bits instead of sharing -code across the MMU's calculations and the PDPTR emulation. The PDPTR -reserved bits are basically set in stone, and pushing a helper into -the MMU's calculation adds unnecessary complexity without improving -readability. - -Oppurtunistically fix/update the comment for load_pdptrs(). - -Note, the buggy commit also introduced a deliberate functional change, -"Also remove bit 5-6 from rsvd_bits_mask per latest SDM.", which was -effectively (and correctly) reverted by commit cd9ae5fe47df ("KVM: x86: -Fix page-tables reserved bits"). A bit of SDM archaeology shows that -the SDM from late 2008 had a bug (likely a copy+paste error) where it -listed bits 6:5 as AVL and A for PDPTEs used for 4k entries but reserved -for 2mb entries. I.e. the SDM contradicted itself, and bits 6:5 are and -always have been reserved. - -Fixes: 20c466b56168d ("KVM: Use rsvd_bits_mask in load_pdptrs()") -Cc: stable@vger.kernel.org -Cc: Nadav Amit <nadav.amit@gmail.com> -Reported-by: Doug Reiland <doug.reiland@intel.com> -Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> -Reviewed-by: Peter Xu <peterx@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/x86/kvm/x86.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -486,8 +486,14 @@ int kvm_read_nested_guest_page(struct kv - data, offset, len, access); - } - -+static inline u64 pdptr_rsvd_bits(struct kvm_vcpu *vcpu) -+{ -+ return rsvd_bits(cpuid_maxphyaddr(vcpu), 63) | rsvd_bits(5, 8) | -+ rsvd_bits(1, 2); -+} -+ - /* -- * Load the pae pdptrs. Return true is they are all valid. -+ * Load the pae pdptrs. Return 1 if they are all valid, 0 otherwise. - */ - int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3) - { -@@ -506,7 +512,7 @@ int load_pdptrs(struct kvm_vcpu *vcpu, s - } - for (i = 0; i < ARRAY_SIZE(pdpte); ++i) { - if (is_present_gpte(pdpte[i]) && -- (pdpte[i] & vcpu->arch.mmu.rsvd_bits_mask[0][2])) { -+ (pdpte[i] & pdptr_rsvd_bits(vcpu))) { - ret = 0; - goto out; - } diff --git a/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch b/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch deleted file mode 100644 index 1141ef2..0000000 --- a/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch +++ /dev/null @@ -1,53 +0,0 @@ -From c8848cee74ff05638e913582a476bde879c968ad Mon Sep 17 00:00:00 2001 -From: Jan Dakinevich <jan.dakinevich@virtuozzo.com> -Date: Tue, 27 Aug 2019 13:07:08 +0000 -Subject: KVM: x86: set ctxt->have_exception in x86_decode_insn() - -From: Jan Dakinevich <jan.dakinevich@virtuozzo.com> - -commit c8848cee74ff05638e913582a476bde879c968ad upstream. - -x86_emulate_instruction() takes into account ctxt->have_exception flag -during instruction decoding, but in practice this flag is never set in -x86_decode_insn(). - -Fixes: 6ea6e84309ca ("KVM: x86: inject exceptions produced by x86_decode_insn") -Cc: stable@vger.kernel.org -Cc: Denis Lunev <den@virtuozzo.com> -Cc: Roman Kagan <rkagan@virtuozzo.com> -Cc: Denis Plotnikov <dplotnikov@virtuozzo.com> -Signed-off-by: Jan Dakinevich <jan.dakinevich@virtuozzo.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/x86/kvm/emulate.c | 2 ++ - arch/x86/kvm/x86.c | 6 ++++++ - 2 files changed, 8 insertions(+) - ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -4630,6 +4630,8 @@ done_prefixes: - ctxt->memopp->addr.mem.ea += ctxt->_eip; - - done: -+ if (rc == X86EMUL_PROPAGATE_FAULT) -+ ctxt->have_exception = true; - return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK; - } - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -5392,6 +5392,12 @@ int x86_emulate_instruction(struct kvm_v - emulation_type)) - return EMULATE_DONE; - if (ctxt->have_exception) { -+ /* -+ * #UD should result in just EMULATION_FAILED, and trap-like -+ * exception should not be encountered during decode. -+ */ -+ WARN_ON_ONCE(ctxt->exception.vector == UD_VECTOR || -+ exception_type(ctxt->exception.vector) == EXCPT_TRAP); - inject_emulated_exception(vcpu); - return EMULATE_DONE; - } diff --git a/misdn-enforce-cap_net_raw-for-raw-sockets.patch b/misdn-enforce-cap_net_raw-for-raw-sockets.patch deleted file mode 100644 index 12fa857..0000000 --- a/misdn-enforce-cap_net_raw-for-raw-sockets.