+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Lenny Szubowicz <lszubowi@redhat.com>
-Date: Tue, 27 Mar 2018 09:56:40 -0400
-Subject: ACPI: acpi_pad: Fix memory leak in power saving threads
-
-From: Lenny Szubowicz <lszubowi@redhat.com>
-
-[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ]
-
-Fix once per second (round_robin_time) memory leak of about 1 KB in
-each acpi_pad kernel idling thread that is activated.
-
-Found by testing with kmemleak.
-
-Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/acpi_pad.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/acpi/acpi_pad.c
-+++ b/drivers/acpi/acpi_pad.c
-@@ -117,6 +117,7 @@ static void round_robin_cpu(unsigned int
- cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus);
- if (cpumask_empty(tmp)) {
- mutex_unlock(&round_robin_lock);
-+ free_cpumask_var(tmp);
- return;
- }
- for_each_cpu(cpu, tmp) {
-@@ -134,6 +135,8 @@ static void round_robin_cpu(unsigned int
- mutex_unlock(&round_robin_lock);
-
- set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu));
-+
-+ free_cpumask_var(tmp);
- }
-
- static void exit_round_robin(unsigned int tsk_index)
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Chen Yu <yu.c.chen@intel.com>
-Date: Mon, 29 Jan 2018 10:26:46 +0800
-Subject: ACPI: processor_perflib: Do not send _PPC change notification if not ready
-
-From: Chen Yu <yu.c.chen@intel.com>
-
-[ Upstream commit ba1edb9a5125a617d612f98eead14b9b84e75c3a ]
-
-The following warning was triggered after resumed from S3 -
-if all the nonboot CPUs were put offline before suspend:
-
-[ 1840.329515] unchecked MSR access error: RDMSR from 0x771 at rIP: 0xffffffff86061e3a (native_read_msr+0xa/0x30)
-[ 1840.329516] Call Trace:
-[ 1840.329521] __rdmsr_on_cpu+0x33/0x50
-[ 1840.329525] generic_exec_single+0x81/0xb0
-[ 1840.329527] smp_call_function_single+0xd2/0x100
-[ 1840.329530] ? acpi_ds_result_pop+0xdd/0xf2
-[ 1840.329532] ? acpi_ds_create_operand+0x215/0x23c
-[ 1840.329534] rdmsrl_on_cpu+0x57/0x80
-[ 1840.329536] ? cpumask_next+0x1b/0x20
-[ 1840.329538] ? rdmsrl_on_cpu+0x57/0x80
-[ 1840.329541] intel_pstate_update_perf_limits+0xf3/0x220
-[ 1840.329544] ? notifier_call_chain+0x4a/0x70
-[ 1840.329546] intel_pstate_set_policy+0x4e/0x150
-[ 1840.329548] cpufreq_set_policy+0xcd/0x2f0
-[ 1840.329550] cpufreq_update_policy+0xb2/0x130
-[ 1840.329552] ? cpufreq_update_policy+0x130/0x130
-[ 1840.329556] acpi_processor_ppc_has_changed+0x65/0x80
-[ 1840.329558] acpi_processor_notify+0x80/0x100
-[ 1840.329561] acpi_ev_notify_dispatch+0x44/0x5c
-[ 1840.329563] acpi_os_execute_deferred+0x14/0x20
-[ 1840.329565] process_one_work+0x193/0x3c0
-[ 1840.329567] worker_thread+0x35/0x3b0
-[ 1840.329569] kthread+0x125/0x140
-[ 1840.329571] ? process_one_work+0x3c0/0x3c0
-[ 1840.329572] ? kthread_park+0x60/0x60
-[ 1840.329575] ? do_syscall_64+0x67/0x180
-[ 1840.329577] ret_from_fork+0x25/0x30
-[ 1840.329585] unchecked MSR access error: WRMSR to 0x774 (tried to write 0x0000000000000000) at rIP: 0xffffffff86061f78 (native_write_msr+0x8/0x30)
-[ 1840.329586] Call Trace:
-[ 1840.329587] __wrmsr_on_cpu+0x37/0x40
-[ 1840.329589] generic_exec_single+0x81/0xb0
-[ 1840.329592] smp_call_function_single+0xd2/0x100
-[ 1840.329594] ? acpi_ds_create_operand+0x215/0x23c
-[ 1840.329595] ? cpumask_next+0x1b/0x20
-[ 1840.329597] wrmsrl_on_cpu+0x57/0x70
-[ 1840.329598] ? rdmsrl_on_cpu+0x57/0x80
-[ 1840.329599] ? wrmsrl_on_cpu+0x57/0x70
-[ 1840.329602] intel_pstate_hwp_set+0xd3/0x150
-[ 1840.329604] intel_pstate_set_policy+0x119/0x150
-[ 1840.329606] cpufreq_set_policy+0xcd/0x2f0
-[ 1840.329607] cpufreq_update_policy+0xb2/0x130
-[ 1840.329610] ? cpufreq_update_policy+0x130/0x130
-[ 1840.329613] acpi_processor_ppc_has_changed+0x65/0x80
-[ 1840.329615] acpi_processor_notify+0x80/0x100
-[ 1840.329617] acpi_ev_notify_dispatch+0x44/0x5c
-[ 1840.329619] acpi_os_execute_deferred+0x14/0x20
-[ 1840.329620] process_one_work+0x193/0x3c0
-[ 1840.329622] worker_thread+0x35/0x3b0
-[ 1840.329624] kthread+0x125/0x140
-[ 1840.329625] ? process_one_work+0x3c0/0x3c0
-[ 1840.329626] ? kthread_park+0x60/0x60
-[ 1840.329628] ? do_syscall_64+0x67/0x180
-[ 1840.329631] ret_from_fork+0x25/0x30
-
-This is because if there's only one online CPU, the MSR_PM_ENABLE
-(package wide)can not be enabled after resumed, due to
-intel_pstate_hwp_enable() will only be invoked on AP's online
-process after resumed - if there's no AP online, the HWP remains
-disabled after resumed (BIOS has disabled it in S3). Then if
-there comes a _PPC change notification which touches HWP register
-during this stage, the warning is triggered.
-
-Since we don't call acpi_processor_register_performance() when
-HWP is enabled, the pr->performance will be NULL. When this is
-NULL we don't need to do _PPC change notification.
-
-Reported-by: Doug Smythies <dsmythies@telus.net>
-Suggested-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
-Signed-off-by: Yu Chen <yu.c.chen@intel.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/processor_perflib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/acpi/processor_perflib.c
-+++ b/drivers/acpi/processor_perflib.c
-@@ -165,7 +165,7 @@ int acpi_processor_ppc_has_changed(struc
- {
- int ret;
-
-- if (ignore_ppc) {
-+ if (ignore_ppc || !pr->performance) {
- /*
- * Only when it is notification event, the _OST object
- * will be evaluated. Otherwise it is skipped.
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Seunghun Han <kkamagui@gmail.com>
-Date: Wed, 14 Mar 2018 16:12:56 -0700
-Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
-
-From: Seunghun Han <kkamagui@gmail.com>
-
-[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ]
-
-I found an ACPI cache leak in ACPI early termination and boot continuing case.
-
-When early termination occurs due to malicious ACPI table, Linux kernel
-terminates ACPI function and continues to boot process. While kernel terminates
-ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
-
-Boot log of ACPI operand cache leak is as follows:
->[ 0.464168] ACPI: Added _OSI(Module Device)
->[ 0.467022] ACPI: Added _OSI(Processor Device)
->[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
->[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
->[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
->[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
->[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
->[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
->[ 0.497683] ACPI: Interpreter enabled
->[ 0.499385] ACPI: (supports S0)
->[ 0.501151] ACPI: Using IOAPIC for interrupt routing
->[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
->[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
->[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
->[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
->[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
->[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
->[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
->[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
->[ 0.529668] Call Trace:
->[ 0.530811] ? dump_stack+0x5c/0x81
->[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
->[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
->[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
->[ 0.537237] ? acpi_terminate+0xa/0x14
->[ 0.538701] ? acpi_init+0x2af/0x34f
->[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
->[ 0.541593] ? do_one_initcall+0x4e/0x1a0
->[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
->[ 0.546202] ? rest_init+0x80/0x80
->[ 0.547513] ? kernel_init+0xa/0x100
->[ 0.548817] ? ret_from_fork+0x25/0x30
->[ 0.550587] vgaarb: loaded
->[ 0.551716] EDAC MC: Ver: 3.0.0
->[ 0.553744] PCI: Probing PCI hardware
->[ 0.555038] PCI host bridge to bus 0000:00
-> ... Continue to boot and log is omitted ...
-
-I analyzed this memory leak in detail and found acpi_ns_evaluate() function
-only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
-occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
-also not null. Therefore, this causes acpi operand memory leak.
-
-This cache leak causes a security threat because an old kernel (<= 4.9) shows
-memory locations of kernel functions in stack dump. Some malicious users
-could use this information to neutralize kernel ASLR.
-
-I made a patch to fix ACPI operand cache leak.
-
-Signed-off-by: Seunghun Han <kkamagui@gmail.com>
-Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/acpica/nseval.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/acpi/acpica/nseval.c
-+++ b/drivers/acpi/acpica/nseval.c
-@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi
- /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
-
- status = AE_OK;
-+ } else if (ACPI_FAILURE(status)) {
-+
-+ /* If return_object exists, delete it */
-+
-+ if (info->return_object) {
-+ acpi_ut_remove_reference(info->return_object);
-+ info->return_object = NULL;
-+ }
- }
-
- ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Erik Schmauss <erik.schmauss@intel.com>
-Date: Wed, 14 Mar 2018 16:13:08 -0700
-Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read
-
-From: Erik Schmauss <erik.schmauss@intel.com>
-
-[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ]
-
-This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
-and and fixed_enable as uninitialized variables.
-
-Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/acpica/evevent.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/drivers/acpi/acpica/evevent.c
-+++ b/drivers/acpi/acpica/evevent.c
-@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void)
- u32 fixed_status;
- u32 fixed_enable;
- u32 i;
-+ acpi_status status;
-
- ACPI_FUNCTION_NAME(ev_fixed_event_detect);
-
-@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void)
- * Read the fixed feature status and enable registers, as all the cases
- * depend on their values. Ignore errors here.
- */
-- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
-- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
-+ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
-+ status |=
-+ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
-+ if (ACPI_FAILURE(status)) {
-+ return (int_status);
-+ }
-
- ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS,
- "Fixed Event Block: Enable %08X Status %08X\n",
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Takashi Iwai <tiwai@suse.de>
-Date: Thu, 8 Mar 2018 08:26:48 +0100
-Subject: ALSA: vmaster: Propagate slave error
-
-From: Takashi Iwai <tiwai@suse.de>
-
-[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ]
-
-In slave_update() of vmaster code ignores the error from the slave
-get() callback and copies the values. It's not only about the missing
-error code but also that this may potentially lead to a leak of
-uninitialized variables when the slave get() don't clear them.
-
-This patch fixes slave_update() not to copy the potentially
-uninitialized values when an error is returned from the slave get()
-callback, and to propagate the error value properly.
-
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/core/vmaster.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/sound/core/vmaster.c
-+++ b/sound/core/vmaster.c
-@@ -68,10 +68,13 @@ static int slave_update(struct link_slav
- return -ENOMEM;
- uctl->id = slave->slave.id;
- err = slave->slave.get(&slave->slave, uctl);
-+ if (err < 0)
-+ goto error;
- for (ch = 0; ch < slave->info.count; ch++)
- slave->vals[ch] = uctl->value.integer.value[ch];
-+ error:
- kfree(uctl);
-- return 0;
-+ return err < 0 ? err : 0;
- }
-
- /* get the slave ctl info and save the initial values */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Philipp Puschmann <pp@emlix.com>
-Date: Fri, 23 Mar 2018 10:22:15 +0100
-Subject: arm: dts: socfpga: fix GIC PPI warning
-
-From: Philipp Puschmann <pp@emlix.com>
-
-[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ]
-
-Fixes the warning "GIC: PPI13 is secure or misconfigured" by
-changing the interrupt type from level_low to edge_raising
-
-Signed-off-by: Philipp Puschmann <pp@emlix.com>
-Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/boot/dts/socfpga.dtsi | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/arm/boot/dts/socfpga.dtsi
-+++ b/arch/arm/boot/dts/socfpga.dtsi
-@@ -643,7 +643,7 @@
- timer@fffec600 {
- compatible = "arm,cortex-a9-twd-timer";
- reg = <0xfffec600 0x100>;
-- interrupts = <1 13 0xf04>;
-+ interrupts = <1 13 0xf01>;
- clocks = <&mpu_periph_clk>;
- };
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Tony Lindgren <tony@atomide.com>
-Date: Thu, 22 Feb 2018 10:02:49 -0800
-Subject: ARM: OMAP: Fix dmtimer init for omap1
-
-From: Tony Lindgren <tony@atomide.com>
-
-[ Upstream commit ba6887836178d43b3665b9da075c2c5dfe1d207c ]
-
-We need to enable PM runtime on omap1 also as otherwise we
-will get errors:
-
-omap_timer omap_timer.1: omap_dm_timer_probe: pm_runtime_get_sync failed!
-omap_timer: probe of omap_timer.1 failed with error -13
-...
-
-We are checking for OMAP_TIMER_NEEDS_RESET flag elsewhere so this is
-safe to do.
-
-Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
-Cc: Keerthy <j-keerthy@ti.com>
-Cc: Ladislav Michl <ladis@linux-mips.org>
-Signed-off-by: Tony Lindgren <tony@atomide.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/plat-omap/dmtimer.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
---- a/arch/arm/plat-omap/dmtimer.c
-+++ b/arch/arm/plat-omap/dmtimer.c
-@@ -853,11 +853,8 @@ static int omap_dm_timer_probe(struct pl
- timer->irq = irq->start;
- timer->pdev = pdev;
-
-- /* Skip pm_runtime_enable for OMAP1 */
-- if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) {
-- pm_runtime_enable(dev);
-- pm_runtime_irq_safe(dev);
-- }
-+ pm_runtime_enable(dev);
-+ pm_runtime_irq_safe(dev);
-
- if (!timer->reserved) {
- pm_runtime_get_sync(dev);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-Date: Tue, 2 Jan 2018 16:25:35 +0100
-Subject: ARM: OMAP1: clock: Fix debugfs_create_*() usage
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit 8cbbf1745dcde7ba7e423dc70619d223de90fd43 ]
-
-When exposing data access through debugfs, the correct
-debugfs_create_*() functions must be used, depending on data type.
-
-Remove all casts from data pointers passed to debugfs_create_*()
-functions, as such casts prevent the compiler from flagging bugs.
-
-Correct all wrong usage:
- - clk.rate is unsigned long, not u32,
- - clk.flags is u8, not u32, which exposed the successive
- clk.rate_offset and clk.src_offset fields.
-
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Acked-by: Aaro Koskinen <aaro.koskinen@iki.fi>
-Signed-off-by: Tony Lindgren <tony@atomide.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/mach-omap1/clock.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/arch/arm/mach-omap1/clock.c
-+++ b/arch/arm/mach-omap1/clock.c
-@@ -1031,17 +1031,17 @@ static int clk_debugfs_register_one(stru
- return -ENOMEM;
- c->dent = d;
-
-- d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount);
-+ d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount);
- if (!d) {
- err = -ENOMEM;
- goto err_out;
- }
-- d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate);
-+ d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate);
- if (!d) {
- err = -ENOMEM;
- goto err_out;
- }
-- d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags);
-+ d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags);
- if (!d) {
- err = -ENOMEM;
- goto err_out;
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Tony Lindgren <tony@atomide.com>
-Date: Fri, 9 Feb 2018 08:15:53 -0800
-Subject: ARM: OMAP3: Fix prm wake interrupt for resume
-
-From: Tony Lindgren <tony@atomide.com>
-
-[ Upstream commit d3be6d2a08bd26580562d9714d3d97ea9ba22c73 ]
-
-For platform_suspend_ops, the finish call is too late to re-enable wake
-irqs and we need re-enable wake irqs on wake call instead.
-
-Otherwise noirq resume for devices has already happened. And then
-dev_pm_disarm_wake_irq() has already disabled the dedicated wake irqs
-when the interrupt triggers and the wake irq is never handled.
-
-For devices that are already in PM runtime suspended state when we
-enter suspend this means that a possible wake irq will never trigger.
-
-And this can lead into a situation where a device has a pending padconf
-wake irq, and the device will stay unresponsive to any further wake
-irqs.
-
-This issue can be easily reproduced by setting serial console log level
-to zero, letting the serial console idle, and suspend the system from
-an ssh terminal. Then try to wake up the system by typing to the serial
-console.
-
-Note that this affects only omap3 PRM interrupt as that's currently
-the only omap variant that does anything in omap_pm_wake().
-
-In general, for the wake irqs to work, the interrupt must have either
-IRQF_NO_SUSPEND or IRQF_EARLY_RESUME set for it to trigger before
-dev_pm_disarm_wake_irq() disables the wake irqs.
-
-Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
-Cc: Tero Kristo <t-kristo@ti.com>
-Signed-off-by: Tony Lindgren <tony@atomide.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/mach-omap2/pm.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/arm/mach-omap2/pm.c
-+++ b/arch/arm/mach-omap2/pm.c
-@@ -231,7 +231,7 @@ static void omap_pm_end(void)
- cpu_idle_poll_ctrl(false);
- }
-
--static void omap_pm_finish(void)
-+static void omap_pm_wake(void)
- {
- if (cpu_is_omap34xx())
- omap_prcm_irq_complete();
-@@ -241,7 +241,7 @@ static const struct platform_suspend_ops
- .begin = omap_pm_begin,
- .end = omap_pm_end,
- .enter = omap_pm_enter,
-- .finish = omap_pm_finish,
-+ .wake = omap_pm_wake,
- .valid = suspend_valid_only_mem,
- };
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Wed, 31 Jan 2018 16:17:43 -0800
-Subject: asm-generic: provide generic_pmdp_establish()
-
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-
-[ Upstream commit c58f0bb77ed8bf93dfdde762b01cb67eebbdfc29 ]
-
-Patch series "Do not lose dirty bit on THP pages", v4.
-
-Vlastimil noted that pmdp_invalidate() is not atomic and we can lose
-dirty and access bits if CPU sets them after pmdp dereference, but
-before set_pmd_at().
-
-The bug can lead to data loss, but the race window is tiny and I haven't
-seen any reports that suggested that it happens in reality. So I don't
-think it worth sending it to stable.
-
-Unfortunately, there's no way to address the issue in a generic way. We
-need to fix all architectures that support THP one-by-one.
-
-All architectures that have THP supported have to provide atomic
-pmdp_invalidate() that returns previous value.
-
-If generic implementation of pmdp_invalidate() is used, architecture
-needs to provide atomic pmdp_estabish().
-
-pmdp_estabish() is not used out-side generic implementation of
-pmdp_invalidate() so far, but I think this can change in the future.
-
-This patch (of 12):
-
-This is an implementation of pmdp_establish() that is only suitable for
-an architecture that doesn't have hardware dirty/accessed bits. In this
-case we can't race with CPU which sets these bits and non-atomic
-approach is fine.
-
-Link: http://lkml.kernel.org/r/20171213105756.69879-2-kirill.shutemov@linux.intel.com
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Cc: Vlastimil Babka <vbabka@suse.cz>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Michal Hocko <mhocko@kernel.org>
-Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
-Cc: Catalin Marinas <catalin.marinas@arm.com>
-Cc: David Daney <david.daney@cavium.com>
-Cc: David Miller <davem@davemloft.net>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Cc: Nitin Gupta <nitin.m.gupta@oracle.com>
-Cc: Ralf Baechle <ralf@linux-mips.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Vineet Gupta <vgupta@synopsys.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/asm-generic/pgtable.h | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
---- a/include/asm-generic/pgtable.h
-+++ b/include/asm-generic/pgtable.h
-@@ -181,6 +181,21 @@ extern void pgtable_trans_huge_deposit(s
- extern pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp);
- #endif
-
-+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
-+/*
-+ * This is an implementation of pmdp_establish() that is only suitable for an
-+ * architecture that doesn't have hardware dirty/accessed bits. In this case we
-+ * can't race with CPU which sets these bits and non-atomic aproach is fine.
-+ */
-+static inline pmd_t generic_pmdp_establish(struct vm_area_struct *vma,
-+ unsigned long address, pmd_t *pmdp, pmd_t pmd)
-+{
-+ pmd_t old_pmd = *pmdp;
-+ set_pmd_at(vma->vm_mm, address, pmdp, pmd);
-+ return old_pmd;
-+}
-+#endif
-+
- #ifndef __HAVE_ARCH_PMDP_INVALIDATE
- extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
- pmd_t *pmdp);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Mon, 15 Jan 2018 11:08:38 +0300
-Subject: ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit 123af9043e93cb6f235207d260d50f832cdb5439 ]
-
-The loop timeout doesn't work because it's a post op and ends with "tmo"
-set to -1. I changed it from a post-op to a pre-op and I changed the
-initial the starting value from 5 to 6 so we still iterate 5 times. I
-left the other as it was because it's a large number.
-
-Fixes: b3c70c9ea62a ("ASoC: Alchemy AC97C/I2SC audio support")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/soc/au1x/ac97c.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/sound/soc/au1x/ac97c.c
-+++ b/sound/soc/au1x/ac97c.c
-@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_rea
- do {
- mutex_lock(&ctx->lock);
-
-- tmo = 5;
-- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
-+ tmo = 6;
-+ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
- udelay(21); /* wait an ac97 frame time */
- if (!tmo) {
- pr_debug("ac97rd timeout #1\n");
-@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_rea
- * poll, Forrest, poll...
- */
- tmo = 0x10000;
-- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
-+ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
- asm volatile ("nop");
- data = RD(ctx, AC97_CMDRESP);
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
-Date: Mon, 12 Mar 2018 17:09:40 +0530
-Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
-
-From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
-
-[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ]
-
-When attempt to run worker (ath10k_sta_rc_update_wk) after the station object
-(ieee80211_sta) delete will trigger the kernel panic.
-
-This problem arise in AP + Mesh configuration, Where the current node AP VAP
-and neighbor node mesh VAP MAC address are same. When the current mesh node
-try to establish the mesh link with neighbor node, driver peer creation for
-the neighbor mesh node fails due to duplication MAC address. Already the AP
-VAP created with same MAC address.
-
-It is caused by the following scenario steps.
-
-Steps:
-1. In above condition, ath10k driver sta_state callback (ath10k_sta_state)
- fails to do the state change for a station from IEEE80211_STA_NOTEXIST
- to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is
- called from ieee80211_add_station() to handle the new station
- (neighbor mesh node) request from the wpa_supplicant.
-2. Concurrently ath10k receive the sta_rc_update callback notification from
- the mesh_neighbour_update() to handle the beacon frames of the above
- neighbor mesh node. since its atomic callback, ath10k driver queue the
- work (ath10k_sta_rc_update_wk) to handle rc update.
-3. Due to driver sta_state callback fails (step 1), mac80211 free the station
- object.
-4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access
- the station object which is already deleted. so it will trigger kernel
- panic.
-
-Added the peer exist check in sta_rc_update callback before queue the work.
-
-Kernel Panic log:
-
-Unable to handle kernel NULL pointer dereference at virtual address 00000000
-pgd = c0204000
-[00000000] *pgd=00000000
-Internal error: Oops: 17 [#1] PREEMPT SMP ARM
-CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
-task: dcef0000 ti: d72b6000 task.ti: d72b6000
-PC is at pwq_activate_delayed_work+0x10/0x40
-LR is at pwq_activate_delayed_work+0xc/0x40
-pc : [<c023f988>] lr : [<c023f984>] psr: 40000193
-sp : d72b7f18 ip : 0000007a fp : d72b6000
-r10: 00000000 r9 : dd404414 r8 : d8c31998
-r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300
-r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000
-Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
-Control: 10c5787d Table: 595bc06a DAC: 00000015
-...
-Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
-Stack: (0xd72b7f18 to 0xd72b8000)
-7f00: 00000001 dcee1300
-7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089
-7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000
-7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000
-7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340
-7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000
-7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
-[<c023f988>] (pwq_activate_delayed_work) from [<c02410dc>] (pwq_dec_nr_in_flight+0x58/0xc4)
-[<c02410dc>] (pwq_dec_nr_in_flight) from [<c0242790>] (worker_thread+0x228/0x360)
-[<c0242790>] (worker_thread) from [<c02474dc>] (kthread+0xd8/0xec)
-[<c02474dc>] (kthread) from [<c0208d20>] (ret_from_fork+0x14/0x34)
-Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
-Rebooting in 3 seconds..
-
-Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/drivers/net/wireless/ath/ath10k/mac.c
-+++ b/drivers/net/wireless/ath/ath10k/mac.c
-@@ -4319,10 +4319,20 @@ static void ath10k_sta_rc_update(struct
- {
- struct ath10k *ar = hw->priv;
- struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
-+ struct ath10k_vif *arvif = (void *)vif->drv_priv;
-+ struct ath10k_peer *peer;
- u32 bw, smps;
-
- spin_lock_bh(&ar->data_lock);
-
-+ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr);
-+ if (!peer) {
-+ spin_unlock_bh(&ar->data_lock);
-+ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n",
-+ sta->addr, arvif->vdev_id);
-+ return;
-+ }
-+
- ath10k_dbg(ar, ATH10K_DBG_MAC,
- "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n",
- sta->addr, changed, sta->bandwidth, sta->rx_nss,
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Richard Guy Briggs <rgb@redhat.com>
-Date: Wed, 21 Feb 2018 04:30:07 -0500
-Subject: audit: return on memory error to avoid null pointer dereference
-
-From: Richard Guy Briggs <rgb@redhat.com>
-
-[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ]
-
-If there is a memory allocation error when trying to change an audit
-kernel feature value, the ignored allocation error will trigger a NULL
-pointer dereference oops on subsequent use of that pointer. Return
-instead.
-
-Passes audit-testsuite.
-See: https://github.com/linux-audit/audit-kernel/issues/76
-
-Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
-[PM: not necessary (other funcs check for NULL), but a good practice]
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/audit.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -738,6 +738,8 @@ static void audit_log_feature_change(int
- return;
-
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
-+ if (!ab)
-+ return;
- audit_log_task_info(ab, current);
- audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
- audit_feature_names[which], !!old_feature, !!new_feature,
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Matthias Schiffer <mschiffer@universe-factory.net>
-Date: Fri, 16 Mar 2018 11:29:10 +0100
-Subject: batman-adv: fix header size check in batadv_dbg_arp()
-
-From: Matthias Schiffer <mschiffer@universe-factory.net>
-
-[ Upstream commit 6f27d2c2a8c236d296201c19abb8533ec20d212b ]
-
-Checking for 0 is insufficient: when an SKB without a batadv header, but
-with a VLAN header is received, hdr_size will be 4, making the following
-code interpret the Ethernet header as a batadv header.
-
-Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
-Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/batman-adv/distributed-arp-table.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/batman-adv/distributed-arp-table.c
-+++ b/net/batman-adv/distributed-arp-table.c
-@@ -343,7 +343,7 @@ static void batadv_dbg_arp(struct batadv
- batadv_arp_hw_src(skb, hdr_size), &ip_src,
- batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
-
-- if (hdr_size == 0)
-+ if (hdr_size < sizeof(struct batadv_unicast_packet))
- return;
-
- unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: "Linus Lüssing" <linus.luessing@c0d3.blue>
-Date: Tue, 20 Mar 2018 03:13:27 +0100
-Subject: batman-adv: fix multicast-via-unicast transmission with AP isolation
-
-From: "Linus Lüssing" <linus.luessing@c0d3.blue>
-
-[ Upstream commit f8fb3419ead44f9a3136995acd24e35da4525177 ]
-
-For multicast frames AP isolation is only supposed to be checked on
-the receiving nodes and never on the originating one.
-
-Furthermore, the isolation or wifi flag bits should only be intepreted
-as such for unicast and never multicast TT entries.
-
-By injecting flags to the multicast TT entry claimed by a single
-target node it was verified in tests that this multicast address
-becomes unreachable, leading to packet loss.
-
-Omitting the "src" parameter to the batadv_transtable_search() call
-successfully skipped the AP isolation check and made the target
-reachable again.
-
-Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
-Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/batman-adv/multicast.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/batman-adv/multicast.c
-+++ b/net/batman-adv/multicast.c
-@@ -394,8 +394,8 @@ static struct batadv_orig_node *
- batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
- struct ethhdr *ethhdr)
- {
-- return batadv_transtable_search(bat_priv, ethhdr->h_source,
-- ethhdr->h_dest, BATADV_NO_FLAGS);
-+ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
-+ BATADV_NO_FLAGS);
- }
-
- /**
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Matthias Schiffer <mschiffer@universe-factory.net>
-Date: Tue, 23 Jan 2018 10:59:49 +0100
-Subject: batman-adv: fix packet checksum in receive path
-
-From: Matthias Schiffer <mschiffer@universe-factory.net>
-
-[ Upstream commit abd6360591d3f8259f41c34e31ac4826dfe621b8 ]
-
-eth_type_trans() internally calls skb_pull(), which does not adjust the
-skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the
-form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are
-received.
-
-Note that in usual setups, packets don't reach batman-adv with
-CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
-batadv's ethtype?), which is why the log messages do not occur on every
-system using batman-adv. I could reproduce this issue by stacking
-batman-adv on top of a VXLAN interface.
-
-Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
-Tested-by: Maximilian Wilhelm <max@sdn.clinic>
-Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/batman-adv/soft-interface.c | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
---- a/net/batman-adv/soft-interface.c
-+++ b/net/batman-adv/soft-interface.c
-@@ -401,13 +401,7 @@ void batadv_interface_rx(struct net_devi
-
- /* skb->dev & skb->pkt_type are set here */
- skb->protocol = eth_type_trans(skb, soft_iface);
--
-- /* should not be necessary anymore as we use skb_pull_rcsum()
-- * TODO: please verify this and remove this TODO
-- * -- Dec 21st 2009, Simon Wunderlich
-- */
--
-- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */
-+ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
-
- batadv_inc_counter(bat_priv, BATADV_CNT_RX);
- batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: "Linus Lüssing" <linus.luessing@c0d3.blue>
-Date: Thu, 22 Mar 2018 00:21:32 +0100
-Subject: batman-adv: fix packet loss for broadcasted DHCP packets to a server
-
-From: "Linus Lüssing" <linus.luessing@c0d3.blue>
-
-[ Upstream commit a752c0a4524889cdc0765925258fd1fd72344100 ]
-
-DHCP connectivity issues can currently occur if the following conditions
-are met:
-
-1) A DHCP packet from a client to a server
-2) This packet has a multicast destination
-3) This destination has a matching entry in the translation table
- (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03
- for IPv6)
-4) The orig-node determined by TT for the multicast destination
- does not match the orig-node determined by best-gateway-selection
-
-In this case the DHCP packet will be dropped.
-
-The "gateway-out-of-range" check is supposed to only be applied to
-unicasted DHCP packets to a specific DHCP server.
-
-In that case dropping the the unicasted frame forces the client to
-retry via a broadcasted one, but now directed to the new best
-gateway.
-
-A DHCP packet with broadcast/multicast destination is already ensured to
-always be delivered to the best gateway. Dropping a multicasted
-DHCP packet here will only prevent completing DHCP as there is no
-other fallback.
-
-So far, it seems the unicast check was implicitly performed by
-expecting the batadv_transtable_search() to return NULL for multicast
-destinations. However, a multicast address could have always ended up in
-the translation table and in fact is now common.
-
-To fix this potential loss of a DHCP client-to-server packet to a
-multicast address this patch adds an explicit multicast destination
-check to reliably bail out of the gateway-out-of-range check for such
-destinations.
-
-The issue and fix were tested in the following three node setup:
-
-- Line topology, A-B-C
-- A: gateway client, DHCP client
-- B: gateway server, hop-penalty increased: 30->60, DHCP server
-- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF
-
-Without this patch, A would never transmit its DHCP Discover packet
-due to an always "out-of-range" condition. With this patch,
-a full DHCP handshake between A and B was possible again.
-
-Fixes: be7af5cf9cae ("batman-adv: refactoring gateway handling code")
-Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/batman-adv/gateway_client.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/batman-adv/gateway_client.c
-+++ b/net/batman-adv/gateway_client.c
-@@ -804,6 +804,9 @@ bool batadv_gw_out_of_range(struct batad
-
- vid = batadv_get_vid(skb, 0);
-
-+ if (is_multicast_ether_addr(ethhdr->h_dest))
-+ goto out;
-+
- orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
- ethhdr->h_dest, vid);
- if (!orig_dst_node)
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Matthias Schiffer <mschiffer@universe-factory.net>
-Date: Tue, 23 Jan 2018 10:59:50 +0100
-Subject: batman-adv: invalidate checksum on fragment reassembly
-
-From: Matthias Schiffer <mschiffer@universe-factory.net>
-
-[ Upstream commit 3bf2a09da956b43ecfaa630a2ef9a477f991a46a ]
-
-A more sophisticated implementation could try to combine fragment checksums
-when all fragments have CHECKSUM_COMPLETE and are split at even offsets.
-For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure"
-warnings in the kernel log when fragmented frames are received. In
-consequence, skb_pull_rcsum() can be replaced with skb_pull().
-
-Note that in usual setups, packets don't reach batman-adv with
-CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
-batadv's ethtype?), which is why the log messages do not occur on every
-system using batman-adv. I could reproduce this issue by stacking
-batman-adv on top of a VXLAN interface.
-
-Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
-Tested-by: Maximilian Wilhelm <max@sdn.clinic>
-Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/batman-adv/fragmentation.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/batman-adv/fragmentation.c
-+++ b/net/batman-adv/fragmentation.c
-@@ -260,7 +260,8 @@ batadv_frag_merge_packets(struct hlist_h
- /* Move the existing MAC header to just before the payload. (Override
- * the fragment header.)
- */
-- skb_pull_rcsum(skb_out, hdr_size);
-+ skb_pull(skb_out, hdr_size);
-+ skb_out->ip_summed = CHECKSUM_NONE;
- memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
- skb_set_mac_header(skb_out, -ETH_HLEN);
- skb_reset_network_header(skb_out);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Tang Junhui <tang.junhui@zte.com.cn>
-Date: Wed, 7 Feb 2018 11:41:43 -0800
-Subject: bcache: fix for allocator and register thread race
-
-From: Tang Junhui <tang.junhui@zte.com.cn>
-
-[ Upstream commit 682811b3ce1a5a4e20d700939a9042f01dbc66c4 ]
-
-After long time running of random small IO writing,
-I reboot the machine, and after the machine power on,
-I found bcache got stuck, the stack is:
-[root@ceph153 ~]# cat /proc/2510/task/*/stack
-[<ffffffffa06b2455>] closure_sync+0x25/0x90 [bcache]
-[<ffffffffa06b6be8>] bch_journal+0x118/0x2b0 [bcache]
-[<ffffffffa06b6dc7>] bch_journal_meta+0x47/0x70 [bcache]
-[<ffffffffa06be8f7>] bch_prio_write+0x237/0x340 [bcache]
-[<ffffffffa06a8018>] bch_allocator_thread+0x3c8/0x3d0 [bcache]
-[<ffffffff810a631f>] kthread+0xcf/0xe0
-[<ffffffff8164c318>] ret_from_fork+0x58/0x90
-[<ffffffffffffffff>] 0xffffffffffffffff
-[root@ceph153 ~]# cat /proc/2038/task/*/stack
-[<ffffffffa06b1abd>] __bch_btree_map_nodes+0x12d/0x150 [bcache]
-[<ffffffffa06b1bd1>] bch_btree_insert+0xf1/0x170 [bcache]
-[<ffffffffa06b637f>] bch_journal_replay+0x13f/0x230 [bcache]
-[<ffffffffa06c75fe>] run_cache_set+0x79a/0x7c2 [bcache]
-[<ffffffffa06c0cf8>] register_bcache+0xd48/0x1310 [bcache]
-[<ffffffff812f702f>] kobj_attr_store+0xf/0x20
-[<ffffffff8125b216>] sysfs_write_file+0xc6/0x140
-[<ffffffff811dfbfd>] vfs_write+0xbd/0x1e0
-[<ffffffff811e069f>] SyS_write+0x7f/0xe0
-[<ffffffff8164c3c9>] system_call_fastpath+0x16/0x1
-The stack shows the register thread and allocator thread
-were getting stuck when registering cache device.
-
-I reboot the machine several times, the issue always
-exsit in this machine.
-
-I debug the code, and found the call trace as bellow:
-register_bcache()
- ==>run_cache_set()
- ==>bch_journal_replay()
- ==>bch_btree_insert()
- ==>__bch_btree_map_nodes()
- ==>btree_insert_fn()
- ==>btree_split() //node need split
- ==>btree_check_reserve()
-In btree_check_reserve(), It will check if there is enough buckets
-of RESERVE_BTREE type, since allocator thread did not work yet, so
-no buckets of RESERVE_BTREE type allocated, so the register thread
-waits on c->btree_cache_wait, and goes to sleep.
-
-Then the allocator thread initialized, the call trace is bellow:
-bch_allocator_thread()
-==>bch_prio_write()
- ==>bch_journal_meta()
- ==>bch_journal()
- ==>journal_wait_for_write()
-In journal_wait_for_write(), It will check if journal is full by
-journal_full(), but the long time random small IO writing
-causes the exhaustion of journal buckets(journal.blocks_free=0),
-In order to release the journal buckets,
-the allocator calls btree_flush_write() to flush keys to
-btree nodes, and waits on c->journal.wait until btree nodes writing
-over or there has already some journal buckets space, then the
-allocator thread goes to sleep. but in btree_flush_write(), since
-bch_journal_replay() is not finished, so no btree nodes have journal
-(condition "if (btree_current_write(b)->journal)" never satisfied),
-so we got no btree node to flush, no journal bucket released,
-and allocator sleep all the times.
-
-Through the above analysis, we can see that:
-1) Register thread wait for allocator thread to allocate buckets of
- RESERVE_BTREE type;
-2) Alloctor thread wait for register thread to replay journal, so it
- can flush btree nodes and get journal bucket.
- then they are all got stuck by waiting for each other.
-
-Hua Rui provided a patch for me, by allocating some buckets of
-RESERVE_BTREE type in advance, so the register thread can get bucket
-when btree node splitting and no need to waiting for the allocator
-thread. I tested it, it has effect, and register thread run a step
-forward, but finally are still got stuck, the reason is only 8 bucket
-of RESERVE_BTREE type were allocated, and in bch_journal_replay(),
-after 2 btree nodes splitting, only 4 bucket of RESERVE_BTREE type left,
-then btree_check_reserve() is not satisfied anymore, so it goes to sleep
-again, and in the same time, alloctor thread did not flush enough btree
-nodes to release a journal bucket, so they all got stuck again.
-
-So we need to allocate more buckets of RESERVE_BTREE type in advance,
-but how much is enough? By experience and test, I think it should be
-as much as journal buckets. Then I modify the code as this patch,
-and test in the machine, and it works.
-
-This patch modified base on Hua Rui’s patch, and allocate more buckets
-of RESERVE_BTREE type in advance to avoid register thread and allocate
-thread going to wait for each other.
-
-[patch v2] ca->sb.njournal_buckets would be 0 in the first time after
-cache creation, and no journal exists, so just 8 btree buckets is OK.
-
-Signed-off-by: Hua Rui <huarui.dev@gmail.com>
-Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
-Reviewed-by: Michael Lyle <mlyle@lyle.org>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/btree.c | 9 ++++++---
- drivers/md/bcache/super.c | 13 ++++++++++++-
- 2 files changed, 18 insertions(+), 4 deletions(-)
-
---- a/drivers/md/bcache/btree.c
-+++ b/drivers/md/bcache/btree.c
-@@ -1869,14 +1869,17 @@ void bch_initial_gc_finish(struct cache_
- */
- for_each_cache(ca, c, i) {
- for_each_bucket(b, ca) {
-- if (fifo_full(&ca->free[RESERVE_PRIO]))
-+ if (fifo_full(&ca->free[RESERVE_PRIO]) &&
-+ fifo_full(&ca->free[RESERVE_BTREE]))
- break;
-
- if (bch_can_invalidate_bucket(ca, b) &&
- !GC_MARK(b)) {
- __bch_invalidate_one_bucket(ca, b);
-- fifo_push(&ca->free[RESERVE_PRIO],
-- b - ca->buckets);
-+ if (!fifo_push(&ca->free[RESERVE_PRIO],
-+ b - ca->buckets))
-+ fifo_push(&ca->free[RESERVE_BTREE],
-+ b - ca->buckets);
- }
- }
- }
---- a/drivers/md/bcache/super.c
-+++ b/drivers/md/bcache/super.c
-@@ -1848,6 +1848,7 @@ void bch_cache_release(struct kobject *k
- static int cache_alloc(struct cache_sb *sb, struct cache *ca)
- {
- size_t free;
-+ size_t btree_buckets;
- struct bucket *b;
-
- __module_get(THIS_MODULE);
-@@ -1857,9 +1858,19 @@ static int cache_alloc(struct cache_sb *
- ca->journal.bio.bi_max_vecs = 8;
- ca->journal.bio.bi_io_vec = ca->journal.bio.bi_inline_vecs;
-
-+ /*
-+ * when ca->sb.njournal_buckets is not zero, journal exists,
-+ * and in bch_journal_replay(), tree node may split,
-+ * so bucket of RESERVE_BTREE type is needed,
-+ * the worst situation is all journal buckets are valid journal,
-+ * and all the keys need to replay,
-+ * so the number of RESERVE_BTREE type buckets should be as much
-+ * as journal buckets
-+ */
-+ btree_buckets = ca->sb.njournal_buckets ?: 8;
- free = roundup_pow_of_two(ca->sb.nbuckets) >> 10;
-
-- if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) ||
-+ if (!init_fifo(&ca->free[RESERVE_BTREE], btree_buckets, GFP_KERNEL) ||
- !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
- !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) ||
- !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) ||
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Tang Junhui <tang.junhui@zte.com.cn>
-Date: Wed, 7 Feb 2018 11:41:46 -0800
-Subject: bcache: fix for data collapse after re-attaching an attached device
-
-From: Tang Junhui <tang.junhui@zte.com.cn>
-
-[ Upstream commit 73ac105be390c1de42a2f21643c9778a5e002930 ]
-
-back-end device sdm has already attached a cache_set with ID
-f67ebe1f-f8bc-4d73-bfe5-9dc88607f119, then try to attach with
-another cache set, and it returns with an error:
-[root]# cd /sys/block/sdm/bcache
-[root]# echo 5ccd0a63-148e-48b8-afa2-aca9cbd6279f > attach
--bash: echo: write error: Invalid argument
-
-After that, execute a command to modify the label of bcache
-device:
-[root]# echo data_disk1 > label
-
-Then we reboot the system, when the system power on, the back-end
-device can not attach to cache_set, a messages show in the log:
-Feb 5 12:05:52 ceph152 kernel: [922385.508498] bcache:
-bch_cached_dev_attach() couldn't find uuid for sdm in set
-
-In sysfs_attach(), dc->sb.set_uuid was assigned to the value
-which input through sysfs, no matter whether it is success
-or not in bch_cached_dev_attach(). For example, If the back-end
-device has already attached to an cache set, bch_cached_dev_attach()
-would fail, but dc->sb.set_uuid was changed. Then modify the
-label of bcache device, it will call bch_write_bdev_super(),
-which would write the dc->sb.set_uuid to the super block, so we
-record a wrong cache set ID in the super block, after the system
-reboot, the cache set couldn't find the uuid of the back-end
-device, so the bcache device couldn't exist and use any more.
-
-In this patch, we don't assigned cache set ID to dc->sb.set_uuid
-in sysfs_attach() directly, but input it into bch_cached_dev_attach(),
-and assigned dc->sb.set_uuid to the cache set ID after the back-end
-device attached to the cache set successful.
-
-Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
-Reviewed-by: Michael Lyle <mlyle@lyle.org>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/bcache.h | 2 +-
- drivers/md/bcache/super.c | 10 ++++++----
- drivers/md/bcache/sysfs.c | 6 ++++--
- 3 files changed, 11 insertions(+), 7 deletions(-)
-
---- a/drivers/md/bcache/bcache.h
-+++ b/drivers/md/bcache/bcache.h
-@@ -922,7 +922,7 @@ void bcache_write_super(struct cache_set
-
- int bch_flash_dev_create(struct cache_set *c, uint64_t size);
-
--int bch_cached_dev_attach(struct cached_dev *, struct cache_set *);
-+int bch_cached_dev_attach(struct cached_dev *, struct cache_set *, uint8_t *);
- void bch_cached_dev_detach(struct cached_dev *);
- void bch_cached_dev_run(struct cached_dev *);
- void bcache_device_stop(struct bcache_device *);
---- a/drivers/md/bcache/super.c
-+++ b/drivers/md/bcache/super.c
-@@ -967,7 +967,8 @@ void bch_cached_dev_detach(struct cached
- cached_dev_put(dc);
- }
-
--int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c)
-+int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c,
-+ uint8_t *set_uuid)
- {
- uint32_t rtime = cpu_to_le32(get_seconds());
- struct uuid_entry *u;
-@@ -975,7 +976,8 @@ int bch_cached_dev_attach(struct cached_
-
- bdevname(dc->bdev, buf);
-
-- if (memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16))
-+ if ((set_uuid && memcmp(set_uuid, c->sb.set_uuid, 16)) ||
-+ (!set_uuid && memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16)))
- return -ENOENT;
-
- if (dc->disk.c) {
-@@ -1209,7 +1211,7 @@ static void register_bdev(struct cache_s
-
- list_add(&dc->list, &uncached_devices);
- list_for_each_entry(c, &bch_cache_sets, list)
-- bch_cached_dev_attach(dc, c);
-+ bch_cached_dev_attach(dc, c, NULL);
-
- if (BDEV_STATE(&dc->sb) == BDEV_STATE_NONE ||
- BDEV_STATE(&dc->sb) == BDEV_STATE_STALE)
-@@ -1729,7 +1731,7 @@ static void run_cache_set(struct cache_s
- bcache_write_super(c);
-
- list_for_each_entry_safe(dc, t, &uncached_devices, list)
-- bch_cached_dev_attach(dc, c);
-+ bch_cached_dev_attach(dc, c, NULL);
-
- flash_devs_run(c);
-
---- a/drivers/md/bcache/sysfs.c
-+++ b/drivers/md/bcache/sysfs.c
-@@ -263,11 +263,13 @@ STORE(__cached_dev)
- }
-
- if (attr == &sysfs_attach) {
-- if (bch_parse_uuid(buf, dc->sb.set_uuid) < 16)
-+ uint8_t set_uuid[16];
-+
-+ if (bch_parse_uuid(buf, set_uuid) < 16)
- return -EINVAL;
-
- list_for_each_entry(c, &bch_cache_sets, list) {
-- v = bch_cached_dev_attach(dc, c);
-+ v = bch_cached_dev_attach(dc, c, set_uuid);
- if (!v)
- return size;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Tang Junhui <tang.junhui@zte.com.cn>
-Date: Tue, 27 Feb 2018 09:49:30 -0800
-Subject: bcache: fix kcrashes with fio in RAID5 backend dev
-
-From: Tang Junhui <tang.junhui@zte.com.cn>
-
-[ Upstream commit 60eb34ec5526e264c2bbaea4f7512d714d791caf ]
-
-Kernel crashed when run fio in a RAID5 backend bcache device, the call
-trace is bellow:
-[ 440.012034] kernel BUG at block/blk-ioc.c:146!
-[ 440.012696] invalid opcode: 0000 [#1] SMP NOPTI
-[ 440.026537] CPU: 2 PID: 2205 Comm: md127_raid5 Not tainted 4.15.0 #8
-[ 440.027441] Hardware name: HP ProLiant MicroServer Gen8, BIOS J06 07/16
-/2015
-[ 440.028615] RIP: 0010:put_io_context+0x8b/0x90
-[ 440.029246] RSP: 0018:ffffa8c882b43af8 EFLAGS: 00010246
-[ 440.029990] RAX: 0000000000000000 RBX: ffffa8c88294fca0 RCX: 0000000000
-0f4240
-[ 440.031006] RDX: 0000000000000004 RSI: 0000000000000286 RDI: ffffa8c882
-94fca0
-[ 440.032030] RBP: ffffa8c882b43b10 R08: 0000000000000003 R09: ffff949cb8
-0c1700
-[ 440.033206] R10: 0000000000000104 R11: 000000000000b71c R12: 00000000000
-01000
-[ 440.034222] R13: 0000000000000000 R14: ffff949cad84db70 R15: ffff949cb11
-bd1e0
-[ 440.035239] FS: 0000000000000000(0000) GS:ffff949cba280000(0000) knlGS:
-0000000000000000
-[ 440.060190] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[ 440.084967] CR2: 00007ff0493ef000 CR3: 00000002f1e0a002 CR4: 00000000001
-606e0
-[ 440.110498] Call Trace:
-[ 440.135443] bio_disassociate_task+0x1b/0x60
-[ 440.160355] bio_free+0x1b/0x60
-[ 440.184666] bio_put+0x23/0x30
-[ 440.208272] search_free+0x23/0x40 [bcache]
-[ 440.231448] cached_dev_write_complete+0x31/0x70 [bcache]
-[ 440.254468] closure_put+0xb6/0xd0 [bcache]
-[ 440.277087] request_endio+0x30/0x40 [bcache]
-[ 440.298703] bio_endio+0xa1/0x120
-[ 440.319644] handle_stripe+0x418/0x2270 [raid456]
-[ 440.340614] ? load_balance+0x17b/0x9c0
-[ 440.360506] handle_active_stripes.isra.58+0x387/0x5a0 [raid456]
-[ 440.380675] ? __release_stripe+0x15/0x20 [raid456]
-[ 440.400132] raid5d+0x3ed/0x5d0 [raid456]
-[ 440.419193] ? schedule+0x36/0x80
-[ 440.437932] ? schedule_timeout+0x1d2/0x2f0
-[ 440.456136] md_thread+0x122/0x150
-[ 440.473687] ? wait_woken+0x80/0x80
-[ 440.491411] kthread+0x102/0x140
-[ 440.508636] ? find_pers+0x70/0x70
-[ 440.524927] ? kthread_associate_blkcg+0xa0/0xa0
-[ 440.541791] ret_from_fork+0x35/0x40
-[ 440.558020] Code: c2 48 00 5b 41 5c 41 5d 5d c3 48 89 c6 4c 89 e7 e8 bb c2
-48 00 48 8b 3d bc 36 4b 01 48 89 de e8 7c f7 e0 ff 5b 41 5c 41 5d 5d c3 <0f> 0b
-0f 1f 00 0f 1f 44 00 00 55 48 8d 47 b8 48 89 e5 41 57 41
-[ 440.610020] RIP: put_io_context+0x8b/0x90 RSP: ffffa8c882b43af8
-[ 440.628575] ---[ end trace a1fd79d85643a73e ]--
-
-All the crash issue happened when a bypass IO coming, in such scenario
-s->iop.bio is pointed to the s->orig_bio. In search_free(), it finishes the
-s->orig_bio by calling bio_complete(), and after that, s->iop.bio became
-invalid, then kernel would crash when calling bio_put(). Maybe its upper
-layer's faulty, since bio should not be freed before we calling bio_put(),
-but we'd better calling bio_put() first before calling bio_complete() to
-notify upper layer ending this bio.
