3.18 patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Apr 2017 15:35:58 +0000 (17:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Apr 2017 15:35:58 +0000 (17:35 +0200)
44 files changed:
mbox_todo-3.18
queue-3.18/acm-gadget-fix-endianness-in-notifications.patch [new file with mode: 0644]
queue-3.18/acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch [new file with mode: 0644]
queue-3.18/acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch [new file with mode: 0644]
queue-3.18/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch [new file with mode: 0644]
queue-3.18/ext4-mark-inode-dirty-after-converting-inline-directory.patch [new file with mode: 0644]
queue-3.18/igb-add-i211-to-i210-phy-workaround.patch [new file with mode: 0644]
queue-3.18/igb-workaround-for-igb-i210-firmware-issue.patch [new file with mode: 0644]
queue-3.18/iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch [new file with mode: 0644]
queue-3.18/input-cm109-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/input-hanwang-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch [new file with mode: 0644]
queue-3.18/input-iforce-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/input-kbtab-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/input-sur40-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/input-yealink-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-3.18/iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch [new file with mode: 0644]
queue-3.18/ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch [new file with mode: 0644]
queue-3.18/isdn-gigaset-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-3.18/kvm-kvm_io_bus_unregister_dev-should-never-fail.patch [new file with mode: 0644]
queue-3.18/kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch [new file with mode: 0644]
queue-3.18/kvm-x86-clear-bus-pointer-when-destroyed.patch [new file with mode: 0644]
queue-3.18/md-raid1-10-fix-potential-deadlock.patch [new file with mode: 0644]
queue-3.18/mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch [new file with mode: 0644]
queue-3.18/mmc-ushc-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-3.18/net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch [new file with mode: 0644]
queue-3.18/net-mlx5-increase-number-of-max-qps-in-default-profile.patch [new file with mode: 0644]
queue-3.18/net-properly-release-sk_frag.page.patch [new file with mode: 0644]
queue-3.18/net-sched-actions-decrement-module-reference-count-after-table-flush.patch [new file with mode: 0644]
queue-3.18/net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch [new file with mode: 0644]
queue-3.18/percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch [new file with mode: 0644]
queue-3.18/perf-core-fix-event-inheritance-on-fork.patch [new file with mode: 0644]
queue-3.18/serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch [new file with mode: 0644]
queue-3.18/target-fix-verify_16-handling-in-sbc_parse_cdb.patch [new file with mode: 0644]
queue-3.18/tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch [new file with mode: 0644]
queue-3.18/usb-usbtmc-add-missing-endpoint-sanity-check.patch [new file with mode: 0644]
queue-3.18/uwb-hwa-rc-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-3.18/uwb-i1480-dfu-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-3.18/xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch [new file with mode: 0644]
queue-3.18/xfs-don-t-allow-di_size-with-high-bit-set.patch [new file with mode: 0644]
queue-3.18/xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch [new file with mode: 0644]

index f132fdc66ae858e7b7cc0d84d77294eb2a914413..ee898236a7da05ae4cc3d398d8d1602b2a5ece78 100644 (file)
@@ -485,264 +485,6 @@ index 7f54ac081cf3..d9cc21df444d 100644
 -- 
 2.12.2
 
-From 56f9b9502f2d15b9c7b83f9cfb32798e2e364f61 Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Mon, 13 Mar 2017 17:38:17 +0100
-Subject: [PATCH 092/251] bridge: drop netfilter fake rtable unconditionally
-Status: RO
-Content-Length: 2943
-Lines: 81
-
-[ Upstream commit a13b2082ece95247779b9995c4e91b4246bed023 ]
-
-Andreas reports kernel oops during rmmod of the br_netfilter module.
-Hannes debugged the oops down to a NULL rt6info->rt6i_indev.
-
-Problem is that br_netfilter has the nasty concept of adding a fake
-rtable to skb->dst; this happens in a br_netfilter prerouting hook.
-
-A second hook (in bridge LOCAL_IN) is supposed to remove these again
-before the skb is handed up the stack.
-
-However, on module unload hooks get unregistered which means an
-skb could traverse the prerouting hook that attaches the fake_rtable,
-while the 'fake rtable remove' hook gets removed from the hooklist
-immediately after.
-
-Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core")
-Reported-by: Andreas Karis <akaris@redhat.com>
-Debugged-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bridge/br_input.c           |  1 +
- net/bridge/br_netfilter_hooks.c | 21 ---------------------
- 2 files changed, 1 insertion(+), 21 deletions(-)
-
-diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
-index f7fba74108a9..e24754a0e052 100644
---- a/net/bridge/br_input.c
-+++ b/net/bridge/br_input.c
-@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook);
- static int
- br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
-+      br_drop_fake_rtable(skb);
-       return netif_receive_skb(skb);
- }
-diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
-index 7ddbe7ec81d6..97fc19f001bf 100644
---- a/net/bridge/br_netfilter_hooks.c
-+++ b/net/bridge/br_netfilter_hooks.c
-@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv,
- }
--/* PF_BRIDGE/LOCAL_IN ************************************************/
--/* The packet is locally destined, which requires a real
-- * dst_entry, so detach the fake one.  On the way up, the
-- * packet would pass through PRE_ROUTING again (which already
-- * took place when the packet entered the bridge), but we
-- * register an IPv4 PRE_ROUTING 'sabotage' hook that will
-- * prevent this from happening. */
--static unsigned int br_nf_local_in(void *priv,
--                                 struct sk_buff *skb,
--                                 const struct nf_hook_state *state)
--{
--      br_drop_fake_rtable(skb);
--      return NF_ACCEPT;
--}
--
- /* PF_BRIDGE/FORWARD *************************************************/
- static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
-@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
-               .priority = NF_BR_PRI_BRNF,
-       },
-       {
--              .hook = br_nf_local_in,
--              .pf = NFPROTO_BRIDGE,
--              .hooknum = NF_BR_LOCAL_IN,
--              .priority = NF_BR_PRI_BRNF,
--      },
--      {
-               .hook = br_nf_forward_ip,
-               .pf = NFPROTO_BRIDGE,
-               .hooknum = NF_BR_FORWARD,
--- 
-2.12.2
-
-From c10ffe988f15a0306d5d8cb1c6b475c9fe2fc2c9 Mon Sep 17 00:00:00 2001
-From: Roman Mashak <mrv@mojatatu.com>
-Date: Fri, 24 Feb 2017 11:00:32 -0500
-Subject: [PATCH 095/251] net sched actions: decrement module reference count
- after table flush.
-Status: RO
-Content-Length: 2407
-Lines: 90
-
-[ Upstream commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 ]
-
-When tc actions are loaded as a module and no actions have been installed,
-flushing them would result in actions removed from the memory, but modules
-reference count not being decremented, so that the modules would not be
-unloaded.
-
-Following is example with GACT action:
-
-% sudo modprobe act_gact
-% lsmod
-Module                  Size  Used by
-act_gact               16384  0
-%
-% sudo tc actions ls action gact
-%
-% sudo tc actions flush action gact
-% lsmod
-Module                  Size  Used by
-act_gact               16384  1
-% sudo tc actions flush action gact
-% lsmod
-Module                  Size  Used by
-act_gact               16384  2
-% sudo rmmod act_gact
-rmmod: ERROR: Module act_gact is in use
-....
-
-After the fix:
-% lsmod
-Module                  Size  Used by
-act_gact               16384  0
-%
-% sudo tc actions add action pass index 1
-% sudo tc actions add action pass index 2
-% sudo tc actions add action pass index 3
-% lsmod
-Module                  Size  Used by
-act_gact               16384  3
-%
-% sudo tc actions flush action gact
-% lsmod
-Module                  Size  Used by
-act_gact               16384  0
-%
-% sudo tc actions flush action gact
-% lsmod
-Module                  Size  Used by
-act_gact               16384  0
-% sudo rmmod act_gact
-% lsmod
-Module                  Size  Used by
-%
-
-Fixes: f97017cdefef ("net-sched: Fix actions flushing")
-Signed-off-by: Roman Mashak <mrv@mojatatu.com>
-Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
-Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sched/act_api.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 06e7c4a37245..694a06f1e0d5 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -820,10 +820,8 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
-               goto out_module_put;
-       err = a.ops->walk(skb, &dcb, RTM_DELACTION, &a);
--      if (err < 0)
-+      if (err <= 0)
-               goto out_module_put;
--      if (err == 0)
--              goto noflush_out;
-       nla_nest_end(skb, nest);
-@@ -840,7 +838,6 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
- out_module_put:
-       module_put(a.ops->owner);
- err_out:
--noflush_out:
-       kfree_skb(skb);
-       return err;
- }
--- 
-2.12.2
-
-From fd74e8d258da9f9678da6bf88a0b02b2c1b71d0c Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Mon, 19 Dec 2016 14:20:13 -0800
-Subject: [PATCH 096/251] fscrypt: fix renaming and linking special files
-Status: RO
-Content-Length: 2187
-Lines: 59
-
-commit 42d97eb0ade31e1bc537d086842f5d6e766d9d51 upstream.
-
-Attempting to link a device node, named pipe, or socket file into an
-encrypted directory through rename(2) or link(2) always failed with
-EPERM.  This happened because fscrypt_has_permitted_context() saw that
-the file was unencrypted and forbid creating the link.  This behavior
-was unexpected because such files are never encrypted; only regular
-files, directories, and symlinks can be encrypted.
-
-To fix this, make fscrypt_has_permitted_context() always return true on
-special files.
-
-This will be covered by a test in my encryption xfstests patchset.
-
-Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support")
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Reviewed-by: Richard Weinberger <richard@nod.at>
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/crypto_policy.c | 6 ++++++
- fs/f2fs/crypto_policy.c | 5 +++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c
-index 8a9feb341f31..dd561f916f0b 100644
---- a/fs/ext4/crypto_policy.c
-+++ b/fs/ext4/crypto_policy.c
-@@ -156,6 +156,12 @@ int ext4_is_child_context_consistent_with_parent(struct inode *parent,
-               WARN_ON(1);     /* Should never happen */
-               return 0;
-       }
-+
-+      /* No restrictions on file types which are never encrypted */
-+      if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
-+          !S_ISLNK(child->i_mode))
-+              return 1;
-+
-       /* no restrictions if the parent directory is not encrypted */
-       if (!ext4_encrypted_inode(parent))
-               return 1;
-diff --git a/fs/f2fs/crypto_policy.c b/fs/f2fs/crypto_policy.c
-index e504f548b64e..5bbd1989d5e6 100644
---- a/fs/f2fs/crypto_policy.c
-+++ b/fs/f2fs/crypto_policy.c
-@@ -149,6 +149,11 @@ int f2fs_is_child_context_consistent_with_parent(struct inode *parent,
-               BUG_ON(1);
-       }
-+      /* No restrictions on file types which are never encrypted */
-+      if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
-+          !S_ISLNK(child->i_mode))
-+              return 1;
-+
-       /* no restrictions if the parent directory is not encrypted */
-       if (!f2fs_encrypted_inode(parent))
-               return 1;
--- 
-2.12.2
-
 From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Date: Wed, 22 Mar 2017 12:17:51 +0100
@@ -770,349 +512,6 @@ index d9cc21df444d..cf9303a5d621 100644
 -- 
 2.12.2
 
-From 50730d7f361f9915ec7063a629500119b0e8c3b6 Mon Sep 17 00:00:00 2001
-From: Thomas Huth <thuth@redhat.com>
-Date: Wed, 18 May 2016 21:01:20 +0200
-Subject: [PATCH 114/251] KVM: PPC: Book3S PR: Fix illegal opcode emulation
-Content-Length: 2006
-Lines: 47
-
-commit 708e75a3ee750dce1072134e630d66c4e6eaf63c upstream.
-
-If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate
-one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls
-kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction()
-returned EMULATE_FAIL, so the guest gets an program interrupt for the
-illegal opcode.
-However, the kvmppc_emulate_instruction() also tried to inject a
-program exception for this already, so the program interrupt gets
-injected twice and the return address in srr0 gets destroyed.
-All other callers of kvmppc_emulate_instruction() are also injecting
-a program interrupt, and since the callers have the right knowledge
-about the srr1 flags that should be used, it is the function
-kvmppc_emulate_instruction() that should _not_ inject program
-interrupts, so remove the kvmppc_core_queue_program() here.
-
-This fixes the issue discovered by Laurent Vivier with kvm-unit-tests
-where the logs are filled with these messages when the test tries
-to execute an illegal instruction:
-
-     Couldn't emulate instruction 0x00000000 (op 0 xop 0)
-     kvmppc_handle_exit_pr: emulation at 700 failed (00000000)
-
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Alexander Graf <agraf@suse.de>
-Tested-by: Laurent Vivier <lvivier@redhat.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/kvm/emulate.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/arch/powerpc/kvm/emulate.c b/arch/powerpc/kvm/emulate.c
-index 5cc2e7af3a7b..b379146de55b 100644
---- a/arch/powerpc/kvm/emulate.c
-+++ b/arch/powerpc/kvm/emulate.c
-@@ -302,7 +302,6 @@ int kvmppc_emulate_instruction(struct kvm_run *run, struct kvm_vcpu *vcpu)
-                       advance = 0;
-                       printk(KERN_ERR "Couldn't emulate instruction 0x%08x "
-                              "(op %d xop %d)\n", inst, get_op(inst), get_xop(inst));
--                      kvmppc_core_queue_program(vcpu, 0);
-               }
-       }
--- 
-2.12.2
-
-From 13a26889cbc1eb8a7b9a7712c05538c55659fe40 Mon Sep 17 00:00:00 2001
-From: Dave Airlie <airlied@redhat.com>
-Date: Thu, 14 Jan 2016 08:07:55 +1000
-Subject: [PATCH 116/251] drm/amdgpu: add missing irq.h include
-Content-Length: 751
-Lines: 25
-
-commit e9c5e7402dad6f4f04c2430db6f283512bcd4392 upstream.
-
-this fixes the build on arm.
-
-Signed-off-by: Dave Airlie <airlied@redhat.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
-index 7c42ff670080..a0924330d125 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
-@@ -25,6 +25,7 @@
-  *          Alex Deucher
-  *          Jerome Glisse
-  */
-+#include <linux/irq.h>
- #include <drm/drmP.h>
- #include <drm/drm_crtc_helper.h>
- #include <drm/amdgpu_drm.h>
--- 
-2.12.2
-
-From cea050150323a2c09efc316f0272af053e0b87e2 Mon Sep 17 00:00:00 2001
-From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
-Date: Wed, 25 Nov 2015 14:05:30 -0700
-Subject: [PATCH 117/251] tpm_tis: Use devm_free_irq not free_irq
-Content-Length: 1236
-Lines: 33
-
-commit 727f28b8ca24a581c7bd868326b8cea1058c720a upstream.
-
-The interrupt is always allocated with devm_request_irq so it
-must always be freed with devm_free_irq.
-
-Fixes: 448e9c55c12d ("tpm_tis: verify interrupt during init")
-Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
-Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-Tested-by: Martin Wilck <Martin.Wilck@ts.fujitsu.com>
-Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-Acked-by: Peter Huewe <peterhuewe@gmx.de>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/char/tpm/tpm_tis.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
-index 65f7eecc45b0..f10a107614b4 100644
---- a/drivers/char/tpm/tpm_tis.c
-+++ b/drivers/char/tpm/tpm_tis.c
-@@ -401,7 +401,7 @@ static void disable_interrupts(struct tpm_chip *chip)
-       iowrite32(intmask,
-                 chip->vendor.iobase +
-                 TPM_INT_ENABLE(chip->vendor.locality));
--      free_irq(chip->vendor.irq, chip);
-+      devm_free_irq(chip->pdev, chip->vendor.irq, chip);
-       chip->vendor.irq = 0;
- }
--- 
-2.12.2
-
-From 6cc5b73d79697e1a529249572ac022192f1ddffd Mon Sep 17 00:00:00 2001
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-Date: Mon, 25 Jan 2016 16:00:41 +0100
-Subject: [PATCH 118/251] hv_netvsc: use skb_get_hash() instead of a homegrown
- implementation
-Content-Length: 2988
-Lines: 108
-
-commit 757647e10e55c01fb7a9c4356529442e316a7c72 upstream.
-
-Recent changes to 'struct flow_keys' (e.g commit d34af823ff40 ("net: Add
-VLAN ID to flow_keys")) introduced a performance regression in netvsc
-driver. Is problem is, however, not the above mentioned commit but the
-fact that netvsc_set_hash() function did some assumptions on the struct
-flow_keys data layout and this is wrong.
-
-Get rid of netvsc_set_hash() by switching to skb_get_hash(). This change
-will also imply switching to Jenkins hash from the currently used Toeplitz
-but it seems there is no good excuse for Toeplitz to stay.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
-Acked-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/hyperv/netvsc_drv.c | 67 ++---------------------------------------
- 1 file changed, 3 insertions(+), 64 deletions(-)
-
-diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
-index e8a09ff9e724..c8a7802d2953 100644
---- a/drivers/net/hyperv/netvsc_drv.c
-+++ b/drivers/net/hyperv/netvsc_drv.c
-@@ -197,65 +197,6 @@ static void *init_ppi_data(struct rndis_message *msg, u32 ppi_size,
-       return ppi;
- }
--union sub_key {
--      u64 k;
--      struct {
--              u8 pad[3];
--              u8 kb;
--              u32 ka;
--      };
--};
--
--/* Toeplitz hash function
-- * data: network byte order
-- * return: host byte order
-- */
--static u32 comp_hash(u8 *key, int klen, void *data, int dlen)
--{
--      union sub_key subk;
--      int k_next = 4;
--      u8 dt;
--      int i, j;
--      u32 ret = 0;
--
--      subk.k = 0;
--      subk.ka = ntohl(*(u32 *)key);
--
--      for (i = 0; i < dlen; i++) {
--              subk.kb = key[k_next];
--              k_next = (k_next + 1) % klen;
--              dt = ((u8 *)data)[i];
--              for (j = 0; j < 8; j++) {
--                      if (dt & 0x80)
--                              ret ^= subk.ka;
--                      dt <<= 1;
--                      subk.k <<= 1;
--              }
--      }
--
--      return ret;
--}
--
--static bool netvsc_set_hash(u32 *hash, struct sk_buff *skb)
--{
--      struct flow_keys flow;
--      int data_len;
--
--      if (!skb_flow_dissect_flow_keys(skb, &flow, 0) ||
--          !(flow.basic.n_proto == htons(ETH_P_IP) ||
--            flow.basic.n_proto == htons(ETH_P_IPV6)))
--              return false;
--
--      if (flow.basic.ip_proto == IPPROTO_TCP)
--              data_len = 12;
--      else
--              data_len = 8;
--
--      *hash = comp_hash(netvsc_hash_key, HASH_KEYLEN, &flow, data_len);
--
--      return true;
--}
--
- static u16 netvsc_select_queue(struct net_device *ndev, struct sk_buff *skb,
-                       void *accel_priv, select_queue_fallback_t fallback)
- {
-@@ -268,11 +209,9 @@ static u16 netvsc_select_queue(struct net_device *ndev, struct sk_buff *skb,
-       if (nvsc_dev == NULL || ndev->real_num_tx_queues <= 1)
-               return 0;
--      if (netvsc_set_hash(&hash, skb)) {
--              q_idx = nvsc_dev->send_table[hash % VRSS_SEND_TAB_SIZE] %
--                      ndev->real_num_tx_queues;
--              skb_set_hash(skb, hash, PKT_HASH_TYPE_L3);
--      }
-+      hash = skb_get_hash(skb);
-+      q_idx = nvsc_dev->send_table[hash % VRSS_SEND_TAB_SIZE] %
-+              ndev->real_num_tx_queues;
-       return q_idx;
- }
--- 
-2.12.2
-
-From 6052eb871217c0679ac63779fc5e43eb49c83b0c Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Mon, 23 May 2016 16:24:05 -0700
-Subject: [PATCH 119/251] kernek/fork.c: allocate idle task for a CPU always on
- its local node
-Content-Length: 3134
-Lines: 88
-
-commit 725fc629ff2545b061407305ae51016c9f928fce upstream.
-
-Linux preallocates the task structs of the idle tasks for all possible
-CPUs.  This currently means they all end up on node 0.  This also
-implies that the cache line of MWAIT, which is around the flags field in
-the task struct, are all located in node 0.
-
-We see a noticeable performance improvement on Knights Landing CPUs when
-the cache lines used for MWAIT are located in the local nodes of the
-CPUs using them.  I would expect this to give a (likely slight)
-improvement on other systems too.
-
-The patch implements placing the idle task in the node of its CPUs, by
-passing the right target node to copy_process()
-
-[akpm@linux-foundation.org: use NUMA_NO_NODE, not a bare -1]
-Link: http://lkml.kernel.org/r/1463492694-15833-1-git-send-email-andi@firstfloor.org
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/fork.c | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 2e55b53399de..278a2ddad351 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -331,13 +331,14 @@ void set_task_stack_end_magic(struct task_struct *tsk)
-       *stackend = STACK_END_MAGIC;    /* for overflow detection */
- }
--static struct task_struct *dup_task_struct(struct task_struct *orig)
-+static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
- {
-       struct task_struct *tsk;
-       struct thread_info *ti;
--      int node = tsk_fork_get_node(orig);
-       int err;
-+      if (node == NUMA_NO_NODE)
-+              node = tsk_fork_get_node(orig);
-       tsk = alloc_task_struct_node(node);
-       if (!tsk)
-               return NULL;
-@@ -1270,7 +1271,8 @@ static struct task_struct *copy_process(unsigned long clone_flags,
-                                       int __user *child_tidptr,
-                                       struct pid *pid,
-                                       int trace,
--                                      unsigned long tls)
-+                                      unsigned long tls,
-+                                      int node)
- {
-       int retval;
-       struct task_struct *p;
-@@ -1323,7 +1325,7 @@ static struct task_struct *copy_process(unsigned long clone_flags,
-               goto fork_out;
-       retval = -ENOMEM;
--      p = dup_task_struct(current);
-+      p = dup_task_struct(current, node);
-       if (!p)
-               goto fork_out;
-@@ -1699,7 +1701,8 @@ static inline void init_idle_pids(struct pid_link *links)
- struct task_struct *fork_idle(int cpu)
- {
-       struct task_struct *task;
--      task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0, 0);
-+      task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0, 0,
-+                          cpu_to_node(cpu));
-       if (!IS_ERR(task)) {
-               init_idle_pids(task->pids);
-               init_idle(task, cpu);
-@@ -1744,7 +1747,7 @@ long _do_fork(unsigned long clone_flags,
-       }
-       p = copy_process(clone_flags, stack_start, stack_size,
--                       child_tidptr, NULL, trace, tls);
-+                       child_tidptr, NULL, trace, tls, NUMA_NO_NODE);
-       /*
-        * Do this prior waking up the new thread - the thread pointer
-        * might get invalid after that point, if the thread exits quickly.
--- 
-2.12.2
-
 From 4cb0c0b73d1c79a8ce260836b3f27650aa1c57f1 Mon Sep 17 00:00:00 2001
 From: Linus Torvalds <torvalds@linux-foundation.org>
 Date: Thu, 2 Mar 2017 12:17:22 -0800
@@ -1242,3240 +641,35 @@ index 41446668ccce..d5677d39c1e4 100644
 -                                 ) :          \
 +              1 ) :                           \
        (sizeof(n) <= 4) ?                      \
-       __ilog2_u32(n) :                        \
-       __ilog2_u64(n)                          \
--- 
-2.12.2
-
-From f02729f2ab87c84bbc959e7631487a4b84dbdf63 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Thu, 16 Mar 2017 13:47:49 +0100
-Subject: [PATCH 121/251] perf/core: Fix event inheritance on fork()
-Content-Length: 2243
-Lines: 62
-
-commit e7cc4865f0f31698ef2f7aac01a50e78968985b7 upstream.
-
-While hunting for clues to a use-after-free, Oleg spotted that
-perf_event_init_context() can loose an error value with the result
-that fork() can succeed even though we did not fully inherit the perf
-event context.
-
-Spotted-by: Oleg Nesterov <oleg@redhat.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
-Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
-Cc: Dmitry Vyukov <dvyukov@google.com>
-Cc: Frederic Weisbecker <fweisbec@gmail.com>
-Cc: Jiri Olsa <jolsa@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Vince Weaver <vincent.weaver@maine.edu>
-Cc: oleg@redhat.com
-Fixes: 889ff0150661 ("perf/core: Split context's event group list into pinned and non-pinned lists")
-Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/events/core.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9bbe9ac23cf2..e4b5494f05f8 100644
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -9230,7 +9230,7 @@ static int perf_event_init_context(struct task_struct *child, int ctxn)
-               ret = inherit_task_group(event, parent, parent_ctx,
-                                        child, ctxn, &inherited_all);
-               if (ret)
--                      break;
-+                      goto out_unlock;
-       }
-       /*
-@@ -9246,7 +9246,7 @@ static int perf_event_init_context(struct task_struct *child, int ctxn)
-               ret = inherit_task_group(event, parent, parent_ctx,
-                                        child, ctxn, &inherited_all);
-               if (ret)
--                      break;
-+                      goto out_unlock;
-       }
-       raw_spin_lock_irqsave(&parent_ctx->lock, flags);
-@@ -9274,6 +9274,7 @@ static int perf_event_init_context(struct task_struct *child, int ctxn)
-       }
-       raw_spin_unlock_irqrestore(&parent_ctx->lock, flags);
-+out_unlock:
-       mutex_unlock(&parent_ctx->mutex);
-       perf_unpin_context(parent_ctx);
--- 
-2.12.2
-
-From 09875d1393d4589bcdfeeba8747a12dd69810cc9 Mon Sep 17 00:00:00 2001
-From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
-Date: Wed, 15 Mar 2017 00:12:16 +0100
-Subject: [PATCH 122/251] cpufreq: Fix and clean up show_cpuinfo_cur_freq()
-Content-Length: 992
-Lines: 33
-
-commit 9b4f603e7a9f4282aec451063ffbbb8bb410dcd9 upstream.
-
-There is a missing newline in show_cpuinfo_cur_freq(), so add it,
-but while at it clean that function up somewhat too.
-
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/cpufreq/cpufreq.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
-index 8412ce5f93a7..86fa9fdc8323 100644
---- a/drivers/cpufreq/cpufreq.c
-+++ b/drivers/cpufreq/cpufreq.c
-@@ -626,9 +626,11 @@ static ssize_t show_cpuinfo_cur_freq(struct cpufreq_policy *policy,
-                                       char *buf)
- {
-       unsigned int cur_freq = __cpufreq_get(policy);
--      if (!cur_freq)
--              return sprintf(buf, "<unknown>");
--      return sprintf(buf, "%u\n", cur_freq);
-+
-+      if (cur_freq)
-+              return sprintf(buf, "%u\n", cur_freq);
-+
-+      return sprintf(buf, "<unknown>\n");
- }
- /**
--- 
-2.12.2
-
-From 582f548924cdda2dadf842020075f6b2525421d2 Mon Sep 17 00:00:00 2001
-From: Shaohua Li <shli@fb.com>
-Date: Tue, 28 Feb 2017 13:00:20 -0800
-Subject: [PATCH 124/251] md/raid1/10: fix potential deadlock
-Content-Length: 3293
-Lines: 86
-
-commit 61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 upstream.
-
-Neil Brown pointed out a potential deadlock in raid 10 code with
-bio_split/chain. The raid1 code could have the same issue, but recent
-barrier rework makes it less likely to happen. The deadlock happens in
-below sequence:
-
-1. generic_make_request(bio), this will set current->bio_list
-2. raid10_make_request will split bio to bio1 and bio2
-3. __make_request(bio1), wait_barrer, add underlayer disk bio to
-current->bio_list
-4. __make_request(bio2), wait_barrer
-
-If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
-raise_barrier waits for IO completion from 3. And since raise_barrier
-sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
-dispatched because raid10_make_request() doesn't finished yet.
-
-The solution is to adjust the IO ordering. Quotes from Neil:
-"
-It is much safer to:
-
-    if (need to split) {
-        split = bio_split(bio, ...)
-        bio_chain(...)
-        make_request_fn(split);
-        generic_make_request(bio);
-   } else
-        make_request_fn(mddev, bio);
-
-This way we first process the initial section of the bio (in 'split')
-which will queue some requests to the underlying devices.  These
-requests will be queued in generic_make_request.
-Then we queue the remainder of the bio, which will be added to the end
-of the generic_make_request queue.
-Then we return.
-generic_make_request() will pop the lower-level device requests off the
-queue and handle them first.  Then it will process the remainder
-of the original bio once the first section has been fully processed.
-"
-
-Note, this only happens in read path. In write path, the bio is flushed to
-underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
-It's queued in current->bio_list.
-
-Cc: Coly Li <colyli@suse.de>
-Suggested-by: NeilBrown <neilb@suse.com>
-Reviewed-by: Jack Wang <jinpu.wang@profitbricks.com>
-Signed-off-by: Shaohua Li <shli@fb.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/raid10.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index ebb0dd612ebd..122af340a531 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -1477,7 +1477,25 @@ static void make_request(struct mddev *mddev, struct bio *bio)
-                       split = bio;
-               }
-+              /*
-+               * If a bio is splitted, the first part of bio will pass
-+               * barrier but the bio is queued in current->bio_list (see
-+               * generic_make_request). If there is a raise_barrier() called
-+               * here, the second part of bio can't pass barrier. But since
-+               * the first part bio isn't dispatched to underlaying disks
-+               * yet, the barrier is never released, hence raise_barrier will
-+               * alays wait. We have a deadlock.
-+               * Note, this only happens in read path. For write path, the
-+               * first part of bio is dispatched in a schedule() call
-+               * (because of blk plug) or offloaded to raid10d.
-+               * Quitting from the function immediately can change the bio
-+               * order queued in bio_list and avoid the deadlock.
-+               */
-               __make_request(mddev, split);
-+              if (split != bio && bio_data_dir(bio) == READ) {
-+                      generic_make_request(bio);
-+                      break;
-+              }
-       } while (split != bio);
-       /* In case raid10d snuck in to freeze_array */
--- 
-2.12.2
-
-From d267ecbdfdb4199c0e3a967ecc17a6b80d95209a Mon Sep 17 00:00:00 2001
-From: Max Lohrmann <post@wickenrode.com>
-Date: Tue, 7 Mar 2017 22:09:56 -0800
-Subject: [PATCH 128/251] target: Fix VERIFY_16 handling in sbc_parse_cdb
-Content-Length: 1397
-Lines: 42
-
-commit 13603685c1f12c67a7a2427f00b63f39a2b6f7c9 upstream.
-
-As reported by Max, the Windows 2008 R2 chkdsk utility expects
-VERIFY_16 to be supported, and does not handle the returned
-CHECK_CONDITION properly, resulting in an infinite loop.
-
-The kernel will log huge amounts of this error:
-
-kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
-CHECK_CONDITION.
-
-Signed-off-by: Max Lohrmann <post@wickenrode.com>
-Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/target/target_core_sbc.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
-index 2e27b1034ede..90c5dffc9fa4 100644
---- a/drivers/target/target_core_sbc.c
-+++ b/drivers/target/target_core_sbc.c
-@@ -1096,9 +1096,15 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
-                       return ret;
-               break;
-       case VERIFY:
-+      case VERIFY_16:
-               size = 0;
--              sectors = transport_get_sectors_10(cdb);
--              cmd->t_task_lba = transport_lba_32(cdb);
-+              if (cdb[0] == VERIFY) {
-+                      sectors = transport_get_sectors_10(cdb);
-+                      cmd->t_task_lba = transport_lba_32(cdb);
-+              } else {
-+                      sectors = transport_get_sectors_16(cdb);
-+                      cmd->t_task_lba = transport_lba_64(cdb);
-+              }
-               cmd->execute_cmd = sbc_emulate_noop;
-               goto check_lba;
-       case REZERO_UNIT:
--- 
-2.12.2
-
-From 4f47ca4882564c4b76cc9c426583a49d23893dda Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:39:01 +0100
-Subject: [PATCH 129/251] isdn/gigaset: fix NULL-deref at probe
-Content-Length: 1072
-Lines: 30
-
-commit 68c32f9c2a36d410aa242e661506e5b2c2764179 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Fixes: cf7776dc05b8 ("[PATCH] isdn4linux: Siemens Gigaset drivers - direct USB connection")
-Cc: Hansjoerg Lipp <hjlipp@web.de>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/isdn/gigaset/bas-gigaset.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
-index aecec6d32463..7f1c625b08ec 100644
---- a/drivers/isdn/gigaset/bas-gigaset.c
-+++ b/drivers/isdn/gigaset/bas-gigaset.c
-@@ -2317,6 +2317,9 @@ static int gigaset_probe(struct usb_interface *interface,
-               return -ENODEV;
-       }
-+      if (hostif->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       dev_info(&udev->dev,
-                "%s: Device matched (Vendor: 0x%x, Product: 0x%x)\n",
-                __func__, le16_to_cpu(udev->descriptor.idVendor),
--- 
-2.12.2
-
-From e08f608ab4288f4192a504e6c94dd7c9c931dad8 Mon Sep 17 00:00:00 2001
-From: Andreas Gruenbacher <agruenba@redhat.com>
-Date: Mon, 6 Mar 2017 12:58:42 -0500
-Subject: [PATCH 130/251] gfs2: Avoid alignment hole in struct lm_lockname
-Content-Length: 1009
-Lines: 30
-
-commit 28ea06c46fbcab63fd9a55531387b7928a18a590 upstream.
-
-Commit 88ffbf3e03 switches to using rhashtables for glocks, hashing over
-the entire struct lm_lockname instead of its individual fields.  On some
-architectures, struct lm_lockname contains a hole of uninitialized
-memory due to alignment rules, which now leads to incorrect hash values.
-Get rid of that hole.
-
-Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
-Signed-off-by: Bob Peterson <rpeterso@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/gfs2/incore.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h
-index de7b4f97ac75..be519416c112 100644
---- a/fs/gfs2/incore.h
-+++ b/fs/gfs2/incore.h
-@@ -207,7 +207,7 @@ struct lm_lockname {
-       struct gfs2_sbd *ln_sbd;
-       u64 ln_number;
-       unsigned int ln_type;
--};
-+} __packed __aligned(sizeof(int));
- #define lm_name_equal(name1, name2) \
-         (((name1)->ln_number == (name2)->ln_number) &&        \
--- 
-2.12.2
-
-From d88b83e66bbf588a5d85168d9839501cd47fe561 Mon Sep 17 00:00:00 2001
-From: Tahsin Erdogan <tahsin@google.com>
-Date: Sat, 25 Feb 2017 13:00:19 -0800
-Subject: [PATCH 131/251] percpu: acquire pcpu_lock when updating
- pcpu_nr_empty_pop_pages
-Content-Length: 1047
-Lines: 33
-
-commit 320661b08dd6f1746d5c7ab4eb435ec64b97cd45 upstream.
-
-Update to pcpu_nr_empty_pop_pages in pcpu_alloc() is currently done
-without holding pcpu_lock. This can lead to bad updates to the variable.
-Add missing lock calls.
-
-Fixes: b539b87fed37 ("percpu: implmeent pcpu_nr_empty_pop_pages and chunk->nr_populated")
-Signed-off-by: Tahsin Erdogan <tahsin@google.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/percpu.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/mm/percpu.c b/mm/percpu.c
-index 1f376bce413c..ef6353f0adbd 100644
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -1012,8 +1012,11 @@ area_found:
-               mutex_unlock(&pcpu_alloc_mutex);
-       }
--      if (chunk != pcpu_reserved_chunk)
-+      if (chunk != pcpu_reserved_chunk) {
-+              spin_lock_irqsave(&pcpu_lock, flags);
-               pcpu_nr_empty_pop_pages -= occ_pages;
-+              spin_unlock_irqrestore(&pcpu_lock, flags);
-+      }
-       if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW)
-               pcpu_schedule_balance_work();
--- 
-2.12.2
-
-From 5fa513cb07213608907d4daa123b81e5a32d13e0 Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o <tytso@mit.edu>
-Date: Wed, 15 Feb 2017 01:26:39 -0500
-Subject: [PATCH 132/251] ext4: fix fencepost in s_first_meta_bg validation
-Content-Length: 1128
-Lines: 31
-
-commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream.
-
-It is OK for s_first_meta_bg to be equal to the number of block group
-descriptor blocks.  (It rarely happens, but it shouldn't cause any
-problems.)
-
-https://bugzilla.kernel.org/show_bug.cgi?id=194567
-
-Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Cc: Jiri Slaby <jslaby@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/super.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 6fe8e30eeb99..68345a9e59b8 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -3666,7 +3666,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
-       db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
-                  EXT4_DESC_PER_BLOCK(sb);
-       if (ext4_has_feature_meta_bg(sb)) {
--              if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
-+              if (le32_to_cpu(es->s_first_meta_bg) > db_count) {
-                       ext4_msg(sb, KERN_WARNING,
-                                "first meta block group too large: %u "
-                                "(group descriptor block count %u)",
--- 
-2.12.2
-
-From a5c3f390eb7799c3d1d92121382372b1fd365fa3 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Sun, 26 Mar 2017 12:13:55 +0200
-Subject: [PATCH 133/251] Linux 4.4.57
-Status: RO
-Content-Length: 301
-Lines: 18
-
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index cf9303a5d621..841675e63a38 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 4
--SUBLEVEL = 56
-+SUBLEVEL = 57
- EXTRAVERSION =
- NAME = Blurry Fish Butt
--- 
-2.12.2
-
-From b362d6735156add0e43b1221b17277d5fb45622d Mon Sep 17 00:00:00 2001
-From: Or Gerlitz <ogerlitz@mellanox.com>
-Date: Wed, 15 Mar 2017 18:10:47 +0200
-Subject: [PATCH 134/251] net/openvswitch: Set the ipv6 source tunnel key
- address attribute correctly
-Content-Length: 1163
-Lines: 32
-
-[ Upstream commit 3d20f1f7bd575d147ffa75621fa560eea0aec690 ]
-
-When dealing with ipv6 source tunnel key address attribute
-(OVS_TUNNEL_KEY_ATTR_IPV6_SRC) we are wrongly setting the tunnel
-dst ip, fix that.
-
-Fixes: 6b26ba3a7d95 ('openvswitch: netlink attributes for IPv6 tunneling')
-Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
-Reported-by: Paul Blakey <paulb@mellanox.com>
-Acked-by: Jiri Benc <jbenc@redhat.com>
-Acked-by: Joe Stringer <joe@ovn.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/openvswitch/flow_netlink.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
-index d1bd4a45ca2d..d26b28def310 100644
---- a/net/openvswitch/flow_netlink.c
-+++ b/net/openvswitch/flow_netlink.c
-@@ -588,7 +588,7 @@ static int ip_tun_from_nlattr(const struct nlattr *attr,
-                       ipv4 = true;
-                       break;
-               case OVS_TUNNEL_KEY_ATTR_IPV6_SRC:
--                      SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst,
-+                      SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src,
-                                       nla_get_in6_addr(a), is_mask);
-                       ipv6 = true;
-                       break;
--- 
-2.12.2
-
-From 12f0bffc489dff7088c73f600b6be5769bc73cbd Mon Sep 17 00:00:00 2001
-From: Florian Fainelli <f.fainelli@gmail.com>
-Date: Wed, 15 Mar 2017 12:57:21 -0700
-Subject: [PATCH 135/251] net: bcmgenet: Do not suspend PHY if Wake-on-LAN is
- enabled
-Content-Length: 1278
-Lines: 39
-
-[ Upstream commit 5371bbf4b295eea334ed453efa286afa2c3ccff3 ]
-
-Suspending the PHY would be putting it in a low power state where it
-may no longer allow us to do Wake-on-LAN.
-
-Fixes: cc013fb48898 ("net: bcmgenet: correctly suspend and resume PHY device")
-Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-index 91627561c58d..f971d92f7b41 100644
---- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-@@ -3495,7 +3495,8 @@ static int bcmgenet_suspend(struct device *d)
-       bcmgenet_netif_stop(dev);
--      phy_suspend(priv->phydev);
-+      if (!device_may_wakeup(d))
-+              phy_suspend(priv->phydev);
-       netif_device_detach(dev);
-@@ -3592,7 +3593,8 @@ static int bcmgenet_resume(struct device *d)
-       netif_device_attach(dev);
--      phy_resume(priv->phydev);
-+      if (!device_may_wakeup(d))
-+              phy_resume(priv->phydev);
-       if (priv->eee.eee_enabled)
-               bcmgenet_eee_enable_set(dev, true);
--- 
-2.12.2
-
-From f3126725228c0fdbe17c18bcc5ace1b86465cce9 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Wed, 15 Mar 2017 13:21:28 -0700
-Subject: [PATCH 136/251] net: properly release sk_frag.page
-Content-Length: 1357
-Lines: 48
-
-[ Upstream commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ]
-
-I mistakenly added the code to release sk->sk_frag in
-sk_common_release() instead of sk_destruct()
-
-TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
-sk_common_release() at close time, thus leaking one (order-3) page.
-
-iSCSI is using such sockets.
-
-Fixes: 5640f7685831 ("net: use a per task frag allocator")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/core/sock.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index f4c0917e66b5..9f4c4473156a 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1459,6 +1459,11 @@ void sk_destruct(struct sock *sk)
-               pr_debug("%s: optmem leakage (%d bytes) detected\n",
-                        __func__, atomic_read(&sk->sk_omem_alloc));
-+      if (sk->sk_frag.page) {
-+              put_page(sk->sk_frag.page);
-+              sk->sk_frag.page = NULL;
-+      }
-+
-       if (sk->sk_peer_cred)
-               put_cred(sk->sk_peer_cred);
-       put_pid(sk->sk_peer_pid);
-@@ -2691,11 +2696,6 @@ void sk_common_release(struct sock *sk)
-       sk_refcnt_debug_release(sk);
--      if (sk->sk_frag.page) {
--              put_page(sk->sk_frag.page);
--              sk->sk_frag.page = NULL;
--      }
--
-       sock_put(sk);
- }
- EXPORT_SYMBOL(sk_common_release);
--- 
-2.12.2
-
-From ae43f9360a21b35cf785ae9a0fdce524d7af0938 Mon Sep 17 00:00:00 2001
-From: "Lendacky, Thomas" <Thomas.Lendacky@amd.com>
-Date: Wed, 15 Mar 2017 15:11:23 -0500
-Subject: [PATCH 137/251] amd-xgbe: Fix jumbo MTU processing on newer hardware
-Content-Length: 9733
-Lines: 284
-
-[ Upstream commit 622c36f143fc9566ba49d7cec994c2da1182d9e2 ]
-
-Newer hardware does not provide a cumulative payload length when multiple
-descriptors are needed to handle the data. Once the MTU increases beyond
-the size that can be handled by a single descriptor, the SKB does not get
-built properly by the driver.
-
-The driver will now calculate the size of the data buffers used by the
-hardware.  The first buffer of the first descriptor is for packet headers
-or packet headers and data when the headers can't be split. Subsequent
-descriptors in a multi-descriptor chain will not use the first buffer. The
-second buffer is used by all the descriptors in the chain for payload data.
-Based on whether the driver is processing the first, intermediate, or last
-descriptor it can calculate the buffer usage and build the SKB properly.
-
-Tested and verified on both old and new hardware.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/amd/xgbe/xgbe-common.h |   6 +-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c    |  20 +++---
- drivers/net/ethernet/amd/xgbe/xgbe-drv.c    | 102 +++++++++++++++++-----------
- 3 files changed, 78 insertions(+), 50 deletions(-)
-
-diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
-index b6fa89102526..66ba1e0ff37e 100644
---- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
-+++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
-@@ -913,8 +913,8 @@
- #define RX_PACKET_ATTRIBUTES_CSUM_DONE_WIDTH  1
- #define RX_PACKET_ATTRIBUTES_VLAN_CTAG_INDEX  1
- #define RX_PACKET_ATTRIBUTES_VLAN_CTAG_WIDTH  1
--#define RX_PACKET_ATTRIBUTES_INCOMPLETE_INDEX 2
--#define RX_PACKET_ATTRIBUTES_INCOMPLETE_WIDTH 1
-+#define RX_PACKET_ATTRIBUTES_LAST_INDEX               2
-+#define RX_PACKET_ATTRIBUTES_LAST_WIDTH               1
- #define RX_PACKET_ATTRIBUTES_CONTEXT_NEXT_INDEX       3
- #define RX_PACKET_ATTRIBUTES_CONTEXT_NEXT_WIDTH       1
- #define RX_PACKET_ATTRIBUTES_CONTEXT_INDEX    4
-@@ -923,6 +923,8 @@
- #define RX_PACKET_ATTRIBUTES_RX_TSTAMP_WIDTH  1
- #define RX_PACKET_ATTRIBUTES_RSS_HASH_INDEX   6
- #define RX_PACKET_ATTRIBUTES_RSS_HASH_WIDTH   1
-+#define RX_PACKET_ATTRIBUTES_FIRST_INDEX      7
-+#define RX_PACKET_ATTRIBUTES_FIRST_WIDTH      1
- #define RX_NORMAL_DESC0_OVT_INDEX             0
- #define RX_NORMAL_DESC0_OVT_WIDTH             16
-diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-index f6a7161e3b85..5e6238e0b2bd 100644
---- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-@@ -1658,10 +1658,15 @@ static int xgbe_dev_read(struct xgbe_channel *channel)
-       /* Get the header length */
-       if (XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, FD)) {
-+              XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-+                             FIRST, 1);
-               rdata->rx.hdr_len = XGMAC_GET_BITS_LE(rdesc->desc2,
-                                                     RX_NORMAL_DESC2, HL);
-               if (rdata->rx.hdr_len)
-                       pdata->ext_stats.rx_split_header_packets++;
-+      } else {
-+              XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-+                             FIRST, 0);
-       }
-       /* Get the RSS hash */
-@@ -1684,19 +1689,16 @@ static int xgbe_dev_read(struct xgbe_channel *channel)
-               }
-       }
--      /* Get the packet length */
--      rdata->rx.len = XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, PL);
--
--      if (!XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, LD)) {
--              /* Not all the data has been transferred for this packet */
--              XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
--                             INCOMPLETE, 1);
-+      /* Not all the data has been transferred for this packet */
-+      if (!XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, LD))
-               return 0;
--      }
-       /* This is the last of the data for this packet */
-       XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
--                     INCOMPLETE, 0);
-+                     LAST, 1);
-+
-+      /* Get the packet length */
-+      rdata->rx.len = XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, PL);
-       /* Set checksum done indicator as appropriate */
-       if (netdev->features & NETIF_F_RXCSUM)
-diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-index 53ce1222b11d..865b7e0b133b 100644
---- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-@@ -1760,13 +1760,12 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
- {
-       struct sk_buff *skb;
-       u8 *packet;
--      unsigned int copy_len;
-       skb = napi_alloc_skb(napi, rdata->rx.hdr.dma_len);
-       if (!skb)
-               return NULL;
--      /* Start with the header buffer which may contain just the header
-+      /* Pull in the header buffer which may contain just the header
-        * or the header plus data
-        */
-       dma_sync_single_range_for_cpu(pdata->dev, rdata->rx.hdr.dma_base,
-@@ -1775,30 +1774,49 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
-       packet = page_address(rdata->rx.hdr.pa.pages) +
-                rdata->rx.hdr.pa.pages_offset;
--      copy_len = (rdata->rx.hdr_len) ? rdata->rx.hdr_len : len;
--      copy_len = min(rdata->rx.hdr.dma_len, copy_len);
--      skb_copy_to_linear_data(skb, packet, copy_len);
--      skb_put(skb, copy_len);
--
--      len -= copy_len;
--      if (len) {
--              /* Add the remaining data as a frag */
--              dma_sync_single_range_for_cpu(pdata->dev,
--                                            rdata->rx.buf.dma_base,
--                                            rdata->rx.buf.dma_off,
--                                            rdata->rx.buf.dma_len,
--                                            DMA_FROM_DEVICE);
--
--              skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
--                              rdata->rx.buf.pa.pages,
--                              rdata->rx.buf.pa.pages_offset,
--                              len, rdata->rx.buf.dma_len);
--              rdata->rx.buf.pa.pages = NULL;
--      }
-+      skb_copy_to_linear_data(skb, packet, len);
-+      skb_put(skb, len);
-       return skb;
- }
-+static unsigned int xgbe_rx_buf1_len(struct xgbe_ring_data *rdata,
-+                                   struct xgbe_packet_data *packet)
-+{
-+      /* Always zero if not the first descriptor */
-+      if (!XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES, FIRST))
-+              return 0;
-+
-+      /* First descriptor with split header, return header length */
-+      if (rdata->rx.hdr_len)
-+              return rdata->rx.hdr_len;
-+
-+      /* First descriptor but not the last descriptor and no split header,
-+       * so the full buffer was used
-+       */
-+      if (!XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES, LAST))
-+              return rdata->rx.hdr.dma_len;
-+
-+      /* First descriptor and last descriptor and no split header, so
-+       * calculate how much of the buffer was used
-+       */
-+      return min_t(unsigned int, rdata->rx.hdr.dma_len, rdata->rx.len);
-+}
-+
-+static unsigned int xgbe_rx_buf2_len(struct xgbe_ring_data *rdata,
-+                                   struct xgbe_packet_data *packet,
-+                                   unsigned int len)
-+{
-+      /* Always the full buffer if not the last descriptor */
-+      if (!XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES, LAST))
-+              return rdata->rx.buf.dma_len;
-+
-+      /* Last descriptor so calculate how much of the buffer was used
-+       * for the last bit of data
-+       */
-+      return rdata->rx.len - len;
-+}
-+
- static int xgbe_tx_poll(struct xgbe_channel *channel)
- {
-       struct xgbe_prv_data *pdata = channel->pdata;
-@@ -1881,8 +1899,8 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
-       struct napi_struct *napi;
-       struct sk_buff *skb;
-       struct skb_shared_hwtstamps *hwtstamps;
--      unsigned int incomplete, error, context_next, context;
--      unsigned int len, rdesc_len, max_len;
-+      unsigned int last, error, context_next, context;
-+      unsigned int len, buf1_len, buf2_len, max_len;
-       unsigned int received = 0;
-       int packet_count = 0;
-@@ -1892,7 +1910,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
-       if (!ring)
-               return 0;
--      incomplete = 0;
-+      last = 0;
-       context_next = 0;
-       napi = (pdata->per_channel_irq) ? &channel->napi : &pdata->napi;
-@@ -1926,9 +1944,8 @@ read_again:
-               received++;
-               ring->cur++;
--              incomplete = XGMAC_GET_BITS(packet->attributes,
--                                          RX_PACKET_ATTRIBUTES,
--                                          INCOMPLETE);
-+              last = XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-+                                    LAST);
-               context_next = XGMAC_GET_BITS(packet->attributes,
-                                             RX_PACKET_ATTRIBUTES,
-                                             CONTEXT_NEXT);
-@@ -1937,7 +1954,7 @@ read_again:
-                                        CONTEXT);
-               /* Earlier error, just drain the remaining data */
--              if ((incomplete || context_next) && error)
-+              if ((!last || context_next) && error)
-                       goto read_again;
-               if (error || packet->errors) {
-@@ -1949,16 +1966,22 @@ read_again:
-               }
-               if (!context) {
--                      /* Length is cumulative, get this descriptor's length */
--                      rdesc_len = rdata->rx.len - len;
--                      len += rdesc_len;
-+                      /* Get the data length in the descriptor buffers */
-+                      buf1_len = xgbe_rx_buf1_len(rdata, packet);
-+                      len += buf1_len;
-+                      buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
-+                      len += buf2_len;
--                      if (rdesc_len && !skb) {
-+                      if (!skb) {
-                               skb = xgbe_create_skb(pdata, napi, rdata,
--                                                    rdesc_len);
--                              if (!skb)
-+                                                    buf1_len);
-+                              if (!skb) {
-                                       error = 1;
--                      } else if (rdesc_len) {
-+                                      goto skip_data;
-+                              }
-+                      }
-+
-+                      if (buf2_len) {
-                               dma_sync_single_range_for_cpu(pdata->dev,
-                                                       rdata->rx.buf.dma_base,
-                                                       rdata->rx.buf.dma_off,
-@@ -1968,13 +1991,14 @@ read_again:
-                               skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
-                                               rdata->rx.buf.pa.pages,
-                                               rdata->rx.buf.pa.pages_offset,
--                                              rdesc_len,
-+                                              buf2_len,
-                                               rdata->rx.buf.dma_len);
-                               rdata->rx.buf.pa.pages = NULL;
-                       }
-               }
--              if (incomplete || context_next)
-+skip_data:
-+              if (!last || context_next)
-                       goto read_again;
-               if (!skb)
-@@ -2033,7 +2057,7 @@ next_packet:
-       }
-       /* Check if we need to save state before leaving */
--      if (received && (incomplete || context_next)) {
-+      if (received && (!last || context_next)) {
-               rdata = XGBE_GET_DESC_DATA(ring, ring->cur);
-               rdata->state_saved = 1;
-               rdata->state.skb = skb;
--- 
-2.12.2
-
-From 610c6bcc5fcfb6d02d63cfded2375a829df7faba Mon Sep 17 00:00:00 2001
-From: Andrey Ulanov <andreyu@google.com>
-Date: Tue, 14 Mar 2017 20:16:42 -0700
-Subject: [PATCH 138/251] net: unix: properly re-increment inflight counter of
- GC discarded candidates
-Content-Length: 4671
-Lines: 107
-
-[ Upstream commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 ]
-
-Dmitry has reported that a BUG_ON() condition in unix_notinflight()
-may be triggered by a simple code that forwards unix socket in an
-SCM_RIGHTS message.
-That is caused by incorrect unix socket GC implementation in unix_gc().
-
-The GC first collects list of candidates, then (a) decrements their
-"children's" inflight counter, (b) checks which inflight counters are
-now 0, and then (c) increments all inflight counters back.
-(a) and (c) are done by calling scan_children() with inc_inflight or
-dec_inflight as the second argument.
-
-Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
-collector") changed scan_children() such that it no longer considers
-sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
-of code that that unsets this flag _before_ invoking
-scan_children(, dec_iflight, ). This may lead to incorrect inflight
-counters for some sockets.
-
-This change fixes this bug by changing order of operations:
-UNIX_GC_CANDIDATE is now unset only after all inflight counters are
-restored to the original state.
-
-  kernel BUG at net/unix/garbage.c:149!
-  RIP: 0010:[<ffffffff8717ebf4>]  [<ffffffff8717ebf4>]
-  unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
-  Call Trace:
-   [<ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
-   [<ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
-   [<ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
-   [<ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
-   [<ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
-   [<ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
-   [<ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
-   [<ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
-   [<ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
-   [<ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
-   [<ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
-   [<ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
-   [<ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
-   [<     inline     >] exit_task_work include/linux/task_work.h:21
-   [<ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
-   [<ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
-   [<ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
-   [<ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
-   [<ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
-  arch/x86/entry/common.c:156
-   [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
-   [<ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
-  arch/x86/entry/common.c:259
-   [<ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
-
-Link: https://lkml.org/lkml/2017/3/6/252
-Signed-off-by: Andrey Ulanov <andreyu@google.com>
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/unix/garbage.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index 6a0d48525fcf..c36757e72844 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -146,6 +146,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
-       if (s) {
-               struct unix_sock *u = unix_sk(s);
-+              BUG_ON(!atomic_long_read(&u->inflight));
-               BUG_ON(list_empty(&u->link));
-               if (atomic_long_dec_and_test(&u->inflight))
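Review bot: The added `BUG_ON(!atomic_long_read(&u->inflight))` carries no comment saying what invariant it protects, and a failure here halts the machine. The commit description says the neighbouring assertion was reachable from ordinary code passing a socket over SCM_RIGHTS. A line such as `/* inflight must be non-zero before the decrement below; zero means GC accounting is already inconsistent */` would tell whoever triages the resulting oops what to look for. If the callers can tolerate it, a `WARN_ON_ONCE()` with an early exit would limit the impact to the affected socket, but the locking around this block is outside the hunk, so that needs checking against the full function.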
-@@ -341,6 +342,14 @@ void unix_gc(void)
-       }
-       list_del(&cursor);
-+      /* Now gc_candidates contains only garbage.  Restore original
-+       * inflight counters for these as well, and remove the skbuffs
-+       * which are creating the cycle(s).
-+       */
-+      skb_queue_head_init(&hitlist);
-+      list_for_each_entry(u, &gc_candidates, link)
-+              scan_children(&u->sk, inc_inflight, &hitlist);
-+
-       /* not_cycle_list contains those sockets which do not make up a
-        * cycle.  Restore these to the inflight list.
-        */
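Review bot: The relocated block in unix_gc() is now order-dependent, but its comment is carried over unchanged and does not say so. Per the commit description, scan_children() ignores sockets without UNIX_GC_CANDIDATE, and the not_cycle_list handling that follows is where that flag gets cleared. The restore pass therefore has to stay above it, and a later cleanup could move it back without any visible warning. I would extend the comment with `Must run before the not_cycle_list loop clears UNIX_GC_CANDIDATE, since scan_children() skips sockets without the flag.` The flag-clearing code itself is outside this hunk, so the wording should be confirmed against the full function.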
-@@ -350,14 +359,6 @@ void unix_gc(void)
-               list_move_tail(&u->link, &gc_inflight_list);
-       }
--      /* Now gc_candidates contains only garbage.  Restore original
--       * inflight counters for these as well, and remove the skbuffs
--       * which are creating the cycle(s).
--       */
--      skb_queue_head_init(&hitlist);
--      list_for_each_entry(u, &gc_candidates, link)
--      scan_children(&u->sk, inc_inflight, &hitlist);
--
-       spin_unlock(&unix_gc_lock);
-       /* Here we are. Hitlist is filled. Die. */
--- 
-2.12.2
-
-From 9d1894cba25c06b061565da6934ab43f446d3c69 Mon Sep 17 00:00:00 2001
-From: Maor Gottlieb <maorg@mellanox.com>
-Date: Tue, 21 Mar 2017 15:59:17 +0200
-Subject: [PATCH 139/251] net/mlx5: Increase number of max QPs in default
- profile
-Content-Length: 1120
-Lines: 30
-
-[ Upstream commit 5f40b4ed975c26016cf41953b7510fe90718e21c ]
-
-With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
-limit preventing some applications to allocate needed QPs amount.
-Double the size to 256K.
-
-Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
-Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
-Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
-index ba115ec7aa92..1e611980cf99 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
-@@ -85,7 +85,7 @@ static struct mlx5_profile profile[] = {
-       [2] = {
-               .mask           = MLX5_PROF_MASK_QP_SIZE |
-                                 MLX5_PROF_MASK_MR_CACHE,
--              .log_max_qp     = 17,
-+              .log_max_qp     = 18,
-               .mr_cache[0]    = {
-                       .size   = 500,
-                       .limit  = 250
--- 
-2.12.2
-
-From fdcee7c1e2f8c6f46f26010b133ed963b620da2b Mon Sep 17 00:00:00 2001
-From: Gal Pressman <galp@mellanox.com>
-Date: Tue, 21 Mar 2017 15:59:19 +0200
-Subject: [PATCH 140/251] net/mlx5e: Count LRO packets correctly
-Content-Length: 1894
-Lines: 50
-
-[ Upstream commit 8ab7e2ae15d84ba758b2c8c6f4075722e9bd2a08 ]
-
-RX packets statistics ('rx_packets' counter) used to count LRO packets
-as one, even though it contains multiple segments.
-This patch will increment the counter by the number of segments, and
-align the driver with the behavior of other drivers in the stack.
-
-Note that no information is lost in this patch due to 'rx_lro_packets'
-counter existence.
-
-Before, ethtool showed:
-$ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
-     rx_packets: 435277
-     rx_lro_packets: 35847
-     rx_packets_phy: 1935066
-
-Now, we will see the more logical statistics:
-$ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
-     rx_packets: 1935066
-     rx_lro_packets: 35847
-     rx_packets_phy: 1935066
-
-Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files")
-Signed-off-by: Gal Pressman <galp@mellanox.com>
-Cc: kernel-team@fb.com
-Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
-index cf0098596e85..e9408f5e2a1d 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
-@@ -197,6 +197,10 @@ static inline void mlx5e_build_rx_skb(struct mlx5_cqe64 *cqe,
-       if (lro_num_seg > 1) {
-               mlx5e_lro_update_hdr(skb, cqe);
-               skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt, lro_num_seg);
-+              /* Subtract one since we already counted this as one
-+               * "regular" packet in mlx5e_complete_rx_cqe()
-+               */
-+              rq->stats.packets += lro_num_seg - 1;
-               rq->stats.lro_packets++;
-               rq->stats.lro_bytes += cqe_bcnt;
-       }
--- 
-2.12.2
-
-From 85f00dac91a1047b57e600df9636c8408f70001f Mon Sep 17 00:00:00 2001
-From: Doug Berger <opendmb@gmail.com>
-Date: Tue, 21 Mar 2017 14:01:06 -0700
-Subject: [PATCH 141/251] net: bcmgenet: remove bcmgenet_internal_phy_setup()
-Content-Length: 3576
-Lines: 81
-
-[ Upstream commit 31739eae738ccbe8b9d627c3f2251017ca03f4d2 ]
-
-Commit 6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset")
-removed the bcmgenet_mii_reset() function from bcmgenet_power_up() and
-bcmgenet_internal_phy_setup() functions.  In so doing it broke the reset
-of the internal PHY devices used by the GENETv1-GENETv3 which required
-this reset before the UniMAC was enabled.  It also broke the internal
-GPHY devices used by the GENETv4 because the config_init that installed
-the AFE workaround was no longer occurring after the reset of the GPHY
-performed by bcmgenet_phy_power_set() in bcmgenet_internal_phy_setup().
-In addition the code in bcmgenet_internal_phy_setup() related to the
-"enable APD" comment goes with the bcmgenet_mii_reset() so it should
-have also been removed.
-
-Commit bd4060a6108b ("net: bcmgenet: Power on integrated GPHY in
-bcmgenet_power_up()") moved the bcmgenet_phy_power_set() call to the
-bcmgenet_power_up() function, but failed to remove it from the
-bcmgenet_internal_phy_setup() function.  Had it done so, the
-bcmgenet_internal_phy_setup() function would have been empty and could
-have been removed at that time.
-
-Commit 5dbebbb44a6a ("net: bcmgenet: Software reset EPHY after power on")
-was submitted to correct the functional problems introduced by
-commit 6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset"). It
-was included in v4.4 and made available on 4.3-stable. Unfortunately,
-it didn't fully revert the commit because this bcmgenet_mii_reset()
-doesn't apply the soft reset to the internal GPHY used by GENETv4 like
-the previous one did. This prevents the restoration of the AFE work-
-arounds for internal GPHY devices after the bcmgenet_phy_power_set() in
-bcmgenet_internal_phy_setup().
-
-This commit takes the alternate approach of removing the unnecessary
-bcmgenet_internal_phy_setup() function which shouldn't have been in v4.3
-so that when bcmgenet_mii_reset() was restored it should have only gone
-into bcmgenet_power_up().  This will avoid the problems while also
-removing the redundancy (and hopefully some of the confusion).
-
-Fixes: 6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset")
-Signed-off-by: Doug Berger <opendmb@gmail.com>
-Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/broadcom/genet/bcmmii.c | 15 ---------------
- 1 file changed, 15 deletions(-)
-
-diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
-index 8bdfe53754ba..e96d1f95bb47 100644
---- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
-+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
-@@ -220,20 +220,6 @@ void bcmgenet_phy_power_set(struct net_device *dev, bool enable)
-       udelay(60);
- }
--static void bcmgenet_internal_phy_setup(struct net_device *dev)
--{
--      struct bcmgenet_priv *priv = netdev_priv(dev);
--      u32 reg;
--
--      /* Power up PHY */
--      bcmgenet_phy_power_set(dev, true);
--      /* enable APD */
--      reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
--      reg |= EXT_PWR_DN_EN_LD;
--      bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
--      bcmgenet_mii_reset(dev);
--}
--
- static void bcmgenet_moca_phy_setup(struct bcmgenet_priv *priv)
- {
-       u32 reg;
-@@ -281,7 +267,6 @@ int bcmgenet_mii_config(struct net_device *dev)
-               if (priv->internal_phy) {
-                       phy_name = "internal PHY";
--                      bcmgenet_internal_phy_setup(dev);
-               } else if (priv->phy_interface == PHY_INTERFACE_MODE_MOCA) {
-                       phy_name = "MoCA";
-                       bcmgenet_moca_phy_setup(priv);
--- 
-2.12.2
-
-From 38dece41e5be77478b333db580b5e171b136befa Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 21 Mar 2017 19:22:28 -0700
-Subject: [PATCH 142/251] ipv4: provide stronger user input validation in
- nl_fib_input()
-Content-Length: 1155
-Lines: 35
-
-[ Upstream commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b ]
-
-Alexander reported a KMSAN splat caused by reads of uninitialized
-field (tb_id_in) from user provided struct fib_result_nl
-
-It turns out nl_fib_input() sanity tests on user input is a bit
-wrong :
-
-User can pretend nlh->nlmsg_len is big enough, but provide
-at sendmsg() time a too small buffer.
-
-Reported-by: Alexander Potapenko <glider@google.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/fib_frontend.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
-index 4e60dae86df5..1adba44f8fbc 100644
---- a/net/ipv4/fib_frontend.c
-+++ b/net/ipv4/fib_frontend.c
-@@ -1080,7 +1080,8 @@ static void nl_fib_input(struct sk_buff *skb)
-       net = sock_net(skb->sk);
-       nlh = nlmsg_hdr(skb);
--      if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len ||
-+      if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
-+          skb->len < nlh->nlmsg_len ||
-           nlmsg_len(nlh) < sizeof(*frn))
-               return;
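Review bot: The third clause, `nlmsg_len(nlh) < sizeof(*frn)`, compares what is a signed int in mainline against a size_t, so a header whose `nlmsg_len` is below NLMSG_HDRLEN converts to a large unsigned value and passes. The new first clause already guarantees the skb holds a full header plus `*frn`, so this looks like a validation gap rather than an out-of-bounds read. The message's own length claim is still not checked the way the condition reads, though. Comparing the raw field, `nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frn))`, would express the intent without the signed-to-unsigned conversion. nl_fib_input() continues outside the hunk, so how `frn` is consumed afterwards is not visible here.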
--- 
-2.12.2
-
-From 95aa915c2f04c27bb3935c8b9446435f40f17f9d Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Wed, 22 Mar 2017 13:08:08 +0100
-Subject: [PATCH 143/251] socket, bpf: fix sk_filter use after free in
- sk_clone_lock
-Content-Length: 2672
-Lines: 61
-
-[ Upstream commit a97e50cc4cb67e1e7bff56f6b41cda62ca832336 ]
-
-In sk_clone_lock(), we create a new socket and inherit most of the
-parent's members via sock_copy() which memcpy()'s various sections.
-Now, in case the parent socket had a BPF socket filter attached,
-then newsk->sk_filter points to the same instance as the original
-sk->sk_filter.
-
-sk_filter_charge() is then called on the newsk->sk_filter to take a
-reference and should that fail due to hitting max optmem, we bail
-out and release the newsk instance.
-
-The issue is that commit 278571baca2a ("net: filter: simplify socket
-charging") wrongly combined the dismantle path with the failure path
-of xfrm_sk_clone_policy(). This means, even when charging failed, we
-call sk_free_unlock_clone() on the newsk, which then still points to
-the same sk_filter as the original sk.
-
-Thus, sk_free_unlock_clone() calls into __sk_destruct() eventually
-where it tests for present sk_filter and calls sk_filter_uncharge()
-on it, which potentially lets sk_omem_alloc wrap around and releases
-the eBPF prog and sk_filter structure from the (still intact) parent.
-
-Fix it by making sure that when sk_filter_charge() failed, we reset
-newsk->sk_filter back to NULL before passing to sk_free_unlock_clone(),
-so that we don't mess with the parents sk_filter.
-
-Only if xfrm_sk_clone_policy() fails, we did reach the point where
-either the parent's filter was NULL and as a result newsk's as well
-or where we previously had a successful sk_filter_charge(), thus for
-that case, we do need sk_filter_uncharge() to release the prior taken
-reference on sk_filter.
-
-Fixes: 278571baca2a ("net: filter: simplify socket charging")
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/core/sock.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 9f4c4473156a..9c708a5fb751 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1557,6 +1557,12 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
-                       is_charged = sk_filter_charge(newsk, filter);
-               if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
-+                      /* We need to make sure that we don't uncharge the new
-+                       * socket if we couldn't charge it in the first place
-+                       * as otherwise we uncharge the parent's filter.
-+                       */
-+                      if (!is_charged)
-+                              RCU_INIT_POINTER(newsk->sk_filter, NULL);
-                       /* It is still raw copy of parent, so invalidate
-                        * destructor and make plain sk_free() */
-                       newsk->sk_destruct = NULL;
--- 
-2.12.2
-
-From afaed241928f029e788bbbeed26b2b530ba7cd1a Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Wed, 22 Mar 2017 08:10:21 -0700
-Subject: [PATCH 144/251] tcp: initialize icsk_ack.lrcvtime at session start
- time
-Content-Length: 1952
-Lines: 53
-
-[ Upstream commit 15bb7745e94a665caf42bfaabf0ce062845b533b ]
-
-icsk_ack.lrcvtime has a 0 value at socket creation time.
-
-tcpi_last_data_recv can have bogus value if no payload is ever received.
-
-This patch initializes icsk_ack.lrcvtime for active sessions
-in tcp_finish_connect(), and for passive sessions in
-tcp_create_openreq_child()
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_input.c     | 2 +-
- net/ipv4/tcp_minisocks.c | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 7cc0f8aac28f..818630cec54f 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -5435,6 +5435,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
-       struct inet_connection_sock *icsk = inet_csk(sk);
-       tcp_set_state(sk, TCP_ESTABLISHED);
-+      icsk->icsk_ack.lrcvtime = tcp_time_stamp;
-       if (skb) {
-               icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
-@@ -5647,7 +5648,6 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
-                        * to stand against the temptation 8)     --ANK
-                        */
-                       inet_csk_schedule_ack(sk);
--                      icsk->icsk_ack.lrcvtime = tcp_time_stamp;
-                       tcp_enter_quickack_mode(sk);
-                       inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
-                                                 TCP_DELACK_MAX, TCP_RTO_MAX);
-diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
-index 9475a2748a9a..019db68bdb9f 100644
---- a/net/ipv4/tcp_minisocks.c
-+++ b/net/ipv4/tcp_minisocks.c
-@@ -472,6 +472,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
-               newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
-               newtp->rtt_min[0].rtt = ~0U;
-               newicsk->icsk_rto = TCP_TIMEOUT_INIT;
-+              newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
-               newtp->packets_out = 0;
-               newtp->retrans_out = 0;
--- 
-2.12.2
-
-From 9ac7bd114e13628467c037066786775a357d91d6 Mon Sep 17 00:00:00 2001
-From: Matjaz Hegedic <matjaz.hegedic@gmail.com>
-Date: Fri, 10 Mar 2017 14:33:09 -0800
-Subject: [PATCH 145/251] Input: elan_i2c - add ASUS EeeBook X205TA special
- touchpad fw
-Content-Length: 1524
-Lines: 50
-
-commit 92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream.
-
-EeeBook X205TA is yet another ASUS device with a special touchpad
-firmware that needs to be accounted for during initialization, or
-else the touchpad will go into an invalid state upon suspend/resume.
-Adding the appropriate ic_type and product_id check fixes the problem.
-
-Signed-off-by: Matjaz Hegedic <matjaz.hegedic@gmail.com>
-Acked-by: KT Liao <kt.liao@emc.com.tw>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/mouse/elan_i2c_core.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
-index ed1935f300a7..da5458dfb1e3 100644
---- a/drivers/input/mouse/elan_i2c_core.c
-+++ b/drivers/input/mouse/elan_i2c_core.c
-@@ -218,17 +218,19 @@ static int elan_query_product(struct elan_tp_data *data)
- static int elan_check_ASUS_special_fw(struct elan_tp_data *data)
- {
--      if (data->ic_type != 0x0E)
--              return false;
--
--      switch (data->product_id) {
--      case 0x05 ... 0x07:
--      case 0x09:
--      case 0x13:
-+      if (data->ic_type == 0x0E) {
-+              switch (data->product_id) {
-+              case 0x05 ... 0x07:
-+              case 0x09:
-+              case 0x13:
-+                      return true;
-+              }
-+      } else if (data->ic_type == 0x08 && data->product_id == 0x26) {
-+              /* ASUS EeeBook X205TA */
-               return true;
--      default:
--              return false;
-       }
-+
-+      return false;
- }
- static int __elan_initialize(struct elan_tp_data *data)
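Review bot: elan_check_ASUS_special_fw() is declared `static int` but every path in the rewritten body returns `true` or `false`; since the body is being restructured anyway, the signature should become `static bool elan_check_ASUS_special_fw(struct elan_tp_data *data)`. The callers are outside the hunk, so confirm they only use the result in a boolean context. The new `0x08`/`0x26` branch names its device in a comment, while the `0x0E` branch with product ids `0x05 ... 0x07`, `0x09` and `0x13` does not. A short comment there listing the affected models would keep the table maintainable as more special-firmware devices are added.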
--- 
-2.12.2
-
-From 5f9243e4fca610599c30b552baacdcffc76ea7af Mon Sep 17 00:00:00 2001
-From: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Date: Tue, 7 Mar 2017 09:31:29 -0800
-Subject: [PATCH 146/251] Input: i8042 - add noloop quirk for Dell Embedded Box
- PC 3000
-Content-Length: 1172
-Lines: 36
-
-commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.
-
-The aux port does not get detected without noloop quirk, so external PS/2
-mouse cannot work as result.
-
-The PS/2 mouse can work with this quirk.
-
-BugLink: https://bugs.launchpad.net/bugs/1591053
-Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
-index 0cdd95801a25..25eab453f2b2 100644
---- a/drivers/input/serio/i8042-x86ia64io.h
-+++ b/drivers/input/serio/i8042-x86ia64io.h
-@@ -120,6 +120,13 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
-               },
-       },
-       {
-+              /* Dell Embedded Box PC 3000 */
-+              .matches = {
-+                      DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+                      DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"),
-+              },
-+      },
-+      {
-               /* OQO Model 01 */
-               .matches = {
-                       DMI_MATCH(DMI_SYS_VENDOR, "OQO"),
--- 
-2.12.2
-
-From a07d3669654ad335c19df048199da0a063e0c387 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:34:02 -0700
-Subject: [PATCH 147/251] Input: iforce - validate number of endpoints before
- using them
-Content-Length: 1031
-Lines: 29
-
-commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer or accessing memory that lie beyond the end of the endpoint
-array should a malicious device lack the expected endpoints.
-
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/joystick/iforce/iforce-usb.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/input/joystick/iforce/iforce-usb.c b/drivers/input/joystick/iforce/iforce-usb.c
-index d96aa27dfcdc..db64adfbe1af 100644
---- a/drivers/input/joystick/iforce/iforce-usb.c
-+++ b/drivers/input/joystick/iforce/iforce-usb.c
-@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_interface *intf,
-       interface = intf->cur_altsetting;
-+      if (interface->desc.bNumEndpoints < 2)
-+              return -ENODEV;
-+
-       epirq = &interface->endpoint[0].desc;
-       epout = &interface->endpoint[1].desc;
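Review bot: The added `bNumEndpoints < 2` guard in iforce_usb_probe() bounds the two array indexes, but nothing in this hunk checks that `endpoint[0]` and `endpoint[1]` have the transfer type and direction the driver later assumes. The yealink and cm109 hunks in this same series follow their count check with `usb_endpoint_is_int_in(endpoint)`. An equivalent here, assuming both are interrupt endpoints, would be `if (!usb_endpoint_is_int_in(epirq) || !usb_endpoint_is_int_out(epout)) return -ENODEV;`. The ims-pcu hunk has the same count-only pattern for `endpoint[0]`. The probe function continues outside the hunk, so a type check may already exist further down.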
--- 
-2.12.2
-
-From 6bed7c1e2b78e58adab2e8448f3e6799857b5726 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:36:13 -0700
-Subject: [PATCH 148/251] Input: ims-pcu - validate number of endpoints before
- using them
-Content-Length: 1032
-Lines: 30
-
-commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack control-interface endpoints.
-
-Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/misc/ims-pcu.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
-index 9c0ea36913b4..f4e8fbec6a94 100644
---- a/drivers/input/misc/ims-pcu.c
-+++ b/drivers/input/misc/ims-pcu.c
-@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
-               return -EINVAL;
-       alt = pcu->ctrl_intf->cur_altsetting;
-+
-+      if (alt->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       pcu->ep_ctrl = &alt->endpoint[0].desc;
-       pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
--- 
-2.12.2
-
-From 0812c6855c89d905e34e88166570cae4a401b23a Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:39:29 -0700
-Subject: [PATCH 149/251] Input: hanwang - validate number of endpoints before
- using them
-Content-Length: 1020
-Lines: 29
-
-commit ba340d7b83703768ce566f53f857543359aa1b98 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/tablet/hanwang.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/input/tablet/hanwang.c b/drivers/input/tablet/hanwang.c
-index cd852059b99e..df4bea96d7ed 100644
---- a/drivers/input/tablet/hanwang.c
-+++ b/drivers/input/tablet/hanwang.c
-@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id
-       int error;
-       int i;
-+      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL);
-       input_dev = input_allocate_device();
-       if (!hanwang || !input_dev) {
--- 
-2.12.2
-
-From e916f1d6188ef765303b4f74387d7e92d49a5be6 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:37:01 -0700
-Subject: [PATCH 150/251] Input: yealink - validate number of endpoints before
- using them
-Content-Length: 1017
-Lines: 30
-
-commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/misc/yealink.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/input/misc/yealink.c b/drivers/input/misc/yealink.c
-index 79c964c075f1..6e7ff9561d92 100644
---- a/drivers/input/misc/yealink.c
-+++ b/drivers/input/misc/yealink.c
-@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
-       int ret, pipe, i;
-       interface = intf->cur_altsetting;
-+
-+      if (interface->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       endpoint = &interface->endpoint[0].desc;
-       if (!usb_endpoint_is_int_in(endpoint))
-               return -ENODEV;
--- 
-2.12.2
-
-From c05490638ddfffa35d2fb03c1852f9013757a9e1 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:35:12 -0700
-Subject: [PATCH 151/251] Input: cm109 - validate number of endpoints before
- using them
-Content-Length: 976
-Lines: 30
-
-commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/misc/cm109.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/input/misc/cm109.c b/drivers/input/misc/cm109.c
-index 9365535ba7f1..50a7faa504f7 100644
---- a/drivers/input/misc/cm109.c
-+++ b/drivers/input/misc/cm109.c
-@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_interface *intf,
-       int error = -ENOMEM;
-       interface = intf->cur_altsetting;
-+
-+      if (interface->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       endpoint = &interface->endpoint[0].desc;
-       if (!usb_endpoint_is_int_in(endpoint))
--- 
-2.12.2
-
-From b3c4c0c470b58dd4a5e40e11ccd9fea7fbbfa799 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:41:55 -0700
-Subject: [PATCH 152/251] Input: kbtab - validate number of endpoints before
- using them
-Content-Length: 972
-Lines: 28
-
-commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/tablet/kbtab.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/input/tablet/kbtab.c b/drivers/input/tablet/kbtab.c
-index d2ac7c2b5b82..2812f9236b7d 100644
---- a/drivers/input/tablet/kbtab.c
-+++ b/drivers/input/tablet/kbtab.c
-@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *i
-       struct input_dev *input_dev;
-       int error = -ENOMEM;
-+      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
-       input_dev = input_allocate_device();
-       if (!kbtab || !input_dev)
--- 
-2.12.2
-
-From 549993001e7de0553d85c9022dc41d5b3ff7d1ff Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Thu, 16 Mar 2017 11:43:09 -0700
-Subject: [PATCH 153/251] Input: sur40 - validate number of endpoints before
- using them
-Content-Length: 1132
-Lines: 30
-
-commit 92461f5d723037530c1f36cce93640770037812c upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer or accessing memory that lie beyond the end of the endpoint
-array should a malicious device lack the expected endpoints.
-
-Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/input/touchscreen/sur40.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c
-index 45b466e3bbe8..0146e2c74649 100644
---- a/drivers/input/touchscreen/sur40.c
-+++ b/drivers/input/touchscreen/sur40.c
-@@ -500,6 +500,9 @@ static int sur40_probe(struct usb_interface *interface,
-       if (iface_desc->desc.bInterfaceClass != 0xFF)
-               return -ENODEV;
-+      if (iface_desc->desc.bNumEndpoints < 5)
-+              return -ENODEV;
-+
-       /* Use endpoint #4 (0x86). */
-       endpoint = &iface_desc->endpoint[4].desc;
-       if (endpoint->bEndpointAddress != TOUCH_ENDPOINT)
--- 
-2.12.2
-
-From 8f0f081647cc1c7e7ce6bea99a3b2ebb3604b1f1 Mon Sep 17 00:00:00 2001
-From: Dan Williams <dcbw@redhat.com>
-Date: Thu, 9 Mar 2017 11:32:28 -0600
-Subject: [PATCH 157/251] USB: serial: option: add Quectel UC15, UC20, EC21,
- and EC25 modems
-Status: RO
-Content-Length: 2146
-Lines: 50
-
-commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream.
-
-Add Quectel UC15, UC20, EC21, and EC25.  The EC20 is handled by
-qcserial due to a USB VID/PID conflict with an existing Acer
-device.
-
-Signed-off-by: Dan Williams <dcbw@redhat.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/serial/option.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
-index 42cc72e54c05..af67a0de6b5d 100644
---- a/drivers/usb/serial/option.c
-+++ b/drivers/usb/serial/option.c
-@@ -233,6 +233,14 @@ static void option_instat_callback(struct urb *urb);
- #define BANDRICH_PRODUCT_1012                 0x1012
- #define QUALCOMM_VENDOR_ID                    0x05C6
-+/* These Quectel products use Qualcomm's vendor ID */
-+#define QUECTEL_PRODUCT_UC20                  0x9003
-+#define QUECTEL_PRODUCT_UC15                  0x9090
-+
-+#define QUECTEL_VENDOR_ID                     0x2c7c
-+/* These Quectel products use Quectel's vendor ID */
-+#define QUECTEL_PRODUCT_EC21                  0x0121
-+#define QUECTEL_PRODUCT_EC25                  0x0125
- #define CMOTECH_VENDOR_ID                     0x16d8
- #define CMOTECH_PRODUCT_6001                  0x6001
-@@ -1161,7 +1169,14 @@ static const struct usb_device_id option_ids[] = {
-       { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
-       { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
-       { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
--      { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */
-+      /* Quectel products using Qualcomm vendor ID */
-+      { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
-+      { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
-+        .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
-+      /* Quectel products using Quectel vendor ID */
-+      { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
-+        .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
-+      { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
-         .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
-       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
-       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
--- 
-2.12.2
-
-From 19f0fe67b9d04580c377efc568cc8630a5af06b4 Mon Sep 17 00:00:00 2001
-From: Oliver Neukum <oneukum@suse.com>
-Date: Tue, 14 Mar 2017 12:09:56 +0100
-Subject: [PATCH 159/251] ACM gadget: fix endianness in notifications
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 1317
-Lines: 36
-
-commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream.
-
-The gadget code exports the bitfield for serial status changes
-over the wire in its internal endianness. The fix is to convert
-to little endian before sending it over the wire.
-
-Signed-off-by: Oliver Neukum <oneukum@suse.com>
-Tested-by: 家瑋 <momo1208@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/function/f_acm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_acm.c b/drivers/usb/gadget/function/f_acm.c
-index 2fa1e80a3ce7..67e474b13fca 100644
---- a/drivers/usb/gadget/function/f_acm.c
-+++ b/drivers/usb/gadget/function/f_acm.c
-@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struct f_acm *acm)
- {
-       struct usb_composite_dev *cdev = acm->port.func.config->cdev;
-       int                     status;
-+      __le16                  serial_state;
-       spin_lock(&acm->lock);
-       if (acm->notify_req) {
-               dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n",
-                       acm->port_num, acm->serial_state);
-+              serial_state = cpu_to_le16(acm->serial_state);
-               status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE,
--                              0, &acm->serial_state, sizeof(acm->serial_state));
-+                              0, &serial_state, sizeof(acm->serial_state));
-       } else {
-               acm->pending = true;
-               status = 0;
--- 
-2.12.2
-
-From 815321da2e267c5c44a2900b39ac92632a9d6e80 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:47:53 +0100
-Subject: [PATCH 168/251] uwb: i1480-dfu: fix NULL-deref at probe
-Content-Length: 1114
-Lines: 33
-
-commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Note that the dereference happens in the cmd and wait_init_done
-callbacks which are called during probe.
-
-Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
-Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
-Cc: David Vrabel <david.vrabel@csr.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/uwb/i1480/dfu/usb.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/uwb/i1480/dfu/usb.c b/drivers/uwb/i1480/dfu/usb.c
-index 2bfc846ac071..6345e85822a4 100644
---- a/drivers/uwb/i1480/dfu/usb.c
-+++ b/drivers/uwb/i1480/dfu/usb.c
-@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface *iface, const struct usb_device_id *id)
-                                result);
-       }
-+      if (iface->cur_altsetting->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       result = -ENOMEM;
-       i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
-       if (i1480_usb == NULL) {
--- 
-2.12.2
-
-From 2c251e568e1a5dfbdab7156eaa848cd45b3cb127 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:47:52 +0100
-Subject: [PATCH 169/251] uwb: hwa-rc: fix NULL-deref at probe
-Content-Length: 1047
-Lines: 33
-
-commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Note that the dereference happens in the start callback which is called
-during probe.
-
-Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
-Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
-Cc: David Vrabel <david.vrabel@csr.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/uwb/hwa-rc.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c
-index 0257f35cfb9d..e75bbe5a10cd 100644
---- a/drivers/uwb/hwa-rc.c
-+++ b/drivers/uwb/hwa-rc.c
-@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interface *iface,
-       struct hwarc *hwarc;
-       struct device *dev = &iface->dev;
-+      if (iface->cur_altsetting->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       result = -ENOMEM;
-       uwb_rc = uwb_rc_alloc();
-       if (uwb_rc == NULL) {
--- 
-2.12.2
-
-From dcf879cb9ed37f4e4cb242aaa17316d6c37404dc Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:40:22 +0100
-Subject: [PATCH 170/251] mmc: ushc: fix NULL-deref at probe
-Content-Length: 1009
-Lines: 30
-
-commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver")
-Cc: David Vrabel <david.vrabel@csr.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/mmc/host/ushc.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/mmc/host/ushc.c b/drivers/mmc/host/ushc.c
-index d2c386f09d69..1d843357422e 100644
---- a/drivers/mmc/host/ushc.c
-+++ b/drivers/mmc/host/ushc.c
-@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interface *intf, const struct usb_device_id *id
-       struct ushc_data *ushc;
-       int ret;
-+      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
-+              return -ENODEV;
-+
-       mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev);
-       if (mmc == NULL)
-               return -ENOMEM;
--- 
-2.12.2
-
-From 8f189e1d0ecac38ac69b44b89f2561c3bcffacbd Mon Sep 17 00:00:00 2001
-From: Michael Engl <michael.engl@wjw-solutions.com>
-Date: Tue, 3 Oct 2017 13:57:00 +0100
-Subject: [PATCH 171/251] iio: adc: ti_am335x_adc: fix fifo overrun recovery
-Content-Length: 2556
-Lines: 65
-
-commit e83bb3e6f3efa21f4a9d883a25d0ecd9dfb431e1 upstream.
-
-The tiadc_irq_h(int irq, void *private) function is handling FIFO
-overruns by clearing flags, disabling and enabling the ADC to
-recover.
-
-If the ADC is running in continuous mode a FIFO overrun happens
-regularly. If the disabling of the ADC happens concurrently with
-a new conversion. It might happen that the enabling of the ADC
-is ignored by the hardware. This stops the ADC permanently. No
-more interrupts are triggered.
-
-According to the AM335x Reference Manual (SPRUH73H October 2011 -
-Revised April 2013 - Chapter 12.4 and 12.5) it is necessary to
-check the ADC FSM bits in REG_ADCFSM before enabling the ADC
-again. Because the disabling of the ADC is done right after the
-current conversion has been finished.
-
-To trigger this bug it is necessary to run the ADC in continuous
-mode. The ADC values of all channels need to be read in an endless
-loop. The bug appears within the first 6 hours (~5.4 million
-handled FIFO overruns). The user space application will hang on
-reading new values from the character device.
-
-Fixes: ca9a563805f7a ("iio: ti_am335x_adc: Add continuous sampling support")
-Signed-off-by: Michael Engl <michael.engl@wjw-solutions.com>
-Signed-off-by: Jonathan Cameron <jic23@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/iio/adc/ti_am335x_adc.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/iio/adc/ti_am335x_adc.c b/drivers/iio/adc/ti_am335x_adc.c
-index 0470fc843d4e..9b6854607d73 100644
---- a/drivers/iio/adc/ti_am335x_adc.c
-+++ b/drivers/iio/adc/ti_am335x_adc.c
-@@ -151,7 +151,9 @@ static irqreturn_t tiadc_irq_h(int irq, void *private)
- {
-       struct iio_dev *indio_dev = private;
-       struct tiadc_device *adc_dev = iio_priv(indio_dev);
--      unsigned int status, config;
-+      unsigned int status, config, adc_fsm;
-+      unsigned short count = 0;
-+
-       status = tiadc_readl(adc_dev, REG_IRQSTATUS);
-       /*
-@@ -165,6 +167,15 @@ static irqreturn_t tiadc_irq_h(int irq, void *private)
-               tiadc_writel(adc_dev, REG_CTRL, config);
-               tiadc_writel(adc_dev, REG_IRQSTATUS, IRQENB_FIFO1OVRRUN
-                               | IRQENB_FIFO1UNDRFLW | IRQENB_FIFO1THRES);
-+
-+              /* wait for idle state.
-+               * ADC needs to finish the current conversion
-+               * before disabling the module
-+               */
-+              do {
-+                      adc_fsm = tiadc_readl(adc_dev, REG_ADCFSM);
-+              } while (adc_fsm != 0x10 && count++ < 100);
-+
-               tiadc_writel(adc_dev, REG_CTRL, (config | CNTRLREG_TSCSSENB));
-               return IRQ_HANDLED;
-       } else if (status & IRQENB_FIFO1THRES) {
--- 
-2.12.2
-
-From 7413d1f8991e7d5c240d89a3feb35e2a54d27baf Mon Sep 17 00:00:00 2001
-From: Song Hongyan <hongyan.song@intel.com>
-Date: Wed, 22 Feb 2017 17:17:38 +0800
-Subject: [PATCH 172/251] iio: hid-sensor-trigger: Change get poll value
- function order to avoid sensor properties losing after resume from S3
-Content-Length: 2044
-Lines: 48
-
-commit 3bec247474469f769af41e8c80d3a100dd97dd76 upstream.
-
-In function _hid_sensor_power_state(), when hid_sensor_read_poll_value()
-is called, sensor's all properties will be updated by the value from
-sensor hardware/firmware.
-In some implementation, sensor hardware/firmware will do a power cycle
-during S3. In this case, after resume, once hid_sensor_read_poll_value()
-is called, sensor's all properties which are kept by driver during S3
-will be changed to default value.
-But instead, if a set feature function is called first, sensor
-hardware/firmware will be recovered to the last status. So change the
-sensor_hub_set_feature() calling order to behind of set feature function
-to avoid sensor properties lose.
-
-Signed-off-by: Song Hongyan <hongyan.song@intel.com>
-Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
-Signed-off-by: Jonathan Cameron <jic23@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
-index 595511022795..0a86ef43e781 100644
---- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
-+++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
-@@ -51,8 +51,6 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state)
-                       st->report_state.report_id,
-                       st->report_state.index,
-                       HID_USAGE_SENSOR_PROP_REPORTING_STATE_ALL_EVENTS_ENUM);
--
--              poll_value = hid_sensor_read_poll_value(st);
-       } else {
-               int val;
-@@ -89,7 +87,9 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state)
-       sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
-                              st->power_state.index,
-                              sizeof(state_val), &state_val);
--      if (state && poll_value)
-+      if (state)
-+              poll_value = hid_sensor_read_poll_value(st);
-+      if (poll_value > 0)
-               msleep_interruptible(poll_value * 2);
-       return 0;
--- 
-2.12.2
-
-From c7d1545c48ffbf19185753c1d786e5aab950d3e3 Mon Sep 17 00:00:00 2001
-From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
-Date: Mon, 6 Mar 2017 23:23:42 +0000
-Subject: [PATCH 173/251] parport: fix attempt to write duplicate procfiles
-Content-Length: 1584
-Lines: 41
-
-commit 03270c6ac6207fc55bbf9d20d195029dca210c79 upstream.
-
-Usually every parallel port will have a single pardev registered with
-it. But ppdev driver is an exception. This userspace parallel port
-driver allows to create multiple parrallel port devices for a single
-parallel port. And as a result we were having a nice warning like:
-"sysctl table check failed:
-/dev/parport/parport0/devices/ppdev0/timeslice Sysctl already exists"
-
-Use the same logic as used in parport_register_device() and register
-the proc files only once for each parallel port.
-
-Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1414656
-Bugzilla: https://bugs.archlinux.org/task/52322
-Tested-by: James Feeney <james@nurealm.net>
-Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/parport/share.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/parport/share.c b/drivers/parport/share.c
-index 5ce5ef211bdb..754f21fd9768 100644
---- a/drivers/parport/share.c
-+++ b/drivers/parport/share.c
-@@ -936,8 +936,10 @@ parport_register_dev_model(struct parport *port, const char *name,
-        * pardevice fields. -arca
-        */
-       port->ops->init_state(par_dev, par_dev->state);
--      port->proc_device = par_dev;
--      parport_device_proc_register(par_dev);
-+      if (!test_and_set_bit(PARPORT_DEVPROC_REGISTERED, &port->devflags)) {
-+              port->proc_device = par_dev;
-+              parport_device_proc_register(par_dev);
-+      }
-       return par_dev;
--- 
-2.12.2
-
-From 27d9bf096406439ce406c82291cfe09c6653f94c Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Wed, 15 Mar 2017 14:52:02 -0400
-Subject: [PATCH 174/251] ext4: mark inode dirty after converting inline
- directory
-Content-Length: 1573
-Lines: 42
-
-commit b9cf625d6ecde0d372e23ae022feead72b4228a6 upstream.
-
-If ext4_convert_inline_data() was called on a directory with inline
-data, the filesystem was left in an inconsistent state (as considered by
-e2fsck) because the file size was not increased to cover the new block.
-This happened because the inode was not marked dirty after i_disksize
-was updated.  Fix this by marking the inode dirty at the end of
-ext4_finish_convert_inline_dir().
-
-This bug was probably not noticed before because most users mark the
-inode dirty afterwards for other reasons.  But if userspace executed
-FS_IOC_SET_ENCRYPTION_POLICY with invalid parameters, as exercised by
-'kvm-xfstests -c adv generic/396', then the inode was never marked dirty
-after updating i_disksize.
-
-Fixes: 3c47d54170b6a678875566b1b8d6dcf57904e49b
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/inline.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index d4be4e23bc21..dad8e7bdf0a6 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -1158,10 +1158,9 @@ static int ext4_finish_convert_inline_dir(handle_t *handle,
-       set_buffer_uptodate(dir_block);
-       err = ext4_handle_dirty_dirent_node(handle, inode, dir_block);
-       if (err)
--              goto out;
-+              return err;
-       set_buffer_verified(dir_block);
--out:
--      return err;
-+      return ext4_mark_inode_dirty(handle, inode);
- }
- static int ext4_convert_inline_data_nolock(handle_t *handle,
--- 
-2.12.2
-
-From 52e40a2fcc3952f1edd2f810c36d05eece984cba Mon Sep 17 00:00:00 2001
-From: Adrian Hunter <adrian.hunter@intel.com>
-Date: Mon, 20 Mar 2017 19:50:29 +0200
-Subject: [PATCH 175/251] mmc: sdhci: Do not disable interrupts while waiting
- for clock
-Content-Length: 1383
-Lines: 40
-
-commit e2ebfb2142acefecc2496e71360f50d25726040b upstream.
-
-Disabling interrupts for even a millisecond can cause problems for some
-devices. That can happen when sdhci changes clock frequency because it
-waits for the clock to become stable under a spin lock.
-
-The spin lock is not necessary here. Anything that is racing with changes
-to the I/O state is already broken. The mmc core already provides
-synchronization via "claiming" the host.
-
-Although the spin lock probably should be removed from the code paths that
-lead to this point, such a patch would touch too much code to be suitable
-for stable trees. Consequently, for this patch, just drop the spin lock
-while waiting.
-
-Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
-Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-Tested-by: Ludovic Desroches <ludovic.desroches@microchip.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/mmc/host/sdhci.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
-index bda164089904..62d37d2ac557 100644
---- a/drivers/mmc/host/sdhci.c
-+++ b/drivers/mmc/host/sdhci.c
-@@ -1274,7 +1274,9 @@ clock_set:
-                       return;
-               }
-               timeout--;
--              mdelay(1);
-+              spin_unlock_irq(&host->lock);
-+              usleep_range(900, 1100);
-+              spin_lock_irq(&host->lock);
-       }
-       clk |= SDHCI_CLOCK_CARD_EN;
--- 
-2.12.2
-
-From 55b6c187cf9d12d8e667ccfa5386bd162fc7ae2b Mon Sep 17 00:00:00 2001
-From: Koos Vriezen <koos.vriezen@gmail.com>
-Date: Wed, 1 Mar 2017 21:02:50 +0100
-Subject: [PATCH 177/251] iommu/vt-d: Fix NULL pointer dereference in
- device_to_iommu
-Content-Length: 2697
-Lines: 73
-
-commit 5003ae1e735e6bfe4679d9bed6846274f322e77e upstream.
-
-The function device_to_iommu() in the Intel VT-d driver
-lacks a NULL-ptr check, resulting in this oops at boot on
-some platforms:
-
- BUG: unable to handle kernel NULL pointer dereference at 00000000000007ab
- IP: [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
- PGD 0
-
- [...]
-
- Call Trace:
-   ? find_or_alloc_domain.constprop.29+0x1a/0x300
-   ? dw_dma_probe+0x561/0x580 [dw_dmac_core]
-   ? __get_valid_domain_for_dev+0x39/0x120
-   ? __intel_map_single+0x138/0x180
-   ? intel_alloc_coherent+0xb6/0x120
-   ? sst_hsw_dsp_init+0x173/0x420 [snd_soc_sst_haswell_pcm]
-   ? mutex_lock+0x9/0x30
-   ? kernfs_add_one+0xdb/0x130
-   ? devres_add+0x19/0x60
-   ? hsw_pcm_dev_probe+0x46/0xd0 [snd_soc_sst_haswell_pcm]
-   ? platform_drv_probe+0x30/0x90
-   ? driver_probe_device+0x1ed/0x2b0
-   ? __driver_attach+0x8f/0xa0
-   ? driver_probe_device+0x2b0/0x2b0
-   ? bus_for_each_dev+0x55/0x90
-   ? bus_add_driver+0x110/0x210
-   ? 0xffffffffa11ea000
-   ? driver_register+0x52/0xc0
-   ? 0xffffffffa11ea000
-   ? do_one_initcall+0x32/0x130
-   ? free_vmap_area_noflush+0x37/0x70
-   ? kmem_cache_alloc+0x88/0xd0
-   ? do_init_module+0x51/0x1c4
-   ? load_module+0x1ee9/0x2430
-   ? show_taint+0x20/0x20
-   ? kernel_read_file+0xfd/0x190
-   ? SyS_finit_module+0xa3/0xb0
-   ? do_syscall_64+0x4a/0xb0
-   ? entry_SYSCALL64_slow_path+0x25/0x25
- Code: 78 ff ff ff 4d 85 c0 74 ee 49 8b 5a 10 0f b6 9b e0 00 00 00 41 38 98 e0 00 00 00 77 da 0f b6 eb 49 39 a8 88 00 00 00 72 ce eb 8f <41> f6 82 ab 07 00 00 04 0f 85 76 ff ff ff 0f b6 4d 08 88 0e 49
- RIP  [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
-  RSP <ffffc90001457a78>
- CR2: 00000000000007ab
- ---[ end trace 16f974b6d58d0aad ]---
-
-Add the missing pointer check.
-
-Fixes: 1c387188c60f53b338c20eee32db055dfe022a9b ("iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions")
-Signed-off-by: Koos Vriezen <koos.vriezen@gmail.com>
-Signed-off-by: Joerg Roedel <jroedel@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/iommu/intel-iommu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
-index f0fc6f7b5d98..0628372f3591 100644
---- a/drivers/iommu/intel-iommu.c
-+++ b/drivers/iommu/intel-iommu.c
-@@ -908,7 +908,7 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf
-                                * which we used for the IOMMU lookup. Strictly speaking
-                                * we could do this for all PCI devices; we only need to
-                                * get the BDF# from the scope table for ACPI matches. */
--                              if (pdev->is_virtfn)
-+                              if (pdev && pdev->is_virtfn)
-                                       goto got_pdev;
-                               *bus = drhd->devices[i].bus;
--- 
-2.12.2
-
-From 17503963206584333b674740ba75b5079ea7e196 Mon Sep 17 00:00:00 2001
-From: Viresh Kumar <viresh.kumar@linaro.org>
-Date: Tue, 21 Mar 2017 11:36:06 +0530
-Subject: [PATCH 180/251] cpufreq: Restore policy min/max limits on CPU online
-Content-Length: 1475
-Lines: 38
-
-commit ff010472fb75670cb5c08671e820eeea3af59c87 upstream.
-
-On CPU online the cpufreq core restores the previous governor (or
-the previous "policy" setting for ->setpolicy drivers), but it does
-not restore the min/max limits at the same time, which is confusing,
-inconsistent and real pain for users who set the limits and then
-suspend/resume the system (using full suspend), in which case the
-limits are reset on all CPUs except for the boot one.
-
-Fix this by making cpufreq_online() restore the limits when an inactive
-policy is brought online.
-
-The commit log and patch are inspired from Rafael's earlier work.
-
-Reported-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/cpufreq/cpufreq.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
-index 86fa9fdc8323..38b363f4316b 100644
---- a/drivers/cpufreq/cpufreq.c
-+++ b/drivers/cpufreq/cpufreq.c
-@@ -1186,6 +1186,9 @@ static int cpufreq_online(unsigned int cpu)
-               for_each_cpu(j, policy->related_cpus)
-                       per_cpu(cpufreq_cpu_data, j) = policy;
-               write_unlock_irqrestore(&cpufreq_driver_lock, flags);
-+      } else {
-+              policy->min = policy->user_policy.min;
-+              policy->max = policy->user_policy.max;
-       }
-       if (cpufreq_driver->get && !cpufreq_driver->setpolicy) {
--- 
-2.12.2
-
-From 73dd1edf50a6bdf33046c2e4aa0b1ad4fef71a71 Mon Sep 17 00:00:00 2001
-From: Tomasz Majchrzak <tomasz.majchrzak@intel.com>
-Date: Thu, 28 Jul 2016 10:28:25 +0200
-Subject: [PATCH 181/251] raid10: increment write counter after bio is split
-Content-Length: 1096
-Lines: 38
-
-commit 9b622e2bbcf049c82e2550d35fb54ac205965f50 upstream.
-
-md pending write counter must be incremented after bio is split,
-otherwise it gets decremented too many times in end bio callback and
-becomes negative.
-
-Signed-off-by: Tomasz Majchrzak <tomasz.majchrzak@intel.com>
-Reviewed-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
-Signed-off-by: Shaohua Li <shli@fb.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/raid10.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 122af340a531..a92979e704e3 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -1072,6 +1072,8 @@ static void __make_request(struct mddev *mddev, struct bio *bio)
-       int max_sectors;
-       int sectors;
-+      md_write_start(mddev, bio);
-+
-       /*
-        * Register the new request and wait if the reconstruction
-        * thread has put up a bar for new requests.
-@@ -1455,8 +1457,6 @@ static void make_request(struct mddev *mddev, struct bio *bio)
-               return;
-       }
--      md_write_start(mddev, bio);
--
-       do {
-               /*
--- 
-2.12.2
-
-From c4cf86f69597d4547a736e3edd5b88ae61b68fa2 Mon Sep 17 00:00:00 2001
-From: "Darrick J. Wong" <darrick.wong@oracle.com>
-Date: Mon, 5 Dec 2016 12:38:38 +1100
-Subject: [PATCH 183/251] xfs: don't allow di_size with high bit set
-Content-Length: 1355
-Lines: 38
-
-commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.
-
-The on-disk field di_size is used to set i_size, which is a signed
-integer of loff_t.  If the high bit of di_size is set, we'll end up with
-a negative i_size, which will cause all sorts of problems.  Since the
-VFS won't let us create a file with such length, we should catch them
-here in the verifier too.
-
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
-Reviewed-by: Dave Chinner <dchinner@redhat.com>
-Signed-off-by: Dave Chinner <david@fromorbit.com>
-Cc: Nikolay Borisov <n.borisov.lkml@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/xfs/libxfs/xfs_inode_buf.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
-index 1aabfda669b0..7183b7ea065b 100644
---- a/fs/xfs/libxfs/xfs_inode_buf.c
-+++ b/fs/xfs/libxfs/xfs_inode_buf.c
-@@ -299,6 +299,14 @@ xfs_dinode_verify(
-       if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))
-               return false;
-+      /* don't allow invalid i_size */
-+      if (be64_to_cpu(dip->di_size) & (1ULL << 63))
-+              return false;
-+
-+      /* No zero-length symlinks. */
-+      if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0)
-+              return false;
-+
-       /* only version 3 or greater inodes are extensively verified here */
-       if (dip->di_version < 3)
-               return true;
--- 
-2.12.2
-
-From 7922c1becb36b61827a24ee32ffe7c39cf444efb Mon Sep 17 00:00:00 2001
-From: Eric Sandeen <sandeen@sandeen.net>
-Date: Tue, 8 Nov 2016 12:55:18 +1100
-Subject: [PATCH 184/251] xfs: fix up xfs_swap_extent_forks inline extent
- handling
-Content-Length: 3921
-Lines: 97
-
-commit 4dfce57db6354603641132fac3c887614e3ebe81 upstream.
-
-There have been several reports over the years of NULL pointer
-dereferences in xfs_trans_log_inode during xfs_fsr processes,
-when the process is doing an fput and tearing down extents
-on the temporary inode, something like:
-
-BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
-PID: 29439  TASK: ffff880550584fa0  CPU: 6   COMMAND: "xfs_fsr"
-    [exception RIP: xfs_trans_log_inode+0x10]
- #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]
-#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs]
-#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs]
-#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs]
-#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs]
-#14 [ffff8800a57bbe00] evict at ffffffff811e1b67
-#15 [ffff8800a57bbe28] iput at ffffffff811e23a5
-#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8
-#17 [ffff8800a57bbe88] dput at ffffffff811dd06c
-#18 [ffff8800a57bbea8] __fput at ffffffff811c823b
-#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e
-#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27
-#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c
-#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d
-
-As it turns out, this is because the i_itemp pointer, along
-with the d_ops pointer, has been overwritten with zeros
-when we tear down the extents during truncate.  When the in-core
-inode fork on the temporary inode used by xfs_fsr was originally
-set up during the extent swap, we mistakenly looked at di_nextents
-to determine whether all extents fit inline, but this misses extents
-generated by speculative preallocation; we should be using if_bytes
-instead.
-
-This mistake corrupts the in-memory inode, and code in
-xfs_iext_remove_inline eventually gets bad inputs, causing
-it to memmove and memset incorrect ranges; this became apparent
-because the two values in ifp->if_u2.if_inline_ext[1] contained
-what should have been in d_ops and i_itemp; they were memmoved due
-to incorrect array indexing and then the original locations
-were zeroed with memset, again due to an array overrun.
-
-Fix this by properly using i_df.if_bytes to determine the number
-of extents, not di_nextents.
-
-Thanks to dchinner for looking at this with me and spotting the
-root cause.
-
-[nborisov: backported to 4.4]
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Eric Sandeen <sandeen@redhat.com>
-Reviewed-by: Brian Foster <bfoster@redhat.com>
-Signed-off-by: Dave Chinner <david@fromorbit.com>
-Signed-off-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- fs/xfs/xfs_bmap_util.c |    7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
----
- fs/xfs/xfs_bmap_util.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
-index dbae6490a79a..832764ee035a 100644
---- a/fs/xfs/xfs_bmap_util.c
-+++ b/fs/xfs/xfs_bmap_util.c
-@@ -1713,6 +1713,7 @@ xfs_swap_extents(
-       xfs_trans_t     *tp;
-       xfs_bstat_t     *sbp = &sxp->sx_stat;
-       xfs_ifork_t     *tempifp, *ifp, *tifp;
-+      xfs_extnum_t    nextents;
-       int             src_log_flags, target_log_flags;
-       int             error = 0;
-       int             aforkblks = 0;
-@@ -1899,7 +1900,8 @@ xfs_swap_extents(
-                * pointer.  Otherwise it's already NULL or
-                * pointing to the extent.
-                */
--              if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) {
-+              nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
-+              if (nextents <= XFS_INLINE_EXTS) {
-                       ifp->if_u1.if_extents =
-                               ifp->if_u2.if_inline_ext;
-               }
-@@ -1918,7 +1920,8 @@ xfs_swap_extents(
-                * pointer.  Otherwise it's already NULL or
-                * pointing to the extent.
-                */
--              if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) {
-+              nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
-+              if (nextents <= XFS_INLINE_EXTS) {
-                       tifp->if_u1.if_extents =
-                               tifp->if_u2.if_inline_ext;
-               }
--- 
-2.12.2
-
-From 74c8dd066cc06da0a7ee1a4da0ba565e3536a53a Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 15 Mar 2017 14:26:04 +0100
-Subject: [PATCH 185/251] nl80211: fix dumpit error path RTNL deadlocks
-Content-Length: 8374
-Lines: 326
-
-commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream.
-
-Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
-to be perfectly accurate - there are various error paths that miss unlock
-of the RTNL.
-
-To fix those, change the locking a bit to not be conditional in all those
-nl80211_prepare_*_dump() functions, but make those require the RTNL to
-start with, and fix the buggy error paths. This also let me use sparse
-(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
-validate the changes.
-
-Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/nl80211.c | 121 ++++++++++++++++++++++---------------------------
- 1 file changed, 53 insertions(+), 68 deletions(-)
-
-diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
-index 1f0de6d74daa..9d0953e5734f 100644
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -492,21 +492,17 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
- {
-       int err;
--      rtnl_lock();
--
-       if (!cb->args[0]) {
-               err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
-                                 nl80211_fam.attrbuf, nl80211_fam.maxattr,
-                                 nl80211_policy);
-               if (err)
--                      goto out_unlock;
-+                      return err;
-               *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
-                                                  nl80211_fam.attrbuf);
--              if (IS_ERR(*wdev)) {
--                      err = PTR_ERR(*wdev);
--                      goto out_unlock;
--              }
-+              if (IS_ERR(*wdev))
-+                      return PTR_ERR(*wdev);
-               *rdev = wiphy_to_rdev((*wdev)->wiphy);
-               /* 0 is the first index - add 1 to parse only once */
-               cb->args[0] = (*rdev)->wiphy_idx + 1;
-@@ -516,10 +512,8 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
-               struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
-               struct wireless_dev *tmp;
--              if (!wiphy) {
--                      err = -ENODEV;
--                      goto out_unlock;
--              }
-+              if (!wiphy)
-+                      return -ENODEV;
-               *rdev = wiphy_to_rdev(wiphy);
-               *wdev = NULL;
-@@ -530,21 +524,11 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
-                       }
-               }
--              if (!*wdev) {
--                      err = -ENODEV;
--                      goto out_unlock;
--              }
-+              if (!*wdev)
-+                      return -ENODEV;
-       }
-       return 0;
-- out_unlock:
--      rtnl_unlock();
--      return err;
--}
--
--static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
--{
--      rtnl_unlock();
- }
- /* IE validation */
-@@ -3884,9 +3868,10 @@ static int nl80211_dump_station(struct sk_buff *skb,
-       int sta_idx = cb->args[2];
-       int err;
-+      rtnl_lock();
-       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
-       if (err)
--              return err;
-+              goto out_err;
-       if (!wdev->netdev) {
-               err = -EINVAL;
-@@ -3922,7 +3907,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
-       cb->args[2] = sta_idx;
-       err = skb->len;
-  out_err:
--      nl80211_finish_wdev_dump(rdev);
-+      rtnl_unlock();
-       return err;
- }
-@@ -4639,9 +4624,10 @@ static int nl80211_dump_mpath(struct sk_buff *skb,
-       int path_idx = cb->args[2];
-       int err;
-+      rtnl_lock();
-       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
-       if (err)
--              return err;
-+              goto out_err;
-       if (!rdev->ops->dump_mpath) {
-               err = -EOPNOTSUPP;
-@@ -4675,7 +4661,7 @@ static int nl80211_dump_mpath(struct sk_buff *skb,
-       cb->args[2] = path_idx;
-       err = skb->len;
-  out_err:
--      nl80211_finish_wdev_dump(rdev);
-+      rtnl_unlock();
-       return err;
- }
-@@ -4835,9 +4821,10 @@ static int nl80211_dump_mpp(struct sk_buff *skb,
-       int path_idx = cb->args[2];
-       int err;
-+      rtnl_lock();
-       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
-       if (err)
--              return err;
-+              goto out_err;
-       if (!rdev->ops->dump_mpp) {
-               err = -EOPNOTSUPP;
-@@ -4870,7 +4857,7 @@ static int nl80211_dump_mpp(struct sk_buff *skb,
-       cb->args[2] = path_idx;
-       err = skb->len;
-  out_err:
--      nl80211_finish_wdev_dump(rdev);
-+      rtnl_unlock();
-       return err;
- }
-@@ -6806,9 +6793,12 @@ static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
-       int start = cb->args[2], idx = 0;
-       int err;
-+      rtnl_lock();
-       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
--      if (err)
-+      if (err) {
-+              rtnl_unlock();
-               return err;
-+      }
-       wdev_lock(wdev);
-       spin_lock_bh(&rdev->bss_lock);
-@@ -6831,7 +6821,7 @@ static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
-       wdev_unlock(wdev);
-       cb->args[2] = idx;
--      nl80211_finish_wdev_dump(rdev);
-+      rtnl_unlock();
-       return skb->len;
- }
-@@ -6915,9 +6905,10 @@ static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
-       int res;
-       bool radio_stats;
-+      rtnl_lock();
-       res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
-       if (res)
--              return res;
-+              goto out_err;
-       /* prepare_wdev_dump parsed the attributes */
-       radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
-@@ -6958,7 +6949,7 @@ static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
-       cb->args[2] = survey_idx;
-       res = skb->len;
-  out_err:
--      nl80211_finish_wdev_dump(rdev);
-+      rtnl_unlock();
-       return res;
- }
-@@ -10158,17 +10149,13 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
-       void *data = NULL;
-       unsigned int data_len = 0;
--      rtnl_lock();
--
-       if (cb->args[0]) {
-               /* subtract the 1 again here */
-               struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
-               struct wireless_dev *tmp;
--              if (!wiphy) {
--                      err = -ENODEV;
--                      goto out_unlock;
--              }
-+              if (!wiphy)
-+                      return -ENODEV;
-               *rdev = wiphy_to_rdev(wiphy);
-               *wdev = NULL;
-@@ -10189,13 +10176,11 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
-                         nl80211_fam.attrbuf, nl80211_fam.maxattr,
-                         nl80211_policy);
-       if (err)
--              goto out_unlock;
-+              return err;
-       if (!nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID] ||
--          !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
--              err = -EINVAL;
--              goto out_unlock;
--      }
-+          !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
-+              return -EINVAL;
-       *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
-                                          nl80211_fam.attrbuf);
-@@ -10204,10 +10189,8 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
-       *rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk),
-                                          nl80211_fam.attrbuf);
--      if (IS_ERR(*rdev)) {
--              err = PTR_ERR(*rdev);
--              goto out_unlock;
--      }
-+      if (IS_ERR(*rdev))
-+              return PTR_ERR(*rdev);
-       vid = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID]);
-       subcmd = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
-@@ -10220,19 +10203,15 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
-               if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
-                       continue;
--              if (!vcmd->dumpit) {
--                      err = -EOPNOTSUPP;
--                      goto out_unlock;
--              }
-+              if (!vcmd->dumpit)
-+                      return -EOPNOTSUPP;
-               vcmd_idx = i;
-               break;
-       }
--      if (vcmd_idx < 0) {
--              err = -EOPNOTSUPP;
--              goto out_unlock;
--      }
-+      if (vcmd_idx < 0)
-+              return -EOPNOTSUPP;
-       if (nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]) {
-               data = nla_data(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]);
-@@ -10249,9 +10228,6 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
-       /* keep rtnl locked in successful case */
-       return 0;
-- out_unlock:
--      rtnl_unlock();
--      return err;
- }
- static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
-@@ -10266,9 +10242,10 @@ static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
-       int err;
-       struct nlattr *vendor_data;
-+      rtnl_lock();
-       err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
-       if (err)
--              return err;
-+              goto out;
-       vcmd_idx = cb->args[2];
-       data = (void *)cb->args[3];
-@@ -10277,18 +10254,26 @@ static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
-       if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
-                          WIPHY_VENDOR_CMD_NEED_NETDEV)) {
--              if (!wdev)
--                      return -EINVAL;
-+              if (!wdev) {
-+                      err = -EINVAL;
-+                      goto out;
-+              }
-               if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
--                  !wdev->netdev)
--                      return -EINVAL;
-+                  !wdev->netdev) {
-+                      err = -EINVAL;
-+                      goto out;
-+              }
-               if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
-                       if (wdev->netdev &&
--                          !netif_running(wdev->netdev))
--                              return -ENETDOWN;
--                      if (!wdev->netdev && !wdev->p2p_started)
--                              return -ENETDOWN;
-+                          !netif_running(wdev->netdev)) {
-+                              err = -ENETDOWN;
-+                              goto out;
-+                      }
-+                      if (!wdev->netdev && !wdev->p2p_started) {
-+                              err = -ENETDOWN;
-+                              goto out;
-+                      }
-               }
-       }
--- 
-2.12.2
-
-From f154de03f4167664808b002495a877dbe91dd798 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Tue, 14 Mar 2017 17:55:45 +0100
-Subject: [PATCH 186/251] USB: usbtmc: add missing endpoint sanity check
-Status: RO
-Content-Length: 2168
-Lines: 61
-
-commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream.
-
-USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
-but the driver failed to verify this, something which could lead to the
-endpoint addresses being taken from uninitialised memory.
-
-Make sure to zero all private data as part of allocation, and add the
-missing endpoint sanity check.
-
-Note that this also addresses a more recently introduced issue, where
-the interrupt-in-presence flag would also be uninitialised whenever the
-optional interrupt-in endpoint is not present. This in turn could lead
-to an interrupt urb being allocated, initialised and submitted based on
-uninitialised values.
-
-Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
-Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-[ johan: backport to v4.4 ]
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/class/usbtmc.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
-index deaddb950c20..24337ac3323f 100644
---- a/drivers/usb/class/usbtmc.c
-+++ b/drivers/usb/class/usbtmc.c
-@@ -1105,7 +1105,7 @@ static int usbtmc_probe(struct usb_interface *intf,
-       dev_dbg(&intf->dev, "%s called\n", __func__);
--      data = kmalloc(sizeof(*data), GFP_KERNEL);
-+      data = kzalloc(sizeof(*data), GFP_KERNEL);
-       if (!data)
-               return -ENOMEM;
-@@ -1163,6 +1163,12 @@ static int usbtmc_probe(struct usb_interface *intf,
-               }
-       }
-+      if (!data->bulk_out || !data->bulk_in) {
-+              dev_err(&intf->dev, "bulk endpoints not found\n");
-+              retcode = -ENODEV;
-+              goto err_put;
-+      }
-+
-       retcode = get_capabilities(data);
-       if (retcode)
-               dev_err(&intf->dev, "can't read capabilities\n");
-@@ -1186,6 +1192,7 @@ static int usbtmc_probe(struct usb_interface *intf,
- error_register:
-       sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
-       sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
-+err_put:
-       kref_put(&data->kref, usbtmc_delete);
-       return retcode;
- }
--- 
-2.12.2
-
-From 6d43e485e0067b682466eb4e3aff8ff9a6822966 Mon Sep 17 00:00:00 2001
-From: "Darrick J. Wong" <darrick.wong@oracle.com>
-Date: Wed, 25 Jan 2017 20:24:57 -0800
-Subject: [PATCH 187/251] xfs: clear _XBF_PAGES from buffers when readahead
- page
-Content-Length: 1594
-Lines: 42
-
-commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream.
-
-If we try to allocate memory pages to back an xfs_buf that we're trying
-to read, it's possible that we'll be so short on memory that the page
-allocation fails.  For a blocking read we'll just wait, but for
-readahead we simply dump all the pages we've collected so far.
-
-Unfortunately, after dumping the pages we neglect to clear the
-_XBF_PAGES state, which means that the subsequent call to xfs_buf_free
-thinks that b_pages still points to pages we own.  It then double-frees
-the b_pages pages.
-
-This results in screaming about negative page refcounts from the memory
-manager, which xfs oughtn't be triggering.  To reproduce this case,
-mount a filesystem where the size of the inodes far outweighs the
-availalble memory (a ~500M inode filesystem on a VM with 300MB memory
-did the trick here) and run bulkstat in parallel with other memory
-eating processes to put a huge load on the system.  The "check summary"
-phase of xfs_scrub also works for this purpose.
-
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
-Reviewed-by: Eric Sandeen <sandeen@redhat.com>
-Cc: Ivan Kozik <ivan@ludios.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/xfs/xfs_buf.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
-index eb1b8c8acfcb..8146b0cf20ce 100644
---- a/fs/xfs/xfs_buf.c
-+++ b/fs/xfs/xfs_buf.c
-@@ -375,6 +375,7 @@ retry:
- out_free_pages:
-       for (i = 0; i < bp->b_page_count; i++)
-               __free_page(bp->b_pages[i]);
-+      bp->b_flags &= ~_XBF_PAGES;
-       return error;
- }
--- 
-2.12.2
-
-From 4db313df49466185211ea7d6d675f8c4f6724e23 Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:02 +0530
-Subject: [PATCH 189/251] igb: Workaround for igb i210 firmware issue
-Content-Length: 1454
-Lines: 38
-
-From: Chris J Arges <christopherarges@gmail.com>
-
-[ Upstream commit 4e684f59d760a2c7c716bb60190783546e2d08a1 ]
-
-Sometimes firmware may not properly initialize I347AT4_PAGE_SELECT causing
-the probe of an igb i210 NIC to fail. This patch adds an addition zeroing
-of this register during igb_get_phy_id to workaround this issue.
-
-Thanks for Jochen Henneberg for the idea and original patch.
-
-Signed-off-by: Chris J Arges <christopherarges@gmail.com>
-Tested-by: Aaron Brown <aaron.f.brown@intel.com>
-Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/intel/igb/e1000_phy.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/ethernet/intel/igb/e1000_phy.c b/drivers/net/ethernet/intel/igb/e1000_phy.c
-index 23ec28f43f6d..13ad20b250bc 100644
---- a/drivers/net/ethernet/intel/igb/e1000_phy.c
-+++ b/drivers/net/ethernet/intel/igb/e1000_phy.c
-@@ -77,6 +77,10 @@ s32 igb_get_phy_id(struct e1000_hw *hw)
-       s32 ret_val = 0;
-       u16 phy_id;
-+      /* ensure PHY page selection to fix misconfigured i210 */
-+      if (hw->mac.type == e1000_i210)
-+              phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);
-+
-       ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id);
-       if (ret_val)
-               goto out;
+       __ilog2_u32(n) :                        \
+       __ilog2_u64(n)                          \
 -- 
 2.12.2
 
-From ca7e3bdc9c7e01d8040422d9eae0b9f07c81419e Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:03 +0530
-Subject: [PATCH 190/251] igb: add i211 to i210 PHY workaround
-Content-Length: 1309
-Lines: 33
-
-From: Todd Fujinaka <todd.fujinaka@intel.com>
-
-[ Upstream commit 5bc8c230e2a993b49244f9457499f17283da9ec7 ]
-
-i210 and i211 share the same PHY but have different PCI IDs. Don't
-forget i211 for any i210 workarounds.
+From a5c3f390eb7799c3d1d92121382372b1fd365fa3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 26 Mar 2017 12:13:55 +0200
+Subject: [PATCH 133/251] Linux 4.4.57
+Status: RO
+Content-Length: 301
+Lines: 18
 
-Signed-off-by: Todd Fujinaka <todd.fujinaka@intel.com>
-Tested-by: Aaron Brown <aaron.f.brown@intel.com>
-Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
drivers/net/ethernet/intel/igb/e1000_phy.c | 2 +-
Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/drivers/net/ethernet/intel/igb/e1000_phy.c b/drivers/net/ethernet/intel/igb/e1000_phy.c
-index 13ad20b250bc..afaa98d1d4e4 100644
---- a/drivers/net/ethernet/intel/igb/e1000_phy.c
-+++ b/drivers/net/ethernet/intel/igb/e1000_phy.c
-@@ -78,7 +78,7 @@ s32 igb_get_phy_id(struct e1000_hw *hw)
-       u16 phy_id;
-       /* ensure PHY page selection to fix misconfigured i210 */
--      if (hw->mac.type == e1000_i210)
-+      if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211))
-               phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);
-       ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id);
--- 
-2.12.2
-
-From e4ce31c0265dc6086fb4f13d88deef50d20cdb24 Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:04 +0530
-Subject: [PATCH 191/251] x86/hyperv: Handle unknown NMIs on one CPU when
- unknown_nmi_panic
-Content-Length: 4630
-Lines: 122
-
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-
-[ Upstream commit 59107e2f48831daedc46973ce4988605ab066de3 ]
-
-There is a feature in Hyper-V ('Debug-VM --InjectNonMaskableInterrupt')
-which injects NMI to the guest. We may want to crash the guest and do kdump
-on this NMI by enabling unknown_nmi_panic. To make kdump succeed we need to
-allow the kdump kernel to re-establish VMBus connection so it will see
-VMBus devices (storage, network,..).
-
-To properly unload VMBus making it possible to start over during kdump we
-need to do the following:
-
- - Send an 'unload' message to the hypervisor. This can be done on any CPU
-   so we do this the crashing CPU.
-
- - Receive the 'unload finished' reply message. WS2012R2 delivers this
-   message to the CPU which was used to establish VMBus connection during
-   module load and this CPU may differ from the CPU sending 'unload'.
-
-Receiving a VMBus message means the following:
-
- - There is a per-CPU slot in memory for one message. This slot can in
-   theory be accessed by any CPU.
-
- - We get an interrupt on the CPU when a message was placed into the slot.
-
- - When we read the message we need to clear the slot and signal the fact
-   to the hypervisor. In case there are more messages to this CPU pending
-   the hypervisor will deliver the next message. The signaling is done by
-   writing to an MSR so this can only be done on the appropriate CPU.
-
-To avoid doing cross-CPU work on crash we have vmbus_wait_for_unload()
-function which checks message slots for all CPUs in a loop waiting for the
-'unload finished' messages. However, there is an issue which arises when
-these conditions are met:
-
- - We're crashing on a CPU which is different from the one which was used
-   to initially contact the hypervisor.
-
- - The CPU which was used for the initial contact is blocked with interrupts
-   disabled and there is a message pending in the message slot.
-
-In this case we won't be able to read the 'unload finished' message on the
-crashing CPU. This is reproducible when we receive unknown NMIs on all CPUs
-simultaneously: the first CPU entering panic() will proceed to crash and
-all other CPUs will stop themselves with interrupts disabled.
-
-The suggested solution is to handle unknown NMIs for Hyper-V guests on the
-first CPU which gets them only. This will allow us to rely on VMBus
-interrupt handler being able to receive the 'unload finish' message in
-case it is delivered to a different CPU.
-
-The issue is not reproducible on WS2016 as Debug-VM delivers NMI to the
-boot CPU only, WS2012R2 and earlier Hyper-V versions are affected.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
-Acked-by: K. Y. Srinivasan <kys@microsoft.com>
-Cc: devel@linuxdriverproject.org
-Cc: Haiyang Zhang <haiyangz@microsoft.com>
-Link: http://lkml.kernel.org/r/20161202100720.28121-1-vkuznets@redhat.com
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/mshyperv.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c
-index cfc4a966e2b9..83b5f7a323a9 100644
---- a/arch/x86/kernel/cpu/mshyperv.c
-+++ b/arch/x86/kernel/cpu/mshyperv.c
-@@ -30,6 +30,7 @@
- #include <asm/apic.h>
- #include <asm/timer.h>
- #include <asm/reboot.h>
-+#include <asm/nmi.h>
- struct ms_hyperv_info ms_hyperv;
- EXPORT_SYMBOL_GPL(ms_hyperv);
-@@ -157,6 +158,26 @@ static unsigned char hv_get_nmi_reason(void)
-       return 0;
- }
-+#ifdef CONFIG_X86_LOCAL_APIC
-+/*
-+ * Prior to WS2016 Debug-VM sends NMIs to all CPUs which makes
-+ * it dificult to process CHANNELMSG_UNLOAD in case of crash. Handle
-+ * unknown NMI on the first CPU which gets it.
-+ */
-+static int hv_nmi_unknown(unsigned int val, struct pt_regs *regs)
-+{
-+      static atomic_t nmi_cpu = ATOMIC_INIT(-1);
-+
-+      if (!unknown_nmi_panic)
-+              return NMI_DONE;
-+
-+      if (atomic_cmpxchg(&nmi_cpu, -1, raw_smp_processor_id()) != -1)
-+              return NMI_HANDLED;
-+
-+      return NMI_DONE;
-+}
-+#endif
-+
- static void __init ms_hyperv_init_platform(void)
- {
-       /*
-@@ -182,6 +203,9 @@ static void __init ms_hyperv_init_platform(void)
-               printk(KERN_INFO "HyperV: LAPIC Timer Frequency: %#x\n",
-                               lapic_timer_frequency);
-       }
-+
-+      register_nmi_handler(NMI_UNKNOWN, hv_nmi_unknown, NMI_FLAG_FIRST,
-+                           "hv_nmi_unknown");
- #endif
+diff --git a/Makefile b/Makefile
+index cf9303a5d621..841675e63a38 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 56
++SUBLEVEL = 57
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
  
-       if (ms_hyperv.features & HV_X64_MSR_TIME_REF_COUNT_AVAILABLE)
 -- 
 2.12.2
 
@@ -5530,235 +1724,6 @@ index 5cefca95734e..885f689ac870 100644
 -- 
 2.12.2
 
-From d3607fc2976e34f6b067508b608fefaa66fbecee Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:17 +0530
-Subject: [PATCH 204/251] ACPI / blacklist: add _REV quirks for Dell Precision
- 5520 and 3520
-Content-Length: 1499
-Lines: 50
-
-From: Alex Hung <alex.hung@canonical.com>
-
-[ Upstream commit 9523b9bf6dceef6b0215e90b2348cd646597f796 ]
-
-Precision 5520 and 3520 either hang at login and during suspend or reboot.
-
-It turns out that that adding them to acpi_rev_dmi_table[] helps to work
-around those issues.
-
-Signed-off-by: Alex Hung <alex.hung@canonical.com>
-[ rjw: Changelog ]
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/blacklist.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
-index 96809cd99ace..b2e9395e095c 100644
---- a/drivers/acpi/blacklist.c
-+++ b/drivers/acpi/blacklist.c
-@@ -346,6 +346,22 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
-                     DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343"),
-               },
-       },
-+      {
-+       .callback = dmi_enable_rev_override,
-+       .ident = "DELL Precision 5520",
-+       .matches = {
-+                    DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+                    DMI_MATCH(DMI_PRODUCT_NAME, "Precision 5520"),
-+              },
-+      },
-+      {
-+       .callback = dmi_enable_rev_override,
-+       .ident = "DELL Precision 3520",
-+       .matches = {
-+                    DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+                    DMI_MATCH(DMI_PRODUCT_NAME, "Precision 3520"),
-+              },
-+      },
- #endif
-       {}
- };
--- 
-2.12.2
-
-From b8687d83b34cf372b943c5639d8960703aeb2b8e Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:18 +0530
-Subject: [PATCH 205/251] ACPI / blacklist: Make Dell Latitude 3350 ethernet
- work
-Content-Length: 1438
-Lines: 46
-
-From: Michael Pobega <mpobega@neverware.com>
-
-[ Upstream commit 708f5dcc21ae9b35f395865fc154b0105baf4de4 ]
-
-The Dell Latitude 3350's ethernet card attempts to use a reserved
-IRQ (18), resulting in ACPI being unable to enable the ethernet.
-
-Adding it to acpi_rev_dmi_table[] helps to work around this problem.
-
-Signed-off-by: Michael Pobega <mpobega@neverware.com>
-[ rjw: Changelog ]
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/blacklist.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
-index b2e9395e095c..2f24b578bcaf 100644
---- a/drivers/acpi/blacklist.c
-+++ b/drivers/acpi/blacklist.c
-@@ -362,6 +362,18 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
-                     DMI_MATCH(DMI_PRODUCT_NAME, "Precision 3520"),
-               },
-       },
-+      /*
-+       * Resolves a quirk with the Dell Latitude 3350 that
-+       * causes the ethernet adapter to not function.
-+       */
-+      {
-+       .callback = dmi_enable_rev_override,
-+       .ident = "DELL Latitude 3350",
-+       .matches = {
-+                    DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+                    DMI_MATCH(DMI_PRODUCT_NAME, "Latitude 3350"),
-+              },
-+      },
- #endif
-       {}
- };
--- 
-2.12.2
-
-From ac601978a2aad7fbb617f0187268011b577a127f Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:19 +0530
-Subject: [PATCH 206/251] serial: 8250_pci: Detach low-level driver during PCI
- error recovery
-Content-Length: 3500
-Lines: 106
-
-From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
-
-[ Upstream commit f209fa03fc9d131b3108c2e4936181eabab87416 ]
-
-During a PCI error recovery, like the ones provoked by EEH in the ppc64
-platform, all IO to the device must be blocked while the recovery is
-completed.  Current 8250_pci implementation only suspends the port
-instead of detaching it, which doesn't prevent incoming accesses like
-TIOCMGET and TIOCMSET calls from reaching the device.  Those end up
-racing with the EEH recovery, crashing it.  Similar races were also
-observed when opening the device and when shutting it down during
-recovery.
-
-This patch implements a more robust IO blockage for the 8250_pci
-recovery by unregistering the port at the beginning of the procedure and
-re-adding it afterwards.  Since the port is detached from the uart
-layer, we can be sure that no request will make through to the device
-during recovery.  This is similar to the solution used by the JSM serial
-driver.
-
-I thank Peter Hurley <peter@hurleysoftware.com> for valuable input on
-this one over one year ago.
-
-Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/8250/8250_pci.c | 23 +++++++++++++++++++----
- 1 file changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
-index 5b24ffd93649..83ff1724ec79 100644
---- a/drivers/tty/serial/8250/8250_pci.c
-+++ b/drivers/tty/serial/8250/8250_pci.c
-@@ -57,6 +57,7 @@ struct serial_private {
-       unsigned int            nr;
-       void __iomem            *remapped_bar[PCI_NUM_BAR_RESOURCES];
-       struct pci_serial_quirk *quirk;
-+      const struct pciserial_board *board;
-       int                     line[0];
- };
-@@ -4058,6 +4059,7 @@ pciserial_init_ports(struct pci_dev *dev, const struct pciserial_board *board)
-               }
-       }
-       priv->nr = i;
-+      priv->board = board;
-       return priv;
- err_deinit:
-@@ -4068,7 +4070,7 @@ err_out:
- }
- EXPORT_SYMBOL_GPL(pciserial_init_ports);
--void pciserial_remove_ports(struct serial_private *priv)
-+void pciserial_detach_ports(struct serial_private *priv)
- {
-       struct pci_serial_quirk *quirk;
-       int i;
-@@ -4088,7 +4090,11 @@ void pciserial_remove_ports(struct serial_private *priv)
-       quirk = find_quirk(priv->dev);
-       if (quirk->exit)
-               quirk->exit(priv->dev);
-+}
-+void pciserial_remove_ports(struct serial_private *priv)
-+{
-+      pciserial_detach_ports(priv);
-       kfree(priv);
- }
- EXPORT_SYMBOL_GPL(pciserial_remove_ports);
-@@ -5819,7 +5825,7 @@ static pci_ers_result_t serial8250_io_error_detected(struct pci_dev *dev,
-               return PCI_ERS_RESULT_DISCONNECT;
-       if (priv)
--              pciserial_suspend_ports(priv);
-+              pciserial_detach_ports(priv);
-       pci_disable_device(dev);
-@@ -5844,9 +5850,18 @@ static pci_ers_result_t serial8250_io_slot_reset(struct pci_dev *dev)
- static void serial8250_io_resume(struct pci_dev *dev)
- {
-       struct serial_private *priv = pci_get_drvdata(dev);
-+      const struct pciserial_board *board;
--      if (priv)
--              pciserial_resume_ports(priv);
-+      if (!priv)
-+              return;
-+
-+      board = priv->board;
-+      kfree(priv);
-+      priv = pciserial_init_ports(dev, board);
-+
-+      if (!IS_ERR(priv)) {
-+              pci_set_drvdata(dev, priv);
-+      }
- }
- static const struct pci_error_handlers serial8250_err_handler = {
--- 
-2.12.2
-
 From 540d6d756ff82a23eb5bb73aa8149bab15eb407a Mon Sep 17 00:00:00 2001
 From: Takashi Iwai <tiwai@suse.de>
 Date: Wed, 11 Jan 2017 17:09:50 +0100
@@ -6733,168 +2698,6 @@ index b8d927c56494..a6b2f2138c9d 100644
 -- 
 2.12.2
 
-From 3342857ac074768e14e361392ac09fbbd70d840e Mon Sep 17 00:00:00 2001
-From: Josh Poimboeuf <jpoimboe@redhat.com>
-Date: Thu, 16 Mar 2017 08:56:28 -0500
-Subject: [PATCH 233/251] ACPI: Fix incompatibility with mcount-based function
- graph tracing
-Content-Length: 1960
-Lines: 51
-
-commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream.
-
-Paul Menzel reported a warning:
-
-  WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
-  Bad frame pointer: expected f6919d98, received f6919db0
-    from func acpi_pm_device_sleep_wake return to c43b6f9d
-
-The warning means that function graph tracing is broken for the
-acpi_pm_device_sleep_wake() function.  That's because the ACPI Makefile
-unconditionally sets the '-Os' gcc flag to optimize for size.  That's an
-issue because mcount-based function graph tracing is incompatible with
-'-Os' on x86, thanks to the following gcc bug:
-
-  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109
-
-I have another patch pending which will ensure that mcount-based
-function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
-x86.
-
-But this patch is needed in addition to that one because the ACPI
-Makefile overrides that config option for no apparent reason.  It has
-had this flag since the beginning of git history, and there's no related
-comment, so I don't know why it's there.  As far as I can tell, there's
-no reason for it to be there.  The appropriate behavior is for it to
-honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
-kernel.
-
-Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
-Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/Makefile | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
-index 675eaf337178..b9cebca376f9 100644
---- a/drivers/acpi/Makefile
-+++ b/drivers/acpi/Makefile
-@@ -2,7 +2,6 @@
- # Makefile for the Linux ACPI interpreter
- #
--ccflags-y                     := -Os
- ccflags-$(CONFIG_ACPI_DEBUG)  += -DACPI_DEBUG_OUTPUT
- #
--- 
-2.12.2
-
-From 566a8711a7dd11960fa0bf3a4fd89c742eb359f3 Mon Sep 17 00:00:00 2001
-From: Joerg Roedel <jroedel@suse.de>
-Date: Wed, 22 Mar 2017 18:33:25 +0100
-Subject: [PATCH 234/251] ACPI: Do not create a platform_device for
- IOAPIC/IOxAPIC
-Content-Length: 1103
-Lines: 36
-
-commit 08f63d97749185fab942a3a47ed80f5bd89b8b7d upstream.
-
-No platform-device is required for IO(x)APICs, so don't even
-create them.
-
-[ rjw: This fixes a problem with leaking platform device objects
-  after IOAPIC/IOxAPIC hot-removal events.]
-
-Signed-off-by: Joerg Roedel <jroedel@suse.de>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/acpi_platform.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/acpi/acpi_platform.c b/drivers/acpi/acpi_platform.c
-index 296b7a14893a..5365ff6e69c1 100644
---- a/drivers/acpi/acpi_platform.c
-+++ b/drivers/acpi/acpi_platform.c
-@@ -24,9 +24,11 @@
- ACPI_MODULE_NAME("platform");
- static const struct acpi_device_id forbidden_id_list[] = {
--      {"PNP0000", 0}, /* PIC */
--      {"PNP0100", 0}, /* Timer */
--      {"PNP0200", 0}, /* AT DMA Controller */
-+      {"PNP0000",  0},        /* PIC */
-+      {"PNP0100",  0},        /* Timer */
-+      {"PNP0200",  0},        /* AT DMA Controller */
-+      {"ACPI0009", 0},        /* IOxAPIC */
-+      {"ACPI000A", 0},        /* IOAPIC */
-       {"", 0},
- };
--- 
-2.12.2
-
-From 3eb392056aeb4a0beca5fcead9ad3d6b6ff0816e Mon Sep 17 00:00:00 2001
-From: Peter Xu <peterx@redhat.com>
-Date: Wed, 15 Mar 2017 16:01:17 +0800
-Subject: [PATCH 238/251] KVM: x86: clear bus pointer when destroyed
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 1484
-Lines: 46
-
-commit df630b8c1e851b5e265dc2ca9c87222e342c093b upstream.
-
-When releasing the bus, let's clear the bus pointers to mark it out. If
-any further device unregister happens on this bus, we know that we're
-done if we found the bus being released already.
-
-Signed-off-by: Peter Xu <peterx@redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- virt/kvm/kvm_main.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 336ed267c407..1ac5b7be7282 100644
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -654,8 +654,10 @@ static void kvm_destroy_vm(struct kvm *kvm)
-       list_del(&kvm->vm_list);
-       spin_unlock(&kvm_lock);
-       kvm_free_irq_routing(kvm);
--      for (i = 0; i < KVM_NR_BUSES; i++)
-+      for (i = 0; i < KVM_NR_BUSES; i++) {
-               kvm_io_bus_destroy(kvm->buses[i]);
-+              kvm->buses[i] = NULL;
-+      }
-       kvm_coalesced_mmio_free(kvm);
- #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
-       mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
-@@ -3376,6 +3378,14 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-       struct kvm_io_bus *new_bus, *bus;
-       bus = kvm->buses[bus_idx];
-+
-+      /*
-+       * It's possible the bus being released before hand. If so,
-+       * we're done here.
-+       */
-+      if (!bus)
-+              return 0;
-+
-       r = -ENOENT;
-       for (i = 0; i < bus->dev_count; i++)
-               if (bus->range[i].dev == dev) {
--- 
-2.12.2
-
 From ef55c3df5dbd60eb3daab7797feac850bd1e6fe3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel.daenzer@amd.com>
 Date: Fri, 24 Mar 2017 19:01:09 +0900
@@ -7165,181 +2968,6 @@ index 2e7f60c9fc5d..51cdc46a87e2 100644
 -- 
 2.12.2
 
-From 42462d23e60b89a3c2f7d8d63f5f4e464ba77727 Mon Sep 17 00:00:00 2001
-From: David Hildenbrand <david@redhat.com>
-Date: Thu, 23 Mar 2017 18:24:19 +0100
-Subject: [PATCH 246/251] KVM: kvm_io_bus_unregister_dev() should never fail
-Content-Length: 5392
-Lines: 167
-
-commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.
-
-No caller currently checks the return value of
-kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
-freeing their device. A stale reference will remain in the io_bus,
-getting at least used again, when the iobus gets teared down on
-kvm_destroy_vm() - leading to use after free errors.
-
-There is nothing the callers could do, except retrying over and over
-again.
-
-So let's simply remove the bus altogether, print an error and make
-sure no one can access this broken bus again (returning -ENOMEM on any
-attempt to access it).
-
-Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/kvm_host.h |  4 ++--
- virt/kvm/eventfd.c       |  3 ++-
- virt/kvm/kvm_main.c      | 40 +++++++++++++++++++++++-----------------
- 3 files changed, 27 insertions(+), 20 deletions(-)
-
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index c923350ca20a..d7ce4e3280db 100644
---- a/include/linux/kvm_host.h
-+++ b/include/linux/kvm_host.h
-@@ -182,8 +182,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
-                   int len, void *val);
- int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
-                           int len, struct kvm_io_device *dev);
--int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
--                            struct kvm_io_device *dev);
-+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-+                             struct kvm_io_device *dev);
- #ifdef CONFIG_KVM_ASYNC_PF
- struct kvm_async_pf {
-diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
-index 46dbc0a7dfc1..49001fa84ead 100644
---- a/virt/kvm/eventfd.c
-+++ b/virt/kvm/eventfd.c
-@@ -868,7 +868,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx,
-                       continue;
-               kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
--              kvm->buses[bus_idx]->ioeventfd_count--;
-+              if (kvm->buses[bus_idx])
-+                      kvm->buses[bus_idx]->ioeventfd_count--;
-               ioeventfd_release(p);
-               ret = 0;
-               break;
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 1ac5b7be7282..cb092bd9965b 100644
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -655,7 +655,8 @@ static void kvm_destroy_vm(struct kvm *kvm)
-       spin_unlock(&kvm_lock);
-       kvm_free_irq_routing(kvm);
-       for (i = 0; i < KVM_NR_BUSES; i++) {
--              kvm_io_bus_destroy(kvm->buses[i]);
-+              if (kvm->buses[i])
-+                      kvm_io_bus_destroy(kvm->buses[i]);
-               kvm->buses[i] = NULL;
-       }
-       kvm_coalesced_mmio_free(kvm);
-@@ -3273,6 +3274,8 @@ int kvm_io_bus_write(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
-       };
-       bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);
-+      if (!bus)
-+              return -ENOMEM;
-       r = __kvm_io_bus_write(vcpu, bus, &range, val);
-       return r < 0 ? r : 0;
- }
-@@ -3290,6 +3293,8 @@ int kvm_io_bus_write_cookie(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx,
-       };
-       bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);
-+      if (!bus)
-+              return -ENOMEM;
-       /* First try the device referenced by cookie. */
-       if ((cookie >= 0) && (cookie < bus->dev_count) &&
-@@ -3340,6 +3345,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
-       };
-       bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);
-+      if (!bus)
-+              return -ENOMEM;
-       r = __kvm_io_bus_read(vcpu, bus, &range, val);
-       return r < 0 ? r : 0;
- }
-@@ -3352,6 +3359,9 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
-       struct kvm_io_bus *new_bus, *bus;
-       bus = kvm->buses[bus_idx];
-+      if (!bus)
-+              return -ENOMEM;
-+
-       /* exclude ioeventfd which is limited by maximum fd */
-       if (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1)
-               return -ENOSPC;
-@@ -3371,45 +3381,41 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
- }
- /* Caller must hold slots_lock. */
--int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
--                            struct kvm_io_device *dev)
-+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-+                             struct kvm_io_device *dev)
- {
--      int i, r;
-+      int i;
-       struct kvm_io_bus *new_bus, *bus;
-       bus = kvm->buses[bus_idx];
--
--      /*
--       * It's possible the bus being released before hand. If so,
--       * we're done here.
--       */
-       if (!bus)
--              return 0;
-+              return;
--      r = -ENOENT;
-       for (i = 0; i < bus->dev_count; i++)
-               if (bus->range[i].dev == dev) {
--                      r = 0;
-                       break;
-               }
--      if (r)
--              return r;
-+      if (i == bus->dev_count)
-+              return;
-       new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
-                         sizeof(struct kvm_io_range)), GFP_KERNEL);
--      if (!new_bus)
--              return -ENOMEM;
-+      if (!new_bus)  {
-+              pr_err("kvm: failed to shrink bus, removing it completely\n");
-+              goto broken;
-+      }
-       memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
-       new_bus->dev_count--;
-       memcpy(new_bus->range + i, bus->range + i + 1,
-              (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
-+broken:
-       rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
-       synchronize_srcu_expedited(&kvm->srcu);
-       kfree(bus);
--      return r;
-+      return;
- }
- static struct notifier_block kvm_cpu_notifier = {
--- 
-2.12.2
-
 From 063d30f187f5c492aa4a6cca88b8afa08f5a170c Mon Sep 17 00:00:00 2001
 From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
 Date: Tue, 25 Oct 2016 11:37:59 +0200
@@ -10376,75 +6004,3 @@ index acbb0e73d3a2..7d7f99b0db47 100644
 -- 
 2.12.2
 
-From d4ad442b9982fba9eab0f9003c8cd185a1afeff6 Mon Sep 17 00:00:00 2001
-From: Marc Zyngier <marc.zyngier@arm.com>
-Date: Thu, 16 Mar 2017 18:20:50 +0000
-Subject: [PATCH 10/52] arm/arm64: KVM: Take mmap_sem in
- kvm_arch_prepare_memory_region
-Status: RO
-Content-Length: 2022
-Lines: 62
-
-commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream.
-
-We don't hold the mmap_sem while searching for VMAs (via find_vma), in
-kvm_arch_prepare_memory_region, which can end up in expected failures.
-
-Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time")
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Eric Auger <eric.auger@rehat.com>
-Reviewed-by: Christoffer Dall <cdall@linaro.org>
-[ Handle dirty page logging failure case ]
-Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/kvm/mmu.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
-index 5366a736151e..f91ee2f27b41 100644
---- a/arch/arm/kvm/mmu.c
-+++ b/arch/arm/kvm/mmu.c
-@@ -1761,6 +1761,7 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
-           (KVM_PHYS_SIZE >> PAGE_SHIFT))
-               return -EFAULT;
-+      down_read(&current->mm->mmap_sem);
-       /*
-        * A memory region could potentially cover multiple VMAs, and any holes
-        * between them, so iterate over all of them to find out if we can map
-@@ -1804,8 +1805,10 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
-                       pa += vm_start - vma->vm_start;
-                       /* IO region dirty page logging not allowed */
--                      if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES)
--                              return -EINVAL;
-+                      if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) {
-+                              ret = -EINVAL;
-+                              goto out;
-+                      }
-                       ret = kvm_phys_addr_ioremap(kvm, gpa, pa,
-                                                   vm_end - vm_start,
-@@ -1817,7 +1820,7 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
-       } while (hva < reg_end);
-       if (change == KVM_MR_FLAGS_ONLY)
--              return ret;
-+              goto out;
-       spin_lock(&kvm->mmu_lock);
-       if (ret)
-@@ -1825,6 +1828,8 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
-       else
-               stage2_flush_memslot(kvm, memslot);
-       spin_unlock(&kvm->mmu_lock);
-+out:
-+      up_read(&current->mm->mmap_sem);
-       return ret;
- }
--- 
-2.12.2
-
diff --git a/queue-3.18/acm-gadget-fix-endianness-in-notifications.patch b/queue-3.18/acm-gadget-fix-endianness-in-notifications.patch
new file mode 100644 (file)
index 0000000..99dda89
--- /dev/null
@@ -0,0 +1,43 @@
+From cdd7928df0d2efaa3270d711963773a08a4cc8ab Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 14 Mar 2017 12:09:56 +0100
+Subject: ACM gadget: fix endianness in notifications
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream.
+
+The gadget code exports the bitfield for serial status changes
+over the wire in its internal endianness. The fix is to convert
+to little endian before sending it over the wire.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Tested-by: 家瑋 <momo1208@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_acm.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_acm.c
++++ b/drivers/usb/gadget/function/f_acm.c
+@@ -540,13 +540,15 @@ static int acm_notify_serial_state(struc
+ {
+       struct usb_composite_dev *cdev = acm->port.func.config->cdev;
+       int                     status;
++      __le16                  serial_state;
+       spin_lock(&acm->lock);
+       if (acm->notify_req) {
+               dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n",
+                       acm->port_num, acm->serial_state);
++              serial_state = cpu_to_le16(acm->serial_state);
+               status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE,
+-                              0, &acm->serial_state, sizeof(acm->serial_state));
++                              0, &serial_state, sizeof(acm->serial_state));
+       } else {
+               acm->pending = true;
+               status = 0;
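Review bot: The length passed to acm_cdc_notify() is still `sizeof(acm->serial_state)` although the buffer is now the local `serial_state`; taking the size from the object actually passed, `0, &serial_state, sizeof(serial_state));`, keeps pointer and length tied together. As shown the two are presumably the same 16-bit width, so this is a robustness point rather than a defect. If the struct field were ever widened, the call would read past the stack local and put adjacent stack bytes into the notification. acm_notify_serial_state continues outside the hunk.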
diff --git a/queue-3.18/acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch b/queue-3.18/acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch
new file mode 100644 (file)
index 0000000..f70e5a7
--- /dev/null
@@ -0,0 +1,40 @@
+From 08f63d97749185fab942a3a47ed80f5bd89b8b7d Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 22 Mar 2017 18:33:25 +0100
+Subject: ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 08f63d97749185fab942a3a47ed80f5bd89b8b7d upstream.
+
+No platform-device is required for IO(x)APICs, so don't even
+create them.
+
+[ rjw: This fixes a problem with leaking platform device objects
+  after IOAPIC/IOxAPIC hot-removal events.]
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_platform.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -24,9 +24,11 @@
+ ACPI_MODULE_NAME("platform");
+ static const struct acpi_device_id forbidden_id_list[] = {
+-      {"PNP0000", 0}, /* PIC */
+-      {"PNP0100", 0}, /* Timer */
+-      {"PNP0200", 0}, /* AT DMA Controller */
++      {"PNP0000",  0},        /* PIC */
++      {"PNP0100",  0},        /* Timer */
++      {"PNP0200",  0},        /* AT DMA Controller */
++      {"ACPI0009", 0},        /* IOxAPIC */
++      {"ACPI000A", 0},        /* IOAPIC */
+       {"", 0},
+ };
diff --git a/queue-3.18/acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch b/queue-3.18/acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch
new file mode 100644 (file)
index 0000000..69a6661
--- /dev/null
@@ -0,0 +1,55 @@
+From 61b79e16c68d703dde58c25d3935d67210b7d71b Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 16 Mar 2017 08:56:28 -0500
+Subject: ACPI: Fix incompatibility with mcount-based function graph tracing
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream.
+
+Paul Menzel reported a warning:
+
+  WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
+  Bad frame pointer: expected f6919d98, received f6919db0
+    from func acpi_pm_device_sleep_wake return to c43b6f9d
+
+The warning means that function graph tracing is broken for the
+acpi_pm_device_sleep_wake() function.  That's because the ACPI Makefile
+unconditionally sets the '-Os' gcc flag to optimize for size.  That's an
+issue because mcount-based function graph tracing is incompatible with
+'-Os' on x86, thanks to the following gcc bug:
+
+  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109
+
+I have another patch pending which will ensure that mcount-based
+function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
+x86.
+
+But this patch is needed in addition to that one because the ACPI
+Makefile overrides that config option for no apparent reason.  It has
+had this flag since the beginning of git history, and there's no related
+comment, so I don't know why it's there.  As far as I can tell, there's
+no reason for it to be there.  The appropriate behavior is for it to
+honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
+kernel.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/Makefile |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/acpi/Makefile
++++ b/drivers/acpi/Makefile
+@@ -2,7 +2,6 @@
+ # Makefile for the Linux ACPI interpreter
+ #
+-ccflags-y                     := -Os
+ ccflags-$(CONFIG_ACPI_DEBUG)  += -DACPI_DEBUG_OUTPUT
+ #
diff --git a/queue-3.18/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch b/queue-3.18/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
new file mode 100644 (file)
index 0000000..d4c57e5
--- /dev/null
@@ -0,0 +1,44 @@
+From 72f310481a08db821b614e7b5d00febcc9064b36 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Mar 2017 18:20:50 +0000
+Subject: arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream.
+
+We don't hold the mmap_sem while searching for VMAs (via find_vma), in
+kvm_arch_prepare_memory_region, which can end up in expected failures.
+
+Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time")
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Eric Auger <eric.auger@rehat.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+[ Handle dirty page logging failure case ]
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/mmu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1407,6 +1407,7 @@ int kvm_arch_prepare_memory_region(struc
+           (KVM_PHYS_SIZE >> PAGE_SHIFT))
+               return -EFAULT;
++      down_read(&current->mm->mmap_sem);
+       /*
+        * A memory region could potentially cover multiple VMAs, and any holes
+        * between them, so iterate over all of them to find out if we can map
+@@ -1464,6 +1465,8 @@ int kvm_arch_prepare_memory_region(struc
+       else
+               stage2_flush_memslot(kvm, memslot);
+       spin_unlock(&kvm->mmu_lock);
++
++      up_read(&current->mm->mmap_sem);
+       return ret;
+ }
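Review bot: Every exit from kvm_arch_prepare_memory_region after the added `down_read(&current->mm->mmap_sem)` has to pass through the single `up_read()` added before the final `return ret`, and the body between the two hunks is not shown. This backport is 3 insertions, while the copy of the same upstream commit that this page removes from the mbox file is 8 insertions and 3 deletions, because it also turned a `return -EINVAL` and a `return ret` in that region into `goto out`. Presumably the 3.18 function has no return statement between the lock and the unlock, but that should be confirmed against the tree, since a missed one would leave mmap_sem read-held when the ioctl returns. If one exists, it should go through a label placed before the unlock, `out:` followed by `up_read(&current->mm->mmap_sem);`.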
diff --git a/queue-3.18/ext4-mark-inode-dirty-after-converting-inline-directory.patch b/queue-3.18/ext4-mark-inode-dirty-after-converting-inline-directory.patch
new file mode 100644 (file)
index 0000000..9f5bc15
--- /dev/null
@@ -0,0 +1,46 @@
+From b9cf625d6ecde0d372e23ae022feead72b4228a6 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 15 Mar 2017 14:52:02 -0400
+Subject: ext4: mark inode dirty after converting inline directory
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit b9cf625d6ecde0d372e23ae022feead72b4228a6 upstream.
+
+If ext4_convert_inline_data() was called on a directory with inline
+data, the filesystem was left in an inconsistent state (as considered by
+e2fsck) because the file size was not increased to cover the new block.
+This happened because the inode was not marked dirty after i_disksize
+was updated.  Fix this by marking the inode dirty at the end of
+ext4_finish_convert_inline_dir().
+
+This bug was probably not noticed before because most users mark the
+inode dirty afterwards for other reasons.  But if userspace executed
+FS_IOC_SET_ENCRYPTION_POLICY with invalid parameters, as exercised by
+'kvm-xfstests -c adv generic/396', then the inode was never marked dirty
+after updating i_disksize.
+
+Fixes: 3c47d54170b6a678875566b1b8d6dcf57904e49b
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1148,10 +1148,9 @@ static int ext4_finish_convert_inline_di
+       set_buffer_uptodate(dir_block);
+       err = ext4_handle_dirty_dirent_node(handle, inode, dir_block);
+       if (err)
+-              goto out;
++              return err;
+       set_buffer_verified(dir_block);
+-out:
+-      return err;
++      return ext4_mark_inode_dirty(handle, inode);
+ }
+ static int ext4_convert_inline_data_nolock(handle_t *handle,
diff --git a/queue-3.18/igb-add-i211-to-i210-phy-workaround.patch b/queue-3.18/igb-add-i211-to-i210-phy-workaround.patch
new file mode 100644 (file)
index 0000000..2b78612
--- /dev/null
@@ -0,0 +1,32 @@
+From 5bc8c230e2a993b49244f9457499f17283da9ec7 Mon Sep 17 00:00:00 2001
+From: Todd Fujinaka <todd.fujinaka@intel.com>
+Date: Mon, 28 Nov 2016 09:09:57 -0800
+Subject: igb: add i211 to i210 PHY workaround
+
+From: Todd Fujinaka <todd.fujinaka@intel.com>
+
+commit 5bc8c230e2a993b49244f9457499f17283da9ec7 upstream.
+
+i210 and i211 share the same PHY but have different PCI IDs. Don't
+forget i211 for any i210 workarounds.
+
+Signed-off-by: Todd Fujinaka <todd.fujinaka@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/e1000_phy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igb/e1000_phy.c
++++ b/drivers/net/ethernet/intel/igb/e1000_phy.c
+@@ -84,7 +84,7 @@ s32 igb_get_phy_id(struct e1000_hw *hw)
+       u16 phy_id;
+       /* ensure PHY page selection to fix misconfigured i210 */
+-      if (hw->mac.type == e1000_i210)
++      if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211))
+               phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);
+       ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id);
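Review bot: The return value of `phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0)` is discarded, both here and where the workaround is introduced in igb-workaround-for-igb-i210-firmware-issue.patch. If that write fails, the `PHY_ID1` read that follows may still land on the wrong page, and the resulting probe failure would carry no hint of the cause. If the write is meant to be best-effort, the comment should say so, e.g. `/* best effort; return value intentionally ignored */`; otherwise propagate it with `ret_val = phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0); if (ret_val) goto out;`. igb_get_phy_id continues outside the hunk.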
diff --git a/queue-3.18/igb-workaround-for-igb-i210-firmware-issue.patch b/queue-3.18/igb-workaround-for-igb-i210-firmware-issue.patch
new file mode 100644 (file)
index 0000000..6c7b983
--- /dev/null
@@ -0,0 +1,37 @@
+From 4e684f59d760a2c7c716bb60190783546e2d08a1 Mon Sep 17 00:00:00 2001
+From: Chris J Arges <christopherarges@gmail.com>
+Date: Wed, 2 Nov 2016 09:13:42 -0500
+Subject: igb: Workaround for igb i210 firmware issue
+
+From: Chris J Arges <christopherarges@gmail.com>
+
+commit 4e684f59d760a2c7c716bb60190783546e2d08a1 upstream.
+
+Sometimes firmware may not properly initialize I347AT4_PAGE_SELECT causing
+the probe of an igb i210 NIC to fail. This patch adds an addition zeroing
+of this register during igb_get_phy_id to workaround this issue.
+
+Thanks for Jochen Henneberg for the idea and original patch.
+
+Signed-off-by: Chris J Arges <christopherarges@gmail.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/e1000_phy.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igb/e1000_phy.c
++++ b/drivers/net/ethernet/intel/igb/e1000_phy.c
+@@ -83,6 +83,10 @@ s32 igb_get_phy_id(struct e1000_hw *hw)
+       s32 ret_val = 0;
+       u16 phy_id;
++      /* ensure PHY page selection to fix misconfigured i210 */
++      if (hw->mac.type == e1000_i210)
++              phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);
++
+       ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id);
+       if (ret_val)
+               goto out;
diff --git a/queue-3.18/iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch b/queue-3.18/iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch
new file mode 100644 (file)
index 0000000..9e3869c
--- /dev/null
@@ -0,0 +1,70 @@
+From e83bb3e6f3efa21f4a9d883a25d0ecd9dfb431e1 Mon Sep 17 00:00:00 2001
+From: Michael Engl <michael.engl@wjw-solutions.com>
+Date: Tue, 3 Oct 2017 13:57:00 +0100
+Subject: iio: adc: ti_am335x_adc: fix fifo overrun recovery
+
+From: Michael Engl <michael.engl@wjw-solutions.com>
+
+commit e83bb3e6f3efa21f4a9d883a25d0ecd9dfb431e1 upstream.
+
+The tiadc_irq_h(int irq, void *private) function is handling FIFO
+overruns by clearing flags, disabling and enabling the ADC to
+recover.
+
+If the ADC is running in continuous mode a FIFO overrun happens
+regularly. If the disabling of the ADC happens concurrently with
+a new conversion. It might happen that the enabling of the ADC
+is ignored by the hardware. This stops the ADC permanently. No
+more interrupts are triggered.
+
+According to the AM335x Reference Manual (SPRUH73H October 2011 -
+Revised April 2013 - Chapter 12.4 and 12.5) it is necessary to
+check the ADC FSM bits in REG_ADCFSM before enabling the ADC
+again. Because the disabling of the ADC is done right after the
+current conversion has been finished.
+
+To trigger this bug it is necessary to run the ADC in continuous
+mode. The ADC values of all channels need to be read in an endless
+loop. The bug appears within the first 6 hours (~5.4 million
+handled FIFO overruns). The user space application will hang on
+reading new values from the character device.
+
+Fixes: ca9a563805f7a ("iio: ti_am335x_adc: Add continuous sampling
+support")
+Signed-off-by: Michael Engl <michael.engl@wjw-solutions.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti_am335x_adc.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -122,7 +122,9 @@ static irqreturn_t tiadc_irq_h(int irq,
+ {
+       struct iio_dev *indio_dev = private;
+       struct tiadc_device *adc_dev = iio_priv(indio_dev);
+-      unsigned int status, config;
++      unsigned int status, config, adc_fsm;
++      unsigned short count = 0;
++
+       status = tiadc_readl(adc_dev, REG_IRQSTATUS);
+       /*
+@@ -136,6 +138,15 @@ static irqreturn_t tiadc_irq_h(int irq,
+               tiadc_writel(adc_dev, REG_CTRL, config);
+               tiadc_writel(adc_dev, REG_IRQSTATUS, IRQENB_FIFO1OVRRUN
+                               | IRQENB_FIFO1UNDRFLW | IRQENB_FIFO1THRES);
++
++              /* wait for idle state.
++               * ADC needs to finish the current conversion
++               * before disabling the module
++               */
++              do {
++                      adc_fsm = tiadc_readl(adc_dev, REG_ADCFSM);
++              } while (adc_fsm != 0x10 && count++ < 100);
++
+               tiadc_writel(adc_dev, REG_CTRL, (config | CNTRLREG_TSCSSENB));
+               return IRQ_HANDLED;
+       } else if (status & IRQENB_FIFO1THRES) {
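Review bot: The new poll loop gives up silently after 100 reads of `REG_ADCFSM`, and the next line re-enables the ADC regardless, which is the situation the commit message says can stop the ADC permanently. There is no delay between reads, so the time budget depends on register access latency rather than on a conversion time; a timeout should at least be reported, e.g. `if (adc_fsm != 0x10) dev_warn_ratelimited(&indio_dev->dev, "ADC FSM not idle before re-enable\n");`. The bare `0x10` would read better as a named constant for the idle state, and the comment says "before disabling the module" although the wait sits before the re-enable. tiadc_irq_h continues outside the hunk.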
diff --git a/queue-3.18/input-cm109-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-cm109-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..1b70363
--- /dev/null
@@ -0,0 +1,34 @@
+From ac2ee9ba953afe88f7a673e1c0c839227b1d7891 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:35:12 -0700
+Subject: Input: cm109 - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/cm109.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/cm109.c
++++ b/drivers/input/misc/cm109.c
+@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_in
+       int error = -ENOMEM;
+       interface = intf->cur_altsetting;
++
++      if (interface->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       endpoint = &interface->endpoint[0].desc;
+       if (!usb_endpoint_is_int_in(endpoint))
diff --git a/queue-3.18/input-hanwang-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-hanwang-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..c97f280
--- /dev/null
@@ -0,0 +1,33 @@
+From ba340d7b83703768ce566f53f857543359aa1b98 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:39:29 -0700
+Subject: Input: hanwang - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ba340d7b83703768ce566f53f857543359aa1b98 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/hanwang.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/hanwang.c
++++ b/drivers/input/tablet/hanwang.c
+@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_inte
+       int error;
+       int i;
++      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL);
+       input_dev = input_allocate_device();
+       if (!hanwang || !input_dev) {
diff --git a/queue-3.18/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch b/queue-3.18/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
new file mode 100644 (file)
index 0000000..252ab27
--- /dev/null
@@ -0,0 +1,40 @@
+From 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 7 Mar 2017 09:31:29 -0800
+Subject: Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.
+
+The aux port does not get detected without noloop quirk, so external PS/2
+mouse cannot work as result.
+
+The PS/2 mouse can work with this quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1591053
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -120,6 +120,13 @@ static const struct dmi_system_id __init
+               },
+       },
+       {
++              /* Dell Embedded Box PC 3000 */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"),
++              },
++      },
++      {
+               /* OQO Model 01 */
+               .matches = {
+                       DMI_MATCH(DMI_SYS_VENDOR, "OQO"),
diff --git a/queue-3.18/input-iforce-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-iforce-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..d93dffa
--- /dev/null
@@ -0,0 +1,33 @@
+From 59cf8bed44a79ec42303151dd014fdb6434254bb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:34:02 -0700
+Subject: Input: iforce - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/iforce/iforce-usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/iforce/iforce-usb.c
++++ b/drivers/input/joystick/iforce/iforce-usb.c
+@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_i
+       interface = intf->cur_altsetting;
++      if (interface->desc.bNumEndpoints < 2)
++              return -ENODEV;
++
+       epirq = &interface->endpoint[0].desc;
+       epout = &interface->endpoint[1].desc;
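Review bot: The `bNumEndpoints < 2` guard makes the `endpoint[0]` and `endpoint[1]` lookups safe, but nothing in the hunk checks that the two descriptors have the type and direction the driver expects, so descriptors of an unexpected kind still reach the URB setup. The cm109 and yealink patches in this queue are followed by `usb_endpoint_is_int_in(endpoint)`; the equivalent here would be `if (!usb_endpoint_is_int_in(epirq) || !usb_endpoint_is_int_out(epout)) return -ENODEV;`, assuming interrupt transfers are what the rest of iforce_usb_probe uses. The same question applies to `pcu->ep_ctrl` in input-ims-pcu-validate-number-of-endpoints-before-using-them.patch, which goes straight to `usb_endpoint_maxp()`. The rest of both functions is outside the hunks, so such a check may already exist there.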
diff --git a/queue-3.18/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..725bacf
--- /dev/null
@@ -0,0 +1,34 @@
+From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:36:13 -0700
+Subject: Input: ims-pcu - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack control-interface endpoints.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/ims-pcu.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct
+               return -EINVAL;
+       alt = pcu->ctrl_intf->cur_altsetting;
++
++      if (alt->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       pcu->ep_ctrl = &alt->endpoint[0].desc;
+       pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
diff --git a/queue-3.18/input-kbtab-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-kbtab-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..35c645a
--- /dev/null
@@ -0,0 +1,32 @@
+From cb1b494663e037253337623bf1ef2df727883cb7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:41:55 -0700
+Subject: Input: kbtab - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/kbtab.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/kbtab.c
++++ b/drivers/input/tablet/kbtab.c
+@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interf
+       struct input_dev *input_dev;
+       int error = -ENOMEM;
++      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
+       input_dev = input_allocate_device();
+       if (!kbtab || !input_dev)
diff --git a/queue-3.18/input-sur40-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-sur40-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..0ae75af
--- /dev/null
@@ -0,0 +1,34 @@
+From 92461f5d723037530c1f36cce93640770037812c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:43:09 -0700
+Subject: Input: sur40 - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92461f5d723037530c1f36cce93640770037812c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -361,6 +361,9 @@ static int sur40_probe(struct usb_interf
+       if (iface_desc->desc.bInterfaceClass != 0xFF)
+               return -ENODEV;
++      if (iface_desc->desc.bNumEndpoints < 5)
++              return -ENODEV;
++
+       /* Use endpoint #4 (0x86). */
+       endpoint = &iface_desc->endpoint[4].desc;
+       if (endpoint->bEndpointAddress != TOUCH_ENDPOINT)
diff --git a/queue-3.18/input-yealink-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-yealink-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..ed8a654
--- /dev/null
@@ -0,0 +1,34 @@
+From 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:37:01 -0700
+Subject: Input: yealink - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/yealink.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/yealink.c
++++ b/drivers/input/misc/yealink.c
+@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interfac
+       int ret, pipe, i;
+       interface = intf->cur_altsetting;
++
++      if (interface->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       endpoint = &interface->endpoint[0].desc;
+       if (!usb_endpoint_is_int_in(endpoint))
+               return -ENODEV;
diff --git a/queue-3.18/iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch b/queue-3.18/iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch
new file mode 100644 (file)
index 0000000..5751414
--- /dev/null
@@ -0,0 +1,77 @@
+From 5003ae1e735e6bfe4679d9bed6846274f322e77e Mon Sep 17 00:00:00 2001
+From: Koos Vriezen <koos.vriezen@gmail.com>
+Date: Wed, 1 Mar 2017 21:02:50 +0100
+Subject: iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
+
+From: Koos Vriezen <koos.vriezen@gmail.com>
+
+commit 5003ae1e735e6bfe4679d9bed6846274f322e77e upstream.
+
+The function device_to_iommu() in the Intel VT-d driver
+lacks a NULL-ptr check, resulting in this oops at boot on
+some platforms:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000007ab
+ IP: [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
+ PGD 0
+
+ [...]
+
+ Call Trace:
+   ? find_or_alloc_domain.constprop.29+0x1a/0x300
+   ? dw_dma_probe+0x561/0x580 [dw_dmac_core]
+   ? __get_valid_domain_for_dev+0x39/0x120
+   ? __intel_map_single+0x138/0x180
+   ? intel_alloc_coherent+0xb6/0x120
+   ? sst_hsw_dsp_init+0x173/0x420 [snd_soc_sst_haswell_pcm]
+   ? mutex_lock+0x9/0x30
+   ? kernfs_add_one+0xdb/0x130
+   ? devres_add+0x19/0x60
+   ? hsw_pcm_dev_probe+0x46/0xd0 [snd_soc_sst_haswell_pcm]
+   ? platform_drv_probe+0x30/0x90
+   ? driver_probe_device+0x1ed/0x2b0
+   ? __driver_attach+0x8f/0xa0
+   ? driver_probe_device+0x2b0/0x2b0
+   ? bus_for_each_dev+0x55/0x90
+   ? bus_add_driver+0x110/0x210
+   ? 0xffffffffa11ea000
+   ? driver_register+0x52/0xc0
+   ? 0xffffffffa11ea000
+   ? do_one_initcall+0x32/0x130
+   ? free_vmap_area_noflush+0x37/0x70
+   ? kmem_cache_alloc+0x88/0xd0
+   ? do_init_module+0x51/0x1c4
+   ? load_module+0x1ee9/0x2430
+   ? show_taint+0x20/0x20
+   ? kernel_read_file+0xfd/0x190
+   ? SyS_finit_module+0xa3/0xb0
+   ? do_syscall_64+0x4a/0xb0
+   ? entry_SYSCALL64_slow_path+0x25/0x25
+ Code: 78 ff ff ff 4d 85 c0 74 ee 49 8b 5a 10 0f b6 9b e0 00 00 00 41 38 98 e0 00 00 00 77 da 0f b6 eb 49 39 a8 88 00 00 00 72 ce eb 8f <41> f6 82 ab 07 00 00 04 0f 85 76 ff ff ff 0f b6 4d 08 88 0e 49
+ RIP  [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
+  RSP <ffffc90001457a78>
+ CR2: 00000000000007ab
+ ---[ end trace 16f974b6d58d0aad ]---
+
+Add the missing pointer check.
+
+Fixes: 1c387188c60f53b338c20eee32db055dfe022a9b ("iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions")
+Signed-off-by: Koos Vriezen <koos.vriezen@gmail.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -719,7 +719,7 @@ static struct intel_iommu *device_to_iom
+                                * which we used for the IOMMU lookup. Strictly speaking
+                                * we could do this for all PCI devices; we only need to
+                                * get the BDF# from the scope table for ACPI matches. */
+-                              if (pdev->is_virtfn)
++                              if (pdev && pdev->is_virtfn)
+                                       goto got_pdev;
+                               *bus = drhd->devices[i].bus;
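Review bot: The existing comment above the test only talks about PCI virtual functions and gives no reason why `pdev` can be NULL, which is what the added `pdev &&` guards against. The call trace in the message goes through `platform_drv_probe`, so this path is presumably reached for non-PCI devices; a line such as `/* pdev is NULL for non-PCI devices (e.g. ACPI/platform) */` above the test would keep the guard from being dropped in a later cleanup. device_to_iommu starts and ends outside the hunk, so other `pdev` dereferences in the loop cannot be checked from here.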
diff --git a/queue-3.18/ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch b/queue-3.18/ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch
new file mode 100644 (file)
index 0000000..81e7c3d
--- /dev/null
@@ -0,0 +1,39 @@
+From c64c0b3cac4c5b8cb093727d2c19743ea3965c0b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 21 Mar 2017 19:22:28 -0700
+Subject: ipv4: provide stronger user input validation in nl_fib_input()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b upstream.
+
+Alexander reported a KMSAN splat caused by reads of uninitialized
+field (tb_id_in) from user provided struct fib_result_nl
+
+It turns out nl_fib_input() sanity tests on user input is a bit
+wrong :
+
+User can pretend nlh->nlmsg_len is big enough, but provide
+at sendmsg() time a too small buffer.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/fib_frontend.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -961,7 +961,8 @@ static void nl_fib_input(struct sk_buff
+       net = sock_net(skb->sk);
+       nlh = nlmsg_hdr(skb);
+-      if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len ||
++      if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
++          skb->len < nlh->nlmsg_len ||
+           nlmsg_len(nlh) < sizeof(*frn))
+               return;
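Review bot: The third test, `nlmsg_len(nlh) < sizeof(*frn)`, compares a signed value with a `size_t`, so it does not reject a header whose `nlmsg_len` is smaller than `NLMSG_HDRLEN`. As far as I know nlmsg_len() returns `int` (`nlh->nlmsg_len - NLMSG_HDRLEN`), and a negative result converts to a large unsigned value, which makes the test false. The new first test already guarantees that the skb holds a full `*frn`, so this is not an out-of-bounds read, but the malformed message is processed instead of dropped; `nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frn))` would state the intent without the conversion. A one-line comment that the `skb->len` test must stay first, because it is what makes reading `nlh->nlmsg_len` safe, would also help. nl_fib_input continues outside the hunk.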
diff --git a/queue-3.18/isdn-gigaset-fix-null-deref-at-probe.patch b/queue-3.18/isdn-gigaset-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..01bd364
--- /dev/null
@@ -0,0 +1,35 @@
+From 68c32f9c2a36d410aa242e661506e5b2c2764179 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:39:01 +0100
+Subject: isdn/gigaset: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 68c32f9c2a36d410aa242e661506e5b2c2764179 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: cf7776dc05b8 ("[PATCH] isdn4linux: Siemens Gigaset drivers -
+direct USB connection")
+Cc: Hansjoerg Lipp <hjlipp@web.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/gigaset/bas-gigaset.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -2317,6 +2317,9 @@ static int gigaset_probe(struct usb_inte
+               return -ENODEV;
+       }
++      if (hostif->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       dev_info(&udev->dev,
+                "%s: Device matched (Vendor: 0x%x, Product: 0x%x)\n",
+                __func__, le16_to_cpu(udev->descriptor.idVendor),
diff --git a/queue-3.18/kvm-kvm_io_bus_unregister_dev-should-never-fail.patch b/queue-3.18/kvm-kvm_io_bus_unregister_dev-should-never-fail.patch
new file mode 100644 (file)
index 0000000..285e4b5
--- /dev/null
@@ -0,0 +1,167 @@
+From 90db10434b163e46da413d34db8d0e77404cc645 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 23 Mar 2017 18:24:19 +0100
+Subject: KVM: kvm_io_bus_unregister_dev() should never fail
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.
+
+No caller currently checks the return value of
+kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
+freeing their device. A stale reference will remain in the io_bus,
+getting at least used again, when the iobus gets teared down on
+kvm_destroy_vm() - leading to use after free errors.
+
+There is nothing the callers could do, except retrying over and over
+again.
+
+So let's simply remove the bus altogether, print an error and make
+sure no one can access this broken bus again (returning -ENOMEM on any
+attempt to access it).
+
+Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kvm_host.h |    4 ++--
+ virt/kvm/eventfd.c       |    3 ++-
+ virt/kvm/kvm_main.c      |   40 +++++++++++++++++++++++-----------------
+ 3 files changed, 27 insertions(+), 20 deletions(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -177,8 +177,8 @@ int kvm_io_bus_read(struct kvm *kvm, enu
+                   void *val);
+ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+                           int len, struct kvm_io_device *dev);
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+-                            struct kvm_io_device *dev);
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++                             struct kvm_io_device *dev);
+ #ifdef CONFIG_KVM_ASYNC_PF
+ struct kvm_async_pf {
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -866,7 +866,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *k
+                       continue;
+               kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
+-              kvm->buses[bus_idx]->ioeventfd_count--;
++              if (kvm->buses[bus_idx])
++                      kvm->buses[bus_idx]->ioeventfd_count--;
+               ioeventfd_release(p);
+               ret = 0;
+               break;
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -615,7 +615,8 @@ static void kvm_destroy_vm(struct kvm *k
+       spin_unlock(&kvm_lock);
+       kvm_free_irq_routing(kvm);
+       for (i = 0; i < KVM_NR_BUSES; i++) {
+-              kvm_io_bus_destroy(kvm->buses[i]);
++              if (kvm->buses[i])
++                      kvm_io_bus_destroy(kvm->buses[i]);
+               kvm->buses[i] = NULL;
+       }
+       kvm_coalesced_mmio_free(kvm);
+@@ -2980,6 +2981,8 @@ int kvm_io_bus_write(struct kvm *kvm, en
+       };
+       bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++      if (!bus)
++              return -ENOMEM;
+       r = __kvm_io_bus_write(bus, &range, val);
+       return r < 0 ? r : 0;
+ }
+@@ -2997,6 +3000,8 @@ int kvm_io_bus_write_cookie(struct kvm *
+       };
+       bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++      if (!bus)
++              return -ENOMEM;
+       /* First try the device referenced by cookie. */
+       if ((cookie >= 0) && (cookie < bus->dev_count) &&
+@@ -3047,6 +3052,8 @@ int kvm_io_bus_read(struct kvm *kvm, enu
+       };
+       bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++      if (!bus)
++              return -ENOMEM;
+       r = __kvm_io_bus_read(bus, &range, val);
+       return r < 0 ? r : 0;
+ }
+@@ -3059,6 +3066,9 @@ int kvm_io_bus_register_dev(struct kvm *
+       struct kvm_io_bus *new_bus, *bus;
+       bus = kvm->buses[bus_idx];
++      if (!bus)
++              return -ENOMEM;
++
+       /* exclude ioeventfd which is limited by maximum fd */
+       if (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1)
+               return -ENOSPC;
+@@ -3078,45 +3088,41 @@ int kvm_io_bus_register_dev(struct kvm *
+ }
+ /* Caller must hold slots_lock. */
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+-                            struct kvm_io_device *dev)
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++                             struct kvm_io_device *dev)
+ {
+-      int i, r;
++      int i;
+       struct kvm_io_bus *new_bus, *bus;
+       bus = kvm->buses[bus_idx];
+-
+-      /*
+-       * It's possible the bus being released before hand. If so,
+-       * we're done here.
+-       */
+       if (!bus)
+-              return 0;
++              return;
+-      r = -ENOENT;
+       for (i = 0; i < bus->dev_count; i++)
+               if (bus->range[i].dev == dev) {
+-                      r = 0;
+                       break;
+               }
+-      if (r)
+-              return r;
++      if (i == bus->dev_count)
++              return;
+       new_bus = kzalloc(sizeof(*bus) + ((bus->dev_count - 1) *
+                         sizeof(struct kvm_io_range)), GFP_KERNEL);
+-      if (!new_bus)
+-              return -ENOMEM;
++      if (!new_bus)  {
++              pr_err("kvm: failed to shrink bus, removing it completely\n");
++              goto broken;
++      }
+       memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
+       new_bus->dev_count--;
+       memcpy(new_bus->range + i, bus->range + i + 1,
+              (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
++broken:
+       rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
+       synchronize_srcu_expedited(&kvm->srcu);
+       kfree(bus);
+-      return r;
++      return;
+ }
+ static struct notifier_block kvm_cpu_notifier = {
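Review bot: On the `broken:` path of kvm_io_bus_unregister_dev the old bus is released with `kfree(bus)` while it still lists every other registered device, and `kvm->buses[bus_idx]` becomes NULL, so kvm_destroy_vm now skips kvm_io_bus_destroy for that bus. If kvm_io_bus_destroy is what runs the per-device destructors (its body is not in this patch), the remaining devices on the bus are never released after the allocation failure. The sketch below runs those destructors on the failure path after the SRCU grace period; it assumes kvm_iodevice_destructor() is usable here and that the caller still frees the device being unregistered. The NULL checks cover the accessors touched by this patch, so any other dereference of `kvm->buses[]` outside these hunks needs the same guard. The trailing `return;` in the now-void function can be dropped.

```c
	/* … unchanged: broken: label and rcu_assign_pointer() … */
	synchronize_srcu_expedited(&kvm->srcu);

	/* Bus is gone: release the devices that can no longer be reached. */
	if (!new_bus) {
		int j;

		for (j = 0; j < bus->dev_count; j++) {
			if (j == i)
				continue;	/* freed by the caller */
			kvm_iodevice_destructor(bus->range[j].dev);
		}
	}
	kfree(bus);
```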
diff --git a/queue-3.18/kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch b/queue-3.18/kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch
new file mode 100644 (file)
index 0000000..91fca5b
--- /dev/null
@@ -0,0 +1,50 @@
+From 708e75a3ee750dce1072134e630d66c4e6eaf63c Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 18 May 2016 21:01:20 +0200
+Subject: KVM: PPC: Book3S PR: Fix illegal opcode emulation
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 708e75a3ee750dce1072134e630d66c4e6eaf63c upstream.
+
+If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate
+one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls
+kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction()
+returned EMULATE_FAIL, so the guest gets an program interrupt for the
+illegal opcode.
+However, the kvmppc_emulate_instruction() also tried to inject a
+program exception for this already, so the program interrupt gets
+injected twice and the return address in srr0 gets destroyed.
+All other callers of kvmppc_emulate_instruction() are also injecting
+a program interrupt, and since the callers have the right knowledge
+about the srr1 flags that should be used, it is the function
+kvmppc_emulate_instruction() that should _not_ inject program
+interrupts, so remove the kvmppc_core_queue_program() here.
+
+This fixes the issue discovered by Laurent Vivier with kvm-unit-tests
+where the logs are filled with these messages when the test tries
+to execute an illegal instruction:
+
+     Couldn't emulate instruction 0x00000000 (op 0 xop 0)
+     kvmppc_handle_exit_pr: emulation at 700 failed (00000000)
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Alexander Graf <agraf@suse.de>
+Tested-by: Laurent Vivier <lvivier@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/emulate.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/powerpc/kvm/emulate.c
++++ b/arch/powerpc/kvm/emulate.c
+@@ -302,7 +302,6 @@ int kvmppc_emulate_instruction(struct kv
+                       advance = 0;
+                       printk(KERN_ERR "Couldn't emulate instruction 0x%08x "
+                              "(op %d xop %d)\n", inst, get_op(inst), get_xop(inst));
+-                      kvmppc_core_queue_program(vcpu, 0);
+               }
+       }
diff --git a/queue-3.18/kvm-x86-clear-bus-pointer-when-destroyed.patch b/queue-3.18/kvm-x86-clear-bus-pointer-when-destroyed.patch
new file mode 100644 (file)
index 0000000..c44e697
--- /dev/null
@@ -0,0 +1,53 @@
+From df630b8c1e851b5e265dc2ca9c87222e342c093b Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 15 Mar 2017 16:01:17 +0800
+Subject: KVM: x86: clear bus pointer when destroyed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Xu <peterx@redhat.com>
+
+commit df630b8c1e851b5e265dc2ca9c87222e342c093b upstream.
+
+When releasing the bus, let's clear the bus pointers to mark it out. If
+any further device unregister happens on this bus, we know that we're
+done if we found the bus being released already.
+
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -614,8 +614,10 @@ static void kvm_destroy_vm(struct kvm *k
+       list_del(&kvm->vm_list);
+       spin_unlock(&kvm_lock);
+       kvm_free_irq_routing(kvm);
+-      for (i = 0; i < KVM_NR_BUSES; i++)
++      for (i = 0; i < KVM_NR_BUSES; i++) {
+               kvm_io_bus_destroy(kvm->buses[i]);
++              kvm->buses[i] = NULL;
++      }
+       kvm_coalesced_mmio_free(kvm);
+ #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
+       mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
+@@ -3083,6 +3085,14 @@ int kvm_io_bus_unregister_dev(struct kvm
+       struct kvm_io_bus *new_bus, *bus;
+       bus = kvm->buses[bus_idx];
++
++      /*
++       * It's possible the bus being released before hand. If so,
++       * we're done here.
++       */
++      if (!bus)
++              return 0;
++
+       r = -ENOENT;
+       for (i = 0; i < bus->dev_count; i++)
+               if (bus->range[i].dev == dev) {
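Review bot: Storing `kvm->buses[i] = NULL` in kvm_destroy_vm() makes a NULL bus a legal state, but the only consumer this patch guards is kvm_io_bus_unregister_dev(). Any other path that dereferences `kvm->buses[bus_idx]` once teardown has started would need the same `if (!bus)` test. Those paths are outside the hunk, so this should be checked against the 3.18 tree before relying on the new invariant. The added comment would read more clearly as `/* The bus may already have been released; nothing to do in that case. */`. Both functions start and end outside the visible hunks.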
diff --git a/queue-3.18/md-raid1-10-fix-potential-deadlock.patch b/queue-3.18/md-raid1-10-fix-potential-deadlock.patch
new file mode 100644 (file)
index 0000000..203bc48
--- /dev/null
@@ -0,0 +1,90 @@
+From 61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 Mon Sep 17 00:00:00 2001
+From: Shaohua Li <shli@fb.com>
+Date: Tue, 28 Feb 2017 13:00:20 -0800
+Subject: md/raid1/10: fix potential deadlock
+
+From: Shaohua Li <shli@fb.com>
+
+commit 61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 upstream.
+
+Neil Brown pointed out a potential deadlock in raid 10 code with
+bio_split/chain. The raid1 code could have the same issue, but recent
+barrier rework makes it less likely to happen. The deadlock happens in
+below sequence:
+
+1. generic_make_request(bio), this will set current->bio_list
+2. raid10_make_request will split bio to bio1 and bio2
+3. __make_request(bio1), wait_barrer, add underlayer disk bio to
+current->bio_list
+4. __make_request(bio2), wait_barrer
+
+If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
+raise_barrier waits for IO completion from 3. And since raise_barrier
+sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
+dispatched because raid10_make_request() doesn't finished yet.
+
+The solution is to adjust the IO ordering. Quotes from Neil:
+"
+It is much safer to:
+
+    if (need to split) {
+        split = bio_split(bio, ...)
+        bio_chain(...)
+        make_request_fn(split);
+        generic_make_request(bio);
+   } else
+        make_request_fn(mddev, bio);
+
+This way we first process the initial section of the bio (in 'split')
+which will queue some requests to the underlying devices.  These
+requests will be queued in generic_make_request.
+Then we queue the remainder of the bio, which will be added to the end
+of the generic_make_request queue.
+Then we return.
+generic_make_request() will pop the lower-level device requests off the
+queue and handle them first.  Then it will process the remainder
+of the original bio once the first section has been fully processed.
+"
+
+Note, this only happens in read path. In write path, the bio is flushed to
+underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
+It's queued in current->bio_list.
+
+Cc: Coly Li <colyli@suse.de>
+Suggested-by: NeilBrown <neilb@suse.com>
+Reviewed-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid10.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1578,7 +1578,25 @@ static void make_request(struct mddev *m
+                       split = bio;
+               }
++              /*
++               * If a bio is splitted, the first part of bio will pass
++               * barrier but the bio is queued in current->bio_list (see
++               * generic_make_request). If there is a raise_barrier() called
++               * here, the second part of bio can't pass barrier. But since
++               * the first part bio isn't dispatched to underlaying disks
++               * yet, the barrier is never released, hence raise_barrier will
++               * alays wait. We have a deadlock.
++               * Note, this only happens in read path. For write path, the
++               * first part of bio is dispatched in a schedule() call
++               * (because of blk plug) or offloaded to raid10d.
++               * Quitting from the function immediately can change the bio
++               * order queued in bio_list and avoid the deadlock.
++               */
+               __make_request(mddev, split);
++              if (split != bio && bio_data_dir(bio) == READ) {
++                      generic_make_request(bio);
++                      break;
++              }
+       } while (split != bio);
+       /* In case raid10d snuck in to freeze_array */
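Review bot: The block comment added above `__make_request(mddev, split)` carries an intricate ordering argument, but its typos make it harder to follow: `splitted` should be `split`, `underlaying` should be `underlying`, and `alays` should be `always`. Its last sentence would be clearer if it named the action taken, for example `Submitting the remainder via generic_make_request() and leaving the loop queues it behind the lower-level bios, which avoids the deadlock.` The subject says raid1/10 while the diffstat touches only drivers/md/raid10.c, which deserves a line in the backport description. make_request() starts and ends outside the hunk.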
diff --git a/queue-3.18/mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch b/queue-3.18/mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch
new file mode 100644 (file)
index 0000000..334f572
--- /dev/null
@@ -0,0 +1,44 @@
+From e2ebfb2142acefecc2496e71360f50d25726040b Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 20 Mar 2017 19:50:29 +0200
+Subject: mmc: sdhci: Do not disable interrupts while waiting for clock
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit e2ebfb2142acefecc2496e71360f50d25726040b upstream.
+
+Disabling interrupts for even a millisecond can cause problems for some
+devices. That can happen when sdhci changes clock frequency because it
+waits for the clock to become stable under a spin lock.
+
+The spin lock is not necessary here. Anything that is racing with changes
+to the I/O state is already broken. The mmc core already provides
+synchronization via "claiming" the host.
+
+Although the spin lock probably should be removed from the code paths that
+lead to this point, such a patch would touch too much code to be suitable
+for stable trees. Consequently, for this patch, just drop the spin lock
+while waiting.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1232,7 +1232,9 @@ clock_set:
+                       return;
+               }
+               timeout--;
+-              mdelay(1);
++              spin_unlock_irq(&host->lock);
++              usleep_range(900, 1100);
++              spin_lock_irq(&host->lock);
+       }
+       clk |= SDHCI_CLOCK_CARD_EN;
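Review bot: The new `spin_unlock_irq(&host->lock)` / `spin_lock_irq(&host->lock)` pair around `usleep_range(900, 1100)` is only correct if every caller reaches this wait loop in process context, holding host->lock, with interrupts enabled before the lock was taken. spin_unlock_irq() re-enables interrupts unconditionally, so a caller that arrives without the lock or from atomic context would get an unbalanced unlock or a sleep-in-atomic splat. The callers are outside the hunk and need to be audited in the 3.18 tree, as this is a backport. State read before the loop can also change while the lock is dropped. I would document the contract next to the unlock, e.g. `/* host->lock is dropped while sleeping: callers must be sleepable and must hold the lock taken with IRQs enabled */`.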
diff --git a/queue-3.18/mmc-ushc-fix-null-deref-at-probe.patch b/queue-3.18/mmc-ushc-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..ca5b219
--- /dev/null
@@ -0,0 +1,34 @@
+From 181302dc7239add8ab1449c23ecab193f52ee6ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:40:22 +0100
+Subject: mmc: ushc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver")
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/ushc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/ushc.c
++++ b/drivers/mmc/host/ushc.c
+@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interfa
+       struct ushc_data *ushc;
+       int ret;
++      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev);
+       if (mmc == NULL)
+               return -ENOMEM;
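Review bot: The `bNumEndpoints < 1` test in ushc_probe() stops the NULL dereference but only counts endpoints; it does not confirm that the first endpoint has the type and direction the driver goes on to assume. The code that consumes the endpoint is outside the hunk, so this is inferred. If it treats `endpoint[0]` as an interrupt IN endpoint, the probe should reject a descriptor that says otherwise, for example `if (!usb_endpoint_is_int_in(&intf->cur_altsetting->endpoint[0].desc)) return -ENODEV;`. Device-supplied descriptors are untrusted input, and a count check alone leaves a mismatched endpoint type to be handled later by the URB submission path.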
diff --git a/queue-3.18/net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch b/queue-3.18/net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch
new file mode 100644 (file)
index 0000000..a4cd9f9
--- /dev/null
@@ -0,0 +1,43 @@
+From 5371bbf4b295eea334ed453efa286afa2c3ccff3 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 15 Mar 2017 12:57:21 -0700
+Subject: net: bcmgenet: Do not suspend PHY if Wake-on-LAN is enabled
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 5371bbf4b295eea334ed453efa286afa2c3ccff3 upstream.
+
+Suspending the PHY would be putting it in a low power state where it
+may no longer allow us to do Wake-on-LAN.
+
+Fixes: cc013fb48898 ("net: bcmgenet: correctly suspend and resume PHY device")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2695,7 +2695,8 @@ static int bcmgenet_suspend(struct devic
+       bcmgenet_netif_stop(dev);
+-      phy_suspend(priv->phydev);
++      if (!device_may_wakeup(d))
++              phy_suspend(priv->phydev);
+       netif_device_detach(dev);
+@@ -2784,7 +2785,8 @@ static int bcmgenet_resume(struct device
+       netif_device_attach(dev);
+-      phy_resume(priv->phydev);
++      if (!device_may_wakeup(d))
++              phy_resume(priv->phydev);
+       bcmgenet_netif_start(dev);
diff --git a/queue-3.18/net-mlx5-increase-number-of-max-qps-in-default-profile.patch b/queue-3.18/net-mlx5-increase-number-of-max-qps-in-default-profile.patch
new file mode 100644 (file)
index 0000000..fdc4a93
--- /dev/null
@@ -0,0 +1,34 @@
+From 5f40b4ed975c26016cf41953b7510fe90718e21c Mon Sep 17 00:00:00 2001
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Tue, 21 Mar 2017 15:59:17 +0200
+Subject: net/mlx5: Increase number of max QPs in default profile
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+commit 5f40b4ed975c26016cf41953b7510fe90718e21c upstream.
+
+With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
+limit preventing some applications to allocate needed QPs amount.
+Double the size to 256K.
+
+Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -86,7 +86,7 @@ static struct mlx5_profile profile[] = {
+       [2] = {
+               .mask           = MLX5_PROF_MASK_QP_SIZE |
+                                 MLX5_PROF_MASK_MR_CACHE,
+-              .log_max_qp     = 17,
++              .log_max_qp     = 18,
+               .mr_cache[0]    = {
+                       .size   = 500,
+                       .limit  = 250
diff --git a/queue-3.18/net-properly-release-sk_frag.page.patch b/queue-3.18/net-properly-release-sk_frag.page.patch
new file mode 100644 (file)
index 0000000..017c2a4
--- /dev/null
@@ -0,0 +1,52 @@
+From 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 15 Mar 2017 13:21:28 -0700
+Subject: net: properly release sk_frag.page
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 upstream.
+
+I mistakenly added the code to release sk->sk_frag in
+sk_common_release() instead of sk_destruct()
+
+TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
+sk_common_release() at close time, thus leaking one (order-3) page.
+
+iSCSI is using such sockets.
+
+Fixes: 5640f7685831 ("net: use a per task frag allocator")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/sock.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1420,6 +1420,11 @@ static void __sk_free(struct sock *sk)
+               pr_debug("%s: optmem leakage (%d bytes) detected\n",
+                        __func__, atomic_read(&sk->sk_omem_alloc));
++      if (sk->sk_frag.page) {
++              put_page(sk->sk_frag.page);
++              sk->sk_frag.page = NULL;
++      }
++
+       if (sk->sk_peer_cred)
+               put_cred(sk->sk_peer_cred);
+       put_pid(sk->sk_peer_pid);
+@@ -2598,11 +2603,6 @@ void sk_common_release(struct sock *sk)
+       sk_refcnt_debug_release(sk);
+-      if (sk->sk_frag.page) {
+-              put_page(sk->sk_frag.page);
+-              sk->sk_frag.page = NULL;
+-      }
+-
+       sock_put(sk);
+ }
+ EXPORT_SYMBOL(sk_common_release);
diff --git a/queue-3.18/net-sched-actions-decrement-module-reference-count-after-table-flush.patch b/queue-3.18/net-sched-actions-decrement-module-reference-count-after-table-flush.patch
new file mode 100644 (file)
index 0000000..2b73306
--- /dev/null
@@ -0,0 +1,94 @@
+From edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 Mon Sep 17 00:00:00 2001
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Fri, 24 Feb 2017 11:00:32 -0500
+Subject: net sched actions: decrement module reference count after table flush.
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 upstream.
+
+When tc actions are loaded as a module and no actions have been installed,
+flushing them would result in actions removed from the memory, but modules
+reference count not being decremented, so that the modules would not be
+unloaded.
+
+Following is example with GACT action:
+
+% sudo modprobe act_gact
+% lsmod
+Module                  Size  Used by
+act_gact               16384  0
+%
+% sudo tc actions ls action gact
+%
+% sudo tc actions flush action gact
+% lsmod
+Module                  Size  Used by
+act_gact               16384  1
+% sudo tc actions flush action gact
+% lsmod
+Module                  Size  Used by
+act_gact               16384  2
+% sudo rmmod act_gact
+rmmod: ERROR: Module act_gact is in use
+....
+
+After the fix:
+% lsmod
+Module                  Size  Used by
+act_gact               16384  0
+%
+% sudo tc actions add action pass index 1
+% sudo tc actions add action pass index 2
+% sudo tc actions add action pass index 3
+% lsmod
+Module                  Size  Used by
+act_gact               16384  3
+%
+% sudo tc actions flush action gact
+% lsmod
+Module                  Size  Used by
+act_gact               16384  0
+%
+% sudo tc actions flush action gact
+% lsmod
+Module                  Size  Used by
+act_gact               16384  0
+% sudo rmmod act_gact
+% lsmod
+Module                  Size  Used by
+%
+
+Fixes: f97017cdefef ("net-sched: Fix actions flushing")
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/act_api.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -801,10 +801,8 @@ static int tca_action_flush(struct net *
+               goto out_module_put;
+       err = a.ops->walk(skb, &dcb, RTM_DELACTION, &a);
+-      if (err < 0)
++      if (err <= 0)
+               goto out_module_put;
+-      if (err == 0)
+-              goto noflush_out;
+       nla_nest_end(skb, nest);
+@@ -821,7 +819,6 @@ static int tca_action_flush(struct net *
+ out_module_put:
+       module_put(a.ops->owner);
+ err_out:
+-noflush_out:
+       kfree_skb(skb);
+       return err;
+ }
diff --git a/queue-3.18/net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch b/queue-3.18/net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch
new file mode 100644 (file)
index 0000000..b408098
--- /dev/null
@@ -0,0 +1,112 @@
+From 7df9c24625b9981779afb8fcdbe2bb4765e61147 Mon Sep 17 00:00:00 2001
+From: Andrey Ulanov <andreyu@google.com>
+Date: Tue, 14 Mar 2017 20:16:42 -0700
+Subject: net: unix: properly re-increment inflight counter of GC discarded candidates
+
+From: Andrey Ulanov <andreyu@google.com>
+
+commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 upstream.
+
+Dmitry has reported that a BUG_ON() condition in unix_notinflight()
+may be triggered by a simple code that forwards unix socket in an
+SCM_RIGHTS message.
+That is caused by incorrect unix socket GC implementation in unix_gc().
+
+The GC first collects list of candidates, then (a) decrements their
+"children's" inflight counter, (b) checks which inflight counters are
+now 0, and then (c) increments all inflight counters back.
+(a) and (c) are done by calling scan_children() with inc_inflight or
+dec_inflight as the second argument.
+
+Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
+collector") changed scan_children() such that it no longer considers
+sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
+of code that that unsets this flag _before_ invoking
+scan_children(, dec_iflight, ). This may lead to incorrect inflight
+counters for some sockets.
+
+This change fixes this bug by changing order of operations:
+UNIX_GC_CANDIDATE is now unset only after all inflight counters are
+restored to the original state.
+
+  kernel BUG at net/unix/garbage.c:149!
+  RIP: 0010:[<ffffffff8717ebf4>]  [<ffffffff8717ebf4>]
+  unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
+  Call Trace:
+   [<ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
+   [<ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
+   [<ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
+   [<ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
+   [<ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
+   [<ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
+   [<ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
+   [<ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
+   [<ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
+   [<ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
+   [<ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
+   [<ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
+   [<ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
+   [<     inline     >] exit_task_work include/linux/task_work.h:21
+   [<ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
+   [<ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
+   [<ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
+   [<ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
+   [<ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
+  arch/x86/entry/common.c:156
+   [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
+   [<ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
+  arch/x86/entry/common.c:259
+   [<ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
+
+Link: https://lkml.org/lkml/2017/3/6/252
+Signed-off-by: Andrey Ulanov <andreyu@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/unix/garbage.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -152,6 +152,7 @@ void unix_notinflight(struct file *fp)
+       if (s) {
+               struct unix_sock *u = unix_sk(s);
++              BUG_ON(!atomic_long_read(&u->inflight));
+               BUG_ON(list_empty(&u->link));
+               if (atomic_long_dec_and_test(&u->inflight))
+                       list_del_init(&u->link);
+@@ -358,6 +359,14 @@ void unix_gc(void)
+       }
+       list_del(&cursor);
++      /* Now gc_candidates contains only garbage.  Restore original
++       * inflight counters for these as well, and remove the skbuffs
++       * which are creating the cycle(s).
++       */
++      skb_queue_head_init(&hitlist);
++      list_for_each_entry(u, &gc_candidates, link)
++              scan_children(&u->sk, inc_inflight, &hitlist);
++
+       /*
+        * not_cycle_list contains those sockets which do not make up a
+        * cycle.  Restore these to the inflight list.
+@@ -368,15 +377,6 @@ void unix_gc(void)
+               list_move_tail(&u->link, &gc_inflight_list);
+       }
+-      /*
+-       * Now gc_candidates contains only garbage.  Restore original
+-       * inflight counters for these as well, and remove the skbuffs
+-       * which are creating the cycle(s).
+-       */
+-      skb_queue_head_init(&hitlist);
+-      list_for_each_entry(u, &gc_candidates, link)
+-      scan_children(&u->sk, inc_inflight, &hitlist);
+-
+       spin_unlock(&unix_gc_lock);
+       /* Here we are. Hitlist is filled. Die. */
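Review bot: The added `BUG_ON(!atomic_long_read(&u->inflight))` in unix_notinflight() is on a path that the commit message describes as reachable from ordinary SCM_RIGHTS forwarding, so any future accounting slip becomes a full kernel stop instead of a logged warning. The invariant it asserts is also not stated anywhere near it. A one-line comment such as `/* every unix_notinflight() must pair with an earlier unix_inflight(), so the count cannot be zero here */` would record why the check holds. Whether a `WARN_ON_ONCE()` with an early return is acceptable for this file is a maintainer call, but it is worth raising for a stable backport. The reordered `scan_children(&u->sk, inc_inflight, &hitlist)` loop in unix_gc() also fixes the indentation of the removed version, which is good.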
diff --git a/queue-3.18/percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch b/queue-3.18/percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch
new file mode 100644 (file)
index 0000000..2e6060e
--- /dev/null
@@ -0,0 +1,37 @@
+From 320661b08dd6f1746d5c7ab4eb435ec64b97cd45 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Sat, 25 Feb 2017 13:00:19 -0800
+Subject: percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+commit 320661b08dd6f1746d5c7ab4eb435ec64b97cd45 upstream.
+
+Update to pcpu_nr_empty_pop_pages in pcpu_alloc() is currently done
+without holding pcpu_lock. This can lead to bad updates to the variable.
+Add missing lock calls.
+
+Fixes: b539b87fed37 ("percpu: implmeent pcpu_nr_empty_pop_pages and chunk->nr_populated")
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/percpu.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1012,8 +1012,11 @@ area_found:
+               mutex_unlock(&pcpu_alloc_mutex);
+       }
+-      if (chunk != pcpu_reserved_chunk)
++      if (chunk != pcpu_reserved_chunk) {
++              spin_lock_irqsave(&pcpu_lock, flags);
+               pcpu_nr_empty_pop_pages -= occ_pages;
++              spin_unlock_irqrestore(&pcpu_lock, flags);
++      }
+       if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW)
+               pcpu_schedule_balance_work();
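Review bot: The read in `if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW)` directly after the new locked section is still performed without pcpu_lock, so the patch serialises the update but not the check that follows it. That is probably harmless because the value only decides whether to schedule balance work, but the asymmetry should be stated so nobody later assumes the variable is always accessed under the lock, e.g. `/* unlocked read is fine: a stale value only shifts when balance work is scheduled */`. The new lines also depend on a `flags` variable declared outside the hunk; the enclosing function starts and ends outside it as well.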
diff --git a/queue-3.18/perf-core-fix-event-inheritance-on-fork.patch b/queue-3.18/perf-core-fix-event-inheritance-on-fork.patch
new file mode 100644 (file)
index 0000000..9cef716
--- /dev/null
@@ -0,0 +1,66 @@
+From e7cc4865f0f31698ef2f7aac01a50e78968985b7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 16 Mar 2017 13:47:49 +0100
+Subject: perf/core: Fix event inheritance on fork()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit e7cc4865f0f31698ef2f7aac01a50e78968985b7 upstream.
+
+While hunting for clues to a use-after-free, Oleg spotted that
+perf_event_init_context() can loose an error value with the result
+that fork() can succeed even though we did not fully inherit the perf
+event context.
+
+Spotted-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: oleg@redhat.com
+Fixes: 889ff0150661 ("perf/core: Split context's event group list into pinned and non-pinned lists")
+Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8058,7 +8058,7 @@ static int perf_event_init_context(struc
+               ret = inherit_task_group(event, parent, parent_ctx,
+                                        child, ctxn, &inherited_all);
+               if (ret)
+-                      break;
++                      goto out_unlock;
+       }
+       /*
+@@ -8074,7 +8074,7 @@ static int perf_event_init_context(struc
+               ret = inherit_task_group(event, parent, parent_ctx,
+                                        child, ctxn, &inherited_all);
+               if (ret)
+-                      break;
++                      goto out_unlock;
+       }
+       raw_spin_lock_irqsave(&parent_ctx->lock, flags);
+@@ -8102,6 +8102,7 @@ static int perf_event_init_context(struc
+       }
+       raw_spin_unlock_irqrestore(&parent_ctx->lock, flags);
++out_unlock:
+       mutex_unlock(&parent_ctx->mutex);
+       perf_unpin_context(parent_ctx);
diff --git a/queue-3.18/serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch b/queue-3.18/serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch
new file mode 100644 (file)
index 0000000..655187f
--- /dev/null
@@ -0,0 +1,104 @@
+From f209fa03fc9d131b3108c2e4936181eabab87416 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Date: Mon, 28 Nov 2016 19:34:42 -0200
+Subject: serial: 8250_pci: Detach low-level driver during PCI error recovery
+
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+
+commit f209fa03fc9d131b3108c2e4936181eabab87416 upstream.
+
+During a PCI error recovery, like the ones provoked by EEH in the ppc64
+platform, all IO to the device must be blocked while the recovery is
+completed.  Current 8250_pci implementation only suspends the port
+instead of detaching it, which doesn't prevent incoming accesses like
+TIOCMGET and TIOCMSET calls from reaching the device.  Those end up
+racing with the EEH recovery, crashing it.  Similar races were also
+observed when opening the device and when shutting it down during
+recovery.
+
+This patch implements a more robust IO blockage for the 8250_pci
+recovery by unregistering the port at the beginning of the procedure and
+re-adding it afterwards.  Since the port is detached from the uart
+layer, we can be sure that no request will make through to the device
+during recovery.  This is similar to the solution used by the JSM serial
+driver.
+
+I thank Peter Hurley <peter@hurleysoftware.com> for valuable input on
+this one over one year ago.
+
+Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c |   23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -56,6 +56,7 @@ struct serial_private {
+       unsigned int            nr;
+       void __iomem            *remapped_bar[PCI_NUM_BAR_RESOURCES];
+       struct pci_serial_quirk *quirk;
++      const struct pciserial_board *board;
+       int                     line[0];
+ };
+@@ -3868,6 +3869,7 @@ pciserial_init_ports(struct pci_dev *dev
+               }
+       }
+       priv->nr = i;
++      priv->board = board;
+       return priv;
+ err_deinit:
+@@ -3878,7 +3880,7 @@ err_out:
+ }
+ EXPORT_SYMBOL_GPL(pciserial_init_ports);
+-void pciserial_remove_ports(struct serial_private *priv)
++void pciserial_detach_ports(struct serial_private *priv)
+ {
+       struct pci_serial_quirk *quirk;
+       int i;
+@@ -3898,7 +3900,11 @@ void pciserial_remove_ports(struct seria
+       quirk = find_quirk(priv->dev);
+       if (quirk->exit)
+               quirk->exit(priv->dev);
++}
++void pciserial_remove_ports(struct serial_private *priv)
++{
++      pciserial_detach_ports(priv);
+       kfree(priv);
+ }
+ EXPORT_SYMBOL_GPL(pciserial_remove_ports);
+@@ -5505,7 +5511,7 @@ static pci_ers_result_t serial8250_io_er
+               return PCI_ERS_RESULT_DISCONNECT;
+       if (priv)
+-              pciserial_suspend_ports(priv);
++              pciserial_detach_ports(priv);
+       pci_disable_device(dev);
+@@ -5530,9 +5536,18 @@ static pci_ers_result_t serial8250_io_sl
+ static void serial8250_io_resume(struct pci_dev *dev)
+ {
+       struct serial_private *priv = pci_get_drvdata(dev);
++      const struct pciserial_board *board;
+-      if (priv)
+-              pciserial_resume_ports(priv);
++      if (!priv)
++              return;
++
++      board = priv->board;
++      kfree(priv);
++      priv = pciserial_init_ports(dev, board);
++
++      if (!IS_ERR(priv)) {
++              pci_set_drvdata(dev, priv);
++      }
+ }
+ static const struct pci_error_handlers serial8250_err_handler = {
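Review bot: In serial8250_io_resume() the old `priv` is freed before `pciserial_init_ports(dev, board)` runs, and drvdata is only rewritten when that call succeeds. On failure `pci_get_drvdata(dev)` therefore keeps returning the freed pointer, and a later remove or a second error-recovery pass would operate on freed memory. Clearing it right after the free, `pci_set_drvdata(dev, NULL);` following `kfree(priv);`, closes that window. The recovery handlers in this hunk already test `priv` for NULL, but the remove path is outside the hunk and must tolerate a NULL drvdata for this to be safe. Separately, `pciserial_detach_ports()` is added without `static` and without an export, so it should be `static` if 8250_pci.c is its only user.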
index 56a9e951bfd09a7cd721140fbf1daff846704cba..a20b93f256cd81d54c19ab21e5076362539a57e7 100644 (file)
@@ -63,3 +63,45 @@ catc-combine-failure-cleanup-code-in-catc_probe.patch
 catc-use-heap-buffer-for-memory-size-test.patch
 net-ipv6-check-route-protocol-when-deleting-routes.patch
 sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
+net-sched-actions-decrement-module-reference-count-after-table-flush.patch
+kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch
+kvm-x86-clear-bus-pointer-when-destroyed.patch
+kvm-kvm_io_bus_unregister_dev-should-never-fail.patch
+arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
+perf-core-fix-event-inheritance-on-fork.patch
+md-raid1-10-fix-potential-deadlock.patch
+target-fix-verify_16-handling-in-sbc_parse_cdb.patch
+isdn-gigaset-fix-null-deref-at-probe.patch
+percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch
+ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch
+input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
+input-iforce-validate-number-of-endpoints-before-using-them.patch
+input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
+input-hanwang-validate-number-of-endpoints-before-using-them.patch
+input-yealink-validate-number-of-endpoints-before-using-them.patch
+input-cm109-validate-number-of-endpoints-before-using-them.patch
+input-kbtab-validate-number-of-endpoints-before-using-them.patch
+input-sur40-validate-number-of-endpoints-before-using-them.patch
+acm-gadget-fix-endianness-in-notifications.patch
+net-mlx5-increase-number-of-max-qps-in-default-profile.patch
+net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch
+net-properly-release-sk_frag.page.patch
+net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch
+socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch
+tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
+mmc-ushc-fix-null-deref-at-probe.patch
+uwb-hwa-rc-fix-null-deref-at-probe.patch
+uwb-i1480-dfu-fix-null-deref-at-probe.patch
+usb-usbtmc-add-missing-endpoint-sanity-check.patch
+iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch
+ext4-mark-inode-dirty-after-converting-inline-directory.patch
+mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch
+iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch
+igb-workaround-for-igb-i210-firmware-issue.patch
+igb-add-i211-to-i210-phy-workaround.patch
+xfs-don-t-allow-di_size-with-high-bit-set.patch
+xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch
+xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch
+acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch
+acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch
+serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch
diff --git a/queue-3.18/socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch b/queue-3.18/socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch
new file mode 100644 (file)
index 0000000..827de87
--- /dev/null
@@ -0,0 +1,65 @@
+From 95aa915c2f04c27bb3935c8b9446435f40f17f9d Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 22 Mar 2017 13:08:08 +0100
+Subject: socket, bpf: fix sk_filter use after free in sk_clone_lock
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 95aa915c2f04c27bb3935c8b9446435f40f17f9d upstream.
+
+In sk_clone_lock(), we create a new socket and inherit most of the
+parent's members via sock_copy() which memcpy()'s various sections.
+Now, in case the parent socket had a BPF socket filter attached,
+then newsk->sk_filter points to the same instance as the original
+sk->sk_filter.
+
+sk_filter_charge() is then called on the newsk->sk_filter to take a
+reference and should that fail due to hitting max optmem, we bail
+out and release the newsk instance.
+
+The issue is that commit 278571baca2a ("net: filter: simplify socket
+charging") wrongly combined the dismantle path with the failure path
+of xfrm_sk_clone_policy(). This means, even when charging failed, we
+call sk_free_unlock_clone() on the newsk, which then still points to
+the same sk_filter as the original sk.
+
+Thus, sk_free_unlock_clone() calls into __sk_destruct() eventually
+where it tests for present sk_filter and calls sk_filter_uncharge()
+on it, which potentially lets sk_omem_alloc wrap around and releases
+the eBPF prog and sk_filter structure from the (still intact) parent.
+
+Fix it by making sure that when sk_filter_charge() failed, we reset
+newsk->sk_filter back to NULL before passing to sk_free_unlock_clone(),
+so that we don't mess with the parents sk_filter.
+
+Only if xfrm_sk_clone_policy() fails, we did reach the point where
+either the parent's filter was NULL and as a result newsk's as well
+or where we previously had a successful sk_filter_charge(), thus for
+that case, we do need sk_filter_uncharge() to release the prior taken
+reference on sk_filter.
+
+Fixes: 278571baca2a ("net: filter: simplify socket charging")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/sock.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1529,6 +1529,12 @@ struct sock *sk_clone_lock(const struct
+                       is_charged = sk_filter_charge(newsk, filter);
+               if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk))) {
++                      /* We need to make sure that we don't uncharge the new
++                       * socket if we couldn't charge it in the first place
++                       * as otherwise we uncharge the parent's filter.
++                       */
++                      if (!is_charged)
++                              RCU_INIT_POINTER(newsk->sk_filter, NULL);
+                       /* It is still raw copy of parent, so invalidate
+                        * destructor and make plain sk_free() */
+                       newsk->sk_destruct = NULL;
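Review bot: The added comment in sk_clone_lock() says what must not happen but not why the pointer is unsafe. At this point `newsk->sk_filter` is still the parent's pointer copied by sock_copy(), with no reference taken for the clone. I would word it as `/* newsk->sk_filter still aliases the parent's filter and holds no reference of its own; clear it so teardown cannot uncharge or free the parent's filter */`. The commit message also names sk_free_unlock_clone(), while the context lines here show an inline teardown ("make plain sk_free()"), so the description appears to be written for a newer tree and a short backport remark would help. The function body starts and continues outside the hunk.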
diff --git a/queue-3.18/target-fix-verify_16-handling-in-sbc_parse_cdb.patch b/queue-3.18/target-fix-verify_16-handling-in-sbc_parse_cdb.patch
new file mode 100644 (file)
index 0000000..5282d25
--- /dev/null
@@ -0,0 +1,46 @@
+From 13603685c1f12c67a7a2427f00b63f39a2b6f7c9 Mon Sep 17 00:00:00 2001
+From: Max Lohrmann <post@wickenrode.com>
+Date: Tue, 7 Mar 2017 22:09:56 -0800
+Subject: target: Fix VERIFY_16 handling in sbc_parse_cdb
+
+From: Max Lohrmann <post@wickenrode.com>
+
+commit 13603685c1f12c67a7a2427f00b63f39a2b6f7c9 upstream.
+
+As reported by Max, the Windows 2008 R2 chkdsk utility expects
+VERIFY_16 to be supported, and does not handle the returned
+CHECK_CONDITION properly, resulting in an infinite loop.
+
+The kernel will log huge amounts of this error:
+
+kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
+CHECK_CONDITION.
+
+Signed-off-by: Max Lohrmann <post@wickenrode.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_sbc.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -946,9 +946,15 @@ sbc_parse_cdb(struct se_cmd *cmd, struct
+                       return ret;
+               break;
+       case VERIFY:
++      case VERIFY_16:
+               size = 0;
+-              sectors = transport_get_sectors_10(cdb);
+-              cmd->t_task_lba = transport_lba_32(cdb);
++              if (cdb[0] == VERIFY) {
++                      sectors = transport_get_sectors_10(cdb);
++                      cmd->t_task_lba = transport_lba_32(cdb);
++              } else {
++                      sectors = transport_get_sectors_16(cdb);
++                      cmd->t_task_lba = transport_lba_64(cdb);
++              }
+               cmd->execute_cmd = sbc_emulate_noop;
+               goto check_lba;
+       case REZERO_UNIT:
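Review bot: Sharing one case body for `VERIFY` and `VERIFY_16` and then re-testing `cdb[0] == VERIFY` makes the opcode dispatch happen twice, and nothing says why the two can share a handler. A comment above the labels would document it, for example `/* VERIFY(10)/(16) differ only in LBA and length field width; both are range-checked and then completed as no-ops */`. Both opcodes are routed to `sbc_emulate_noop` with `size = 0`, so no comparison against the medium is performed whatever the CDB requests. If that is intentional for the 16-byte form as well, the comment should say so. sbc_parse_cdb() starts and ends outside the hunk.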
diff --git a/queue-3.18/tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch b/queue-3.18/tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
new file mode 100644 (file)
index 0000000..0b915a2
--- /dev/null
@@ -0,0 +1,55 @@
+From 15bb7745e94a665caf42bfaabf0ce062845b533b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 22 Mar 2017 08:10:21 -0700
+Subject: tcp: initialize icsk_ack.lrcvtime at session start time
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 15bb7745e94a665caf42bfaabf0ce062845b533b upstream.
+
+icsk_ack.lrcvtime has a 0 value at socket creation time.
+
+tcpi_last_data_recv can have bogus value if no payload is ever received.
+
+This patch initializes icsk_ack.lrcvtime for active sessions
+in tcp_finish_connect(), and for passive sessions in
+tcp_create_openreq_child()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp_input.c     |    2 +-
+ net/ipv4/tcp_minisocks.c |    1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5293,6 +5293,7 @@ void tcp_finish_connect(struct sock *sk,
+       struct inet_connection_sock *icsk = inet_csk(sk);
+       tcp_set_state(sk, TCP_ESTABLISHED);
++      icsk->icsk_ack.lrcvtime = tcp_time_stamp;
+       if (skb != NULL) {
+               icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
+@@ -5496,7 +5497,6 @@ static int tcp_rcv_synsent_state_process
+                        * to stand against the temptation 8)     --ANK
+                        */
+                       inet_csk_schedule_ack(sk);
+-                      icsk->icsk_ack.lrcvtime = tcp_time_stamp;
+                       tcp_enter_quickack_mode(sk);
+                       inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
+                                                 TCP_DELACK_MAX, TCP_RTO_MAX);
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -432,6 +432,7 @@ struct sock *tcp_create_openreq_child(st
+               newtp->srtt_us = 0;
+               newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
+               newicsk->icsk_rto = TCP_TIMEOUT_INIT;
++              newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
+               newtp->packets_out = 0;
+               newtp->retrans_out = 0;
diff --git a/queue-3.18/usb-usbtmc-add-missing-endpoint-sanity-check.patch b/queue-3.18/usb-usbtmc-add-missing-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..958f177
--- /dev/null
@@ -0,0 +1,56 @@
+From f154de03f4167664808b002495a877dbe91dd798 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Mar 2017 17:55:45 +0100
+Subject: USB: usbtmc: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream.
+
+USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
+but the driver failed to verify this, something which could lead to the
+endpoint addresses being taken from uninitialised memory.
+
+Make sure to zero all private data as part of allocation, and add the
+missing endpoint sanity check.
+
+Note that this also addresses a more recently introduced issue, where
+the interrupt-in-presence flag would also be uninitialised whenever the
+optional interrupt-in endpoint is not present. This in turn could lead
+to an interrupt urb being allocated, initialised and submitted based on
+uninitialised values.
+
+Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
+Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[ johan: backport to v4.4 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/usbtmc.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1164,6 +1164,12 @@ static int usbtmc_probe(struct usb_inter
+               }
+       }
++      if (!data->bulk_out || !data->bulk_in) {
++              dev_err(&intf->dev, "bulk endpoints not found\n");
++              retcode = -ENODEV;
++              goto err_put;
++      }
++
+       retcode = get_capabilities(data);
+       if (retcode)
+               dev_err(&intf->dev, "can't read capabilities\n");
+@@ -1187,6 +1193,7 @@ static int usbtmc_probe(struct usb_inter
+ error_register:
+       sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
+       sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
++err_put:
+       kref_put(&data->kref, usbtmc_delete);
+       return retcode;
+ }
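Review bot: The new `if (!data->bulk_out || !data->bulk_in)` test in usbtmc_probe() is only reliable if `data` was zeroed when it was allocated, and that allocation is not part of this backport. The commit message says private data is zeroed "as part of allocation", but the diffstat shows 7 insertions and no deletions, so no allocator change is included here. Presumably this tree already uses a zeroing allocator, which should be confirmed. Otherwise a device without bulk endpoints leaves both fields uninitialised and the check can pass on stale values. A one-line remark in the backport note, such as `[ allocation already zeroed in this tree, kzalloc change dropped ]`, would make the dependency explicit. The function starts outside the hunk.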
diff --git a/queue-3.18/uwb-hwa-rc-fix-null-deref-at-probe.patch b/queue-3.18/uwb-hwa-rc-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..faa92f9
--- /dev/null
@@ -0,0 +1,37 @@
+From daf229b15907fbfdb6ee183aac8ca428cb57e361 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:52 +0100
+Subject: uwb: hwa-rc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the start callback which is called
+during probe.
+
+Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uwb/hwa-rc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interf
+       struct hwarc *hwarc;
+       struct device *dev = &iface->dev;
++      if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       result = -ENOMEM;
+       uwb_rc = uwb_rc_alloc();
+       if (uwb_rc == NULL) {
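Review bot: The guard `bNumEndpoints < 1` in hwarc_probe() validates only the endpoint count, not what endpoint 0 is. The identical check added to i1480_usb_probe() in the next patch has the same limitation. The callbacks that dereference the endpoint are outside both hunks, so the type they expect cannot be confirmed from here. If they assume an interrupt-in endpoint, a device presenting one endpoint of another type still passes this check. In that case the guard could be extended with `usb_endpoint_is_int_in(&iface->cur_altsetting->endpoint[0].desc)`, or a comment should state that only the NULL dereference is being addressed.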
diff --git a/queue-3.18/uwb-i1480-dfu-fix-null-deref-at-probe.patch b/queue-3.18/uwb-i1480-dfu-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..297901e
--- /dev/null
@@ -0,0 +1,37 @@
+From 4ce362711d78a4999011add3115b8f4b0bc25e8c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:53 +0100
+Subject: uwb: i1480-dfu: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the cmd and wait_init_done
+callbacks which are called during probe.
+
+Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uwb/i1480/dfu/usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/i1480/dfu/usb.c
++++ b/drivers/uwb/i1480/dfu/usb.c
+@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface
+                                result);
+       }
++      if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       result = -ENOMEM;
+       i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
+       if (i1480_usb == NULL) {
diff --git a/queue-3.18/xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch b/queue-3.18/xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch
new file mode 100644 (file)
index 0000000..fd97559
--- /dev/null
@@ -0,0 +1,45 @@
+From 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Wed, 25 Jan 2017 20:24:57 -0800
+Subject: xfs: clear _XBF_PAGES from buffers when readahead page
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream.
+
+If we try to allocate memory pages to back an xfs_buf that we're trying
+to read, it's possible that we'll be so short on memory that the page
+allocation fails.  For a blocking read we'll just wait, but for
+readahead we simply dump all the pages we've collected so far.
+
+Unfortunately, after dumping the pages we neglect to clear the
+_XBF_PAGES state, which means that the subsequent call to xfs_buf_free
+thinks that b_pages still points to pages we own.  It then double-frees
+the b_pages pages.
+
+This results in screaming about negative page refcounts from the memory
+manager, which xfs oughtn't be triggering.  To reproduce this case,
+mount a filesystem where the size of the inodes far outweighs the
+availalble memory (a ~500M inode filesystem on a VM with 300MB memory
+did the trick here) and run bulkstat in parallel with other memory
+eating processes to put a huge load on the system.  The "check summary"
+phase of xfs_scrub also works for this purpose.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_buf.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -376,6 +376,7 @@ retry:
+ out_free_pages:
+       for (i = 0; i < bp->b_page_count; i++)
+               __free_page(bp->b_pages[i]);
++      bp->b_flags &= ~_XBF_PAGES;
+       return error;
+ }
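Review bot: The added `bp->b_flags &= ~_XBF_PAGES;` in the `out_free_pages` path has no comment, and its purpose is not evident from the line itself. The reason, per the commit message, is that a later xfs_buf_free() treats the flag as proof that `b_pages` still holds owned pages and frees them a second time. I would add `/* pages were released above; drop the ownership flag so xfs_buf_free() does not free them again */` directly above it. The enclosing function starts outside the hunk.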
diff --git a/queue-3.18/xfs-don-t-allow-di_size-with-high-bit-set.patch b/queue-3.18/xfs-don-t-allow-di_size-with-high-bit-set.patch
new file mode 100644 (file)
index 0000000..3d1022f
--- /dev/null
@@ -0,0 +1,41 @@
+From ef388e2054feedaeb05399ed654bdb06f385d294 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 5 Dec 2016 12:38:38 +1100
+Subject: xfs: don't allow di_size with high bit set
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.
+
+The on-disk field di_size is used to set i_size, which is a signed
+integer of loff_t.  If the high bit of di_size is set, we'll end up with
+a negative i_size, which will cause all sorts of problems.  Since the
+VFS won't let us create a file with such length, we should catch them
+here in the verifier too.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/libxfs/xfs_inode_buf.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -304,6 +304,14 @@ xfs_dinode_verify(
+       if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))
+               return false;
++      /* don't allow invalid i_size */
++      if (be64_to_cpu(dip->di_size) & (1ULL << 63))
++              return false;
++
++      /* No zero-length symlinks. */
++      if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0)
++              return false;
++
+       /* only version 3 or greater inodes are extensively verified here */
+       if (dip->di_version < 3)
+               return true;
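Review bot: The second added check in xfs_dinode_verify(), which rejects zero-length symlinks, is not mentioned in the commit message; the message describes only the high-bit `di_size` test. A verifier that starts rejecting a class of on-disk inodes changes which filesystems can be read. Whether this tree can legitimately leave a symlink inode with `di_size == 0` on disk is not visible from this hunk, so it should be confirmed and the message should cover the check. The test also compares the raw big-endian field, `dip->di_size == 0`, while the line above converts it. That is harmless for zero, but reading the size once with `be64_to_cpu()` and using it in both checks would be more consistent.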
diff --git a/queue-3.18/xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch b/queue-3.18/xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch
new file mode 100644 (file)
index 0000000..52f92dc
--- /dev/null
@@ -0,0 +1,97 @@
+From 7922c1becb36b61827a24ee32ffe7c39cf444efb Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@sandeen.net>
+Date: Tue, 8 Nov 2016 12:55:18 +1100
+Subject: xfs: fix up xfs_swap_extent_forks inline extent handling
+
+From: Eric Sandeen <sandeen@sandeen.net>
+
+commit 4dfce57db6354603641132fac3c887614e3ebe81 upstream.
+
+There have been several reports over the years of NULL pointer
+dereferences in xfs_trans_log_inode during xfs_fsr processes,
+when the process is doing an fput and tearing down extents
+on the temporary inode, something like:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+PID: 29439  TASK: ffff880550584fa0  CPU: 6   COMMAND: "xfs_fsr"
+    [exception RIP: xfs_trans_log_inode+0x10]
+ #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]
+#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs]
+#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs]
+#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs]
+#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs]
+#14 [ffff8800a57bbe00] evict at ffffffff811e1b67
+#15 [ffff8800a57bbe28] iput at ffffffff811e23a5
+#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8
+#17 [ffff8800a57bbe88] dput at ffffffff811dd06c
+#18 [ffff8800a57bbea8] __fput at ffffffff811c823b
+#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e
+#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27
+#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c
+#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d
+
+As it turns out, this is because the i_itemp pointer, along
+with the d_ops pointer, has been overwritten with zeros
+when we tear down the extents during truncate.  When the in-core
+inode fork on the temporary inode used by xfs_fsr was originally
+set up during the extent swap, we mistakenly looked at di_nextents
+to determine whether all extents fit inline, but this misses extents
+generated by speculative preallocation; we should be using if_bytes
+instead.
+
+This mistake corrupts the in-memory inode, and code in
+xfs_iext_remove_inline eventually gets bad inputs, causing
+it to memmove and memset incorrect ranges; this became apparent
+because the two values in ifp->if_u2.if_inline_ext[1] contained
+what should have been in d_ops and i_itemp; they were memmoved due
+to incorrect array indexing and then the original locations
+were zeroed with memset, again due to an array overrun.
+
+Fix this by properly using i_df.if_bytes to determine the number
+of extents, not di_nextents.
+
+Thanks to dchinner for looking at this with me and spotting the
+root cause.
+
+[nborisov: backported to 4.4]
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_bmap_util.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1622,6 +1622,7 @@ xfs_swap_extents(
+       xfs_trans_t     *tp;
+       xfs_bstat_t     *sbp = &sxp->sx_stat;
+       xfs_ifork_t     *tempifp, *ifp, *tifp;
++      xfs_extnum_t    nextents;
+       int             src_log_flags, target_log_flags;
+       int             error = 0;
+       int             aforkblks = 0;
+@@ -1802,7 +1803,8 @@ xfs_swap_extents(
+                * pointer.  Otherwise it's already NULL or
+                * pointing to the extent.
+                */
+-              if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) {
++              nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
++              if (nextents <= XFS_INLINE_EXTS) {
+                       ifp->if_u1.if_extents =
+                               ifp->if_u2.if_inline_ext;
+               }
+@@ -1821,7 +1823,8 @@ xfs_swap_extents(
+                * pointer.  Otherwise it's already NULL or
+                * pointing to the extent.
+                */
+-              if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) {
++              nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
++              if (nextents <= XFS_INLINE_EXTS) {
+                       tifp->if_u1.if_extents =
+                               tifp->if_u2.if_inline_ext;
+               }
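Review bot: The `nextents` computation is written out twice in xfs_swap_extents(), once for `ip` and once for `tip`, and neither site says why `if_bytes` is used instead of `di_nextents`. The comment above each test still describes only the pointer fix-up. A line such as `/* count in-core extents from if_bytes; di_nextents misses speculative preallocation */` at both sites would stop a later cleanup from reverting to the on-disk count. The `(uint)` cast on `sizeof` also narrows the divisor without explanation. If it only mirrors existing usage elsewhere in the file, which is not visible here, that is fine, otherwise it can be dropped. The function starts and ends outside the hunks.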