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Ori Nimron <orinimron123@gmail.com> -Date: Fri, 20 Sep 2019 09:35:45 +0200 -Subject: mISDN: enforce CAP_NET_RAW for raw sockets - -From: Ori Nimron <orinimron123@gmail.com> - -[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ] - -When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron <orinimron123@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/isdn/mISDN/socket.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/isdn/mISDN/socket.c -+++ b/drivers/isdn/mISDN/socket.c -@@ -763,6 +763,8 @@ base_sock_create(struct net *net, struct - - if (sock->type != SOCK_RAW) - return -ESOCKTNOSUPPORT; -+ if (!capable(CAP_NET_RAW)) -+ return -EPERM; - - sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto); - if (!sk) diff --git a/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch b/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch deleted file mode 100644 index b0a2767..0000000 --- a/mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 37c673ade35c707d50583b5b25091ff8ebdeafd7 Mon Sep 17 00:00:00 2001 -From: Tokunori Ikegami <ikegami.t@gmail.com> -Date: Tue, 6 Aug 2019 04:03:18 +0900 -Subject: mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() - -From: Tokunori Ikegami <ikegami.t@gmail.com> - -commit 37c673ade35c707d50583b5b25091ff8ebdeafd7 upstream. - -As reported by the OpenWRT team, write requests sometimes fail on some -platforms. -Currently to check the state chip_ready() is used correctly as described by -the flash memory S29GL256P11TFI01 datasheet. -Also chip_good() is used to check if the write is succeeded and it was -implemented by the commit fb4a90bfcd6d8 ("[MTD] CFI-0002 - Improve error -checking"). -But actually the write failure is caused on some platforms and also it can -be fixed by using chip_good() to check the state and retry instead. -Also it seems that it is caused after repeated about 1,000 times to retry -the write one word with the reset command. -By using chip_good() to check the state to be done it can be reduced the -retry with reset. -It is depended on the actual flash chip behavior so the root cause is -unknown. - -Cc: Chris Packham <chris.packham@alliedtelesis.co.nz> -Cc: Joakim Tjernlund <Joakim.Tjernlund@infinera.com> -Cc: linux-mtd@lists.infradead.org -Cc: stable@vger.kernel.org -Reported-by: Fabio Bettoni <fbettoni@gmail.com> -Signed-off-by: Felix Fietkau <nbd@nbd.name> -Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> -Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com> -[vigneshr@ti.com: Fix a checkpatch warning] -Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - - ---- - drivers/mtd/chips/cfi_cmdset_0002.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - ---- a/drivers/mtd/chips/cfi_cmdset_0002.c -+++ b/drivers/mtd/chips/cfi_cmdset_0002.c -@@ -1626,29 +1626,35 @@ static int __xipram do_write_oneword(str - continue; - } - -- if (time_after(jiffies, timeo) && !chip_ready(map, adr)){ -+ /* -+ * We check "time_after" and "!chip_good" before checking -+ * "chip_good" to avoid the failure due to scheduling. -+ */ -+ if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) { - xip_enable(map, chip, adr); - printk(KERN_WARNING "MTD %s(): software timeout\n", __func__); - xip_disable(map, chip, adr); -+ ret = -EIO; - break; - } - -- if (chip_ready(map, adr)) -+ if (chip_good(map, adr, datum)) - break; - - /* Latency issues. Drop the lock, wait a while and retry */ - UDELAY(map, chip, adr, 1); - } -+ - /* Did we succeed? */ -- if (!chip_good(map, adr, datum)) { -+ if (ret) { - /* reset on all failures. */ - map_write( map, CMD(0xF0), chip->start ); - /* FIXME - should have reset delay before continuing */ - -- if (++retry_cnt <= MAX_RETRIES) -+ if (++retry_cnt <= MAX_RETRIES) { -+ ret = 0; - goto retry; -- -- ret = -EIO; -+ } - } - xip_enable(map, chip, adr); - op_done: diff --git