-
-This patch moves bio_complete() under bio_put() to avoid kernel crash.
-
-[mlyle: fixed commit subject for character limits]
-
-Reported-by: Matthias Ferdinand <bcache@mfedv.net>
-Tested-by: Matthias Ferdinand <bcache@mfedv.net>
-Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
-Reviewed-by: Michael Lyle <mlyle@lyle.org>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/request.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/md/bcache/request.c
-+++ b/drivers/md/bcache/request.c
-@@ -631,11 +631,11 @@ static void do_bio_hook(struct search *s
- static void search_free(struct closure *cl)
- {
- struct search *s = container_of(cl, struct search, cl);
-- bio_complete(s);
-
- if (s->iop.bio)
- bio_put(s->iop.bio);
-
-+ bio_complete(s);
- closure_debug_destroy(cl);
- mempool_free(s, s->d->c->search);
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Coly Li <colyli@suse.de>
-Date: Wed, 7 Feb 2018 11:41:41 -0800
-Subject: bcache: properly set task state in bch_writeback_thread()
-
-From: Coly Li <colyli@suse.de>
-
-[ Upstream commit 99361bbf26337186f02561109c17a4c4b1a7536a ]
-
-Kernel thread routine bch_writeback_thread() has the following code block,
-
-447 down_write(&dc->writeback_lock);
-448~450 if (check conditions) {
-451 up_write(&dc->writeback_lock);
-452 set_current_state(TASK_INTERRUPTIBLE);
-453
-454 if (kthread_should_stop())
-455 return 0;
-456
-457 schedule();
-458 continue;
-459 }
-
-If condition check is true, its task state is set to TASK_INTERRUPTIBLE
-and call schedule() to wait for others to wake up it.
-
-There are 2 issues in current code,
-1, Task state is set to TASK_INTERRUPTIBLE after the condition checks, if
- another process changes the condition and call wake_up_process(dc->
- writeback_thread), then at line 452 task state is set back to
- TASK_INTERRUPTIBLE, the writeback kernel thread will lose a chance to be
- waken up.
-2, At line 454 if kthread_should_stop() is true, writeback kernel thread
- will return to kernel/kthread.c:kthread() with TASK_INTERRUPTIBLE and
- call do_exit(). It is not good to enter do_exit() with task state
- TASK_INTERRUPTIBLE, in following code path might_sleep() is called and a
- warning message is reported by __might_sleep(): "WARNING: do not call
- blocking ops when !TASK_RUNNING; state=1 set at [xxxx]".
-
-For the first issue, task state should be set before condition checks.
-Ineed because dc->writeback_lock is required when modifying all the
-conditions, calling set_current_state() inside code block where dc->
-writeback_lock is hold is safe. But this is quite implicit, so I still move
-set_current_state() before all the condition checks.
-
-For the second issue, frankley speaking it does not hurt when kernel thread
-exits with TASK_INTERRUPTIBLE state, but this warning message scares users,
-makes them feel there might be something risky with bcache and hurt their
-data. Setting task state to TASK_RUNNING before returning fixes this
-problem.
-
-In alloc.c:allocator_wait(), there is also a similar issue, and is also
-fixed in this patch.
-
-Changelog:
-v3: merge two similar fixes into one patch
-v2: fix the race issue in v1 patch.
-v1: initial buggy fix.
-
-Signed-off-by: Coly Li <colyli@suse.de>
-Reviewed-by: Hannes Reinecke <hare@suse.de>
-Reviewed-by: Michael Lyle <mlyle@lyle.org>
-Cc: Michael Lyle <mlyle@lyle.org>
-Cc: Junhui Tang <tang.junhui@zte.com.cn>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/alloc.c | 4 +++-
- drivers/md/bcache/writeback.c | 7 +++++--
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
---- a/drivers/md/bcache/alloc.c
-+++ b/drivers/md/bcache/alloc.c
-@@ -285,8 +285,10 @@ do { \
- break; \
- \
- mutex_unlock(&(ca)->set->bucket_lock); \
-- if (kthread_should_stop()) \
-+ if (kthread_should_stop()) { \
-+ set_current_state(TASK_RUNNING); \
- return 0; \
-+ } \
- \
- try_to_freeze(); \
- schedule(); \
---- a/drivers/md/bcache/writeback.c
-+++ b/drivers/md/bcache/writeback.c
-@@ -425,19 +425,22 @@ static int bch_writeback_thread(void *ar
-
- while (!kthread_should_stop()) {
- down_write(&dc->writeback_lock);
-+ set_current_state(TASK_INTERRUPTIBLE);
- if (!atomic_read(&dc->has_dirty) ||
- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
- !dc->writeback_running)) {
- up_write(&dc->writeback_lock);
-- set_current_state(TASK_INTERRUPTIBLE);
-
-- if (kthread_should_stop())
-+ if (kthread_should_stop()) {
-+ set_current_state(TASK_RUNNING);
- return 0;
-+ }
-
- try_to_freeze();
- schedule();
- continue;
- }
-+ set_current_state(TASK_RUNNING);
-
- searched_full_index = refill_dirty(dc);
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Coly Li <colyli@suse.de>
-Date: Sun, 18 Mar 2018 17:36:15 -0700
-Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set
-
-From: Coly Li <colyli@suse.de>
-
-[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ]
-
-In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()",
-cached_dev_get() is called when creating dc->writeback_thread, and
-cached_dev_put() is called when exiting dc->writeback_thread. This
-modification works well unless people detach the bcache device manually by
- 'echo 1 > /sys/block/bcache<N>/bcache/detach'
-Because this sysfs interface only calls bch_cached_dev_detach() which wakes
-up dc->writeback_thread but does not stop it. The reason is, before patch
-"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside
-bch_writeback_thread(), if cache is not dirty after writeback,
-cached_dev_put() will be called here. And in cached_dev_make_request() when
-a new write request makes cache from clean to dirty, cached_dev_get() will
-be called there. Since we don't operate dc->count in these locations,
-refcount d->count cannot be dropped after cache becomes clean, and
-cached_dev_detach_finish() won't be called to detach bcache device.
-
-This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is
-set inside bch_writeback_thread(). If this bit is set and cache is clean
-(no existing writeback_keys), break the while-loop, call cached_dev_put()
-and quit the writeback thread.
-
-Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the
-writeback thread should continue to perform writeback, this is the original
-design of manually detach.
-
-It is safe to do the following check without locking, let me explain why,
-+ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
-+ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
-
-If the kenrel thread does not sleep and continue to run due to conditions
-are not updated in time on the running CPU core, it just consumes more CPU
-cycles and has no hurt. This should-sleep-but-run is safe here. We just
-focus on the should-run-but-sleep condition, which means the writeback
-thread goes to sleep in mistake while it should continue to run.
-1, First of all, no matter the writeback thread is hung or not,
- kthread_stop() from cached_dev_detach_finish() will wake up it and
- terminate by making kthread_should_stop() return true. And in normal
- run time, bit on index BCACHE_DEV_DETACHING is always cleared, the
- condition
- !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)
- is always true and can be ignored as constant value.
-2, If one of the following conditions is true, the writeback thread should
- go to sleep,
- "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)"
- each of them independently controls the writeback thread should sleep or
- not, let's analyse them one by one.
-2.1 condition "!atomic_read(&dc->has_dirty)"
- If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will
- call bch_writeback_queue() immediately or call bch_writeback_add() which
- indirectly calls bch_writeback_queue() too. In bch_writeback_queue(),
- wake_up_process(dc->writeback_thread) is called. It sets writeback
- thread's task state to TASK_RUNNING and following an implicit memory
- barrier, then tries to wake up the writeback thread.
- In writeback thread, its task state is set to TASK_INTERRUPTIBLE before
- doing the condition check. If other CPU core sets the TASK_RUNNING state
- after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread
- will be scheduled to run very soon because its state is not
- TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before
- writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier
- of wake_up_process() will make sure modification of dc->has_dirty on
- other CPU core is updated and observed on the CPU core of writeback
- thread. Therefore the condition check will correctly be false, and
- continue writeback code without sleeping.
-2.2 condition "!dc->writeback_running)"
- dc->writeback_running can be changed via sysfs file, every time it is
- modified, a following bch_writeback_queue() is alwasy called. So the
- change is always observed on the CPU core of writeback thread. If
- dc->writeback_running is changed from 0 to 1 on other CPU core, this
- condition check will observe the modification and allow writeback
- thread to continue to run without sleeping.
-Now we can see, even without a locking protection, multiple conditions
-check is safe here, no deadlock or process hang up will happen.
-
-I compose a separte patch because that patch "bcache: fix cached_dev->count
-usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes
-Reinecke. Also this fix is not trivial and good for a separate patch.
-
-Signed-off-by: Coly Li <colyli@suse.de>
-Reviewed-by: Michael Lyle <mlyle@lyle.org>
-Cc: Hannes Reinecke <hare@suse.com>
-Cc: Huijun Tang <tang.junhui@zte.com.cn>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/writeback.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
---- a/drivers/md/bcache/writeback.c
-+++ b/drivers/md/bcache/writeback.c
-@@ -426,9 +426,15 @@ static int bch_writeback_thread(void *ar
- while (!kthread_should_stop()) {
- down_write(&dc->writeback_lock);
- set_current_state(TASK_INTERRUPTIBLE);
-- if (!atomic_read(&dc->has_dirty) ||
-- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
-- !dc->writeback_running)) {
-+ /*
-+ * If the bache device is detaching, skip here and continue
-+ * to perform writeback. Otherwise, if no dirty data on cache,
-+ * or there is dirty data on cache but writeback is disabled,
-+ * the writeback thread should sleep here and wait for others
-+ * to wake up it.
-+ */
-+ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
-+ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
- up_write(&dc->writeback_lock);
-
- if (kthread_should_stop()) {
-@@ -450,6 +456,14 @@ static int bch_writeback_thread(void *ar
- cached_dev_put(dc);
- SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN);
- bch_write_bdev_super(dc, NULL);
-+ /*
-+ * If bcache device is detaching via sysfs interface,
-+ * writeback thread should stop after there is no dirty
-+ * data on cache. BCACHE_DEV_DETACHING flag is set in
-+ * bch_cached_dev_detach().
-+ */
-+ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
-+ break;
- }
-
- up_write(&dc->writeback_lock);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Tang Junhui <tang.junhui@zte.com.cn>
-Date: Wed, 7 Feb 2018 11:41:45 -0800
-Subject: bcache: return attach error when no cache set exist
-
-From: Tang Junhui <tang.junhui@zte.com.cn>
-
-[ Upstream commit 7f4fc93d4713394ee8f1cd44c238e046e11b4f15 ]
-
-I attach a back-end device to a cache set, and the cache set is not
-registered yet, this back-end device did not attach successfully, and no
-error returned:
-[root]# echo 87859280-fec6-4bcc-20df7ca8f86b > /sys/block/sde/bcache/attach
-[root]#
-
-In sysfs_attach(), the return value "v" is initialized to "size" in
-the beginning, and if no cache set exist in bch_cache_sets, the "v" value
-would not change any more, and return to sysfs, sysfs regard it as success
-since the "size" is a positive number.
-
-This patch fixes this issue by assigning "v" with "-ENOENT" in the
-initialization.
-
-Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
-Reviewed-by: Michael Lyle <mlyle@lyle.org>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/sysfs.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/drivers/md/bcache/sysfs.c
-+++ b/drivers/md/bcache/sysfs.c
-@@ -191,7 +191,7 @@ STORE(__cached_dev)
- {
- struct cached_dev *dc = container_of(kobj, struct cached_dev,
- disk.kobj);
-- ssize_t v = size;
-+ ssize_t v;
- struct cache_set *c;
- struct kobj_uevent_env *env;
-
-@@ -268,6 +268,7 @@ STORE(__cached_dev)
- if (bch_parse_uuid(buf, set_uuid) < 16)
- return -EINVAL;
-
-+ v = -ENOENT;
- list_for_each_entry(c, &bch_cache_sets, list) {
- v = bch_cached_dev_attach(dc, c, set_uuid);
- if (!v)
-@@ -275,7 +276,7 @@ STORE(__cached_dev)
- }
-
- pr_err("Can't attach %s: cache set not found", buf);
-- size = v;
-+ return v;
- }
-
- if (attr == &sysfs_detach && dc->disk.c)
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Liu Bo <bo.liu@linux.alibaba.com>
-Date: Tue, 3 Apr 2018 01:59:48 +0800
-Subject: Btrfs: bail out on error during replay_dir_deletes
-
-From: Liu Bo <bo.liu@linux.alibaba.com>
-
-[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ]
-
-If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs
-to bail out, otherwise @ret would be forced to be 0 after 'break;' and
-the caller won't be aware of it.
-
-Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
-Reviewed-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/tree-log.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/fs/btrfs/tree-log.c
-+++ b/fs/btrfs/tree-log.c
-@@ -1983,8 +1983,10 @@ again:
- nritems = btrfs_header_nritems(path->nodes[0]);
- if (path->slots[0] >= nritems) {
- ret = btrfs_next_leaf(root, path);
-- if (ret)
-+ if (ret == 1)
- break;
-+ else if (ret < 0)
-+ goto out;
- }
- btrfs_item_key_to_cpu(path->nodes[0], &found_key,
- path->slots[0]);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Filipe Manana <fdmanana@suse.com>
-Date: Mon, 26 Mar 2018 23:59:12 +0100
-Subject: Btrfs: fix copy_items() return value when logging an inode
-
-From: Filipe Manana <fdmanana@suse.com>
-
-[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ]
-
-When logging an inode, at tree-log.c:copy_items(), if we call
-btrfs_next_leaf() at the loop which checks for the need to log holes, we
-need to make sure copy_items() returns the value 1 to its caller and
-not 0 (on success). This is because the path the caller passed was
-released and is now different from what is was before, and the caller
-expects a return value of 0 to mean both success and that the path
-has not changed, while a return value of 1 means both success and
-signals the caller that it can not reuse the path, it has to perform
-another tree search.
-
-Even though this is a case that should not be triggered on normal
-circumstances or very rare at least, its consequences can be very
-unpredictable (especially when replaying a log tree).
-
-Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents")
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/tree-log.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/fs/btrfs/tree-log.c
-+++ b/fs/btrfs/tree-log.c
-@@ -3539,6 +3539,7 @@ fill_holes:
- ASSERT(ret == 0);
- src = src_path->nodes[0];
- i = 0;
-+ need_find_last_extent = true;
- }
-
- btrfs_item_key_to_cpu(src, &key, i);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Jeff Mahoney <jeffm@suse.com>
-Date: Fri, 16 Mar 2018 14:36:27 -0400
-Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers
-
-From: Jeff Mahoney <jeffm@suse.com>
-
-[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ]
-
-While running btrfs/011, I hit the following lockdep splat.
-
-This is the important bit:
- pcpu_alloc+0x1ac/0x5e0
- __percpu_counter_init+0x4e/0xb0
- btrfs_init_fs_root+0x99/0x1c0 [btrfs]
- btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
- resolve_indirect_refs+0x130/0x830 [btrfs]
- find_parent_nodes+0x69e/0xff0 [btrfs]
- btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
- btrfs_find_all_roots+0x50/0x70 [btrfs]
- btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
- btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
-
-The percpu_counter_init call in btrfs_alloc_subvolume_writers
-uses GFP_KERNEL, which we can't do during transaction commit.
-
-This switches it to GFP_NOFS.
-
-========================================================
-WARNING: possible irq lock inversion dependency detected
-4.12.14-kvmsmall #8 Tainted: G W
---------------------------------------------------------
-kswapd0/50 just changed the state of lock:
- (&delayed_node->mutex){+.+.-.}, at: [<ffffffffc06994fa>] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
-but this lock took another, RECLAIM_FS-unsafe lock in the past:
- (pcpu_alloc_mutex){+.+.+.}
-
-and interrupts could create inverse lock ordering between them.
-
-other info that might help us debug this:
-Chain exists of:
- &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex
-
- Possible interrupt unsafe locking scenario:
-
- CPU0 CPU1
- ---- ----
- lock(pcpu_alloc_mutex);
- local_irq_disable();
- lock(&delayed_node->mutex);
- lock(&found->groups_sem);
- <Interrupt>
- lock(&delayed_node->mutex);
-
- *** DEADLOCK ***
-
-2 locks held by kswapd0/50:
- #0: (shrinker_rwsem){++++..}, at: [<ffffffff811dc11f>] shrink_slab+0x7f/0x5b0
- #1: (&type->s_umount_key#30){+++++.}, at: [<ffffffff8126dec6>] trylock_super+0x16/0x50
-
-the shortest dependencies between 2nd lock and 1st lock:
- -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 {
- HARDIRQ-ON-W at:
- __mutex_lock+0x4e/0x8c0
- pcpu_alloc+0x1ac/0x5e0
- alloc_kmem_cache_cpus.isra.70+0x25/0xa0
- __do_tune_cpucache+0x2c/0x220
- do_tune_cpucache+0x26/0xc0
- enable_cpucache+0x6d/0xf0
- kmem_cache_init_late+0x42/0x75
- start_kernel+0x343/0x4cb
- x86_64_start_kernel+0x127/0x134
- secondary_startup_64+0xa5/0xb0
- SOFTIRQ-ON-W at:
- __mutex_lock+0x4e/0x8c0
- pcpu_alloc+0x1ac/0x5e0
- alloc_kmem_cache_cpus.isra.70+0x25/0xa0
- __do_tune_cpucache+0x2c/0x220
- do_tune_cpucache+0x26/0xc0
- enable_cpucache+0x6d/0xf0
- kmem_cache_init_late+0x42/0x75
- start_kernel+0x343/0x4cb
- x86_64_start_kernel+0x127/0x134
- secondary_startup_64+0xa5/0xb0
- RECLAIM_FS-ON-W at:
- __kmalloc+0x47/0x310
- pcpu_extend_area_map+0x2b/0xc0
- pcpu_alloc+0x3ec/0x5e0
- alloc_kmem_cache_cpus.isra.70+0x25/0xa0
- __do_tune_cpucache+0x2c/0x220
- do_tune_cpucache+0x26/0xc0
- enable_cpucache+0x6d/0xf0
- __kmem_cache_create+0x1bf/0x390
- create_cache+0xba/0x1b0
- kmem_cache_create+0x1f8/0x2b0
- ksm_init+0x6f/0x19d
- do_one_initcall+0x50/0x1b0
- kernel_init_freeable+0x201/0x289
- kernel_init+0xa/0x100
- ret_from_fork+0x3a/0x50
- INITIAL USE at:
- __mutex_lock+0x4e/0x8c0
- pcpu_alloc+0x1ac/0x5e0
- alloc_kmem_cache_cpus.isra.70+0x25/0xa0
- setup_cpu_cache+0x2f/0x1f0
- __kmem_cache_create+0x1bf/0x390
- create_boot_cache+0x8b/0xb1
- kmem_cache_init+0xa1/0x19e
- start_kernel+0x270/0x4cb
- x86_64_start_kernel+0x127/0x134
- secondary_startup_64+0xa5/0xb0
- }
- ... key at: [<ffffffff821d8e70>] pcpu_alloc_mutex+0x70/0xa0
- ... acquired at:
- pcpu_alloc+0x1ac/0x5e0
- __percpu_counter_init+0x4e/0xb0
- btrfs_init_fs_root+0x99/0x1c0 [btrfs]
- btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs]
- resolve_indirect_refs+0x130/0x830 [btrfs]
- find_parent_nodes+0x69e/0xff0 [btrfs]
- btrfs_find_all_roots_safe+0xa0/0x110 [btrfs]
- btrfs_find_all_roots+0x50/0x70 [btrfs]
- btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs]
- btrfs_commit_transaction+0x3ce/0x9b0 [btrfs]
- transaction_kthread+0x176/0x1b0 [btrfs]
- kthread+0x102/0x140
- ret_from_fork+0x3a/0x50
-
- -> (&fs_info->commit_root_sem){++++..} ops: 1566382 {
- HARDIRQ-ON-W at:
- down_write+0x3e/0xa0
- cache_block_group+0x287/0x420 [btrfs]
- find_free_extent+0x106c/0x12d0 [btrfs]
- btrfs_reserve_extent+0xd8/0x170 [btrfs]
- cow_file_range.isra.66+0x133/0x470 [btrfs]
- run_delalloc_range+0x121/0x410 [btrfs]
- writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
- __extent_writepage+0x19a/0x360 [btrfs]
- extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
- extent_writepages+0x4d/0x60 [btrfs]
- do_writepages+0x1a/0x70
- __filemap_fdatawrite_range+0xa7/0xe0
- btrfs_rename+0x5ee/0xdb0 [btrfs]
- vfs_rename+0x52a/0x7e0
- SyS_rename+0x351/0x3b0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- HARDIRQ-ON-R at:
- down_read+0x35/0x90
- caching_thread+0x57/0x560 [btrfs]
- normal_work_helper+0x1c0/0x5e0 [btrfs]
- process_one_work+0x1e0/0x5c0
- worker_thread+0x44/0x390
- kthread+0x102/0x140
- ret_from_fork+0x3a/0x50
- SOFTIRQ-ON-W at:
- down_write+0x3e/0xa0
- cache_block_group+0x287/0x420 [btrfs]
- find_free_extent+0x106c/0x12d0 [btrfs]
- btrfs_reserve_extent+0xd8/0x170 [btrfs]
- cow_file_range.isra.66+0x133/0x470 [btrfs]
- run_delalloc_range+0x121/0x410 [btrfs]
- writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
- __extent_writepage+0x19a/0x360 [btrfs]
- extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
- extent_writepages+0x4d/0x60 [btrfs]
- do_writepages+0x1a/0x70
- __filemap_fdatawrite_range+0xa7/0xe0
- btrfs_rename+0x5ee/0xdb0 [btrfs]
- vfs_rename+0x52a/0x7e0
- SyS_rename+0x351/0x3b0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- SOFTIRQ-ON-R at:
- down_read+0x35/0x90
- caching_thread+0x57/0x560 [btrfs]
- normal_work_helper+0x1c0/0x5e0 [btrfs]
- process_one_work+0x1e0/0x5c0
- worker_thread+0x44/0x390
- kthread+0x102/0x140
- ret_from_fork+0x3a/0x50
- INITIAL USE at:
- down_write+0x3e/0xa0
- cache_block_group+0x287/0x420 [btrfs]
- find_free_extent+0x106c/0x12d0 [btrfs]
- btrfs_reserve_extent+0xd8/0x170 [btrfs]
- cow_file_range.isra.66+0x133/0x470 [btrfs]
- run_delalloc_range+0x121/0x410 [btrfs]
- writepage_delalloc.isra.50+0xfe/0x180 [btrfs]
- __extent_writepage+0x19a/0x360 [btrfs]
- extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs]
- extent_writepages+0x4d/0x60 [btrfs]
- do_writepages+0x1a/0x70
- __filemap_fdatawrite_range+0xa7/0xe0
- btrfs_rename+0x5ee/0xdb0 [btrfs]
- vfs_rename+0x52a/0x7e0
- SyS_rename+0x351/0x3b0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- }
- ... key at: [<ffffffffc0729578>] __key.61970+0x0/0xfffffffffff9aa88 [btrfs]
- ... acquired at:
- cache_block_group+0x287/0x420 [btrfs]
- find_free_extent+0x106c/0x12d0 [btrfs]
- btrfs_reserve_extent+0xd8/0x170 [btrfs]
- btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
- btrfs_create_tree+0xbb/0x2a0 [btrfs]
- btrfs_create_uuid_tree+0x37/0x140 [btrfs]
- open_ctree+0x23c0/0x2660 [btrfs]
- btrfs_mount+0xd36/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- btrfs_mount+0x18c/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- do_mount+0x1c1/0xcc0
- SyS_mount+0x7e/0xd0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
-
- -> (&found->groups_sem){++++..} ops: 2134587 {
- HARDIRQ-ON-W at:
- down_write+0x3e/0xa0
- __link_block_group+0x34/0x130 [btrfs]
- btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
- open_ctree+0x2054/0x2660 [btrfs]
- btrfs_mount+0xd36/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- btrfs_mount+0x18c/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- do_mount+0x1c1/0xcc0
- SyS_mount+0x7e/0xd0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- HARDIRQ-ON-R at:
- down_read+0x35/0x90
- btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
- open_ctree+0x207b/0x2660 [btrfs]
- btrfs_mount+0xd36/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- btrfs_mount+0x18c/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- do_mount+0x1c1/0xcc0
- SyS_mount+0x7e/0xd0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- SOFTIRQ-ON-W at:
- down_write+0x3e/0xa0
- __link_block_group+0x34/0x130 [btrfs]
- btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
- open_ctree+0x2054/0x2660 [btrfs]
- btrfs_mount+0xd36/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- btrfs_mount+0x18c/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- do_mount+0x1c1/0xcc0
- SyS_mount+0x7e/0xd0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- SOFTIRQ-ON-R at:
- down_read+0x35/0x90
- btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs]
- open_ctree+0x207b/0x2660 [btrfs]
- btrfs_mount+0xd36/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- btrfs_mount+0x18c/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- do_mount+0x1c1/0xcc0
- SyS_mount+0x7e/0xd0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- INITIAL USE at:
- down_write+0x3e/0xa0
- __link_block_group+0x34/0x130 [btrfs]
- btrfs_read_block_groups+0x33d/0x7b0 [btrfs]
- open_ctree+0x2054/0x2660 [btrfs]
- btrfs_mount+0xd36/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- btrfs_mount+0x18c/0xf90 [btrfs]
- mount_fs+0x3a/0x160
- vfs_kern_mount+0x66/0x150
- do_mount+0x1c1/0xcc0
- SyS_mount+0x7e/0xd0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- }
- ... key at: [<ffffffffc0729488>] __key.59101+0x0/0xfffffffffff9ab78 [btrfs]
- ... acquired at:
- find_free_extent+0xcb4/0x12d0 [btrfs]
- btrfs_reserve_extent+0xd8/0x170 [btrfs]
- btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs]
- __btrfs_cow_block+0x110/0x5b0 [btrfs]
- btrfs_cow_block+0xd7/0x290 [btrfs]
- btrfs_search_slot+0x1f6/0x960 [btrfs]
- btrfs_lookup_inode+0x2a/0x90 [btrfs]
- __btrfs_update_delayed_inode+0x65/0x210 [btrfs]
- btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs]
- btrfs_evict_inode+0x3fe/0x6a0 [btrfs]
- evict+0xc4/0x190
- __dentry_kill+0xbf/0x170
- dput+0x2ae/0x2f0
- SyS_rename+0x2a6/0x3b0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
-
--> (&delayed_node->mutex){+.+.-.} ops: 5580204 {
- HARDIRQ-ON-W at:
- __mutex_lock+0x4e/0x8c0
- btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
- btrfs_update_inode+0x83/0x110 [btrfs]
- btrfs_dirty_inode+0x62/0xe0 [btrfs]
- touch_atime+0x8c/0xb0
- do_generic_file_read+0x818/0xb10
- __vfs_read+0xdc/0x150
- vfs_read+0x8a/0x130
- SyS_read+0x45/0xa0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- SOFTIRQ-ON-W at:
- __mutex_lock+0x4e/0x8c0
- btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
- btrfs_update_inode+0x83/0x110 [btrfs]
- btrfs_dirty_inode+0x62/0xe0 [btrfs]
- touch_atime+0x8c/0xb0
- do_generic_file_read+0x818/0xb10
- __vfs_read+0xdc/0x150
- vfs_read+0x8a/0x130
- SyS_read+0x45/0xa0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- IN-RECLAIM_FS-W at:
- __mutex_lock+0x4e/0x8c0
- __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
- btrfs_evict_inode+0x22c/0x6a0 [btrfs]
- evict+0xc4/0x190
- dispose_list+0x35/0x50
- prune_icache_sb+0x42/0x50
- super_cache_scan+0x139/0x190
- shrink_slab+0x262/0x5b0
- shrink_node+0x2eb/0x2f0
- kswapd+0x2eb/0x890
- kthread+0x102/0x140
- ret_from_fork+0x3a/0x50
- INITIAL USE at:
- __mutex_lock+0x4e/0x8c0
- btrfs_delayed_update_inode+0x46/0x6e0 [btrfs]
- btrfs_update_inode+0x83/0x110 [btrfs]
- btrfs_dirty_inode+0x62/0xe0 [btrfs]
- touch_atime+0x8c/0xb0
- do_generic_file_read+0x818/0xb10
- __vfs_read+0xdc/0x150
- vfs_read+0x8a/0x130
- SyS_read+0x45/0xa0
- do_syscall_64+0x79/0x1e0
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
- }
- ... key at: [<ffffffffc072d488>] __key.56935+0x0/0xfffffffffff96b78 [btrfs]
- ... acquired at:
- __lock_acquire+0x264/0x11c0
- lock_acquire+0xbd/0x1e0
- __mutex_lock+0x4e/0x8c0
- __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
- btrfs_evict_inode+0x22c/0x6a0 [btrfs]
- evict+0xc4/0x190
- dispose_list+0x35/0x50
- prune_icache_sb+0x42/0x50
- super_cache_scan+0x139/0x190
- shrink_slab+0x262/0x5b0
- shrink_node+0x2eb/0x2f0
- kswapd+0x2eb/0x890
- kthread+0x102/0x140
- ret_from_fork+0x3a/0x50
-
-stack backtrace:
-CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased)
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
-Call Trace:
- dump_stack+0x78/0xb7
- print_irq_inversion_bug.part.38+0x19f/0x1aa
- check_usage_forwards+0x102/0x120
- ? ret_from_fork+0x3a/0x50
- ? check_usage_backwards+0x110/0x110
- mark_lock+0x16c/0x270
- __lock_acquire+0x264/0x11c0
- ? pagevec_lookup_entries+0x1a/0x30
- ? truncate_inode_pages_range+0x2b3/0x7f0
- lock_acquire+0xbd/0x1e0
- ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
- __mutex_lock+0x4e/0x8c0
- ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
- ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
- ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs]
- __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs]
- btrfs_evict_inode+0x22c/0x6a0 [btrfs]
- evict+0xc4/0x190
- dispose_list+0x35/0x50
- prune_icache_sb+0x42/0x50
- super_cache_scan+0x139/0x190
- shrink_slab+0x262/0x5b0
- shrink_node+0x2eb/0x2f0
- kswapd+0x2eb/0x890
- kthread+0x102/0x140
- ? mem_cgroup_shrink_node+0x2c0/0x2c0
- ? kthread_create_on_node+0x40/0x40
- ret_from_fork+0x3a/0x50
-
-Signed-off-by: Jeff Mahoney <jeffm@suse.com>
-Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/disk-io.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/btrfs/disk-io.c
-+++ b/fs/btrfs/disk-io.c
-@@ -1194,7 +1194,7 @@ static struct btrfs_subvolume_writers *b
- if (!writers)
- return ERR_PTR(-ENOMEM);
-
-- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL);
-+ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS);
- if (ret < 0) {
- kfree(writers);
- return ERR_PTR(ret);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Liu Bo <bo.liu@linux.alibaba.com>
-Date: Tue, 3 Apr 2018 01:59:47 +0800
-Subject: Btrfs: fix NULL pointer dereference in log_dir_items
-
-From: Liu Bo <bo.liu@linux.alibaba.com>
-
-[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ]
-
-0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
-returned, path->nodes[0] could be NULL, log_dir_items lacks such a
-check for <0 and we may run into a null pointer dereference panic.
-
-Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
-Reviewed-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/tree-log.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/fs/btrfs/tree-log.c
-+++ b/fs/btrfs/tree-log.c
-@@ -3085,8 +3085,11 @@ static noinline int log_dir_items(struct
- * from this directory and from this transaction
- */
- ret = btrfs_next_leaf(root, path);
-- if (ret == 1) {
-- last_offset = (u64)-1;
-+ if (ret) {
-+ if (ret == 1)
-+ last_offset = (u64)-1;
-+ else
-+ err = ret;
- goto done;
- }
- btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Nikolay Borisov <nborisov@suse.com>
-Date: Tue, 12 Dec 2017 11:14:49 +0200
-Subject: btrfs: Fix out of bounds access in btrfs_search_slot
-
-From: Nikolay Borisov <nborisov@suse.com>
-
-[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]
-
-When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then
-the level variable is going to be 7 (this is the max height of the
-tree). On the other hand btrfs_cow_block is always called with
-"level + 1" as an index into the nodes and slots arrays. This leads to
-an out of bounds access. Admittdely this will be benign since an OOB
-access of the nodes array will likely read the 0th element from the
-slots array, which in this case is going to be 0 (since we start CoW at
-the top of the tree). The OOB access into the slots array in turn will
-read the 0th and 1st values of the locks array, which would both be 0
-at the time. However, this benign behavior relies on the fact that the
-path being passed hasn't been initialised, if it has already been used to
-query a btree then it could potentially have populated the nodes/slots arrays.
-
-Fix it by explicitly checking if we are at level 7 (the maximum allowed
-index in nodes/slots arrays) and explicitly call the CoW routine with
-NULL for parent's node/slot.
-
-Signed-off-by: Nikolay Borisov <nborisov@suse.com>
-Fixes-coverity-id: 711515
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/ctree.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
---- a/fs/btrfs/ctree.c
-+++ b/fs/btrfs/ctree.c
-@@ -2758,6 +2758,8 @@ again:
- * contention with the cow code
- */
- if (cow) {
-+ bool last_level = (level == (BTRFS_MAX_LEVEL - 1));
-+
- /*
- * if we don't really need to cow this block
- * then we don't want to set the path blocking,
-@@ -2782,9 +2784,13 @@ again:
- }
-
- btrfs_set_path_blocking(p);
-- err = btrfs_cow_block(trans, root, b,
-- p->nodes[level + 1],
-- p->slots[level + 1], &b);
-+ if (last_level)
-+ err = btrfs_cow_block(trans, root, b, NULL, 0,
-+ &b);
-+ else
-+ err = btrfs_cow_block(trans, root, b,
-+ p->nodes[level + 1],
-+ p->slots[level + 1], &b);
- if (err) {
- ret = err;
- goto done;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Nikolay Borisov <nborisov@suse.com>
-Date: Thu, 5 Apr 2018 10:40:15 +0300
-Subject: btrfs: Fix possible softlock on single core machines
-
-From: Nikolay Borisov <nborisov@suse.com>
-
-[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ]
-
-do_chunk_alloc implements a loop checking whether there is a pending
-chunk allocation and if so causes the caller do loop. Generally this
-loop is executed only once, however testing with btrfs/072 on a single
-core vm machines uncovered an extreme case where the system could loop
-indefinitely. This is due to a missing cond_resched when loop which
-doesn't give a chance to the previous chunk allocator finish its job.
-
-The fix is to simply add the missing cond_resched.
-
-Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc")
-Signed-off-by: Nikolay Borisov <nborisov@suse.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/extent-tree.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/fs/btrfs/extent-tree.c
-+++ b/fs/btrfs/extent-tree.c
-@@ -3946,6 +3946,7 @@ again:
- if (wait_for_alloc) {
- mutex_unlock(&fs_info->chunk_mutex);
- wait_for_alloc = 0;
-+ cond_resched();
- goto again;
- }
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Filipe Manana <fdmanana@suse.com>
-Date: Tue, 6 Feb 2018 20:39:20 +0000
-Subject: Btrfs: send, fix issuing write op when processing hole in no data mode
-
-From: Filipe Manana <fdmanana@suse.com>
-
-[ Upstream commit d4dfc0f4d39475ccbbac947880b5464a74c30b99 ]
-
-When doing an incremental send of a filesystem with the no-holes feature
-enabled, we end up issuing a write operation when using the no data mode
-send flag, instead of issuing an update extent operation. Fix this by
-issuing the update extent operation instead.
-
-Trivial reproducer:
-
- $ mkfs.btrfs -f -O no-holes /dev/sdc
- $ mkfs.btrfs -f /dev/sdd
- $ mount /dev/sdc /mnt/sdc
- $ mount /dev/sdd /mnt/sdd
-
- $ xfs_io -f -c "pwrite -S 0xab 0 32K" /mnt/sdc/foobar
- $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap1
-
- $ xfs_io -c "fpunch 8K 8K" /mnt/sdc/foobar
- $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap2
-
- $ btrfs send /mnt/sdc/snap1 | btrfs receive /mnt/sdd
- $ btrfs send --no-data -p /mnt/sdc/snap1 /mnt/sdc/snap2 \
- | btrfs receive -vv /mnt/sdd
-
-Before this change the output of the second receive command is:
-
- receiving snapshot snap2 uuid=f6922049-8c22-e544-9ff9-fc6755918447...
- utimes
- write foobar, offset 8192, len 8192
- utimes foobar
- BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=f6922049-8c22-e544-9ff9-...
-
-After this change it is:
-
- receiving snapshot snap2 uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64...
- utimes
- update_extent foobar: offset=8192, len=8192
- utimes foobar
- BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64...
-
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/send.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/btrfs/send.c
-+++ b/fs/btrfs/send.c
-@@ -4485,6 +4485,9 @@ static int send_hole(struct send_ctx *sc
- u64 len;
- int ret = 0;
-
-+ if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA)
-+ return send_update_extent(sctx, offset, end - offset);
-+
- p = fs_path_alloc();
- if (!p)
- return -ENOMEM;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Qu Wenruo <wqu@suse.com>
-Date: Tue, 27 Mar 2018 20:44:18 +0800
-Subject: btrfs: tests/qgroup: Fix wrong tree backref level
-
-From: Qu Wenruo <wqu@suse.com>
-
-[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ]
-
-The extent tree of the test fs is like the following:
-
- BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919
- item 0 key (4096 168 4096) itemoff 3944 itemsize 51
- extent refs 1 gen 1 flags 2
- tree block key (68719476736 0 0) level 1
- ^^^^^^^
- ref#0: tree block backref root 5
-
-And it's using an empty tree for fs tree, so there is no way that its
-level can be 1.
-
-For REAL (created by mkfs) fs tree backref with no skinny metadata, the
-result should look like:
-
- item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51
- refs 1 gen 4 flags TREE_BLOCK
- tree block key (256 INODE_ITEM 0) level 0
- ^^^^^^^
- tree block backref root 5
-
-Fix the level to 0, so it won't break later tree level checker.
-
-Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code")
-Signed-off-by: Qu Wenruo <wqu@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/tests/qgroup-tests.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/btrfs/tests/qgroup-tests.c
-+++ b/fs/btrfs/tests/qgroup-tests.c
-@@ -69,7 +69,7 @@ static int insert_normal_tree_ref(struct
- btrfs_set_extent_generation(leaf, item, 1);
- btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK);
- block_info = (struct btrfs_tree_block_info *)(item + 1);
-- btrfs_set_tree_block_level(leaf, block_info, 1);
-+ btrfs_set_tree_block_level(leaf, block_info, 0);
- iref = (struct btrfs_extent_inline_ref *)(block_info + 1);
- if (parent > 0) {
- btrfs_set_extent_inline_ref_type(leaf, iref,
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Maurizio Lombardi <mlombard@redhat.com>
-Date: Fri, 9 Mar 2018 13:59:06 +0100
-Subject: cdrom: do not call check_disk_change() inside cdrom_open()
-
-From: Maurizio Lombardi <mlombard@redhat.com>
-
-[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ]
-
-when mounting an ISO filesystem sometimes (very rarely)
-the system hangs because of a race condition between two tasks.
-
-PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount"
- #0 [ffff880078447ae0] __schedule at ffffffff8168d605
- #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49
- #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995
- #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef
- #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod]
- #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50
- #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3
- #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs]
- #8 [ffff880078447da8] mount_bdev at ffffffff81202570
- #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs]
-#10 [ffff880078447e28] mount_fs at ffffffff81202d09
-#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f
-#12 [ffff880078447ea8] do_mount at ffffffff81220fee
-#13 [ffff880078447f28] sys_mount at ffffffff812218d6
-#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49
- RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246
- RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010
- RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30
- RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010
- R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040
- R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30
- ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b
-
-This task was trying to mount the cdrom. It allocated and configured a
-super_block struct and owned the write-lock for the super_block->s_umount
-rwsem. While exclusively owning the s_umount lock, it called
-sr_block_ioctl and waited to acquire the global sr_mutex lock.
-
-PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd"
- #0 [ffff880078417898] __schedule at ffffffff8168d605
- #1 [ffff880078417900] schedule at ffffffff8168dc59
- #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605
- #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838
- #4 [ffff8800784179d0] down_read at ffffffff8168cde0
- #5 [ffff8800784179e8] get_super at ffffffff81201cc7
- #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de
- #7 [ffff880078417a40] flush_disk at ffffffff8123a94b
- #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50
- #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom]
-#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod]
-#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86
-#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65
-#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b
-#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7
-#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf
-#16 [ffff880078417d00] do_last at ffffffff8120d53d
-#17 [ffff880078417db0] path_openat at ffffffff8120e6b2
-#18 [ffff880078417e48] do_filp_open at ffffffff8121082b
-#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33
-#20 [ffff880078417f70] sys_open at ffffffff811fde4e
-#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49
- RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246
- RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000
- RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70
- RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020
- R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e
- R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010
- ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b
-
-This task tried to open the cdrom device, the sr_block_open function
-acquired the global sr_mutex lock. The call to check_disk_change()
-then saw an event flag indicating a possible media change and tried
-to flush any cached data for the device.
-As part of the flush, it tried to acquire the super_block->s_umount
-lock associated with the cdrom device.
-This was the same super_block as created and locked by the previous task.
-
-The first task acquires the s_umount lock and then the sr_mutex_lock;
-the second task acquires the sr_mutex_lock and then the s_umount lock.
-
-This patch fixes the issue by moving check_disk_change() out of
-cdrom_open() and let the caller take care of it.
-
-Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/block/paride/pcd.c | 2 ++
- drivers/cdrom/cdrom.c | 3 ---
- drivers/cdrom/gdrom.c | 3 +++
- drivers/ide/ide-cd.c | 2 ++
- drivers/scsi/sr.c | 2 ++
- 5 files changed, 9 insertions(+), 3 deletions(-)
-
---- a/drivers/block/paride/pcd.c
-+++ b/drivers/block/paride/pcd.c
-@@ -229,6 +229,8 @@ static int pcd_block_open(struct block_d
- struct pcd_unit *cd = bdev->bd_disk->private_data;
- int ret;
-
-+ check_disk_change(bdev);
-+
- mutex_lock(&pcd_mutex);
- ret = cdrom_open(&cd->info, bdev, mode);
- mutex_unlock(&pcd_mutex);
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -1153,9 +1153,6 @@ int cdrom_open(struct cdrom_device_info
-
- cd_dbg(CD_OPEN, "entering cdrom_open\n");
-
-- /* open is event synchronization point, check events first */
-- check_disk_change(bdev);
--
- /* if this was a O_NONBLOCK open and we should honor the flags,
- * do a quick open without drive/disc integrity checks. */
- cdi->use_count++;
---- a/drivers/cdrom/gdrom.c
-+++ b/drivers/cdrom/gdrom.c
-@@ -497,6 +497,9 @@ static struct cdrom_device_ops gdrom_ops
- static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
- {
- int ret;
-+
-+ check_disk_change(bdev);
-+
- mutex_lock(&gdrom_mutex);
- ret = cdrom_open(gd.cd_info, bdev, mode);
- mutex_unlock(&gdrom_mutex);
---- a/drivers/ide/ide-cd.c
-+++ b/drivers/ide/ide-cd.c
-@@ -1593,6 +1593,8 @@ static int idecd_open(struct block_devic
- struct cdrom_info *info;
- int rc = -ENXIO;
-
-+ check_disk_change(bdev);
-+
- mutex_lock(&ide_cd_mutex);
- info = ide_cd_get(bdev->bd_disk);
- if (!info)
---- a/drivers/scsi/sr.c
-+++ b/drivers/scsi/sr.c
-@@ -522,6 +522,8 @@ static int sr_block_open(struct block_de
- struct scsi_cd *cd;
- int ret = -ENXIO;
-
-+ check_disk_change(bdev);
-+
- mutex_lock(&sr_mutex);
- cd = scsi_cd_get(bdev->bd_disk);
- if (cd) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Fri, 2 Feb 2018 16:48:47 +0100
-Subject: cifs: silence compiler warnings showing up with gcc-8.0.0
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit ade7db991b47ab3016a414468164f4966bd08202 ]
-
-This bug was fixed before, but came up again with the latest
-compiler in another function:
-
-fs/cifs/cifssmb.c: In function 'CIFSSMBSetEA':
-fs/cifs/cifssmb.c:6362:3: error: 'strncpy' offset 8 is out of the bounds [0, 4] [-Werror=array-bounds]
- strncpy(parm_data->list[0].name, ea_name, name_len);
-
-Let's apply the same fix that was used for the other instances.
-
-Fixes: b2a3ad9ca502 ("cifs: silence compiler warnings showing up with gcc-4.7.0")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Steve French <smfrench@gmail.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/cifs/cifssmb.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/fs/cifs/cifssmb.c
-+++ b/fs/cifs/cifssmb.c
-@@ -6413,9 +6413,7 @@ SetEARetry:
- pSMB->InformationLevel =
- cpu_to_le16(SMB_SET_FILE_EA);
-
-- parm_data =
-- (struct fealist *) (((char *) &pSMB->hdr.Protocol) +
-- offset);
-+ parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset;
- pSMB->ParameterOffset = cpu_to_le16(param_offset);
- pSMB->DataOffset = cpu_to_le16(offset);
- pSMB->SetupCount = 1;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Andrzej Hajda <a.hajda@samsung.com>
-Date: Fri, 16 Feb 2018 15:57:48 +0100
-Subject: clk: samsung: exynos3250: Fix PLL rates
-
-From: Andrzej Hajda <a.hajda@samsung.com>
-
-[ Upstream commit a8321e7887410a2b2e80ab89d1ef7b30562658ea ]
-
-Rates declared in PLL rate tables should match exactly rates calculated
-from PLL coefficients. If that is not the case, rate of the PLL's child clock
-might be set not as expected. For instance, if in the PLL rates table we have
-a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
-callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
-will return 393216003. If we now attempt to set rate of a PLL's child divider
-clock to 393216000/2 its rate will be 131072001, rather than 196608000.
-That is, the divider will be set to 3 instead of 2, because 393216003/2 is
-greater than 196608000.
-
-To fix this issue declared rates are changed to exactly match rates generated
-by the PLL, as calculated from the P, M, S, K coefficients.
-
-In this patch an erroneous P value for 74176002 output frequency is also
-corrected.
-
-Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
-Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
-Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
-Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/clk/samsung/clk-exynos3250.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/clk/samsung/clk-exynos3250.c
-+++ b/drivers/clk/samsung/clk-exynos3250.c
-@@ -740,7 +740,7 @@ static struct samsung_pll_rate_table exy
- PLL_36XX_RATE(144000000, 96, 2, 3, 0),
- PLL_36XX_RATE( 96000000, 128, 2, 4, 0),
- PLL_36XX_RATE( 84000000, 112, 2, 4, 0),
-- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691),
-+ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691),
- PLL_36XX_RATE( 73728000, 98, 2, 4, 19923),
- PLL_36XX_RATE( 67737598, 270, 3, 5, 62285),
- PLL_36XX_RATE( 65535999, 174, 2, 5, 49982),
-@@ -776,7 +776,7 @@ static struct samsung_pll_rate_table exy
- PLL_36XX_RATE(148352005, 98, 2, 3, 59070),
- PLL_36XX_RATE(108000000, 144, 2, 4, 0),
- PLL_36XX_RATE( 74250000, 99, 2, 4, 0),
-- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070),
-+ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070),
- PLL_36XX_RATE( 54054000, 216, 3, 5, 14156),
- PLL_36XX_RATE( 54000000, 144, 2, 5, 0),
- { /* sentinel */ }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Andrzej Hajda <a.hajda@samsung.com>
-Date: Fri, 16 Feb 2018 15:57:49 +0100
-Subject: clk: samsung: exynos5250: Fix PLL rates
-
-From: Andrzej Hajda <a.hajda@samsung.com>
-
-[ Upstream commit 2ac051eeabaa411ef89ae7cd5bb8e60cb41ad780 ]
-
-Rates declared in PLL rate tables should match exactly rates calculated
-from PLL coefficients. If that is not the case, rate of the PLL's child clock
-might be set not as expected. For instance, if in the PLL rates table we have
-a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
-callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
-will return 393216003. If we now attempt to set rate of a PLL's child divider
-clock to 393216000/2 its rate will be 131072001, rather than 196608000.
-That is, the divider will be set to 3 instead of 2, because 393216003/2 is
-greater than 196608000.
-
-To fix this issue declared rates are changed to exactly match rates generated
-by the PLL, as calculated from the P, M, S, K coefficients.
-
-Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
-Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
-Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
-Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/clk/samsung/clk-exynos5250.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/clk/samsung/clk-exynos5250.c
-+++ b/drivers/clk/samsung/clk-exynos5250.c
-@@ -700,13 +700,13 @@ static struct samsung_pll_rate_table epl
- /* sorted in descending order */
- /* PLL_36XX_RATE(rate, m, p, s, k) */
- PLL_36XX_RATE(192000000, 64, 2, 2, 0),
-- PLL_36XX_RATE(180633600, 90, 3, 2, 20762),
-+ PLL_36XX_RATE(180633605, 90, 3, 2, 20762),
- PLL_36XX_RATE(180000000, 90, 3, 2, 0),
- PLL_36XX_RATE(73728000, 98, 2, 4, 19923),
-- PLL_36XX_RATE(67737600, 90, 2, 4, 20762),
-+ PLL_36XX_RATE(67737602, 90, 2, 4, 20762),
- PLL_36XX_RATE(49152000, 98, 3, 4, 19923),
-- PLL_36XX_RATE(45158400, 90, 3, 4, 20762),
-- PLL_36XX_RATE(32768000, 131, 3, 5, 4719),
-+ PLL_36XX_RATE(45158401, 90, 3, 4, 20762),
-+ PLL_36XX_RATE(32768001, 131, 3, 5, 4719),
- { },
- };
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Andrzej Hajda <a.hajda@samsung.com>
-Date: Fri, 16 Feb 2018 15:57:50 +0100
-Subject: clk: samsung: exynos5260: Fix PLL rates
-
-From: Andrzej Hajda <a.hajda@samsung.com>
-
-[ Upstream commit cdb68fbd4e7962be742c4f29475220c5bf28d8a5 ]
-
-Rates declared in PLL rate tables should match exactly rates calculated from
-the PLL coefficients. If that is not the case, rate of the PLL's child clock
-might be set not as expected. For instance, if in the PLL rates table we have
-a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
-callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
-will return 393216003. If we now attempt to set rate of a PLL's child divider
-clock to 393216000/2 its rate will be 131072001, rather than 196608000.
