author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-12 19:53:20 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-12 19:53:20 +0100 |
commit | 7430f75d8a0afa7312ca478c3943184dc091bde4 (patch) | |
tree | 7ee89ce06d93fa9b665dd822092de34d472da4a5 | |
parent | 1f1abb67cbfa621d281471fabce6f310879fb4fb (diff) | |
download | queue-3.18-7430f75d8a0afa7312ca478c3943184dc091bde4.tar.gz |
remove applied patches and added a new one
17 files changed, 97 insertions, 1043 deletions
diff --git a/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch b/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
deleted file mode 100644
index 131ab0d..0000000
--- a/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From d60229d84846a8399257006af9c5444599f64361 Mon Sep 17 00:00:00 2001
-From: Colin Ian King <colin.king@canonical.com>
-Date: Fri, 22 Nov 2019 13:13:54 +0000
-Subject: ALSA: cs4236: fix error return comparison of an unsigned integer
-
-From: Colin Ian King <colin.king@canonical.com>
-
-commit d60229d84846a8399257006af9c5444599f64361 upstream.
-
-The return from pnp_irq is an unsigned integer type resource_size_t
-and hence the error check for a positive non-error code is always
-going to be true. A check for a non-failure return from pnp_irq
-should in fact be for (resource_size_t)-1 rather than >= 0.
-
-Addresses-Coverity: ("Unsigned compared against 0")
-Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/isa/cs423x/cs4236.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/sound/isa/cs423x/cs4236.c
-+++ b/sound/isa/cs423x/cs4236.c
-@@ -293,7 +293,8 @@ static int snd_cs423x_pnp_init_mpu(int d
- } else {
- mpu_port[dev] = pnp_port_start(pdev, 0);
- if (mpu_irq[dev] >= 0 &&
-- pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
-+ pnp_irq_valid(pdev, 0) &&
-+ pnp_irq(pdev, 0) != (resource_size_t)-1) {
- mpu_irq[dev] = pnp_irq(pdev, 0);
- } else {
- mpu_irq[dev] = -1; /* disable interrupt */
diff --git a/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch b/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
deleted file mode 100644
index 68158e5..0000000
--- a/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd Mon Sep 17 00:00:00 2001 -From: Takashi Iwai <tiwai@suse.de> -Date: Wed, 18 Dec 2019 20:26:06 +0100 -Subject: ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code - -From: Takashi Iwai <tiwai@suse.de> - -commit 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd upstream. - -Jia-Ju Bai reported a possible sleep-in-atomic scenario in the ice1724 -driver with Infrasonic Quartet support code: namely, ice->set_rate -callback gets called inside ice->reg_lock spinlock, while the callback -in quartet.c holds ice->gpio_mutex. - -This patch fixes the invalid call: it simply moves the calls of -ice->set_rate and ice->set_mclk callbacks outside the spinlock. - -Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com> -Cc: <stable@vger.kernel.org> -Link: https://lore.kernel.org/r/5d43135e-73b9-a46a-2155-9e91d0dcdf83@gmail.com -Link: https://lore.kernel.org/r/20191218192606.12866-1-tiwai@suse.de -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/pci/ice1712/ice1724.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - ---- a/sound/pci/ice1712/ice1724.c -+++ b/sound/pci/ice1712/ice1724.c -@@ -663,6 +663,7 @@ static int snd_vt1724_set_pro_rate(struc - unsigned long flags; - unsigned char mclk_change; - unsigned int i, old_rate; -+ bool call_set_rate = false; - - if (rate > ice->hw_rates->list[ice->hw_rates->count - 1]) - return -EINVAL; -@@ -686,7 +687,7 @@ static int snd_vt1724_set_pro_rate(struc - * setting clock rate for internal clock mode */ - old_rate = ice->get_rate(ice); - if (force || (old_rate != rate)) -- ice->set_rate(ice, rate); -+ call_set_rate = true; - else if (rate == ice->cur_rate) { - spin_unlock_irqrestore(&ice->reg_lock, flags); - return 0; -@@ -694,12 +695,14 @@ static int snd_vt1724_set_pro_rate(struc - } - - ice->cur_rate = rate; -+ spin_unlock_irqrestore(&ice->reg_lock, flags); -+ -+ if (call_set_rate) -+ 
ice->set_rate(ice, rate); - - /* setting master clock */ - mclk_change = ice->set_mclk(ice, rate); - -- spin_unlock_irqrestore(&ice->reg_lock, flags); -- - if (mclk_change && ice->gpio.i2s_mclk_changed) - ice->gpio.i2s_mclk_changed(ice); - if (ice->gpio.set_pro_rate) diff --git a/ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch b/ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch deleted file mode 100644 index 1c70992..0000000 --- a/ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 84b032dbfdf1c139cd2b864e43959510646975f8 Mon Sep 17 00:00:00 2001 -From: Florian Fainelli <f.fainelli@gmail.com> -Date: Tue, 10 Dec 2019 10:53:44 -0800 -Subject: ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() - -From: Florian Fainelli <f.fainelli@gmail.com> - -commit 84b032dbfdf1c139cd2b864e43959510646975f8 upstream. - -This reverts commit 6bb86fefa086faba7b60bb452300b76a47cde1a5 -("libahci_platform: Staticize ahci_platform_<en/dis>able_phys()") we are -going to need ahci_platform_{enable,disable}_phys() in a subsequent -commit for ahci_brcm.c in order to properly control the PHY -initialization order. - -Also make sure the function prototypes are declared in -include/linux/ahci_platform.h as a result. - -Cc: stable@vger.kernel.org -Reviewed-by: Hans de Goede <hdegoede@redhat.com> -Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> -Signed-off-by: Jens Axboe <axboe@kernel.dk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/ata/libahci_platform.c | 6 ++++-- - include/linux/ahci_platform.h | 2 ++ - 2 files changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/ata/libahci_platform.c -+++ b/drivers/ata/libahci_platform.c -@@ -49,7 +49,7 @@ static struct scsi_host_template ahci_pl - * RETURNS: - * 0 on success otherwise a negative error code - */ --static int ahci_platform_enable_phys(struct ahci_host_priv *hpriv) -+int ahci_platform_enable_phys(struct ahci_host_priv *hpriv) - { - int rc, i; - -@@ -77,6 +77,7 @@ disable_phys: - } - return rc; - } -+EXPORT_SYMBOL_GPL(ahci_platform_enable_phys); - - /** - * ahci_platform_disable_phys - Disable PHYs -@@ -84,7 +85,7 @@ disable_phys: - * - * This function disables all PHYs found in hpriv->phys. 
- */ --static void ahci_platform_disable_phys(struct ahci_host_priv *hpriv) -+void ahci_platform_disable_phys(struct ahci_host_priv *hpriv) - { - int i; - -@@ -96,6 +97,7 @@ static void ahci_platform_disable_phys(s - phy_exit(hpriv->phys[i]); - } - } -+EXPORT_SYMBOL_GPL(ahci_platform_disable_phys); - - /** - * ahci_platform_enable_clks - Enable platform clocks ---- a/include/linux/ahci_platform.h -+++ b/include/linux/ahci_platform.h -@@ -22,6 +22,8 @@ struct ata_port_info; - struct ahci_host_priv; - struct platform_device; - -+int ahci_platform_enable_phys(struct ahci_host_priv *hpriv); -+void ahci_platform_disable_phys(struct ahci_host_priv *hpriv); - int ahci_platform_enable_clks(struct ahci_host_priv *hpriv); - void ahci_platform_disable_clks(struct ahci_host_priv *hpriv); - int ahci_platform_enable_resources(struct ahci_host_priv *hpriv); diff --git a/bluetooth-delete-a-stray-unlock.patch b/bluetooth-delete-a-stray-unlock.patch deleted file mode 100644 index 132ce70..0000000 --- a/bluetooth-delete-a-stray-unlock.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From df66499a1fab340c167250a5743931dc50d5f0fa Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Tue, 19 Nov 2019 09:17:05 +0300
-Subject: Bluetooth: delete a stray unlock
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.
-
-We used to take a lock in amp_physical_cfm() but then we moved it to
-the caller function. Unfortunately the unlock on this error path was
-overlooked so it leads to a double unlock.
-
-Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/bluetooth/l2cap_core.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/net/bluetooth/l2cap_core.c
-+++ b/net/bluetooth/l2cap_core.c
-@@ -4878,10 +4878,8 @@ void __l2cap_physical_cfm(struct l2cap_c
- BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
- chan, result, local_amp_id, remote_amp_id);
-
-- if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
-- l2cap_chan_unlock(chan);
-+ if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
- return;
-- }
-
- if (chan->state != BT_CONNECTED) {
- l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
diff --git a/chardev-avoid-potential-use-after-free-in-chrdev_open.patch b/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
new file mode 100644
index 0000000..056f1f7
--- /dev/null
+++ b/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
@@ -0,0 +1,96 @@ +From 68faa679b8be1a74e6663c21c3a9d25d32f1c079 Mon Sep 17 00:00:00 2001 +From: Will Deacon <will@kernel.org> +Date: Thu, 19 Dec 2019 12:02:03 +0000 +Subject: chardev: Avoid potential use-after-free in 'chrdev_open()' + +From: Will Deacon <will@kernel.org> + +commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream. + +'chrdev_open()' calls 'cdev_get()' to obtain a reference to the +'struct cdev *' stashed in the 'i_cdev' field of the target inode +structure. If the pointer is NULL, then it is initialised lazily by +looking up the kobject in the 'cdev_map' and so the whole procedure is +protected by the 'cdev_lock' spinlock to serialise initialisation of +the shared pointer. + +Unfortunately, it is possible for the initialising thread to fail *after* +installing the new pointer, for example if the subsequent '->open()' call +on the file fails. In this case, 'cdev_put()' is called, the reference +count on the kobject is dropped and, if nobody else has taken a reference, +the release function is called which finally clears 'inode->i_cdev' from +'cdev_purge()' before potentially freeing the object. The problem here +is that a racing thread can happily take the 'cdev_lock' and see the +non-NULL pointer in the inode, which can result in a refcount increment +from zero and a warning: + + | ------------[ cut here ]------------ + | refcount_t: addition on 0; use-after-free. 
+ | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0 + | Modules linked in: + | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22 + | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 + | RIP: 0010:refcount_warn_saturate+0x6d/0xf0 + | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08 + | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282 + | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000 + | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798 + | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039 + | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700 + | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700 + | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000 + | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0 + | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + | Call Trace: + | kobject_get+0x5c/0x60 + | cdev_get+0x2b/0x60 + | chrdev_open+0x55/0x220 + | ? cdev_put.part.3+0x20/0x20 + | do_dentry_open+0x13a/0x390 + | path_openat+0x2c8/0x1470 + | do_filp_open+0x93/0x100 + | ? 
selinux_file_ioctl+0x17f/0x220 + | do_sys_open+0x186/0x220 + | do_syscall_64+0x48/0x150 + | entry_SYSCALL_64_after_hwframe+0x44/0xa9 + | RIP: 0033:0x7f3b87efcd0e + | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4 + | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 + | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e + | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c + | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000 + | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e + | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000 + | ---[ end trace 24f53ca58db8180a ]--- + +Since 'cdev_get()' can already fail to obtain a reference, simply move +it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()', +which will cause the racing thread to return -ENXIO if the initialising +thread fails unexpectedly. + +Cc: Hillf Danton <hdanton@sina.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com +Signed-off-by: Will Deacon <will@kernel.org> +Cc: stable <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/char_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -354,7 +354,7 @@ static struct kobject *cdev_get(struct c + + if (owner && !try_module_get(owner)) + return NULL; +- kobj = kobject_get(&p->kobj); ++ kobj = kobject_get_unless_zero(&p->kobj); + if (!kobj) + module_put(owner); + return kobj; diff --git a/gpiolib-fix-up-emulated-open-drain-outputs.patch b/gpiolib-fix-up-emulated-open-drain-outputs.patch deleted file mode 100644 index a67b9a3..0000000 --- a/gpiolib-fix-up-emulated-open-drain-outputs.patch +++ /dev/null 
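Review bot: The added `kobj = kobject_get_unless_zero(&p->kobj);` in cdev_get() only builds if that helper is declared for fs/char_dev.c on the 3.18 base this queue targets, and nothing on this page shows that it is. If the helper is still private to lib/kobject.c in that tree, the change that makes it visible through `<linux/kobject.h>` has to be queued ahead of this patch in the series file, which after this commit lists only the chardev patch. The fix itself reads correctly from the visible lines: a zero refcount now yields NULL, `module_put(owner)` drops the module reference, and per the commit message the racing opener gets -ENXIO instead of touching a cdev that is being released. cdev_get() starts and ends outside the inner hunk, so the caller's handling of the NULL return is not visible here.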
@@ -1,44 +0,0 @@
-From 256efaea1fdc4e38970489197409a26125ee0aaa Mon Sep 17 00:00:00 2001
-From: Russell King <rmk+kernel@armlinux.org.uk>
-Date: Sat, 7 Dec 2019 16:20:18 +0000
-Subject: gpiolib: fix up emulated open drain outputs
-
-From: Russell King <rmk+kernel@armlinux.org.uk>
-
-commit 256efaea1fdc4e38970489197409a26125ee0aaa upstream.
-
-gpiolib has a corner case with open drain outputs that are emulated.
-When such outputs are outputting a logic 1, emulation will set the
-hardware to input mode, which will cause gpiod_get_direction() to
-report that it is in input mode. This is different from the behaviour
-with a true open-drain output.
-
-Unify the semantics here.
-
-Cc: <stable@vger.kernel.org>
-Suggested-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpio/gpiolib.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/gpio/gpiolib.c
-+++ b/drivers/gpio/gpiolib.c
-@@ -147,6 +147,14 @@ int gpiod_get_direction(const struct gpi
- chip = gpiod_to_chip(desc);
- offset = gpio_chip_hwgpio(desc);
-
-+ /*
-+ * Open drain emulation using input mode may incorrectly report
-+ * input here, fix that up.
-+ */
-+ if (test_bit(FLAG_OPEN_DRAIN, &desc->flags) &&
-+ test_bit(FLAG_IS_OUT, &desc->flags))
-+ return 0;
-+
- if (!chip->get_direction)
- return status;
-
diff --git a/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
deleted file mode 100644
index 00285b9..0000000
--- a/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From foo@baz Sat 11 Jan 2020 09:44:46 AM CET -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 6 Jan 2020 12:30:48 -0800 -Subject: macvlan: do not assume mac_header is set in macvlan_broadcast() - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ] - -Use of eth_hdr() in tx path is error prone. - -Many drivers call skb_reset_mac_header() before using it, -but others do not. - -Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") -attempted to fix this generically, but commit d346a3fae3ff -("packet: introduce PACKET_QDISC_BYPASS socket option") brought -back the macvlan bug. - -Lets add a new helper, so that tx paths no longer have -to call skb_reset_mac_header() only to get a pointer -to skb->data. - -Hopefully we will be able to revert 6d1ccff62780 -("net: reset mac header in dev_start_xmit()") and save few cycles -in transmit fast path. - -BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] -BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] -BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 -Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 - -CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x197/0x210 lib/dump_stack.c:118 - print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 - __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 - kasan_report+0x12/0x20 mm/kasan/common.c:639 - __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 - __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] - mc_hash drivers/net/macvlan.c:251 [inline] - macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 - macvlan_queue_xmit 
drivers/net/macvlan.c:520 [inline] - macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 - __netdev_start_xmit include/linux/netdevice.h:4447 [inline] - netdev_start_xmit include/linux/netdevice.h:4461 [inline] - dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 - packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 - packet_snd net/packet/af_packet.c:2966 [inline] - packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 - sock_sendmsg_nosec net/socket.c:639 [inline] - sock_sendmsg+0xd7/0x130 net/socket.c:659 - __sys_sendto+0x262/0x380 net/socket.c:1985 - __do_sys_sendto net/socket.c:1997 [inline] - __se_sys_sendto net/socket.c:1993 [inline] - __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x442639 -Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 -RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 -RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 -R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 - -Allocated by task 9389: - save_stack+0x23/0x90 mm/kasan/common.c:72 - set_track mm/kasan/common.c:80 [inline] - __kasan_kmalloc mm/kasan/common.c:513 [inline] - __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 - kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 - __do_kmalloc mm/slab.c:3656 [inline] - __kmalloc+0x163/0x770 mm/slab.c:3665 - kmalloc include/linux/slab.h:561 [inline] - tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 - tomoyo_get_realpath security/tomoyo/file.c:151 [inline] - tomoyo_path_perm+0x230/0x430 
security/tomoyo/file.c:822 - tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 - security_inode_getattr+0xf2/0x150 security/security.c:1222 - vfs_getattr+0x25/0x70 fs/stat.c:115 - vfs_statx_fd+0x71/0xc0 fs/stat.c:145 - vfs_fstat include/linux/fs.h:3265 [inline] - __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 - __se_sys_newfstat fs/stat.c:375 [inline] - __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 9389: - save_stack+0x23/0x90 mm/kasan/common.c:72 - set_track mm/kasan/common.c:80 [inline] - kasan_set_free_info mm/kasan/common.c:335 [inline] - __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 - kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 - __cache_free mm/slab.c:3426 [inline] - kfree+0x10a/0x2c0 mm/slab.c:3757 - tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 - tomoyo_get_realpath security/tomoyo/file.c:151 [inline] - tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 - tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 - security_inode_getattr+0xf2/0x150 security/security.c:1222 - vfs_getattr+0x25/0x70 fs/stat.c:115 - vfs_statx_fd+0x71/0xc0 fs/stat.c:145 - vfs_fstat include/linux/fs.h:3265 [inline] - __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 - __se_sys_newfstat fs/stat.c:375 [inline] - __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -The buggy address belongs to the object at ffff8880a4932000 - which belongs to the cache kmalloc-4k of size 4096 -The buggy address is located 1025 bytes inside of - 4096-byte region [ffff8880a4932000, ffff8880a4933000) -The buggy address belongs to the page: -page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 -raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 -raw: 0000000000000000 ffff8880a4932000 0000000100000001 
0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ->ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - -Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/macvlan.c | 2 +- - include/linux/if_ether.h | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - ---- a/drivers/net/macvlan.c -+++ b/drivers/net/macvlan.c -@@ -233,7 +233,7 @@ static void macvlan_broadcast(struct sk_ - struct net_device *src, - enum macvlan_mode mode) - { -- const struct ethhdr *eth = eth_hdr(skb); -+ const struct ethhdr *eth = skb_eth_hdr(skb); - const struct macvlan_dev *vlan; - struct sk_buff *nskb; - unsigned int i; ---- a/include/linux/if_ether.h -+++ b/include/linux/if_ether.h -@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con - return (struct ethhdr *)skb_mac_header(skb); - } - -+/* Prefer this version in TX path, instead of -+ * skb_reset_mac_header() + eth_hdr() -+ */ -+static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb) -+{ -+ return (struct ethhdr *)skb->data; -+} -+ - int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); - - extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len); diff --git a/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch b/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch deleted file mode 100644 index 8b1f00a..0000000 --- a/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Chen-Yu Tsai <wens@csie.org>
-Date: Mon, 6 Jan 2020 11:09:22 +0800
-Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes
-
-From: Chen-Yu Tsai <wens@csie.org>
-
-[ Upstream commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a ]
-
-Allow all the RGMII modes to be used. This would allow us to represent
-the hardware better in the device tree with RGMII_ID where in most
-cases the PHY's internal delay for both RX and TX are used.
-
-Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's")
-Signed-off-by: Chen-Yu Tsai <wens@csie.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
-+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
-@@ -78,7 +78,7 @@ static int sun7i_gmac_init(struct platfo
- * rate, which then uses the auto-reparenting feature of the
- * clock driver, and enabling/disabling the clock.
- */
-- if (gmac->interface == PHY_INTERFACE_MODE_RGMII) {
-+ if (phy_interface_mode_is_rgmii(gmac->interface)) {
- clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE);
- clk_prepare_enable(gmac->tx_clk);
- gmac->clk_enabled = 1;
diff --git a/regulator-ab8500-remove-ab8505-usb-regulator.patch b/regulator-ab8500-remove-ab8505-usb-regulator.patch
deleted file mode 100644
index 18450dd..0000000
--- a/regulator-ab8500-remove-ab8505-usb-regulator.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c Mon Sep 17 00:00:00 2001 -From: Stephan Gerhold <stephan@gerhold.net> -Date: Wed, 6 Nov 2019 18:31:24 +0100 -Subject: regulator: ab8500: Remove AB8505 USB regulator - -From: Stephan Gerhold <stephan@gerhold.net> - -commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream. - -The USB regulator was removed for AB8500 in -commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator"). -It was then added for AB8505 in -commit 547f384f33db ("regulator: ab8500: add support for ab8505"). - -However, there was never an entry added for it in -ab8505_regulator_match. This causes all regulators after it -to be initialized with the wrong device tree data, eventually -leading to an out-of-bounds array read. - -Given that it is not used anywhere in the kernel, it seems -likely that similar arguments against supporting it exist for -AB8505 (it is controlled by hardware). - -Therefore, simply remove it like for AB8500 instead of adding -an entry in ab8505_regulator_match. 
- -Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505") -Cc: Linus Walleij <linus.walleij@linaro.org> -Signed-off-by: Stephan Gerhold <stephan@gerhold.net> -Reviewed-by: Linus Walleij <linus.walleij@linaro.org> -Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net -Signed-off-by: Mark Brown <broonie@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/regulator/ab8500.c | 17 ----------------- - include/linux/regulator/ab8500.h | 1 - - 2 files changed, 18 deletions(-) - ---- a/drivers/regulator/ab8500.c -+++ b/drivers/regulator/ab8500.c -@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info - .update_val_idle = 0x82, - .update_val_normal = 0x02, - }, -- [AB8505_LDO_USB] = { -- .desc = { -- .name = "LDO-USB", -- .ops = &ab8500_regulator_mode_ops, -- .type = REGULATOR_VOLTAGE, -- .id = AB8505_LDO_USB, -- .owner = THIS_MODULE, -- .n_voltages = 1, -- .volt_table = fixed_3300000_voltage, -- }, -- .update_bank = 0x03, -- .update_reg = 0x82, -- .update_mask = 0x03, -- .update_val = 0x01, -- .update_val_idle = 0x03, -- .update_val_normal = 0x01, -- }, - [AB8505_LDO_AUDIO] = { - .desc = { - .name = "LDO-AUDIO", ---- a/include/linux/regulator/ab8500.h -+++ b/include/linux/regulator/ab8500.h -@@ -38,7 +38,6 @@ enum ab8505_regulator_id { - AB8505_LDO_AUX6, - AB8505_LDO_INTCORE, - AB8505_LDO_ADC, -- AB8505_LDO_USB, - AB8505_LDO_AUDIO, - AB8505_LDO_ANAMIC1, - AB8505_LDO_ANAMIC2, diff --git a/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch b/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch deleted file mode 100644 index 403bb2a..0000000 --- a/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From foo@baz Sat 11 Jan 2020 09:52:53 AM CET -From: Xin Long <lucien.xin@gmail.com> -Date: Sat, 4 Jan 2020 14:15:02 +0800 -Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY - -From: Xin Long <lucien.xin@gmail.com> - -[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ] - -This patch is to fix a memleak caused by no place to free cmd->obj.chunk -for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to -process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq -with an allocated chunk in cmd->obj.chunk. - -So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on -the cmd seq when any cmd returns error. While at it, also remove 'nomem' -label. - -Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Xin Long <lucien.xin@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++---------- - 1 file changed, 18 insertions(+), 10 deletions(-) - ---- a/net/sctp/sm_sideeffect.c -+++ b/net/sctp/sm_sideeffect.c -@@ -1329,8 +1329,10 @@ static int sctp_cmd_interpreter(sctp_eve - /* Generate an INIT ACK chunk. */ - new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC, - 0); -- if (!new_obj) -- goto nomem; -+ if (!new_obj) { -+ error = -ENOMEM; -+ break; -+ } - - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, - SCTP_CHUNK(new_obj)); -@@ -1352,7 +1354,8 @@ static int sctp_cmd_interpreter(sctp_eve - if (!new_obj) { - if (cmd->obj.chunk) - sctp_chunk_free(cmd->obj.chunk); -- goto nomem; -+ error = -ENOMEM; -+ break; - } - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, - SCTP_CHUNK(new_obj)); -@@ -1399,8 +1402,10 @@ static int sctp_cmd_interpreter(sctp_eve - - /* Generate a SHUTDOWN chunk. 
*/ - new_obj = sctp_make_shutdown(asoc, chunk); -- if (!new_obj) -- goto nomem; -+ if (!new_obj) { -+ error = -ENOMEM; -+ break; -+ } - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, - SCTP_CHUNK(new_obj)); - break; -@@ -1729,11 +1734,17 @@ static int sctp_cmd_interpreter(sctp_eve - break; - } - -- if (error) -+ if (error) { -+ cmd = sctp_next_cmd(commands); -+ while (cmd) { -+ if (cmd->verb == SCTP_CMD_REPLY) -+ sctp_chunk_free(cmd->obj.chunk); -+ cmd = sctp_next_cmd(commands); -+ } - break; -+ } - } - --out: - /* If this is in response to a received chunk, wait until - * we are done with the packet to open the queue so that we don't - * send multiple packets in response to a single request. -@@ -1744,8 +1755,5 @@ out: - } else if (local_cork) - error = sctp_outq_uncork(&asoc->outqueue); - return error; --nomem: -- error = -ENOMEM; -- goto out; - } - @@ -1,15 +1 @@ -alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch -taskstats-fix-data-race.patch -ata-libahci_platform-export-again-ahci_platform_-en-dis-able_phys.patch -gpiolib-fix-up-emulated-open-drain-outputs.patch -alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch -bluetooth-delete-a-stray-unlock.patch -regulator-ab8500-remove-ab8505-usb-regulator.patch -tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch -net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch -sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch -tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch -vlan-vlan_changelink-should-propagate-errors.patch -vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch -vxlan-fix-tos-value-before-xmit.patch -macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch +chardev-avoid-potential-use-after-free-in-chrdev_open.patch diff --git a/taskstats-fix-data-race.patch b/taskstats-fix-data-race.patch deleted file mode 100644 index 03beef9..0000000 --- a/taskstats-fix-data-race.patch +++ /dev/null 
@@ -1,101 +0,0 @@
-From 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Wed, 9 Oct 2019 13:48:09 +0200
-Subject: taskstats: fix data-race
-
-From: Christian Brauner <christian.brauner@ubuntu.com>
-
-commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 upstream.
-
-When assiging and testing taskstats in taskstats_exit() there's a race
-when setting up and reading sig->stats when a thread-group with more
-than one thread exits:
-
-write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
- taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
- taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
- do_exit+0x2c2/0x18e0 kernel/exit.c:864
- do_group_exit+0xb4/0x1c0 kernel/exit.c:983
- get_signal+0x2a2/0x1320 kernel/signal.c:2734
- do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
- exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
- prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
- syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
- do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
- taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
- taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
- do_exit+0x2c2/0x18e0 kernel/exit.c:864
- do_group_exit+0xb4/0x1c0 kernel/exit.c:983
- __do_sys_exit_group kernel/exit.c:994 [inline]
- __se_sys_exit_group kernel/exit.c:992 [inline]
- __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
- do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fix this by using smp_load_acquire() and smp_store_release().
-
-Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
-Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
-Cc: stable@vger.kernel.org
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-Acked-by: Marco Elver <elver@google.com>
-Reviewed-by: Will Deacon <will@kernel.org>
-Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
-Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
-Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- kernel/taskstats.c | 30 +++++++++++++++++++-----------
- 1 file changed, 19 insertions(+), 11 deletions(-)
-
---- a/kernel/taskstats.c
-+++ b/kernel/taskstats.c
-@@ -591,25 +591,33 @@ static int taskstats_user_cmd(struct sk_
- static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
- {
- struct signal_struct *sig = tsk->signal;
-- struct taskstats *stats;
-+ struct taskstats *stats_new, *stats;
-
-- if (sig->stats || thread_group_empty(tsk))
-- goto ret;
-+ /* Pairs with smp_store_release() below. */
-+ stats = smp_load_acquire(&sig->stats);
-+ if (stats || thread_group_empty(tsk))
-+ return stats;
-
- /* No problem if kmem_cache_zalloc() fails */
-- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
-+ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
-
- spin_lock_irq(&tsk->sighand->siglock);
-- if (!sig->stats) {
-- sig->stats = stats;
-- stats = NULL;
-+ stats = sig->stats;
-+ if (!stats) {
-+ /*
-+ * Pairs with smp_store_release() above and order the
-+ * kmem_cache_zalloc().
-+ */
-+ smp_store_release(&sig->stats, stats_new);
-+ stats = stats_new;
-+ stats_new = NULL;
- }
- spin_unlock_irq(&tsk->sighand->siglock);
-
-- if (stats)
-- kmem_cache_free(taskstats_cache, stats);
--ret:
-- return sig->stats;
-+ if (stats_new)
-+ kmem_cache_free(taskstats_cache, stats_new);
-+
-+ return stats;
- }
-
- /* Send pid data out on exit */
diff --git a/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch b/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
deleted file mode 100644
index 8542639..0000000
--- a/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Pengcheng Yang <yangpc@wangsu.com>
-Date: Mon, 30 Dec 2019 17:54:41 +0800
-Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
-
-From: Pengcheng Yang <yangpc@wangsu.com>
-
-[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ]
-
-When we receive a D-SACK, where the sequence number satisfies:
- undo_marker <= start_seq < end_seq <= prior_snd_una
-we consider this is a valid D-SACK and tcp_is_sackblock_valid()
-returns true, then this D-SACK is discarded as "old stuff",
-but the variable first_sack_index is not marked as negative
-in tcp_sacktag_write_queue().
-
-If this D-SACK also carries a SACK that needs to be processed
-(for example, the previous SACK segment was lost), this SACK
-will be treated as a D-SACK in the following processing of
-tcp_sacktag_write_queue(), which will eventually lead to
-incorrect updates of undo_retrans and reordering.
-
-Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them")
-Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_input.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -1731,8 +1731,11 @@ tcp_sacktag_write_queue(struct sock *sk,
- }
-
- /* Ignore very old stuff early */
-- if (!after(sp[used_sacks].end_seq, prior_snd_una))
-+ if (!after(sp[used_sacks].end_seq, prior_snd_una)) {
-+ if (i == 0)
-+ first_sack_index = -1;
- continue;
-+ }
-
- used_sacks++;
- }
diff --git a/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
deleted file mode 100644
index 13191e1..0000000
--- a/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e Mon Sep 17 00:00:00 2001
-From: Leo Yan <leo.yan@linaro.org>
-Date: Wed, 27 Nov 2019 22:15:43 +0800
-Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops
-
-From: Leo Yan <leo.yan@linaro.org>
-
-commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream.
-
-As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug")
-has mentioned the uart driver might cause recursive locking between
-normal printing and the kernel debugging facilities (e.g. sysrq and
-oops). In the commit it gave out suggestion for fixing recursive
-locking issue: "The solution is to avoid locking in the sysrq case
-and trylock in the oops_in_progress case."
-
-This patch follows the suggestion (also used the exactly same code with
-other serial drivers, e.g. amba-pl011.c) to fix the recursive locking
-issue, this can avoid stuck caused by deadlock and print out log for
-sysrq and oops.
-
-Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
-Signed-off-by: Leo Yan <leo.yan@linaro.org>
-Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
-Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/serial/msm_serial.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
---- a/drivers/tty/serial/msm_serial.c
-+++ b/drivers/tty/serial/msm_serial.c
-@@ -860,6 +860,7 @@ static void __msm_console_write(struct u
- int num_newlines = 0;
- bool replaced = false;
- void __iomem *tf;
-+ int locked = 1;
-
- if (is_uartdm)
- tf = port->membase + UARTDM_TF;
-@@ -872,7 +873,13 @@ static void __msm_console_write(struct u
- num_newlines++;
- count += num_newlines;
-
-- spin_lock(&port->lock);
-+ if (port->sysrq)
-+ locked = 0;
-+ else if (oops_in_progress)
-+ locked = spin_trylock(&port->lock);
-+ else
-+ spin_lock(&port->lock);
-+
- if (is_uartdm)
- reset_dm_count(port, count);
-
-@@ -908,7 +915,9 @@ static void __msm_console_write(struct u
- iowrite32_rep(tf, buf, 1);
- i += num_chars;
- }
-- spin_unlock(&port->lock);
-+
-+ if (locked)
-+ spin_unlock(&port->lock);
- }
-
- static void msm_console_write(struct console *co, const char *s,
diff --git a/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch b/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
deleted file mode 100644
index 9d76130..0000000
--- a/vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:29:05 AM CET
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 7 Jan 2020 01:42:24 -0800
-Subject: vlan: fix memory leak in vlan_dev_set_egress_priority
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]
-
-There are few cases where the ndo_uninit() handler might be not
-called if an error happens while device is initialized.
-
-Since vlan_newlink() calls vlan_changelink() before
-trying to register the netdevice, we need to make sure
-vlan_dev_uninit() has been called at least once,
-or we might leak allocated memory.
-
-BUG: memory leak
-unreferenced object 0xffff888122a206c0 (size 32):
- comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
- hex dump (first 32 bytes):
- 00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- backtrace:
- [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
- [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
- [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
- [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
- [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
- [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
- [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
- [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
- [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
- [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
- [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
- [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
- [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
- [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
- [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
- [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
- [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
- [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
- [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
- [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
- [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
- [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
- [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
- [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
-
-Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/8021q/vlan.h | 1 +
- net/8021q/vlan_dev.c | 3 ++-
- net/8021q/vlan_netlink.c | 9 +++++----
- 3 files changed, 8 insertions(+), 5 deletions(-)
-
---- a/net/8021q/vlan.h
-+++ b/net/8021q/vlan.h
-@@ -109,6 +109,7 @@ int vlan_check_real_dev(struct net_devic
- void vlan_setup(struct net_device *dev);
- int register_vlan_dev(struct net_device *dev);
- void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
-+void vlan_dev_uninit(struct net_device *dev);
- bool vlan_dev_inherit_address(struct net_device *dev,
- struct net_device *real_dev);
-
---- a/net/8021q/vlan_dev.c
-+++ b/net/8021q/vlan_dev.c
-@@ -639,7 +639,8 @@ static int vlan_dev_init(struct net_devi
- return 0;
- }
-
--static void vlan_dev_uninit(struct net_device *dev)
-+/* Note: this function might be called multiple times for the same device. */
-+void vlan_dev_uninit(struct net_device *dev)
- {
- struct vlan_priority_tci_mapping *pm;
- struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
---- a/net/8021q/vlan_netlink.c
-+++ b/net/8021q/vlan_netlink.c
-@@ -154,10 +154,11 @@ static int vlan_newlink(struct net *src_
- return -EINVAL;
-
- err = vlan_changelink(dev, tb, data);
-- if (err < 0)
-- return err;
--
-- return register_vlan_dev(dev);
-+ if (!err)
-+ err = register_vlan_dev(dev);
-+ if (err)
-+ vlan_dev_uninit(dev);
-+ return err;
- }
-
- static inline size_t vlan_qos_map_size(unsigned int n)
diff --git a/vlan-vlan_changelink-should-propagate-errors.patch b/vlan-vlan_changelink-should-propagate-errors.patch
deleted file mode 100644
index cac3776..0000000
--- a/vlan-vlan_changelink-should-propagate-errors.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:52:53 AM CET
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 7 Jan 2020 01:42:25 -0800
-Subject: vlan: vlan_changelink() should propagate errors
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ]
-
-Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
-can return an error. vlan_changelink() should not ignore them.
-
-Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/8021q/vlan_netlink.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- a/net/8021q/vlan_netlink.c
-+++ b/net/8021q/vlan_netlink.c
-@@ -92,11 +92,13 @@ static int vlan_changelink(struct net_de
- struct ifla_vlan_flags *flags;
- struct ifla_vlan_qos_mapping *m;
- struct nlattr *attr;
-- int rem;
-+ int rem, err;
-
- if (data[IFLA_VLAN_FLAGS]) {
- flags = nla_data(data[IFLA_VLAN_FLAGS]);
-- vlan_dev_change_flags(dev, flags->flags, flags->mask);
-+ err = vlan_dev_change_flags(dev, flags->flags, flags->mask);
-+ if (err)
-+ return err;
- }
- if (data[IFLA_VLAN_INGRESS_QOS]) {
- nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
-@@ -107,7 +109,9 @@ static int vlan_changelink(struct net_de
- if (data[IFLA_VLAN_EGRESS_QOS]) {
- nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
- m = nla_data(attr);
-- vlan_dev_set_egress_priority(dev, m->from, m->to);
-+ err = vlan_dev_set_egress_priority(dev, m->from, m->to);
-+ if (err)
-+ return err;
- }
- }
- return 0;
diff --git a/vxlan-fix-tos-value-before-xmit.patch b/vxlan-fix-tos-value-before-xmit.patch
deleted file mode 100644
index 301261c..0000000
--- a/vxlan-fix-tos-value-before-xmit.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From foo@baz Sat 11 Jan 2020 09:44:46 AM CET
-From: Hangbin Liu <liuhangbin@gmail.com>
-Date: Thu, 2 Jan 2020 17:23:45 +0800
-Subject: vxlan: fix tos value before xmit
-
-From: Hangbin Liu <liuhangbin@gmail.com>
-
-[ Upstream commit 71130f29979c7c7956b040673e6b9d5643003176 ]
-
-Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter
-tos value by RT_TOS() instead of using config tos directly.
-
-vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't
-return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS()
-directly in function ip_tunnel_ecn_encap().
-
-Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API")
-Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class")
-Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/vxlan.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/vxlan.c
-+++ b/drivers/net/vxlan.c
-@@ -1798,7 +1798,7 @@ static void vxlan_xmit_one(struct sk_buf
- return;
- }
-
-- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
-+ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
- ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
-
- err = vxlan_xmit_skb(vxlan->vn_sock, rt, skb, |