a/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch b/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch deleted file mode 100644 index 07991de..0000000 --- a/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch +++ /dev/null @@ -1,45 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Peter Mamonov <pmamonov@gmail.com> -Date: Wed, 18 Sep 2019 19:27:55 +0300 -Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function - -From: Peter Mamonov <pmamonov@gmail.com> - -[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ] - -According to the DP83865 datasheet "the 10 Mbps HDX loopback can be -disabled in the expanded memory register 0x1C0.1". The driver erroneously -used bit 0 instead of bit 1. - -Fixes: 4621bf129856 ("phy: Add file missed in previous commit.") -Signed-off-by: Peter Mamonov <pmamonov@gmail.com> -Reviewed-by: Andrew Lunn <andrew@lunn.ch> -Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/phy/national.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - ---- a/drivers/net/phy/national.c -+++ b/drivers/net/phy/national.c -@@ -110,14 +110,17 @@ static void ns_giga_speed_fallback(struc - - static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable) - { -+ u16 lb_dis = BIT(1); -+ - if (disable) -- ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1); -+ ns_exp_write(phydev, 0x1c0, -+ ns_exp_read(phydev, 0x1c0) | lb_dis); - else - ns_exp_write(phydev, 0x1c0, -- ns_exp_read(phydev, 0x1c0) & 0xfffe); -+ ns_exp_read(phydev, 0x1c0) & ~lb_dis); - - pr_debug("10BASE-T HDX loopback %s\n", -- (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on"); -+ (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on"); - } - - static int ns_config_init(struct phy_device *phydev) diff --git a/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/nfc-enforce-cap_net_raw-for-raw-sockets.patch deleted file mode 100644 index 589f5db..0000000 --- a/nfc-enforce-cap_net_raw-for-raw-sockets.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Ori Nimron <orinimron123@gmail.com> -Date: Fri, 20 Sep 2019 09:35:49 +0200 -Subject: nfc: enforce CAP_NET_RAW for raw sockets - -From: Ori Nimron <orinimron123@gmail.com> - -[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ] - -When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked -first. - -Signed-off-by: Ori Nimron <orinimron123@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/nfc/llcp_sock.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/net/nfc/llcp_sock.c -+++ b/net/nfc/llcp_sock.c -@@ -1005,10 +1005,13 @@ static int llcp_sock_create(struct net * - sock->type != SOCK_RAW) - return -ESOCKTNOSUPPORT; - -- if (sock->type == SOCK_RAW) -+ if (sock->type == SOCK_RAW) { -+ if (!capable(CAP_NET_RAW)) -+ return -EPERM; - sock->ops = &llcp_rawsock_ops; -- else -+ } else { - sock->ops = &llcp_sock_ops; -+ } - - sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC); - if (sk == NULL) diff --git a/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch b/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch deleted file mode 100644 index 6cb7bd2..0000000 --- a/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Li RongQing <lirongqing@baidu.com> -Date: Tue, 24 Sep 2019 19:11:52 +0800 -Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC - -From: Li RongQing <lirongqing@baidu.com> - -[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ] - -userspace openvswitch patch "(dpif-linux: Implement the API -functions to allow multiple handler threads read upcall)" -changes its type from U32 to UNSPEC, but leave the kernel -unchanged - -and after kernel 6e237d099fac "(netlink: Relax attr validation -for fixed length types)", this bug is exposed by the below -warning - - [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length. - -Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's") -Signed-off-by: Li RongQing <lirongqing@baidu.com> -Acked-by: Pravin B Shelar <pshelar@ovn.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/openvswitch/datapath.