-That is, the divider will be set to 3 instead of 2, because 393216003/2 is
-greater than 196608000.
-
-To fix this issue declared rates are changed to exactly match rates generated
-by the PLL, as calculated from the P, M, S, K coefficients.
-
-Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
-Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
-Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/clk/samsung/clk-exynos5260.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/clk/samsung/clk-exynos5260.c
-+++ b/drivers/clk/samsung/clk-exynos5260.c
-@@ -102,7 +102,7 @@ static struct samsung_pll_rate_table pll
- PLL_36XX_RATE(480000000, 160, 2, 2, 0),
- PLL_36XX_RATE(432000000, 144, 2, 2, 0),
- PLL_36XX_RATE(400000000, 200, 3, 2, 0),
-- PLL_36XX_RATE(394073130, 459, 7, 2, 49282),
-+ PLL_36XX_RATE(394073128, 459, 7, 2, 49282),
- PLL_36XX_RATE(333000000, 111, 2, 2, 0),
- PLL_36XX_RATE(300000000, 100, 2, 2, 0),
- PLL_36XX_RATE(266000000, 266, 3, 3, 0),
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Andrzej Hajda <a.hajda@samsung.com>
-Date: Fri, 16 Feb 2018 15:57:53 +0100
-Subject: clk: samsung: s3c2410: Fix PLL rates
-
-From: Andrzej Hajda <a.hajda@samsung.com>
-
-[ Upstream commit 179db533c08431f509a3823077549773d519358b ]
-
-Rates declared in PLL rate tables should match exactly rates calculated from
-the PLL coefficients. If that is not the case, rate of the PLL's child clock
-might be set not as expected. For instance, if in the PLL rates table we have
-a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
-callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
-will return 393216003. If we now attempt to set rate of a PLL's child divider
-clock to 393216000/2 its rate will be 131072001, rather than 196608000.
-That is, the divider will be set to 3 instead of 2, because 393216003/2 is
-greater than 196608000.
-
-To fix this issue declared rates are changed to exactly match rates generated
-by the PLL, as calculated from the P, M, S, K coefficients.
-
-Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
-Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
-Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/clk/samsung/clk-s3c2410.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
---- a/drivers/clk/samsung/clk-s3c2410.c
-+++ b/drivers/clk/samsung/clk-s3c2410.c
-@@ -170,7 +170,7 @@ static struct samsung_pll_rate_table pll
- PLL_35XX_RATE(226000000, 105, 1, 1),
- PLL_35XX_RATE(210000000, 132, 2, 1),
- /* 2410 common */
-- PLL_35XX_RATE(203000000, 161, 3, 1),
-+ PLL_35XX_RATE(202800000, 161, 3, 1),
- PLL_35XX_RATE(192000000, 88, 1, 1),
- PLL_35XX_RATE(186000000, 85, 1, 1),
- PLL_35XX_RATE(180000000, 82, 1, 1),
-@@ -180,18 +180,18 @@ static struct samsung_pll_rate_table pll
- PLL_35XX_RATE(147000000, 90, 2, 1),
- PLL_35XX_RATE(135000000, 82, 2, 1),
- PLL_35XX_RATE(124000000, 116, 1, 2),
-- PLL_35XX_RATE(118000000, 150, 2, 2),
-+ PLL_35XX_RATE(118500000, 150, 2, 2),
- PLL_35XX_RATE(113000000, 105, 1, 2),
-- PLL_35XX_RATE(101000000, 127, 2, 2),
-+ PLL_35XX_RATE(101250000, 127, 2, 2),
- PLL_35XX_RATE(90000000, 112, 2, 2),
-- PLL_35XX_RATE(85000000, 105, 2, 2),
-+ PLL_35XX_RATE(84750000, 105, 2, 2),
- PLL_35XX_RATE(79000000, 71, 1, 2),
-- PLL_35XX_RATE(68000000, 82, 2, 2),
-- PLL_35XX_RATE(56000000, 142, 2, 3),
-+ PLL_35XX_RATE(67500000, 82, 2, 2),
-+ PLL_35XX_RATE(56250000, 142, 2, 3),
- PLL_35XX_RATE(48000000, 120, 2, 3),
-- PLL_35XX_RATE(51000000, 161, 3, 3),
-+ PLL_35XX_RATE(50700000, 161, 3, 3),
- PLL_35XX_RATE(45000000, 82, 1, 3),
-- PLL_35XX_RATE(34000000, 82, 2, 3),
-+ PLL_35XX_RATE(33750000, 82, 2, 3),
- { /* sentinel */ },
- };
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Colin Ian King <colin.king@canonical.com>
-Date: Mon, 26 Feb 2018 11:36:14 +0000
-Subject: clocksource/drivers/fsl_ftm_timer: Fix error return checking
-
-From: Colin Ian King <colin.king@canonical.com>
-
-[ Upstream commit f287eb9013ccf199cbfa4eabd80c36fedfc15a73 ]
-
-The error checks on freq for a negative error return always fails because
-freq is unsigned and can never be negative. Fix this by making freq a
-signed long.
-
-Detected with Coccinelle:
-drivers/clocksource/fsl_ftm_timer.c:287:5-9: WARNING: Unsigned expression
-compared with zero: freq <= 0
-drivers/clocksource/fsl_ftm_timer.c:291:5-9: WARNING: Unsigned expression
-compared with zero: freq <= 0
-
-Fixes: 2529c3a33079 ("clocksource: Add Freescale FlexTimer Module (FTM) timer support")
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
-Cc: kernel-janitors@vger.kernel.org
-Link: https://lkml.kernel.org/r/20180226113614.3092-1-colin.king@canonical.com
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/clocksource/fsl_ftm_timer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/clocksource/fsl_ftm_timer.c
-+++ b/drivers/clocksource/fsl_ftm_timer.c
-@@ -282,7 +282,7 @@ static int __init __ftm_clk_init(struct
-
- static unsigned long __init ftm_clk_init(struct device_node *np)
- {
-- unsigned long freq;
-+ long freq;
-
- freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt");
- if (freq <= 0)
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: mulhern <amulhern@redhat.com>
-Date: Mon, 27 Nov 2017 10:02:39 -0500
-Subject: dm thin: fix documentation relative to low water mark threshold
-
-From: mulhern <amulhern@redhat.com>
-
-[ Upstream commit 9b28a1102efc75d81298198166ead87d643a29ce ]
-
-Fixes:
-1. The use of "exceeds" when the opposite of exceeds, falls below,
-was meant.
-2. Properly speaking, a table can not exceed a threshold.
-
-It emphasizes the important point, which is that it is the userspace
-daemon's responsibility to check for low free space when a device
-is resumed, since it won't get a special event indicating low free
-space in that situation.
-
-Signed-off-by: mulhern <amulhern@redhat.com>
-Signed-off-by: Mike Snitzer <snitzer@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- Documentation/device-mapper/thin-provisioning.txt | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
---- a/Documentation/device-mapper/thin-provisioning.txt
-+++ b/Documentation/device-mapper/thin-provisioning.txt
-@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks o
- free space on the data device drops below this level then a dm event
- will be triggered which a userspace daemon should catch allowing it to
- extend the pool device. Only one such event will be sent.
--Resuming a device with a new table itself triggers an event so the
--userspace daemon can use this to detect a situation where a new table
--already exceeds the threshold.
-+
-+No special event is triggered if a just resumed device's free space is below
-+the low water mark. However, resuming a device always triggers an
-+event; a userspace daemon should verify that free space exceeds the low
-+water mark when handling this event.
-
- A low water mark for the metadata device is maintained in the kernel and
- will trigger a dm event if free space on the metadata device drops below
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Qi Hou <qi.hou@windriver.com>
-Date: Tue, 6 Mar 2018 09:13:37 +0800
-Subject: dmaengine: pl330: fix a race condition in case of threaded irqs
-
-From: Qi Hou <qi.hou@windriver.com>
-
-[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ]
-
-When booting up with "threadirqs" in command line, all irq handlers of the DMA
-controller pl330 will be threaded forcedly. These threads will race for the same
-list, pl330->req_done.
-
-Before the callback, the spinlock was released. And after it, the spinlock was
-taken. This opened an race window where another threaded irq handler could steal
-the spinlock and be permitted to delete entries of the list, pl330->req_done.
-
-If the later deleted an entry that was still referred to by the former, there would
-be a kernel panic when the former was scheduled and tried to get the next sibling
-of the deleted entry.
-
-The scenario could be depicted as below:
-
- Thread: T1 pl330->req_done Thread: T2
- | | |
- | -A-B-C-D- |
- Locked | |
- | | Waiting
- Del A | |
- | -B-C-D- |
- Unlocked | |
- | | Locked
- Waiting | |
- | | Del B
- | | |
- | -C-D- Unlocked
- Waiting | |
- |
- Locked
- |
- get C via B
- \
- - Kernel panic
-
-The kernel panic looked like as below:
-
-Unable to handle kernel paging request at virtual address dead000000000108
-pgd = ffffff8008c9e000
-[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000
-Internal error: Oops: 96000044 [#1] PREEMPT SMP
-Modules linked in:
-CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2
-Hardware name: Broadcom NS2 SVK (DT)
-task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000
-PC is at pl330_irq_handler+0x27c/0x390
-LR is at pl330_irq_handler+0x2a8/0x390
-pc : [<ffffff80084cb694>] lr : [<ffffff80084cb6c0>] pstate: 800001c5
-sp : ffffffc1f5ce3d00
-x29: ffffffc1f5ce3d00 x28: 0000000000000140
-x27: ffffffc1f5c530b0 x26: dead000000000100
-x25: dead000000000200 x24: 0000000000418958
-x23: 0000000000000001 x22: ffffffc1f5ccd668
-x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418
-x19: dead000000000060 x18: 0000000000000001
-x17: 0000000000000007 x16: 0000000000000001
-x15: ffffffffffffffff x14: ffffffffffffffff
-x13: ffffffffffffffff x12: 0000000000000000
-x11: 0000000000000001 x10: 0000000000000840
-x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338
-x7 : ffffff8008ce2020 x6 : 0000000000000000
-x5 : 0000000000000000 x4 : 0000000000000001
-x3 : dead000000000200 x2 : dead000000000100
-x1 : 0000000000000140 x0 : ffffffc1f5ccd590
-
-Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020)
-Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000)
-3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600
-3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998
-3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000
-3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0
-3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001
-3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8
-3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00
-3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000
-3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68
-3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80
-3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648
-3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00
-3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90
-3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0
-3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000
-3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8
-Call trace:
-Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60)
-3b20: dead000000000060 0000008000000000
-3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88
-3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4
-3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc
-3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000
-3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140
-3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000
-3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000
-3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff
-3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007
-[<ffffff80084cb694>] pl330_irq_handler+0x27c/0x390
-[<ffffff80080f09d0>] irq_forced_thread_fn+0x38/0x88
-[<ffffff80080f0d70>] irq_thread+0x140/0x200
-[<ffffff80080bf4f8>] kthread+0xd8/0xf0
-[<ffffff8008083690>] ret_from_fork+0x10/0x40
-Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443)
----[ end trace f50005726d31199c ]---
-Kernel panic - not syncing: Fatal exception in interrupt
-SMP: stopping secondary CPUs
-SMP: failed to stop secondary CPUs 0-1
-Kernel Offset: disabled
-Memory Limit: none
----[ end Kernel panic - not syncing: Fatal exception in interrupt
-
-To fix this, re-start with the list-head after dropping the lock then
-re-takeing it.
-
-Reviewed-by: Frank Mori Hess <fmh6jj@gmail.com>
-Tested-by: Frank Mori Hess <fmh6jj@gmail.com>
-Signed-off-by: Qi Hou <qi.hou@windriver.com>
-Signed-off-by: Vinod Koul <vinod.koul@intel.com>
-
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/dma/pl330.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/dma/pl330.c
-+++ b/drivers/dma/pl330.c
-@@ -1516,7 +1516,7 @@ static void pl330_dotask(unsigned long d
- /* Returns 1 if state was updated, 0 otherwise */
- static int pl330_update(struct pl330_dmac *pl330)
- {
-- struct dma_pl330_desc *descdone, *tmp;
-+ struct dma_pl330_desc *descdone;
- unsigned long flags;
- void __iomem *regs;
- u32 val;
-@@ -1592,7 +1592,9 @@ static int pl330_update(struct pl330_dma
- }
-
- /* Now that we are in no hurry, do the callbacks */
-- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) {
-+ while (!list_empty(&pl330->req_done)) {
-+ descdone = list_first_entry(&pl330->req_done,
-+ struct dma_pl330_desc, rqd);
- list_del(&descdone->rqd);
- spin_unlock_irqrestore(&pl330->lock, flags);
- dma_pl330_rqcb(descdone, PL330_ERR_NONE);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Esben Haabendal <eha@deif.com>
-Date: Sun, 8 Apr 2018 22:17:01 +0200
-Subject: dp83640: Ensure against premature access to PHY registers after reset
-
-From: Esben Haabendal <eha@deif.com>
-
-[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ]
-
-The datasheet specifies a 3uS pause after performing a software
-reset. The default implementation of genphy_soft_reset() does not
-provide this, so implement soft_reset with the needed pause.
-
-Signed-off-by: Esben Haabendal <eha@deif.com>
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/phy/dp83640.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
---- a/drivers/net/phy/dp83640.c
-+++ b/drivers/net/phy/dp83640.c
-@@ -1173,6 +1173,23 @@ static void dp83640_remove(struct phy_de
- kfree(dp83640);
- }
-
-+static int dp83640_soft_reset(struct phy_device *phydev)
-+{
-+ int ret;
-+
-+ ret = genphy_soft_reset(phydev);
-+ if (ret < 0)
-+ return ret;
-+
-+ /* From DP83640 datasheet: "Software driver code must wait 3 us
-+ * following a software reset before allowing further serial MII
-+ * operations with the DP83640."
-+ */
-+ udelay(10); /* Taking udelay inaccuracy into account */
-+
-+ return 0;
-+}
-+
- static int dp83640_config_init(struct phy_device *phydev)
- {
- struct dp83640_private *dp83640 = phydev->priv;
-@@ -1470,6 +1487,7 @@ static struct phy_driver dp83640_driver
- .flags = PHY_HAS_INTERRUPT,
- .probe = dp83640_probe,
- .remove = dp83640_remove,
-+ .soft_reset = dp83640_soft_reset,
- .config_init = dp83640_config_init,
- .config_aneg = genphy_config_aneg,
- .read_status = genphy_read_status,
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Date: Mon, 5 Feb 2018 21:09:59 +0100
-Subject: drm/exynos: fix comparison to bitshift when dealing with a mask
-
-From: Wolfram Sang <wsa+renesas@sang-engineering.com>
-
-[ Upstream commit 1293b6191010672c0c9dacae8f71c6f3e4d70cbe ]
-
-Due to a typo, the mask was destroyed by a comparison instead of a bit
-shift.
-
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Inki Dae <inki.dae@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/exynos/regs-fimc.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/exynos/regs-fimc.h
-+++ b/drivers/gpu/drm/exynos/regs-fimc.h
-@@ -569,7 +569,7 @@
- #define EXYNOS_CIIMGEFF_FIN_EMBOSSING (4 << 26)
- #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE (5 << 26)
- #define EXYNOS_CIIMGEFF_FIN_MASK (7 << 26)
--#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff < 13) | (0xff < 0))
-+#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff << 13) | (0xff << 0))
-
- /* Real input DMA size register */
- #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE (1 << 31)
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Markus Elfring <elfring@users.sourceforge.net>
-Date: Thu, 8 Feb 2018 18:42:51 +0100
-Subject: drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions
-
-From: Markus Elfring <elfring@users.sourceforge.net>
-
-[ Upstream commit 6f0a60298bbbea43ab5e3955913ab19c153076f3 ]
-
-Omit an extra message for a memory allocation failure in these functions.
-
-This issue was detected by using the Coccinelle software.
-
-Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
-Signed-off-by: Inki Dae <inki.dae@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
---- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
-+++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
-@@ -268,7 +268,6 @@ static int g2d_init_cmdlist(struct g2d_d
-
- node = kcalloc(G2D_CMDLIST_NUM, sizeof(*node), GFP_KERNEL);
- if (!node) {
-- dev_err(dev, "failed to allocate memory\n");
- ret = -ENOMEM;
- goto err;
- }
-@@ -1264,10 +1263,9 @@ int exynos_g2d_exec_ioctl(struct drm_dev
- return -EFAULT;
-
- runqueue_node = kmem_cache_alloc(g2d->runqueue_slab, GFP_KERNEL);
-- if (!runqueue_node) {
-- dev_err(dev, "failed to allocate memory\n");
-+ if (!runqueue_node)
- return -ENOMEM;
-- }
-+
- run_cmdlist = &runqueue_node->run_cmdlist;
- event_list = &runqueue_node->event_list;
- INIT_LIST_HEAD(run_cmdlist);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Pierre-Yves Kerbrat <pkerbrat@kalray.eu>
-Date: Fri, 26 Jan 2018 11:24:12 +0100
-Subject: e1000e: allocate ring descriptors with dma_zalloc_coherent
-
-From: Pierre-Yves Kerbrat <pkerbrat@kalray.eu>
-
-[ Upstream commit aea3fca005fb45f80869f2e8d56fd4e64c1d1fdb ]
-
-Descriptor rings were not initialized at zero when allocated
-When area contained garbage data, it caused skb_over_panic in
-e1000_clean_rx_irq (if data had E1000_RXD_STAT_DD bit set)
-
-This patch makes use of dma_zalloc_coherent to make sure the
-ring is memset at 0 to prevent the area from containing garbage.
-
-Following is the signature of the panic:
-IODDR0@0.0: skbuff: skb_over_panic: text:80407b20 len:64010 put:64010 head:ab46d800 data:ab46d842 tail:0xab47d24c end:0xab46df40 dev:eth0
-IODDR0@0.0: BUG: failure at net/core/skbuff.c:105/skb_panic()!
-IODDR0@0.0: Kernel panic - not syncing: BUG!
-IODDR0@0.0:
-IODDR0@0.0: Process swapper/0 (pid: 0, threadinfo=81728000, task=8173cc00 ,cpu: 0)
-IODDR0@0.0: SP = <815a1c0c>
-IODDR0@0.0: Stack: 00000001
-IODDR0@0.0: b2d89800 815e33ac
-IODDR0@0.0: ea73c040 00000001
-IODDR0@0.0: 60040003 0000fa0a
-IODDR0@0.0: 00000002
-IODDR0@0.0:
-IODDR0@0.0: 804540c0 815a1c70
-IODDR0@0.0: b2744000 602ac070
-IODDR0@0.0: 815a1c44 b2d89800
-IODDR0@0.0: 8173cc00 815a1c08
-IODDR0@0.0:
-IODDR0@0.0: 00000006
-IODDR0@0.0: 815a1b50 00000000
-IODDR0@0.0: 80079434 00000001
-IODDR0@0.0: ab46df40 b2744000
-IODDR0@0.0: b2d89800
-IODDR0@0.0:
-IODDR0@0.0: 0000fa0a 8045745c
-IODDR0@0.0: 815a1c88 0000fa0a
-IODDR0@0.0: 80407b20 b2789f80
-IODDR0@0.0: 00000005 80407b20
-IODDR0@0.0:
-IODDR0@0.0:
-IODDR0@0.0: Call Trace:
-IODDR0@0.0: [<804540bc>] skb_panic+0xa4/0xa8
-IODDR0@0.0: [<80079430>] console_unlock+0x2f8/0x6d0
-IODDR0@0.0: [<80457458>] skb_put+0xa0/0xc0
-IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
-IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
-IODDR0@0.0: [<804079c8>] e1000_clean_rx_irq+0x188/0x3e8
-IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
-IODDR0@0.0: [<80468b48>] __dev_kfree_skb_any+0x88/0xa8
-IODDR0@0.0: [<804101ac>] e1000e_poll+0x94/0x288
-IODDR0@0.0: [<8046e9d4>] net_rx_action+0x19c/0x4e8
-IODDR0@0.0: ...
-IODDR0@0.0: Maximum depth to print reached. Use kstack=<maximum_depth_to_print> To specify a custom value (where 0 means to display the full backtrace)
-IODDR0@0.0: ---[ end Kernel panic - not syncing: BUG!
-
-Signed-off-by: Pierre-Yves Kerbrat <pkerbrat@kalray.eu>
-Signed-off-by: Marius Gligor <mgligor@kalray.eu>
-Tested-by: Aaron Brown <aaron.f.brown@intel.com>
-Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
-Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/net/ethernet/intel/e1000e/netdev.c
-+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
-@@ -2330,8 +2330,8 @@ static int e1000_alloc_ring_dma(struct e
- {
- struct pci_dev *pdev = adapter->pdev;
-
-- ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma,
-- GFP_KERNEL);
-+ ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma,
-+ GFP_KERNEL);
- if (!ring->desc)
- return -ENOMEM;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Benjamin Poirier <bpoirier@suse.com>
-Date: Tue, 20 Feb 2018 15:12:00 +0900
-Subject: e1000e: Fix check_for_link return value with autoneg off
-
-From: Benjamin Poirier <bpoirier@suse.com>
-
-[ Upstream commit 4e7dc08e57c95673d2edaba8983c3de4dd1f65f5 ]
-
-When autoneg is off, the .check_for_link callback functions clear the
-get_link_status flag and systematically return a "pseudo-error". This means
-that the link is not detected as up until the next execution of the
-e1000_watchdog_task() 2 seconds later.
-
-Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
-Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
-Acked-by: Sasha Neftin <sasha.neftin@intel.com>
-Tested-by: Aaron Brown <aaron.f.brown@intel.com>
-Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +-
- drivers/net/ethernet/intel/e1000e/mac.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
-+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-@@ -1441,7 +1441,7 @@ static s32 e1000_check_for_copper_link_i
- * we have already determined whether we have link or not.
- */
- if (!mac->autoneg)
-- return -E1000_ERR_CONFIG;
-+ return 1;
-
- /* Auto-Neg is enabled. Auto Speed Detection takes care
- * of MAC speed/duplex configuration. So we only need to
---- a/drivers/net/ethernet/intel/e1000e/mac.c
-+++ b/drivers/net/ethernet/intel/e1000e/mac.c
-@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct
- * we have already determined whether we have link or not.
- */
- if (!mac->autoneg)
-- return -E1000_ERR_CONFIG;
-+ return 1;
-
- /* Auto-Neg is enabled. Auto Speed Detection takes care
- * of MAC speed/duplex configuration. So we only need to
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Peter Malone <peter.malone@gmail.com>
-Date: Wed, 7 Mar 2018 14:00:34 +0100
-Subject: fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
-
-From: Peter Malone <peter.malone@gmail.com>
-
-[ Upstream commit 250c6c49e3b68756b14983c076183568636e2bde ]
-
-Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
-sbusfb_ioctl_helper().
-
-'index' is defined as an int in sbusfb_ioctl_helper().
-We retrieve this from the user:
-if (get_user(index, &c->index) ||
- __get_user(count, &c->count) ||
- __get_user(ured, &c->red) ||
- __get_user(ugreen, &c->green) ||
- __get_user(ublue, &c->blue))
- return -EFAULT;
-
-and then we use 'index' in the following way:
-red = cmap->red[index + i] >> 8;
-green = cmap->green[index + i] >> 8;
-blue = cmap->blue[index + i] >> 8;
-
-This is a classic information leak vulnerability. 'index' should be
-an unsigned int, given its usage above.
-
-This patch is straight-forward; it changes 'index' to unsigned int
-in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.
-
-This patch fixes CVE-2018-6412.
-
-Signed-off-by: Peter Malone <peter.malone@gmail.com>
-Acked-by: Mathieu Malaterre <malat@debian.org>
-Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/video/fbdev/sbuslib.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/video/fbdev/sbuslib.c
-+++ b/drivers/video/fbdev/sbuslib.c
-@@ -121,7 +121,7 @@ int sbusfb_ioctl_helper(unsigned long cm
- unsigned char __user *ured;
- unsigned char __user *ugreen;
- unsigned char __user *ublue;
-- int index, count, i;
-+ unsigned int index, count, i;
-
- if (get_user(index, &c->index) ||
- __get_user(count, &c->count) ||
-@@ -160,7 +160,7 @@ int sbusfb_ioctl_helper(unsigned long cm
- unsigned char __user *ugreen;
- unsigned char __user *ublue;
- struct fb_cmap *cmap = &info->cmap;
-- int index, count, i;
-+ unsigned int index, count, i;
- u8 red, green, blue;
-
- if (get_user(index, &c->index) ||
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Hector Martin <marcan@marcan.st>
-Date: Fri, 3 Nov 2017 20:28:57 +0900
-Subject: firewire-ohci: work around oversized DMA reads on JMicron controllers
-
-From: Hector Martin <marcan@marcan.st>
-
-[ Upstream commit 188775181bc05f29372b305ef96485840e351fde ]
-
-At least some JMicron controllers issue buggy oversized DMA reads when
-fetching context descriptors, always fetching 0x20 bytes at once for
-descriptors which are only 0x10 bytes long. This is often harmless, but
-can cause page faults on modern systems with IOMMUs:
-
-DMAR: [DMA Read] Request device [05:00.0] fault addr fff56000 [fault reason 06] PTE Read access is not set
-firewire_ohci 0000:05:00.0: DMA context IT0 has stopped, error code: evt_descriptor_read
-
-This works around the problem by always leaving 0x10 padding bytes at
-the end of descriptor buffer pages, which should be harmless to do
-unconditionally for controllers in case others have the same behavior.
-
-Signed-off-by: Hector Martin <marcan@marcan.st>
-Reviewed-by: Clemens Ladisch <clemens@ladisch.de>
-Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/firewire/ohci.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/drivers/firewire/ohci.c
-+++ b/drivers/firewire/ohci.c
-@@ -1137,7 +1137,13 @@ static int context_add_buffer(struct con
- return -ENOMEM;
-
- offset = (void *)&desc->buffer - (void *)desc;
-- desc->buffer_size = PAGE_SIZE - offset;
-+ /*
-+ * Some controllers, like JMicron ones, always issue 0x20-byte DMA reads
-+ * for descriptors, even 0x10-byte ones. This can cause page faults when
-+ * an IOMMU is in use and the oversized read crosses a page boundary.
-+ * Work around this by always leaving at least 0x10 bytes of padding.
-+ */
-+ desc->buffer_size = PAGE_SIZE - offset - 0x10;
- desc->buffer_bus = bus_addr + offset;
- desc->used = 0;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Jean Delvare <jdelvare@suse.de>
-Date: Sat, 3 Feb 2018 11:25:20 +0100
-Subject: firmware: dmi_scan: Fix handling of empty DMI strings
-
-From: Jean Delvare <jdelvare@suse.de>
-
-[ Upstream commit a7770ae194569e96a93c48aceb304edded9cc648 ]
-
-The handling of empty DMI strings looks quite broken to me:
-* Strings from 1 to 7 spaces are not considered empty.
-* True empty DMI strings (string index set to 0) are not considered
- empty, and result in allocating a 0-char string.
-* Strings with invalid index also result in allocating a 0-char
- string.
-* Strings starting with 8 spaces are all considered empty, even if
- non-space characters follow (sounds like a weird thing to do, but
- I have actually seen occurrences of this in DMI tables before.)
-* Strings which are considered empty are reported as 8 spaces,
- instead of being actually empty.
-
-Some of these issues are the result of an off-by-one error in memcmp,
-the rest is incorrect by design.
-
-So let's get it square: missing strings and strings made of only
-spaces, regardless of their length, should be treated as empty and
-no memory should be allocated for them. All other strings are
-non-empty and should be allocated.
-
-Signed-off-by: Jean Delvare <jdelvare@suse.de>
-Fixes: 79da4721117f ("x86: fix DMI out of memory problems")
-Cc: Parag Warudkar <parag.warudkar@gmail.com>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/firmware/dmi_scan.c | 22 +++++++++-------------
- 1 file changed, 9 insertions(+), 13 deletions(-)
-
---- a/drivers/firmware/dmi_scan.c
-+++ b/drivers/firmware/dmi_scan.c
-@@ -15,7 +15,7 @@
- * of and an antecedent to, SMBIOS, which stands for System
- * Management BIOS. See further: http://www.dmtf.org/standards
- */
--static const char dmi_empty_string[] = " ";
-+static const char dmi_empty_string[] = "";
-
- static u16 __initdata dmi_ver;
- /*
-@@ -36,25 +36,21 @@ static int dmi_memdev_nr;
- static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s)
- {
- const u8 *bp = ((u8 *) dm) + dm->length;
-+ const u8 *nsp;
-
- if (s) {
-- s--;
-- while (s > 0 && *bp) {
-+ while (--s > 0 && *bp)
- bp += strlen(bp) + 1;
-- s--;
-- }
-
-- if (*bp != 0) {
-- size_t len = strlen(bp)+1;
-- size_t cmp_len = len > 8 ? 8 : len;
--
-- if (!memcmp(bp, dmi_empty_string, cmp_len))
-- return dmi_empty_string;
-+ /* Strings containing only spaces are considered empty */
-+ nsp = bp;
-+ while (*nsp == ' ')
-+ nsp++;
-+ if (*nsp != '\0')
- return bp;
-- }
- }
-
-- return "";
-+ return dmi_empty_string;
- }
-
- static const char * __init dmi_string(const struct dmi_header *dm, u8 s)
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Carlos Maiolino <cmaiolino@redhat.com>
-Date: Tue, 10 Apr 2018 22:39:04 -0700
-Subject: Force log to disk before reading the AGF during a fstrim
-
-From: Carlos Maiolino <cmaiolino@redhat.com>
-
-[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ]
-
-Forcing the log to disk after reading the agf is wrong, we might be
-calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held.
-
-This can cause a deadlock when racing a fstrim with a filesystem
-shutdown.
-
-The deadlock has been identified due a miscalculation bug in device-mapper
-dm-thin, which returns lack of space to its users earlier than the device itself
-really runs out of space, changing the device-mapper volume into an error state.
-
-The problem happened while filling the filesystem with a single file,
-triggering the bug in device-mapper, consequently causing an IO error
-and shutting down the filesystem.
-
-If such file is removed, and fstrim executed before the XFS finishes the
-shut down process, the fstrim process will end up holding the buffer
-lock, and going to sleep on the cil wait queue.
-
-At this point, the shut down process will try to wake up all the threads
-waiting on the cil wait queue, but for this, it will try to hold the
-same buffer log already held my the fstrim, locking up the filesystem.
-
-Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
-Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/xfs/xfs_discard.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
---- a/fs/xfs/xfs_discard.c
-+++ b/fs/xfs/xfs_discard.c
-@@ -51,19 +51,19 @@ xfs_trim_extents(
-
- pag = xfs_perag_get(mp, agno);
-
-- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
-- if (error || !agbp)
-- goto out_put_perag;
--
-- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
--
- /*
- * Force out the log. This means any transactions that might have freed
-- * space before we took the AGF buffer lock are now on disk, and the
-+ * space before we take the AGF buffer lock are now on disk, and the
- * volatile disk cache is flushed.
- */
- xfs_log_force(mp, XFS_LOG_SYNC);
-
-+ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
-+ if (error || !agbp)
-+ goto out_put_perag;
-+
-+ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
-+
- /*
- * Look up the longest btree in the AGF and start with it.
- */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Danilo Krummrich <danilokrummrich@dk-develop.de>
-Date: Tue, 10 Apr 2018 16:31:38 -0700
-Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table
-
-From: Danilo Krummrich <danilokrummrich@dk-develop.de>
-
-[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ]
-
-proc_sys_link_fill_cache() does not take currently unregistering sysctl
-tables into account, which might result into a page fault in
-sysctl_follow_link() - add a check to fix it.
-
-This bug has been present since v3.4.
-
-Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de
-Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
-Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
-Acked-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
-Cc: "Eric W. Biederman" <ebiederm@xmission.com>
-Cc: Alexey Dobriyan <adobriyan@gmail.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/proc/proc_sysctl.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -617,7 +617,10 @@ static bool proc_sys_link_fill_cache(str
- struct ctl_table *table)
- {
- bool ret = true;
-+
- head = sysctl_head_grab(head);
-+ if (IS_ERR(head))
-+ return false;
-
- if (S_ISLNK(table->mode)) {
- /* It is not an error if we can not follow the link ignore it */
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Wed, 10 Jan 2018 12:39:03 +0300
-Subject: HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit 7ad81482cad67cbe1ec808490d1ddfc420c42008 ]
-
-We get the "new_profile_index" value from the mouse device when we're
-handling raw events. Smatch taints it as untrusted data and complains
-that we need a bounds check. This seems like a reasonable warning
-otherwise there is a small read beyond the end of the array.
-
-Fixes: 0e70f97f257e ("HID: roccat: Add support for Kova[+] mouse")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Acked-by: Silvan Jegen <s.jegen@gmail.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hid/hid-roccat-kovaplus.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/hid/hid-roccat-kovaplus.c
-+++ b/drivers/hid/hid-roccat-kovaplus.c
-@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(u
- static void kovaplus_profile_activated(struct kovaplus_device *kovaplus,
- uint new_profile_index)
- {
-+ if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings))
-+ return;
- kovaplus->actual_profile = new_profile_index;
- kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level;
- kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Guenter Roeck <linux@roeck-us.net>
-Date: Mon, 26 Mar 2018 19:50:31 -0700
-Subject: hwmon: (nct6775) Fix writing pwmX_mode
-
-From: Guenter Roeck <linux@roeck-us.net>
-
-[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ]
-
-pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip
-register bit is set to 1 for DC mode. This got mixed up, and writing
-1 into pwmX_mode resulted in DC mode enabled. Fix it up by using
-the ABI definition throughout the driver for consistency.
-
-Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ")
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hwmon/nct6775.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/drivers/hwmon/nct6775.c
-+++ b/drivers/hwmon/nct6775.c
-@@ -1286,7 +1286,7 @@ static void nct6775_update_pwm(struct de
- duty_is_dc = data->REG_PWM_MODE[i] &&
- (nct6775_read_value(data, data->REG_PWM_MODE[i])
- & data->PWM_MODE_MASK[i]);
-- data->pwm_mode[i] = duty_is_dc;
-+ data->pwm_mode[i] = !duty_is_dc;
-
- fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]);
- for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) {
-@@ -2145,7 +2145,7 @@ show_pwm_mode(struct device *dev, struct
- struct nct6775_data *data = nct6775_update_device(dev);
- struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr);
-
-- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]);
-+ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]);
- }
-
- static ssize_t
-@@ -2166,9 +2166,9 @@ store_pwm_mode(struct device *dev, struc
- if (val > 1)
- return -EINVAL;
-
-- /* Setting DC mode is not supported for all chips/channels */
-+ /* Setting DC mode (0) is not supported for all chips/channels */
- if (data->REG_PWM_MODE[nr] == 0) {
-- if (val)
-+ if (!val)
- return -EINVAL;
- return count;
- }
-@@ -2177,7 +2177,7 @@ store_pwm_mode(struct device *dev, struc
- data->pwm_mode[nr] = val;
- reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]);
- reg &= ~data->PWM_MODE_MASK[nr];
-- if (val)
-+ if (!val)
- reg |= data->PWM_MODE_MASK[nr];
- nct6775_write_value(data, data->REG_PWM_MODE[nr], reg);
- mutex_unlock(&data->update_lock);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Guenter Roeck <linux@roeck-us.net>
-Date: Sat, 10 Mar 2018 17:55:47 -0800
-Subject: hwmon: (pmbus/adm1275) Accept negative page register values
-
-From: Guenter Roeck <linux@roeck-us.net>
-
-[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ]
-
-A negative page register value means that no page needs to be
-selected. This is used by status register read operations and needs
-to be accepted. The failure to do so so results in missed status
-and limit registers.
-
-Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hwmon/pmbus/adm1275.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/hwmon/pmbus/adm1275.c
-+++ b/drivers/hwmon/pmbus/adm1275.c
-@@ -67,7 +67,7 @@ static int adm1275_read_word_data(struct
- const struct adm1275_data *data = to_adm1275_data(info);
- int ret = 0;
-
-- if (page)
-+ if (page > 0)
- return -ENXIO;
-
- switch (reg) {
-@@ -144,7 +144,7 @@ static int adm1275_write_word_data(struc
- {
- int ret;
-
-- if (page)
-+ if (page > 0)
- return -ENXIO;
-
- switch (reg) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Guenter Roeck <linux@roeck-us.net>
-Date: Sat, 10 Mar 2018 17:49:47 -0800
-Subject: hwmon: (pmbus/max8688) Accept negative page register values
-
-From: Guenter Roeck <linux@roeck-us.net>
-
-[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ]
-
-A negative page register value means that no page needs to be
-selected. This is used by status register evaluations and needs
-to be accepted.
-
-Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hwmon/pmbus/max8688.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/hwmon/pmbus/max8688.c
-+++ b/drivers/hwmon/pmbus/max8688.c
-@@ -44,7 +44,7 @@ static int max8688_read_word_data(struct
- {
- int ret;
-
-- if (page)
-+ if (page > 0)
- return -ENXIO;
-
- switch (reg) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Gregory CLEMENT <gregory.clement@bootlin.com>
-Date: Wed, 14 Mar 2018 18:03:40 +0100
-Subject: i2c: mv64xxx: Apply errata delay only in standard mode
-
-From: Gregory CLEMENT <gregory.clement@bootlin.com>
-
-[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ]
-
-The errata FE-8471889 description has been updated. There is still a
-timing violation for repeated start. But the errata now states that it
-was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
-there is no issue.
-
-This patch limit the errata fix to the Standard mode.
-
-It has been tesed successfully on the clearfog (Aramda 388 based board).
-
-Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
-Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/i2c/busses/i2c-mv64xxx.c
-+++ b/drivers/i2c/busses/i2c-mv64xxx.c
-@@ -783,12 +783,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
- */
- if (of_device_is_compatible(np, "marvell,mv78230-i2c")) {
- drv_data->offload_enabled = true;
-- drv_data->errata_delay = true;
-+ /* The delay is only needed in standard mode (100kHz) */
-+ if (bus_freq <= 100000)
-+ drv_data->errata_delay = true;
- }
-
- if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) {
- drv_data->offload_enabled = false;
-- drv_data->errata_delay = true;
-+ /* The delay is only needed in standard mode (100kHz) */
-+ if (bus_freq <= 100000)
-+ drv_data->errata_delay = true;
- }
-
- if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c"))
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Alex Estrin <alex.estrin@intel.com>
-Date: Thu, 1 Feb 2018 10:55:41 -0800
-Subject: IB/ipoib: Fix for potential no-carrier state
-
-From: Alex Estrin <alex.estrin@intel.com>
-
-[ Upstream commit 1029361084d18cc270f64dfd39529fafa10cfe01 ]
-
-On reboot SM can program port pkey table before ipoib registered its
-event handler, which could result in missing pkey event and leave root
-interface with initial pkey value from index 0.
-
-Since OPA port starts with invalid pkey in index 0, root interface will
-fail to initialize and stay down with no-carrier flag.
-
-For IB ipoib interface may end up with pkey different from value
-opensm put in pkey table idx 0, resulting in connectivity issues
-(different mcast groups, for example).
-
-Close the window by calling event handler after registration
-to make sure ipoib pkey is in sync with port pkey table.
-
-Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
-Reviewed-by: Ira Weiny <ira.weiny@intel.com>
-Signed-off-by: Alex Estrin <alex.estrin@intel.com>
-Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
-Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
-+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
-@@ -1644,6 +1644,9 @@ static struct net_device *ipoib_add_port
- goto event_failed;
- }
-
-+ /* call event handler to ensure pkey in sync */
-+ queue_work(ipoib_workqueue, &priv->flush_heavy);
-+
- result = register_netdev(priv->dev);
- if (result) {
- printk(KERN_WARNING "%s: couldn't register ipoib port %d; error %d\n",
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Petr Vorel <pvorel@suse.cz>
-Date: Fri, 23 Mar 2018 14:41:08 +0100
-Subject: ima: Fallback to the builtin hash algorithm
-
-From: Petr Vorel <pvorel@suse.cz>
-
-[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ]
-
-IMA requires having it's hash algorithm be compiled-in due to it's
-early use. The default IMA algorithm is protected by Kconfig to be
-compiled-in.
-
-The ima_hash kernel parameter allows to choose the hash algorithm. When
-the specified algorithm is not available or available as a module, IMA
-initialization fails, which leads to a kernel panic (mknodat syscall calls
-ima_post_path_mknod()). Therefore as fallback we force IMA to use
-the default builtin Kconfig hash algorithm.
-
-Fixed crash:
-
-$ grep CONFIG_CRYPTO_MD4 .config
-CONFIG_CRYPTO_MD4=m
-
-[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4
-...
-[ 1.545190] ima: Can not allocate md4 (reason: -2)
-...
-[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null)
-[ 2.611903] IP: ima_match_policy+0x23/0x390
-[ 2.612967] PGD 0 P4D 0
-[ 2.613080] Oops: 0000 [#1] SMP
-[ 2.613080] Modules linked in: autofs4
-[ 2.613080] Supported: Yes
-[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1
-[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
-[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000
-[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390
-[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296
-[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004
-[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728
-[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000
-[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f
-[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000
-[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
-[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0
-[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-[ 2.613080] Call Trace:
-[ 2.613080] ? shmem_mknod+0xbf/0xd0
-[ 2.613080] ima_post_path_mknod+0x1c/0x40
-[ 2.613080] SyS_mknod+0x210/0x220
-[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5
-[ 2.613080] RIP: 0033:0x7f5c1bfde570
-[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
-[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570
-[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f
-[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000
-[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660
-[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
-[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20
-[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88
-[ 2.613080] CR2: 0000000000000000
-[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]---
-[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
-[ 2.673052]
-[ 2.675337] Kernel Offset: disabled
-[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
-
-Signed-off-by: Petr Vorel <pvorel@suse.cz>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- security/integrity/ima/ima_crypto.c | 2 ++
- security/integrity/ima/ima_main.c | 13 +++++++++++++
- 2 files changed, 15 insertions(+)
-
---- a/security/integrity/ima/ima_crypto.c
-+++ b/security/integrity/ima/ima_crypto.c
-@@ -108,6 +108,8 @@ int __init ima_init_crypto(void)
- hash_algo_name[ima_hash_algo], rc);
- return rc;
- }
-+ pr_info("Allocated hash algorithm: %s\n",
-+ hash_algo_name[ima_hash_algo]);
- return 0;
- }
-
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -16,6 +16,9 @@
- * implements the IMA hooks: ima_bprm_check, ima_file_mmap,
- * and ima_file_check.
- */
-+
-+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-+
- #include <linux/module.h>
- #include <linux/file.h>
- #include <linux/binfmts.h>
-@@ -351,6 +354,16 @@ static int __init init_ima(void)
-
- hash_setup(CONFIG_IMA_DEFAULT_HASH);
- error = ima_init();
-+
-+ if (error && strcmp(hash_algo_name[ima_hash_algo],
-+ CONFIG_IMA_DEFAULT_HASH) != 0) {
-+ pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
-+ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
-+ hash_setup_done = 0;
-+ hash_setup(CONFIG_IMA_DEFAULT_HASH);
-+ error = ima_init();
-+ }
-+
- if (!error) {
- ima_initialized = 1;
- ima_update_policy_flag();
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Mark Salter <msalter@redhat.com>
-Date: Fri, 2 Feb 2018 09:20:29 -0500
-Subject: irqchip/gic-v3: Change pr_debug message to pr_devel
-
-From: Mark Salter <msalter@redhat.com>
-
-[ Upstream commit b6dd4d83dc2f78cebc9a7e6e7e4bc2be4d29b94d ]
-
-The pr_debug() in gic-v3 gic_send_sgi() can trigger a circular locking
-warning:
-
- GICv3: CPU10: ICC_SGI1R_EL1 5000400
- ======================================================
- WARNING: possible circular locking dependency detected
- 4.15.0+ #1 Tainted: G W
- ------------------------------------------------------
- dynamic_debug01/1873 is trying to acquire lock:
- ((console_sem).lock){-...}, at: [<0000000099c891ec>] down_trylock+0x20/0x4c
-
- but task is already holding lock:
- (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc
-
- which lock already depends on the new lock.
-
- the existing dependency chain (in reverse order) is:
-
- -> #2 (&rq->lock){-.-.}:
- __lock_acquire+0x3b4/0x6e0
- lock_acquire+0xf4/0x2a8
- _raw_spin_lock+0x4c/0x60
- task_fork_fair+0x3c/0x148
- sched_fork+0x10c/0x214
- copy_process.isra.32.part.33+0x4e8/0x14f0
- _do_fork+0xe8/0x78c
- kernel_thread+0x48/0x54
- rest_init+0x34/0x2a4
- start_kernel+0x45c/0x488
-
- -> #1 (&p->pi_lock){-.-.}:
- __lock_acquire+0x3b4/0x6e0
- lock_acquire+0xf4/0x2a8
- _raw_spin_lock_irqsave+0x58/0x70
- try_to_wake_up+0x48/0x600
- wake_up_process+0x28/0x34
- __up.isra.0+0x60/0x6c
- up+0x60/0x68
- __up_console_sem+0x4c/0x7c
- console_unlock+0x328/0x634
- vprintk_emit+0x25c/0x390
- dev_vprintk_emit+0xc4/0x1fc
- dev_printk_emit+0x88/0xa8
- __dev_printk+0x58/0x9c
- _dev_info+0x84/0xa8
- usb_new_device+0x100/0x474
- hub_port_connect+0x280/0x92c
- hub_event+0x740/0xa84
- process_one_work+0x240/0x70c
- worker_thread+0x60/0x400
- kthread+0x110/0x13c
- ret_from_fork+0x10/0x18
-
- -> #0 ((console_sem).lock){-...}:
- validate_chain.isra.34+0x6e4/0xa20
- __lock_acquire+0x3b4/0x6e0
- lock_acquire+0xf4/0x2a8
- _raw_spin_lock_irqsave+0x58/0x70
- down_trylock+0x20/0x4c
- __down_trylock_console_sem+0x3c/0x9c
- console_trylock+0x20/0xb0
- vprintk_emit+0x254/0x390
- vprintk_default+0x58/0x90
- vprintk_func+0xbc/0x164
- printk+0x80/0xa0
- __dynamic_pr_debug+0x84/0xac
- gic_raise_softirq+0x184/0x18c
- smp_cross_call+0xac/0x218
- smp_send_reschedule+0x3c/0x48
- resched_curr+0x60/0x9c
- check_preempt_curr+0x70/0xdc
- wake_up_new_task+0x310/0x470
- _do_fork+0x188/0x78c
- SyS_clone+0x44/0x50
- __sys_trace_return+0x0/0x4
-
- other info that might help us debug this:
-
- Chain exists of:
- (console_sem).lock --> &p->pi_lock --> &rq->lock
-
- Possible unsafe locking scenario:
-
- CPU0 CPU1
- ---- ----
- lock(&rq->lock);
- lock(&p->pi_lock);
- lock(&rq->lock);
- lock((console_sem).lock);
-
- *** DEADLOCK ***
-
- 2 locks held by dynamic_debug01/1873:
- #0: (&p->pi_lock){-.-.}, at: [<000000001366df53>] wake_up_new_task+0x40/0x470
- #1: (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc
-
- stack backtrace:
- CPU: 10 PID: 1873 Comm: dynamic_debug01 Tainted: G W 4.15.0+ #1
- Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS T48 10/02/2017
- Call trace:
- dump_backtrace+0x0/0x188
- show_stack+0x24/0x2c
- dump_stack+0xa4/0xe0
- print_circular_bug.isra.31+0x29c/0x2b8
- check_prev_add.constprop.39+0x6c8/0x6dc
- validate_chain.isra.34+0x6e4/0xa20
- __lock_acquire+0x3b4/0x6e0
- lock_acquire+0xf4/0x2a8
- _raw_spin_lock_irqsave+0x58/0x70
- down_trylock+0x20/0x4c
- __down_trylock_console_sem+0x3c/0x9c
- console_trylock+0x20/0xb0
- vprintk_emit+0x254/0x390
- vprintk_default+0x58/0x90
- vprintk_func+0xbc/0x164
- printk+0x80/0xa0
- __dynamic_pr_debug+0x84/0xac
- gic_raise_softirq+0x184/0x18c
- smp_cross_call+0xac/0x218
- smp_send_reschedule+0x3c/0x48
- resched_curr+0x60/0x9c
- check_preempt_curr+0x70/0xdc
- wake_up_new_task+0x310/0x470
- _do_fork+0x188/0x78c
- SyS_clone+0x44/0x50
- __sys_trace_return+0x0/0x4
- GICv3: CPU0: ICC_SGI1R_EL1 12000
-
-This could be fixed with printk_deferred() but that might lessen its
-usefulness for debugging. So change it to pr_devel to keep it out of
-production kernels. Developers working on gic-v3 can enable it as
-needed in their kernels.
-
-Signed-off-by: Mark Salter <msalter@redhat.com>
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/irqchip/irq-gic-v3.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/irqchip/irq-gic-v3.c
-+++ b/drivers/irqchip/irq-gic-v3.c
-@@ -488,7 +488,7 @@ static void gic_send_sgi(u64 cluster_id,
- MPIDR_TO_SGI_AFFINITY(cluster_id, 1) |
- tlist << ICC_SGI1R_TARGET_LIST_SHIFT);
-
-- pr_debug("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val);
-+ pr_devel("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val);
- gic_write_sgi1r(val);
- }
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Jake Daryll Obina <jake.obina@gmail.com>
-Date: Fri, 22 Sep 2017 00:00:14 +0800
-Subject: jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
-
-From: Jake Daryll Obina <jake.obina@gmail.com>
-
-[ Upstream commit 5bdd0c6f89fba430e18d636493398389dadc3b17 ]
-
-If jffs2_iget() fails for a newly-allocated inode, jffs2_do_clear_inode()
-can get called twice in the error handling path, the first call in
-jffs2_iget() itself and the second through iget_failed(). This can result
-to a use-after-free error in the second jffs2_do_clear_inode() call, such
-as shown by the oops below wherein the second jffs2_do_clear_inode() call
-was trying to free node fragments that were already freed in the first
-jffs2_do_clear_inode() call.
-
-[ 78.178860] jffs2: error: (1904) jffs2_do_read_inode_internal: CRC failed for read_inode of inode 24 at physical location 0x1fc00c
-[ 78.178914] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b7b
-[ 78.185871] pgd = ffffffc03a567000
-[ 78.188794] [6b6b6b6b6b6b6b7b] *pgd=0000000000000000, *pud=0000000000000000
-[ 78.194968] Internal error: Oops: 96000004 [#1] PREEMPT SMP
-...
-[ 78.513147] PC is at rb_first_postorder+0xc/0x28
-[ 78.516503] LR is at jffs2_kill_fragtree+0x28/0x90 [jffs2]
-[ 78.520672] pc : [<ffffff8008323d28>] lr : [<ffffff8000eb1cc8>] pstate: 60000105
-[ 78.526757] sp : ffffff800cea38f0
-[ 78.528753] x29: ffffff800cea38f0 x28: ffffffc01f3f8e80
-[ 78.532754] x27: 0000000000000000 x26: ffffff800cea3c70
-[ 78.536756] x25: 00000000dc67c8ae x24: ffffffc033d6945d
-[ 78.540759] x23: ffffffc036811740 x22: ffffff800891a5b8
-[ 78.544760] x21: 0000000000000000 x20: 0000000000000000
-[ 78.548762] x19: ffffffc037d48910 x18: ffffff800891a588
-[ 78.552764] x17: 0000000000000800 x16: 0000000000000c00
-[ 78.556766] x15: 0000000000000010 x14: 6f2065646f6e695f
-[ 78.560767] x13: 6461657220726f66 x12: 2064656c69616620
-[ 78.564769] x11: 435243203a6c616e x10: 7265746e695f6564
-[ 78.568771] x9 : 6f6e695f64616572 x8 : ffffffc037974038
-[ 78.572774] x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008
-[ 78.576775] x5 : 002f91d85bd44a2f x4 : 0000000000000000
-[ 78.580777] x3 : 0000000000000000 x2 : 000000403755e000
-[ 78.584779] x1 : 6b6b6b6b6b6b6b6b x0 : 6b6b6b6b6b6b6b6b
-...
-[ 79.038551] [<ffffff8008323d28>] rb_first_postorder+0xc/0x28
-[ 79.042962] [<ffffff8000eb5578>] jffs2_do_clear_inode+0x88/0x100 [jffs2]
-[ 79.048395] [<ffffff8000eb9ddc>] jffs2_evict_inode+0x3c/0x48 [jffs2]
-[ 79.053443] [<ffffff8008201ca8>] evict+0xb0/0x168
-[ 79.056835] [<ffffff8008202650>] iput+0x1c0/0x200
-[ 79.060228] [<ffffff800820408c>] iget_failed+0x30/0x3c
-[ 79.064097] [<ffffff8000eba0c0>] jffs2_iget+0x2d8/0x360 [jffs2]
-[ 79.068740] [<ffffff8000eb0a60>] jffs2_lookup+0xe8/0x130 [jffs2]
-[ 79.073434] [<ffffff80081f1a28>] lookup_slow+0x118/0x190
-[ 79.077435] [<ffffff80081f4708>] walk_component+0xfc/0x28c
-[ 79.081610] [<ffffff80081f4dd0>] path_lookupat+0x84/0x108
-[ 79.085699] [<ffffff80081f5578>] filename_lookup+0x88/0x100
-[ 79.089960] [<ffffff80081f572c>] user_path_at_empty+0x58/0x6c
-[ 79.094396] [<ffffff80081ebe14>] vfs_statx+0xa4/0x114
-[ 79.098138] [<ffffff80081ec44c>] SyS_newfstatat+0x58/0x98
-[ 79.102227] [<ffffff800808354c>] __sys_trace_return+0x0/0x4
-[ 79.106489] Code: d65f03c0 f9400001 b40000e1 aa0103e0 (f9400821)
-
-The jffs2_do_clear_inode() call in jffs2_iget() is unnecessary since
-iget_failed() will eventually call jffs2_do_clear_inode() if needed, so
-just remove it.
-
-Fixes: 5451f79f5f81 ("iget: stop JFFS2 from using iget() and read_inode()")
-Reviewed-by: Richard Weinberger <richard@nod.at>
-Signed-off-by: Jake Daryll Obina <jake.obina@gmail.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/jffs2/fs.c | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/fs/jffs2/fs.c
-+++ b/fs/jffs2/fs.c
-@@ -363,7 +363,6 @@ error_io:
- ret = -EIO;
- error:
- mutex_unlock(&f->sem);
-- jffs2_do_clear_inode(c, f);
- iget_failed(inode);
- return ERR_PTR(ret);
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Ulf Magnusson <ulfalizer@gmail.com>
-Date: Sun, 8 Oct 2017 19:11:21 +0200
-Subject: kconfig: Don't leak main menus during parsing
-
-From: Ulf Magnusson <ulfalizer@gmail.com>
-
-[ Upstream commit 0724a7c32a54e3e50d28e19e30c59014f61d4e2c ]
-
-If a 'mainmenu' entry appeared in the Kconfig files, two things would
-leak:
-
- - The 'struct property' allocated for the default "Linux Kernel
- Configuration" prompt.
-
- - The string for the T_WORD/T_WORD_QUOTE prompt after the
- T_MAINMENU token, allocated on the heap in zconf.l.
-
-To fix it, introduce a new 'no_mainmenu_stmt' nonterminal that matches
-if there's no 'mainmenu' and adds the default prompt. That means the
-prompt only gets allocated once regardless of whether there's a
-'mainmenu' statement or not, and managing it becomes simple.
-
-Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix:
-
- LEAK SUMMARY:
- definitely lost: 344,568 bytes in 14,352 blocks
- ...
-
-Summary after the fix:
-
- LEAK SUMMARY:
- definitely lost: 344,440 bytes in 14,350 blocks
- ...
-
-Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com>
-Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- scripts/kconfig/zconf.y | 33 ++++++++++++++++++++++++---------
- 1 file changed, 24 insertions(+), 9 deletions(-)
-
---- a/scripts/kconfig/zconf.y
-+++ b/scripts/kconfig/zconf.y
-@@ -102,7 +102,27 @@ static struct menu *current_menu, *curre
- %%
- input: nl start | start;
-
--start: mainmenu_stmt stmt_list | stmt_list;
-+start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list;
-+
-+/* mainmenu entry */
-+
-+mainmenu_stmt: T_MAINMENU prompt nl
-+{
-+ menu_add_prompt(P_MENU, $2, NULL);
-+};
-+
-+/* Default main menu, if there's no mainmenu entry */
-+
-+no_mainmenu_stmt: /* empty */
-+{
-+ /*
-+ * Hack: Keep the main menu title on the heap so we can safely free it
-+ * later regardless of whether it comes from the 'prompt' in
-+ * mainmenu_stmt or here
-+ */
-+ menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL);
-+};
-+
-
- stmt_list:
- /* empty */
-@@ -339,13 +359,6 @@ if_block:
- | if_block choice_stmt
- ;
-
--/* mainmenu entry */
--
--mainmenu_stmt: T_MAINMENU prompt nl
--{
-- menu_add_prompt(P_MENU, $2, NULL);
--};
--
- /* menu entry */
-
- menu: T_MENU prompt T_EOL
-@@ -486,6 +499,7 @@ word_opt: /* empty */ { $$ = NULL; }
-
- void conf_parse(const char *name)
- {
-+ const char *tmp;
- struct symbol *sym;
- int i;
-
-@@ -493,7 +507,6 @@ void conf_parse(const char *name)
-
- sym_init();
- _menu_init();
-- rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL);
-
- if (getenv("ZCONF_DEBUG"))
- zconfdebug = 1;
-@@ -503,8 +516,10 @@ void conf_parse(const char *name)
- if (!modules_sym)
- modules_sym = sym_find( "n" );
-
-+ tmp = rootmenu.prompt->text;
- rootmenu.prompt->text = _(rootmenu.prompt->text);
- rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text);
-+ free((char*)tmp);
-
- menu_finalize(&rootmenu);
- for_all_symbols(i, sym) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Ulf Magnusson <ulfalizer@gmail.com>
-Date: Sun, 8 Oct 2017 19:35:44 +0200
-Subject: kconfig: Fix automatic menu creation mem leak
-
-From: Ulf Magnusson <ulfalizer@gmail.com>
-
-[ Upstream commit ae7440ef0c8013d68c00dad6900e7cce5311bb1c ]
-
-expr_trans_compare() always allocates and returns a new expression,
-giving the following leak outline:
-
- ...
- *Allocate*
- basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no);
- ...
- for (menu = parent->next; menu; menu = menu->next) {
- ...
- *Copy*
- dep2 = expr_copy(basedep);
- ...
- *Free copy*
- expr_free(dep2);
- }
- *basedep lost!*
-
-Fix by freeing 'basedep' after the loop.
-
-Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix:
-
- LEAK SUMMARY:
- definitely lost: 344,376 bytes in 14,349 blocks
- ...
-
-Summary after the fix:
-
- LEAK SUMMARY:
- definitely lost: 44,448 bytes in 1,852 blocks
- ...
-
-Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com>
-Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- scripts/kconfig/menu.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/scripts/kconfig/menu.c
-+++ b/scripts/kconfig/menu.c
-@@ -364,6 +364,7 @@ void menu_finalize(struct menu *parent)
- menu->parent = parent;
- last_menu = menu;
- }
-+ expr_free(basedep);
- if (last_menu) {
- parent->list = parent->next;
- parent->next = last_menu->next;
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Ulf Magnusson <ulfalizer@gmail.com>
-Date: Sun, 8 Oct 2017 19:35:45 +0200
-Subject: kconfig: Fix expr_free() E_NOT leak
-
-From: Ulf Magnusson <ulfalizer@gmail.com>
-
-[ Upstream commit 5b1374b3b3c2fc4f63a398adfa446fb8eff791a4 ]
-
-Only the E_NOT operand and not the E_NOT node itself was freed, due to
-accidentally returning too early in expr_free(). Outline of leak:
-
- switch (e->type) {
- ...
- case E_NOT:
- expr_free(e->left.expr);
- return;
- ...
- }
- *Never reached, 'e' leaked*
- free(e);
-
-Fix by changing the 'return' to a 'break'.
-
-Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix:
-
- LEAK SUMMARY:
- definitely lost: 44,448 bytes in 1,852 blocks
- ...
-
-Summary after the fix:
-
- LEAK SUMMARY:
- definitely lost: 1,608 bytes in 67 blocks
- ...
-
-Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com>
-Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- scripts/kconfig/expr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/scripts/kconfig/expr.c
-+++ b/scripts/kconfig/expr.c
-@@ -106,7 +106,7 @@ void expr_free(struct expr *e)
- break;
- case E_NOT:
- expr_free(e->left.expr);
-- return;
-+ break;
- case E_EQUAL:
- case E_UNEQUAL:
- break;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Randy Dunlap <rdunlap@infradead.org>
-Date: Fri, 8 Dec 2017 10:19:19 -0800
-Subject: kdb: make "mdr" command repeat
-
-From: Randy Dunlap <rdunlap@infradead.org>
-
-[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ]
-
-The "mdr" command should repeat (continue) when only Enter/Return
-is pressed, so make it do so.
-
-Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
-Cc: Daniel Thompson <daniel.thompson@linaro.org>
-Cc: Jason Wessel <jason.wessel@windriver.com>
-Cc: kgdb-bugreport@lists.sourceforge.net
-Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------
- 1 file changed, 21 insertions(+), 6 deletions(-)
-
---- a/kernel/debug/kdb/kdb_main.c
-+++ b/kernel/debug/kdb/kdb_main.c
-@@ -1524,6 +1524,7 @@ static int kdb_md(int argc, const char *
- int symbolic = 0;
- int valid = 0;
- int phys = 0;
-+ int raw = 0;
-
- kdbgetintenv("MDCOUNT", &mdcount);
- kdbgetintenv("RADIX", &radix);
-@@ -1533,9 +1534,10 @@ static int kdb_md(int argc, const char *
- repeat = mdcount * 16 / bytesperword;
-
- if (strcmp(argv[0], "mdr") == 0) {
-- if (argc != 2)
-+ if (argc == 2 || (argc == 0 && last_addr != 0))
-+ valid = raw = 1;
-+ else
- return KDB_ARGCOUNT;
-- valid = 1;
- } else if (isdigit(argv[0][2])) {
- bytesperword = (int)(argv[0][2] - '0');
- if (bytesperword == 0) {
-@@ -1571,7 +1573,10 @@ static int kdb_md(int argc, const char *
- radix = last_radix;
- bytesperword = last_bytesperword;
- repeat = last_repeat;
-- mdcount = ((repeat * bytesperword) + 15) / 16;
-+ if (raw)
-+ mdcount = repeat;
-+ else
-+ mdcount = ((repeat * bytesperword) + 15) / 16;
- }
-
- if (argc) {
-@@ -1588,7 +1593,10 @@ static int kdb_md(int argc, const char *
- diag = kdbgetularg(argv[nextarg], &val);
- if (!diag) {
- mdcount = (int) val;
-- repeat = mdcount * 16 / bytesperword;
-+ if (raw)
-+ repeat = mdcount;
-+ else
-+ repeat = mdcount * 16 / bytesperword;
- }
- }
- if (argc >= nextarg+1) {
-@@ -1598,8 +1606,15 @@ static int kdb_md(int argc, const char *
- }
- }
-
-- if (strcmp(argv[0], "mdr") == 0)
-- return kdb_mdr(addr, mdcount);
-+ if (strcmp(argv[0], "mdr") == 0) {
-+ int ret;
-+ last_addr = addr;
-+ ret = kdb_mdr(addr, mdcount);
-+ last_addr += mdcount;
-+ last_repeat = mdcount;
-+ last_bytesperword = bytesperword; // to make REPEAT happy
-+ return ret;
-+ }
-
- switch (radix) {
- case 10:
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: David Rientjes <rientjes@google.com>
-Date: Wed, 21 Feb 2018 14:45:32 -0800
-Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
-
-From: David Rientjes <rientjes@google.com>
-
-[ Upstream commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e ]
-
-chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
-of chan->n_subbufs * sizeof(size_t *).
-
-kmalloc_slab() will generate a warning when this fails if
-chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.
-
-Limit chan->n_subbufs to the maximum allowed kmalloc() size.
-
-Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com
-Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()")
-Signed-off-by: David Rientjes <rientjes@google.com>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: Jens Axboe <axboe@kernel.dk>
-Cc: Dave Jiang <dave.jiang@intel.com>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Cc: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/relay.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/relay.c
-+++ b/kernel/relay.c
-@@ -166,7 +166,7 @@ static struct rchan_buf *relay_create_bu
- {
- struct rchan_buf *buf;
-
-- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
-+ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
- return NULL;
-
- buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Sean Christopherson <sean.j.christopherson@intel.com>
-Date: Fri, 23 Mar 2018 09:34:00 -0700
-Subject: KVM: VMX: raise internal error for exception during invalid protected mode state
-
-From: Sean Christopherson <sean.j.christopherson@intel.com>
-
-[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ]
-
-Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter
-an exception in Protected Mode while emulating guest due to invalid
-guest state. Unlike Big RM, KVM doesn't support emulating exceptions
-in PM, i.e. PM exceptions are always injected via the VMCS. Because
-we will never do VMRESUME due to emulation_required, the exception is
-never realized and we'll keep emulating the faulting instruction over
-and over until we receive a signal.
-
-Exit to userspace iff there is a pending exception, i.e. don't exit
-simply on a requested event. The purpose of this check and exit is to
-aid in debugging a guest that is in all likelihood already doomed.
-Invalid guest state in PM is extremely limited in normal operation,
-e.g. it generally only occurs for a few instructions early in BIOS,
-and any exception at this time is all but guaranteed to be fatal.
-Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly
-handled/emulated, while checking for vectored interrupts, e.g. INTR
-and NMI, without hitting false positives would add a fair amount of
-complexity for almost no benefit (getting hit by lightning seems
-more likely than encountering this specific scenario).
-
-Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an
-exception via the VMCS and emulation_required is true.
-
-Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -2064,6 +2064,8 @@ static void vmx_queue_exception(struct k
- return;
- }
-
-+ WARN_ON_ONCE(vmx->emulation_required);
-+
- if (kvm_exception_is_soft(nr)) {
- vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
- vmx->vcpu.arch.event_exit_inst_len);
-@@ -5722,12 +5724,12 @@ static int handle_invalid_guest_state(st
- goto out;
- }
-
-- if (err != EMULATE_DONE) {
-- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
-- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
-- vcpu->run->internal.ndata = 0;
-- return 0;
-- }
-+ if (err != EMULATE_DONE)
-+ goto emulation_error;
-+
-+ if (vmx->emulation_required && !vmx->rmode.vm86_active &&
-+ vcpu->arch.exception.pending)
-+ goto emulation_error;
-
- if (vcpu->arch.halt_request) {
- vcpu->arch.halt_request = 0;
-@@ -5743,6 +5745,12 @@ static int handle_invalid_guest_state(st
-
- out:
- return ret;
-+
-+emulation_error:
-+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
-+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
-+ vcpu->run->internal.ndata = 0;
-+ return 0;
- }
-
- static int __grow_ple_window(int val)
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 26 Oct 2017 15:45:47 +0200
-Subject: kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
-
-From: Paolo Bonzini <pbonzini@redhat.com>
-
-[ Upstream commit 51776043afa415435c7e4636204fbe4f7edc4501 ]
-
-This ioctl is obsolete (it was used by Xenner as far as I know) but
-still let's not break it gratuitously... Its handler is copying
-directly into struct kvm. Go through a bounce buffer instead, with
-the added benefit that we can actually do something useful with the
-flags argument---the previous code was exiting with -EINVAL but still
-doing the copy.
-
-This technically is a userspace ABI breakage, but since no one should be
-using the ioctl, it's a good occasion to see if someone actually
-complains.
-
-Cc: kernel-hardening@lists.openwall.com
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/x86.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4025,13 +4025,14 @@ long kvm_arch_vm_ioctl(struct file *filp
- break;
- }
- case KVM_XEN_HVM_CONFIG: {
-+ struct kvm_xen_hvm_config xhc;
- r = -EFAULT;
-- if (copy_from_user(&kvm->arch.xen_hvm_config, argp,
-- sizeof(struct kvm_xen_hvm_config)))
-+ if (copy_from_user(&xhc, argp, sizeof(xhc)))
- goto out;
- r = -EINVAL;
-- if (kvm->arch.xen_hvm_config.flags)
-+ if (xhc.flags)
- goto out;
-+ memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc));
- r = 0;
- break;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Cong Wang <xiyou.wangcong@gmail.com>
-Date: Mon, 26 Mar 2018 15:08:33 -0700
-Subject: llc: properly handle dev_queue_xmit() return value
-
-From: Cong Wang <xiyou.wangcong@gmail.com>
-
-[ Upstream commit b85ab56c3f81c5a24b5a5213374f549df06430da ]
-
-llc_conn_send_pdu() pushes the skb into write queue and
-calls llc_conn_send_pdus() to flush them out. However, the
-status of dev_queue_xmit() is not returned to caller,
-in this case, llc_conn_state_process().
-
-llc_conn_state_process() needs hold the skb no matter
-success or failure, because it still uses it after that,
-therefore we should hold skb before dev_queue_xmit() when
-that skb is the one being processed by llc_conn_state_process().
-
-For other callers, they can just pass NULL and ignore
-the return value as they are.
-
-Reported-by: Noam Rathaus <noamr@beyondsecurity.com>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/llc_conn.h | 2 +-
- net/llc/llc_c_ac.c | 15 +++++++++------
- net/llc/llc_conn.c | 32 +++++++++++++++++++++++---------
- 3 files changed, 33 insertions(+), 16 deletions(-)
-
---- a/include/net/llc_conn.h
-+++ b/include/net/llc_conn.h
-@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk);
-
- /* Access to a connection */
- int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
--void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
-+int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
- void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
- void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
- void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
---- a/net/llc/llc_c_ac.c
-+++ b/net/llc/llc_c_ac.c
-@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_
- llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
- rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
- if (likely(!rc)) {
-- llc_conn_send_pdu(sk, skb);
-+ rc = llc_conn_send_pdu(sk, skb);
- llc_conn_ac_inc_vs_by_1(sk, skb);
- }
- return rc;
-@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_
- llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
- rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
- if (likely(!rc)) {
-- llc_conn_send_pdu(sk, skb);
-+ rc = llc_conn_send_pdu(sk, skb);
- llc_conn_ac_inc_vs_by_1(sk, skb);
- }
- return rc;
-@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_
- int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb)
- {
- struct llc_sock *llc = llc_sk(sk);
-+ int ret;
-
- if (llc->ack_must_be_send) {
-- llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
-+ ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
- llc->ack_must_be_send = 0 ;
- llc->ack_pf = 0;
-- } else
-- llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
-- return 0;
-+ } else {
-+ ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
-+ }
-+
-+ return ret;
- }
-
- /**
---- a/net/llc/llc_conn.c
-+++ b/net/llc/llc_conn.c
-@@ -30,7 +30,7 @@
- #endif
-
- static int llc_find_offset(int state, int ev_type);
--static void llc_conn_send_pdus(struct sock *sk);
-+static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb);
- static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
- static int llc_exec_conn_trans_actions(struct sock *sk,
- struct llc_conn_state_trans *trans,
-@@ -193,11 +193,11 @@ out_skb_put:
- return rc;
- }
-
--void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
-+int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
- {
- /* queue PDU to send to MAC layer */
- skb_queue_tail(&sk->sk_write_queue, skb);
-- llc_conn_send_pdus(sk);
-+ return llc_conn_send_pdus(sk, skb);
- }
-
- /**
-@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct
- if (howmany_resend > 0)
- llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
- /* any PDUs to re-send are queued up; start sending to MAC */
-- llc_conn_send_pdus(sk);
-+ llc_conn_send_pdus(sk, NULL);
- out:;
- }
-
-@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct
- if (howmany_resend > 0)
- llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
- /* any PDUs to re-send are queued up; start sending to MAC */
-- llc_conn_send_pdus(sk);
-+ llc_conn_send_pdus(sk, NULL);
- out:;
- }
-
-@@ -340,12 +340,16 @@ out:
- /**
- * llc_conn_send_pdus - Sends queued PDUs
- * @sk: active connection
-+ * @hold_skb: the skb held by caller, or NULL if does not care
- *
-- * Sends queued pdus to MAC layer for transmission.
-+ * Sends queued pdus to MAC layer for transmission. When @hold_skb is
-+ * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
-+ * successfully, or 1 for failure.
- */
--static void llc_conn_send_pdus(struct sock *sk)
-+static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
- {
- struct sk_buff *skb;
-+ int ret = 0;
-
- while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
- struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
-@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct so
- skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
- if (!skb2)
- break;
-- skb = skb2;
-+ dev_queue_xmit(skb2);
-+ } else {
-+ bool is_target = skb == hold_skb;
-+ int rc;
-+
-+ if (is_target)
-+ skb_get(skb);
-+ rc = dev_queue_xmit(skb);
-+ if (is_target)
-+ ret = rc;
- }
-- dev_queue_xmit(skb);
- }
-+
-+ return ret;
- }
-
- /**
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Andrea Parri <parri.andrea@gmail.com>
-Date: Tue, 20 Feb 2018 19:45:56 +0100
-Subject: locking/xchg/alpha: Add unconditional memory barrier to cmpxchg()
-
-From: Andrea Parri <parri.andrea@gmail.com>
-
-[ Upstream commit cb13b424e986aed68d74cbaec3449ea23c50e167 ]
-
-Continuing along with the fight against smp_read_barrier_depends() [1]
-(or rather, against its improper use), add an unconditional barrier to
-cmpxchg. This guarantees that dependency ordering is preserved when a
-dependency is headed by an unsuccessful cmpxchg. As it turns out, the
-change could enable further simplification of LKMM as proposed in [2].
-
-[1] https://marc.info/?l=linux-kernel&m=150884953419377&w=2
- https://marc.info/?l=linux-kernel&m=150884946319353&w=2
- https://marc.info/?l=linux-kernel&m=151215810824468&w=2
- https://marc.info/?l=linux-kernel&m=151215816324484&w=2
-
-[2] https://marc.info/?l=linux-kernel&m=151881978314872&w=2
-
-Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
-Acked-by: Peter Zijlstra <peterz@infradead.org>
-Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
-Cc: Alan Stern <stern@rowland.harvard.edu>
-Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Matt Turner <mattst88@gmail.com>
-Cc: Richard Henderson <rth@twiddle.net>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Will Deacon <will.deacon@arm.com>
-Cc: linux-alpha@vger.kernel.org
-Link: http://lkml.kernel.org/r/1519152356-4804-1-git-send-email-parri.andrea@gmail.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/alpha/include/asm/xchg.h | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
---- a/arch/alpha/include/asm/xchg.h
-+++ b/arch/alpha/include/asm/xchg.h
-@@ -127,10 +127,9 @@ ____xchg(, volatile void *ptr, unsigned
- * store NEW in MEM. Return the initial value in MEM. Success is
- * indicated by comparing RETURN with OLD.
- *
-- * The memory barrier should be placed in SMP only when we actually
-- * make the change. If we don't change anything (so if the returned
-- * prev is equal to old) then we aren't acquiring anything new and
-- * we don't need any memory barrier as far I can tell.
-+ * The memory barrier is placed in SMP unconditionally, in order to
-+ * guarantee that dependency ordering is preserved when a dependency
-+ * is headed by an unsuccessful operation.
- */
-
- static inline unsigned long
-@@ -149,8 +148,8 @@ ____cmpxchg(_u8, volatile char *m, unsig
- " or %1,%2,%2\n"
- " stq_c %2,0(%4)\n"
- " beq %2,3f\n"
-- __ASM__MB
- "2:\n"
-+ __ASM__MB
- ".subsection 2\n"
- "3: br 1b\n"
- ".previous"
-@@ -176,8 +175,8 @@ ____cmpxchg(_u16, volatile short *m, uns
- " or %1,%2,%2\n"
- " stq_c %2,0(%4)\n"
- " beq %2,3f\n"
-- __ASM__MB
- "2:\n"
-+ __ASM__MB
- ".subsection 2\n"
- "3: br 1b\n"
- ".previous"
-@@ -199,8 +198,8 @@ ____cmpxchg(_u32, volatile int *m, int o
- " mov %4,%1\n"
- " stl_c %1,%2\n"
- " beq %1,3f\n"
-- __ASM__MB
- "2:\n"
-+ __ASM__MB
- ".subsection 2\n"
- "3: br 1b\n"
- ".previous"
-@@ -222,8 +221,8 @@ ____cmpxchg(_u64, volatile long *m, unsi
- " mov %4,%1\n"
- " stq_c %1,%2\n"
- " beq %1,3f\n"
-- __ASM__MB
- "2:\n"
-+ __ASM__MB
- ".subsection 2\n"
- "3: br 1b\n"
- ".previous"
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Andrea Parri <parri.andrea@gmail.com>
-Date: Thu, 22 Feb 2018 10:24:48 +0100
-Subject: locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs
-
-From: Andrea Parri <parri.andrea@gmail.com>
-
-[ Upstream commit 472e8c55cf6622d1c112dc2bc777f68bbd4189db ]
-
-Successful RMW operations are supposed to be fully ordered, but
-Alpha's xchg() and cmpxchg() do not meet this requirement.
-
-Will Deacon noticed the bug:
-
- > So MP using xchg:
- >
- > WRITE_ONCE(x, 1)
- > xchg(y, 1)
- >
- > smp_load_acquire(y) == 1
- > READ_ONCE(x) == 0
- >
- > would be allowed.
-
-... which thus violates the above requirement.
-
-Fix it by adding a leading smp_mb() to the xchg() and cmpxchg() implementations.
-
-Reported-by: Will Deacon <will.deacon@arm.com>
-Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
-Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
-Cc: Alan Stern <stern@rowland.harvard.edu>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Matt Turner <mattst88@gmail.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Richard Henderson <rth@twiddle.net>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: linux-alpha@vger.kernel.org
-Link: http://lkml.kernel.org/r/1519291488-5752-1-git-send-email-parri.andrea@gmail.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/alpha/include/asm/xchg.h | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
---- a/arch/alpha/include/asm/xchg.h
-+++ b/arch/alpha/include/asm/xchg.h
-@@ -11,6 +11,10 @@
- * Atomic exchange.
- * Since it can be used to implement critical sections
- * it must clobber "memory" (also for interrupts in UP).
-+ *
-+ * The leading and the trailing memory barriers guarantee that these
-+ * operations are fully ordered.
-+ *
- */
-
- static inline unsigned long
-@@ -18,6 +22,7 @@ ____xchg(_u8, volatile char *m, unsigned
- {
- unsigned long ret, tmp, addr64;
-
-+ smp_mb();
- __asm__ __volatile__(
- " andnot %4,7,%3\n"
- " insbl %1,%4,%1\n"
-@@ -42,6 +47,7 @@ ____xchg(_u16, volatile short *m, unsign
- {
- unsigned long ret, tmp, addr64;
-
-+ smp_mb();
- __asm__ __volatile__(
- " andnot %4,7,%3\n"
- " inswl %1,%4,%1\n"
-@@ -66,6 +72,7 @@ ____xchg(_u32, volatile int *m, unsigned
- {
- unsigned long dummy;
-
-+ smp_mb();
- __asm__ __volatile__(
- "1: ldl_l %0,%4\n"
- " bis $31,%3,%1\n"
-@@ -86,6 +93,7 @@ ____xchg(_u64, volatile long *m, unsigne
- {
- unsigned long dummy;
-
-+ smp_mb();
- __asm__ __volatile__(
- "1: ldq_l %0,%4\n"
- " bis $31,%3,%1\n"
-@@ -127,9 +135,12 @@ ____xchg(, volatile void *ptr, unsigned
- * store NEW in MEM. Return the initial value in MEM. Success is
- * indicated by comparing RETURN with OLD.
- *
-- * The memory barrier is placed in SMP unconditionally, in order to
-- * guarantee that dependency ordering is preserved when a dependency
-- * is headed by an unsuccessful operation.
-+ * The leading and the trailing memory barriers guarantee that these
-+ * operations are fully ordered.
-+ *
-+ * The trailing memory barrier is placed in SMP unconditionally, in
-+ * order to guarantee that dependency ordering is preserved when a
-+ * dependency is headed by an unsuccessful operation.
- */
-
- static inline unsigned long
-@@ -137,6 +148,7 @@ ____cmpxchg(_u8, volatile char *m, unsig
- {
- unsigned long prev, tmp, cmp, addr64;
-
-+ smp_mb();
- __asm__ __volatile__(
- " andnot %5,7,%4\n"
- " insbl %1,%5,%1\n"
-@@ -164,6 +176,7 @@ ____cmpxchg(_u16, volatile short *m, uns
- {
- unsigned long prev, tmp, cmp, addr64;
-
-+ smp_mb();
- __asm__ __volatile__(
- " andnot %5,7,%4\n"
- " inswl %1,%5,%1\n"
-@@ -191,6 +204,7 @@ ____cmpxchg(_u32, volatile int *m, int o
- {
- unsigned long prev, cmp;
-
-+ smp_mb();
- __asm__ __volatile__(
- "1: ldl_l %0,%5\n"
- " cmpeq %0,%3,%1\n"
-@@ -214,6 +228,7 @@ ____cmpxchg(_u64, volatile long *m, unsi
- {
- unsigned long prev, cmp;
-
-+ smp_mb();
- __asm__ __volatile__(
- "1: ldq_l %0,%5\n"
- " cmpeq %0,%3,%1\n"
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Greg Ungerer <gerg@linux-m68k.org>
-Date: Wed, 28 Mar 2018 17:12:18 +1000
-Subject: m68k: set dma and coherent masks for platform FEC ethernets
-
-From: Greg Ungerer <gerg@linux-m68k.org>
-
-[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ]
-
-As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no
-coherent_dma_mask") the Freescale FEC driver is issuing the following
-warning on driver initialization on ColdFire systems:
-
-WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20
-Modules linked in:
-CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4
-Stack from 41833dd8:
- 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000
- 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d
- 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000
- 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8
- 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c
- 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000
-Call Trace:
- [<40025534>] 0x40025534
- [<4004e514>] 0x4004e514
- [<400255de>] 0x400255de
- [<40159e20>] 0x40159e20
- [<40159e20>] 0x40159e20
-
-It is not fatal, the driver and the system continue to function normally.
-
-As per the warning the coherent_dma_mask is not set on this device.
-There is nothing special about the DMA memory coherency on this hardware
-so we can just set the mask to 32bits in the platform data for the FEC
-ethernet devices.
-
-Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/m68k/coldfire/device.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
---- a/arch/m68k/coldfire/device.c
-+++ b/arch/m68k/coldfire/device.c
-@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 =
- .id = 0,
- .num_resources = ARRAY_SIZE(mcf_fec0_resources),
- .resource = mcf_fec0_resources,
-- .dev.platform_data = FEC_PDATA,
-+ .dev = {
-+ .dma_mask = &mcf_fec0.dev.coherent_dma_mask,
-+ .coherent_dma_mask = DMA_BIT_MASK(32),
-+ .platform_data = FEC_PDATA,
-+ }
- };
-
- #ifdef MCFFEC_BASE1
-@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 =
- .id = 1,
- .num_resources = ARRAY_SIZE(mcf_fec1_resources),
- .resource = mcf_fec1_resources,
-- .dev.platform_data = FEC_PDATA,
-+ .dev = {
-+ .dma_mask = &mcf_fec1.dev.coherent_dma_mask,
-+ .coherent_dma_mask = DMA_BIT_MASK(32),
-+ .platform_data = FEC_PDATA,
-+ }
- };
- #endif /* MCFFEC_BASE1 */
- #endif /* CONFIG_FEC */
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Felix Fietkau <nbd@nbd.name>
-Date: Sat, 10 Feb 2018 13:20:34 +0100
-Subject: mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4
-
-From: Felix Fietkau <nbd@nbd.name>
-
-[ Upstream commit 651b9920d7a694ffb1f885aef2bbb068a25d9d66 ]
-
-This ensures that mac80211 allocated management frames are properly
-aligned, which makes copying them more efficient.
-For instance, mt76 uses iowrite32_copy to copy beacon frames to beacon
-template memory on the chip.
-Misaligned 32-bit accesses cause CPU exceptions on MIPS and should be
-avoided.
-
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/mac80211.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/include/net/mac80211.h
-+++ b/include/net/mac80211.h
-@@ -3368,7 +3368,7 @@ static inline int ieee80211_sta_ps_trans
- * The TX headroom reserved by mac80211 for its own tx_status functions.
- * This is enough for the radiotap header.
- */
--#define IEEE80211_TX_STATUS_HEADROOM 14
-+#define IEEE80211_TX_STATUS_HEADROOM ALIGN(14, 4)
-
- /**
- * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Yufen Yu <yuyufen@huawei.com>
-Date: Sat, 24 Feb 2018 12:05:56 +0800
-Subject: md/raid1: fix NULL pointer dereference
-
-From: Yufen Yu <yuyufen@huawei.com>
-
-[ Upstream commit 3de59bb9d551428cbdc76a9ea57883f82e350b4d ]
-
-In handle_write_finished(), if r1_bio->bios[m] != NULL, it thinks
-the corresponding conf->mirrors[m].rdev is also not NULL. But, it
-is not always true.
-
-Even if some io hold replacement rdev(i.e. rdev->nr_pending.count > 0),
-raid1_remove_disk() can also set the rdev as NULL. That means,
-bios[m] != NULL, but mirrors[m].rdev is NULL, resulting in NULL
-pointer dereference in handle_write_finished and sync_request_write.
-
-This patch can fix BUGs as follows:
-
- BUG: unable to handle kernel NULL pointer dereference at 0000000000000140
- IP: [<ffffffff815bbbbd>] raid1d+0x2bd/0xfc0
- PGD 12ab52067 PUD 12f587067 PMD 0
- Oops: 0000 [#1] SMP
- CPU: 1 PID: 2008 Comm: md3_raid1 Not tainted 4.1.44+ #130
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
- Call Trace:
- ? schedule+0x37/0x90
- ? prepare_to_wait_event+0x83/0xf0
- md_thread+0x144/0x150
- ? wake_atomic_t_function+0x70/0x70
- ? md_start_sync+0xf0/0xf0
- kthread+0xd8/0xf0
- ? kthread_worker_fn+0x160/0x160
- ret_from_fork+0x42/0x70
- ? kthread_worker_fn+0x160/0x160
-
- BUG: unable to handle kernel NULL pointer dereference at 00000000000000b8
- IP: sync_request_write+0x9e/0x980
- PGD 800000007c518067 P4D 800000007c518067 PUD 8002b067 PMD 0
- Oops: 0000 [#1] SMP PTI
- CPU: 24 PID: 2549 Comm: md3_raid1 Not tainted 4.15.0+ #118
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
- Call Trace:
- ? sched_clock+0x5/0x10
- ? sched_clock_cpu+0xc/0xb0
- ? flush_pending_writes+0x3a/0xd0
- ? pick_next_task_fair+0x4d5/0x5f0
- ? __switch_to+0xa2/0x430
- raid1d+0x65a/0x870
- ? find_pers+0x70/0x70
- ? find_pers+0x70/0x70
- ? md_thread+0x11c/0x160
- md_thread+0x11c/0x160
- ? finish_wait+0x80/0x80
- kthread+0x111/0x130
- ? kthread_create_worker_on_cpu+0x70/0x70
- ? do_syscall_64+0x6f/0x190
- ? SyS_exit_group+0x10/0x10
- ret_from_fork+0x35/0x40
-
-Reviewed-by: NeilBrown <neilb@suse.com>
-Signed-off-by: Yufen Yu <yuyufen@huawei.com>
-Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/raid1.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
---- a/drivers/md/raid1.c
-+++ b/drivers/md/raid1.c
-@@ -1722,6 +1722,17 @@ static int raid1_remove_disk(struct mdde
- struct md_rdev *repl =
- conf->mirrors[conf->raid_disks + number].rdev;
- freeze_array(conf, 0);
-+ if (atomic_read(&repl->nr_pending)) {
-+ /* It means that some queued IO of retry_list
-+ * hold repl. Thus, we cannot set replacement
-+ * as NULL, avoiding rdev NULL pointer
-+ * dereference in sync_request_write and
-+ * handle_write_finished.
-+ */
-+ err = -EBUSY;
-+ unfreeze_array(conf);
-+ goto abort;
-+ }
- clear_bit(Replacement, &repl->flags);
- p->rdev = repl;
- conf->mirrors[conf->raid_disks + number].rdev = NULL;
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Yufen Yu <yuyufen@huawei.com>
-Date: Tue, 6 Feb 2018 17:39:15 +0800
-Subject: md raid10: fix NULL deference in handle_write_completed()
-
-From: Yufen Yu <yuyufen@huawei.com>
-
-[ Upstream commit 01a69cab01c184d3786af09e9339311123d63d22 ]
-
-In the case of 'recover', an r10bio with R10BIO_WriteError &
-R10BIO_IsRecover will be progressed by handle_write_completed().
-This function traverses all r10bio->devs[copies].
-If devs[m].repl_bio != NULL, it thinks conf->mirrors[dev].replacement
-is also not NULL. However, this is not always true.
-
-When there is an rdev of raid10 has replacement, then each r10bio
-->devs[m].repl_bio != NULL in conf->r10buf_pool. However, in 'recover',
-even if corresponded replacement is NULL, it doesn't clear r10bio
-->devs[m].repl_bio, resulting in replacement NULL deference.
-
-This bug was introduced when replacement support for raid10 was
-added in Linux 3.3.
-
-As NeilBrown suggested:
- Elsewhere the determination of "is this device part of the
- resync/recovery" is made by resting bio->bi_end_io.
- If this is end_sync_write, then we tried to write here.
- If it is NULL, then we didn't try to write.
-
-Fixes: 9ad1aefc8ae8 ("md/raid10: Handle replacement devices during resync.")
-Cc: stable (V3.3+)
-Suggested-by: NeilBrown <neilb@suse.com>
-Signed-off-by: Yufen Yu <yuyufen@huawei.com>
-Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/raid10.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -2754,7 +2754,8 @@ static void handle_write_completed(struc
- for (m = 0; m < conf->copies; m++) {
- int dev = r10_bio->devs[m].devnum;
- rdev = conf->mirrors[dev].rdev;
-- if (r10_bio->devs[m].bio == NULL)
-+ if (r10_bio->devs[m].bio == NULL ||
-+ r10_bio->devs[m].bio->bi_end_io == NULL)
- continue;
- if (test_bit(BIO_UPTODATE,
- &r10_bio->devs[m].bio->bi_flags)) {
-@@ -2770,7 +2771,8 @@ static void handle_write_completed(struc
- md_error(conf->mddev, rdev);
- }
- rdev = conf->mirrors[dev].replacement;
-- if (r10_bio->devs[m].repl_bio == NULL)
-+ if (r10_bio->devs[m].repl_bio == NULL ||
-+ r10_bio->devs[m].repl_bio->bi_end_io == NULL)
- continue;
- if (test_bit(BIO_UPTODATE,
- &r10_bio->devs[m].repl_bio->bi_flags)) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Brad Love <brad@nextdimension.cc>
-Date: Tue, 6 Mar 2018 14:15:37 -0500
-Subject: media: cx23885: Override 888 ImpactVCBe crystal frequency
-
-From: Brad Love <brad@nextdimension.cc>
-
-[ Upstream commit 779c79d4b833ec646b0aed878da38edb45bbe156 ]
-
-Hauppauge produced a revision of ImpactVCBe using an 888,
-with a 25MHz crystal, instead of using the default third
-overtone 50Mhz crystal. This overrides that frequency so
-that the cx25840 is properly configured. Without the proper
-crystal setup the cx25840 cannot load the firmware or
-decode video.
-
-Signed-off-by: Brad Love <brad@nextdimension.cc>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/pci/cx23885/cx23885-core.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/drivers/media/pci/cx23885/cx23885-core.c
-+++ b/drivers/media/pci/cx23885/cx23885-core.c
-@@ -870,6 +870,16 @@ static int cx23885_dev_setup(struct cx23
- if (cx23885_boards[dev->board].clk_freq > 0)
- dev->clk_freq = cx23885_boards[dev->board].clk_freq;
-
-+ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE &&
-+ dev->pci->subsystem_device == 0x7137) {
-+ /* Hauppauge ImpactVCBe device ID 0x7137 is populated
-+ * with an 888, and a 25Mhz crystal, instead of the
-+ * usual third overtone 50Mhz. The default clock rate must
-+ * be overridden so the cx25840 is properly configured
-+ */
-+ dev->clk_freq = 25000000;
-+ }
-+
- dev->pci_bus = dev->pci->bus->number;
- dev->pci_slot = PCI_SLOT(dev->pci->devfn);
- cx23885_irq_add(dev, 0x001f00);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Brad Love <brad@nextdimension.cc>
-Date: Tue, 6 Mar 2018 14:15:36 -0500
-Subject: media: cx23885: Set subdev host data to clk_freq pointer
-
-From: Brad Love <brad@nextdimension.cc>
-
-[ Upstream commit 5ceade1d97fc6687e050c44c257382c192f56276 ]
-
-Currently clk_freq is ignored entirely, because the cx235840 driver
-configures the xtal at the chip defaults. This is an issue if a
-board is produced with a non-default frequency crystal. If clk_freq
-is not zero the cx25840 will attempt to use the setting provided,
-or fall back to defaults otherwise.
-
-Signed-off-by: Brad Love <brad@nextdimension.cc>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/pci/cx23885/cx23885-cards.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/media/pci/cx23885/cx23885-cards.c
-+++ b/drivers/media/pci/cx23885/cx23885-cards.c
-@@ -1950,6 +1950,10 @@ void cx23885_card_setup(struct cx23885_d
- &dev->i2c_bus[2].i2c_adap,
- "cx25840", 0x88 >> 1, NULL);
- if (dev->sd_cx25840) {
-+ /* set host data for clk_freq configuration */
-+ v4l2_set_subdev_hostdata(dev->sd_cx25840,
-+ &dev->clk_freq);
-+
- dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE;
- v4l2_subdev_call(dev->sd_cx25840, core, load_fw);
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Colin Ian King <colin.king@canonical.com>
-Date: Wed, 31 Jan 2018 12:33:09 -0500
-Subject: media: cx25821: prevent out-of-bounds read on array card
-
-From: Colin Ian King <colin.king@canonical.com>
-
-[ Upstream commit 67300abdbe9f1717532aaf4e037222762716d0f6 ]
-
-Currently an out of range dev->nr is detected by just reporting the
-issue and later on an out-of-bounds read on array card occurs because
-of this. Fix this by checking the upper range of dev->nr with the size
-of array card (removes the hard coded size), move this check earlier
-and also exit with the error -ENOSYS to avoid the later out-of-bounds
-array read.
-
-Detected by CoverityScan, CID#711191 ("Out-of-bounds-read")
-
-Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver")
-
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
-[hans.verkuil@cisco.com: %ld -> %zd]
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/pci/cx25821/cx25821-core.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/drivers/media/pci/cx25821/cx25821-core.c
-+++ b/drivers/media/pci/cx25821/cx25821-core.c
-@@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25
- dev->nr = ++cx25821_devcount;
- sprintf(dev->name, "cx25821[%d]", dev->nr);
-
-+ if (dev->nr >= ARRAY_SIZE(card)) {
-+ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));
-+ return -ENODEV;
-+ }
- if (dev->pci->device != 0x8210) {
- pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
- __func__, dev->pci->device);
-@@ -887,9 +891,6 @@ static int cx25821_dev_setup(struct cx25
- dev->channels[i].sram_channels = &cx25821_sram_channels[i];
- }
-
-- if (dev->nr > 1)
-- CX25821_INFO("dev->nr > 1!");
--
- /* board config */
- dev->board = 1; /* card[dev->nr]; */
- dev->_max_num_decoders = MAX_DECODERS;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Date: Sun, 11 Feb 2018 05:44:21 -0500
-Subject: media: dmxdev: fix error code for invalid ioctls
-
-From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
-[ Upstream commit a145f64c6107d3aa5a7cec9f8977d04ac2a896c9 ]
-
-Returning -EINVAL when an ioctl is not implemented is a very
-bad idea, as it is hard to distinguish from other error
-contitions that an ioctl could lead. Replace it by its
-right error code: -ENOTTY.
-
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/dvb-core/dmxdev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/media/dvb-core/dmxdev.c
-+++ b/drivers/media/dvb-core/dmxdev.c
-@@ -1069,7 +1069,7 @@ static int dvb_demux_do_ioctl(struct fil
- break;
-
- default:
-- ret = -EINVAL;
-+ ret = -ENOTTY;
- break;
- }
- mutex_unlock(&dmxdev->mutex);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Brad Love <brad@nextdimension.cc>
-Date: Thu, 4 Jan 2018 19:04:13 -0500
-Subject: media: em28xx: USB bulk packet size fix
-
-From: Brad Love <brad@nextdimension.cc>
-
-[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ]
-
-Hauppauge em28xx bulk devices exhibit continuity errors and corrupted
-packets, when run in VMWare virtual machines. Unknown if other
-manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected.
-
-According to documentation the maximum packet multiplier for em28xx in bulk
-transfer mode is 256 * 188 bytes. This changes the size of bulk transfers
-to maximum supported value and have a bonus beneficial alignment.
-
-Before:
-
-After:
-
-This sets up USB to expect just as many bytes as the em28xx is set to emit.
-
-Successful usage under load afterwards natively and in both VMWare
-and KVM/Qemu virtual machines.
-
-Signed-off-by: Brad Love <brad@nextdimension.cc>
-Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/usb/em28xx/em28xx.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/media/usb/em28xx/em28xx.h
-+++ b/drivers/media/usb/em28xx/em28xx.h
-@@ -183,7 +183,7 @@
- USB 2.0 spec says bulk packet size is always 512 bytes
- */
- #define EM28XX_BULK_PACKET_MULTIPLIER 384
--#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
-+#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
-
- #define EM28XX_INTERLACED_DEFAULT 1
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Tue, 16 Jan 2018 16:52:15 -0500
-Subject: media: s3c-camif: fix out-of-bounds array access
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ]
-
-While experimenting with older compiler versions, I ran
-into a warning that no longer shows up on gcc-4.8 or newer:
-
-drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
-drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
-
-This is an off-by-one bug, leading to an access before the start of the
-array, while newer compilers silently assume this undefined behavior
-cannot happen and leave the loop at index 0 if no other entry matches.
-
-As Sylvester explains, we actually need to ensure that the
-value is within the range, so this reworks the loop to be
-easier to parse correctly, and an additional check to fall
-back on the first format value for any unexpected input.
-
-I found an existing gcc bug for it and added a reduced version
-of the function there.
-
-Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
-Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
-
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/drivers/media/platform/s3c-camif/camif-capture.c
-+++ b/drivers/media/platform/s3c-camif/camif-capture.c
-@@ -1280,16 +1280,17 @@ static void __camif_subdev_try_format(st
- {
- const struct s3c_camif_variant *variant = camif->variant;
- const struct vp_pix_limits *pix_lim;
-- int i = ARRAY_SIZE(camif_mbus_formats);
-+ unsigned int i;
-
- /* FIXME: constraints against codec or preview path ? */
- pix_lim = &variant->vp_pix_limits[VP_CODEC];
-
-- while (i-- >= 0)
-+ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
- if (camif_mbus_formats[i] == mf->code)
- break;
-
-- mf->code = camif_mbus_formats[i];
-+ if (i == ARRAY_SIZE(camif_mbus_formats))
-+ mf->code = camif_mbus_formats[0];
-
- if (pad == CAMIF_SD_PAD_SINK) {
- v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Rob Herring <robh@kernel.org>
-Date: Fri, 9 Mar 2018 09:54:07 -0600
-Subject: microblaze: switch to NO_BOOTMEM
-
-From: Rob Herring <robh@kernel.org>
-
-[ Upstream commit 101646a24a2f9cdb61d7732459fbf068a7bbb542 ]
-
-Microblaze doesn't set CONFIG_NO_BOOTMEM and so memblock_virt_alloc()
-doesn't work for CONFIG_HAVE_MEMBLOCK && !CONFIG_NO_BOOTMEM.