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/openvswitch/datapath.c -+++ b/net/openvswitch/datapath.c -@@ -1974,7 +1974,7 @@ static const struct nla_policy vport_pol - [OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) }, - [OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 }, - [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 }, -- [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 }, -+ [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC }, - [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED }, - }; - diff --git a/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch b/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch deleted file mode 100644 index b254a0d..0000000 --- a/printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 223d596ac27e6e6c9e4585891f54d9ac067dbec2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin <sashal@kernel.org> -Date: Thu, 11 Jul 2019 16:29:37 +0200 -Subject: printk: Do not lose last line in kmsg buffer dump - -From: Vincent Whitchurch <vincent.whitchurch@axis.com> - -[ Upstream commit b46eff55ad5bd98e746c0a7022fe7ee071de5fee ] - -kmsg_dump_get_buffer() is supposed to select all the youngest log -messages which fit into the provided buffer. It determines the correct -start index by using msg_print_text() with a NULL buffer to calculate -the size of each entry. However, when performing the actual writes, -msg_print_text() only writes the entry to the buffer if the written len -is lesser than the size of the buffer. So if the lengths of the -selected youngest log messages happen to precisely fill up the provided -buffer, the last log message is not included. - -We don't want to modify msg_print_text() to fill up the buffer and start -returning a length which is equal to the size of the buffer, since -callers of its other users, such as kmsg_dump_get_line(), depend upon -the current behaviour. - -Instead, fix kmsg_dump_get_buffer() to compensate for this. - -For example, with the following two final prints: - -[ 6.427502] AAAAAAAAAAAAA -[ 6.427769] BBBBBBBB12345 - -A dump of a 64-byte buffer filled by kmsg_dump_get_buffer(), before this -patch: - - 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 35 32 32 31 39 37 <0>[ 6.522197 - 00000010: 5d 20 41 41 41 41 41 41 41 41 41 41 41 41 41 0a ] AAAAAAAAAAAAA. - 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - -After this patch: - - 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 34 35 36 36 37 38 <0>[ 6.456678 - 00000010: 5d 20 42 42 42 42 42 42 42 42 31 32 33 34 35 0a ] BBBBBBBB12345. - 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - -Link: http://lkml.kernel.org/r/20190711142937.4083-1-vincent.whitchurch@axis.com -Fixes: e2ae715d66bf4bec ("kmsg - kmsg_dump() use iterator to receive log buffer content") -To: rostedt@goodmis.org -Cc: linux-kernel@vger.kernel.org -Cc: <stable@vger.kernel.org> # v3.5+ -Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> -Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> -Signed-off-by: Petr Mladek <pmladek@suse.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - kernel/printk/printk.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/kernel/printk/printk.c -+++ b/kernel/printk/printk.c -@@ -2971,7 +2971,7 @@ bool kmsg_dump_get_buffer(struct kmsg_du - seq = dumper->cur_seq; - idx = dumper->cur_idx; - prev = 0; -- while (l > size && seq < dumper->next_seq) { -+ while (l >= size && seq < dumper->next_seq) { - struct printk_log *msg = log_from_idx(idx); - - l -= msg_print_text(msg, prev, true, NULL, 0); diff --git a/quota-fix-wrong-condition-in-is_quota_modification.patch b/quota-fix-wrong-condition-in-is_quota_modification.patch deleted file mode 100644 index 0ecb735..0000000 --- a/quota-fix-wrong-condition-in-is_quota_modification.