-
-Similar change was already done by others architectures
-"ARM: mm: Remove bootmem code and switch to NO_BOOTMEM"
-(sha1: 84f452b1e8fc73ac0e31254c66e3e2260ce5263d)
-or
-"openrisc: Consolidate setup to use memblock instead of bootmem"
-(sha1: 266c7fad157265bb54d17db1c9545f2aaa488643)
-or
-"parisc: Drop bootmem and switch to memblock"
-(sha1: 4fe9e1d957e45ad8eba9885ee860a0e93d13a7c7)
-or
-"powerpc: Remove bootmem allocator"
-(sha1: 10239733ee8617bac3f1c1769af43a88ed979324)
-or
-"s390/mm: Convert bootmem to memblock"
-(sha1: 50be634507284eea38df78154d22615d21200b42)
-or
-"sparc64: Convert over to NO_BOOTMEM."
-(sha1: 625d693e9784f988371e69c2b41a2172c0be6c11)
-or
-"xtensa: drop sysmem and switch to memblock"
-(sha1: 0e46c1115f5816949220d62dd3ff04aa68e7ac6b)
-
-Issue was introduced by:
-"of/fdt: use memblock_virt_alloc for early alloc"
-(sha1: 0fa1c579349fdd90173381712ad78aa99c09d38b)
-
-Signed-off-by: Rob Herring <robh@kernel.org>
-Tested-by: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
-Tested-by: Michal Simek <michal.simek@xilinx.com>
-Signed-off-by: Michal Simek <michal.simek@xilinx.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/microblaze/Kconfig | 1
- arch/microblaze/mm/init.c | 56 ++++------------------------------------------
- 2 files changed, 7 insertions(+), 50 deletions(-)
-
---- a/arch/microblaze/Kconfig
-+++ b/arch/microblaze/Kconfig
-@@ -23,6 +23,7 @@ config MICROBLAZE
- select HAVE_FTRACE_MCOUNT_RECORD
- select HAVE_FUNCTION_GRAPH_TRACER
- select HAVE_FUNCTION_TRACER
-+ select NO_BOOTMEM
- select HAVE_MEMBLOCK
- select HAVE_MEMBLOCK_NODE_MAP
- select HAVE_OPROFILE
---- a/arch/microblaze/mm/init.c
-+++ b/arch/microblaze/mm/init.c
-@@ -32,9 +32,6 @@ int mem_init_done;
- #ifndef CONFIG_MMU
- unsigned int __page_offset;
- EXPORT_SYMBOL(__page_offset);
--
--#else
--static int init_bootmem_done;
- #endif /* CONFIG_MMU */
-
- char *klimit = _end;
-@@ -117,7 +114,6 @@ static void __init paging_init(void)
-
- void __init setup_memory(void)
- {
-- unsigned long map_size;
- struct memblock_region *reg;
-
- #ifndef CONFIG_MMU
-@@ -174,17 +170,6 @@ void __init setup_memory(void)
- pr_info("%s: max_low_pfn: %#lx\n", __func__, max_low_pfn);
- pr_info("%s: max_pfn: %#lx\n", __func__, max_pfn);
-
-- /*
-- * Find an area to use for the bootmem bitmap.
-- * We look for the first area which is at least
-- * 128kB in length (128kB is enough for a bitmap
-- * for 4GB of memory, using 4kB pages), plus 1 page
-- * (in case the address isn't page-aligned).
-- */
-- map_size = init_bootmem_node(NODE_DATA(0),
-- PFN_UP(TOPHYS((u32)klimit)), min_low_pfn, max_low_pfn);
-- memblock_reserve(PFN_UP(TOPHYS((u32)klimit)) << PAGE_SHIFT, map_size);
--
- /* Add active regions with valid PFNs */
- for_each_memblock(memory, reg) {
- unsigned long start_pfn, end_pfn;
-@@ -196,32 +181,9 @@ void __init setup_memory(void)
- &memblock.memory, 0);
- }
-
-- /* free bootmem is whole main memory */
-- free_bootmem_with_active_regions(0, max_low_pfn);
--
-- /* reserve allocate blocks */
-- for_each_memblock(reserved, reg) {
-- unsigned long top = reg->base + reg->size - 1;
--
-- pr_debug("reserved - 0x%08x-0x%08x, %lx, %lx\n",
-- (u32) reg->base, (u32) reg->size, top,
-- memory_start + lowmem_size - 1);
--
-- if (top <= (memory_start + lowmem_size - 1)) {
-- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT);
-- } else if (reg->base < (memory_start + lowmem_size - 1)) {
-- unsigned long trunc_size = memory_start + lowmem_size -
-- reg->base;
-- reserve_bootmem(reg->base, trunc_size, BOOTMEM_DEFAULT);
-- }
-- }
--
- /* XXX need to clip this if using highmem? */
- sparse_memory_present_with_active_regions(0);
-
--#ifdef CONFIG_MMU
-- init_bootmem_done = 1;
--#endif
- paging_init();
- }
-
-@@ -398,18 +360,12 @@ asmlinkage void __init mmu_init(void)
- /* This is only called until mem_init is done. */
- void __init *early_get_page(void)
- {
-- void *p;
-- if (init_bootmem_done) {
-- p = alloc_bootmem_pages(PAGE_SIZE);
-- } else {
-- /*
-- * Mem start + kernel_tlb -> here is limit
-- * because of mem mapping from head.S
-- */
-- p = __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE,
-- memory_start + kernel_tlb));
-- }
-- return p;
-+ /*
-+ * Mem start + kernel_tlb -> here is limit
-+ * because of mem mapping from head.S
-+ */
-+ return __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE,
-+ memory_start + kernel_tlb));
- }
-
- #endif /* CONFIG_MMU */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Mathias Kresin <dev@kresin.me>
-Date: Thu, 11 May 2017 08:18:24 +0200
-Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset
-
-From: Mathias Kresin <dev@kresin.me>
-
-[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ]
-
-According to the QCA u-boot source the "PCIE Phase Lock Loop
-Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
-QCA955X and QCA956X at offset 0x10.
-
-Since the PCIE PLL config register is only defined for the AR724x fix
-only this value. The value is wrong since the day it was added and isn't
-used by any driver yet.
-
-Signed-off-by: Mathias Kresin <dev@kresin.me>
-Cc: Ralf Baechle <ralf@linux-mips.org>
-Cc: linux-mips@linux-mips.org
-Patchwork: https://patchwork.linux-mips.org/patch/16048/
-Signed-off-by: James Hogan <jhogan@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
-+++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
-@@ -167,7 +167,7 @@
- #define AR71XX_AHB_DIV_MASK 0x7
-
- #define AR724X_PLL_REG_CPU_CONFIG 0x00
--#define AR724X_PLL_REG_PCIE_CONFIG 0x18
-+#define AR724X_PLL_REG_PCIE_CONFIG 0x10
-
- #define AR724X_PLL_DIV_SHIFT 0
- #define AR724X_PLL_DIV_MASK 0x3ff
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Matt Redfearn <matt.redfearn@mips.com>
-Date: Mon, 29 Jan 2018 11:26:45 +0000
-Subject: MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
-
-From: Matt Redfearn <matt.redfearn@mips.com>
-
-[ Upstream commit 0cde5b44a30f1daaef1c34e08191239dc63271c4 ]
-
-When commit b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support")
-added board support for the RBTX4939, it added a call to
-led_classdev_register even if the LED class is built as a module.
-Built-in arch code cannot call module code directly like this. Commit
-b33b44073734 ("MIPS: TXX9: use IS_ENABLED() macro") subsequently
-changed the inclusion of this code to a single check that
-CONFIG_LEDS_CLASS is either builtin or a module, but the same issue
-remains.
-
-This leads to MIPS allmodconfig builds failing when CONFIG_MACH_TX49XX=y
-is set:
-
-arch/mips/txx9/rbtx4939/setup.o: In function `rbtx4939_led_probe':
-setup.c:(.init.text+0xc0): undefined reference to `of_led_classdev_register'
-make: *** [Makefile:999: vmlinux] Error 1
-
-Fix this by using the IS_BUILTIN() macro instead.
-
-Fixes: b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support")
-Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
-Reviewed-by: James Hogan <jhogan@kernel.org>
-Cc: Ralf Baechle <ralf@linux-mips.org>
-Cc: linux-mips@linux-mips.org
-Patchwork: https://patchwork.linux-mips.org/patch/18544/
-Signed-off-by: James Hogan <jhogan@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/txx9/rbtx4939/setup.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/mips/txx9/rbtx4939/setup.c
-+++ b/arch/mips/txx9/rbtx4939/setup.c
-@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_p
-
- #define RBTX4939_MAX_7SEGLEDS 8
-
--#if IS_ENABLED(CONFIG_LEDS_CLASS)
-+#if IS_BUILTIN(CONFIG_LEDS_CLASS)
- static u8 led_val[RBTX4939_MAX_7SEGLEDS];
- struct rbtx4939_led_data {
- struct led_classdev cdev;
-@@ -262,7 +262,7 @@ static inline void rbtx4939_led_setup(vo
-
- static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val)
- {
--#if IS_ENABLED(CONFIG_LEDS_CLASS)
-+#if IS_BUILTIN(CONFIG_LEDS_CLASS)
- unsigned long flags;
- local_irq_save(flags);
- /* bit7: reserved for LED class */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Huang Ying <ying.huang@intel.com>
-Date: Thu, 5 Apr 2018 16:23:20 -0700
-Subject: mm: fix races between address_space dereference and free in page_evicatable
-
-From: Huang Ying <ying.huang@intel.com>
-
-[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ]
-
-When page_mapping() is called and the mapping is dereferenced in
-page_evicatable() through shrink_active_list(), it is possible for the
-inode to be truncated and the embedded address space to be freed at the
-same time. This may lead to the following race.
-
-CPU1 CPU2
-
-truncate(inode) shrink_active_list()
- ... page_evictable(page)
- truncate_inode_page(mapping, page);
- delete_from_page_cache(page)
- spin_lock_irqsave(&mapping->tree_lock, flags);
- __delete_from_page_cache(page, NULL)
- page_cache_tree_delete(..)
- ... mapping = page_mapping(page);
- page->mapping = NULL;
- ...
- spin_unlock_irqrestore(&mapping->tree_lock, flags);
- page_cache_free_page(mapping, page)
- put_page(page)
- if (put_page_testzero(page)) -> false
-- inode now has no pages and can be freed including embedded address_space
-
- mapping_unevictable(mapping)
- test_bit(AS_UNEVICTABLE, &mapping->flags);
-- we've dereferenced mapping which is potentially already free.
-
-Similar race exists between swap cache freeing and page_evicatable()
-too.
-
-The address_space in inode and swap cache will be freed after a RCU
-grace period. So the races are fixed via enclosing the page_mapping()
-and address_space usage in rcu_read_lock/unlock(). Some comments are
-added in code to make it clear what is protected by the RCU read lock.
-
-Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com
-Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: Mel Gorman <mgorman@techsingularity.net>
-Cc: Minchan Kim <minchan@kernel.org>
-Cc: "Huang, Ying" <ying.huang@intel.com>
-Cc: Johannes Weiner <hannes@cmpxchg.org>
-Cc: Michal Hocko <mhocko@suse.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/vmscan.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/mm/vmscan.c
-+++ b/mm/vmscan.c
-@@ -3753,7 +3753,13 @@ int zone_reclaim(struct zone *zone, gfp_
- */
- int page_evictable(struct page *page)
- {
-- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
-+ int ret;
-+
-+ /* Prevent address_space of inode and swap cache from being freed */
-+ rcu_read_lock();
-+ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
-+ rcu_read_unlock();
-+ return ret;
- }
-
- #ifdef CONFIG_SHMEM
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Vinayak Menon <vinmenon@codeaurora.org>
-Date: Wed, 28 Mar 2018 16:01:16 -0700
-Subject: mm/kmemleak.c: wait for scan completion before disabling free
-
-From: Vinayak Menon <vinmenon@codeaurora.org>
-
-[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ]
-
-A crash is observed when kmemleak_scan accesses the object->pointer,
-likely due to the following race.
-
- TASK A TASK B TASK C
- kmemleak_write
- (with "scan" and
- NOT "scan=on")
- kmemleak_scan()
- create_object
- kmem_cache_alloc fails
- kmemleak_disable
- kmemleak_do_cleanup
- kmemleak_free_enabled = 0
- kfree
- kmemleak_free bails out
- (kmemleak_free_enabled is 0)
- slub frees object->pointer
- update_checksum
- crash - object->pointer
- freed (DEBUG_PAGEALLOC)
-
-kmemleak_do_cleanup waits for the scan thread to complete, but not for
-direct call to kmemleak_scan via kmemleak_write. So add a wait for
-kmemleak_scan completion before disabling kmemleak_free, and while at it
-fix the comment on stop_scan_thread.
-
-[vinmenon@codeaurora.org: fix stop_scan_thread comment]
- Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org
-Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org
-Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
-Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/kmemleak.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
---- a/mm/kmemleak.c
-+++ b/mm/kmemleak.c
-@@ -1481,8 +1481,7 @@ static void start_scan_thread(void)
- }
-
- /*
-- * Stop the automatic memory scanning thread. This function must be called
-- * with the scan_mutex held.
-+ * Stop the automatic memory scanning thread.
- */
- static void stop_scan_thread(void)
- {
-@@ -1746,12 +1745,15 @@ static void kmemleak_do_cleanup(struct w
- mutex_lock(&scan_mutex);
- stop_scan_thread();
-
-+ mutex_lock(&scan_mutex);
- /*
-- * Once the scan thread has stopped, it is safe to no longer track
-- * object freeing. Ordering of the scan thread stopping and the memory
-- * accesses below is guaranteed by the kthread_stop() function.
-+ * Once it is made sure that kmemleak_scan has stopped, it is safe to no
-+ * longer track object freeing. Ordering of the scan thread stopping and
-+ * the memory accesses below is guaranteed by the kthread_stop()
-+ * function.
- */
- kmemleak_free_enabled = 0;
-+ mutex_unlock(&scan_mutex);
-
- if (!kmemleak_found_leaks)
- __kmemleak_do_cleanup();
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
-Date: Thu, 5 Apr 2018 16:25:41 -0700
-Subject: mm/ksm: fix interaction with THP
-
-From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
-
-[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ]
-
-This patch fixes a corner case for KSM. When two pages belong or
-belonged to the same transparent hugepage, and they should be merged,
-KSM fails to split the page, and therefore no merging happens.
-
-This bug can be reproduced by:
-* making sure ksm is running (in case disabling ksmtuned)
-* enabling transparent hugepages
-* allocating a THP-aligned 1-THP-sized buffer
- e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21)
-* filling it with the same values
- e.g. memset(p, 42, 1<<21)
-* performing madvise to make it mergeable
- e.g. madvise(p, 1<<21, MADV_MERGEABLE)
-* waiting for KSM to perform a few scans
-
-The expected outcome is that the all the pages get merged (1 shared and
-the rest sharing); the actual outcome is that no pages get merged (1
-unshared and the rest volatile)
-
-The reason of this behaviour is that we increase the reference count
-once for both pages we want to merge, but if they belong to the same
-hugepage (or compound page), the reference counter used in both cases is
-the one of the head of the compound page. This means that
-split_huge_page will find a value of the reference counter too high and
-will fail.
-
-This patch solves this problem by testing if the two pages to merge
-belong to the same hugepage when attempting to merge them. If so, the
-hugepage is split safely. This means that the hugepage is not split if
-not necessary.
-
-Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com
-Signed-off-by: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
-Co-authored-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Minchan Kim <minchan@kernel.org>
-Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/ksm.c | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
---- a/mm/ksm.c
-+++ b/mm/ksm.c
-@@ -1475,8 +1475,22 @@ static void cmp_and_merge_page(struct pa
- tree_rmap_item =
- unstable_tree_search_insert(rmap_item, page, &tree_page);
- if (tree_rmap_item) {
-+ bool split;
-+
- kpage = try_to_merge_two_pages(rmap_item, page,
- tree_rmap_item, tree_page);
-+ /*
-+ * If both pages we tried to merge belong to the same compound
-+ * page, then we actually ended up increasing the reference
-+ * count of the same compound page twice, and split_huge_page
-+ * failed.
-+ * Here we set a flag if that happened, and we use it later to
-+ * try split_huge_page again. Since we call put_page right
-+ * afterwards, the reference count will be correct and
-+ * split_huge_page should succeed.
-+ */
-+ split = PageTransCompound(page)
-+ && compound_head(page) == compound_head(tree_page);
- put_page(tree_page);
- if (kpage) {
- /*
-@@ -1501,6 +1515,20 @@ static void cmp_and_merge_page(struct pa
- break_cow(tree_rmap_item);
- break_cow(rmap_item);
- }
-+ } else if (split) {
-+ /*
-+ * We are here if we tried to merge two pages and
-+ * failed because they both belonged to the same
-+ * compound page. We will split the page now, but no
-+ * merging will take place.
-+ * We do not want to add the cost of a full lock; if
-+ * the page is locked, it is better to skip it and
-+ * perhaps try again later.
-+ */
-+ if (!trylock_page(page))
-+ return;
-+ split_huge_page(page);
-+ unlock_page(page);
- }
- }
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Yisheng Xie <xieyisheng1@huawei.com>
-Date: Wed, 31 Jan 2018 16:16:15 -0800
-Subject: mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
-
-From: Yisheng Xie <xieyisheng1@huawei.com>
-
-[ Upstream commit 0486a38bcc4749808edbc848f1bcf232042770fc ]
-
-As in manpage of migrate_pages, the errno should be set to EINVAL when
-none of the node IDs specified by new_nodes are on-line and allowed by
-the process's current cpuset context, or none of the specified nodes
-contain memory. However, when test by following case:
-
- new_nodes = 0;
- old_nodes = 0xf;
- ret = migrate_pages(pid, old_nodes, new_nodes, MAX);
-
-The ret will be 0 and no errno is set. As the new_nodes is empty, we
-should expect EINVAL as documented.
-
-To fix the case like above, this patch check whether target nodes AND
-current task_nodes is empty, and then check whether AND
-node_states[N_MEMORY] is empty.
-
-Link: http://lkml.kernel.org/r/1510882624-44342-4-git-send-email-xieyisheng1@huawei.com
-Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
-Acked-by: Vlastimil Babka <vbabka@suse.cz>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Chris Salls <salls@cs.ucsb.edu>
-Cc: Christopher Lameter <cl@linux.com>
-Cc: David Rientjes <rientjes@google.com>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
-Cc: Tan Xiaojun <tanxiaojun@huawei.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/mempolicy.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1464,10 +1464,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
- goto out_put;
- }
-
-- if (!nodes_subset(*new, node_states[N_MEMORY])) {
-- err = -EINVAL;
-+ task_nodes = cpuset_mems_allowed(current);
-+ nodes_and(*new, *new, task_nodes);
-+ if (nodes_empty(*new))
-+ goto out_put;
-+
-+ nodes_and(*new, *new, node_states[N_MEMORY]);
-+ if (nodes_empty(*new))
- goto out_put;
-- }
-
- err = security_task_movememory(task);
- if (err)
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Yisheng Xie <xieyisheng1@huawei.com>
-Date: Wed, 31 Jan 2018 16:16:11 -0800
-Subject: mm/mempolicy: fix the check of nodemask from user
-
-From: Yisheng Xie <xieyisheng1@huawei.com>
-
-[ Upstream commit 56521e7a02b7b84a5e72691a1fb15570e6055545 ]
-
-As Xiaojun reported the ltp of migrate_pages01 will fail on arm64 system
-which has 4 nodes[0...3], all have memory and CONFIG_NODES_SHIFT=2:
-
- migrate_pages01 0 TINFO : test_invalid_nodes
- migrate_pages01 14 TFAIL : migrate_pages_common.c:45: unexpected failure - returned value = 0, expected: -1
- migrate_pages01 15 TFAIL : migrate_pages_common.c:55: call succeeded unexpectedly
-
-In this case the test_invalid_nodes of migrate_pages01 will call:
-SYSC_migrate_pages as:
-
- migrate_pages(0, , {0x0000000000000001}, 64, , {0x0000000000000010}, 64) = 0
-
-The new nodes specifies one or more node IDs that are greater than the
-maximum supported node ID, however, the errno is not set to EINVAL as
-expected.
-
-As man pages of set_mempolicy[1], mbind[2], and migrate_pages[3]
-mentioned, when nodemask specifies one or more node IDs that are greater
-than the maximum supported node ID, the errno should set to EINVAL.
-However, get_nodes only check whether the part of bits
-[BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES), maxnode) is zero or not, and
-remain [MAX_NUMNODES, BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES)
-unchecked.
-
-This patch is to check the bits of [MAX_NUMNODES, maxnode) in get_nodes
-to let migrate_pages set the errno to EINVAL when nodemask specifies one
-or more node IDs that are greater than the maximum supported node ID,
-which follows the manpage's guide.
-
-[1] http://man7.org/linux/man-pages/man2/set_mempolicy.2.html
-[2] http://man7.org/linux/man-pages/man2/mbind.2.html
-[3] http://man7.org/linux/man-pages/man2/migrate_pages.2.html
-
-Link: http://lkml.kernel.org/r/1510882624-44342-3-git-send-email-xieyisheng1@huawei.com
-Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
-Reported-by: Tan Xiaojun <tanxiaojun@huawei.com>
-Acked-by: Vlastimil Babka <vbabka@suse.cz>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Chris Salls <salls@cs.ucsb.edu>
-Cc: Christopher Lameter <cl@linux.com>
-Cc: David Rientjes <rientjes@google.com>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/mempolicy.c | 23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1286,6 +1286,7 @@ static int get_nodes(nodemask_t *nodes,
- unsigned long maxnode)
- {
- unsigned long k;
-+ unsigned long t;
- unsigned long nlongs;
- unsigned long endmask;
-
-@@ -1302,13 +1303,19 @@ static int get_nodes(nodemask_t *nodes,
- else
- endmask = (1UL << (maxnode % BITS_PER_LONG)) - 1;
-
-- /* When the user specified more nodes than supported just check
-- if the non supported part is all zero. */
-+ /*
-+ * When the user specified more nodes than supported just check
-+ * if the non supported part is all zero.
-+ *
-+ * If maxnode have more longs than MAX_NUMNODES, check
-+ * the bits in that area first. And then go through to
-+ * check the rest bits which equal or bigger than MAX_NUMNODES.
-+ * Otherwise, just check bits [MAX_NUMNODES, maxnode).
-+ */
- if (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) {
- if (nlongs > PAGE_SIZE/sizeof(long))
- return -EINVAL;
- for (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) {
-- unsigned long t;
- if (get_user(t, nmask + k))
- return -EFAULT;
- if (k == nlongs - 1) {
-@@ -1321,6 +1328,16 @@ static int get_nodes(nodemask_t *nodes,
- endmask = ~0UL;
- }
-
-+ if (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) {
-+ unsigned long valid_mask = endmask;
-+
-+ valid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1);
-+ if (get_user(t, nmask + nlongs - 1))
-+ return -EFAULT;
-+ if (t & valid_mask)
-+ return -EINVAL;
-+ }
-+
- if (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long)))
- return -EFAULT;
- nodes_addr(*nodes)[nlongs-1] &= endmask;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Yisheng Xie <xieyisheng1@huawei.com>
-Date: Thu, 22 Mar 2018 16:17:02 -0700
-Subject: mm/mempolicy.c: avoid use uninitialized preferred_node
-
-From: Yisheng Xie <xieyisheng1@huawei.com>
-
-[ Upstream commit 8970a63e965b43288c4f5f40efbc2bbf80de7f16 ]
-
-Alexander reported a use of uninitialized memory in __mpol_equal(),
-which is caused by incorrect use of preferred_node.
-
-When mempolicy in mode MPOL_PREFERRED with flags MPOL_F_LOCAL, it uses
-numa_node_id() instead of preferred_node, however, __mpol_equal() uses
-preferred_node without checking whether it is MPOL_F_LOCAL or not.
-
-[akpm@linux-foundation.org: slight comment tweak]
-Link: http://lkml.kernel.org/r/4ebee1c2-57f6-bcb8-0e2d-1833d1ee0bb7@huawei.com
-Fixes: fc36b8d3d819 ("mempolicy: use MPOL_F_LOCAL to Indicate Preferred Local Policy")
-Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
-Reported-by: Alexander Potapenko <glider@google.com>
-Tested-by: Alexander Potapenko <glider@google.com>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: Dmitriy Vyukov <dvyukov@google.com>
-Cc: Vlastimil Babka <vbabka@suse.cz>
-Cc: Michal Hocko <mhocko@kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/mempolicy.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -2169,6 +2169,9 @@ bool __mpol_equal(struct mempolicy *a, s
- case MPOL_INTERLEAVE:
- return !!nodes_equal(a->v.nodes, b->v.nodes);
- case MPOL_PREFERRED:
-+ /* a's ->flags is the same as b's */
-+ if (a->flags & MPOL_F_LOCAL)
-+ return true;
- return a->v.preferred_node == b->v.preferred_node;
- default:
- BUG();
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Mel Gorman <mgorman@techsingularity.net>
-Date: Wed, 31 Jan 2018 16:19:52 -0800
-Subject: mm: pin address_space before dereferencing it while isolating an LRU page
-
-From: Mel Gorman <mgorman@techsingularity.net>
-
-[ Upstream commit 69d763fc6d3aee787a3e8c8c35092b4f4960fa5d ]
-
-Minchan Kim asked the following question -- what locks protects
-address_space destroying when race happens between inode trauncation and
-__isolate_lru_page? Jan Kara clarified by describing the race as follows
-
-CPU1 CPU2
-
-truncate(inode) __isolate_lru_page()
- ...
- truncate_inode_page(mapping, page);
- delete_from_page_cache(page)
- spin_lock_irqsave(&mapping->tree_lock, flags);
- __delete_from_page_cache(page, NULL)
- page_cache_tree_delete(..)
- ... mapping = page_mapping(page);
- page->mapping = NULL;
- ...
- spin_unlock_irqrestore(&mapping->tree_lock, flags);
- page_cache_free_page(mapping, page)
- put_page(page)
- if (put_page_testzero(page)) -> false
-- inode now has no pages and can be freed including embedded address_space
-
- if (mapping && !mapping->a_ops->migratepage)
-- we've dereferenced mapping which is potentially already free.
-
-The race is theoretically possible but unlikely. Before the
-delete_from_page_cache, truncate_cleanup_page is called so the page is
-likely to be !PageDirty or PageWriteback which gets skipped by the only
-caller that checks the mappping in __isolate_lru_page. Even if the race
-occurs, a substantial amount of work has to happen during a tiny window
-with no preemption but it could potentially be done using a virtual
-machine to artifically slow one CPU or halt it during the critical
-window.
-
-This patch should eliminate the race with truncation by try-locking the
-page before derefencing mapping and aborting if the lock was not
-acquired. There was a suggestion from Huang Ying to use RCU as a
-side-effect to prevent mapping being freed. However, I do not like the
-solution as it's an unconventional means of preserving a mapping and
-it's not a context where rcu_read_lock is obviously protecting rcu data.
-
-Link: http://lkml.kernel.org/r/20180104102512.2qos3h5vqzeisrek@techsingularity.net
-Fixes: c82449352854 ("mm: compaction: make isolate_lru_page() filter-aware again")
-Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
-Acked-by: Minchan Kim <minchan@kernel.org>
-Cc: "Huang, Ying" <ying.huang@intel.com>
-Cc: Jan Kara <jack@suse.cz>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/vmscan.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
---- a/mm/vmscan.c
-+++ b/mm/vmscan.c
-@@ -1215,6 +1215,7 @@ int __isolate_lru_page(struct page *page
-
- if (PageDirty(page)) {
- struct address_space *mapping;
-+ bool migrate_dirty;
-
- /* ISOLATE_CLEAN means only clean pages */
- if (mode & ISOLATE_CLEAN)
-@@ -1223,10 +1224,19 @@ int __isolate_lru_page(struct page *page
- /*
- * Only pages without mappings or that have a
- * ->migratepage callback are possible to migrate
-- * without blocking
-+ * without blocking. However, we can be racing with
-+ * truncation so it's necessary to lock the page
-+ * to stabilise the mapping as truncation holds
-+ * the page lock until after the page is removed
-+ * from the page cache.
- */
-+ if (!trylock_page(page))
-+ return ret;
-+
- mapping = page_mapping(page);
-- if (mapping && !mapping->a_ops->migratepage)
-+ migrate_dirty = mapping && mapping->a_ops->migratepage;
-+ unlock_page(page);
-+ if (!migrate_dirty)
- return ret;
- }
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-Date: Thu, 29 Mar 2018 19:05:29 +0900
-Subject: net: Fix untag for vlan packets without ethernet header
-
-From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-
-[ Upstream commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 ]
-
-In some situation vlan packets do not have ethernet headers. One example
-is packets from tun devices. Users can specify vlan protocol in tun_pi
-field instead of IP protocol, and skb_vlan_untag() attempts to untag such
-packets.
-
-skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
-however did not expect packets without ethernet headers, so in such a case
-size argument for memmove() underflowed and triggered crash.
-
-====
-BUG: unable to handle kernel paging request at ffff8801cccb8000
-IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
-PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
-Oops: 000b [#1] SMP KASAN
-Dumping ftrace buffer:
- (ftrace buffer empty)
-Modules linked in:
-CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
-RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
-RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
-RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
-RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
-R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
-R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
-FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
-DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
-Call Trace:
- memmove include/linux/string.h:360 [inline]
- skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
- skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
- __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
- __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
- netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
- netif_receive_skb+0xae/0x390 net/core/dev.c:4725
- tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
- tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
- tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
- call_write_iter include/linux/fs.h:1782 [inline]
- new_sync_write fs/read_write.c:469 [inline]
- __vfs_write+0x684/0x970 fs/read_write.c:482
- vfs_write+0x189/0x510 fs/read_write.c:544
- SYSC_write fs/read_write.c:589 [inline]
- SyS_write+0xef/0x220 fs/read_write.c:581
- do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
-RIP: 0033:0x454879
-RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
-RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
-RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
-RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
-R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
-Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
-RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
-CR2: ffff8801cccb8000
-====
-
-We don't need to copy headers for packets which do not have preceding
-headers of vlan headers, so skip memmove() in that case.
-
-Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
-Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
-Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/core/skbuff.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -4136,8 +4136,10 @@ static struct sk_buff *skb_reorder_vlan_
- }
-
- mac_len = skb->data - skb_mac_header(skb);
-- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
-- mac_len - VLAN_HLEN - ETH_TLEN);
-+ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
-+ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
-+ mac_len - VLAN_HLEN - ETH_TLEN);
-+ }
- skb->mac_header += VLAN_HLEN;
- return skb;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-Date: Tue, 13 Mar 2018 14:51:27 +0900
-Subject: net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
-
-From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-
-[ Upstream commit 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61 ]
-
-When we have a bridge with vlan_filtering on and a vlan device on top of
-it, packets would be corrupted in skb_vlan_untag() called from
-br_dev_xmit().
-
-The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(),
-which makes use of skb->mac_len. In this function mac_len is meant for
-handling rx path with vlan devices with reorder_header disabled, but in
-tx path mac_len is typically 0 and cannot be used, which is the problem
-in this case.
-
-The current code even does not properly handle rx path (skb_vlan_untag()
-called from __netif_receive_skb_core()) with reorder_header off actually.
-
-In rx path single tag case, it works as follows:
-
-- Before skb_reorder_vlan_header()
-
- mac_header data
- v v
- +-------------------+-------------+------+----
- | ETH | VLAN | ETH |
- | ADDRS | TPID | TCI | TYPE |
- +-------------------+-------------+------+----
- <-------- mac_len --------->
- <------------->
- to be removed
-
-- After skb_reorder_vlan_header()
-
- mac_header data
- v v
- +-------------------+------+----
- | ETH | ETH |
- | ADDRS | TYPE |
- +-------------------+------+----
- <-------- mac_len --------->
-
-This is ok, but in rx double tag case, it corrupts packets:
-
-- Before skb_reorder_vlan_header()
-
- mac_header data
- v v
- +-------------------+-------------+-------------+------+----
- | ETH | VLAN | VLAN | ETH |
- | ADDRS | TPID | TCI | TPID | TCI | TYPE |
- +-------------------+-------------+-------------+------+----
- <--------------- mac_len ---------------->
- <------------->
- should be removed
- <--------------------------->
- actually will be removed
-
-- After skb_reorder_vlan_header()
-
- mac_header data
- v v
- +-------------------+------+----
- | ETH | ETH |
- | ADDRS | TYPE |
- +-------------------+------+----
- <--------------- mac_len ---------------->
-
-So, two of vlan tags are both removed while only inner one should be
-removed and mac_header (and mac_len) is broken.
-
-skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2),
-so use skb->data and skb->mac_header to calculate the right offset.
-
-Reported-by: Brandon Carpenter <brandon.carpenter@cypherpath.com>
-Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off")
-Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/uapi/linux/if_ether.h | 1 +
- net/core/skbuff.c | 7 +++++--
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
---- a/include/uapi/linux/if_ether.h
-+++ b/include/uapi/linux/if_ether.h
-@@ -29,6 +29,7 @@
- */
-
- #define ETH_ALEN 6 /* Octets in one ethernet addr */
-+#define ETH_TLEN 2 /* Octets in ethernet type field */
- #define ETH_HLEN 14 /* Total octets in header. */
- #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */
- #define ETH_DATA_LEN 1500 /* Max. octets in payload */
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -4128,13 +4128,16 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_segl
-
- static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
- {
-+ int mac_len;
-+
- if (skb_cow(skb, skb_headroom(skb)) < 0) {
- kfree_skb(skb);
- return NULL;
- }
-
-- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
-- 2 * ETH_ALEN);
-+ mac_len = skb->data - skb_mac_header(skb);
-+ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
-+ mac_len - VLAN_HLEN - ETH_TLEN);
- skb->mac_header += VLAN_HLEN;
- return skb;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Leon Romanovsky <leonro@mellanox.com>
-Date: Tue, 2 Jan 2018 16:49:56 +0200
-Subject: net/mlx5: Protect from command bit overflow
-
-From: Leon Romanovsky <leonro@mellanox.com>
-
-[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ]
-
-The system with CONFIG_UBSAN enabled on produces the following error
-during driver initialization. The reason to it that max_reg_cmds can be
-larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long.
-
-================================================================================
-UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42
-signed integer overflow:
--2147483648 - 1 cannot be represented in type 'int'
-CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
-Call Trace:
- dump_stack+0xe9/0x18f
- ? dma_virt_alloc+0x81/0x81
- ubsan_epilogue+0xe/0x4e
- handle_overflow+0x187/0x20c
- mlx5_cmd_init+0x73a/0x12b0
- mlx5_load_one+0x1c3d/0x1d30
- init_one+0xd02/0xf10
- pci_device_probe+0x26c/0x3b0
- driver_probe_device+0x622/0xb40
- __driver_attach+0x175/0x1b0
- bus_for_each_dev+0xef/0x190
- bus_add_driver+0x2db/0x490
- driver_register+0x16b/0x1e0
- __pci_register_driver+0x177/0x1b0
- init+0x6d/0x92
- do_one_initcall+0x15b/0x270
- kernel_init_freeable+0x2d8/0x3d0
- kernel_init+0x14/0x190
- ret_from_fork+0x24/0x30
-================================================================================
-
-Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
-Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
-@@ -1371,7 +1371,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *
-
- cmd->checksum_disabled = 1;
- cmd->max_reg_cmds = (1 << cmd->log_sz) - 1;
-- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1;
-+ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1;
-
- cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16;
- if (cmd->cmdif_rev > CMD_IF_REV) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Yelena Krivosheev <yelena@marvell.com>
-Date: Fri, 30 Mar 2018 12:05:31 +0200
-Subject: net: mvneta: fix enable of all initialized RXQs
-
-From: Yelena Krivosheev <yelena@marvell.com>
-
-[ Upstream commit e81b5e01c14add8395dfba7130f8829206bb507d ]
-
-In mvneta_port_up() we enable relevant RX and TX port queues by write
-queues bit map to an appropriate register.
-
-q_map must be ZERO in the beginning of this process.
-
-Signed-off-by: Yelena Krivosheev <yelena@marvell.com>
-Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
-Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/marvell/mvneta.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/ethernet/marvell/mvneta.c
-+++ b/drivers/net/ethernet/marvell/mvneta.c
-@@ -748,6 +748,7 @@ static void mvneta_port_up(struct mvneta
- }
- mvreg_write(pp, MVNETA_TXQ_CMD, q_map);
-
-+ q_map = 0;
- /* Enable all initialized RXQs. */
- q_map = 0;
- for (queue = 0; queue < rxq_number; queue++) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Pawel Dembicki <paweldembicki@gmail.com>
-Date: Sat, 24 Mar 2018 22:08:14 +0100
-Subject: net: qmi_wwan: add BroadMobi BM806U 2020:2033
-
-From: Pawel Dembicki <paweldembicki@gmail.com>
-
-[ Upstream commit 743989254ea9f132517806d8893ca9b6cf9dc86b ]
-
-BroadMobi BM806U is an Qualcomm MDM9225 based 3G/4G modem.
-Tested hardware BM806U is mounted on D-Link DWR-921-C3 router.
-The USB id is added to qmi_wwan.c to allow QMI communication with
-the BM806U.
-
-Tested on 4.14 kernel and OpenWRT.
-
-Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/qmi_wwan.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/usb/qmi_wwan.c
-+++ b/drivers/net/usb/qmi_wwan.c
-@@ -754,6 +754,7 @@ static const struct usb_device_id produc
- {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
- {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
- {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */
-+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
- {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
- {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
- {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Joey Pabalinas <joeypabalinas@gmail.com>
-Date: Tue, 27 Feb 2018 22:05:53 -1000
-Subject: net/tcp/illinois: replace broken algorithm reference link
-
-From: Joey Pabalinas <joeypabalinas@gmail.com>
-
-[ Upstream commit ecc832758a654e375924ebf06a4ac971acb5ce60 ]
-
-The link to the pdf containing the algorithm description is now a
-dead link; it seems http://www.ifp.illinois.edu/~srikant/ has been
-moved to https://sites.google.com/a/illinois.edu/srikant/ and none of
-the original papers can be found there...
-
-I have replaced it with the only working copy I was able to find.
-
-n.b. there is also a copy available at:
-
-http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.6350&rep=rep1&type=pdf
-
-However, this seems to only be a *cached* version, so I am unsure
-exactly how reliable that link can be expected to remain over time
-and have decided against using that one.
-
-Signed-off-by: Joey Pabalinas <joeypabalinas@gmail.com>
-
- net/ipv4/tcp_illinois.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_illinois.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv4/tcp_illinois.c
-+++ b/net/ipv4/tcp_illinois.c
-@@ -6,7 +6,7 @@
- * The algorithm is described in:
- * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm
- * for High-Speed Networks"
-- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf
-+ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf
- *
- * Implemented from description in paper and ns-2 simulation.
- * Copyright (C) 2007 Stephen Hemminger <shemminger@linux-foundation.org>
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Giuseppe Lippolis <giu.lippolis@gmail.com>
-Date: Mon, 26 Mar 2018 16:34:39 +0200
-Subject: net-usb: add qmi_wwan if on lte modem wistron neweb d18q1
-
-From: Giuseppe Lippolis <giu.lippolis@gmail.com>
-
-[ Upstream commit d4c4bc11353f3bea6754f7d21e3612c9f32d1d64 ]
-
-This modem is embedded on dlink dwr-921 router.
- The oem configuration states:
-
- T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
- D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
- P: Vendor=1435 ProdID=0918 Rev= 2.32
- S: Manufacturer=Android
- S: Product=Android
- S: SerialNumber=0123456789ABCDEF
- C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA
- I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
- E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
- E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
- E: Ad=84(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
- E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
- E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
- E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
- E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
- E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
- E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
- E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- I:* If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
- E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
-
-Tested on openwrt distribution
-
-Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/qmi_wwan.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/net/usb/qmi_wwan.c
-+++ b/drivers/net/usb/qmi_wwan.c
-@@ -678,6 +678,9 @@ static const struct usb_device_id produc
- {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
- {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
- {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
-+ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
-+ {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */
-+ {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */
- {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
- {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */
- {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Florian Westphal <fw@strlen.de>
-Date: Mon, 19 Feb 2018 01:24:53 +0100
-Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs
-
-From: Florian Westphal <fw@strlen.de>
-
-[ Upstream commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca ]
-
-All of these conditions are not fatal and should have
-been WARN_ONs from the get-go.
-
-Convert them to WARN_ONs and bail out.
-
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++---------
- 1 file changed, 18 insertions(+), 9 deletions(-)
-
---- a/net/bridge/netfilter/ebtables.c
-+++ b/net/bridge/netfilter/ebtables.c
-@@ -1612,7 +1612,8 @@ static int compat_match_to_user(struct e
- int off = ebt_compat_match_offset(match, m->match_size);
- compat_uint_t msize = m->match_size - off;
-
-- BUG_ON(off >= m->match_size);
-+ if (WARN_ON(off >= m->match_size))
-+ return -EINVAL;
-
- if (copy_to_user(cm->u.name, match->name,
- strlen(match->name) + 1) || put_user(msize, &cm->match_size))
-@@ -1639,7 +1640,8 @@ static int compat_target_to_user(struct
- int off = xt_compat_target_offset(target);
- compat_uint_t tsize = t->target_size - off;
-
-- BUG_ON(off >= t->target_size);
-+ if (WARN_ON(off >= t->target_size))
-+ return -EINVAL;
-
- if (copy_to_user(cm->u.name, target->name,
- strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
-@@ -1867,7 +1869,8 @@ static int ebt_buf_add(struct ebt_entrie
- if (state->buf_kern_start == NULL)
- goto count_only;
-
-- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
-+ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
-+ return -EINVAL;
-
- memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
-
-@@ -1880,7 +1883,8 @@ static int ebt_buf_add_pad(struct ebt_en
- {
- char *b = state->buf_kern_start;
-
-- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
-+ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
-+ return -EINVAL;
-
- if (b != NULL && sz > 0)
- memset(b + state->buf_kern_offset, 0, sz);
-@@ -1957,8 +1961,10 @@ static int compat_mtw_from_user(struct c
- pad = XT_ALIGN(size_kern) - size_kern;
-
- if (pad > 0 && dst) {
-- BUG_ON(state->buf_kern_len <= pad);
-- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
-+ if (WARN_ON(state->buf_kern_len <= pad))
-+ return -EINVAL;
-+ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
-+ return -EINVAL;
- memset(dst + size_kern, 0, pad);
- }
- return off + match_size;
-@@ -2009,7 +2015,8 @@ static int ebt_size_mwt(struct compat_eb
- if (ret < 0)
- return ret;
-
-- BUG_ON(ret < match32->match_size);
-+ if (WARN_ON(ret < match32->match_size))
-+ return -EINVAL;
- growth += ret - match32->match_size;
- growth += ebt_compat_entry_padsize();
-
-@@ -2119,7 +2126,8 @@ static int size_entry_mwt(struct ebt_ent
-
- startoff = state->buf_user_offset - startoff;
-
-- BUG_ON(*total < startoff);
-+ if (WARN_ON(*total < startoff))
-+ return -EINVAL;
- *total -= startoff;
- return 0;
- }
-@@ -2247,7 +2255,8 @@ static int compat_do_replace(struct net
- state.buf_kern_len = size64;
-
- ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
-- BUG_ON(ret < 0); /* parses same data again */
-+ if (WARN_ON(ret < 0))
-+ goto out_unlock;
-
- vfree(entries_tmp);
- tmp.entries_size = size64;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Florian Westphal <fw@strlen.de>
-Date: Thu, 8 Mar 2018 12:54:19 +0100
-Subject: netfilter: ebtables: fix erroneous reject of last rule
-
-From: Florian Westphal <fw@strlen.de>
-
-[ Upstream commit 932909d9b28d27e807ff8eecb68c7748f6701628 ]
-
-The last rule in the blob has next_entry offset that is same as total size.
-This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
-
-Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bridge/netfilter/ebtables.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/net/bridge/netfilter/ebtables.c
-+++ b/net/bridge/netfilter/ebtables.c
-@@ -2086,8 +2086,12 @@ static int size_entry_mwt(struct ebt_ent
- * offsets are relative to beginning of struct ebt_entry (i.e., 0).
- */
- for (i = 0; i < 4 ; ++i) {
-- if (offsets[i] >= *total)
-+ if (offsets[i] > *total)
- return -EINVAL;
-+
-+ if (i < 3 && offsets[i] == *total)
-+ return -EINVAL;
-+
- if (i == 0)
- continue;
- if (offsets[i-1] > offsets[i])
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Richard Haines <richard_c_haines@btinternet.com>
-Date: Mon, 13 Nov 2017 20:54:22 +0000
-Subject: netlabel: If PF_INET6, check sk_buff ip header version
-
-From: Richard Haines <richard_c_haines@btinternet.com>
-
-[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ]
-
-When resolving a fallback label, check the sk_buff version as it
-is possible (e.g. SCTP) to have family = PF_INET6 while
-receiving ip_hdr(skb)->version = 4.
-
-Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
-Acked-by: Paul Moore <paul@paul-moore.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netlabel/netlabel_unlabeled.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/net/netlabel/netlabel_unlabeled.c
-+++ b/net/netlabel/netlabel_unlabeled.c
-@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct
- iface = rcu_dereference(netlbl_unlhsh_def);
- if (iface == NULL || !iface->valid)
- goto unlabel_getattr_nolabel;
-+
-+#if IS_ENABLED(CONFIG_IPV6)
-+ /* When resolving a fallback label, check the sk_buff version as
-+ * it is possible (e.g. SCTP) to have family = PF_INET6 while
-+ * receiving ip_hdr(skb)->version = 4.
-+ */
-+ if (family == PF_INET6 && ip_hdr(skb)->version == 4)
-+ family = PF_INET;
-+#endif /* IPv6 */
-+
- switch (family) {
- case PF_INET: {
- struct iphdr *hdr4;
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 14 Feb 2018 15:45:07 -0800
-Subject: NFC: llcp: Limit size of SDP URI
-
-From: Kees Cook <keescook@chromium.org>
-
-[ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ]
-
-The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
-this both in the NLA policy and in the code that performs the allocation
-and copy, to avoid writing past the end of the allocated buffer.
-
-Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/nfc/llcp_commands.c | 4 ++++
- net/nfc/netlink.c | 3 ++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
---- a/net/nfc/llcp_commands.c
-+++ b/net/nfc/llcp_commands.c
-@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_
-
- pr_debug("uri: %s, len: %zu\n", uri, uri_len);
-
-+ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
-+ if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
-+ return NULL;
-+
- sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
- if (sdreq == NULL)
- return NULL;
---- a/net/nfc/netlink.c
-+++ b/net/nfc/netlink.c
-@@ -60,7 +60,8 @@ static const struct nla_policy nfc_genl_
- };
-
- static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
-- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
-+ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
-+ .len = U8_MAX - 4 },
- [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
- };
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Jan Chochol <jan@chochol.info>
-Date: Fri, 5 Jan 2018 08:39:12 +0100
-Subject: nfs: Do not convert nfs_idmap_cache_timeout to jiffies
-
-From: Jan Chochol <jan@chochol.info>
-
-[ Upstream commit cbebc6ef4fc830f4040d4140bf53484812d5d5d9 ]
-
-Since commit 57e62324e469 ("NFS: Store the legacy idmapper result in the
-keyring") nfs_idmap_cache_timeout changed units from jiffies to seconds.
-Unfortunately sysctl interface was not updated accordingly.
-
-As a effect updating /proc/sys/fs/nfs/idmap_cache_timeout with some
-value will incorrectly multiply this value by HZ.
-Also reading /proc/sys/fs/nfs/idmap_cache_timeout will show real value
-divided by HZ.
-
-Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring")
-Signed-off-by: Jan Chochol <jan@chochol.info>
-Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/nfs/nfs4sysctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/nfs/nfs4sysctl.c
-+++ b/fs/nfs/nfs4sysctl.c
-@@ -31,7 +31,7 @@ static struct ctl_table nfs4_cb_sysctls[
- .data = &nfs_idmap_cache_timeout,
- .maxlen = sizeof(int),
- .mode = 0644,
-- .proc_handler = proc_dointvec_jiffies,
-+ .proc_handler = proc_dointvec,
- },
- { }
- };
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: piaojun <piaojun@huawei.com>
-Date: Wed, 31 Jan 2018 16:14:59 -0800
-Subject: ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute
-
-From: piaojun <piaojun@huawei.com>
-
-[ Upstream commit 16c8d569f5704a84164f30ff01b29879f3438065 ]
-
-The race between *set_acl and *get_acl will cause getting incomplete
-xattr data as below:
-
- processA processB
-
- ocfs2_set_acl
- ocfs2_xattr_set
- __ocfs2_xattr_set_handle
-
- ocfs2_get_acl_nolock
- ocfs2_xattr_get_nolock:
-
-processB may get incomplete xattr data if processA hasn't set_acl done.
-
-So we should use 'ip_xattr_sem' to protect getting extended attribute in
-ocfs2_get_acl_nolock(), as other processes could be changing it
-concurrently.