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 6565c182094f69e4ffdece337d395eb7ec760efc Mon Sep 17 00:00:00 2001 -From: Chao Yu <chao@kernel.org> -Date: Wed, 11 Sep 2019 17:36:50 +0800 -Subject: quota: fix wrong condition in is_quota_modification() - -From: Chao Yu <yuchao0@huawei.com> - -commit 6565c182094f69e4ffdece337d395eb7ec760efc upstream. - -Quoted from -commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") - -" At LSF we decided that if we truncate up from isize we shouldn't trim - fallocated blocks that were fallocated with KEEP_SIZE and are past the - new i_size. This patch fixes ext4 to do this. " - -And generic/092 of fstest have covered this case for long time, however -is_quota_modification() didn't adjust based on that rule, so that in -below condition, we will lose to quota block change: -- fallocate blocks beyond EOF -- remount -- truncate(file_path, file_size) - -Fix it. - -Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com -Fixes: 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") -CC: stable@vger.kernel.org -Signed-off-by: Chao Yu <yuchao0@huawei.com> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - include/linux/quotaops.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/include/linux/quotaops.h -+++ b/include/linux/quotaops.h -@@ -21,7 +21,7 @@ static inline struct quota_info *sb_dqop - /* i_mutex must being held */ - static inline bool is_quota_modification(struct inode *inode, struct iattr *ia) - { -- return (ia->ia_valid & ATTR_SIZE && ia->ia_size != inode->i_size) || -+ return (ia->ia_valid & ATTR_SIZE) || - (ia->ia_valid & ATTR_UID && !uid_eq(ia->ia_uid, inode->i_uid)) || - (ia->ia_valid & ATTR_GID && !gid_eq(ia->ia_gid, inode->i_gid)); - } diff --git a/sch_netem-fix-a-divide-by-zero-in-tabledist.patch b/sch_netem-fix-a-divide-by-zero-in-tabledist.patch deleted file mode 100644 index 518077f..0000000 --- a/sch_netem-fix-a-divide-by-zero-in-tabledist.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 18 Sep 2019 08:05:39 -0700 -Subject: sch_netem: fix a divide by zero in tabledist() - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ] - -syzbot managed to crash the kernel in tabledist() loading -an empty distribution table. - - t = dist->table[rnd % dist->size]; - -Simply return an error when such load is attempted. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/sched/sch_netem.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/sched/sch_netem.c -+++ b/net/sched/sch_netem.c -@@ -725,7 +725,7 @@ static int get_dist_table(struct Qdisc * - int i; - size_t s; - -- if (n > NETEM_DIST_MAX) -+ if (!n || n > NETEM_DIST_MAX) - return -EINVAL; - - s = sizeof(struct disttable) + n * sizeof(s16); @@ -1,32 +0,0 @@ -hid-prodikeys-fix-general-protection-fault-during-probe.patch -hid-lg-make-transfer-buffers-dma-capable.patch -hid-hidraw-fix-invalid-read-in-hidraw_ioctl.patch -mtd-cfi_cmdset_0002-use-chip_good-to-retry-in-do_write_oneword.patch -asoc-fsl-fix-of-node-refcount-unbalance-in-fsl_ssi_probe_from_dt.patch -cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch -net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch -openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch -sch_netem-fix-a-divide-by-zero-in-tabledist.patch -skge-fix-checksum-byte-order.patch -usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch -usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch -misdn-enforce-cap_net_raw-for-raw-sockets.patch -appletalk-enforce-cap_net_raw-for-raw-sockets.patch -ax25-enforce-cap_net_raw-for-raw-sockets.patch -nfc-enforce-cap_net_raw-for-raw-sockets.patch -ieee802154-enforce-cap_net_raw-for-raw-sockets.patch -printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch -fuse-fix-missing-unlock_page-in-fuse_writepage.patch -kvm-x86-always-stop-emulation-on-page-fault.patch -kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch -kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch -arm-zynq-use-memcpy_toio-instead-of-memcpy-on-smp-bring-up.patch -alarmtimer-use-eopnotsupp-instead-of-enotsupp.patch -btrfs-fix-use-after-free-when-using-the-tree-modification-log.patch -btrfs-relinquish-cpus-in-btrfs_compare_trees.patch -cfg80211-purge-frame-registrations-on-iftype-change.patch -dev-mem-bail-out-upon-sigkill.patch -quota-fix-wrong-condition-in-is_quota_modification.patch -hwrng-core-don-t-wait-on-add_early_randomness.patch -i2c-riic-clear-nack-in-tend-isr.patch -cifs-fix-oplock-handling-for-smb-2.1-protocols.patch diff --git a/skge-fix-checksum-byte-order.patch b/skge-fix-checksum-byte-order.patch deleted file mode 100644 index d8c2800..0000000 --- a/skge-fix-checksum-byte-order.