-
-Link: http://lkml.kernel.org/r/5A5DDCFF.7030001@huawei.com
-Signed-off-by: Jun Piao <piaojun@huawei.com>
-Reviewed-by: Alex Chen <alex.chen@huawei.com>
-Cc: Mark Fasheh <mfasheh@versity.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Joseph Qi <jiangqi903@gmail.com>
-Cc: Changwei Ge <ge.changwei@h3c.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/acl.c | 6 ++++++
- fs/ocfs2/xattr.c | 2 ++
- 2 files changed, 8 insertions(+)
-
---- a/fs/ocfs2/acl.c
-+++ b/fs/ocfs2/acl.c
-@@ -300,7 +300,9 @@ struct posix_acl *ocfs2_iop_get_acl(stru
- if (ret < 0)
- return ERR_PTR(ret);
-
-+ down_read(&OCFS2_I(inode)->ip_xattr_sem);
- acl = ocfs2_get_acl_nolock(inode, type, di_bh);
-+ up_read(&OCFS2_I(inode)->ip_xattr_sem);
-
- brelse(di_bh);
-
-@@ -319,7 +321,9 @@ int ocfs2_acl_chmod(struct inode *inode,
- if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL))
- return 0;
-
-+ down_read(&OCFS2_I(inode)->ip_xattr_sem);
- acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh);
-+ up_read(&OCFS2_I(inode)->ip_xattr_sem);
- if (IS_ERR(acl) || !acl)
- return PTR_ERR(acl);
- ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
-@@ -350,8 +354,10 @@ int ocfs2_init_acl(handle_t *handle,
-
- if (!S_ISLNK(inode->i_mode)) {
- if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) {
-+ down_read(&OCFS2_I(dir)->ip_xattr_sem);
- acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT,
- dir_bh);
-+ up_read(&OCFS2_I(dir)->ip_xattr_sem);
- if (IS_ERR(acl))
- return PTR_ERR(acl);
- }
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -645,9 +645,11 @@ int ocfs2_calc_xattr_init(struct inode *
- si->value_len);
-
- if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) {
-+ down_read(&OCFS2_I(dir)->ip_xattr_sem);
- acl_len = ocfs2_xattr_get_nolock(dir, dir_bh,
- OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT,
- "", NULL, 0);
-+ up_read(&OCFS2_I(dir)->ip_xattr_sem);
- if (acl_len > 0) {
- a_size = ocfs2_xattr_entry_real_size(0, acl_len);
- if (S_ISDIR(mode))
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: piaojun <piaojun@huawei.com>
-Date: Wed, 31 Jan 2018 16:14:44 -0800
-Subject: ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid
-
-From: piaojun <piaojun@huawei.com>
-
-[ Upstream commit 025bcbde3634b2c9b316f227fed13ad6ad6817fb ]
-
-If metadata is corrupted such as 'invalid inode block', we will get
-failed by calling 'mount()' and then set filesystem readonly as below:
-
- ocfs2_mount
- ocfs2_initialize_super
- ocfs2_init_global_system_inodes
- ocfs2_iget
- ocfs2_read_locked_inode
- ocfs2_validate_inode_block
- ocfs2_error
- ocfs2_handle_error
- ocfs2_set_ro_flag(osb, 0); // set readonly
-
-In this situation we need return -EROFS to 'mount.ocfs2', so that user
-can fix it by fsck. And then mount again. In addition, 'mount.ocfs2'
-should be updated correspondingly as it only return 1 for all errno.
-And I will post a patch for 'mount.ocfs2' too.
-
-Link: http://lkml.kernel.org/r/5A4302FA.2010606@huawei.com
-Signed-off-by: Jun Piao <piaojun@huawei.com>
-Reviewed-by: Alex Chen <alex.chen@huawei.com>
-Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
-Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
-Reviewed-by: Gang He <ghe@suse.com>
-Cc: Mark Fasheh <mfasheh@versity.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ocfs2/super.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
---- a/fs/ocfs2/super.c
-+++ b/fs/ocfs2/super.c
-@@ -467,9 +467,8 @@ static int ocfs2_init_global_system_inod
- new = ocfs2_get_system_file_inode(osb, i, osb->slot_num);
- if (!new) {
- ocfs2_release_system_inodes(osb);
-- status = -EINVAL;
-+ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL;
- mlog_errno(status);
-- /* FIXME: Should ERROR_RO_FS */
- mlog(ML_ERROR, "Unable to load system inode %d, "
- "possibly corrupt fs?", i);
- goto bail;
-@@ -498,7 +497,7 @@ static int ocfs2_init_local_system_inode
- new = ocfs2_get_system_file_inode(osb, i, osb->slot_num);
- if (!new) {
- ocfs2_release_system_inodes(osb);
-- status = -EINVAL;
-+ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL;
- mlog(ML_ERROR, "status=%d, sysfile=%d, slot=%d\n",
- status, i, osb->slot_num);
- goto bail;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Helge Deller <deller@gmx.de>
-Date: Sun, 25 Mar 2018 14:04:22 +0200
-Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode
-
-From: Helge Deller <deller@gmx.de>
-
-[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ]
-
-Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy
-I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card.
-
-To avoid such instability, this patch switches the LBA PCI bus from Hard Fail
-mode into Soft Fail mode. In this mode the bus will return -1UL for timed out
-MMIO transactions, which is exactly how the x86 (and most other architectures)
-PCI busses behave.
-
-This patch is based on a proposal by Grant Grundler and Kyle McMartin 10
-years ago:
-https://www.spinics.net/lists/linux-parisc/msg01027.html
-
-Cc: Carlo Pisani <carlojpisani@gmail.com>
-Cc: Kyle McMartin <kyle@mcmartin.ca>
-Reviewed-by: Grant Grundler <grantgrundler@gmail.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/parisc/lba_pci.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
---- a/drivers/parisc/lba_pci.c
-+++ b/drivers/parisc/lba_pci.c
-@@ -1366,9 +1366,27 @@ lba_hw_init(struct lba_device *d)
- WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG);
- }
-
-- /* Set HF mode as the default (vs. -1 mode). */
-+
-+ /*
-+ * Hard Fail vs. Soft Fail on PCI "Master Abort".
-+ *
-+ * "Master Abort" means the MMIO transaction timed out - usually due to
-+ * the device not responding to an MMIO read. We would like HF to be
-+ * enabled to find driver problems, though it means the system will
-+ * crash with a HPMC.
-+ *
-+ * In SoftFail mode "~0L" is returned as a result of a timeout on the
-+ * pci bus. This is like how PCI busses on x86 and most other
-+ * architectures behave. In order to increase compatibility with
-+ * existing (x86) PCI hardware and existing Linux drivers we enable
-+ * Soft Faul mode on PA-RISC now too.
-+ */
- stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL);
-+#if defined(ENABLE_HARDFAIL)
- WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
-+#else
-+ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
-+#endif
-
- /*
- ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Thomas Vincent-Cross <me@tvc.id.au>
-Date: Tue, 27 Feb 2018 20:20:36 +1100
-Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220
-
-From: Thomas Vincent-Cross <me@tvc.id.au>
-
-[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ]
-
-Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679
-Signed-off-by: Thomas Vincent-Cross <me@tvc.id.au>
-Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/quirks.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/pci/quirks.c
-+++ b/drivers/pci/quirks.c
-@@ -3573,6 +3573,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
- /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0,
- quirk_dma_func1_alias);
-+/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */
-+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220,
-+ quirk_dma_func1_alias);
- /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
- quirk_dma_func1_alias);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Alex Williamson <alex.williamson@redhat.com>
-Date: Tue, 16 Jan 2018 10:05:26 -0700
-Subject: PCI: Add function 1 DMA alias quirk for Marvell 9128
-
-From: Alex Williamson <alex.williamson@redhat.com>
-
-[ Upstream commit aa008206634363ef800fbd5f0262016c9ff81dea ]
-
-The Marvell 9128 is the original device generating bug 42679, from which
-many other Marvell DMA alias quirks have been sourced, but we didn't have
-positive confirmation of the fix on 9128 until now.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679
-Link: https://www.spinics.net/lists/kvm/msg161459.html
-Reported-by: Binarus <lists@binarus.de>
-Tested-by: Binarus <lists@binarus.de>
-Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/quirks.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/pci/quirks.c
-+++ b/drivers/pci/quirks.c
-@@ -3559,6 +3559,8 @@ static void quirk_dma_func1_alias(struct
- */
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
- quirk_dma_func1_alias);
-+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
-+ quirk_dma_func1_alias);
- /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130,
- quirk_dma_func1_alias);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
-Date: Sat, 3 Mar 2018 10:53:24 +0100
-Subject: PCI: Restore config space on runtime resume despite being unbound
-
-From: "Rafael J. Wysocki" <rjw@rjwysocki.net>
-
-[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ]
-
-We leave PCI devices not bound to a driver in D0 during runtime suspend.
-But they may have a parent which is bound and can be transitioned to
-D3cold at runtime. Once the parent goes to D3cold, the unbound child
-may go to D3cold as well. When the child goes to D3cold, its internal
-state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost.
-
-One example are recent hybrid graphics laptops which cut power to the
-discrete GPU when the root port above it goes to ACPI power state D3.
-Users may provoke this by unbinding the GPU driver and allowing runtime
-PM on the GPU via sysfs: The PM core will then treat the GPU as
-"suspended", which in turn allows the root port to runtime suspend,
-causing the power resources listed in its _PR3 object to be powered off.
-The GPU's BARs will be uninitialized when a driver later probes it.
-
-Another example are hybrid graphics laptops where the GPU itself (rather
-than the root port) is capable of runtime suspending to D3cold. If the
-GPU's integrated HDA controller is not bound and the GPU's driver
-decides to runtime suspend to D3cold, the HDA controller's BARs will be
-uninitialized when a driver later probes it.
-
-Fix by saving and restoring config space over a runtime suspend cycle
-even if the device is not bound.
-
-Acked-by: Bjorn Helgaas <bhelgaas@google.com>
-Tested-by: Peter Wu <peter@lekensteyn.nl> # Nvidia Optimus
-Tested-by: Lukas Wunner <lukas@wunner.de> # MacBook Pro
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-[lukas: add commit message, bikeshed code comments for clarity]
-Signed-off-by: Lukas Wunner <lukas@wunner.de>
-Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/pci-driver.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
---- a/drivers/pci/pci-driver.c
-+++ b/drivers/pci/pci-driver.c
-@@ -1120,11 +1120,14 @@ static int pci_pm_runtime_suspend(struct
- int error;
-
- /*
-- * If pci_dev->driver is not set (unbound), the device should
-- * always remain in D0 regardless of the runtime PM status
-+ * If pci_dev->driver is not set (unbound), we leave the device in D0,
-+ * but it may go to D3cold when the bridge above it runtime suspends.
-+ * Save its config space in case that happens.
- */
-- if (!pci_dev->driver)
-+ if (!pci_dev->driver) {
-+ pci_save_state(pci_dev);
- return 0;
-+ }
-
- if (!pm || !pm->runtime_suspend)
- return -ENOSYS;
-@@ -1163,16 +1166,18 @@ static int pci_pm_runtime_resume(struct
- const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
-
- /*
-- * If pci_dev->driver is not set (unbound), the device should
-- * always remain in D0 regardless of the runtime PM status
-+ * Restoring config space is necessary even if the device is not bound
-+ * to a driver because although we left it in D0, it may have gone to
-+ * D3cold when the bridge above it runtime suspended.
- */
-+ pci_restore_standard_config(pci_dev);
-+
- if (!pci_dev->driver)
- return 0;
-
- if (!pm || !pm->runtime_resume)
- return -ENOSYS;
-
-- pci_restore_standard_config(pci_dev);
- pci_fixup_device(pci_fixup_resume_early, pci_dev);
- __pci_enable_wake(pci_dev, PCI_D0, true, false);
- pci_fixup_device(pci_fixup_resume, pci_dev);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 23 Feb 2018 08:12:42 -0800
-Subject: percpu: add a schedule point in pcpu_balance_workfn()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit accd4f36a7d11c2d54544007eb65e10604dcf2f5 ]
-
-When a large BPF percpu map is destroyed, I have seen
-pcpu_balance_workfn() holding cpu for hundreds of milliseconds.
-
-On KASAN config and 112 hyperthreads, average time to destroy a chunk
-is ~4 ms.
-
-[ 2489.841376] destroy chunk 1 in 4148689 ns
-...
-[ 2490.093428] destroy chunk 32 in 4072718 ns
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/percpu.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -1146,6 +1146,7 @@ static void pcpu_balance_workfn(struct w
- spin_unlock_irq(&pcpu_lock);
- }
- pcpu_destroy_chunk(chunk);
-+ cond_resched();
- }
-
- /* service chunks which requested async area map extension */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Fri, 9 Mar 2018 12:52:04 +0100
-Subject: perf/core: Fix perf_output_read_group()
-
-From: Peter Zijlstra <peterz@infradead.org>
-
-[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ]
-
-Mark reported his arm64 perf fuzzer runs sometimes splat like:
-
- armv8pmu_read_counter+0x1e8/0x2d8
- armpmu_event_update+0x8c/0x188
- armpmu_read+0xc/0x18
- perf_output_read+0x550/0x11e8
- perf_event_read_event+0x1d0/0x248
- perf_event_exit_task+0x468/0xbb8
- do_exit+0x690/0x1310
- do_group_exit+0xd0/0x2b0
- get_signal+0x2e8/0x17a8
- do_signal+0x144/0x4f8
- do_notify_resume+0x148/0x1e8
- work_pending+0x8/0x14
-
-which asserts that we only call pmu::read() on ACTIVE events.
-
-The above callchain does:
-
- perf_event_exit_task()
- perf_event_exit_task_context()
- task_ctx_sched_out() // INACTIVE
- perf_event_exit_event()
- perf_event_set_state(EXIT) // EXIT
- sync_child_event()
- perf_event_read_event()
- perf_output_read()
- perf_output_read_group()
- leader->pmu->read()
-
-Which results in doing a pmu::read() on an !ACTIVE event.
-
-I _think_ this is 'new' since we added attr.inherit_stat, which added
-the perf_event_read_event() to the exit path, without that
-perf_event_read_output() would only trigger from samples and for
-@event to trigger a sample, it's leader _must_ be ACTIVE too.
-
-Still, adding this check makes it consistent with the @sub case for
-the siblings.
-
-Reported-and-Tested-by: Mark Rutland <mark.rutland@arm.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
-Cc: Jiri Olsa <jolsa@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Vince Weaver <vincent.weaver@maine.edu>
-Cc: linux-kernel@vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/events/core.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -4878,7 +4878,8 @@ static void perf_output_read_group(struc
- if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING)
- values[n++] = running;
-
-- if (leader != event)
-+ if ((leader != event) &&
-+ (leader->state == PERF_EVENT_STATE_ACTIVE))
- leader->pmu->read(leader);
-
- values[n++] = perf_event_count(leader);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Mathieu Malaterre <malat@debian.org>
-Date: Sun, 25 Feb 2018 18:22:29 +0100
-Subject: powerpc: Add missing prototype for arch_irq_work_raise()
-
-From: Mathieu Malaterre <malat@debian.org>
-
-[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ]
-
-In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new
-function arch_irq_work_raise() was added without a prototype in header
-irq_work.h.
-
-Fix the following warning (treated as error in W=1):
- arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’
-
-Signed-off-by: Mathieu Malaterre <malat@debian.org>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/include/asm/irq_work.h | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/powerpc/include/asm/irq_work.h
-+++ b/arch/powerpc/include/asm/irq_work.h
-@@ -5,5 +5,6 @@ static inline bool arch_irq_work_has_int
- {
- return true;
- }
-+extern void arch_irq_work_raise(void);
-
- #endif /* _ASM_POWERPC_IRQ_WORK_H */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Michael Ellerman <mpe@ellerman.id.au>
-Date: Fri, 30 Mar 2018 23:27:25 +1100
-Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask()
-
-From: Michael Ellerman <mpe@ellerman.id.au>
-
-[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ]
-
-In mpic_physmask() we loop over all CPUs up to 32, then get the hard
-SMP processor id of that CPU.
-
-Currently that's possibly walking off the end of the paca array, but
-in a future patch we will change the paca array to be an array of
-pointers, and in that case we will get a NULL for missing CPUs and
-oops. eg:
-
- Unable to handle kernel paging request for data at address 0x88888888888888b8
- Faulting instruction address: 0xc00000000004e380
- Oops: Kernel access of bad area, sig: 11 [#1]
- ...
- NIP .mpic_set_affinity+0x60/0x1a0
- LR .irq_do_set_affinity+0x48/0x100
-
-Fix it by checking the CPU is possible, this also fixes the code if
-there are gaps in the CPU numbering which probably never happens on
-mpic systems but who knows.
-
-Debugged-by: Nicholas Piggin <npiggin@gmail.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/sysdev/mpic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/powerpc/sysdev/mpic.c
-+++ b/arch/powerpc/sysdev/mpic.c
-@@ -627,7 +627,7 @@ static inline u32 mpic_physmask(u32 cpum
- int i;
- u32 mask = 0;
-
-- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1)
-+ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1)
- mask |= (cpumask & 1) << get_hard_smp_processor_id(i);
- return mask;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Michael Ellerman <mpe@ellerman.id.au>
-Date: Wed, 21 Mar 2018 17:10:24 +0530
-Subject: powerpc/perf: Fix kernel address leak via sampling registers
-
-From: Michael Ellerman <mpe@ellerman.id.au>
-
-[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ]
-
-Current code in power_pmu_disable() does not clear the sampling
-registers like Sampling Instruction Address Register (SIAR) and
-Sampling Data Address Register (SDAR) after disabling the PMU. Since
-these are userspace readable and could contain kernel addresses, add
-code to explicitly clear the content of these registers.
-
-Also add a "context synchronizing instruction" to enforce no further
-updates to these registers as suggested by Power ISA v3.0B. From
-section 9.4, on page 1108:
-
- "If an mtspr instruction is executed that changes the value of a
- Performance Monitor register other than SIAR, SDAR, and SIER, the
- change is not guaranteed to have taken effect until after a
- subsequent context synchronizing instruction has been executed (see
- Chapter 11. "Synchronization Requirements for Context Alterations"
- on page 1133)."
-
-Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
-[mpe: Massage change log and add ISA reference]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
---- a/arch/powerpc/perf/core-book3s.c
-+++ b/arch/powerpc/perf/core-book3s.c
-@@ -1193,6 +1193,7 @@ static void power_pmu_disable(struct pmu
- */
- write_mmcr0(cpuhw, val);
- mb();
-+ isync();
-
- /*
- * Disable instruction sampling if it was enabled
-@@ -1201,12 +1202,26 @@ static void power_pmu_disable(struct pmu
- mtspr(SPRN_MMCRA,
- cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE);
- mb();
-+ isync();
- }
-
- cpuhw->disabled = 1;
- cpuhw->n_added = 0;
-
- ebb_switch_out(mmcr0);
-+
-+#ifdef CONFIG_PPC64
-+ /*
-+ * These are readable by userspace, may contain kernel
-+ * addresses and are not switched by context switch, so clear
-+ * them now to avoid leaking anything to userspace in general
-+ * including to another process.
-+ */
-+ if (ppmu->flags & PPMU_ARCH_207S) {
-+ mtspr(SPRN_SDAR, 0);
-+ mtspr(SPRN_SIAR, 0);
-+ }
-+#endif
- }
-
- local_irq_restore(flags);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
-Date: Wed, 21 Mar 2018 17:10:25 +0530
-Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer
-
-From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
-
-[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ]
-
-The current Branch History Rolling Buffer (BHRB) code does not check
-for any privilege levels before updating the data from BHRB. This
-could leak kernel addresses to userspace even when profiling only with
-userspace privileges. Add proper checks to prevent it.
-
-Acked-by: Balbir Singh <bsingharora@gmail.com>
-Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/perf/core-book3s.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/arch/powerpc/perf/core-book3s.c
-+++ b/arch/powerpc/perf/core-book3s.c
-@@ -443,6 +443,16 @@ static void power_pmu_bhrb_read(struct c
- /* invalid entry */
- continue;
-
-+ /*
-+ * BHRB rolling buffer could very much contain the kernel
-+ * addresses at this point. Check the privileges before
-+ * exporting it to userspace (avoid exposure of regions
-+ * where we could have speculative execution)
-+ */
-+ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) &&
-+ is_kernel_addr(addr))
-+ continue;
-+
- /* Branches are read most recent first (ie. mfbhrb 0 is
- * the most recent branch).
- * There are two types of valid entries:
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
-Date: Sun, 4 Mar 2018 23:00:25 +0530
-Subject: powerpc/xmon: Setup debugger hooks when first break-point is set
-
-From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
-
-[ Upstream commit e1368d0c9edbc366e45216e7295fd61ae55c2b12 ]
-
-Presently sysrq key for xmon('x') is registered during kernel init
-irrespective of the value of kernel param 'xmon'. Thus xmon is enabled
-even if 'xmon=off' is passed on the kernel command line. However this
-doesn't enable the kernel debugger hooks needed for instruction or
-data breakpoints. Thus when a break-point is hit with xmon=off a
-kernel oops of the form below is reported:
-
- Oops: Exception in kernel mode, sig: 5 [#1]
- < snip >
- Trace/breakpoint trap
-
-To fix this the patch checks and enables debugger hooks when an
-instruction or data break-point is set via xmon console.
-
-Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
-Reviewed-by: Balbir Singh <bsingharora@gmail.com>
-[mpe: Just printf directly, no need for static const char[]]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/xmon/xmon.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -1122,6 +1122,16 @@ static long check_bp_loc(unsigned long a
- return 1;
- }
-
-+/* Force enable xmon if not already enabled */
-+static inline void force_enable_xmon(void)
-+{
-+ /* Enable xmon hooks if needed */
-+ if (!xmon_on) {
-+ printf("xmon: Enabling debugger hooks\n");
-+ xmon_on = 1;
-+ }
-+}
-+
- static char *breakpoint_help_string =
- "Breakpoint command usage:\n"
- "b show breakpoints\n"
-@@ -1164,6 +1174,8 @@ bpt_cmds(void)
- dabr.address &= ~HW_BRK_TYPE_DABR;
- dabr.enabled = mode | BP_DABR;
- }
-+
-+ force_enable_xmon();
- break;
-
- case 'i': /* bi - hardware instr breakpoint */
-@@ -1184,6 +1196,7 @@ bpt_cmds(void)
- if (bp != NULL) {
- bp->enabled |= BP_IABR | BP_IABR_TE;
- iabr = bp;
-+ force_enable_xmon();
- }
- break;
- #endif
-@@ -1248,8 +1261,10 @@ bpt_cmds(void)
- if (!check_bp_loc(a))
- break;
- bp = new_breakpoint(a);
-- if (bp != NULL)
-+ if (bp != NULL) {
- bp->enabled |= BP_TRAP;
-+ force_enable_xmon();
-+ }
- break;
- }
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Alexey Dobriyan <adobriyan@gmail.com>
-Date: Tue, 6 Feb 2018 15:36:59 -0800
-Subject: proc: fix /proc/*/map_files lookup
-
-From: Alexey Dobriyan <adobriyan@gmail.com>
-
-[ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ]
-
-Current code does:
-
- if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
-
-However sscanf() is broken garbage.
-
-It silently accepts whitespace between format specifiers
-(did you know that?).
-
-It silently accepts valid strings which result in integer overflow.
-
-Do not use sscanf() for any even remotely reliable parsing code.
-
- OK
- # readlink '/proc/1/map_files/55a23af39000-55a23b05b000'
- /lib/systemd/systemd
-
- broken
- # readlink '/proc/1/map_files/ 55a23af39000-55a23b05b000'
- /lib/systemd/systemd
-
- broken
- # readlink '/proc/1/map_files/55a23af39000-55a23b05b000 '
- /lib/systemd/systemd
-
- very broken
- # readlink '/proc/1/map_files/1000000000000000055a23af39000-55a23b05b000'
- /lib/systemd/systemd
-
-Andrei said:
-
-: This patch breaks criu. It was a bug in criu. And this bug is on a minor
-: path, which works when memfd_create() isn't available. It is a reason why
-: I ask to not backport this patch to stable kernels.
-:
-: In CRIU this bug can be triggered, only if this patch will be backported
-: to a kernel which version is lower than v3.16.
-
-Link: http://lkml.kernel.org/r/20171120212706.GA14325@avx2
-Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
-Cc: Pavel Emelyanov <xemul@openvz.org>
-Cc: Andrei Vagin <avagin@virtuozzo.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/proc/base.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -94,6 +94,8 @@
- #include "internal.h"
- #include "fd.h"
-
-+#include "../../lib/kstrtox.h"
-+
- /* NOTE:
- * Implementing inode permission operations in /proc is almost
- * certainly an error. Permission checks need to happen during
-@@ -1642,8 +1644,33 @@ end_instantiate:
- static int dname_to_vma_addr(struct dentry *dentry,
- unsigned long *start, unsigned long *end)
- {
-- if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
-+ const char *str = dentry->d_name.name;
-+ unsigned long long sval, eval;
-+ unsigned int len;
-+
-+ len = _parse_integer(str, 16, &sval);
-+ if (len & KSTRTOX_OVERFLOW)
-+ return -EINVAL;
-+ if (sval != (unsigned long)sval)
- return -EINVAL;
-+ str += len;
-+
-+ if (*str != '-')
-+ return -EINVAL;
-+ str++;
-+
-+ len = _parse_integer(str, 16, &eval);
-+ if (len & KSTRTOX_OVERFLOW)
-+ return -EINVAL;
-+ if (eval != (unsigned long)eval)
-+ return -EINVAL;
-+ str += len;
-+
-+ if (*str != '\0')
-+ return -EINVAL;
-+
-+ *start = sval;
-+ *end = eval;
-
- return 0;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 25 Feb 2018 19:12:10 -0800
-Subject: r8152: fix tx packets accounting
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 4c27bf3c5b7434ccb9ab962301da661c26b467a4 ]
-
-r8152 driver handles TSO packets (limited to ~16KB) quite well,
-but pretends each TSO logical packet is a single packet on the wire.
-
-There is also some error since headers are accounted once, but
-error rate is small enough that we do not care.
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/r8152.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/usb/r8152.c
-+++ b/drivers/net/usb/r8152.c
-@@ -1590,7 +1590,7 @@ static int r8152_tx_agg_fill(struct r815
-
- tx_data += len;
- agg->skb_len += len;
-- agg->skb_num++;
-+ agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1;
-
- dev_kfree_skb_any(skb);
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Leon Romanovsky <leonro@mellanox.com>
-Date: Sun, 28 Jan 2018 11:25:30 +0200
-Subject: RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
-
-From: Leon Romanovsky <leonro@mellanox.com>
-
-[ Upstream commit b081808a66345ba725b77ecd8d759bee874cd937 ]
-
-Failure in XRCD FW deallocation command leaves memory leaked and
-returns error to the user which he can't do anything about it.
-
-This patch changes behavior to always free memory and always return
-success to the user.
-
-Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
-Reviewed-by: Majd Dibbiny <majd@mellanox.com>
-Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/infiniband/hw/mlx5/qp.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
---- a/drivers/infiniband/hw/mlx5/qp.c
-+++ b/drivers/infiniband/hw/mlx5/qp.c
-@@ -3028,12 +3028,9 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd
- int err;
-
- err = mlx5_core_xrcd_dealloc(dev->mdev, xrcdn);
-- if (err) {
-+ if (err)
- mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn);
-- return err;
-- }
-
- kfree(xrcd);
--
- return 0;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Date: Fri, 26 Jan 2018 23:13:44 +0100
-Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()'
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ]
-
-If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must
-release the reference on the current 'child' node before returning.
-
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/regulator/of_regulator.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/regulator/of_regulator.c
-+++ b/drivers/regulator/of_regulator.c
-@@ -181,6 +181,7 @@ int of_regulator_match(struct device *de
- dev_err(dev,
- "failed to parse DT for regulator %s\n",
- child->name);
-+ of_node_put(child);
- return -EINVAL;
- }
- match->of_node = of_node_get(child);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 22 Feb 2018 20:55:28 +0100
-Subject: regulatory: add NUL to request alpha2
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-[ Upstream commit 657308f73e674e86b60509a430a46e569bf02846 ]
-
-Similar to the ancient commit a5fe8e7695dc ("regulatory: add NUL
-to alpha2"), add another byte to alpha2 in the request struct so
-that when we use nla_put_string(), we don't overrun anything.
-
-Fixes: 73d54c9e74c4 ("cfg80211: add regulatory netlink multicast group")
-Reported-by: Kees Cook <keescook@google.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/regulatory.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/include/net/regulatory.h
-+++ b/include/net/regulatory.h
-@@ -78,7 +78,7 @@ struct regulatory_request {
- int wiphy_idx;
- enum nl80211_reg_initiator initiator;
- enum nl80211_user_reg_hint_type user_reg_hint_type;
-- char alpha2[2];
-+ char alpha2[3];
- enum nl80211_dfs_regions dfs_region;
- bool intersect;
- bool processed;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Colin Ian King <colin.king@canonical.com>
-Date: Thu, 15 Feb 2018 19:36:14 +0000
-Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift
-
-From: Colin Ian King <colin.king@canonical.com>
-
-[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ]
-
-The shifting of buf[5] by 24 bits to the left will be promoted to
-a 32 bit signed int and then sign-extended to an unsigned long. If
-the top bit of buf[5] is set then all then all the upper bits sec
-end up as also being set because of the sign-extension. Fix this by
-casting buf[5] to an unsigned long before the shift.
-
-Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
-
-Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver")
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/rtc/rtc-tx4939.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/rtc/rtc-tx4939.c
-+++ b/drivers/rtc/rtc-tx4939.c
-@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d
- for (i = 2; i < 6; i++)
- buf[i] = __raw_readl(&rtcreg->dat);
- spin_unlock_irq(&pdata->lock);
-- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
-+ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
-+ (buf[3] << 8) | buf[2];
- rtc_time_to_tm(sec, tm);
- return rtc_valid_tm(tm);
- }
-@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct
- alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0;
- alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0;
- spin_unlock_irq(&pdata->lock);
-- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
-+ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
-+ (buf[3] << 8) | buf[2];
- rtc_time_to_tm(sec, &alrm->time);
- return rtc_valid_tm(&alrm->time);
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Sebastian Ott <sebott@linux.vnet.ibm.com>
-Date: Mon, 12 Feb 2018 12:01:03 +0100
-Subject: s390/cio: clear timer when terminating driver I/O
-
-From: Sebastian Ott <sebott@linux.vnet.ibm.com>
-
-[ Upstream commit 410d5e13e7638bc146321671e223d56495fbf3c7 ]
-
-When we terminate driver I/O (because we need to stop using a certain
-channel path) we also need to ensure that a timer (which may have been
-set up using ccw_device_start_timeout) is cleared.
-
-Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/s390/cio/device_fsm.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/s390/cio/device_fsm.c
-+++ b/drivers/s390/cio/device_fsm.c
-@@ -885,6 +885,7 @@ void ccw_device_kill_io(struct ccw_devic
- {
- int ret;
-
-+ ccw_device_set_timeout(cdev, 0);
- cdev->private->iretry = 255;
- cdev->private->async_kill_io_rc = -EIO;
- ret = ccw_device_cancel_halt_clear(cdev);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Sebastian Ott <sebott@linux.vnet.ibm.com>
-Date: Wed, 7 Feb 2018 13:18:19 +0100
-Subject: s390/cio: fix return code after missing interrupt
-
-From: Sebastian Ott <sebott@linux.vnet.ibm.com>
-
-[ Upstream commit 770b55c995d171f026a9efb85e71e3b1ea47b93d ]
-
-When a timeout occurs for users of ccw_device_start_timeout
-we will stop the IO and call the drivers int handler with
-the irb pointer set to ERR_PTR(-ETIMEDOUT). Sometimes
-however we'd set the irb pointer to ERR_PTR(-EIO) which is
-not intended. Just set the correct value in all codepaths.
-
-Reported-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
-Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/s390/cio/device_fsm.c | 6 ++++--
- drivers/s390/cio/io_sch.h | 1 +
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
---- a/drivers/s390/cio/device_fsm.c
-+++ b/drivers/s390/cio/device_fsm.c
-@@ -784,6 +784,7 @@ ccw_device_online_timeout(struct ccw_dev
-
- ccw_device_set_timeout(cdev, 0);
- cdev->private->iretry = 255;
-+ cdev->private->async_kill_io_rc = -ETIMEDOUT;
- ret = ccw_device_cancel_halt_clear(cdev);
- if (ret == -EBUSY) {
- ccw_device_set_timeout(cdev, 3*HZ);
-@@ -860,7 +861,7 @@ ccw_device_killing_irq(struct ccw_device
- /* OK, i/o is dead now. Call interrupt handler. */
- if (cdev->handler)
- cdev->handler(cdev, cdev->private->intparm,
-- ERR_PTR(-EIO));
-+ ERR_PTR(cdev->private->async_kill_io_rc));
- }
-
- static void
-@@ -877,7 +878,7 @@ ccw_device_killing_timeout(struct ccw_de
- ccw_device_online_verify(cdev, 0);
- if (cdev->handler)
- cdev->handler(cdev, cdev->private->intparm,
-- ERR_PTR(-EIO));
-+ ERR_PTR(cdev->private->async_kill_io_rc));
- }
-
- void ccw_device_kill_io(struct ccw_device *cdev)
-@@ -885,6 +886,7 @@ void ccw_device_kill_io(struct ccw_devic
- int ret;
-
- cdev->private->iretry = 255;
-+ cdev->private->async_kill_io_rc = -EIO;
- ret = ccw_device_cancel_halt_clear(cdev);
- if (ret == -EBUSY) {
- ccw_device_set_timeout(cdev, 3*HZ);
---- a/drivers/s390/cio/io_sch.h
-+++ b/drivers/s390/cio/io_sch.h
-@@ -155,6 +155,7 @@ struct ccw_device_private {
- unsigned long intparm; /* user interruption parameter */
- struct qdio_irq *qdio_data;
- struct irb irb; /* device status */
-+ int async_kill_io_rc;
- struct senseid senseid; /* SenseID info */
- struct pgid pgid[8]; /* path group IDs per chpid*/
- struct ccw1 iccws[2]; /* ccws for SNID/SID/SPGID commands */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Davidlohr Bueso <dave@stgolabs.net>
-Date: Mon, 2 Apr 2018 09:49:54 -0700
-Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning
-
-From: Davidlohr Bueso <dave@stgolabs.net>
-
-[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ]
-
-While running rt-tests' pi_stress program I got the following splat:
-
- rq->clock_update_flags < RQCF_ACT_SKIP
- WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20
-
- [...]
-
- <IRQ>
- enqueue_top_rt_rq+0xf4/0x150
- ? cpufreq_dbs_governor_start+0x170/0x170
- sched_rt_rq_enqueue+0x65/0x80
- sched_rt_period_timer+0x156/0x360
- ? sched_rt_rq_enqueue+0x80/0x80
- __hrtimer_run_queues+0xfa/0x260
- hrtimer_interrupt+0xcb/0x220
- smp_apic_timer_interrupt+0x62/0x120
- apic_timer_interrupt+0xf/0x20
- </IRQ>
-
- [...]
-
- do_idle+0x183/0x1e0
- cpu_startup_entry+0x5f/0x70
- start_secondary+0x192/0x1d0
- secondary_startup_64+0xa5/0xb0
-
-We can get rid of it be the "traditional" means of adding an
-update_rq_clock() call after acquiring the rq->lock in
-do_sched_rt_period_timer().
-
-The case for the RT task throttling (which this workload also hits)
-can be ignored in that the skip_update call is actually bogus and
-quite the contrary (the request bits are removed/reverted).
-
-By setting RQCF_UPDATED we really don't care if the skip is happening
-or not and will therefore make the assert_clock_updated() check happy.
-
-Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
-Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Mike Galbraith <efault@gmx.de>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: dave@stgolabs.net
-Cc: linux-kernel@vger.kernel.org
-Cc: rostedt@goodmis.org
-Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/sched/rt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/kernel/sched/rt.c
-+++ b/kernel/sched/rt.c
-@@ -818,6 +818,8 @@ static int do_sched_rt_period_timer(stru
- struct rq *rq = rq_of_rt_rq(rt_rq);
-
- raw_spin_lock(&rq->lock);
-+ update_rq_clock(rq);
-+
- if (rt_rq->rt_time) {
- u64 runtime;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Meelis Roos <mroos@linux.ee>
-Date: Fri, 9 Feb 2018 08:57:44 +0200
-Subject: scsi: aacraid: fix shutdown crash when init fails
-
-From: Meelis Roos <mroos@linux.ee>
-
-[ Upstream commit 00c20cdc79259c6c5bf978b21af96c2d3edb646d ]
-
-When aacraid init fails with "AAC0: adapter self-test failed.", shutdown
-leads to UBSAN warning and then oops:
-
-[154316.118423] ================================================================================
-[154316.118508] UBSAN: Undefined behaviour in drivers/scsi/scsi_lib.c:2328:27
-[154316.118566] member access within null pointer of type 'struct Scsi_Host'
-[154316.118631] CPU: 2 PID: 14530 Comm: reboot Tainted: G W 4.15.0-dirty #89
-[154316.118701] Hardware name: Hewlett Packard HP NetServer/HP System Board, BIOS 4.06.46 PW 06/25/2003
-[154316.118774] Call Trace:
-[154316.118848] dump_stack+0x48/0x65
-[154316.118916] ubsan_epilogue+0xe/0x40
-[154316.118976] __ubsan_handle_type_mismatch+0xfb/0x180
-[154316.119043] scsi_block_requests+0x20/0x30
-[154316.119135] aac_shutdown+0x18/0x40 [aacraid]
-[154316.119196] pci_device_shutdown+0x33/0x50
-[154316.119269] device_shutdown+0x18a/0x390
-[...]
-[154316.123435] BUG: unable to handle kernel NULL pointer dereference at 000000f4
-[154316.123515] IP: scsi_block_requests+0xa/0x30
-
-This is because aac_shutdown() does
-
- struct Scsi_Host *shost = pci_get_drvdata(dev);
- scsi_block_requests(shost);
-
-and that assumes shost has been assigned with pci_set_drvdata().
-
-However, pci_set_drvdata(pdev, shost) is done in aac_probe_one() far
-after bailing out with error from calling the init function
-((*aac_drivers[index].init)(aac)), and when the init function fails, no
-error is returned from aac_probe_one() so PCI layer assumes there is
-driver attached, and tries to shut it down later.
-
-Fix it by returning error from aac_probe_one() when card-specific init
-function fails.
-
-This fixes reboot on my HP NetRAID-4M with dead battery.
-
-Signed-off-by: Meelis Roos <mroos@linux.ee>
-Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/aacraid/linit.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/aacraid/linit.c
-+++ b/drivers/scsi/aacraid/linit.c
-@@ -1172,8 +1172,10 @@ static int aac_probe_one(struct pci_dev
- * Map in the registers from the adapter.
- */
- aac->base_size = AAC_MIN_FOOTPRINT_SIZE;
-- if ((*aac_drivers[index].init)(aac))
-+ if ((*aac_drivers[index].init)(aac)) {
-+ error = -ENODEV;
- goto out_unmap;
-+ }
-
- if (aac->sync_mode) {
- if (aac_sync_mode)
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Dave Carroll <david.carroll@microsemi.com>
-Date: Tue, 3 Apr 2018 15:50:42 -0600
-Subject: scsi: aacraid: Insure command thread is not recursively stopped
-
-From: Dave Carroll <david.carroll@microsemi.com>
-
-[ Upstream commit 1c6b41fb92936fa5facea464d5d7cbf855966d04 ]
-
-If a recursive IOP_RESET is invoked, usually due to the eh_thread
-handling errors after the first reset, be sure we flag that the command
-thread has been stopped to avoid an Oops of the form;
-
- [ 336.620256] CPU: 28 PID: 1193 Comm: scsi_eh_0 Kdump: loaded Not tainted 4.14.0-49.el7a.ppc64le #1
- [ 336.620297] task: c000003fd630b800 task.stack: c000003fd61a4000
- [ 336.620326] NIP: c000000000176794 LR: c00000000013038c CTR: c00000000024bc10
- [ 336.620361] REGS: c000003fd61a7720 TRAP: 0300 Not tainted (4.14.0-49.el7a.ppc64le)
- [ 336.620395] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 22084022 XER: 20040000
- [ 336.620435] CFAR: c000000000130388 DAR: 0000000000000000 DSISR: 40000000 SOFTE: 1
- [ 336.620435] GPR00: c00000000013038c c000003fd61a79a0 c0000000014c7e00 0000000000000000
- [ 336.620435] GPR04: 000000000000000c 000000000000000c 9000000000009033 0000000000000477
- [ 336.620435] GPR08: 0000000000000477 0000000000000000 0000000000000000 c008000010f7d940
- [ 336.620435] GPR12: c00000000024bc10 c000000007a33400 c0000000001708a8 c000003fe3b881d8
- [ 336.620435] GPR16: c000003fe3b88060 c000003fd61a7d10 fffffffffffff000 000000000000001e
- [ 336.620435] GPR20: 0000000000000001 c000000000ebf1a0 0000000000000001 c000003fe3b88000
- [ 336.620435] GPR24: 0000000000000003 0000000000000002 c000003fe3b88840 c000003fe3b887e8
- [ 336.620435] GPR28: c000003fe3b88000 c000003fc8181788 0000000000000000 c000003fc8181700
- [ 336.620750] NIP [c000000000176794] exit_creds+0x34/0x160
- [ 336.620775] LR [c00000000013038c] __put_task_struct+0x8c/0x1f0
- [ 336.620804] Call Trace:
- [ 336.620817] [c000003fd61a79a0] [c000003fe3b88000] 0xc000003fe3b88000 (unreliable)
- [ 336.620853] [c000003fd61a79d0] [c00000000013038c] __put_task_struct+0x8c/0x1f0
- [ 336.620889] [c000003fd61a7a00] [c000000000171418] kthread_stop+0x1e8/0x1f0
- [ 336.620922] [c000003fd61a7a40] [c008000010f7448c] aac_reset_adapter+0x14c/0x8d0 [aacraid]
- [ 336.620959] [c000003fd61a7b00] [c008000010f60174] aac_eh_host_reset+0x84/0x100 [aacraid]
- [ 336.621010] [c000003fd61a7b30] [c000000000864f24] scsi_try_host_reset+0x74/0x180
- [ 336.621046] [c000003fd61a7bb0] [c000000000867ac0] scsi_eh_ready_devs+0xc00/0x14d0
- [ 336.625165] [c000003fd61a7ca0] [c0000000008699e0] scsi_error_handler+0x550/0x730
- [ 336.632101] [c000003fd61a7dc0] [c000000000170a08] kthread+0x168/0x1b0
- [ 336.639031] [c000003fd61a7e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4
- [ 336.645971] Instruction dump:
- [ 336.648743] 384216a0 7c0802a6 fbe1fff8 f8010010 f821ffd1 7c7f1b78 60000000 60000000
- [ 336.657056] 39400000 e87f0838 f95f0838 7c0004ac <7d401828> 314affff 7d40192d 40c2fff4
- [ 336.663997] -[ end trace 4640cf8d4945ad95 ]-
-
-So flag when the thread is stopped by setting the thread pointer to NULL.
-
-Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
-Reviewed-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@microsemi.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/aacraid/commsup.c | 4 +++-
- drivers/scsi/aacraid/linit.c | 1 +
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/aacraid/commsup.c
-+++ b/drivers/scsi/aacraid/commsup.c
-@@ -1270,9 +1270,10 @@ static int _aac_reset_adapter(struct aac
- host = aac->scsi_host_ptr;
- scsi_block_requests(host);
- aac_adapter_disable_int(aac);
-- if (aac->thread->pid != current->pid) {
-+ if (aac->thread && aac->thread->pid != current->pid) {
- spin_unlock_irq(host->host_lock);
- kthread_stop(aac->thread);
-+ aac->thread = NULL;
- jafo = 1;
- }
-
-@@ -1343,6 +1344,7 @@ static int _aac_reset_adapter(struct aac
- aac->name);
- if (IS_ERR(aac->thread)) {
- retval = PTR_ERR(aac->thread);
-+ aac->thread = NULL;
- goto out;
- }
- }
---- a/drivers/scsi/aacraid/linit.c
-+++ b/drivers/scsi/aacraid/linit.c
-@@ -1096,6 +1096,7 @@ static void __aac_shutdown(struct aac_de
- up(&fib->event_wait);
- }
- kthread_stop(aac->thread);
-+ aac->thread = NULL;
- }
- aac_send_shutdown(aac);
- aac_adapter_disable_int(aac);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Chad Dupuis <chad.dupuis@cavium.com>
-Date: Wed, 24 Jan 2018 08:07:06 -0800
-Subject: scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
-
-From: Chad Dupuis <chad.dupuis@cavium.com>
-
-[ Upstream commit ecf7ff49945f5741fa1da112f994939f942031d3 ]
-
-When a request times out we set the io_req flag BNX2FC_FLAG_IO_COMPL so
-that if a subsequent completion comes in on that task ID we will ignore
-it. The issue is that in the check for this flag there is a missing
-return so we will continue to process a request which may have already
-been returned to the ownership of the SCSI layer. This can cause
-unpredictable results.
-
-Solution is to add in the missing return.
-
-[mkp: typo plus title shortening]
-
-Signed-off-by: Chad Dupuis <chad.dupuis@cavium.com>
-Reviewed-by: Laurence Oberman <loberman@redhat.com>
-Tested-by: Laurence Oberman <loberman@redhat.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/bnx2fc/bnx2fc_io.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/scsi/bnx2fc/bnx2fc_io.c
-+++ b/drivers/scsi/bnx2fc/bnx2fc_io.c
-@@ -1932,6 +1932,7 @@ void bnx2fc_process_scsi_cmd_compl(struc
- /* we will not receive ABTS response for this IO */
- BNX2FC_IO_DBG(io_req, "Timer context finished processing "
- "this scsi cmd\n");
-+ return;
- }
-
- /* Cancel the timeout_work, as we received IO completion */
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Thu, 18 Jan 2018 14:16:38 +0100
-Subject: scsi: fas216: fix sense buffer initialization
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit 96d5eaa9bb74d299508d811d865c2c41b38b0301 ]
-
-While testing with the ARM specific memset() macro removed, I ran into a
-compiler warning that shows an old bug:
-
-drivers/scsi/arm/fas216.c: In function 'fas216_rq_sns_done':
-drivers/scsi/arm/fas216.c:2014:40: error: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Werror=sizeof-pointer-memaccess]
-
-It turns out that the definition of the scsi_cmd structure changed back
-in linux-2.6.25, so now we clear only four bytes (sizeof(pointer))
-instead of 96 (SCSI_SENSE_BUFFERSIZE). I did not check whether we
-actually need to initialize the buffer here, but it's clear that if we
-do it, we should use the correct size.
-
-Fixes: de25deb18016 ("[SCSI] use dynamically allocated sense buffer")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/arm/fas216.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/arm/fas216.c
-+++ b/drivers/scsi/arm/fas216.c
-@@ -2010,7 +2010,7 @@ static void fas216_rq_sns_done(FAS216_In
- * have valid data in the sense buffer that could
- * confuse the higher levels.
- */
-- memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer));
-+ memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
- //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id);
- //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); }
- /*
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Jason Yan <yanaijie@huawei.com>
-Date: Thu, 8 Mar 2018 10:34:53 +0800
-Subject: scsi: libsas: defer ata device eh commands to libata
-
-From: Jason Yan <yanaijie@huawei.com>
-
-[ Upstream commit 318aaf34f1179b39fa9c30fa0f3288b645beee39 ]
-
-When ata device doing EH, some commands still attached with tasks are
-not passed to libata when abort failed or recover failed, so libata did
-not handle these commands. After these commands done, sas task is freed,
-but ata qc is not freed. This will cause ata qc leak and trigger a
-warning like below:
-
-WARNING: CPU: 0 PID: 28512 at drivers/ata/libata-eh.c:4037
-ata_eh_finish+0xb4/0xcc
-CPU: 0 PID: 28512 Comm: kworker/u32:2 Tainted: G W OE 4.14.0#1
-......
-Call trace:
-[<ffff0000088b7bd0>] ata_eh_finish+0xb4/0xcc
-[<ffff0000088b8420>] ata_do_eh+0xc4/0xd8
-[<ffff0000088b8478>] ata_std_error_handler+0x44/0x8c
-[<ffff0000088b8068>] ata_scsi_port_error_handler+0x480/0x694
-[<ffff000008875fc4>] async_sas_ata_eh+0x4c/0x80
-[<ffff0000080f6be8>] async_run_entry_fn+0x4c/0x170
-[<ffff0000080ebd70>] process_one_work+0x144/0x390
-[<ffff0000080ec100>] worker_thread+0x144/0x418
-[<ffff0000080f2c98>] kthread+0x10c/0x138
-[<ffff0000080855dc>] ret_from_fork+0x10/0x18
-
-If ata qc leaked too many, ata tag allocation will fail and io blocked
-for ever.
-
-As suggested by Dan Williams, defer ata device commands to libata and
-merge sas_eh_finish_cmd() with sas_eh_defer_cmd(). libata will handle
-ata qcs correctly after this.
-
-Signed-off-by: Jason Yan <yanaijie@huawei.com>
-CC: Xiaofei Tan <tanxiaofei@huawei.com>
-CC: John Garry <john.garry@huawei.com>
-CC: Dan Williams <dan.j.williams@intel.com>
-Reviewed-by: Dan Williams <dan.j.williams@intel.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/libsas/sas_scsi_host.c | 33 +++++++++++++--------------------
- 1 file changed, 13 insertions(+), 20 deletions(-)
-
---- a/drivers/scsi/libsas/sas_scsi_host.c
-+++ b/drivers/scsi/libsas/sas_scsi_host.c
-@@ -250,6 +250,7 @@ out_done:
- static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
- {
- struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host);
-+ struct domain_device *dev = cmd_to_domain_dev(cmd);
- struct sas_task *task = TO_SAS_TASK(cmd);
-
- /* At this point, we only get called following an actual abort
-@@ -258,6 +259,14 @@ static void sas_eh_finish_cmd(struct scs
- */
- sas_end_task(cmd, task);
-
-+ if (dev_is_sata(dev)) {
-+ /* defer commands to libata so that libata EH can
-+ * handle ata qcs correctly
-+ */
-+ list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q);
-+ return;
-+ }
-+
- /* now finish the command and move it on to the error
- * handler done list, this also takes it off the
- * error handler pending list.
-@@ -265,22 +274,6 @@ static void sas_eh_finish_cmd(struct scs
- scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q);
- }
-
--static void sas_eh_defer_cmd(struct scsi_cmnd *cmd)
--{
-- struct domain_device *dev = cmd_to_domain_dev(cmd);
-- struct sas_ha_struct *ha = dev->port->ha;
-- struct sas_task *task = TO_SAS_TASK(cmd);
--
-- if (!dev_is_sata(dev)) {
-- sas_eh_finish_cmd(cmd);
-- return;
-- }
--
-- /* report the timeout to libata */
-- sas_end_task(cmd, task);
-- list_move_tail(&cmd->eh_entry, &ha->eh_ata_q);
--}
--
- static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd)
- {
- struct scsi_cmnd *cmd, *n;
-@@ -288,7 +281,7 @@ static void sas_scsi_clear_queue_lu(stru
- list_for_each_entry_safe(cmd, n, error_q, eh_entry) {
- if (cmd->device->sdev_target == my_cmd->device->sdev_target &&
- cmd->device->lun == my_cmd->device->lun)
-- sas_eh_defer_cmd(cmd);
-+ sas_eh_finish_cmd(cmd);
- }
- }
-
-@@ -678,12 +671,12 @@ static void sas_eh_handle_sas_errors(str
- case TASK_IS_DONE:
- SAS_DPRINTK("%s: task 0x%p is done\n", __func__,
- task);
-- sas_eh_defer_cmd(cmd);
-+ sas_eh_finish_cmd(cmd);
- continue;
- case TASK_IS_ABORTED:
- SAS_DPRINTK("%s: task 0x%p is aborted\n",
- __func__, task);
-- sas_eh_defer_cmd(cmd);
-+ sas_eh_finish_cmd(cmd);
- continue;
- case TASK_IS_AT_LU:
- SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task);
-@@ -694,7 +687,7 @@ static void sas_eh_handle_sas_errors(str
- "recovered\n",
- SAS_ADDR(task->dev),
- cmd->device->lun);
-- sas_eh_defer_cmd(cmd);
-+ sas_eh_finish_cmd(cmd);
- sas_scsi_clear_queue_lu(work_q, cmd);
- goto Again;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: James Smart <jsmart2021@gmail.com>
-Date: Tue, 30 Jan 2018 15:58:45 -0800
-Subject: scsi: lpfc: Fix frequency of Release WQE CQEs
-
-From: James Smart <jsmart2021@gmail.com>
-
-[ Upstream commit 04673e38f56b30cd39b1fa0f386137d818b17781 ]
-
-The driver controls when the hardware sends completions that communicate
-consumption of elements from the WQ. This is done by setting a WQEC bit
-on a WQE.
-
-The current driver sets it on every Nth WQE posting. However, the driver
-isn't clearing the bit if the WQE is reused. Thus, if the queue depth
-isn't evenly divisible by N, with enough time, it can be set on every
-element, creating a lot of overhead and risking CQ full conditions.
-
-Correct by clearing the bit when not setting it on an Nth element.
-
-Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
-Signed-off-by: James Smart <james.smart@broadcom.com>
-Reviewed-by: Hannes Reinecke <hare@suse.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/lpfc/lpfc_sli.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/scsi/lpfc/lpfc_sli.c
-+++ b/drivers/scsi/lpfc/lpfc_sli.c
-@@ -115,6 +115,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, u
- /* set consumption flag every once in a while */
- if (!((q->host_index + 1) % q->entry_repost))
- bf_set(wqe_wqec, &wqe->generic.wqe_com, 1);
-+ else
-+ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0);
- if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED)
- bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id);
- lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: James Smart <jsmart2021@gmail.com>
-Date: Tue, 30 Jan 2018 15:58:55 -0800
-Subject: scsi: lpfc: Fix issue_lip if link is disabled
-
-From: James Smart <jsmart2021@gmail.com>
-
-[ Upstream commit 2289e9598dde9705400559ca2606fb8c145c34f0 ]
-
-The driver ignored checks on whether the link should be kept
-administratively down after a link bounce. Correct the checks.
-
-Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
-Signed-off-by: James Smart <james.smart@broadcom.com>
-Reviewed-by: Hannes Reinecke <hare@suse.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/lpfc/lpfc_attr.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/drivers/scsi/lpfc/lpfc_attr.c
-+++ b/drivers/scsi/lpfc/lpfc_attr.c
-@@ -629,7 +629,12 @@ lpfc_issue_lip(struct Scsi_Host *shost)
- LPFC_MBOXQ_t *pmboxq;
- int mbxstatus = MBXERR_ERROR;
-
-+ /*
-+ * If the link is offline, disabled or BLOCK_MGMT_IO
-+ * it doesn't make any sense to allow issue_lip
-+ */
- if ((vport->fc_flag & FC_OFFLINE_MODE) ||
-+ (phba->hba_flag & LINK_DISABLED) ||
- (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO))
- return -EPERM;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: James Smart <jsmart2021@gmail.com>
-Date: Tue, 30 Jan 2018 15:58:54 -0800
-Subject: scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
-
-From: James Smart <jsmart2021@gmail.com>
-
-[ Upstream commit 161df4f09987ae2e9f0f97f0b38eee298b4a39ff ]
-
-During link bounce testing in a point-to-point topology, the host may
-enter a soft lockup on the lpfc_worker thread:
-
- Call Trace:
- lpfc_work_done+0x1f3/0x1390 [lpfc]
- lpfc_do_work+0x16f/0x180 [lpfc]
- kthread+0xc7/0xe0
- ret_from_fork+0x3f/0x70
-
-The driver was simultaneously setting a combination of flags that caused
-lpfc_do_work()to effectively spin between slow path work and new event
-data, causing the lockup.
-
-Ensure in the typical wq completions, that new event data flags are set
-if the slow path flag is running. The slow path will eventually
-reschedule the wq handling.
-
-Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
-Signed-off-by: James Smart <james.smart@broadcom.com>
-Reviewed-by: Hannes Reinecke <hare@suse.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/drivers/scsi/lpfc/lpfc_hbadisc.c
-+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
-@@ -716,8 +716,9 @@ lpfc_work_done(struct lpfc_hba *phba)
- (phba->hba_flag & HBA_SP_QUEUE_EVT)) {
- if (pring->flag & LPFC_STOP_IOCB_EVENT) {
- pring->flag |= LPFC_DEFERRED_RING_EVENT;
-- /* Set the lpfc data pending flag */
-- set_bit(LPFC_DATA_READY, &phba->data_flags);
-+ /* Preserve legacy behavior. */
-+ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT))
-+ set_bit(LPFC_DATA_READY, &phba->data_flags);
- } else {
- if (phba->link_state >= LPFC_LINK_UP) {
- pring->flag &= ~LPFC_DEFERRED_RING_EVENT;
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Thu, 25 Jan 2018 17:27:27 +0300
-Subject: scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ]
-
-My static checker complains about an out of bounds read:
-
- drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo()
- error: buffer overflow 'hd->sel_timeout' 255 <= u32max.
-
-It's true that we probably should have a bounds check here.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/message/fusion/mptctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/message/fusion/mptctl.c
-+++ b/drivers/message/fusion/mptctl.c
-@@ -2694,6 +2694,8 @@ mptctl_hp_targetinfo(unsigned long arg)
- __FILE__, __LINE__, iocnum);
- return -ENODEV;
- }
-+ if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
-+ return -EINVAL;
- dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
- ioc->name));
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Bart Van Assche <bart.vanassche@wdc.com>
-Date: Thu, 25 Jan 2018 08:24:29 -0800
-Subject: scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion()
-
-From: Bart Van Assche <bart.vanassche@wdc.com>
-
-[ Upstream commit c02189e12ce3bf3808cb880569d3b10249f50bd9 ]
-
-A left shift must shift less than the bit width of the left argument.
-Avoid triggering undefined behavior if ha->mbx_count == 32.
-
-This patch avoids that UBSAN reports the following complaint:
-
-UBSAN: Undefined behaviour in drivers/scsi/qla2xxx/qla_isr.c:275:14
-shift exponent 32 is too large for 32-bit type 'int'
-Call Trace:
- dump_stack+0x4e/0x6c
- ubsan_epilogue+0xd/0x3b
- __ubsan_handle_shift_out_of_bounds+0x112/0x14c
- qla2x00_mbx_completion+0x1c5/0x25d [qla2xxx]
- qla2300_intr_handler+0x1ea/0x3bb [qla2xxx]
- qla2x00_mailbox_command+0x77b/0x139a [qla2xxx]
- qla2x00_mbx_reg_test+0x83/0x114 [qla2xxx]
- qla2x00_chip_diag+0x354/0x45f [qla2xxx]
- qla2x00_initialize_adapter+0x2c2/0xa4e [qla2xxx]
- qla2x00_probe_one+0x1681/0x392e [qla2xxx]
- pci_device_probe+0x10b/0x1f1
- driver_probe_device+0x21f/0x3a4
- __driver_attach+0xa9/0xe1
- bus_for_each_dev+0x6e/0xb5
- driver_attach+0x22/0x3c
- bus_add_driver+0x1d1/0x2ae
- driver_register+0x78/0x130
- __pci_register_driver+0x75/0xa8
- qla2x00_module_init+0x21b/0x267 [qla2xxx]
- do_one_initcall+0x5a/0x1e2
- do_init_module+0x9d/0x285
- load_module+0x20db/0x38e3
- SYSC_finit_module+0xa8/0xbc
- SyS_finit_module+0x9/0xb
- do_syscall_64+0x77/0x271
- entry_SYSCALL64_slow_path+0x25/0x25
-
-Reported-by: Meelis Roos <mroos@linux.ee>
-Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
-Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
-Reviewed-by: Laurence Oberman <loberman@redhat.com>
-Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/qla2xxx/qla_isr.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -268,7 +268,8 @@ qla2x00_mbx_completion(scsi_qla_host_t *
- struct device_reg_2xxx __iomem *reg = &ha->iobase->isp;
-
- /* Read all mbox registers? */
-- mboxes = (1 << ha->mbx_count) - 1;
-+ WARN_ON_ONCE(ha->mbx_count > 32);
-+ mboxes = (1ULL << ha->mbx_count) - 1;
- if (!ha->mcp)
- ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n");
- else
-@@ -2454,7 +2455,8 @@ qla24xx_mbx_completion(scsi_qla_host_t *
- struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
-
- /* Read all mbox registers? */
-- mboxes = (1 << ha->mbx_count) - 1;
-+ WARN_ON_ONCE(ha->mbx_count > 32);
-+ mboxes = (1ULL << ha->mbx_count) - 1;
- if (!ha->mcp)
- ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n");
- else
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Manish Rangankar <manish.rangankar@cavium.com>
-Date: Sun, 11 Feb 2018 22:48:41 -0800
-Subject: scsi: qla4xxx: skip error recovery in case of register disconnect.
-
-From: Manish Rangankar <manish.rangankar@cavium.com>
-
-[ Upstream commit 1bc5ad3a6acdcf56f83272f2de1cd2389ea9e9e2 ]
-
-A system crashes when continuously removing/re-adding the storage
-controller.
-
-Signed-off-by: Manish Rangankar <manish.rangankar@cavium.com>
-Reviewed-by: Ewan D. Milne <emilne@redhat.com>
-Reviewed-by: Tomas Henzl <thenzl@redhat.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/qla4xxx/ql4_def.h | 2 +
- drivers/scsi/qla4xxx/ql4_os.c | 46 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 48 insertions(+)
-
---- a/drivers/scsi/qla4xxx/ql4_def.h
-+++ b/drivers/scsi/qla4xxx/ql4_def.h
-@@ -167,6 +167,8 @@
- #define DEV_DB_NON_PERSISTENT 0
- #define DEV_DB_PERSISTENT 1
-
-+#define QL4_ISP_REG_DISCONNECT 0xffffffffU
-+
- #define COPY_ISID(dst_isid, src_isid) { \
- int i, j; \
- for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;) \
---- a/drivers/scsi/qla4xxx/ql4_os.c
-+++ b/drivers/scsi/qla4xxx/ql4_os.c
-@@ -268,6 +268,24 @@ static struct iscsi_transport qla4xxx_is
-
- static struct scsi_transport_template *qla4xxx_scsi_transport;
-
-+static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha)
-+{
-+ u32 reg_val = 0;
-+ int rval = QLA_SUCCESS;
-+
-+ if (is_qla8022(ha))
-+ reg_val = readl(&ha->qla4_82xx_reg->host_status);
-+ else if (is_qla8032(ha) || is_qla8042(ha))
-+ reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER);
-+ else
-+ reg_val = readw(&ha->reg->ctrl_status);
-+
-+ if (reg_val == QL4_ISP_REG_DISCONNECT)
-+ rval = QLA_ERROR;
-+
-+ return rval;
-+}
-+
- static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num,
- uint32_t iface_type, uint32_t payload_size,
- uint32_t pid, struct sockaddr *dst_addr)
-@@ -9230,10 +9248,17 @@ static int qla4xxx_eh_abort(struct scsi_
- struct srb *srb = NULL;
- int ret = SUCCESS;
- int wait = 0;
-+ int rval;
-
- ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n",
- ha->host_no, id, lun, cmd, cmd->cmnd[0]);
-
-+ rval = qla4xxx_isp_check_reg(ha);
-+ if (rval != QLA_SUCCESS) {
-+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
-+ return FAILED;
-+ }
-+
- spin_lock_irqsave(&ha->hardware_lock, flags);
- srb = (struct srb *) CMD_SP(cmd);
- if (!srb) {
-@@ -9285,6 +9310,7 @@ static int qla4xxx_eh_device_reset(struc
- struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
- struct ddb_entry *ddb_entry = cmd->device->hostdata;
- int ret = FAILED, stat;
-+ int rval;
-
- if (!ddb_entry)
- return ret;
-@@ -9304,6 +9330,12 @@ static int qla4xxx_eh_device_reset(struc
- cmd, jiffies, cmd->request->timeout / HZ,
- ha->dpc_flags, cmd->result, cmd->allowed));
-
-+ rval = qla4xxx_isp_check_reg(ha);
-+ if (rval != QLA_SUCCESS) {
-+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
-+ return FAILED;
-+ }
-+
- /* FIXME: wait for hba to go online */
- stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun);
- if (stat != QLA_SUCCESS) {
-@@ -9347,6 +9379,7 @@ static int qla4xxx_eh_target_reset(struc
- struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
- struct ddb_entry *ddb_entry = cmd->device->hostdata;
- int stat, ret;
-+ int rval;
-
- if (!ddb_entry)
- return FAILED;
-@@ -9364,6 +9397,12 @@ static int qla4xxx_eh_target_reset(struc
- ha->host_no, cmd, jiffies, cmd->request->timeout / HZ,
- ha->dpc_flags, cmd->result, cmd->allowed));
-
-+ rval = qla4xxx_isp_check_reg(ha);
-+ if (rval != QLA_SUCCESS) {
-+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
-+ return FAILED;
-+ }
-+
- stat = qla4xxx_reset_target(ha, ddb_entry);
- if (stat != QLA_SUCCESS) {
- starget_printk(KERN_INFO, scsi_target(cmd->device),
-@@ -9418,9 +9457,16 @@ static int qla4xxx_eh_host_reset(struct
- {
- int return_status = FAILED;
- struct scsi_qla_host *ha;
-+ int rval;
-
- ha = to_qla_host(cmd->device->host);
-
-+ rval = qla4xxx_isp_check_reg(ha);
-+ if (rval != QLA_SUCCESS) {
-+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
-+ return FAILED;
-+ }
-+
- if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba)
- qla4_83xx_set_idc_dontreset(ha);
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Jeremy Cline <jeremy@jcline.org>
-Date: Tue, 6 Mar 2018 21:47:32 +0000
-Subject: scsi: sd: Keep disk read-only when re-reading partition
-
-From: Jeremy Cline <jeremy@jcline.org>
-
-[ Upstream commit 20bd1d026aacc5399464f8328f305985c493cde3 ]
-
-If the read-only flag is true on a SCSI disk, re-reading the partition
-table sets the flag back to false.
-
-To observe this bug, you can run:
-
-1. blockdev --setro /dev/sda
-2. blockdev --rereadpt /dev/sda
-3. blockdev --getro /dev/sda
-
-This commit reads the disk's old state and combines it with the device
-disk-reported state rather than unconditionally marking it as RW.
-
-Reported-by: Li Ning <lining916740672@icloud.com>
-Signed-off-by: Jeremy Cline <jeremy@jcline.org>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/sd.c
-+++ b/drivers/scsi/sd.c
-@@ -2318,6 +2318,7 @@ sd_read_write_protect_flag(struct scsi_d
- int res;
- struct scsi_device *sdp = sdkp->device;
- struct scsi_mode_data data;
-+ int disk_ro = get_disk_ro(sdkp->disk);
- int old_wp = sdkp->write_prot;
-
- set_disk_ro(sdkp->disk, 0);
-@@ -2358,7 +2359,7 @@ sd_read_write_protect_flag(struct scsi_d
- "Test WP failed, assume Write Enabled\n");
- } else {
- sdkp->write_prot = ((data.device_specific & 0x80) != 0);
-- set_disk_ro(sdkp->disk, sdkp->write_prot);
-+ set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro);
- if (sdkp->first_scan || old_wp != sdkp->write_prot) {
- sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n",
- sdkp->write_prot ? "on" : "off");
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Thu, 25 Jan 2018 17:13:40 +0300
-Subject: scsi: sym53c8xx_2: iterator underflow in sym_getsync()
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit e6f791d95313c85f3dd4a26141e28e50ae9aa0ae ]
-
-We wanted to exit the loop with "div" set to zero, but instead, if we
-don't hit the break then "div" is -1 when we finish the loop. It leads
-to an array underflow a few lines later.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
-Acked-by: Matthew Wilcox <mawilcox@microsoft.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sym53c8xx_2/sym_hipd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/sym53c8xx_2/sym_hipd.c
-+++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c
-@@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char d
- * Look for the greatest clock divisor that allows an
- * input speed faster than the period.
- */
-- while (div-- > 0)
-+ while (--div > 0)
- if (kpc >= (div_10M[div] << 2)) break;
-
- /*
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Sujit Reddy Thumma <sthumma@codeaurora.org>
-Date: Wed, 24 Jan 2018 09:52:35 +0530
-Subject: scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
-
-From: Sujit Reddy Thumma <sthumma@codeaurora.org>
-
-[ Upstream commit 84af7e8b895088d89f246d6b0f82717fafdebf61 ]
-
-WRITE_SAME command is not supported by UFS. Enable a quirk for the upper
-level drivers to not send WRITE SAME command.
-
-[mkp: botched patch, applied by hand]
-
-Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
-Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
-Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/ufs/ufshcd.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/scsi/ufs/ufshcd.c
-+++ b/drivers/scsi/ufs/ufshcd.c
-@@ -2795,6 +2795,8 @@ static int ufshcd_slave_alloc(struct scs
- /* REPORT SUPPORTED OPERATION CODES is not supported */
- sdev->no_report_opcodes = 1;
-
-+ /* WRITE_SAME command is not supported */
-+ sdev->no_write_same = 1;
-
- ufshcd_set_queue_depth(sdev);
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Masami Hiramatsu <mhiramat@kernel.org>
-Date: Sat, 17 Mar 2018 21:40:31 +0900
-Subject: selftests: ftrace: Add a testcase for probepoint
-
-From: Masami Hiramatsu <mhiramat@kernel.org>
-
-[ Upstream commit dfa453bc90eca0febff33c8d292a656e53702158 ]
-
-Add a testcase for probe point definition. This tests
-symbol, address and symbol+offset syntax. The offset
-must be positive and smaller than UINT_MAX.
-
-Link: http://lkml.kernel.org/r/152129043097.31874.14273580606301767394.stgit@devbox
-
-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc | 43 +++++++++++++
- 1 file changed, 43 insertions(+)
- create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
-
---- /dev/null
-+++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
-@@ -0,0 +1,43 @@
-+#!/bin/sh
-+# SPDX-License-Identifier: GPL-2.0
-+# description: Kprobe events - probe points
-+
-+[ -f kprobe_events ] || exit_unsupported # this is configurable
-+
-+TARGET_FUNC=create_trace_kprobe
-+
-+dec_addr() { # hexaddr
-+ printf "%d" "0x"`echo $1 | tail -c 8`
-+}
-+
-+set_offs() { # prev target next
-+ A1=`dec_addr $1`
-+ A2=`dec_addr $2`
-+ A3=`dec_addr $3`
-+ TARGET="0x$2" # an address
-+ PREV=`expr $A1 - $A2` # offset to previous symbol
-+ NEXT=+`expr $A3 - $A2` # offset to next symbol
-+ OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol
-+}
-+
-+# We have to decode symbol addresses to get correct offsets.
-+# If the offset is not an instruction boundary, it cause -EILSEQ.
-+set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs`
-+
-+UINT_TEST=no
-+# printf "%x" -1 returns (unsigned long)-1.
-+if [ `printf "%x" -1 | wc -c` != 9 ]; then
-+ UINT_TEST=yes
-+fi
-+
-+echo 0 > events/enable
-+echo > kprobe_events
-+echo "p:testprobe ${TARGET_FUNC}" > kprobe_events
-+echo "p:testprobe ${TARGET}" > kprobe_events
-+echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events
-+! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events
-+if [ "${UINT_TEST}" = yes ]; then
-+! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events
-+fi
-+echo > kprobe_events
-+clear_trace
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Masami Hiramatsu <mhiramat@kernel.org>
-Date: Sat, 17 Mar 2018 21:39:44 +0900
-Subject: selftests: ftrace: Add a testcase for string type with kprobe_event
-
-From: Masami Hiramatsu <mhiramat@kernel.org>
-
-[ Upstream commit 5fbdbed797b6d12d043a5121fdbc8d8b49d10e80 ]
-
-Add a testcase for string type with kprobe event.
-This tests good/bad syntax combinations and also
-the traced data is correct in several way.
-
-Link: http://lkml.kernel.org/r/152129038381.31874.9201387794548737554.stgit@devbox
-
-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 46 ++++++++++
- 1 file changed, 46 insertions(+)
- create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
-
---- /dev/null
-+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
-@@ -0,0 +1,46 @@
-+#!/bin/sh
-+# SPDX-License-Identifier: GPL-2.0
-+# description: Kprobe event string type argument
-+
-+[ -f kprobe_events ] || exit_unsupported # this is configurable
-+
-+echo 0 > events/enable
-+echo > kprobe_events
-+
-+case `uname -m` in
-+x86_64)
-+ ARG2=%si
-+ OFFS=8
-+;;
-+i[3456]86)
-+ ARG2=%cx
-+ OFFS=4
-+;;
-+aarch64)
-+ ARG2=%x1
-+ OFFS=8
-+;;
-+arm*)
-+ ARG2=%r1
-+ OFFS=4
-+;;
-+*)
-+ echo "Please implement other architecture here"
-+ exit_untested
-+esac
-+
-+: "Test get argument (1)"
-+echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events
-+echo 1 > events/kprobes/testprobe/enable
-+! echo test >> kprobe_events
-+tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\""
-+
-+echo 0 > events/kprobes/testprobe/enable
-+: "Test get argument (2)"
-+echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events
-+echo 1 > events/kprobes/testprobe/enable
-+! echo test1 test2 >> kprobe_events
-+tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\""
-+
-+echo 0 > events/enable
-+echo > kprobe_events
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Masami Hiramatsu <mhiramat@kernel.org>
-Date: Sat, 17 Mar 2018 21:38:56 +0900
-Subject: selftests: ftrace: Add probe event argument syntax testcase
-
-From: Masami Hiramatsu <mhiramat@kernel.org>
-
-[ Upstream commit 871bef2000968c312a4000b2f56d370dcedbc93c ]
-
-Add a testcase for probe event argument syntax which
-ensures the kprobe_events interface correctly parses
-given event arguments.
-
-Link: http://lkml.kernel.org/r/152129033679.31874.12705519603869152799.stgit@devbox
-
-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 97 ++++++++++
- 1 file changed, 97 insertions(+)
- create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
-
---- /dev/null
-+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
-@@ -0,0 +1,97 @@
-+#!/bin/sh
-+# SPDX-License-Identifier: GPL-2.0
-+# description: Kprobe event argument syntax
-+
-+[ -f kprobe_events ] || exit_unsupported # this is configurable
-+
-+grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue
-+
-+echo 0 > events/enable
-+echo > kprobe_events
-+
-+PROBEFUNC="vfs_read"
-+GOODREG=
-+BADREG=
-+GOODSYM="_sdata"
-+if ! grep -qw ${GOODSYM} /proc/kallsyms ; then
-+ GOODSYM=$PROBEFUNC
-+fi
-+BADSYM="deaqswdefr"
-+SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "`
-+GOODTYPE="x16"
-+BADTYPE="y16"
-+
-+case `uname -m` in
-+x86_64|i[3456]86)
-+ GOODREG=%ax
-+ BADREG=%ex
-+;;
-+aarch64)
-+ GOODREG=%x0
-+ BADREG=%ax
-+;;
-+arm*)
-+ GOODREG=%r0
-+ BADREG=%ax
-+;;
-+esac
-+
-+test_goodarg() # Good-args
-+{
-+ while [ "$1" ]; do
-+ echo "p ${PROBEFUNC} $1" > kprobe_events
-+ shift 1
-+ done;
-+}
-+
-+test_badarg() # Bad-args
-+{
-+ while [ "$1" ]; do
-+ ! echo "p ${PROBEFUNC} $1" > kprobe_events
-+ shift 1
-+ done;
-+}
-+
-+echo > kprobe_events
-+
-+: "Register access"
-+test_goodarg ${GOODREG}
-+test_badarg ${BADREG}
-+
-+: "Symbol access"
-+test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10"
-+test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \
-+ "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10"
-+
-+: "Stack access"
-+test_goodarg "\$stack" "\$stack0" "\$stack1"
-+test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
-+
-+: "Retval access"
-+echo "r ${PROBEFUNC} \$retval" > kprobe_events
-+! echo "p ${PROBEFUNC} \$retval" > kprobe_events
-+
-+: "Comm access"
-+test_goodarg "\$comm"
-+
-+: "Indirect memory access"
-+test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
-+ "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))"
-+test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \
-+ "+10(\$comm)" "+0(${GOODREG})+10"
-+
-+: "Name assignment"
-+test_goodarg "varname=${GOODREG}"
-+test_badarg "varname=varname2=${GOODREG}"
-+
-+: "Type syntax"
-+test_goodarg "${GOODREG}:${GOODTYPE}"
-+test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \
-+ "${GOODTYPE}:${GOODREG}"
-+
-+: "Combination check"
-+
-+test_goodarg "\$comm:string" "+0(\$stack):string"
-+test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string"
-+
-+echo > kprobe_events
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Anders Roxell <anders.roxell@linaro.org>
-Date: Tue, 6 Feb 2018 16:20:44 -0600
-Subject: selftests: memfd: add config fragment for fuse
-
-From: Anders Roxell <anders.roxell@linaro.org>
-
-[ Upstream commit 9a606f8d55cfc932ec02172aaed4124fdc150047 ]
-
-The memfd test requires to insert the fuse module (CONFIG_FUSE_FS).
-
-Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
-Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
-Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/testing/selftests/memfd/config | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 tools/testing/selftests/memfd/config
-
---- /dev/null
-+++ b/tools/testing/selftests/memfd/config
-@@ -0,0 +1 @@
-+CONFIG_FUSE_FS=m
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-Date: Fri, 23 Feb 2018 14:38:29 +0100
-Subject: serial: arc_uart: Fix out-of-bounds access through DT alias
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ]
-
-The arc_uart_ports[] array is indexed using a value derived from the
-"serialN" alias in DT, which may lead to an out-of-bounds access.
-
-Fix this by adding a range check.
-
-Note that the array size is defined by a Kconfig symbol
-(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a
-legitimate DTB.
-
-Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing")
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/arc_uart.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/drivers/tty/serial/arc_uart.c
-+++ b/drivers/tty/serial/arc_uart.c
-@@ -597,6 +597,11 @@ static int arc_serial_probe(struct platf
- if (dev_id < 0)
- dev_id = 0;
-
-+ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
-+ dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
-+ return -EINVAL;
-+ }
-+
- uart = &arc_uart_ports[dev_id];
- port = &uart->port;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-Date: Fri, 23 Feb 2018 14:38:30 +0100
-Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ]
-
-The lpuart_ports[] array is indexed using a value derived from the
-"serialN" alias in DT, which may lead to an out-of-bounds access.
-
-Fix this by adding a range check.
-
-Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support")
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/fsl_lpuart.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/tty/serial/fsl_lpuart.c
-+++ b/drivers/tty/serial/fsl_lpuart.c
-@@ -1791,6 +1791,10 @@ static int lpuart_probe(struct platform_
- dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
- return ret;
- }
-+ if (ret >= ARRAY_SIZE(lpuart_ports)) {
-+ dev_err(&pdev->dev, "serial%d out of range\n", ret);
-+ return -EINVAL;
-+ }
- sport->port.line = ret;
- sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart");
- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-Date: Fri, 23 Feb 2018 14:38:31 +0100
-Subject: serial: imx: Fix out-of-bounds access through serial port index
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ]
-
-The imx_ports[] array is indexed using a value derived from the
-"serialN" alias in DT, or from platform data, which may lead to an
-out-of-bounds access.
-
-Fix this by adding a range check.
-
-Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back")
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/imx.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/tty/serial/imx.c
-+++ b/drivers/tty/serial/imx.c
-@@ -1899,6 +1899,12 @@ static int serial_imx_probe(struct platf
- else if (ret < 0)
- return ret;
-
-+ if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
-+ dev_err(&pdev->dev, "serial%d out of range\n",
-+ sport->port.line);
-+ return -EINVAL;
-+ }
-+
- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- base = devm_ioremap_resource(&pdev->dev, res);
- if (IS_ERR(base))
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-Date: Fri, 23 Feb 2018 14:38:34 +0100
-Subject: serial: samsung: Fix out-of-bounds access through serial port index
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ]
-
-The s3c24xx_serial_ports[] array is indexed using a value derived from
-the "serialN" alias in DT, or from an incrementing probe index, which
-may lead to an out-of-bounds access.
-
-Fix this by adding a range check.
-
-Note that the array size is defined by a Kconfig symbol
-(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using
-a legitimate DTB or legitimate board code.
-
-Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports")
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/samsung.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/tty/serial/samsung.c
-+++ b/drivers/tty/serial/samsung.c
-@@ -1288,6 +1288,10 @@ static int s3c24xx_serial_probe(struct p
-
- dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
-
-+ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
-+ dev_err(&pdev->dev, "serial%d out of range\n", index);
-+ return -EINVAL;
-+ }
- ourport = &s3c24xx_serial_ports[index];
-
- ourport->drv_data = s3c24xx_get_driver_data(pdev);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-Date: Fri, 23 Feb 2018 14:38:37 +0100
-Subject: serial: xuartps: Fix out-of-bounds access through DT alias
-
-From: Geert Uytterhoeven <geert+renesas@glider.be>
-
-[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ]
-
-The cdns_uart_port[] array is indexed using a value derived from the
-"serialN" alias in DT, which may lead to an out-of-bounds access.
-
-Fix this by adding a range check.
-
-Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases")
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Reviewed-by: Michal Simek <michal.simek@xilinx.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/xilinx_uartps.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/tty/serial/xilinx_uartps.c
-+++ b/drivers/tty/serial/xilinx_uartps.c
-@@ -1001,7 +1001,7 @@ static struct uart_port *cdns_uart_get_p
- struct uart_port *port;
-
- /* Try the given port id if failed use default method */
-- if (cdns_uart_port[id].mapbase != 0) {
-+ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
- /* Find the next unused port */
- for (id = 0; id < CDNS_UART_NR_PORTS; id++)
- if (cdns_uart_port[id].mapbase == 0)
-perf-core-fix-the-perf_cpu_time_max_percent-check.patch
-firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch
-asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch
-kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch
-tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch
-pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch
-tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch
-dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch
-nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch
-watchdog-sp5100_tco-fix-watchdog-disable-bit.patch
-kconfig-don-t-leak-main-menus-during-parsing.patch
-kconfig-fix-automatic-menu-creation-mem-leak.patch
-kconfig-fix-expr_free-e_not-leak.patch
-btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch
-scsi-fas216-fix-sense-buffer-initialization.patch
-hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch
-jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch
-rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch
-ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch
-ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch
-mm-mempolicy-fix-the-check-of-nodemask-from-user.patch
-mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch
-asm-generic-provide-generic_pmdp_establish.patch
-mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch
-ib-ipoib-fix-for-potential-no-carrier-state.patch
-x86-power-fix-swsusp_arch_resume-prototype.patch
-firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch
-acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch
-mips-txx9-use-is_builtin-for-config_leds_class.patch
-xen-grant-table-use-put_page-instead-of-free_page.patch
-proc-fix-proc-map_files-lookup.patch
-cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch
-bcache-properly-set-task-state-in-bch_writeback_thread.patch
-bcache-fix-for-allocator-and-register-thread-race.patch
-bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch
-bcache-return-attach-error-when-no-cache-set-exist.patch
-irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch
-scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch
-scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch
-scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch
-scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch
-scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch
-usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch
-usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch
-selftests-memfd-add-config-fragment-for-fuse.patch
-scsi-aacraid-fix-shutdown-crash-when-init-fails.patch
-scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch
-arm-omap3-fix-prm-wake-interrupt-for-resume.patch
-arm-omap1-clock-fix-debugfs_create_-usage.patch
-nfc-llcp-limit-size-of-sdp-uri.patch
-mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch
-md-raid10-fix-null-deference-in-handle_write_completed.patch
-drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch
-drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch
-locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch
-kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch
-s390-cio-fix-return-code-after-missing-interrupt.patch
-s390-cio-clear-timer-when-terminating-driver-i-o.patch
-arm-omap-fix-dmtimer-init-for-omap1.patch
-smsc75xx-fix-smsc75xx_set_features.patch
-regulatory-add-nul-to-request-alpha2.patch
-locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch
-x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch
-media-dmxdev-fix-error-code-for-invalid-ioctls.patch
percpu-include-linux-sched.h-for-cond_resched.patch
-percpu-add-a-schedule-point-in-pcpu_balance_workfn.patch
-md-raid1-fix-null-pointer-dereference.patch
-batman-adv-fix-packet-checksum-in-receive-path.patch
-batman-adv-invalidate-checksum-on-fragment-reassembly.patch
-netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
-clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch
-r8152-fix-tx-packets-accounting.patch
-bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch
-sit-fix-ifla_mtu-ignored-on-newlink.patch
-net-tcp-illinois-replace-broken-algorithm-reference-link.patch
-xen-pirq-fix-error-path-cleanup-when-binding-msis.patch
-btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch
-watchdog-f71808e_wdt-fix-magic-close-handling.patch
-e1000e-fix-check_for_link-return-value-with-autoneg-off.patch
-e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch
-usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch
-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch
-fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch
-xen-xenbus-use-put_device-instead-of-kfree.patch
-usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch
-netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch
-scsi-libsas-defer-ata-device-eh-commands-to-libata.patch
-microblaze-switch-to-no_bootmem.patch
-net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch
-batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch
-vti4-don-t-count-header-length-twice-on-tunnel-setup.patch
-vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch
-mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch
-selftests-ftrace-add-probe-event-argument-syntax-testcase.patch
-selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch
-selftests-ftrace-add-a-testcase-for-probepoint.patch
-batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch
-batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch
-net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch
-net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch
-llc-properly-handle-dev_queue_xmit-return-value.patch
-mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch
-net-fix-untag-for-vlan-packets-without-ethernet-header.patch
-net-mvneta-fix-enable-of-all-initialized-rxqs.patch
-sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch
-x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch
-fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch
-swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch
-sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch
-force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch
-tracing-uprobe_event-fix-strncpy-corner-case.patch
-scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch
-dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch
-soreuseport-initialise-timewait-reuseport-field.patch
-mm-ksm-fix-interaction-with-thp.patch
-mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch
-btrfs-bail-out-on-error-during-replay_dir_deletes.patch
-btrfs-fix-null-pointer-dereference-in-log_dir_items.patch
-btrfs-fix-possible-softlock-on-single-core-machines.patch
-sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch
-kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch
-sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch
-btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch
-btrfs-fix-copy_items-return-value-when-logging-an-inode.patch
-btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch
-xen-acpi-off-by-one-in-read_acpi_id.patch
-acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch
-powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch
-m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch
-parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch
-hwmon-nct6775-fix-writing-pwmx_mode.patch
-powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch
-powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch
-tools-thermal-tmon-fix-for-segfault.patch
-net-mlx5-protect-from-command-bit-overflow.patch
-ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch
-ima-fallback-to-the-builtin-hash-algorithm.patch
-virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch
-arm-dts-socfpga-fix-gic-ppi-warning.patch
-usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
-zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch
-bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch
-acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch
-acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch
-i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch
-xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
-mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch
-pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch
-usb-dwc2-fix-interval-type-issue.patch
-usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch
-powerpc-add-missing-prototype-for-arch_irq_work_raise.patch
-powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch
-perf-core-fix-perf_output_read_group.patch
-hwmon-pmbus-max8688-accept-negative-page-register-values.patch
-hwmon-pmbus-adm1275-accept-negative-page-register-values.patch
-cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch
-usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
-usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch
-alsa-vmaster-propagate-slave-error.patch
-media-cx23885-override-888-impactvcbe-crystal-frequency.patch
-media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch
-media-s3c-camif-fix-out-of-bounds-array-access.patch
-dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch
-media-em28xx-usb-bulk-packet-size-fix.patch
-staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
-rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch
-serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
-serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
-serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
-serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
-serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
-pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch
-udf-provide-saner-default-for-invalid-uid-gid.patch
-media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
-clk-samsung-s3c2410-fix-pll-rates.patch
-clk-samsung-exynos5260-fix-pll-rates.patch
-clk-samsung-exynos5250-fix-pll-rates.patch
-clk-samsung-exynos3250-fix-pll-rates.patch
-audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch
-netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch
-scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch
-scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch
-scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch
-regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch
-kdb-make-mdr-command-repeat.patch
+perf-core-fix-the-perf_cpu_time_max_percent-check.patch
perf-session-fix-undeclared-oe.patch
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Rich Felker <dalias@libc.org>
-Date: Thu, 15 Mar 2018 20:01:36 -0400
-Subject: sh: fix debug trap failure to process signals before return to user
-
-From: Rich Felker <dalias@libc.org>
-
-[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ]
-
-When responding to a debug trap (breakpoint) in userspace, the
-kernel's trap handler raised SIGTRAP but returned from the trap via a
-code path that ignored pending signals, resulting in an infinite loop
-re-executing the trapping instruction.
-
-Signed-off-by: Rich Felker <dalias@libc.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/sh/kernel/entry-common.S | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/sh/kernel/entry-common.S
-+++ b/arch/sh/kernel/entry-common.S
-@@ -255,7 +255,7 @@ debug_trap:
- mov.l @r8, r8
- jsr @r8
- nop
-- bra __restore_all
-+ bra ret_from_exception
- nop
- CFI_ENDPROC
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Xin Long <lucien.xin@gmail.com>
-Date: Tue, 27 Feb 2018 19:19:41 +0800
-Subject: sit: fix IFLA_MTU ignored on NEWLINK
-
-From: Xin Long <lucien.xin@gmail.com>
-
-[ Upstream commit 2b3957c34b6d7f03544b12ebbf875eee430745db ]
-
-Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len
-correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same
-mtu fix is also needed for sit.
-
-Note that dev->hard_header_len setting for sit works fine, no need to
-fix it. sit is actually ipv4 tunnel, it can't call ip6_tnl_change_mtu
-to set mtu.
-
-Reported-by: Jianlin Shi <jishi@redhat.com>
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv6/sit.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/net/ipv6/sit.c
-+++ b/net/ipv6/sit.c
-@@ -1572,6 +1572,13 @@ static int ipip6_newlink(struct net *src
- if (err < 0)
- return err;
-
-+ if (tb[IFLA_MTU]) {
-+ u32 mtu = nla_get_u32(tb[IFLA_MTU]);
-+
-+ if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)
-+ dev->mtu = mtu;
-+ }
-+
- #ifdef CONFIG_IPV6_SIT_6RD
- if (ipip6_netlink_6rd_parms(data, &ip6rd))
- err = ipip6_tunnel_update_6rd(nt, &ip6rd);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 20 Feb 2018 21:42:26 -0800
-Subject: smsc75xx: fix smsc75xx_set_features()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 88e80c62671ceecdbb77c902731ec95a4bfa62f9 ]
-
-If an attempt is made to disable RX checksums, USB adapter is changed
-but netdev->features is not, because smsc75xx_set_features() returns a
-non zero value.
-
-This throws errors from netdev_rx_csum_fault() :
-<devname>: hw csum failure
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Steve Glendinning <steve.glendinning@shawell.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/smsc75xx.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/drivers/net/usb/smsc75xx.c
-+++ b/drivers/net/usb/smsc75xx.c
-@@ -945,10 +945,11 @@ static int smsc75xx_set_features(struct
- /* it's racing here! */
-
- ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl);
-- if (ret < 0)
-+ if (ret < 0) {
- netdev_warn(dev->net, "Error writing RFE_CTL\n");
--
-- return ret;
-+ return ret;
-+ }
-+ return 0;
- }
-
- static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm)
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 7 Apr 2018 13:42:43 -0700
-Subject: soreuseport: initialise timewait reuseport field
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 3099a52918937ab86ec47038ad80d377ba16c531 ]
-
-syzbot reported an uninit-value in inet_csk_bind_conflict() [1]
-
-It turns out we never propagated sk->sk_reuseport into timewait socket.
-
-[1]
-BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
-CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-Call Trace:
- __dump_stack lib/dump_stack.c:17 [inline]
- dump_stack+0x185/0x1d0 lib/dump_stack.c:53
- kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
- __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
- inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151
- inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320
- inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399
- SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
- SyS_bind+0x54/0x80 net/socket.c:1460
- do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
- entry_SYSCALL_64_after_hwframe+0x3d/0xa2
-RIP: 0033:0x4416e9
-RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031
-RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9
-RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004
-RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08
-R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478
-R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000
-
-Uninit was stored to memory at:
- kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
- kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
- kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
- __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
- tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283
- tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
- tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
- sk_backlog_rcv include/net/sock.h:908 [inline]
- __release_sock+0x2d6/0x680 net/core/sock.c:2271
- release_sock+0x97/0x2a0 net/core/sock.c:2786
- tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
- inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
- inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
- sock_release net/socket.c:595 [inline]
- sock_close+0xe0/0x300 net/socket.c:1149
- __fput+0x49e/0xa10 fs/file_table.c:209
- ____fput+0x37/0x40 fs/file_table.c:243
- task_work_run+0x243/0x2c0 kernel/task_work.c:113
- exit_task_work include/linux/task_work.h:22 [inline]
- do_exit+0x10e1/0x38d0 kernel/exit.c:867
- do_group_exit+0x1a0/0x360 kernel/exit.c:970
- SYSC_exit_group+0x21/0x30 kernel/exit.c:981
- SyS_exit_group+0x25/0x30 kernel/exit.c:979
- do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
- entry_SYSCALL_64_after_hwframe+0x3d/0xa2
-Uninit was stored to memory at:
- kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
- kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
- kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
- __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
- inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182
- tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
- tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
- tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
- sk_backlog_rcv include/net/sock.h:908 [inline]
- __release_sock+0x2d6/0x680 net/core/sock.c:2271
- release_sock+0x97/0x2a0 net/core/sock.c:2786
- tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
- inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
- inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
- sock_release net/socket.c:595 [inline]
- sock_close+0xe0/0x300 net/socket.c:1149
- __fput+0x49e/0xa10 fs/file_table.c:209
- ____fput+0x37/0x40 fs/file_table.c:243
- task_work_run+0x243/0x2c0 kernel/task_work.c:113
- exit_task_work include/linux/task_work.h:22 [inline]
- do_exit+0x10e1/0x38d0 kernel/exit.c:867
- do_group_exit+0x1a0/0x360 kernel/exit.c:970
- SYSC_exit_group+0x21/0x30 kernel/exit.c:981
- SyS_exit_group+0x25/0x30 kernel/exit.c:979
- do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
- entry_SYSCALL_64_after_hwframe+0x3d/0xa2
-Uninit was created at:
- kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
- kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
- kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
- kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
- inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163
- tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258
- tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003
- tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331
- sk_backlog_rcv include/net/sock.h:908 [inline]
- __release_sock+0x2d6/0x680 net/core/sock.c:2271
- release_sock+0x97/0x2a0 net/core/sock.c:2786
- tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269
- inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427
- inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435
- sock_release net/socket.c:595 [inline]
- sock_close+0xe0/0x300 net/socket.c:1149
- __fput+0x49e/0xa10 fs/file_table.c:209
- ____fput+0x37/0x40 fs/file_table.c:243
- task_work_run+0x243/0x2c0 kernel/task_work.c:113
- exit_task_work include/linux/task_work.h:22 [inline]
- do_exit+0x10e1/0x38d0 kernel/exit.c:867
- do_group_exit+0x1a0/0x360 kernel/exit.c:970
- SYSC_exit_group+0x21/0x30 kernel/exit.c:981
- SyS_exit_group+0x25/0x30 kernel/exit.c:979
- do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
- entry_SYSCALL_64_after_hwframe+0x3d/0xa2
-
-Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/inet_timewait_sock.h | 1 +
- net/ipv4/inet_timewait_sock.c | 1 +
- 2 files changed, 2 insertions(+)
-
---- a/include/net/inet_timewait_sock.h
-+++ b/include/net/inet_timewait_sock.h
-@@ -108,6 +108,7 @@ struct inet_timewait_sock {
- #define tw_family __tw_common.skc_family
- #define tw_state __tw_common.skc_state
- #define tw_reuse __tw_common.skc_reuse
-+#define tw_reuseport __tw_common.skc_reuseport
- #define tw_ipv6only __tw_common.skc_ipv6only
- #define tw_bound_dev_if __tw_common.skc_bound_dev_if
- #define tw_node __tw_common.skc_nulls_node
---- a/net/ipv4/inet_timewait_sock.c
-+++ b/net/ipv4/inet_timewait_sock.c
-@@ -191,6 +191,7 @@ struct inet_timewait_sock *inet_twsk_all
- tw->tw_dport = inet->inet_dport;
- tw->tw_family = sk->sk_family;
- tw->tw_reuse = sk->sk_reuse;
-+ tw->tw_reuseport = sk->sk_reuseport;
- tw->tw_hash = sk->sk_hash;
- tw->tw_ipv6only = 0;
- tw->tw_transparent = inet->transparent;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: "David S. Miller" <davem@davemloft.net>
-Date: Tue, 3 Apr 2018 08:24:35 -0700
-Subject: sparc64: Make atomic_xchg() an inline function rather than a macro.
-
-From: "David S. Miller" <davem@davemloft.net>
-
-[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ]
-
-This avoids a lot of -Wunused warnings such as:
-
-====================
-kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’:
-./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value]
- #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
-
-./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’
- #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
- ^~~~
-kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’
- atomic_xchg(&kgdb_active, cpu);
- ^~~~~~~~~~~
-====================
-
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/sparc/include/asm/atomic_64.h | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/arch/sparc/include/asm/atomic_64.h
-+++ b/arch/sparc/include/asm/atomic_64.h
-@@ -70,7 +70,11 @@ ATOMIC_OPS(sub)
- #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
-
- #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
--#define atomic_xchg(v, new) (xchg(&((v)->counter), new))
-+
-+static inline int atomic_xchg(atomic_t *v, int new)
-+{
-+ return xchg(&v->counter, new);
-+}
-
- static inline int __atomic_add_unless(atomic_t *v, int a, int u)
- {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Jens Axboe <axboe@kernel.dk>
-Date: Wed, 11 Apr 2018 11:26:09 -0600
-Subject: sr: get/drop reference to device in revalidate and check_events
-
-From: Jens Axboe <axboe@kernel.dk>
-
-[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ]
-
-We can't just use scsi_cd() to get the scsi_cd structure, we have
-to grab a live reference to the device. For both callbacks, we're
-not inside an open where we already hold a reference to the device.
-
-This fixes device removal/addition under concurrent device access,
-which otherwise could result in the below oops.
-
-NULL pointer dereference at 0000000000000010
-PGD 0 P4D 0
-Oops: 0000 [#1] PREEMPT SMP
-Modules linked in:
-sr 12:0:0:0: [sr2] scsi-1 drive
- scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl
-sr 12:0:0:0: Attached scsi CD-ROM sr2
- sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc
-sr 12:0:0:0: Attached scsi generic sg7 type 5
- igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif]
-CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650
-Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016
-RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod]
-RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292
-RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66
-RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000
-RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000
-R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d
-R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000
-FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- ? __invalidate_device+0x48/0x60
- check_disk_change+0x4c/0x60
- sr_block_open+0x16/0xd0 [sr_mod]
- __blkdev_get+0xb9/0x450
- ? iget5_locked+0x1c0/0x1e0
- blkdev_get+0x11e/0x320
- ? bdget+0x11d/0x150
- ? _raw_spin_unlock+0xa/0x20
- ? bd_acquire+0xc0/0xc0
- do_dentry_open+0x1b0/0x320
- ? inode_permission+0x24/0xc0
- path_openat+0x4e6/0x1420
- ? cpumask_any_but+0x1f/0x40
- ? flush_tlb_mm_range+0xa0/0x120
- do_filp_open+0x8c/0xf0
- ? __seccomp_filter+0x28/0x230
- ? _raw_spin_unlock+0xa/0x20
- ? __handle_mm_fault+0x7d6/0x9b0
- ? list_lru_add+0xa8/0xc0
- ? _raw_spin_unlock+0xa/0x20
- ? __alloc_fd+0xaf/0x160
- ? do_sys_open+0x1a6/0x230
- do_sys_open+0x1a6/0x230
- do_syscall_64+0x5a/0x100
- entry_SYSCALL_64_after_hwframe+0x3d/0xa2
-
-Reviewed-by: Lee Duncan <lduncan@suse.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/sr.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
---- a/drivers/scsi/sr.c
-+++ b/drivers/scsi/sr.c
-@@ -587,18 +587,28 @@ out:
- static unsigned int sr_block_check_events(struct gendisk *disk,
- unsigned int clearing)
- {
-- struct scsi_cd *cd = scsi_cd(disk);
-+ unsigned int ret = 0;
-+ struct scsi_cd *cd;
-
-- if (atomic_read(&cd->device->disk_events_disable_depth))
-+ cd = scsi_cd_get(disk);
-+ if (!cd)
- return 0;
-
-- return cdrom_check_events(&cd->cdi, clearing);
-+ if (!atomic_read(&cd->device->disk_events_disable_depth))
-+ ret = cdrom_check_events(&cd->cdi, clearing);
-+
-+ scsi_cd_put(cd);
-+ return ret;
- }
-
- static int sr_block_revalidate_disk(struct gendisk *disk)
- {
-- struct scsi_cd *cd = scsi_cd(disk);
- struct scsi_sense_hdr sshdr;
-+ struct scsi_cd *cd;
-+
-+ cd = scsi_cd_get(disk);
-+ if (!cd)
-+ return -ENXIO;
-
- /* if the unit is not ready, nothing more to do */
- if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr))
-@@ -607,6 +617,7 @@ static int sr_block_revalidate_disk(stru
- sr_cd_check(&cd->cdi);
- get_sectorsize(cd);
- out:
-+ scsi_cd_put(cd);
- return 0;
- }
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Colin Ian King <colin.king@canonical.com>
-Date: Wed, 28 Feb 2018 11:28:49 +0000
-Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
-
-From: Colin Ian King <colin.king@canonical.com>
-
-[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ]
-
-Currently the allocation of priv->oldaddr is not null checked which will
-lead to subsequent errors when accessing priv->oldaddr. Fix this with
-a null pointer check and a return of -ENOMEM on allocation failure.