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Stephen Hemminger <stephen@networkplumber.org> -Date: Fri, 20 Sep 2019 18:18:26 +0200 -Subject: skge: fix checksum byte order - -From: Stephen Hemminger <stephen@networkplumber.org> - -[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ] - -Running old skge driver on PowerPC causes checksum errors -because hardware reported 1's complement checksum is in little-endian -byte order. - -Reported-by: Benoit <benoit.sansoni@gmail.com> -Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/ethernet/marvell/skge.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/marvell/skge.c -+++ b/drivers/net/ethernet/marvell/skge.c -@@ -3114,7 +3114,7 @@ static struct sk_buff *skge_rx_get(struc - skb_put(skb, len); - - if (dev->features & NETIF_F_RXCSUM) { -- skb->csum = csum; -+ skb->csum = le16_to_cpu(csum); - skb->ip_summed = CHECKSUM_COMPLETE; - } - diff --git a/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch b/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch deleted file mode 100644 index cfe9b3d..0000000 --- a/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch +++ /dev/null @@ -1,39 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Bjørn Mork <bjorn@mork.no> -Date: Wed, 18 Sep 2019 14:17:38 +0200 -Subject: usbnet: ignore endpoints with invalid wMaxPacketSize - -From: Bjørn Mork <bjorn@mork.no> - -[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ] - -Endpoints with zero wMaxPacketSize are not usable for transferring -data. Ignore such endpoints when looking for valid in, out and -status pipes, to make the drivers more robust against invalid and -meaningless descriptors. - -The wMaxPacketSize of these endpoints are used for memory allocations -and as divisors in many usbnet minidrivers. Avoiding zero is therefore -critical. - -Signed-off-by: Bjørn Mork <bjorn@mork.no> -Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/usb/usbnet.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -114,6 +114,11 @@ int usbnet_get_endpoints(struct usbnet * - int intr = 0; - - e = alt->endpoint + ep; -+ -+ /* ignore endpoints which cannot transfer data */ -+ if (!usb_endpoint_maxp(&e->desc)) -+ continue; -+ - switch (e->desc.bmAttributes) { - case USB_ENDPOINT_XFER_INT: - if (!usb_endpoint_dir_in(&e->desc)) diff --git a/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch b/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch deleted file mode 100644 index 3a5a1ef..0000000 --- a/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Tue 01 Oct 2019 04:24:08 PM CEST -From: Oliver Neukum <oneukum@suse.com> -Date: Thu, 19 Sep 2019 10:23:08 +0200 -Subject: usbnet: sanity checking of packet sizes and device mtu - -From: Oliver Neukum <oneukum@suse.com> - -[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ] - -After a reset packet sizes and device mtu can change and need -to be reevaluated to calculate queue sizes. -Malicious devices can set this to zero and we divide by it. -Introduce sanity checking. - -Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com -Signed-off-by: Oliver Neukum <oneukum@suse.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/usb/usbnet.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -352,6 +352,8 @@ void usbnet_update_max_qlen(struct usbne - { - enum usb_device_speed speed = dev->udev->speed; - -+ if (!dev->rx_urb_size || !dev->hard_mtu) -+ goto insanity; - switch (speed) { - case USB_SPEED_HIGH: - dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size; -@@ -367,6 +369,7 @@ void usbnet_update_max_qlen(struct usbne - dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu; - break; - default: -+insanity: - dev->rx_qlen = dev->tx_qlen = 4; - } - } |