-
-Detected with Coccinelle:
-drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test,
-possible model on line 1723
-
-Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
-Signed-off-by: Colin Ian King <colin.king@canonical.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/staging/rtl8192u/r8192U_core.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/staging/rtl8192u/r8192U_core.c
-+++ b/drivers/staging/rtl8192u/r8192U_core.c
-@@ -1682,6 +1682,8 @@ static short rtl8192_usb_initendpoints(s
-
- priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
- priv->oldaddr = kmalloc(16, GFP_KERNEL);
-+ if (!priv->oldaddr)
-+ return -ENOMEM;
- oldaddr = priv->oldaddr;
- align = ((long)oldaddr) & 3;
- if (align) {
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Tom Abraham <tabraham@suse.com>
-Date: Tue, 10 Apr 2018 16:29:48 -0700
-Subject: swap: divide-by-zero when zero length swap file on ssd
-
-From: Tom Abraham <tabraham@suse.com>
-
-[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ]
-
-Calling swapon() on a zero length swap file on SSD can lead to a
-divide-by-zero.
-
-Although creating such files isn't possible with mkswap and they woud be
-considered invalid, it would be better for the swapon code to be more
-robust and handle this condition gracefully (return -EINVAL).
-Especially since the fix is small and straightforward.
-
-To help with wear leveling on SSD, the swapon syscall calculates a
-random position in the swap file using modulo p->highest_bit, which is
-set to maxpages - 1 in read_swap_header.
-
-If the swap file is zero length, read_swap_header sets maxpages=1 and
-last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we
-modulo p->highest_bit in swapon syscall.
-
-This can be prevented by having read_swap_header return zero if
-last_page is zero.
-
-Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com
-Signed-off-by: Thomas Abraham <tabraham@suse.com>
-Reported-by: <Mark.Landis@Teradata.com>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: Randy Dunlap <rdunlap@infradead.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/swapfile.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/mm/swapfile.c
-+++ b/mm/swapfile.c
-@@ -2217,6 +2217,10 @@ static unsigned long read_swap_header(st
- maxpages = swp_offset(pte_to_swp_entry(
- swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
- last_page = swap_header->info.last_page;
-+ if (!last_page) {
-+ pr_warn("Empty swap-file\n");
-+ return 0;
-+ }
- if (last_page > maxpages) {
- pr_warn("Truncating oversized swap area, only using %luk out of %luk\n",
- maxpages << (PAGE_SHIFT - 10),
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
-Date: Thu, 11 Jan 2018 19:47:51 -0500
-Subject: tools lib traceevent: Fix get_field_str() for dynamic strings
-
-From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
-
-[ Upstream commit d777f8de99b05d399c0e4e51cdce016f26bd971b ]
-
-If a field is a dynamic string, get_field_str() returned just the
-offset/size value and not the string. Have it parse the offset/size
-correctly to return the actual string. Otherwise filtering fails when
-trying to filter fields that are dynamic strings.
-
-Reported-by: Gopanapalli Pradeep <prap_hai@yahoo.com>
-Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-Acked-by: Namhyung Kim <namhyung@kernel.org>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Link: http://lkml.kernel.org/r/20180112004823.146333275@goodmis.org
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/lib/traceevent/parse-filter.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
---- a/tools/lib/traceevent/parse-filter.c
-+++ b/tools/lib/traceevent/parse-filter.c
-@@ -1867,17 +1867,25 @@ static const char *get_field_str(struct
- struct pevent *pevent;
- unsigned long long addr;
- const char *val = NULL;
-+ unsigned int size;
- char hex[64];
-
- /* If the field is not a string convert it */
- if (arg->str.field->flags & FIELD_IS_STRING) {
- val = record->data + arg->str.field->offset;
-+ size = arg->str.field->size;
-+
-+ if (arg->str.field->flags & FIELD_IS_DYNAMIC) {
-+ addr = *(unsigned int *)val;
-+ val = record->data + (addr & 0xffff);
-+ size = addr >> 16;
-+ }
-
- /*
- * We need to copy the data since we can't be sure the field
- * is null terminated.
- */
-- if (*(val + arg->str.field->size - 1)) {
-+ if (*(val + size - 1)) {
- /* copy it */
- memcpy(arg->str.buffer, val, arg->str.field->size);
- /* the buffer is already NULL terminated */
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Frank Asseg <frank.asseg@objecthunter.net>
-Date: Mon, 12 Mar 2018 19:57:06 +0100
-Subject: tools/thermal: tmon: fix for segfault
-
-From: Frank Asseg <frank.asseg@objecthunter.net>
-
-[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ]
-
-Fixes a segfault occurring when e.g. <TAB> is pressed multiple times in the
-ncurses tmon application. The segfault is caused by incrementing
-cur_thermal_record in the main function without checking if it's value reached
-NR_THERMAL_RECORD immediately. Since the boundary check only occurred in
-update_thermal_data a race condition existed, which lead to an attempted read
-beyond the last element of the trec array.
-
-The fix was implemented by moving the cur_thermal_record incrementation to the
-update_thermal_data function using a temporary variable on which the boundary
-condition is checked before updating cur_thread_record, so that the variable is
-never incremented beyond the trec array's boundary.
-
-It seems the segfault does not occur on every machine: On a HP EliteBook G4 the
-segfault happens, while it does not happen on a Thinkpad T540p.
-
-Signed-off-by: Frank Asseg <frank.asseg@objecthunter.net>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/thermal/tmon/sysfs.c | 12 +++++++-----
- tools/thermal/tmon/tmon.c | 1 -
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
---- a/tools/thermal/tmon/sysfs.c
-+++ b/tools/thermal/tmon/sysfs.c
-@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst
- int update_thermal_data()
- {
- int i;
-+ int next_thermal_record = cur_thermal_record + 1;
- char tz_name[256];
- static unsigned long samples;
-
-@@ -495,9 +496,9 @@ int update_thermal_data()
- }
-
- /* circular buffer for keeping historic data */
-- if (cur_thermal_record >= NR_THERMAL_RECORDS)
-- cur_thermal_record = 0;
-- gettimeofday(&trec[cur_thermal_record].tv, NULL);
-+ if (next_thermal_record >= NR_THERMAL_RECORDS)
-+ next_thermal_record = 0;
-+ gettimeofday(&trec[next_thermal_record].tv, NULL);
- if (tmon_log) {
- fprintf(tmon_log, "%lu ", ++samples);
- fprintf(tmon_log, "%3.1f ", p_param.t_target);
-@@ -507,11 +508,12 @@ int update_thermal_data()
- snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE,
- ptdata.tzi[i].instance);
- sysfs_get_ulong(tz_name, "temp",
-- &trec[cur_thermal_record].temp[i]);
-+ &trec[next_thermal_record].temp[i]);
- if (tmon_log)
- fprintf(tmon_log, "%lu ",
-- trec[cur_thermal_record].temp[i]/1000);
-+ trec[next_thermal_record].temp[i] / 1000);
- }
-+ cur_thermal_record = next_thermal_record;
- for (i = 0; i < ptdata.nr_cooling_dev; i++) {
- char cdev_name[256];
- unsigned long val;
---- a/tools/thermal/tmon/tmon.c
-+++ b/tools/thermal/tmon/tmon.c
-@@ -326,7 +326,6 @@ int main(int argc, char **argv)
- show_data_w();
- show_cooling_device();
- }
-- cur_thermal_record++;
- time_elapsed += ticktime;
- controller_handler(trec[0].temp[target_tz_index] / 1000,
- &yk);
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Anna-Maria Gleixner <anna-maria@linutronix.de>
-Date: Thu, 21 Dec 2017 11:41:37 +0100
-Subject: tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account
-
-From: Anna-Maria Gleixner <anna-maria@linutronix.de>
-
-[ Upstream commit 91633eed73a3ac37aaece5c8c1f93a18bae616a9 ]
-
-So far only CLOCK_MONOTONIC and CLOCK_REALTIME were taken into account as
-well as HRTIMER_MODE_ABS/REL in the hrtimer_init tracepoint. The query for
-detecting the ABS or REL timer modes is not valid anymore, it got broken
-by the introduction of HRTIMER_MODE_PINNED.
-
-HRTIMER_MODE_PINNED is not evaluated in the hrtimer_init() call, but for the
-sake of completeness print all given modes.
-
-Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
-Cc: Christoph Hellwig <hch@lst.de>
-Cc: John Stultz <john.stultz@linaro.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: keescook@chromium.org
-Link: http://lkml.kernel.org/r/20171221104205.7269-9-anna-maria@linutronix.de
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/trace/events/timer.h | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
---- a/include/trace/events/timer.h
-+++ b/include/trace/events/timer.h
-@@ -121,6 +121,20 @@ DEFINE_EVENT(timer_class, timer_cancel,
- TP_ARGS(timer)
- );
-
-+#define decode_clockid(type) \
-+ __print_symbolic(type, \
-+ { CLOCK_REALTIME, "CLOCK_REALTIME" }, \
-+ { CLOCK_MONOTONIC, "CLOCK_MONOTONIC" }, \
-+ { CLOCK_BOOTTIME, "CLOCK_BOOTTIME" }, \
-+ { CLOCK_TAI, "CLOCK_TAI" })
-+
-+#define decode_hrtimer_mode(mode) \
-+ __print_symbolic(mode, \
-+ { HRTIMER_MODE_ABS, "ABS" }, \
-+ { HRTIMER_MODE_REL, "REL" }, \
-+ { HRTIMER_MODE_ABS_PINNED, "ABS|PINNED" }, \
-+ { HRTIMER_MODE_REL_PINNED, "REL|PINNED" })
-+
- /**
- * hrtimer_init - called when the hrtimer is initialized
- * @hrtimer: pointer to struct hrtimer
-@@ -147,10 +161,8 @@ TRACE_EVENT(hrtimer_init,
- ),
-
- TP_printk("hrtimer=%p clockid=%s mode=%s", __entry->hrtimer,
-- __entry->clockid == CLOCK_REALTIME ?
-- "CLOCK_REALTIME" : "CLOCK_MONOTONIC",
-- __entry->mode == HRTIMER_MODE_ABS ?
-- "HRTIMER_MODE_ABS" : "HRTIMER_MODE_REL")
-+ decode_clockid(__entry->clockid),
-+ decode_hrtimer_mode(__entry->mode))
- );
-
- /**
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Masami Hiramatsu <mhiramat@kernel.org>
-Date: Tue, 10 Apr 2018 21:20:08 +0900
-Subject: tracing/uprobe_event: Fix strncpy corner case
-
-From: Masami Hiramatsu <mhiramat@kernel.org>
-
-[ Upstream commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 ]
-
-Fix string fetch function to terminate with NUL.
-It is OK to drop the rest of string.
-
-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Song Liu <songliubraving@fb.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: security@kernel.org
-Cc: 范龙飞 <long7573@126.com>
-Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/trace/trace_uprobe.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/kernel/trace/trace_uprobe.c
-+++ b/kernel/trace/trace_uprobe.c
-@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, stri
- return;
-
- ret = strncpy_from_user(dst, src, maxlen);
-+ if (ret == maxlen)
-+ dst[--ret] = '\0';
-
- if (ret < 0) { /* Failed to fetch string */
- ((u8 *)get_rloc_data(dest))[0] = '\0';
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Jan Kara <jack@suse.cz>
-Date: Thu, 22 Feb 2018 10:39:52 +0100
-Subject: udf: Provide saner default for invalid uid / gid
-
-From: Jan Kara <jack@suse.cz>
-
-[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ]
-
-Currently when UDF filesystem is recorded without uid / gid (ids are set
-to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid=
-and gid= mount options. In such case filesystem could not be modified in
-any way as VFS refuses to modify files with invalid ids (even by root).
-This is confusing to users and not very useful default since such media
-mode is generally used for removable media. Use overflow[ug]id instead
-so that at least root can modify the filesystem.
-
-Reported-by: Steve Kenton <skenton@ou.edu>
-Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
-Signed-off-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/udf/super.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/fs/udf/super.c
-+++ b/fs/udf/super.c
-@@ -2067,8 +2067,9 @@ static int udf_fill_super(struct super_b
- struct udf_sb_info *sbi;
-
- uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT);
-- uopt.uid = INVALID_UID;
-- uopt.gid = INVALID_GID;
-+ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */
-+ uopt.uid = make_kuid(current_user_ns(), overflowuid);
-+ uopt.gid = make_kgid(current_user_ns(), overflowgid);
- uopt.umask = 0;
- uopt.fmode = UDF_INVALID_MODE;
- uopt.dmode = UDF_INVALID_MODE;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
-Date: Tue, 6 Feb 2018 19:07:38 +0400
-Subject: usb: dwc2: Fix interval type issue
-
-From: Grigor Tovmasyan <Grigor.Tovmasyan@synopsys.com>
-
-[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ]
-
-The maximum value that unsigned char can hold is 255, meanwhile
-the maximum value of interval is 2^(bIntervalMax-1)=2^15.
-
-Signed-off-by: Grigor Tovmasyan <tovmasya@synopsys.com>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/dwc2/core.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/dwc2/core.h
-+++ b/drivers/usb/dwc2/core.h
-@@ -144,7 +144,7 @@ struct s3c_hsotg_ep {
- unsigned char dir_in;
- unsigned char index;
- unsigned char mc;
-- unsigned char interval;
-+ u16 interval;
-
- unsigned int halted:1;
- unsigned int periodic:1;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
-Date: Fri, 16 Mar 2018 15:33:54 -0700
-Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
-
-From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
-
-[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ]
-
-Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP
-is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM.
-
-The GTXFIFOSIZ register for DWC_usb31 is as follows:
- +-------+-----------+----------------------------------+
- | BITS | Name | Description |
- +=======+===========+==================================+
- | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address |
- | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO |
- | 14:0 | TXFDEP | TXFIFO Depth |
- +-------+-----------+----------------------------------+
-
-Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/dwc3/core.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/usb/dwc3/core.h
-+++ b/drivers/usb/dwc3/core.h
-@@ -178,6 +178,8 @@
- #define DWC3_GUSB3PIPECTL_SUSPHY (1 << 17)
-
- /* Global TX Fifo Size Register */
-+#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */
-+#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */
- #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff)
- #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000)
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Chris Dickens <christopher.a.dickens@gmail.com>
-Date: Sun, 31 Dec 2017 18:59:42 -0800
-Subject: usb: gadget: composite: fix incorrect handling of OS desc requests
-
-From: Chris Dickens <christopher.a.dickens@gmail.com>
-
-[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ]
-
-When handling an OS descriptor request, one of the first operations is
-to zero out the request buffer using the wLength from the setup packet.
-There is no bounds checking, so a wLength > 4096 would clobber memory
-adjacent to the request buffer. Fix this by taking the min of wLength
-and the request buffer length prior to the memset. While at it, define
-the buffer length in a header file so that magic numbers don't appear
-throughout the code.
-
-When returning data to the host, the data length should be the min of
-the wLength and the valid data we have to return. Currently we are
-returning wLength, thus requests for a wLength greater than the amount
-of data in the OS descriptor buffer would return invalid (albeit zero'd)
-data following the valid descriptor data. Fix this by counting the
-number of bytes when constructing the data and using this when
-determining the length of the request.
-
-Signed-off-by: Chris Dickens <christopher.a.dickens@gmail.com>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/composite.c | 40 +++++++++++++++++++---------------------
- include/linux/usb/composite.h | 3 +++
- 2 files changed, 22 insertions(+), 21 deletions(-)
-
---- a/drivers/usb/gadget/composite.c
-+++ b/drivers/usb/gadget/composite.c
-@@ -1279,7 +1279,7 @@ static int count_ext_compat(struct usb_c
- return res;
- }
-
--static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
-+static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
- {
- int i, count;
-
-@@ -1306,10 +1306,12 @@ static void fill_ext_compat(struct usb_c
- buf += 23;
- }
- count += 24;
-- if (count >= 4096)
-- return;
-+ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
-+ return count;
- }
- }
-+
-+ return count;
- }
-
- static int count_ext_prop(struct usb_configuration *c, int interface)
-@@ -1354,25 +1356,20 @@ static int fill_ext_prop(struct usb_conf
- struct usb_os_desc *d;
- struct usb_os_desc_ext_prop *ext_prop;
- int j, count, n, ret;
-- u8 *start = buf;
-
- f = c->interface[interface];
-+ count = 10; /* header length */
- for (j = 0; j < f->os_desc_n; ++j) {
- if (interface != f->os_desc_table[j].if_id)
- continue;
- d = f->os_desc_table[j].os_desc;
- if (d)
- list_for_each_entry(ext_prop, &d->ext_prop, entry) {
-- /* 4kB minus header length */
-- n = buf - start;
-- if (n >= 4086)
-- return 0;
--
-- count = ext_prop->data_len +
-+ n = ext_prop->data_len +
- ext_prop->name_len + 14;
-- if (count > 4086 - n)
-- return -EINVAL;
-- usb_ext_prop_put_size(buf, count);
-+ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
-+ return count;
-+ usb_ext_prop_put_size(buf, n);
- usb_ext_prop_put_type(buf, ext_prop->type);
- ret = usb_ext_prop_put_name(buf, ext_prop->name,
- ext_prop->name_len);
-@@ -1398,11 +1395,12 @@ static int fill_ext_prop(struct usb_conf
- default:
- return -EINVAL;
- }
-- buf += count;
-+ buf += n;
-+ count += n;
- }
- }
-
-- return 0;
-+ return count;
- }
-
- /*
-@@ -1630,6 +1628,7 @@ unknown:
- req->complete = composite_setup_complete;
- buf = req->buf;
- os_desc_cfg = cdev->os_desc_config;
-+ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
- memset(buf, 0, w_length);
- buf[5] = 0x01;
- switch (ctrl->bRequestType & USB_RECIP_MASK) {
-@@ -1653,8 +1652,8 @@ unknown:
- count += 16; /* header */
- put_unaligned_le32(count, buf);
- buf += 16;
-- fill_ext_compat(os_desc_cfg, buf);
-- value = w_length;
-+ value = fill_ext_compat(os_desc_cfg, buf);
-+ value = min_t(u16, w_length, value);
- }
- break;
- case USB_RECIP_INTERFACE:
-@@ -1683,8 +1682,7 @@ unknown:
- interface, buf);
- if (value < 0)
- return value;
--
-- value = w_length;
-+ value = min_t(u16, w_length, value);
- }
- break;
- }
-@@ -1938,8 +1936,8 @@ int composite_os_desc_req_prepare(struct
- goto end;
- }
-
-- /* OS feature descriptor length <= 4kB */
-- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
-+ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
-+ GFP_KERNEL);
- if (!cdev->os_desc_req->buf) {
- ret = PTR_ERR(cdev->os_desc_req->buf);
- kfree(cdev->os_desc_req);
---- a/include/linux/usb/composite.h
-+++ b/include/linux/usb/composite.h
-@@ -53,6 +53,9 @@
- /* big enough to hold our biggest descriptor */
- #define USB_COMP_EP0_BUFSIZ 1024
-
-+/* OS feature descriptor length <= 4kB */
-+#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096
-+
- #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1)
- struct usb_configuration;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: John Keeping <john@metanate.com>
-Date: Fri, 12 Jan 2018 18:43:32 +0000
-Subject: usb: gadget: f_uac2: fix bFirstInterface in composite gadget
-
-From: John Keeping <john@metanate.com>
-
-[ Upstream commit 8813a59ed892305b5ac1b5b901740b1ad4b5fefa ]
-
-If there are multiple functions associated with a configuration, then
-the UAC2 interfaces may not start at zero. Set the correct first
-interface number in the association descriptor so that the audio
-interfaces are enumerated correctly in this case.
-
-Reviewed-by: Krzysztof Opasiak <k.opasiak@samsung.com>
-Signed-off-by: John Keeping <john@metanate.com>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/function/f_uac2.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/usb/gadget/function/f_uac2.c
-+++ b/drivers/usb/gadget/function/f_uac2.c
-@@ -1029,6 +1029,8 @@ afunc_bind(struct usb_configuration *cfg
- dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
- return ret;
- }
-+ iad_desc.bFirstInterface = ret;
-+
- std_ac_if_desc.bInterfaceNumber = ret;
- agdev->ac_intf = ret;
- agdev->ac_alt = 0;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Lars-Peter Clausen <lars@metafoo.de>
-Date: Fri, 12 Jan 2018 11:26:16 +0100
-Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
-
-From: Lars-Peter Clausen <lars@metafoo.de>
-
-[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ]
-
-Some UDC drivers (like the DWC3) expect that the response to a setup()
-request is queued from within the setup function itself so that it is
-available as soon as setup() has completed.
-
-Upon receiving a setup request the function fs driver creates an event that
-is made available to userspace. And only once userspace has acknowledged
-that event the response to the setup request is queued.
-
-So it violates the requirement of those UDC drivers and random failures can
-be observed. This is basically a race condition and if userspace is able to
-read the event and queue the response fast enough all is good. But if it is
-not, for example because other processes are currently scheduled to run,
-the USB host that sent the setup request will observe an error.
-
-To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
-return code. If a setup() callback returns this value the UDC driver is
-aware that response is not yet available and can uses the appropriate
-methods to handle this case.
-
-Since in the case of function fs the response will never be available when
-the setup() function returns make sure that this status code is used.
-
-This fixed random occasional failures that were previously observed on a
-DWC3 based system under high system load.
-
-Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/function/f_fs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -2987,7 +2987,7 @@ static int ffs_func_setup(struct usb_fun
- __ffs_event_add(ffs, FUNCTIONFS_SETUP);
- spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
-
-- return 0;
-+ return USB_GADGET_DELAYED_STATUS;
- }
-
- static void ffs_func_suspend(struct usb_function *f)
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Stefan Agner <stefan@agner.ch>
-Date: Mon, 12 Feb 2018 00:14:42 +0100
-Subject: usb: gadget: fsl_udc_core: fix ep valid checks
-
-From: Stefan Agner <stefan@agner.ch>
-
-[ Upstream commit 20c63f4089cceab803438c383631963e34c4d8e5 ]
-
-Clang reports the following warning:
- drivers/usb/gadget/udc/fsl_udc_core.c:1312:10: warning: address of array
- 'ep->name' will always evaluate to 'true' [-Wpointer-bool-conversion]
- if (ep->name)
- ~~ ~~~~^~~~
-
-It seems that the authors intention was to check if the ep has been
-configured through struct_ep_setup. Check whether struct usb_ep name
-pointer has been set instead.
-
-Signed-off-by: Stefan Agner <stefan@agner.ch>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/udc/fsl_udc_core.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/usb/gadget/udc/fsl_udc_core.c
-+++ b/drivers/usb/gadget/udc/fsl_udc_core.c
-@@ -1305,7 +1305,7 @@ static void udc_reset_ep_queue(struct fs
- {
- struct fsl_ep *ep = get_ep_by_pipe(udc, pipe);
-
-- if (ep->name)
-+ if (ep->ep.name)
- nuke(ep, -ESHUTDOWN);
- }
-
-@@ -1693,7 +1693,7 @@ static void dtd_complete_irq(struct fsl_
- curr_ep = get_ep_by_pipe(udc, i);
-
- /* If the ep is configured */
-- if (curr_ep->name == NULL) {
-+ if (!curr_ep->ep.name) {
- WARNING("Invalid EP?");
- continue;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Date: Tue, 6 Feb 2018 09:50:40 +0100
-Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask
-
-From: Wolfram Sang <wsa+renesas@sang-engineering.com>
-
-[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ]
-
-Due to a typo, the mask was destroyed by a comparison instead of a bit
-shift.
-
-Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/udc/goku_udc.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/gadget/udc/goku_udc.h
-+++ b/drivers/usb/gadget/udc/goku_udc.h
-@@ -28,7 +28,7 @@ struct goku_udc_regs {
- # define INT_EP1DATASET 0x00040
- # define INT_EP2DATASET 0x00080
- # define INT_EP3DATASET 0x00100
--#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */
-+#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */
- # define INT_EP1NAK 0x00200
- # define INT_EP2NAK 0x00400
- # define INT_EP3NAK 0x00800
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Merlijn Wajer <merlijn@wizzup.org>
-Date: Mon, 5 Mar 2018 11:35:10 -0600
-Subject: usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers
-
-From: Merlijn Wajer <merlijn@wizzup.org>
-
-[ Upstream commit df6b074dbe248d8c43a82131e8fd429e401841a5 ]
-
-Without pm_runtime_{get,put}_sync calls in place, reading
-vbus status via /sys causes the following error:
-
-Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa0ab060
-pgd = b333e822
-[fa0ab060] *pgd=48011452(bad)
-
-[<c05261b0>] (musb_default_readb) from [<c0525bd0>] (musb_vbus_show+0x58/0xe4)
-[<c0525bd0>] (musb_vbus_show) from [<c04c0148>] (dev_attr_show+0x20/0x44)
-[<c04c0148>] (dev_attr_show) from [<c0259f74>] (sysfs_kf_seq_show+0x80/0xdc)
-[<c0259f74>] (sysfs_kf_seq_show) from [<c0210bac>] (seq_read+0x250/0x448)
-[<c0210bac>] (seq_read) from [<c01edb40>] (__vfs_read+0x1c/0x118)
-[<c01edb40>] (__vfs_read) from [<c01edccc>] (vfs_read+0x90/0x144)
-[<c01edccc>] (vfs_read) from [<c01ee1d0>] (SyS_read+0x3c/0x74)
-[<c01ee1d0>] (SyS_read) from [<c0106fe0>] (ret_fast_syscall+0x0/0x54)
-
-Solution was suggested by Tony Lindgren <tony@atomide.com>.
-
-Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
-Acked-by: Tony Lindgren <tony@atomide.com>
-Signed-off-by: Bin Liu <b-liu@ti.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/musb/musb_core.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/usb/musb/musb_core.c
-+++ b/drivers/usb/musb/musb_core.c
-@@ -1700,6 +1700,7 @@ musb_vbus_show(struct device *dev, struc
- unsigned long val;
- int vbus;
-
-+ pm_runtime_get_sync(dev);
- spin_lock_irqsave(&musb->lock, flags);
- val = musb->a_wait_bcon;
- /* FIXME get_vbus_status() is normally #defined as false...
-@@ -1707,6 +1708,7 @@ musb_vbus_show(struct device *dev, struc
- */
- vbus = musb_platform_get_vbus_status(musb);
- spin_unlock_irqrestore(&musb->lock, flags);
-+ pm_runtime_put_sync(dev);
-
- return sprintf(buf, "Vbus %s, timeout %lu msec\n",
- vbus ? "on" : "off", val);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Fredrik Noring <noring@nocrew.org>
-Date: Fri, 9 Mar 2018 18:34:34 +0100
-Subject: USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
-
-From: Fredrik Noring <noring@nocrew.org>
-
-[ Upstream commit d6c931ea32dc08ac2665bb5f009f9c40ad1bbdb3 ]
-
-Scatter-gather needs to be disabled when using dma_declare_coherent_memory
-and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers
-in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs
-that use HCD_LOCAL_MEM".
-
-The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers:
-
-------------[ cut here ]------------
-WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8
-Modules linked in:
-CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014
-Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031
- 805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000
- 00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420
- 805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538
- 00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000
- ...
-Call Trace:
-[<578af360>] show_stack+0x74/0x104
-[<2f3702c6>] __warn+0x118/0x120
-[<ae93fc9e>] warn_slowpath_null+0x44/0x58
-[<a891a517>] hcd_alloc_coherent+0x4c/0xc8
-[<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534
-[<110bc94c>] usb_hcd_submit_urb+0x82c/0x834
-[<02eb5baf>] usb_sg_wait+0x14c/0x1a0
-[<ccd09e85>] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124
-[<87a5c34c>] usb_stor_bulk_srb+0x40/0x60
-[<ff1792ac>] usb_stor_Bulk_transport+0x160/0x37c
-[<b9e2709c>] usb_stor_invoke_transport+0x3c/0x500
-[<004754f4>] usb_stor_control_thread+0x258/0x28c
-[<22edf42e>] kthread+0x134/0x13c
-[<a419ffd0>] ret_from_kernel_thread+0x14/0x1c
----[ end trace bcdb825805eefdcc ]---
-
-Signed-off-by: Fredrik Noring <noring@nocrew.org>
-Acked-by: Alan Stern <stern@rowland.harvard.edu>
-
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/host/ohci-hcd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/host/ohci-hcd.c
-+++ b/drivers/usb/host/ohci-hcd.c
-@@ -443,7 +443,8 @@ static int ohci_init (struct ohci_hcd *o
- struct usb_hcd *hcd = ohci_to_hcd(ohci);
-
- /* Accept arbitrarily long scatter-gather lists */
-- hcd->self.sg_tablesize = ~0;
-+ if (!(hcd->driver->flags & HCD_LOCAL_MEM))
-+ hcd->self.sg_tablesize = ~0;
-
- if (distrust_firmware)
- ohci->flags |= OHCI_QUIRK_HUB_POWER;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Jay Vosburgh <jay.vosburgh@canonical.com>
-Date: Thu, 22 Mar 2018 14:42:41 +0000
-Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS
-
-From: Jay Vosburgh <jay.vosburgh@canonical.com>
-
-[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ]
-
-The operstate update logic will leave an interface in the
-default UNKNOWN operstate if the interface carrier state never changes
-from the default carrier up state set at creation. This includes the
-case of an explicit call to netif_carrier_on, as the carrier on to on
-transition has no effect on operstate.
-
- This affects virtio-net for the case that the virtio peer does
-not support VIRTIO_NET_F_STATUS (the feature that provides carrier state
-updates). Without this feature, the virtio specification states that
-"the link should be assumed active," so, logically, the operstate should
-be UP instead of UNKNOWN. This has impact on user space applications
-that use the operstate to make availability decisions for the interface.
-
- Resolve this by changing the virtio probe logic slightly to call
-netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS
-cases, and then the existing call to netif_carrier_on for the "without"
-case will cause an operstate transition.
-
-Cc: "Michael S. Tsirkin" <mst@redhat.com>
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/virtio_net.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/virtio_net.c
-+++ b/drivers/net/virtio_net.c
-@@ -1876,8 +1876,8 @@ static int virtnet_probe(struct virtio_d
-
- /* Assume link up if device can't report link status,
- otherwise get link status from config. */
-+ netif_carrier_off(dev);
- if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
-- netif_carrier_off(dev);
- schedule_work(&vi->config_work);
- } else {
- vi->status = VIRTIO_NET_S_LINK_UP;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Stefano Brivio <sbrivio@redhat.com>
-Date: Thu, 15 Mar 2018 17:16:27 +0100
-Subject: vti4: Don't count header length twice on tunnel setup
-
-From: Stefano Brivio <sbrivio@redhat.com>
-
-[ Upstream commit dd1df24737727e119c263acf1be2a92763938297 ]
-
-This re-introduces the effect of commit a32452366b72 ("vti4:
-Don't count header length twice.") which was accidentally
-reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of
-git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec").
-
-The commit message from Steffen Klassert said:
-
- We currently count the size of LL_MAX_HEADER and struct iphdr
- twice for vti4 devices, this leads to a wrong device mtu.
- The size of LL_MAX_HEADER and struct iphdr is already counted in
- ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
-
-And this is still the case now: ip_tunnel_bind_dev() already
-accounts for the header length of the link layer (not
-necessarily LL_MAX_HEADER, if the output device is found), plus
-one IP header.
-
-For example, with a vti device on top of veth, with MTU of 1500,
-the existing implementation would set the initial vti MTU to
-1332, accounting once for LL_MAX_HEADER (128, included in
-hard_header_len by vti) and twice for the same IP header (once
-from hard_header_len, once from ip_tunnel_bind_dev()).
-
-It should instead be 1480, because ip_tunnel_bind_dev() is able
-to figure out that the output device is veth, so no additional
-link layer header is attached, and will properly count one
-single IP header.
-
-The existing issue had the side effect of avoiding PMTUD for
-most xfrm policies, by arbitrarily lowering the initial MTU.
-However, the only way to get a consistent PMTU value is to let
-the xfrm PMTU discovery do its course, and commit d6af1a31cc72
-("vti: Add pmtu handling to vti_xmit.") now takes care of local
-delivery cases where the application ignores local socket
-notifications.
-
-Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
-Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec")
-Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-Acked-by: Sabrina Dubroca <sd@queasysnail.net>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/ip_vti.c | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/net/ipv4/ip_vti.c
-+++ b/net/ipv4/ip_vti.c
-@@ -365,7 +365,6 @@ static int vti_tunnel_init(struct net_de
- memcpy(dev->dev_addr, &iph->saddr, 4);
- memcpy(dev->broadcast, &iph->daddr, 4);
-
-- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
- dev->mtu = ETH_DATA_LEN;
- dev->flags = IFF_NOARP;
- dev->iflink = 0;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Stefano Brivio <sbrivio@redhat.com>
-Date: Thu, 15 Mar 2018 17:16:29 +0100
-Subject: vti4: Don't override MTU passed on link creation via IFLA_MTU
-
-From: Stefano Brivio <sbrivio@redhat.com>
-
-[ Upstream commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 ]
-
-Don't hardcode a MTU value on vti tunnel initialization,
-ip_tunnel_newlink() is able to deal with this already. See also
-commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK").
-
-Fixes: 1181412c1a67 ("net/ipv4: VTI support new module for ip_vti.")
-Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-Acked-by: Sabrina Dubroca <sd@queasysnail.net>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/ip_vti.c | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/net/ipv4/ip_vti.c
-+++ b/net/ipv4/ip_vti.c
-@@ -365,7 +365,6 @@ static int vti_tunnel_init(struct net_de
- memcpy(dev->dev_addr, &iph->saddr, 4);
- memcpy(dev->broadcast, &iph->daddr, 4);
-
-- dev->mtu = ETH_DATA_LEN;
- dev->flags = IFF_NOARP;
- dev->iflink = 0;
- dev->addr_len = 4;
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Igor Pylypiv <igor.pylypiv@gmail.com>
-Date: Wed, 28 Feb 2018 00:59:12 -0800
-Subject: watchdog: f71808e_wdt: Fix magic close handling
-
-From: Igor Pylypiv <igor.pylypiv@gmail.com>
-
-[ Upstream commit 7bd3e7b743956afbec30fb525bc3c5e22e3d475c ]
-
-Watchdog close is "expected" when any byte is 'V' not just the last one.
-Writing "V" to the device fails because the last byte is the end of string.
-
-$ echo V > /dev/watchdog
-f71808e_wdt: Unexpected close, not stopping watchdog!
-
-Signed-off-by: Igor Pylypiv <igor.pylypiv@gmail.com>
-Reviewed-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/watchdog/f71808e_wdt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/watchdog/f71808e_wdt.c
-+++ b/drivers/watchdog/f71808e_wdt.c
-@@ -520,7 +520,8 @@ static ssize_t watchdog_write(struct fil
- char c;
- if (get_user(c, buf + i))
- return -EFAULT;
-- expect_close = (c == 'V');
-+ if (c == 'V')
-+ expect_close = true;
- }
-
- /* Properly order writes across fork()ed processes */
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Guenter Roeck <linux@roeck-us.net>
-Date: Sun, 24 Dec 2017 13:04:07 -0800
-Subject: watchdog: sp5100_tco: Fix watchdog disable bit
-
-From: Guenter Roeck <linux@roeck-us.net>
-
-[ Upstream commit f541c09ebfc61697b586b38c9ebaf4b70defb278 ]
-
-According to all published information, the watchdog disable bit for SB800
-compatible controllers is bit 1 of PM register 0x48, not bit 2. For the
-most part that doesn't matter in practice, since the bit has to be cleared
-to enable watchdog address decoding, which is the default setting, but it
-still needs to be fixed.
-
-Cc: Zoltán Böszörményi <zboszor@pr.hu>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/watchdog/sp5100_tco.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/watchdog/sp5100_tco.h
-+++ b/drivers/watchdog/sp5100_tco.h
-@@ -54,7 +54,7 @@
- #define SB800_PM_WATCHDOG_CONFIG 0x4C
-
- #define SB800_PCI_WATCHDOG_DECODE_EN (1 << 0)
--#define SB800_PM_WATCHDOG_DISABLE (1 << 2)
-+#define SB800_PM_WATCHDOG_DISABLE (1 << 1)
- #define SB800_PM_WATCHDOG_SECOND_RES (3 << 0)
- #define SB800_ACPI_MMIO_DECODE_EN (1 << 0)
- #define SB800_ACPI_MMIO_SEL (1 << 1)
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Dave Hansen <dave.hansen@linux.intel.com>
-Date: Fri, 6 Apr 2018 13:55:14 -0700
-Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
-
-From: Dave Hansen <dave.hansen@linux.intel.com>
-
-[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ]
-
-__ro_after_init data gets stuck in the .rodata section. That's normally
-fine because the kernel itself manages the R/W properties.
-
-But, if we run __change_page_attr() on an area which is __ro_after_init,
-the .rodata checks will trigger and force the area to be immediately
-read-only, even if it is early-ish in boot. This caused problems when
-trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
-it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
-to clear _PAGE_RW. The kernel then oopses the next time it wrote to
-a __ro_after_init data structure.
-
-To fix this, add the kernel_set_to_readonly check, just like we have
-for kernel text, just a few lines below in this function.
-
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Acked-by: Kees Cook <keescook@chromium.org>
-Cc: Andrea Arcangeli <aarcange@redhat.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Arjan van de Ven <arjan@linux.intel.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dan Williams <dan.j.williams@intel.com>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Nadav Amit <namit@vmware.com>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: linux-mm@kvack.org
-Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/mm/pageattr.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/arch/x86/mm/pageattr.c
-+++ b/arch/x86/mm/pageattr.c
-@@ -275,9 +275,11 @@ static inline pgprot_t static_protection
-
- /*
- * The .rodata section needs to be read-only. Using the pfn
-- * catches all aliases.
-+ * catches all aliases. This also includes __ro_after_init,
-+ * so do not enforce until kernel_set_to_readonly is true.
- */
-- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
-+ if (kernel_set_to_readonly &&
-+ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
- __pa_symbol(__end_rodata) >> PAGE_SHIFT))
- pgprot_val(forbidden) |= _PAGE_RW;
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Fri, 2 Feb 2018 15:56:18 +0100
-Subject: x86/power: Fix swsusp_arch_resume prototype
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit 328008a72d38b5bde6491e463405c34a81a65d3e ]
-
-The declaration for swsusp_arch_resume marks it as 'asmlinkage', but the
-definition in x86-32 does not, and it fails to include the header with the
-declaration. This leads to a warning when building with
-link-time-optimizations:
-
-kernel/power/power.h:108:23: error: type of 'swsusp_arch_resume' does not match original declaration [-Werror=lto-type-mismatch]
- extern asmlinkage int swsusp_arch_resume(void);
- ^
-arch/x86/power/hibernate_32.c:148:0: note: 'swsusp_arch_resume' was previously declared here
- int swsusp_arch_resume(void)
-
-This moves the declaration into a globally visible header file and fixes up
-both x86 definitions to match it.
-
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Len Brown <len.brown@intel.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Nicolas Pitre <nico@linaro.org>
-Cc: linux-pm@vger.kernel.org
-Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
-Cc: Pavel Machek <pavel@ucw.cz>
-Cc: Bart Van Assche <bart.vanassche@wdc.com>
-Link: https://lkml.kernel.org/r/20180202145634.200291-2-arnd@arndb.de
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/power/hibernate_32.c | 2 +-
- arch/x86/power/hibernate_64.c | 2 +-
- include/linux/suspend.h | 2 ++
- kernel/power/power.h | 3 ---
- 4 files changed, 4 insertions(+), 5 deletions(-)
-
---- a/arch/x86/power/hibernate_32.c
-+++ b/arch/x86/power/hibernate_32.c
-@@ -142,7 +142,7 @@ static inline void resume_init_first_lev
- #endif
- }
-
--int swsusp_arch_resume(void)
-+asmlinkage int swsusp_arch_resume(void)
- {
- int error;
-
---- a/arch/x86/power/hibernate_64.c
-+++ b/arch/x86/power/hibernate_64.c
-@@ -78,7 +78,7 @@ static int set_up_temporary_mappings(voi
- return 0;
- }
-
--int swsusp_arch_resume(void)
-+asmlinkage int swsusp_arch_resume(void)
- {
- int error;
-
---- a/include/linux/suspend.h
-+++ b/include/linux/suspend.h
-@@ -325,6 +325,8 @@ extern int swsusp_page_is_forbidden(stru
- extern void swsusp_set_page_free(struct page *);
- extern void swsusp_unset_page_free(struct page *);
- extern unsigned long get_safe_page(gfp_t gfp_mask);
-+extern asmlinkage int swsusp_arch_suspend(void);
-+extern asmlinkage int swsusp_arch_resume(void);
-
- extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
- extern int hibernate(void);
---- a/kernel/power/power.h
-+++ b/kernel/power/power.h
-@@ -85,9 +85,6 @@ extern int in_suspend;
- extern dev_t swsusp_resume_device;
- extern sector_t swsusp_resume_block;
-
--extern asmlinkage int swsusp_arch_suspend(void);
--extern asmlinkage int swsusp_arch_resume(void);
--
- extern int create_basic_memory_bitmaps(void);
- extern void free_basic_memory_bitmaps(void);
- extern int hibernate_preallocate_memory(void);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Samuel Neves <sneves@dei.uc.pt>
-Date: Wed, 21 Feb 2018 20:50:36 +0000
-Subject: x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations
-
-From: Samuel Neves <sneves@dei.uc.pt>
-
-[ Upstream commit 4596749339e06dc7a424fc08a15eded850ed78b7 ]
-
-Without this fix, /proc/cpuinfo will display an incorrect amount
-of CPU cores, after bringing them offline and online again, as
-exemplified below:
-
- $ cat /proc/cpuinfo | grep cores
- cpu cores : 4
- cpu cores : 8
- cpu cores : 8
- cpu cores : 20
- cpu cores : 4
- cpu cores : 3
- cpu cores : 2
- cpu cores : 2
-
-This patch fixes this by always zeroing the booted_cores variable
-upon turning off a logical CPU.
-
-Tested-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
-Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: jgross@suse.com
-Cc: luto@kernel.org
-Cc: prarit@redhat.com
-Cc: vkuznets@redhat.com
-Link: http://lkml.kernel.org/r/20180221205036.5244-1-sneves@dei.uc.pt
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/smpboot.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -1290,6 +1290,7 @@ static void remove_siblinginfo(int cpu)
- cpumask_clear(cpu_core_mask(cpu));
- c->phys_proc_id = 0;
- c->cpu_core_id = 0;
-+ c->booted_cores = 0;
- cpumask_clear_cpu(cpu, cpu_sibling_setup_mask);
- }
-
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Thu, 29 Mar 2018 12:01:53 +0300
-Subject: xen/acpi: off by one in read_acpi_id()
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ]
-
-If acpi_id is == nr_acpi_bits, then we access one element beyond the end
-of the acpi_psd[] array or we set one bit beyond the end of the bit map
-when we do __set_bit(acpi_id, acpi_id_present);
-
-Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/xen-acpi-processor.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/xen/xen-acpi-processor.c
-+++ b/drivers/xen/xen-acpi-processor.c
-@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl
- }
- /* There are more ACPI Processor objects than in x2APIC or MADT.
- * This can happen with incorrect ACPI SSDT declerations. */
-- if (acpi_id > nr_acpi_bits) {
-- pr_debug("We only have %u, trying to set %u\n",
-- nr_acpi_bits, acpi_id);
-+ if (acpi_id >= nr_acpi_bits) {
-+ pr_debug("max acpi id %u, trying to set %u\n",
-+ nr_acpi_bits - 1, acpi_id);
- return AE_OK;
- }
- /* OK, There is a ACPI Processor object */
+++ /dev/null
-From foo@baz Wed May 2 13:21:43 PDT 2018
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-Date: Thu, 11 Jan 2018 09:36:37 +0000
-Subject: xen/grant-table: Use put_page instead of free_page
-
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-
-[ Upstream commit 3ac7292a25db1c607a50752055a18aba32ac2176 ]
-
-The page given to gnttab_end_foreign_access() to free could be a
-compound page so use put_page() instead of free_page() since it can
-handle both compound and single pages correctly.
-
-This bug was discovered when migrating a Xen VM with several VIFs and
-CONFIG_DEBUG_VM enabled. It hits a BUG usually after fewer than 10
-iterations. All netfront devices disconnect from the backend during a
-suspend/resume and this will call gnttab_end_foreign_access() if a
-netfront queue has an outstanding skb. The mismatch between calling
-get_page() and free_page() on a compound page causes a reference
-counting error which is detected when DEBUG_VM is enabled.
-
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
-Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/grant-table.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/grant-table.c
-+++ b/drivers/xen/grant-table.c
-@@ -322,7 +322,7 @@ static void gnttab_handle_deferred(unsig
- if (entry->page) {
- pr_debug("freeing g.e. %#x (pfn %#lx)\n",
- entry->ref, page_to_pfn(entry->page));
-- __free_page(entry->page);
-+ put_page(entry->page);
- } else
- pr_info("freeing g.e. %#x\n", entry->ref);
- kfree(entry);
-@@ -378,7 +378,7 @@ void gnttab_end_foreign_access(grant_ref
- if (gnttab_end_foreign_access_ref(ref, readonly)) {
- put_free_entry(ref);
- if (page != 0)
-- free_page(page);
-+ put_page(virt_to_page(page));
- } else
- gnttab_add_deferred(ref, readonly,
- page ? virt_to_page(page) : NULL);
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Roger Pau Monne <roger.pau@citrix.com>
-Date: Wed, 28 Feb 2018 09:19:03 +0000
-Subject: xen/pirq: fix error path cleanup when binding MSIs
-
-From: Roger Pau Monne <roger.pau@citrix.com>
-
-[ Upstream commit 910f8befdf5bccf25287d9f1743e3e546bcb7ce0 ]
-
-Current cleanup in the error path of xen_bind_pirq_msi_to_irq is
-wrong. First of all there's an off-by-one in the cleanup loop, which
-can lead to unbinding wrong IRQs.
-
-Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
-
-Note that there's no need to differentiate between bound and unbound
-IRQs when freeing them, __unbind_from_irq will deal with both of them
-correctly.
-
-Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
-Reported-by: Hooman Mirhadi <mirhadih@amazon.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Reviewed-by: Amit Shah <aams@amazon.com>
-Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/events/events_base.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/events/events_base.c
-+++ b/drivers/xen/events/events_base.c
-@@ -763,8 +763,8 @@ out:
- mutex_unlock(&irq_mapping_update_lock);
- return irq;
- error_irq:
-- for (; i >= 0; i--)
-- __unbind_from_irq(irq + i);
-+ while (nvec--)
-+ __unbind_from_irq(irq + nvec);
- mutex_unlock(&irq_mapping_update_lock);
- return ret;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Arvind Yadav <arvind.yadav.cs@gmail.com>
-Date: Tue, 6 Mar 2018 15:40:37 +0530
-Subject: xen: xenbus: use put_device() instead of kfree()
-
-From: Arvind Yadav <arvind.yadav.cs@gmail.com>
-
-[ Upstream commit 351b2bccede1cb673ec7957b35ea997ea24c8884 ]
-
-Never directly free @dev after calling device_register(), even
-if it returned an error! Always use put_device() to give up the
-reference initialized.
-
-Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Juergen Gross <jgross@suse.com>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/xen/xenbus/xenbus_probe.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/xen/xenbus/xenbus_probe.c
-+++ b/drivers/xen/xenbus/xenbus_probe.c
-@@ -470,8 +470,11 @@ int xenbus_probe_node(struct xen_bus_typ
-
- /* Register with generic device framework. */
- err = device_register(&xendev->dev);
-- if (err)
-+ if (err) {
-+ put_device(&xendev->dev);
-+ xendev = NULL;
- goto fail;
-+ }
-
- return 0;
- fail:
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-Date: Fri, 16 Mar 2018 16:33:01 +0200
-Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot
-
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-
-[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ]
-
-set udev->slot_id to zero when disabling and freeing the xhci slot.
-Prevents usb core from calling xhci with a stale slot id.
-
-xHC controller may be reset during resume to recover from some error.
-All slots are unusable as they are disabled and freed.
-xhci driver starts slot enumeration again from 1 in the order they are
-enabled. In the worst case a stale udev->slot_id for one device matches
-a newly enabled slot_id for a different device, causing us to
-perform a action on the wrong device.
-
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/host/xhci-mem.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/usb/host/xhci-mem.c
-+++ b/drivers/usb/host/xhci-mem.c
-@@ -962,6 +962,8 @@ void xhci_free_virt_device(struct xhci_h
- if (dev->out_ctx)
- xhci_free_container_ctx(xhci, dev->out_ctx);
-
-+ if (dev->udev && dev->udev->slot_id)
-+ dev->udev->slot_id = 0;
- kfree(xhci->devs[slot_id]);
- xhci->devs[slot_id] = NULL;
- }
+++ /dev/null
-From foo@baz Wed May 2 13:21:44 PDT 2018
-From: Michael Schmitz <schmitzmic@gmail.com>
-Date: Sat, 3 Mar 2018 12:04:13 +1300
-Subject: zorro: Set up z->dev.dma_mask for the DMA API
-
-From: Michael Schmitz <schmitzmic@gmail.com>
-
-[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ]
-
-The generic DMA API uses dev->dma_mask to check the DMA addressable
-memory bitmask, and warns if no mask is set or even allocated.
-
-Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
-to point to z->dev.dma_coherent_mask so device drivers that need DMA have
-everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
-still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
-
-Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
-[geert: Handle Zorro II with 24-bit address space]
-Acked-by: Christoph Hellwig <hch@lst.de>
-Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
-Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/zorro/zorro.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
---- a/drivers/zorro/zorro.c
-+++ b/drivers/zorro/zorro.c
-@@ -16,6 +16,7 @@
- #include <linux/bitops.h>
- #include <linux/string.h>
- #include <linux/platform_device.h>
-+#include <linux/dma-mapping.h>
- #include <linux/slab.h>
-
- #include <asm/byteorder.h>
-@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru
- z->dev.parent = &bus->dev;
- z->dev.bus = &zorro_bus_type;
- z->dev.id = i;
-+ switch (z->rom.er_Type & ERT_TYPEMASK) {
-+ case ERT_ZORROIII:
-+ z->dev.coherent_dma_mask = DMA_BIT_MASK(32);
-+ break;
-+
-+ case ERT_ZORROII:
-+ default:
-+ z->dev.coherent_dma_mask = DMA_BIT_MASK(24);
-+ break;
-+ }
-+ z->dev.dma_mask = &z->dev.coherent_dma_mask;
- }
-
- /* ... then register them */
projects / thirdparty / kernel / stable-queue.git / commitdiff
