-From ec50c80c780152d2058c23d9e246fc81f73742da Mon Sep 17 00:00:00 2001
-From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
-Date: Mon, 21 Nov 2016 13:37:48 +0100
-Subject: [PATCH 007/251] s390/qdio: clear DSCI prior to scanning multiple
- input queues
-Status: RO
-Content-Length: 2241
-Lines: 56
-
-commit 1e4a382fdc0ba8d1a85b758c0811de3a3631085e upstream.
-
-For devices with multiple input queues, tiqdio_call_inq_handlers()
-iterates over all input queues and clears the device's DSCI
-during each iteration. If the DSCI is re-armed during one
-of the later iterations, we therefore do not scan the previous
-queues again.
-The re-arming also raises a new adapter interrupt. But its
-handler does not trigger a rescan for the device, as the DSCI
-has already been erroneously cleared.
-This can result in queue stalls on devices with multiple
-input queues.
-
-Fix it by clearing the DSCI just once, prior to scanning the queues.
-
-As the code is moved in front of the loop, we also need to access
-the DSCI directly (ie irq->dsci) instead of going via each queue's
-parent pointer to the same irq. This is not a functional change,
-and a follow-up patch will clean up the other users.
-
-In practice, this bug only affects CQ-enabled HiperSockets devices,
-ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is
-needed for AF_IUCV socket applications that use HiperSockets
-communication.
-
-Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
-Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
-Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/s390/cio/qdio_thinint.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/s390/cio/qdio_thinint.c b/drivers/s390/cio/qdio_thinint.c
-index 5d06253c2a7a..30e9fbbff051 100644
---- a/drivers/s390/cio/qdio_thinint.c
-+++ b/drivers/s390/cio/qdio_thinint.c
-@@ -147,11 +147,11 @@ static inline void tiqdio_call_inq_handlers(struct qdio_irq *irq)
- struct qdio_q *q;
- int i;
-
-- for_each_input_queue(irq, q, i) {
-- if (!references_shared_dsci(irq) &&
-- has_multiple_inq_on_dsci(irq))
-- xchg(q->irq_ptr->dsci, 0);
-+ if (!references_shared_dsci(irq) &&
-+ has_multiple_inq_on_dsci(irq))
-+ xchg(irq->dsci, 0);
-
-+ for_each_input_queue(irq, q, i) {
- if (q->u.in.queue_start_poll) {
- /* skip if polling is enabled or already in work */
- if (test_and_set_bit(QDIO_QUEUE_IRQS_DISABLED,
---
-2.12.2
-
-From 792bd1fb5b0338232e47412bce2a9b6f0f1fbdaf Mon Sep 17 00:00:00 2001
-From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
-Date: Mon, 30 Jan 2017 15:52:14 +0100
-Subject: [PATCH 008/251] s390/dcssblk: fix device size calculation in
- dcssblk_direct_access()
-Status: RO
-Content-Length: 1263
-Lines: 32
-
-commit a63f53e34db8b49675448d03ae324f6c5bc04fe6 upstream.
-
-Since commit dd22f551 "block: Change direct_access calling convention",
-the device size calculation in dcssblk_direct_access() is off-by-one.
-This results in bdev_direct_access() always returning -ENXIO because the
-returned value is not page aligned.
-
-Fix this by adding 1 to the dev_sz calculation.
-
-Fixes: dd22f551 ("block: Change direct_access calling convention")
-Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/s390/block/dcssblk.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/s390/block/dcssblk.c b/drivers/s390/block/dcssblk.c
-index 94a8f4ab57bc..ae1dc37e4068 100644
---- a/drivers/s390/block/dcssblk.c
-+++ b/drivers/s390/block/dcssblk.c
-@@ -892,7 +892,7 @@ dcssblk_direct_access (struct block_device *bdev, sector_t secnum,
- dev_info = bdev->bd_disk->private_data;
- if (!dev_info)
- return -ENODEV;
-- dev_sz = dev_info->end - dev_info->start;
-+ dev_sz = dev_info->end - dev_info->start + 1;
- offset = secnum * 512;
- addr = (void *) (dev_info->start + offset);
- *pfn = virt_to_phys(addr) >> PAGE_SHIFT;
---
-2.12.2
-
-From 9cf431dbd8f78d4e78d4aa3ef4fb453cd71e2978 Mon Sep 17 00:00:00 2001
-From: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Date: Fri, 24 Feb 2017 07:43:51 +0100
-Subject: [PATCH 009/251] s390: TASK_SIZE for kernel threads
-Status: RO
-Content-Length: 1158
-Lines: 30
-
-commit fb94a687d96c570d46332a4a890f1dcb7310e643 upstream.
-
-Return a sensible value if TASK_SIZE if called from a kernel thread.
-
-This gets us around an issue with copy_mount_options that does a magic
-size calculation "TASK_SIZE - (unsigned long)data" while in a kernel
-thread and data pointing to kernel space.
-
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/include/asm/processor.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
-index c1ea67db8404..c61ed7890cef 100644
---- a/arch/s390/include/asm/processor.h
-+++ b/arch/s390/include/asm/processor.h
-@@ -74,7 +74,8 @@ extern void execve_tail(void);
- * User space process size: 2GB for 31 bit, 4TB or 8PT for 64 bit.
- */
-
--#define TASK_SIZE_OF(tsk) ((tsk)->mm->context.asce_limit)
-+#define TASK_SIZE_OF(tsk) ((tsk)->mm ? \
-+ (tsk)->mm->context.asce_limit : TASK_MAX_SIZE)
- #define TASK_UNMAPPED_BASE (test_thread_flag(TIF_31BIT) ? \
- (1UL << 30) : (1UL << 41))
- #define TASK_SIZE TASK_SIZE_OF(current)
---
-2.12.2
-
-From 296f7bd7f1dbd2379489ea779779ef437d9e6c6f Mon Sep 17 00:00:00 2001
-From: Heiko Carstens <heiko.carstens@de.ibm.com>
-Date: Sat, 4 Feb 2017 11:40:36 +0100
-Subject: [PATCH 010/251] s390: make setup_randomness work
-Status: RO
-Content-Length: 1465
-Lines: 40
-
-commit da8fd820f389a0e29080b14c61bf5cf1d8ef5ca1 upstream.
-
-Commit bcfcbb6bae64 ("s390: add system information as device
-randomness") intended to add some virtual machine specific information
-to the randomness pool.
-
-Unfortunately it uses the page allocator before it is ready to use. In
-result the page allocator always returns NULL and the setup_randomness
-function never adds anything to the randomness pool.
-
-To fix this use memblock_alloc and memblock_free instead.
-
-Fixes: bcfcbb6bae64 ("s390: add system information as device randomness")
-Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/kernel/setup.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
-index 1f581eb61bc2..1cf4aae76780 100644
---- a/arch/s390/kernel/setup.c
-+++ b/arch/s390/kernel/setup.c
-@@ -805,10 +805,10 @@ static void __init setup_randomness(void)
- {
- struct sysinfo_3_2_2 *vmms;
-
-- vmms = (struct sysinfo_3_2_2 *) alloc_page(GFP_KERNEL);
-- if (vmms && stsi(vmms, 3, 2, 2) == 0 && vmms->count)
-+ vmms = (struct sysinfo_3_2_2 *) memblock_alloc(PAGE_SIZE, PAGE_SIZE);
-+ if (stsi(vmms, 3, 2, 2) == 0 && vmms->count)
- add_device_randomness(&vmms, vmms->count);
-- free_page((unsigned long) vmms);
-+ memblock_free((unsigned long) vmms, PAGE_SIZE);
- }
-
- /*
---
-2.12.2
-
-From 376a12eb7f608fad96b13fab3f151eb4c9b40c7c Mon Sep 17 00:00:00 2001
-From: Heiko Carstens <heiko.carstens@de.ibm.com>
-Date: Sun, 5 Feb 2017 23:03:18 +0100
-Subject: [PATCH 011/251] s390: use correct input data address for
- setup_randomness
-Status: RO
-Content-Length: 1414
-Lines: 37
-
-commit 4920e3cf77347d7d7373552d4839e8d832321313 upstream.
-
-The current implementation of setup_randomness uses the stack address
-and therefore the pointer to the SYSIB 3.2.2 block as input data
-address. Furthermore the length of the input data is the number of
-virtual-machine description blocks which is typically one.
-
-This means that typically a single zero byte is fed to
-add_device_randomness.
-
-Fix both of these and use the address of the first virtual machine
-description block as input data address and also use the correct
-length.
-
-Fixes: bcfcbb6bae64 ("s390: add system information as device randomness")
-Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/kernel/setup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
-index 1cf4aae76780..d097d71685df 100644
---- a/arch/s390/kernel/setup.c
-+++ b/arch/s390/kernel/setup.c
-@@ -807,7 +807,7 @@ static void __init setup_randomness(void)
-
- vmms = (struct sysinfo_3_2_2 *) memblock_alloc(PAGE_SIZE, PAGE_SIZE);
- if (stsi(vmms, 3, 2, 2) == 0 && vmms->count)
-- add_device_randomness(&vmms, vmms->count);
-+ add_device_randomness(&vmms->vm, sizeof(vmms->vm[0]) * vmms->count);
- memblock_free((unsigned long) vmms, PAGE_SIZE);
- }
-
---
-2.12.2
-
From 839d42687dfce0ed0ea2c6bd8d707cc0e276fbe7 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Fri, 20 Jan 2017 18:28:35 +1300
--
2.12.2
-From adc48c710b7e3d0d169e013ca089f46347aaf064 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Wed, 11 Jan 2017 15:29:48 +0100
-Subject: [PATCH 041/251] MIPS: Update defconfigs for NF_CT_PROTO_DCCP/UDPLITE
- change
-Content-Length: 5304
-Lines: 136
-
-commit 9ddc16ad8e0bc7742fc96d5aaabc5b8698512cd1 upstream.
-
-In linux-4.10-rc, NF_CT_PROTO_UDPLITE and NF_CT_PROTO_DCCP are bool
-symbols instead of tristate, and kernelci.org reports a bunch of
-warnings for this, like:
-
-arch/mips/configs/malta_kvm_guest_defconfig:63:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
-arch/mips/configs/malta_defconfig:62:warning: symbol value 'm' invalid for NF_CT_PROTO_DCCP
-arch/mips/configs/malta_defconfig:63:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
-arch/mips/configs/ip22_defconfig:70:warning: symbol value 'm' invalid for NF_CT_PROTO_DCCP
-arch/mips/configs/ip22_defconfig:71:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
-
-This changes all the MIPS defconfigs with these symbols to have them
-built-in.
-
-Fixes: 9b91c96c5d1f ("netfilter: conntrack: built-in support for UDPlite")
-Fixes: c51d39010a1b ("netfilter: conntrack: built-in support for DCCP")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Cc: linux-mips@linux-mips.org
-Cc: linux-kernel@vger.kernel.org
-Patchwork: https://patchwork.linux-mips.org/patch/14999/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/configs/ip22_defconfig | 4 ++--
- arch/mips/configs/malta_defconfig | 4 ++--
- arch/mips/configs/malta_kvm_defconfig | 4 ++--
- arch/mips/configs/malta_kvm_guest_defconfig | 4 ++--
- arch/mips/configs/maltaup_xpa_defconfig | 4 ++--
- arch/mips/configs/nlm_xlp_defconfig | 2 +-
- arch/mips/configs/nlm_xlr_defconfig | 2 +-
- 7 files changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/arch/mips/configs/ip22_defconfig b/arch/mips/configs/ip22_defconfig
-index 57ed466e00db..2f140d75d01c 100644
---- a/arch/mips/configs/ip22_defconfig
-+++ b/arch/mips/configs/ip22_defconfig
-@@ -68,8 +68,8 @@ CONFIG_NETFILTER_NETLINK_QUEUE=m
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_DCCP=m
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_DCCP=y
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
-diff --git a/arch/mips/configs/malta_defconfig b/arch/mips/configs/malta_defconfig
-index 5afb4840aec7..739ccd0dca64 100644
---- a/arch/mips/configs/malta_defconfig
-+++ b/arch/mips/configs/malta_defconfig
-@@ -59,8 +59,8 @@ CONFIG_NETFILTER=y
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_DCCP=m
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_DCCP=y
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
-diff --git a/arch/mips/configs/malta_kvm_defconfig b/arch/mips/configs/malta_kvm_defconfig
-index 98f13879bb8f..47f4ecf125ba 100644
---- a/arch/mips/configs/malta_kvm_defconfig
-+++ b/arch/mips/configs/malta_kvm_defconfig
-@@ -60,8 +60,8 @@ CONFIG_NETFILTER=y
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_DCCP=m
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_DCCP=y
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
-diff --git a/arch/mips/configs/malta_kvm_guest_defconfig b/arch/mips/configs/malta_kvm_guest_defconfig
-index 3b5d5913f548..e79d325aa085 100644
---- a/arch/mips/configs/malta_kvm_guest_defconfig
-+++ b/arch/mips/configs/malta_kvm_guest_defconfig
-@@ -59,8 +59,8 @@ CONFIG_NETFILTER=y
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_DCCP=m
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_DCCP=y
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
-diff --git a/arch/mips/configs/maltaup_xpa_defconfig b/arch/mips/configs/maltaup_xpa_defconfig
-index 732215732751..ae87ad86243b 100644
---- a/arch/mips/configs/maltaup_xpa_defconfig
-+++ b/arch/mips/configs/maltaup_xpa_defconfig
-@@ -61,8 +61,8 @@ CONFIG_NETFILTER=y
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_DCCP=m
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_DCCP=y
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
-diff --git a/arch/mips/configs/nlm_xlp_defconfig b/arch/mips/configs/nlm_xlp_defconfig
-index b3d1d37f85ea..47492fee2952 100644
---- a/arch/mips/configs/nlm_xlp_defconfig
-+++ b/arch/mips/configs/nlm_xlp_defconfig
-@@ -111,7 +111,7 @@ CONFIG_NETFILTER=y
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
-diff --git a/arch/mips/configs/nlm_xlr_defconfig b/arch/mips/configs/nlm_xlr_defconfig
-index 3d8016d6cf3e..472a818f1eb8 100644
---- a/arch/mips/configs/nlm_xlr_defconfig
-+++ b/arch/mips/configs/nlm_xlr_defconfig
-@@ -91,7 +91,7 @@ CONFIG_NETFILTER=y
- CONFIG_NF_CONNTRACK=m
- CONFIG_NF_CONNTRACK_SECMARK=y
- CONFIG_NF_CONNTRACK_EVENTS=y
--CONFIG_NF_CT_PROTO_UDPLITE=m
-+CONFIG_NF_CT_PROTO_UDPLITE=y
- CONFIG_NF_CONNTRACK_AMANDA=m
- CONFIG_NF_CONNTRACK_FTP=m
- CONFIG_NF_CONNTRACK_H323=m
---
-2.12.2
-
-From 8ed0fdcc0c1157f49795913ab9fd3de768fad8f6 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Fri, 3 Feb 2017 17:43:50 +0100
-Subject: [PATCH 042/251] MIPS: ip27: Disable qlge driver in defconfig
-Content-Length: 1534
-Lines: 41
-
-commit b617649468390713db1515ea79fc772d2eb897a8 upstream.
-
-One of the last remaining failures in kernelci.org is for a gcc bug:
-
-drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints:
-drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190
-
-This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot
-reproduce the problem here. However, it is clear that ip27_defconfig
-does not actually need this driver as the platform has only PCI-X but
-not PCIe, and the qlge adapter in turn is PCIe-only.
-
-The driver was originally enabled in 2010 along with lots of other
-drivers.
-
-Fixes: 59d302b342e5 ("MIPS: IP27: Make defconfig useful again.")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Cc: Ralf Baechle <ralf@linux-mips.org>
-Cc: linux-mips@linux-mips.org
-Cc: linux-kernel@vger.kernel.org
-Patchwork: https://patchwork.linux-mips.org/patch/15197/
-Signed-off-by: James Hogan <james.hogan@imgtec.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/configs/ip27_defconfig | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/arch/mips/configs/ip27_defconfig b/arch/mips/configs/ip27_defconfig
-index 48e16d98b2cc..6ecc67f3736b 100644
---- a/arch/mips/configs/ip27_defconfig
-+++ b/arch/mips/configs/ip27_defconfig
-@@ -206,7 +206,6 @@ CONFIG_MLX4_EN=m
- # CONFIG_MLX4_DEBUG is not set
- CONFIG_TEHUTI=m
- CONFIG_BNX2X=m
--CONFIG_QLGE=m
- CONFIG_SFC=m
- CONFIG_BE2NET=m
- CONFIG_LIBERTAS_THINFIRM=m
---
-2.12.2
-
-From 7a6a965f350ec47171184898368a17b8228cdaf9 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Wed, 11 Jan 2017 15:29:50 +0100
-Subject: [PATCH 043/251] MIPS: Update ip27_defconfig for SCSI_DH change
-Content-Length: 1140
-Lines: 35
-
-commit ea58fca1842a5dc410cae4167b01643db971a4e2 upstream.
-
-Since linux-4.3, SCSI_DH is a bool symbol, causing a warning in
-kernelci.org:
-
-arch/mips/configs/ip27_defconfig:136:warning: symbol value 'm' invalid for SCSI_DH
-
-This updates the defconfig to have the feature built-in.
-
-Fixes: 086b91d052eb ("scsi_dh: integrate into the core SCSI code")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Cc: linux-mips@linux-mips.org
-Cc: linux-kernel@vger.kernel.org
-Patchwork: https://patchwork.linux-mips.org/patch/15001/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/configs/ip27_defconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/mips/configs/ip27_defconfig b/arch/mips/configs/ip27_defconfig
-index 6ecc67f3736b..b15508447366 100644
---- a/arch/mips/configs/ip27_defconfig
-+++ b/arch/mips/configs/ip27_defconfig
-@@ -134,7 +134,7 @@ CONFIG_LIBFC=m
- CONFIG_SCSI_QLOGIC_1280=y
- CONFIG_SCSI_PMCRAID=m
- CONFIG_SCSI_BFA_FC=m
--CONFIG_SCSI_DH=m
-+CONFIG_SCSI_DH=y
- CONFIG_SCSI_DH_RDAC=m
- CONFIG_SCSI_DH_HP_SW=m
- CONFIG_SCSI_DH_EMC=m
---
-2.12.2
-
-From c018595d83a39dc4156f46ac21955778835e7781 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Tue, 17 Jan 2017 16:18:46 +0100
-Subject: [PATCH 044/251] MIPS: ip22: Fix ip28 build for modern gcc
-Content-Length: 1395
-Lines: 37
-
-commit 23ca9b522383d3b9b7991d8586db30118992af4a upstream.
-
-kernelci reports a failure of the ip28_defconfig build after upgrading its
-gcc version:
-
-arch/mips/sgi-ip22/Platform:29: *** gcc doesn't support needed option -mr10k-cache-barrier=store. Stop.
-
-The problem apparently is that the -mr10k-cache-barrier=store option is now
-rejected for CPUs other than r10k. Explicitly including the CPU in the
-check fixes this and is safe because both options were introduced in
-gcc-4.4.
+From 28ec98bc2e4a175b60f45d505e715a33b93dd077 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sat, 18 Mar 2017 19:10:23 +0800
+Subject: [PATCH 073/251] Linux 4.4.55
+Status: RO
+Content-Length: 301
+Lines: 18
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Cc: linux-mips@linux-mips.org
-Cc: linux-kernel@vger.kernel.org
-Patchwork: https://patchwork.linux-mips.org/patch/15049/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- arch/mips/sgi-ip22/Platform | 2 +-
+ Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/arch/mips/sgi-ip22/Platform b/arch/mips/sgi-ip22/Platform
-index b7a4b7e04c38..e8f6b3a42a48 100644
---- a/arch/mips/sgi-ip22/Platform
-+++ b/arch/mips/sgi-ip22/Platform
-@@ -25,7 +25,7 @@ endif
- # Simplified: what IP22 does at 128MB+ in ksegN, IP28 does at 512MB+ in xkphys
- #
- ifdef CONFIG_SGI_IP28
-- ifeq ($(call cc-option-yn,-mr10k-cache-barrier=store), n)
-+ ifeq ($(call cc-option-yn,-march=r10000 -mr10k-cache-barrier=store), n)
- $(error gcc doesn't support needed option -mr10k-cache-barrier=store)
- endif
- endif
+diff --git a/Makefile b/Makefile
+index 7f54ac081cf3..d9cc21df444d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 54
++SUBLEVEL = 55
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
--
2.12.2
-From d2a8d746ae9530aeea0a3b4b129c970ffc90d926 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Wed, 11 Jan 2017 15:29:49 +0100
-Subject: [PATCH 045/251] MIPS: Update lemote2f_defconfig for CPU_FREQ_STAT
- change
-Content-Length: 1241
-Lines: 35
-
-commit b3f6046186ef45acfeebc5a59c9fb45cefc685e7 upstream.
-
-Since linux-4.8, CPU_FREQ_STAT is a bool symbol, causing a warning in
-kernelci.org:
-
-arch/mips/configs/lemote2f_defconfig:42:warning: symbol value 'm' invalid for CPU_FREQ_STAT
-
-This updates the defconfig to have the feature built-in.
+From 56f9b9502f2d15b9c7b83f9cfb32798e2e364f61 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 13 Mar 2017 17:38:17 +0100
+Subject: [PATCH 092/251] bridge: drop netfilter fake rtable unconditionally
+Status: RO
+Content-Length: 2943
+Lines: 81
-Fixes: 1aefc75b2449 ("cpufreq: stats: Make the stats code non-modular")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Cc: linux-mips@linux-mips.org
-Cc: linux-kernel@vger.kernel.org
-Patchwork: https://patchwork.linux-mips.org/patch/15000/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/configs/lemote2f_defconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+[ Upstream commit a13b2082ece95247779b9995c4e91b4246bed023 ]
-diff --git a/arch/mips/configs/lemote2f_defconfig b/arch/mips/configs/lemote2f_defconfig
-index 004cf52d1b7d..c24b87819ccb 100644
---- a/arch/mips/configs/lemote2f_defconfig
-+++ b/arch/mips/configs/lemote2f_defconfig
-@@ -39,7 +39,7 @@ CONFIG_HIBERNATION=y
- CONFIG_PM_STD_PARTITION="/dev/hda3"
- CONFIG_CPU_FREQ=y
- CONFIG_CPU_FREQ_DEBUG=y
--CONFIG_CPU_FREQ_STAT=m
-+CONFIG_CPU_FREQ_STAT=y
- CONFIG_CPU_FREQ_STAT_DETAILS=y
- CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
- CONFIG_CPU_FREQ_GOV_POWERSAVE=m
---
-2.12.2
+Andreas reports kernel oops during rmmod of the br_netfilter module.
+Hannes debugged the oops down to a NULL rt6info->rt6i_indev.
-From 4b91e7a2a9a78b161caebfa5fcf6372a40161699 Mon Sep 17 00:00:00 2001
-From: John Crispin <john@phrozen.org>
-Date: Tue, 20 Dec 2016 19:12:46 +0100
-Subject: [PATCH 047/251] MIPS: ralink: Cosmetic change to prom_init().
-Content-Length: 1412
-Lines: 49
+Problem is that br_netfilter has the nasty concept of adding a fake
+rtable to skb->dst; this happens in a br_netfilter prerouting hook.
-commit 9c48568b3692f1a56cbf1935e4eea835e6b185b1 upstream.
+A second hook (in bridge LOCAL_IN) is supposed to remove these again
+before the skb is handed up the stack.
-Over the years the code has been changed various times leading to
-argc/argv being defined in a different function to where we actually
-use the variables. Clean this up by moving them to prom_init_cmdline().
+However, on module unload hooks get unregistered which means an
+skb could traverse the prerouting hook that attaches the fake_rtable,
+while the 'fake rtable remove' hook gets removed from the hooklist
+immediately after.
-Signed-off-by: John Crispin <john@phrozen.org>
-Cc: linux-mips@linux-mips.org
-Patchwork: https://patchwork.linux-mips.org/patch/14902/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core")
+Reported-by: Andreas Karis <akaris@redhat.com>
+Debugged-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- arch/mips/ralink/prom.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
+ net/bridge/br_input.c | 1 +
+ net/bridge/br_netfilter_hooks.c | 21 ---------------------
+ 2 files changed, 1 insertion(+), 21 deletions(-)
-diff --git a/arch/mips/ralink/prom.c b/arch/mips/ralink/prom.c
-index 39a9142f71be..7ecb4af79b7b 100644
---- a/arch/mips/ralink/prom.c
-+++ b/arch/mips/ralink/prom.c
-@@ -30,8 +30,10 @@ const char *get_system_type(void)
- return soc_info.sys_type;
- }
-
--static __init void prom_init_cmdline(int argc, char **argv)
-+static __init void prom_init_cmdline(void)
- {
-+ int argc;
-+ char **argv;
- int i;
-
- pr_debug("prom: fw_arg0=%08x fw_arg1=%08x fw_arg2=%08x fw_arg3=%08x\n",
-@@ -60,14 +62,11 @@ static __init void prom_init_cmdline(int argc, char **argv)
-
- void __init prom_init(void)
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index f7fba74108a9..e24754a0e052 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook);
+ static int
+ br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
{
-- int argc;
-- char **argv;
--
- prom_soc_init(&soc_info);
-
- pr_info("SoC Type: %s\n", get_system_type());
-
-- prom_init_cmdline(argc, argv);
-+ prom_init_cmdline();
++ br_drop_fake_rtable(skb);
+ return netif_receive_skb(skb);
}
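Review bot: The new `br_drop_fake_rtable(skb);` call in br_netif_receive_skb() carries no comment, and the only in-code explanation of why a locally destined skb must lose its fake dst was the block comment above br_nf_local_in(), which this same patch deletes from br_netfilter_hooks.c. I would carry the rationale over to the call site, e.g. `/* br_netfilter's prerouting hook may have attached a fake rtable; drop it here rather than in a hook, which can be unregistered while skbs are in flight */`. The call now runs for every skb delivered through this path, whether or not br_netfilter is loaded, so it relies on br_drop_fake_rtable() doing nothing when no fake rtable is attached. Its definition is outside this excerpt, so that should be confirmed before relying on it.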
- void __init prom_free_prom_memory(void)
---
-2.12.2
-
-From 32883383f5e0c95436c2affaad675245727c0493 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Tue, 17 Jan 2017 16:18:43 +0100
-Subject: [PATCH 048/251] MIPS: ralink: Remove unused rt*_wdt_reset functions
-Content-Length: 2704
-Lines: 91
-
-commit 886f9c69fc68f56ddea34d3de51ac1fc2ac8dfbc upstream.
-
-All pointers to these functions were removed, so now they produce
-warnings:
-
-arch/mips/ralink/rt305x.c:92:13: error: 'rt305x_wdt_reset' defined but not used [-Werror=unused-function]
-
-This removes the functions. If we need them again, the patch can be
-reverted later.
-
-Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Cc: John Crispin <john@phrozen.org>
-Cc: Colin Ian King <colin.king@canonical.com>
-Cc: linux-mips@linux-mips.org
-Cc: linux-kernel@vger.kernel.org
-Patchwork: https://patchwork.linux-mips.org/patch/15044/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/ralink/rt288x.c | 10 ----------
- arch/mips/ralink/rt305x.c | 11 -----------
- arch/mips/ralink/rt3883.c | 10 ----------
- 3 files changed, 31 deletions(-)
-
-diff --git a/arch/mips/ralink/rt288x.c b/arch/mips/ralink/rt288x.c
-index 844f5cd55c8f..15506a1ff22a 100644
---- a/arch/mips/ralink/rt288x.c
-+++ b/arch/mips/ralink/rt288x.c
-@@ -40,16 +40,6 @@ static struct rt2880_pmx_group rt2880_pinmux_data_act[] = {
- { 0 }
- };
-
--static void rt288x_wdt_reset(void)
--{
-- u32 t;
--
-- /* enable WDT reset output on pin SRAM_CS_N */
-- t = rt_sysc_r32(SYSC_REG_CLKCFG);
-- t |= CLKCFG_SRAM_CS_N_WDT;
-- rt_sysc_w32(t, SYSC_REG_CLKCFG);
--}
--
- void __init ralink_clk_init(void)
- {
- unsigned long cpu_rate, wmac_rate = 40000000;
-diff --git a/arch/mips/ralink/rt305x.c b/arch/mips/ralink/rt305x.c
-index 9e4572592065..15b32cd01906 100644
---- a/arch/mips/ralink/rt305x.c
-+++ b/arch/mips/ralink/rt305x.c
-@@ -89,17 +89,6 @@ static struct rt2880_pmx_group rt5350_pinmux_data[] = {
- { 0 }
- };
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 7ddbe7ec81d6..97fc19f001bf 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv,
+ }
--static void rt305x_wdt_reset(void)
--{
-- u32 t;
--
-- /* enable WDT reset output on pin SRAM_CS_N */
-- t = rt_sysc_r32(SYSC_REG_SYSTEM_CONFIG);
-- t |= RT305X_SYSCFG_SRAM_CS0_MODE_WDT <<
-- RT305X_SYSCFG_SRAM_CS0_MODE_SHIFT;
-- rt_sysc_w32(t, SYSC_REG_SYSTEM_CONFIG);
--}
--
- static unsigned long rt5350_get_mem_size(void)
- {
- void __iomem *sysc = (void __iomem *) KSEG1ADDR(RT305X_SYSC_BASE);
-diff --git a/arch/mips/ralink/rt3883.c b/arch/mips/ralink/rt3883.c
-index 582995aaaf4e..f42834c7f007 100644
---- a/arch/mips/ralink/rt3883.c
-+++ b/arch/mips/ralink/rt3883.c
-@@ -63,16 +63,6 @@ static struct rt2880_pmx_group rt3883_pinmux_data[] = {
- { 0 }
- };
--static void rt3883_wdt_reset(void)
+-/* PF_BRIDGE/LOCAL_IN ************************************************/
+-/* The packet is locally destined, which requires a real
+- * dst_entry, so detach the fake one. On the way up, the
+- * packet would pass through PRE_ROUTING again (which already
+- * took place when the packet entered the bridge), but we
+- * register an IPv4 PRE_ROUTING 'sabotage' hook that will
+- * prevent this from happening. */
+-static unsigned int br_nf_local_in(void *priv,
+- struct sk_buff *skb,
+- const struct nf_hook_state *state)
-{
-- u32 t;
--
-- /* enable WDT reset output on GPIO 2 */
-- t = rt_sysc_r32(RT3883_SYSC_REG_SYSCFG1);
-- t |= RT3883_SYSCFG1_GPIO2_AS_WDT_OUT;
-- rt_sysc_w32(t, RT3883_SYSC_REG_SYSCFG1);
+- br_drop_fake_rtable(skb);
+- return NF_ACCEPT;
-}
-
- void __init ralink_clk_init(void)
+ /* PF_BRIDGE/FORWARD *************************************************/
+ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- unsigned long cpu_rate, sys_rate;
---
-2.12.2
-
-From 2e4aff2405af6a4573299dee361a44903c9bb717 Mon Sep 17 00:00:00 2001
-From: Ralf Baechle <ralf@linux-mips.org>
-Date: Tue, 20 Sep 2016 14:33:01 +0200
-Subject: [PATCH 051/251] MIPS: DEC: Avoid la pseudo-instruction in delay slots
-Content-Length: 2448
-Lines: 81
-
-commit 3021773c7c3e75e20b693931a19362681e744ea9 upstream.
-
-When expanding the la or dla pseudo-instruction in a delay slot the GNU
-assembler will complain should the pseudo-instruction expand to multiple
-actual instructions, since only the first of them will be in the delay
-slot leading to the pseudo-instruction being only partially executed if
-the branch is taken. Use of PTR_LA in the dec int-handler.S leads to
-such warnings:
-
- arch/mips/dec/int-handler.S: Assembler messages:
- arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot
- arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot
-
-Avoid this by open coding the PTR_LA macros.
-
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 38 insertions(+), 2 deletions(-)
-
-diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S
-index 8c6f508e59de..554d1da97743 100644
---- a/arch/mips/dec/int-handler.S
-+++ b/arch/mips/dec/int-handler.S
-@@ -146,7 +146,25 @@
- /*
- * Find irq with highest priority
- */
-- PTR_LA t1,cpu_mask_nr_tbl
-+ # open coded PTR_LA t1, cpu_mask_nr_tbl
-+#if (_MIPS_SZPTR == 32)
-+ # open coded la t1, cpu_mask_nr_tbl
-+ lui t1, %hi(cpu_mask_nr_tbl)
-+ addiu t1, %lo(cpu_mask_nr_tbl)
-+
-+#endif
-+#if (_MIPS_SZPTR == 64)
-+ # open coded dla t1, cpu_mask_nr_tbl
-+ .set push
-+ .set noat
-+ lui t1, %highest(cpu_mask_nr_tbl)
-+ lui AT, %hi(cpu_mask_nr_tbl)
-+ daddiu t1, t1, %higher(cpu_mask_nr_tbl)
-+ daddiu AT, AT, %lo(cpu_mask_nr_tbl)
-+ dsll t1, 32
-+ daddu t1, t1, AT
-+ .set pop
-+#endif
- 1: lw t2,(t1)
- nop
- and t2,t0
-@@ -195,7 +213,25 @@
- /*
- * Find irq with highest priority
- */
-- PTR_LA t1,asic_mask_nr_tbl
-+ # open coded PTR_LA t1,asic_mask_nr_tbl
-+#if (_MIPS_SZPTR == 32)
-+ # open coded la t1, asic_mask_nr_tbl
-+ lui t1, %hi(asic_mask_nr_tbl)
-+ addiu t1, %lo(asic_mask_nr_tbl)
-+
-+#endif
-+#if (_MIPS_SZPTR == 64)
-+ # open coded dla t1, asic_mask_nr_tbl
-+ .set push
-+ .set noat
-+ lui t1, %highest(asic_mask_nr_tbl)
-+ lui AT, %hi(asic_mask_nr_tbl)
-+ daddiu t1, t1, %higher(asic_mask_nr_tbl)
-+ daddiu AT, AT, %lo(asic_mask_nr_tbl)
-+ dsll t1, 32
-+ daddu t1, t1, AT
-+ .set pop
-+#endif
- 2: lw t2,(t1)
- nop
- and t2,t0
---
-2.12.2
-
-From 127651058594cafc624cf63bd266a42a62dfefcf Mon Sep 17 00:00:00 2001
-From: James Hogan <james.hogan@imgtec.com>
-Date: Thu, 28 Apr 2016 17:06:16 +0100
-Subject: [PATCH 052/251] MIPS: Netlogic: Fix CP0_EBASE redefinition warnings
-Content-Length: 3506
-Lines: 106
-
-commit 32eb6e8bee147b45e5e59230630d59541ccbb6e5 upstream.
-
-A couple of netlogic assembly files define CP0_EBASE to $15, the same as
-CP0_PRID in mipsregs.h, and use it for accessing both CP0_PRId and
-CP0_EBase registers. However commit 609cf6f2291a ("MIPS: CPS: Early
-debug using an ns16550-compatible UART") added a different definition of
-CP0_EBASE to mipsregs.h, which included a register select of 1. This
-causes harmless build warnings like the following:
-
- arch/mips/netlogic/common/reset.S:53:0: warning: "CP0_EBASE" redefined
- #define CP0_EBASE $15
- ^
- In file included from arch/mips/netlogic/common/reset.S:41:0:
- ./arch/mips/include/asm/mipsregs.h:63:0: note: this is the location of the previous definition
- #define CP0_EBASE $15, 1
- ^
-
-Update the code to use the definitions from mipsregs.h for accessing
-both registers.
-
-Fixes: 609cf6f2291a ("MIPS: CPS: Early debug using an ns16550-compatible UART")
-Signed-off-by: James Hogan <james.hogan@imgtec.com>
-Acked-by: Jayachandran C <jchandra@broadcom.com>
-Cc: linux-mips@linux-mips.org
-Patchwork: https://patchwork.linux-mips.org/patch/13183/
-Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/netlogic/common/reset.S | 11 +++++------
- arch/mips/netlogic/common/smpboot.S | 4 +---
- 2 files changed, 6 insertions(+), 9 deletions(-)
-
-diff --git a/arch/mips/netlogic/common/reset.S b/arch/mips/netlogic/common/reset.S
-index edbab9b8691f..c474981a6c0d 100644
---- a/arch/mips/netlogic/common/reset.S
-+++ b/arch/mips/netlogic/common/reset.S
-@@ -50,7 +50,6 @@
- #include <asm/netlogic/xlp-hal/sys.h>
- #include <asm/netlogic/xlp-hal/cpucontrol.h>
-
--#define CP0_EBASE $15
- #define SYS_CPU_COHERENT_BASE CKSEG1ADDR(XLP_DEFAULT_IO_BASE) + \
- XLP_IO_SYS_OFFSET(0) + XLP_IO_PCI_HDRSZ + \
- SYS_CPU_NONCOHERENT_MODE * 4
-@@ -92,7 +91,7 @@
- * registers. On XLPII CPUs, usual cache instructions work.
- */
- .macro xlp_flush_l1_dcache
-- mfc0 t0, CP0_EBASE, 0
-+ mfc0 t0, CP0_PRID
- andi t0, t0, PRID_IMP_MASK
- slt t1, t0, 0x1200
- beqz t1, 15f
-@@ -171,7 +170,7 @@ FEXPORT(nlm_reset_entry)
- nop
-
- 1: /* Entry point on core wakeup */
-- mfc0 t0, CP0_EBASE, 0 /* processor ID */
-+ mfc0 t0, CP0_PRID /* processor ID */
- andi t0, PRID_IMP_MASK
- li t1, 0x1500 /* XLP 9xx */
- beq t0, t1, 2f /* does not need to set coherent */
-@@ -182,8 +181,8 @@ FEXPORT(nlm_reset_entry)
- nop
-
- /* set bit in SYS coherent register for the core */
-- mfc0 t0, CP0_EBASE, 1
-- mfc0 t1, CP0_EBASE, 1
-+ mfc0 t0, CP0_EBASE
-+ mfc0 t1, CP0_EBASE
- srl t1, 5
- andi t1, 0x3 /* t1 <- node */
- li t2, 0x40000
-@@ -232,7 +231,7 @@ EXPORT(nlm_boot_siblings)
-
- * NOTE: All GPR contents are lost after the mtcr above!
- */
-- mfc0 v0, CP0_EBASE, 1
-+ mfc0 v0, CP0_EBASE
- andi v0, 0x3ff /* v0 <- node/core */
-
- /*
-diff --git a/arch/mips/netlogic/common/smpboot.S b/arch/mips/netlogic/common/smpboot.S
-index 805355b0bd05..f0cc4c9de2bb 100644
---- a/arch/mips/netlogic/common/smpboot.S
-+++ b/arch/mips/netlogic/common/smpboot.S
-@@ -48,8 +48,6 @@
- #include <asm/netlogic/xlp-hal/sys.h>
- #include <asm/netlogic/xlp-hal/cpucontrol.h>
-
--#define CP0_EBASE $15
--
- .set noreorder
- .set noat
- .set arch=xlr /* for mfcr/mtcr, XLR is sufficient */
-@@ -86,7 +84,7 @@ NESTED(nlm_boot_secondary_cpus, 16, sp)
- PTR_L gp, 0(t1)
-
- /* a0 has the processor id */
-- mfc0 a0, CP0_EBASE, 1
-+ mfc0 a0, CP0_EBASE
- andi a0, 0x3ff /* a0 <- node/core */
- PTR_LA t0, nlm_early_init_secondary
- jalr t0
---
-2.12.2
-
-From 2ca39d1300152e70977797c3e39c105adfcc0e0b Mon Sep 17 00:00:00 2001
-From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
-Date: Tue, 14 Feb 2017 14:46:42 +0530
-Subject: [PATCH 054/251] powerpc: Emulation support for load/store
- instructions on LE
-Status: RO
-Content-Length: 3197
-Lines: 106
-
-commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream.
-
-emulate_step() uses a number of underlying kernel functions that were
-initially not enabled for LE. This has been rectified since. So, fix
-emulate_step() for LE for the corresponding instructions.
-
-Reported-by: Anton Blanchard <anton@samba.org>
-Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/lib/sstep.c | 20 --------------------
- 1 file changed, 20 deletions(-)
-
-diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
-index dc885b30f7a6..4014881e9843 100644
---- a/arch/powerpc/lib/sstep.c
-+++ b/arch/powerpc/lib/sstep.c
-@@ -1806,8 +1806,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
- goto instr_done;
-
- case LARX:
-- if (regs->msr & MSR_LE)
-- return 0;
- if (op.ea & (size - 1))
- break; /* can't handle misaligned */
- err = -EFAULT;
-@@ -1829,8 +1827,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
- goto ldst_done;
-
- case STCX:
-- if (regs->msr & MSR_LE)
-- return 0;
- if (op.ea & (size - 1))
- break; /* can't handle misaligned */
- err = -EFAULT;
-@@ -1854,8 +1850,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
- goto ldst_done;
-
- case LOAD:
-- if (regs->msr & MSR_LE)
-- return 0;
- err = read_mem(®s->gpr[op.reg], op.ea, size, regs);
- if (!err) {
- if (op.type & SIGNEXT)
-@@ -1867,8 +1861,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
-
- #ifdef CONFIG_PPC_FPU
- case LOAD_FP:
-- if (regs->msr & MSR_LE)
-- return 0;
- if (size == 4)
- err = do_fp_load(op.reg, do_lfs, op.ea, size, regs);
- else
-@@ -1877,15 +1869,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
- #endif
- #ifdef CONFIG_ALTIVEC
- case LOAD_VMX:
-- if (regs->msr & MSR_LE)
-- return 0;
- err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs);
- goto ldst_done;
- #endif
- #ifdef CONFIG_VSX
- case LOAD_VSX:
-- if (regs->msr & MSR_LE)
-- return 0;
- err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs);
- goto ldst_done;
- #endif
-@@ -1908,8 +1896,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
- goto instr_done;
-
- case STORE:
-- if (regs->msr & MSR_LE)
-- return 0;
- if ((op.type & UPDATE) && size == sizeof(long) &&
- op.reg == 1 && op.update_reg == 1 &&
- !(regs->msr & MSR_PR) &&
-@@ -1922,8 +1908,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
-
- #ifdef CONFIG_PPC_FPU
- case STORE_FP:
-- if (regs->msr & MSR_LE)
-- return 0;
- if (size == 4)
- err = do_fp_store(op.reg, do_stfs, op.ea, size, regs);
- else
-@@ -1932,15 +1916,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr)
- #endif
- #ifdef CONFIG_ALTIVEC
- case STORE_VMX:
-- if (regs->msr & MSR_LE)
-- return 0;
- err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs);
- goto ldst_done;
- #endif
- #ifdef CONFIG_VSX
- case STORE_VSX:
-- if (regs->msr & MSR_LE)
-- return 0;
- err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs);
- goto ldst_done;
- #endif
---
-2.12.2
-
-From b0e85701a7766341618d5e924f29f359431f9c91 Mon Sep 17 00:00:00 2001
-From: Janosch Frank <frankja@linux.vnet.ibm.com>
-Date: Thu, 2 Mar 2017 15:23:42 +0100
-Subject: [PATCH 068/251] KVM: s390: Fix guest migration for huge guests
- resulting in panic
-Status: RO
-Content-Length: 1904
-Lines: 58
-
-commit 2e4d88009f57057df7672fa69a32b5224af54d37 upstream.
-
-While we can technically not run huge page guests right now, we can
-setup a guest with huge pages. Trying to migrate it will trigger a
-VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it
-will happily try to work on non-existing page table entries.
-
-With this patch, we always return "dirty" if we encounter a large page
-when migrating. This at least fixes the immediate problem until we
-have proper handling for both kind of pages.
-
-Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
-Cc: <stable@vger.kernel.org> # 3.16+
-
-Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
-Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/mm/pgtable.c | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
-index 8345ae1f117d..05ae254f84cf 100644
---- a/arch/s390/mm/pgtable.c
-+++ b/arch/s390/mm/pgtable.c
-@@ -1237,11 +1237,28 @@ EXPORT_SYMBOL_GPL(s390_reset_cmma);
- */
- bool gmap_test_and_clear_dirty(unsigned long address, struct gmap *gmap)
- {
-+ pgd_t *pgd;
-+ pud_t *pud;
-+ pmd_t *pmd;
- pte_t *pte;
- spinlock_t *ptl;
- bool dirty = false;
-
-- pte = get_locked_pte(gmap->mm, address, &ptl);
-+ pgd = pgd_offset(gmap->mm, address);
-+ pud = pud_alloc(gmap->mm, pgd, address);
-+ if (!pud)
-+ return false;
-+ pmd = pmd_alloc(gmap->mm, pud, address);
-+ if (!pmd)
-+ return false;
-+ /* We can't run guests backed by huge pages, but userspace can
-+ * still set them up and then try to migrate them without any
-+ * migration support.
-+ */
-+ if (pmd_large(*pmd))
-+ return true;
-+
-+ pte = pte_alloc_map_lock(gmap->mm, pmd, address, &ptl);
- if (unlikely(!pte))
- return false;
-
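Review bot: The early `return true` for `pmd_large(*pmd)` changes the function's contract and the header comment should say so. For an address backed by a large page it now reports dirty on every call and clears nothing, and that comment is only visible here as its closing `*/`. A sentence like `Always returns true for addresses mapped by a large page, as the dirty state cannot be tracked there` would keep callers from assuming test-and-clear semantics. The `pmd_large()` read also happens before any page-table lock is taken in the visible lines, so it is worth confirming that the caller's locking makes this safe against a concurrent change of the pmd. The rest of the function body is outside the hunk.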
---
-2.12.2
-
-From 28ec98bc2e4a175b60f45d505e715a33b93dd077 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Sat, 18 Mar 2017 19:10:23 +0800
-Subject: [PATCH 073/251] Linux 4.4.55
-Content-Length: 301
-Lines: 18
-
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 7f54ac081cf3..d9cc21df444d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 4
--SUBLEVEL = 54
-+SUBLEVEL = 55
- EXTRAVERSION =
- NAME = Blurry Fish Butt
-
---
-2.12.2
-
-From 2681a7853ad73bfebc3a683765a496bb283c6648 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 3 Mar 2017 14:08:21 -0800
-Subject: [PATCH 082/251] tcp: fix various issues for sockets morphing to
- listen state
-Content-Length: 2289
-Lines: 72
-
-[ Upstream commit 02b2faaf0af1d85585f6d6980e286d53612acfc2 ]
-
-Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting
-tcp_disconnect() path that was never really considered and/or used
-before syzkaller ;)
-
-I was not able to reproduce the bug, but it seems issues here are the
-three possible actions that assumed they would never trigger on a
-listener.
-
-1) tcp_write_timer_handler
-2) tcp_delack_timer_handler
-3) MTU reduction
-
-Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN
- states from tcp_v6_mtu_reduced()
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/tcp_ipv4.c | 7 +++++--
- net/ipv4/tcp_timer.c | 6 ++++--
- 2 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index b58a38eea059..f66d4b5d47f9 100644
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -271,10 +271,13 @@ EXPORT_SYMBOL(tcp_v4_connect);
- */
- void tcp_v4_mtu_reduced(struct sock *sk)
- {
-- struct dst_entry *dst;
- struct inet_sock *inet = inet_sk(sk);
-- u32 mtu = tcp_sk(sk)->mtu_info;
-+ struct dst_entry *dst;
-+ u32 mtu;
-
-+ if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
-+ return;
-+ mtu = tcp_sk(sk)->mtu_info;
- dst = inet_csk_update_pmtu(sk, mtu);
- if (!dst)
- return;
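Review bot: The guard `if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))` is added here without a comment, and it is not obvious why an MTU handler would ever see a listener. The same applies to the two guards in tcp_delack_timer_handler() and tcp_write_timer_handler() in tcp_timer.c. Per the commit message, the case is a socket that went through tcp_disconnect() and then moved to the listen state while these deferred actions were still pending. A short comment at each site, for example `/* socket may have been disconnected and turned into a listener since this was scheduled */`, would stop the check from being simplified back to `sk->sk_state == TCP_CLOSE` later. The remainder of tcp_v4_mtu_reduced() is outside the hunk.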
-diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
-index 193ba1fa8a9a..ebb34d0c5e80 100644
---- a/net/ipv4/tcp_timer.c
-+++ b/net/ipv4/tcp_timer.c
-@@ -223,7 +223,8 @@ void tcp_delack_timer_handler(struct sock *sk)
-
- sk_mem_reclaim_partial(sk);
-
-- if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
-+ if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
-+ !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
- goto out;
-
- if (time_after(icsk->icsk_ack.timeout, jiffies)) {
-@@ -504,7 +505,8 @@ void tcp_write_timer_handler(struct sock *sk)
- struct inet_connection_sock *icsk = inet_csk(sk);
- int event;
-
-- if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending)
-+ if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
-+ !icsk->icsk_pending)
- goto out;
-
- if (time_after(icsk->icsk_timeout, jiffies)) {
---
-2.12.2
-
-From 9e7683301beef0cef8254eecb661e7eac3146717 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 3 Mar 2017 21:01:02 -0800
-Subject: [PATCH 083/251] net: fix socket refcounting in
- skb_complete_wifi_ack()
-Content-Length: 1864
-Lines: 58
-
-[ Upstream commit dd4f10722aeb10f4f582948839f066bebe44e5fb ]
-
-TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt
-By the time TX completion happens, sk_refcnt might be already 0.
-
-sock_hold()/sock_put() would then corrupt critical state, like
-sk_wmem_alloc.
-
-Fixes: bf7fa551e0ce ("mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Alexander Duyck <alexander.h.duyck@intel.com>
-Cc: Johannes Berg <johannes@sipsolutions.net>
-Cc: Soheil Hassas Yeganeh <soheil@google.com>
-Cc: Willem de Bruijn <willemb@google.com>
-Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/core/skbuff.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index 4968b5ddea69..370f4f86e2b5 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3735,7 +3735,7 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
- {
- struct sock *sk = skb->sk;
- struct sock_exterr_skb *serr;
-- int err;
-+ int err = 1;
-
- skb->wifi_acked_valid = 1;
- skb->wifi_acked = acked;
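Review bot: The initialiser `int err = 1;` carries meaning that the declaration does not show. In the following hunk it is what sends the skb to `kfree_skb()` when `atomic_inc_not_zero(&sk->sk_refcnt)` fails and `sock_queue_err_skb()` is never called. A trailing comment such as `int err = 1; /* free the skb unless it gets queued */` would make that dependency visible, so that a later tidy-up does not reset it to 0 and leak the buffer.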
-@@ -3745,14 +3745,15 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked)
- serr->ee.ee_errno = ENOMSG;
- serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS;
-
-- /* take a reference to prevent skb_orphan() from freeing the socket */
-- sock_hold(sk);
--
-- err = sock_queue_err_skb(sk, skb);
-+ /* Take a reference to prevent skb_orphan() from freeing the socket,
-+ * but only if the socket refcount is not zero.
-+ */
-+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
-+ err = sock_queue_err_skb(sk, skb);
-+ sock_put(sk);
-+ }
- if (err)
- kfree_skb(skb);
--
-- sock_put(sk);
- }
- EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
-
---
-2.12.2
-
-From ec4d8692b76e08a40221eb7c74775a390114f098 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 3 Mar 2017 21:01:03 -0800
-Subject: [PATCH 084/251] net: fix socket refcounting in
- skb_complete_tx_timestamp()
-Content-Length: 1731
-Lines: 49
-
-[ Upstream commit 9ac25fc063751379cb77434fef9f3b088cd3e2f7 ]
-
-TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt
-By the time TX completion happens, sk_refcnt might be already 0.
-
-sock_hold()/sock_put() would then corrupt critical state, like
-sk_wmem_alloc and lead to leaks or use after free.
-
-Fixes: 62bccb8cdb69 ("net-timestamp: Make the clone operation stand-alone from phy timestamping")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Alexander Duyck <alexander.h.duyck@intel.com>
-Cc: Johannes Berg <johannes@sipsolutions.net>
-Cc: Soheil Hassas Yeganeh <soheil@google.com>
-Cc: Willem de Bruijn <willemb@google.com>
-Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/core/skbuff.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index 370f4f86e2b5..73dfd7729bc9 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3678,13 +3678,14 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
- if (!skb_may_tx_timestamp(sk, false))
- return;
-
-- /* take a reference to prevent skb_orphan() from freeing the socket */
-- sock_hold(sk);
--
-- *skb_hwtstamps(skb) = *hwtstamps;
-- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
--
-- sock_put(sk);
-+ /* Take a reference to prevent skb_orphan() from freeing the socket,
-+ * but only if the socket refcount is not zero.
-+ */
-+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
-+ *skb_hwtstamps(skb) = *hwtstamps;
-+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
-+ sock_put(sk);
-+ }
- }
- EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
-
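Review bot: When `atomic_inc_not_zero(&sk->sk_refcnt)` fails, the new code leaves the function without freeing or queueing `skb`. skb_complete_wifi_ack() in the previous patch of this series handles the same situation by calling `kfree_skb(skb)` through its `err = 1` default. If this function owns the skb, as the sibling suggests, the zero-refcount path leaks it. Adding `else kfree_skb(skb);` after the `if` block would close that gap. The early `return` after `skb_may_tx_timestamp()` looks like the same leak but predates this change, and the start of the function is outside the hunk.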
---
-2.12.2
-
-From d0ebde92fbeb98eedbfce15cef3c86b652846d25 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 5 Mar 2017 10:52:16 -0800
-Subject: [PATCH 085/251] dccp: fix use-after-free in dccp_feat_activate_values
-Content-Length: 9868
-Lines: 235
-
-[ Upstream commit 62f8f4d9066c1c6f2474845d1ca7e2891f2ae3fd ]
-
-Dmitry reported crashes in DCCP stack [1]
-
-Problem here is that when I got rid of listener spinlock, I missed the
-fact that DCCP stores a complex state in struct dccp_request_sock,
-while TCP does not.
-
-Since multiple cpus could access it at the same time, we need to add
-protection.
-
-[1]
-BUG: KASAN: use-after-free in dccp_feat_activate_values+0x967/0xab0
-net/dccp/feat.c:1541 at addr ffff88003713be68
-Read of size 8 by task syz-executor2/8457
-CPU: 2 PID: 8457 Comm: syz-executor2 Not tainted 4.10.0-rc7+ #127
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
-Call Trace:
- <IRQ>
- __dump_stack lib/dump_stack.c:15 [inline]
- dump_stack+0x292/0x398 lib/dump_stack.c:51
- kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
- print_address_description mm/kasan/report.c:200 [inline]
- kasan_report_error mm/kasan/report.c:289 [inline]
- kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
- kasan_report mm/kasan/report.c:332 [inline]
- __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
- dccp_feat_activate_values+0x967/0xab0 net/dccp/feat.c:1541
- dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
- dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
- dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
- dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
- ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
- NF_HOOK include/linux/netfilter.h:257 [inline]
- ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
- dst_input include/net/dst.h:507 [inline]
- ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
- NF_HOOK include/linux/netfilter.h:257 [inline]
- ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
- __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
- __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
- process_backlog+0xe5/0x6c0 net/core/dev.c:4839
- napi_poll net/core/dev.c:5202 [inline]
- net_rx_action+0xe70/0x1900 net/core/dev.c:5267
- __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
- do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
- </IRQ>
- do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
- do_softirq kernel/softirq.c:176 [inline]
- __local_bh_enable_ip+0x1f2/0x200 kernel/softirq.c:181
- local_bh_enable include/linux/bottom_half.h:31 [inline]
- rcu_read_unlock_bh include/linux/rcupdate.h:971 [inline]
- ip6_finish_output2+0xbb0/0x23d0 net/ipv6/ip6_output.c:123
- ip6_finish_output+0x302/0x960 net/ipv6/ip6_output.c:148
- NF_HOOK_COND include/linux/netfilter.h:246 [inline]
- ip6_output+0x1cb/0x8d0 net/ipv6/ip6_output.c:162
- ip6_xmit+0xcdf/0x20d0 include/net/dst.h:501
- inet6_csk_xmit+0x320/0x5f0 net/ipv6/inet6_connection_sock.c:179
- dccp_transmit_skb+0xb09/0x1120 net/dccp/output.c:141
- dccp_xmit_packet+0x215/0x760 net/dccp/output.c:280
- dccp_write_xmit+0x168/0x1d0 net/dccp/output.c:362
- dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796
- inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
- sock_sendmsg_nosec net/socket.c:635 [inline]
- sock_sendmsg+0xca/0x110 net/socket.c:645
- SYSC_sendto+0x660/0x810 net/socket.c:1687
- SyS_sendto+0x40/0x50 net/socket.c:1655
- entry_SYSCALL_64_fastpath+0x1f/0xc2
-RIP: 0033:0x4458b9
-RSP: 002b:00007f8ceb77bb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00000000004458b9
-RDX: 0000000000000023 RSI: 0000000020e60000 RDI: 0000000000000017
-RBP: 00000000006e1b90 R08: 00000000200f9fe1 R09: 0000000000000020
-R10: 0000000000008010 R11: 0000000000000282 R12: 00000000007080a8
-R13: 0000000000000000 R14: 00007f8ceb77c9c0 R15: 00007f8ceb77c700
-Object at ffff88003713be50, in cache kmalloc-64 size: 64
-Allocated:
-PID = 8446
- save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
- save_stack+0x43/0xd0 mm/kasan/kasan.c:502
- set_track mm/kasan/kasan.c:514 [inline]
- kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
- kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2738
- kmalloc include/linux/slab.h:490 [inline]
- dccp_feat_entry_new+0x214/0x410 net/dccp/feat.c:467
- dccp_feat_push_change+0x38/0x220 net/dccp/feat.c:487
- __feat_register_sp+0x223/0x2f0 net/dccp/feat.c:741
- dccp_feat_propagate_ccid+0x22b/0x2b0 net/dccp/feat.c:949
- dccp_feat_server_ccid_dependencies+0x1b3/0x250 net/dccp/feat.c:1012
- dccp_make_response+0x1f1/0xc90 net/dccp/output.c:423
- dccp_v6_send_response+0x4ec/0xc20 net/dccp/ipv6.c:217
- dccp_v6_conn_request+0xaba/0x11b0 net/dccp/ipv6.c:377
- dccp_rcv_state_process+0x51e/0x1650 net/dccp/input.c:606
- dccp_v6_do_rcv+0x213/0x350 net/dccp/ipv6.c:632
- sk_backlog_rcv include/net/sock.h:893 [inline]
- __sk_receive_skb+0x36f/0xcc0 net/core/sock.c:479
- dccp_v6_rcv+0xba5/0x1d00 net/dccp/ipv6.c:742
- ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
- NF_HOOK include/linux/netfilter.h:257 [inline]
- ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
- dst_input include/net/dst.h:507 [inline]
- ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
- NF_HOOK include/linux/netfilter.h:257 [inline]
- ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
- __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
- __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
- process_backlog+0xe5/0x6c0 net/core/dev.c:4839
- napi_poll net/core/dev.c:5202 [inline]
- net_rx_action+0xe70/0x1900 net/core/dev.c:5267
- __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
-Freed:
-PID = 15
- save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
- save_stack+0x43/0xd0 mm/kasan/kasan.c:502
- set_track mm/kasan/kasan.c:514 [inline]
- kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
- slab_free_hook mm/slub.c:1355 [inline]
- slab_free_freelist_hook mm/slub.c:1377 [inline]
- slab_free mm/slub.c:2954 [inline]
- kfree+0xe8/0x2b0 mm/slub.c:3874
- dccp_feat_entry_destructor.part.4+0x48/0x60 net/dccp/feat.c:418
- dccp_feat_entry_destructor net/dccp/feat.c:416 [inline]
- dccp_feat_list_pop net/dccp/feat.c:541 [inline]
- dccp_feat_activate_values+0x57f/0xab0 net/dccp/feat.c:1543
- dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121
- dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457
- dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186
- dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711
- ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279
- NF_HOOK include/linux/netfilter.h:257 [inline]
- ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
- dst_input include/net/dst.h:507 [inline]
- ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
- NF_HOOK include/linux/netfilter.h:257 [inline]
- ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203
- __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190
- __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228
- process_backlog+0xe5/0x6c0 net/core/dev.c:4839
- napi_poll net/core/dev.c:5202 [inline]
- net_rx_action+0xe70/0x1900 net/core/dev.c:5267
- __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
-Memory state around the buggy address:
- ffff88003713bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff88003713bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
->ffff88003713be00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
- ^
-
-Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Tested-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/dccp.h | 1 +
- net/dccp/minisocks.c | 24 ++++++++++++++++--------
- 2 files changed, 17 insertions(+), 8 deletions(-)
-
-diff --git a/include/linux/dccp.h b/include/linux/dccp.h
-index 61d042bbbf60..68449293c4b6 100644
---- a/include/linux/dccp.h
-+++ b/include/linux/dccp.h
-@@ -163,6 +163,7 @@ struct dccp_request_sock {
- __u64 dreq_isr;
- __u64 dreq_gsr;
- __be32 dreq_service;
-+ spinlock_t dreq_lock;
- struct list_head dreq_featneg;
- __u32 dreq_timestamp_echo;
- __u32 dreq_timestamp_time;
-diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
-index e314caa39176..68eed344b471 100644
---- a/net/dccp/minisocks.c
-+++ b/net/dccp/minisocks.c
-@@ -146,6 +146,13 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
- struct dccp_request_sock *dreq = dccp_rsk(req);
- bool own_req;
-
-+ /* TCP/DCCP listeners became lockless.
-+ * DCCP stores complex state in its request_sock, so we need
-+ * a protection for them, now this code runs without being protected
-+ * by the parent (listener) lock.
-+ */
-+ spin_lock_bh(&dreq->dreq_lock);
-+
- /* Check for retransmitted REQUEST */
- if (dccp_hdr(skb)->dccph_type == DCCP_PKT_REQUEST) {
-
-@@ -160,7 +167,7 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
- inet_rtx_syn_ack(sk, req);
- }
- /* Network Duplicate, discard packet */
-- return NULL;
-+ goto out;
- }
-
- DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_PACKET_ERROR;
-@@ -186,20 +193,20 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb,
-
- child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
- req, &own_req);
-- if (!child)
-- goto listen_overflow;
--
-- return inet_csk_complete_hashdance(sk, child, req, own_req);
-+ if (child) {
-+ child = inet_csk_complete_hashdance(sk, child, req, own_req);
-+ goto out;
-+ }
-
--listen_overflow:
-- dccp_pr_debug("listen_overflow!\n");
- DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_TOO_BUSY;
- drop:
- if (dccp_hdr(skb)->dccph_type != DCCP_PKT_RESET)
- req->rsk_ops->send_reset(sk, skb);
-
- inet_csk_reqsk_queue_drop(sk, req);
-- return NULL;
-+out:
-+ spin_unlock_bh(&dreq->dreq_lock);
-+ return child;
- }
-
- EXPORT_SYMBOL_GPL(dccp_check_req);
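Review bot: Every exit now funnels through `out:` and ends in `return child;`, so the result depends on `child` being NULL on paths that never assign it. Those paths are the retransmitted-REQUEST `goto out` in the earlier hunk and any `goto drop` taken before the `syn_recv_sock()` call. The declaration of `child` is above the visible hunks, so please confirm that it reads `struct sock *child = NULL;`, since otherwise those paths return an indeterminate pointer to the caller. It is also worth a line in the new comment that `dreq_lock` is held across `inet_rtx_syn_ack()`, `syn_recv_sock()` and `send_reset()`, so that nothing which can sleep or retake the lock is added inside them later.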
-@@ -250,6 +257,7 @@ int dccp_reqsk_init(struct request_sock *req,
- {
- struct dccp_request_sock *dreq = dccp_rsk(req);
-
-+ spin_lock_init(&dreq->dreq_lock);
- inet_rsk(req)->ir_rmt_port = dccp_hdr(skb)->dccph_sport;
- inet_rsk(req)->ir_num = ntohs(dccp_hdr(skb)->dccph_dport);
- inet_rsk(req)->acked = 0;
---
-2.12.2
-
-From e671f1cc588f380b17e1c0ce38c7c712d13dfe93 Mon Sep 17 00:00:00 2001
-From: David Ahern <dsa@cumulusnetworks.com>
-Date: Mon, 6 Mar 2017 08:53:04 -0800
-Subject: [PATCH 086/251] vrf: Fix use-after-free in vrf_xmit
-Content-Length: 1945
-Lines: 52
-
-[ Upstream commit f7887d40e541f74402df0684a1463c0a0bb68c68 ]
-
-KASAN detected a use-after-free:
-
-[ 269.467067] BUG: KASAN: use-after-free in vrf_xmit+0x7f1/0x827 [vrf] at addr ffff8800350a21c0
-[ 269.467067] Read of size 4 by task ssh/1879
-[ 269.467067] CPU: 1 PID: 1879 Comm: ssh Not tainted 4.10.0+ #249
-[ 269.467067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
-[ 269.467067] Call Trace:
-[ 269.467067] dump_stack+0x81/0xb6
-[ 269.467067] kasan_object_err+0x21/0x78
-[ 269.467067] kasan_report+0x2f7/0x450
-[ 269.467067] ? vrf_xmit+0x7f1/0x827 [vrf]
-[ 269.467067] ? ip_output+0xa4/0xdb
-[ 269.467067] __asan_load4+0x6b/0x6d
-[ 269.467067] vrf_xmit+0x7f1/0x827 [vrf]
-...
-
-Which corresponds to the skb access after xmit handling. Fix by saving
-skb->len and using the saved value to update stats.
-
-Fixes: 193125dbd8eb2 ("net: Introduce VRF device driver")
-Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/vrf.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
-index d6b619667f1a..349aecbc210a 100644
---- a/drivers/net/vrf.c
-+++ b/drivers/net/vrf.c
-@@ -345,6 +345,7 @@ static netdev_tx_t is_ip_tx_frame(struct sk_buff *skb, struct net_device *dev)
-
- static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev)
- {
-+ int len = skb->len;
- netdev_tx_t ret = is_ip_tx_frame(skb, dev);
-
- if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
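Review bot: The saved length is declared as `int len = skb->len;`, but `skb->len` is an unsigned int in struct sk_buff and the value is later added to the `tx_bytes` counter. Declaring it as `unsigned int len = skb->len;` keeps the types aligned and avoids a signed value being widened into the statistics. Taking the copy before `is_ip_tx_frame()` is the right place, because the skb may already be gone once that call returns. The stats update that uses `len` is in the next hunk.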
-@@ -352,7 +353,7 @@ static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev)
-
- u64_stats_update_begin(&dstats->syncp);
- dstats->tx_pkts++;
-- dstats->tx_bytes += skb->len;
-+ dstats->tx_bytes += len;
- u64_stats_update_end(&dstats->syncp);
- } else {
- this_cpu_inc(dev->dstats->tx_drps);
---
-2.12.2
-
-From 6c72458ab428ce659261fa060295e580503a5b12 Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Tue, 7 Mar 2017 23:50:50 +0300
-Subject: [PATCH 087/251] uapi: fix linux/packet_diag.h userspace compilation
- error
-Content-Length: 1344
-Lines: 40
-
-[ Upstream commit 745cb7f8a5de0805cade3de3991b7a95317c7c73 ]
-
-Replace MAX_ADDR_LEN with its numeric value to fix the following
-linux/packet_diag.h userspace compilation error:
-
-/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function)
- __u8 pdmc_addr[MAX_ADDR_LEN];
-
-This is not the first case in the UAPI where the numeric value
-of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h
-already does the same:
-
-$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h
- __u8 mac[32]; /* MAX_ADDR_LEN */
-
-There are no UAPI headers besides these two that use MAX_ADDR_LEN.
-
-Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
-Acked-by: Pavel Emelyanov <xemul@virtuozzo.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/uapi/linux/packet_diag.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
-index d08c63f3dd6f..0c5d5dd61b6a 100644
---- a/include/uapi/linux/packet_diag.h
-+++ b/include/uapi/linux/packet_diag.h
-@@ -64,7 +64,7 @@ struct packet_diag_mclist {
- __u32 pdmc_count;
- __u16 pdmc_type;
- __u16 pdmc_alen;
-- __u8 pdmc_addr[MAX_ADDR_LEN];
-+ __u8 pdmc_addr[32]; /* MAX_ADDR_LEN */
- };
-
- struct packet_diag_ring {
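Review bot: With `__u8 pdmc_addr[32]; /* MAX_ADDR_LEN */` only a comment links the array size to the kernel constant. If MAX_ADDR_LEN were ever raised, kernel code that fills this field with up to MAX_ADDR_LEN bytes would presumably overrun the UAPI struct without any build error. A compile-time check in the kernel-side code that populates the struct, `BUILD_BUG_ON(sizeof(((struct packet_diag_mclist *)0)->pdmc_addr) != MAX_ADDR_LEN);`, would turn that drift into a build failure. That code is outside this diff, so the exact placement needs to be checked against the tree.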
---
-2.12.2
-
-From 710fbeb3f5c5441fbe002b2c1566ceaad0725c01 Mon Sep 17 00:00:00 2001
-From: Etienne Noss <etienne.noss@wifirst.fr>
-Date: Fri, 10 Mar 2017 16:55:32 +0100
-Subject: [PATCH 088/251] act_connmark: avoid crashing on malformed nlattrs
- with null parms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 2433
-Lines: 53
-
-[ Upstream commit 52491c7607c5527138095edf44c53169dc1ddb82 ]
-
-tcf_connmark_init does not check in its configuration if TCA_CONNMARK_PARMS
-is set, resulting in a null pointer dereference when trying to access it.
-
-[501099.043007] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
-[501099.043039] IP: [<ffffffffc10c60fb>] tcf_connmark_init+0x8b/0x180 [act_connmark]
-...
-[501099.044334] Call Trace:
-[501099.044345] [<ffffffffa47270e8>] ? tcf_action_init_1+0x198/0x1b0
-[501099.044363] [<ffffffffa47271b0>] ? tcf_action_init+0xb0/0x120
-[501099.044380] [<ffffffffa47250a4>] ? tcf_exts_validate+0xc4/0x110
-[501099.044398] [<ffffffffc0f5fa97>] ? u32_set_parms+0xa7/0x270 [cls_u32]
-[501099.044417] [<ffffffffc0f60bf0>] ? u32_change+0x680/0x87b [cls_u32]
-[501099.044436] [<ffffffffa4725d1d>] ? tc_ctl_tfilter+0x4dd/0x8a0
-[501099.044454] [<ffffffffa44a23a1>] ? security_capable+0x41/0x60
-[501099.044471] [<ffffffffa470ca01>] ? rtnetlink_rcv_msg+0xe1/0x220
-[501099.044490] [<ffffffffa470c920>] ? rtnl_newlink+0x870/0x870
-[501099.044507] [<ffffffffa472cc61>] ? netlink_rcv_skb+0xa1/0xc0
-[501099.044524] [<ffffffffa47073f4>] ? rtnetlink_rcv+0x24/0x30
-[501099.044541] [<ffffffffa472c634>] ? netlink_unicast+0x184/0x230
-[501099.044558] [<ffffffffa472c9d8>] ? netlink_sendmsg+0x2f8/0x3b0
-[501099.044576] [<ffffffffa46d8880>] ? sock_sendmsg+0x30/0x40
-[501099.044592] [<ffffffffa46d8e03>] ? SYSC_sendto+0xd3/0x150
-[501099.044608] [<ffffffffa425fda1>] ? __do_page_fault+0x2d1/0x510
-[501099.044626] [<ffffffffa47fbd7b>] ? system_call_fast_compare_end+0xc/0x9b
-
-Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action")
-Signed-off-by: Étienne Noss <etienne.noss@wifirst.fr>
-Signed-off-by: Victorien Molle <victorien.molle@wifirst.fr>
-Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sched/act_connmark.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
-index bb41699c6c49..7ecb14f3db54 100644
---- a/net/sched/act_connmark.c
-+++ b/net/sched/act_connmark.c
-@@ -109,6 +109,9 @@ static int tcf_connmark_init(struct net *net, struct nlattr *nla,
- if (ret < 0)
- return ret;
-
-+ if (!tb[TCA_CONNMARK_PARMS])
-+ return -EINVAL;
-+
- parm = nla_data(tb[TCA_CONNMARK_PARMS]);
-
- if (!tcf_hash_check(parm->index, a, bind)) {
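Review bot: The added `if (!tb[TCA_CONNMARK_PARMS])` test only proves the attribute is present, while the next line takes its payload with `nla_data()` and reads `parm->index`, so the payload must also be at least as large as the parameter struct (presumably `struct tc_connmark`). That length guarantee can only come from the policy given to the parse call whose result is tested as `ret` above, and neither the call nor the policy is inside this hunk, so it is worth confirming that the policy carries a length for this attribute. A one-line comment such as `/* presence checked here; minimum length comes from the nla policy */` would record that split. `tcf_connmark_init` begins and ends outside the hunk.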
---
-2.12.2
-
-From b57955ea30e13aa37e5955bf20617f839f32c560 Mon Sep 17 00:00:00 2001
-From: David Ahern <dsa@cumulusnetworks.com>
-Date: Fri, 10 Mar 2017 09:46:15 -0800
-Subject: [PATCH 089/251] mpls: Send route delete notifications when router
- module is unloaded
-Content-Length: 1050
-Lines: 29
-
-[ Upstream commit e37791ec1ad785b59022ae211f63a16189bacebf ]
-
-When the mpls_router module is unloaded, mpls routes are deleted but
-notifications are not sent to userspace leaving userspace caches
-out of sync. Add the call to mpls_notify_route in mpls_net_exit as
-routes are freed.
-
-Fixes: 0189197f44160 ("mpls: Basic routing support")
-Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mpls/af_mpls.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
-index 881bc2072809..52cfc4478511 100644
---- a/net/mpls/af_mpls.c
-+++ b/net/mpls/af_mpls.c
-@@ -1567,6 +1567,7 @@ static void mpls_net_exit(struct net *net)
- for (index = 0; index < platform_labels; index++) {
- struct mpls_route *rt = rtnl_dereference(platform_label[index]);
- RCU_INIT_POINTER(platform_label[index], NULL);
-+ mpls_notify_route(net, index, rt, NULL, NULL);
- mpls_rt_free(rt);
- }
- rtnl_unlock();
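Review bot: `rt` is passed to `mpls_notify_route(net, index, rt, NULL, NULL)` for every index in the label table with no check that the slot actually held a route, so the call depends on `mpls_notify_route` ignoring a NULL old route when the new route is NULL as well. Its definition is not in this hunk; if it does not tolerate that, the loop needs `if (rt) mpls_notify_route(net, index, rt, NULL, NULL);`. Either way a short comment, `/* notify userspace of the delete before the route is freed */`, would make the ordering against `mpls_rt_free(rt)` explicit. `mpls_net_exit` starts and ends outside the hunk.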
---
-2.12.2
-
-From 5f8bc3856e285cc12597879039c17f7397f4b37d Mon Sep 17 00:00:00 2001
-From: Sabrina Dubroca <sd@queasysnail.net>
-Date: Mon, 13 Mar 2017 13:28:09 +0100
-Subject: [PATCH 090/251] ipv6: make ECMP route replacement less greedy
-Content-Length: 2282
-Lines: 67
-
-[ Upstream commit 67e194007be08d071294456274dd53e0a04fdf90 ]
-
-Commit 27596472473a ("ipv6: fix ECMP route replacement") introduced a
-loop that removes all siblings of an ECMP route that is being
-replaced. However, this loop doesn't stop when it has replaced
-siblings, and keeps removing other routes with a higher metric.
-We also end up triggering the WARN_ON after the loop, because after
-this nsiblings < 0.
-
-Instead, stop the loop when we have taken care of all routes with the
-same metric as the route being replaced.
-
- Reproducer:
- ===========
- #!/bin/sh
-
- ip netns add ns1
- ip netns add ns2
- ip -net ns1 link set lo up
-
- for x in 0 1 2 ; do
- ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
- ip -net ns1 link set eth$x up
- ip -net ns2 link set veth$x up
- done
-
- ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
- nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
- ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
- ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048
-
- echo "before replace, 3 routes"
- ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
- echo
-
- ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
- nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2
-
- echo "after replace, only 2 routes, metric 2048 is gone"
- ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
-
-Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
-Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
-Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
-Reviewed-by: Xin Long <lucien.xin@gmail.com>
-Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv6/ip6_fib.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
-index 34cf46d74554..85bf86458706 100644
---- a/net/ipv6/ip6_fib.c
-+++ b/net/ipv6/ip6_fib.c
-@@ -903,6 +903,8 @@ add:
- ins = &rt->dst.rt6_next;
- iter = *ins;
- while (iter) {
-+ if (iter->rt6i_metric > rt->rt6i_metric)
-+ break;
- if (rt6_qualify_for_ecmp(iter)) {
- *ins = iter->dst.rt6_next;
- fib6_purge_rt(iter, fn, info->nl_net);
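Review bot: The new `break` is only correct if the routes chained through `dst.rt6_next` are ordered by ascending `rt6i_metric`, and nothing in the hunk states that invariant. I would put it in a comment above the test, for example `/* list is sorted by metric: past rt's metric there is nothing left to replace */`. The rest of the `while (iter)` body and the `WARN_ON` mentioned in the description lie outside this hunk, so the effect on `nsiblings` cannot be checked from here.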
---
-2.12.2
-
-From aed728c38c483650885dfd975dd9f4903e5505bf Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Mon, 13 Mar 2017 16:24:28 +0100
-Subject: [PATCH 091/251] ipv6: avoid write to a possibly cloned skb
-Content-Length: 1969
-Lines: 61
-
-[ Upstream commit 79e49503efe53a8c51d8b695bedc8a346c5e4a87 ]
-
-ip6_fragment, in case skb has a fraglist, checks if the
-skb is cloned. If it is, it will move to the 'slow path' and allocates
-new skbs for each fragment.
-
-However, right before entering the slowpath loop, it updates the
-nexthdr value of the last ipv6 extension header to NEXTHDR_FRAGMENT,
-to account for the fragment header that will be inserted in the new
-ipv6-fragment skbs.
-
-In case original skb is cloned this munges nexthdr value of another
-skb. Avoid this by doing the nexthdr update for each of the new fragment
-skbs separately.
-
-This was observed with tcpdump on a bridge device where netfilter ipv6
-reassembly is active: tcpdump shows malformed fragment headers as
-the l4 header (icmpv6, tcp, etc). is decoded as a fragment header.
-
-Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Reported-by: Andreas Karis <akaris@redhat.com>
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv6/ip6_output.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index 58900c21e4e4..8004532fa882 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -742,13 +742,14 @@ slow_path:
- * Fragment the datagram.
- */
-
-- *prevhdr = NEXTHDR_FRAGMENT;
- troom = rt->dst.dev->needed_tailroom;
-
- /*
- * Keep copying data until we run out.
- */
- while (left > 0) {
-+ u8 *fragnexthdr_offset;
-+
- len = left;
- /* IF: it doesn't fit, use 'mtu' - the data space left */
- if (len > mtu)
-@@ -793,6 +794,10 @@ slow_path:
- */
- skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
-
-+ fragnexthdr_offset = skb_network_header(frag);
-+ fragnexthdr_offset += prevhdr - skb_network_header(skb);
-+ *fragnexthdr_offset = NEXTHDR_FRAGMENT;
-+
- /*
- * Build fragment header.
- */
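Review bot: The offset `prevhdr - skb_network_header(skb)` is recomputed for every fragment although neither operand changes in the visible part of the loop, and `prevhdr` stays a raw pointer into the original skb's header for the whole slow path. Computing it once before `while (left > 0)` as an integer, e.g. `unsigned int nexthdr_off = prevhdr - skb_network_header(skb);`, and then writing `skb_network_header(frag)[nexthdr_off] = NEXTHDR_FRAGMENT;` per fragment says the same thing more directly and drops the `fragnexthdr_offset` temporary declared in the previous hunk. The write also assumes the offset is smaller than the `hlen` bytes copied just above it. That holds only if `prevhdr` was located inside the unfragmentable header part, which is established outside these hunks.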
---
-2.12.2
-
-From 56f9b9502f2d15b9c7b83f9cfb32798e2e364f61 Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Mon, 13 Mar 2017 17:38:17 +0100
-Subject: [PATCH 092/251] bridge: drop netfilter fake rtable unconditionally
-Content-Length: 2943
-Lines: 81
-
-[ Upstream commit a13b2082ece95247779b9995c4e91b4246bed023 ]
-
-Andreas reports kernel oops during rmmod of the br_netfilter module.
-Hannes debugged the oops down to a NULL rt6info->rt6i_indev.
-
-Problem is that br_netfilter has the nasty concept of adding a fake
-rtable to skb->dst; this happens in a br_netfilter prerouting hook.
-
-A second hook (in bridge LOCAL_IN) is supposed to remove these again
-before the skb is handed up the stack.
-
-However, on module unload hooks get unregistered which means an
-skb could traverse the prerouting hook that attaches the fake_rtable,
-while the 'fake rtable remove' hook gets removed from the hooklist
-immediately after.
-
-Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core")
-Reported-by: Andreas Karis <akaris@redhat.com>
-Debugged-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bridge/br_input.c | 1 +
- net/bridge/br_netfilter_hooks.c | 21 ---------------------
- 2 files changed, 1 insertion(+), 21 deletions(-)
-
-diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
-index f7fba74108a9..e24754a0e052 100644
---- a/net/bridge/br_input.c
-+++ b/net/bridge/br_input.c
-@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook);
- static int
- br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
-+ br_drop_fake_rtable(skb);
- return netif_receive_skb(skb);
- }
-
-diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
-index 7ddbe7ec81d6..97fc19f001bf 100644
---- a/net/bridge/br_netfilter_hooks.c
-+++ b/net/bridge/br_netfilter_hooks.c
-@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv,
- }
-
-
--/* PF_BRIDGE/LOCAL_IN ************************************************/
--/* The packet is locally destined, which requires a real
-- * dst_entry, so detach the fake one. On the way up, the
-- * packet would pass through PRE_ROUTING again (which already
-- * took place when the packet entered the bridge), but we
-- * register an IPv4 PRE_ROUTING 'sabotage' hook that will
-- * prevent this from happening. */
--static unsigned int br_nf_local_in(void *priv,
-- struct sk_buff *skb,
-- const struct nf_hook_state *state)
--{
-- br_drop_fake_rtable(skb);
-- return NF_ACCEPT;
--}
--
- /* PF_BRIDGE/FORWARD *************************************************/
- static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
- {
-@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
- .priority = NF_BR_PRI_BRNF,
- },
- {
-- .hook = br_nf_local_in,
-- .pf = NFPROTO_BRIDGE,
-- .hooknum = NF_BR_LOCAL_IN,
-- .priority = NF_BR_PRI_BRNF,
-- },
-- {
- .hook = br_nf_forward_ip,
- .pf = NFPROTO_BRIDGE,
- .hooknum = NF_BR_FORWARD,
---
-2.12.2
-
-From 4ab956b561334866dfe1b17d9c7567313e07cfa2 Mon Sep 17 00:00:00 2001
-From: Jon Maxwell <jmaxwell37@gmail.com>
-Date: Fri, 10 Mar 2017 16:40:33 +1100
-Subject: [PATCH 093/251] dccp/tcp: fix routing redirect race
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 5663
-Lines: 162
-
-[ Upstream commit 45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 ]
-
-As Eric Dumazet pointed out this also needs to be fixed in IPv6.
-v2: Contains the IPv6 tcp/Ipv6 dccp patches as well.
-
-We have seen a few incidents lately where a dst_enty has been freed
-with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
-dst_entry. If the conditions/timings are right a crash then ensues when the
-freed dst_entry is referenced later on. A Common crashing back trace is:
-
- #8 [] page_fault at ffffffff8163e648
- [exception RIP: __tcp_ack_snd_check+74]
-.
-.
- #9 [] tcp_rcv_established at ffffffff81580b64
-#10 [] tcp_v4_do_rcv at ffffffff8158b54a
-#11 [] tcp_v4_rcv at ffffffff8158cd02
-#12 [] ip_local_deliver_finish at ffffffff815668f4
-#13 [] ip_local_deliver at ffffffff81566bd9
-#14 [] ip_rcv_finish at ffffffff8156656d
-#15 [] ip_rcv at ffffffff81566f06
-#16 [] __netif_receive_skb_core at ffffffff8152b3a2
-#17 [] __netif_receive_skb at ffffffff8152b608
-#18 [] netif_receive_skb at ffffffff8152b690
-#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3]
-#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3]
-#21 [] net_rx_action at ffffffff8152bac2
-#22 [] __do_softirq at ffffffff81084b4f
-#23 [] call_softirq at ffffffff8164845c
-#24 [] do_softirq at ffffffff81016fc5
-#25 [] irq_exit at ffffffff81084ee5
-#26 [] do_IRQ at ffffffff81648ff8
-
-Of course it may happen with other NIC drivers as well.
-
-It's found the freed dst_entry here:
-
- 224 static bool tcp_in_quickack_mode(struct sock *sk)↩
- 225 {↩
- 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩
- 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩
- 228 ↩
- 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩
- 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩
- 231 }↩
-
-But there are other backtraces attributed to the same freed dst_entry in
-netfilter code as well.
-
-All the vmcores showed 2 significant clues:
-
-- Remote hosts behind the default gateway had always been redirected to a
-different gateway. A rtable/dst_entry will be added for that host. Making
-more dst_entrys with lower reference counts. Making this more probable.
-
-- All vmcores showed a postitive LockDroppedIcmps value, e.g:
-
-LockDroppedIcmps 267
-
-A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
-regardless of whether user space has the socket locked. This can result in a
-race condition where the same dst_entry cached in sk->sk_dst_entry can be
-decremented twice for the same socket via:
-
-do_redirect()->__sk_dst_check()-> dst_release().
-
-Which leads to the dst_entry being prematurely freed with another socket
-pointing to it via sk->sk_dst_cache and a subsequent crash.
-
-To fix this skip do_redirect() if usespace has the socket locked. Instead let
-the redirect take place later when user space does not have the socket
-locked.
-
-The dccp/IPv6 code is very similar in this respect, so fixing it there too.
-
-As Eric Garver pointed out the following commit now invalidates routes. Which
-can set the dst->obsolete flag so that ipv4_dst_check() returns null and
-triggers the dst_release().
-
-Fixes: ceb3320610d6 ("ipv4: Kill routes during PMTU/redirect updates.")
-Cc: Eric Garver <egarver@redhat.com>
-Cc: Hannes Sowa <hsowa@redhat.com>
-Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/dccp/ipv4.c | 3 ++-
- net/dccp/ipv6.c | 8 +++++---
- net/ipv4/tcp_ipv4.c | 3 ++-
- net/ipv6/tcp_ipv6.c | 8 +++++---
- 4 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
-index 0759f5b9180e..6467bf392e1b 100644
---- a/net/dccp/ipv4.c
-+++ b/net/dccp/ipv4.c
-@@ -289,7 +289,8 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
-
- switch (type) {
- case ICMP_REDIRECT:
-- dccp_do_redirect(skb, sk);
-+ if (!sock_owned_by_user(sk))
-+ dccp_do_redirect(skb, sk);
- goto out;
- case ICMP_SOURCE_QUENCH:
- /* Just silently ignore these. */
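Review bot: When `sock_owned_by_user(sk)` is true the redirect is dropped, not deferred. Nothing in this hunk, or in the matching hunks for `dccp_v6_err`, `tcp_v4_err` and `tcp_v6_err`, records it for later processing, although the description says the redirect will take place later. If dropping is intended, the reason should be stated at each site, e.g. `/* redirect handling may release sk's cached dst; must not run while user context owns the socket */`, so the guard is not removed later as a missed update. All four handlers start and end outside their hunks.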
-diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
-index 27c4e81efa24..8113ad58fcb4 100644
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -122,10 +122,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
- np = inet6_sk(sk);
-
- if (type == NDISC_REDIRECT) {
-- struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
-+ if (!sock_owned_by_user(sk)) {
-+ struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
-
-- if (dst)
-- dst->ops->redirect(dst, sk, skb);
-+ if (dst)
-+ dst->ops->redirect(dst, sk, skb);
-+ }
- goto out;
- }
-
-diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index f66d4b5d47f9..198fc2314c82 100644
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -423,7 +423,8 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
-
- switch (type) {
- case ICMP_REDIRECT:
-- do_redirect(icmp_skb, sk);
-+ if (!sock_owned_by_user(sk))
-+ do_redirect(icmp_skb, sk);
- goto out;
- case ICMP_SOURCE_QUENCH:
- /* Just silently ignore these. */
-diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index 76a8c8057a23..1a63c4deef26 100644
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -376,10 +376,12 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
- np = inet6_sk(sk);
-
- if (type == NDISC_REDIRECT) {
-- struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
-+ if (!sock_owned_by_user(sk)) {
-+ struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
-
-- if (dst)
-- dst->ops->redirect(dst, sk, skb);
-+ if (dst)
-+ dst->ops->redirect(dst, sk, skb);
-+ }
- goto out;
- }
-
---
-2.12.2
-
-From 676fe978525d3d3f583e1f6463f3b25623e81afd Mon Sep 17 00:00:00 2001
-From: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Mon, 13 Mar 2017 00:01:30 +0100
-Subject: [PATCH 094/251] dccp: fix memory leak during tear-down of
- unsuccessful connection request
-Content-Length: 1037
-Lines: 29
-
-[ Upstream commit 72ef9c4125c7b257e3a714d62d778ab46583d6a3 ]
-
-This patch fixes a memory leak, which happens if the connection request
-is not fulfilled between parsing the DCCP options and handling the SYN
-(because e.g. the backlog is full), because we forgot to free the
-list of ack vectors.
-
-Reported-by: Jianwen Ji <jiji@redhat.com>
-Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/dccp/ccids/ccid2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
-index f053198e730c..5e3a7302f774 100644
---- a/net/dccp/ccids/ccid2.c
-+++ b/net/dccp/ccids/ccid2.c
-@@ -749,6 +749,7 @@ static void ccid2_hc_tx_exit(struct sock *sk)
- for (i = 0; i < hc->tx_seqbufc; i++)
- kfree(hc->tx_seqbuf[i]);
- hc->tx_seqbufc = 0;
-+ dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
- }
-
- static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
+@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
+ .priority = NF_BR_PRI_BRNF,
+ },
+ {
+- .hook = br_nf_local_in,
+- .pf = NFPROTO_BRIDGE,
+- .hooknum = NF_BR_LOCAL_IN,
+- .priority = NF_BR_PRI_BRNF,
+- },
+- {
+ .hook = br_nf_forward_ip,
+ .pf = NFPROTO_BRIDGE,
+ .hooknum = NF_BR_FORWARD,
--
2.12.2
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 19 Dec 2016 14:20:13 -0800
Subject: [PATCH 096/251] fscrypt: fix renaming and linking special files
+Status: RO
Content-Length: 2187
Lines: 59
- load_mm_cr4(current->mm);
+ if (current->active_mm)
+ load_mm_cr4(current->active_mm);
- }
-
- static void x86_pmu_event_mapped(struct perf_event *event)
---
-2.12.2
-
-From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 22 Mar 2017 12:17:51 +0100
-Subject: [PATCH 102/251] Linux 4.4.56
-Content-Length: 301
-Lines: 18
-
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index d9cc21df444d..cf9303a5d621 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 4
- PATCHLEVEL = 4
--SUBLEVEL = 55
-+SUBLEVEL = 56
- EXTRAVERSION =
- NAME = Blurry Fish Butt
-
---
-2.12.2
-
-From ac1a97d8a562161e42edd23e5d0f1740a3d93c85 Mon Sep 17 00:00:00 2001
-From: Chris Bainbridge <chris.bainbridge@gmail.com>
-Date: Mon, 25 Apr 2016 13:48:38 +0100
-Subject: [PATCH 103/251] usb: core: hub: hub_port_init lock controller instead
- of bus
-Content-Length: 8176
-Lines: 219
-
-commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 upstream.
-
-The XHCI controller presents two USB buses to the system - one for USB2
-and one for USB3. The hub init code (hub_port_init) is reentrant but
-only locks one bus per thread, leading to a race condition failure when
-two threads attempt to simultaneously initialise a USB2 and USB3 device:
-
-[ 8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
-[ 13.183701] usb 3-3: device descriptor read/all, error -110
-
-On a test system this failure occurred on 6% of all boots.
-
-The call traces at the point of failure are:
-
-Call Trace:
- [<ffffffff81b9bab7>] schedule+0x37/0x90
- [<ffffffff817da7cd>] usb_kill_urb+0x8d/0xd0
- [<ffffffff8111e5e0>] ? wake_up_atomic_t+0x30/0x30
- [<ffffffff817dafbe>] usb_start_wait_urb+0xbe/0x150
- [<ffffffff817db10c>] usb_control_msg+0xbc/0xf0
- [<ffffffff817d07de>] hub_port_init+0x51e/0xb70
- [<ffffffff817d4697>] hub_event+0x817/0x1570
- [<ffffffff810f3e6f>] process_one_work+0x1ff/0x620
- [<ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
- [<ffffffff810f4684>] worker_thread+0x64/0x4b0
- [<ffffffff810f4620>] ? rescuer_thread+0x390/0x390
- [<ffffffff810fa7f5>] kthread+0x105/0x120
- [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
- [<ffffffff81ba183f>] ret_from_fork+0x3f/0x70
- [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
-
-Call Trace:
- [<ffffffff817fd36d>] xhci_setup_device+0x53d/0xa40
- [<ffffffff817fd87e>] xhci_address_device+0xe/0x10
- [<ffffffff817d047f>] hub_port_init+0x1bf/0xb70
- [<ffffffff811247ed>] ? trace_hardirqs_on+0xd/0x10
- [<ffffffff817d4697>] hub_event+0x817/0x1570
- [<ffffffff810f3e6f>] process_one_work+0x1ff/0x620
- [<ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
- [<ffffffff810f4684>] worker_thread+0x64/0x4b0
- [<ffffffff810f4620>] ? rescuer_thread+0x390/0x390
- [<ffffffff810fa7f5>] kthread+0x105/0x120
- [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
- [<ffffffff81ba183f>] ret_from_fork+0x3f/0x70
- [<ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
-
-Which results from the two call chains:
-
-hub_port_init
- usb_get_device_descriptor
- usb_get_descriptor
- usb_control_msg
- usb_internal_control_msg
- usb_start_wait_urb
- usb_submit_urb / wait_for_completion_timeout / usb_kill_urb
-
-hub_port_init
- hub_set_address
- xhci_address_device
- xhci_setup_device
-
-Mathias Nyman explains the current behaviour violates the XHCI spec:
-
- hub_port_reset() will end up moving the corresponding xhci device slot
- to default state.
-
- As hub_port_reset() is called several times in hub_port_init() it
- sounds reasonable that we could end up with two threads having their
- xhci device slots in default state at the same time, which according to
- xhci 4.5.3 specs still is a big no no:
-
- "Note: Software shall not transition more than one Device Slot to the
- Default State at a time"
-
- So both threads fail at their next task after this.
- One fails to read the descriptor, and the other fails addressing the
- device.
-
-Fix this in hub_port_init by locking the USB controller (instead of an
-individual bus) to prevent simultaneous initialisation of both buses.
-
-Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel")
-Link: https://lkml.org/lkml/2016/2/8/312
-Link: https://lkml.org/lkml/2016/2/4/748
-Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
-Cc: stable <stable@vger.kernel.org>
-Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
- [sumits: minor merge conflict resolution for linux-4.4.y]
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/core/hcd.c | 15 +++++++++++++--
- drivers/usb/core/hub.c | 8 ++++----
- include/linux/usb.h | 3 +--
- include/linux/usb/hcd.h | 1 +
- 4 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index f44ce09367bc..9a5303c17de7 100644
---- a/drivers/usb/core/hcd.c
-+++ b/drivers/usb/core/hcd.c
-@@ -966,7 +966,7 @@ static void usb_bus_init (struct usb_bus *bus)
- bus->bandwidth_allocated = 0;
- bus->bandwidth_int_reqs = 0;
- bus->bandwidth_isoc_reqs = 0;
-- mutex_init(&bus->usb_address0_mutex);
-+ mutex_init(&bus->devnum_next_mutex);
-
- INIT_LIST_HEAD (&bus->bus_list);
- }
-@@ -2497,6 +2497,14 @@ struct usb_hcd *usb_create_shared_hcd(const struct hc_driver *driver,
- return NULL;
- }
- if (primary_hcd == NULL) {
-+ hcd->address0_mutex = kmalloc(sizeof(*hcd->address0_mutex),
-+ GFP_KERNEL);
-+ if (!hcd->address0_mutex) {
-+ kfree(hcd);
-+ dev_dbg(dev, "hcd address0 mutex alloc failed\n");
-+ return NULL;
-+ }
-+ mutex_init(hcd->address0_mutex);
- hcd->bandwidth_mutex = kmalloc(sizeof(*hcd->bandwidth_mutex),
- GFP_KERNEL);
- if (!hcd->bandwidth_mutex) {
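Review bot: After this hunk `hcd->address0_mutex` is allocated before `hcd->bandwidth_mutex`, and the failure branch for the second allocation opens on the hunk's last line with its body outside the hunk. If that branch still only does `kfree(hcd)` before returning NULL, the address0 mutex allocated a few lines earlier is leaked, and the branch should begin with `kfree(hcd->address0_mutex);`. The new branch for a failed address0 allocation is fine as written, since only `hcd` exists at that point and it is freed.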
-@@ -2508,6 +2516,7 @@ struct usb_hcd *usb_create_shared_hcd(const struct hc_driver *driver,
- dev_set_drvdata(dev, hcd);
- } else {
- mutex_lock(&usb_port_peer_mutex);
-+ hcd->address0_mutex = primary_hcd->address0_mutex;
- hcd->bandwidth_mutex = primary_hcd->bandwidth_mutex;
- hcd->primary_hcd = primary_hcd;
- primary_hcd->primary_hcd = primary_hcd;
-@@ -2574,8 +2583,10 @@ static void hcd_release(struct kref *kref)
- struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref);
-
- mutex_lock(&usb_port_peer_mutex);
-- if (usb_hcd_is_primary_hcd(hcd))
-+ if (usb_hcd_is_primary_hcd(hcd)) {
-+ kfree(hcd->address0_mutex);
- kfree(hcd->bandwidth_mutex);
-+ }
- if (hcd->shared_hcd) {
- struct usb_hcd *peer = hcd->shared_hcd;
-
-diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 780db8bb2262..f52d8abf6979 100644
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -1980,7 +1980,7 @@ static void choose_devnum(struct usb_device *udev)
- struct usb_bus *bus = udev->bus;
-
- /* be safe when more hub events are proceed in parallel */
-- mutex_lock(&bus->usb_address0_mutex);
-+ mutex_lock(&bus->devnum_next_mutex);
- if (udev->wusb) {
- devnum = udev->portnum + 1;
- BUG_ON(test_bit(devnum, bus->devmap.devicemap));
-@@ -1998,7 +1998,7 @@ static void choose_devnum(struct usb_device *udev)
- set_bit(devnum, bus->devmap.devicemap);
- udev->devnum = devnum;
- }
-- mutex_unlock(&bus->usb_address0_mutex);
-+ mutex_unlock(&bus->devnum_next_mutex);
- }
-
- static void release_devnum(struct usb_device *udev)
-@@ -4262,7 +4262,7 @@ hub_port_init(struct usb_hub *hub, struct usb_device *udev, int port1,
- if (oldspeed == USB_SPEED_LOW)
- delay = HUB_LONG_RESET_TIME;
-
-- mutex_lock(&hdev->bus->usb_address0_mutex);
-+ mutex_lock(hcd->address0_mutex);
-
- /* Reset the device; full speed may morph to high speed */
- /* FIXME a USB 2.0 device may morph into SuperSpeed on reset. */
-@@ -4548,7 +4548,7 @@ fail:
- hub_port_disable(hub, port1, 0);
- update_devnum(udev, devnum); /* for disconnect processing */
- }
-- mutex_unlock(&hdev->bus->usb_address0_mutex);
-+ mutex_unlock(hcd->address0_mutex);
- return retval;
- }
-
-diff --git a/include/linux/usb.h b/include/linux/usb.h
-index 12891ffd4bf0..8c75af6b7d5b 100644
---- a/include/linux/usb.h
-+++ b/include/linux/usb.h
-@@ -371,14 +371,13 @@ struct usb_bus {
-
- int devnum_next; /* Next open device number in
- * round-robin allocation */
-+ struct mutex devnum_next_mutex; /* devnum_next mutex */
-
- struct usb_devmap devmap; /* device address allocation map */
- struct usb_device *root_hub; /* Root hub */
- struct usb_bus *hs_companion; /* Companion EHCI bus, if any */
- struct list_head bus_list; /* list of busses */
-
-- struct mutex usb_address0_mutex; /* unaddressed device mutex */
--
- int bandwidth_allocated; /* on this bus: how much of the time
- * reserved for periodic (intr/iso)
- * requests is used, on average?
-diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
-index f89c24bd53a4..3993b21f3d11 100644
---- a/include/linux/usb/hcd.h
-+++ b/include/linux/usb/hcd.h
-@@ -180,6 +180,7 @@ struct usb_hcd {
- * bandwidth_mutex should be dropped after a successful control message
- * to the device, or resetting the bandwidth after a failed attempt.
- */
-+ struct mutex *address0_mutex;
- struct mutex *bandwidth_mutex;
- struct usb_hcd *shared_hcd;
- struct usb_hcd *primary_hcd;
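Review bot: The new `struct mutex *address0_mutex;` member is inserted between the comment block that describes `bandwidth_mutex` and the `bandwidth_mutex` member itself, so that comment now reads as documentation for the wrong field. Move the new member above the comment block and give it its own line, for example `/* serialises hub_port_init() across all buses of one controller; shared with the peer hcd */`. `struct usb_hcd` starts and ends outside the hunk.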
---
-2.12.2
-
-From 45d9558837d4d79e6d241f1c45cabea8d20dca22 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Mon, 27 Jun 2016 10:23:10 -0400
-Subject: [PATCH 104/251] USB: don't free bandwidth_mutex too early
-Content-Length: 4635
-Lines: 119
-
-commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1 upstream.
-
-The USB core contains a bug that can show up when a USB-3 host
-controller is removed. If the primary (USB-2) hcd structure is
-released before the shared (USB-3) hcd, the core will try to do a
-double-free of the common bandwidth_mutex.
-
-The problem was described in graphical form by Chung-Geol Kim, who
-first reported it:
-
-=================================================
- At *remove USB(3.0) Storage
- sequence <1> --> <5> ((Problem Case))
-=================================================
- VOLD
-------------------------------------|------------
- (uevent)
- ________|_________
- |<1> |
- |dwc3_otg_sm_work |
- |usb_put_hcd |
- |peer_hcd(kref=2)|
- |__________________|
- ________|_________
- |<2> |
- |New USB BUS #2 |
- | |
- |peer_hcd(kref=1) |
- | |
- --(Link)-bandXX_mutex|
- | |__________________|
- |
- ___________________ |
- |<3> | |
- |dwc3_otg_sm_work | |
- |usb_put_hcd | |
- |primary_hcd(kref=1)| |
- |___________________| |
- _________|_________ |
- |<4> | |
- |New USB BUS #1 | |
- |hcd_release | |
- |primary_hcd(kref=0)| |
- | | |
- |bandXX_mutex(free) |<-
- |___________________|
- (( VOLD ))
- ______|___________
- |<5> |
- | SCSI |
- |usb_put_hcd |
- |peer_hcd(kref=0) |
- |*hcd_release |
- |bandXX_mutex(free*)|<- double free
- |__________________|
-
-=================================================
-
-This happens because hcd_release() frees the bandwidth_mutex whenever
-it sees a primary hcd being released (which is not a very good idea
-in any case), but in the course of releasing the primary hcd, it
-changes the pointers in the shared hcd in such a way that the shared
-hcd will appear to be primary when it gets released.
-
-This patch fixes the problem by changing hcd_release() so that it
-deallocates the bandwidth_mutex only when the _last_ hcd structure
-referencing it is released. The patch also removes an unnecessary
-test, so that when an hcd is released, both the shared_hcd and
-primary_hcd pointers in the hcd's peer will be cleared.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
-Tested-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ }
+
+ static void x86_pmu_event_mapped(struct perf_event *event)
+--
+2.12.2
+
+From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 22 Mar 2017 12:17:51 +0100
+Subject: [PATCH 102/251] Linux 4.4.56
+Content-Length: 301
+Lines: 18
+
---
- drivers/usb/core/hcd.c | 17 +++++++----------
- 1 file changed, 7 insertions(+), 10 deletions(-)
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 9a5303c17de7..5724d7c41e29 100644
---- a/drivers/usb/core/hcd.c
-+++ b/drivers/usb/core/hcd.c
-@@ -2573,26 +2573,23 @@ EXPORT_SYMBOL_GPL(usb_create_hcd);
- * Don't deallocate the bandwidth_mutex until the last shared usb_hcd is
- * deallocated.
- *
-- * Make sure to only deallocate the bandwidth_mutex when the primary HCD is
-- * freed. When hcd_release() is called for either hcd in a peer set
-- * invalidate the peer's ->shared_hcd and ->primary_hcd pointers to
-- * block new peering attempts
-+ * Make sure to deallocate the bandwidth_mutex only when the last HCD is
-+ * freed. When hcd_release() is called for either hcd in a peer set,
-+ * invalidate the peer's ->shared_hcd and ->primary_hcd pointers.
- */
- static void hcd_release(struct kref *kref)
- {
- struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref);
-
- mutex_lock(&usb_port_peer_mutex);
-- if (usb_hcd_is_primary_hcd(hcd)) {
-- kfree(hcd->address0_mutex);
-- kfree(hcd->bandwidth_mutex);
-- }
- if (hcd->shared_hcd) {
- struct usb_hcd *peer = hcd->shared_hcd;
+diff --git a/Makefile b/Makefile
+index d9cc21df444d..cf9303a5d621 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 55
++SUBLEVEL = 56
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
- peer->shared_hcd = NULL;
-- if (peer->primary_hcd == hcd)
-- peer->primary_hcd = NULL;
-+ peer->primary_hcd = NULL;
-+ } else {
-+ kfree(hcd->address0_mutex);
-+ kfree(hcd->bandwidth_mutex);
- }
- mutex_unlock(&usb_port_peer_mutex);
- kfree(hcd);
--
2.12.2
--
2.12.2
-From 68ea3948ed3d48dd1e0897b121f37da6f14ffbcc Mon Sep 17 00:00:00 2001
-From: Sebastian Ott <sebott@linux.vnet.ibm.com>
-Date: Fri, 15 Apr 2016 09:41:35 +0200
-Subject: [PATCH 115/251] s390/pci: fix use after free in dma_init
-Content-Length: 1833
-Lines: 64
-
-commit dba599091c191d209b1499511a524ad9657c0e5a upstream.
-
-After a failure during registration of the dma_table (because of the
-function being in error state) we free its memory but don't reset the
-associated pointer to zero.
-
-When we then receive a notification from firmware (about the function
-being in error state) we'll try to walk and free the dma_table again.
-
-Fix this by resetting the dma_table pointer. In addition to that make
-sure that we free the iommu_bitmap when appropriate.
-
-Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
-Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/pci/pci_dma.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
-index 3a40f718baef..4004e03267cd 100644
---- a/arch/s390/pci/pci_dma.c
-+++ b/arch/s390/pci/pci_dma.c
-@@ -455,7 +455,7 @@ int zpci_dma_init_device(struct zpci_dev *zdev)
- zdev->dma_table = dma_alloc_cpu_table();
- if (!zdev->dma_table) {
- rc = -ENOMEM;
-- goto out_clean;
-+ goto out;
- }
-
- /*
-@@ -475,18 +475,22 @@ int zpci_dma_init_device(struct zpci_dev *zdev)
- zdev->iommu_bitmap = vzalloc(zdev->iommu_pages / 8);
- if (!zdev->iommu_bitmap) {
- rc = -ENOMEM;
-- goto out_reg;
-+ goto free_dma_table;
- }
-
- rc = zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma,
- (u64) zdev->dma_table);
- if (rc)
-- goto out_reg;
-- return 0;
-+ goto free_bitmap;
-
--out_reg:
-+ return 0;
-+free_bitmap:
-+ vfree(zdev->iommu_bitmap);
-+ zdev->iommu_bitmap = NULL;
-+free_dma_table:
- dma_free_cpu_table(zdev->dma_table);
--out_clean:
-+ zdev->dma_table = NULL;
-+out:
- return rc;
- }
-
---
-2.12.2
-
From 13a26889cbc1eb8a7b9a7712c05538c55659fe40 Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Thu, 14 Jan 2016 08:07:55 +1000
Date: Thu, 9 Mar 2017 11:32:28 -0600
Subject: [PATCH 157/251] USB: serial: option: add Quectel UC15, UC20, EC21,
and EC25 modems
+Status: RO
Content-Length: 2146
Lines: 50
--
2.12.2
-From 9218793a39def5ee7555d990ef6034260024a379 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
-Date: Fri, 17 Mar 2017 17:21:28 +0100
-Subject: [PATCH 158/251] USB: serial: qcserial: add Dell DW5811e
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 1135
-Lines: 26
-
-commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream.
-
-This is a Dell branded Sierra Wireless EM7455.
-
-Signed-off-by: Bjørn Mork <bjorn@mork.no>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/serial/qcserial.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
-index 696458db7e3c..38b3f0d8cd58 100644
---- a/drivers/usb/serial/qcserial.c
-+++ b/drivers/usb/serial/qcserial.c
-@@ -169,6 +169,8 @@ static const struct usb_device_id id_table[] = {
- {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
- {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
- {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
-+ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
-+ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
-
- /* Huawei devices */
- {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
---
-2.12.2
-
From 19f0fe67b9d04580c377efc568cc8630a5af06b4 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 14 Mar 2017 12:09:56 +0100
--
2.12.2
-From 8a8a8007871acae231ca5dba49f648d64326e919 Mon Sep 17 00:00:00 2001
-From: Roger Quadros <rogerq@ti.com>
-Date: Wed, 8 Mar 2017 16:05:43 +0200
-Subject: [PATCH 160/251] usb: gadget: f_uvc: Fix SuperSpeed companion
- descriptor's wBytesPerInterval
-Content-Length: 1446
-Lines: 35
-
-commit 09424c50b7dff40cb30011c09114404a4656e023 upstream.
-
-The streaming_maxburst module parameter is 0 offset (0..15)
-so we must add 1 while using it for wBytesPerInterval
-calculation for the SuperSpeed companion descriptor.
-
-Without this host uvcvideo driver will always see the wrong
-wBytesPerInterval for SuperSpeed uvc gadget and may not find
-a suitable video interface endpoint.
-e.g. for streaming_maxburst = 0 case it will always
-fail as wBytePerInterval was evaluating to 0.
-
-Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Signed-off-by: Roger Quadros <rogerq@ti.com>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/gadget/function/f_uvc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
-index 29b41b5dee04..c7689d05356c 100644
---- a/drivers/usb/gadget/function/f_uvc.c
-+++ b/drivers/usb/gadget/function/f_uvc.c
-@@ -625,7 +625,7 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
- uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst;
- uvc_ss_streaming_comp.wBytesPerInterval =
- cpu_to_le16(max_packet_size * max_packet_mult *
-- opts->streaming_maxburst);
-+ (opts->streaming_maxburst + 1));
-
- /* Allocate endpoints. */
- ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep);
---
-2.12.2
-
-From 2c929ea720f968da2f1ad90db995cc49a937955f Mon Sep 17 00:00:00 2001
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Mon, 13 Mar 2017 20:50:08 +0100
-Subject: [PATCH 161/251] usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
-Content-Length: 3060
-Lines: 83
-
-commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream.
-
-Some USB 2.0 devices erroneously report millisecond values in
-bInterval. The generic config code manages to catch most of them,
-but in some cases it's not completely enough.
-
-The case at stake here is a USB 2.0 braille device, which wants to
-announce 10ms and thus sets bInterval to 10, but with the USB 2.0
-computation that yields to 64ms. It happens that one can type fast
-enough to reach this interval and get the device buffers overflown,
-leading to problematic latencies. The generic config code does not
-catch this case because the 64ms is considered a sane enough value.
-
-This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk
-to mark devices which actually report milliseconds in bInterval,
-and marks Vario Ultra devices as needing it.
-
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Acked-by: Alan Stern <stern@rowland.harvard.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/core/config.c | 10 ++++++++++
- drivers/usb/core/quirks.c | 8 ++++++++
- include/linux/usb/quirks.h | 6 ++++++
- 3 files changed, 24 insertions(+)
-
-diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
-index ac30a051ad71..325cbc9c35d8 100644
---- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -246,6 +246,16 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
-
- /*
- * Adjust bInterval for quirked devices.
-+ */
-+ /*
-+ * This quirk fixes bIntervals reported in ms.
-+ */
-+ if (to_usb_device(ddev)->quirks &
-+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) {
-+ n = clamp(fls(d->bInterval) + 3, i, j);
-+ i = j = n;
-+ }
-+ /*
- * This quirk fixes bIntervals reported in
- * linear microframes.
- */
-diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
-index 24f9f98968a5..96b21b0dac1e 100644
---- a/drivers/usb/core/quirks.c
-+++ b/drivers/usb/core/quirks.c
-@@ -170,6 +170,14 @@ static const struct usb_device_id usb_quirk_list[] = {
- /* M-Systems Flash Disk Pioneers */
- { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
-
-+ /* Baum Vario Ultra */
-+ { USB_DEVICE(0x0904, 0x6101), .driver_info =
-+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
-+ { USB_DEVICE(0x0904, 0x6102), .driver_info =
-+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
-+ { USB_DEVICE(0x0904, 0x6103), .driver_info =
-+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
-+
- /* Keytouch QWERTY Panel keyboard */
- { USB_DEVICE(0x0926, 0x3333), .driver_info =
- USB_QUIRK_CONFIG_INTF_STRINGS },
-diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
-index 1d0043dc34e4..de2a722fe3cf 100644
---- a/include/linux/usb/quirks.h
-+++ b/include/linux/usb/quirks.h
-@@ -50,4 +50,10 @@
- /* device can't handle Link Power Management */
- #define USB_QUIRK_NO_LPM BIT(10)
-
-+/*
-+ * Device reports its bInterval as linear frames instead of the
-+ * USB 2.0 calculation.
-+ */
-+#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
-+
- #endif /* __LINUX_USB_QUIRKS_H */
---
-2.12.2
-
-From 73490abe249c238e2141f62995e2cc2d4ae392db Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:47:50 +0100
-Subject: [PATCH 162/251] USB: uss720: fix NULL-deref at probe
-Content-Length: 1198
-Lines: 37
-
-commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer or accessing memory beyond the endpoint array should a
-malicious device lack the expected endpoints.
-
-Note that the endpoint access that causes the NULL-deref is currently
-only used for debugging purposes during probe so the oops only happens
-when dynamic debugging is enabled. This means the driver could be
-rewritten to continue to accept device with only two endpoints, should
-such devices exist.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/misc/uss720.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c
-index bbd029c9c725..442b6631162e 100644
---- a/drivers/usb/misc/uss720.c
-+++ b/drivers/usb/misc/uss720.c
-@@ -711,6 +711,11 @@ static int uss720_probe(struct usb_interface *intf,
-
- interface = intf->cur_altsetting;
-
-+ if (interface->desc.bNumEndpoints < 3) {
-+ usb_put_dev(usbdev);
-+ return -ENODEV;
-+ }
-+
- /*
- * Allocate parport interface
- */
---
-2.12.2
-
-From a7712869e2e7cb1a5add2a8613f04e6c3647ef38 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:47:49 +0100
-Subject: [PATCH 163/251] USB: lvtest: fix NULL-deref at probe
-Content-Length: 995
-Lines: 32
-
-commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should the probed device lack endpoints.
-
-Note that this driver does not bind to any devices by default.
-
-Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver")
-Cc: Pratyush Anand <pratyush.anand@gmail.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/misc/lvstest.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c
-index 86b4e4b2ab9a..383fa007348f 100644
---- a/drivers/usb/misc/lvstest.c
-+++ b/drivers/usb/misc/lvstest.c
-@@ -370,6 +370,10 @@ static int lvs_rh_probe(struct usb_interface *intf,
-
- hdev = interface_to_usbdev(intf);
- desc = intf->cur_altsetting;
-+
-+ if (desc->desc.bNumEndpoints < 1)
-+ return -ENODEV;
-+
- endpoint = &desc->endpoint[0].desc;
-
- /* valid only for SS root hub */
---
-2.12.2
-
-From d6389d6abb8aff1d67ea64ef5b295ab3f4967d2d Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:47:48 +0100
-Subject: [PATCH 164/251] USB: idmouse: fix NULL-deref at probe
-Content-Length: 929
-Lines: 28
-
-commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer should a malicious device lack endpoints.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/misc/idmouse.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
-index 4e38683c653c..6d4e75785710 100644
---- a/drivers/usb/misc/idmouse.c
-+++ b/drivers/usb/misc/idmouse.c
-@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_interface *interface,
- if (iface_desc->desc.bInterfaceClass != 0x0A)
- return -ENODEV;
-
-+ if (iface_desc->desc.bNumEndpoints < 1)
-+ return -ENODEV;
-+
- /* allocate memory for our device state and initialize it */
- dev = kzalloc(sizeof(*dev), GFP_KERNEL);
- if (dev == NULL)
---
-2.12.2
-
-From a7cb1fafe429ebd9ecf7768edc577662cbb6011e Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 13 Mar 2017 13:47:51 +0100
-Subject: [PATCH 165/251] USB: wusbcore: fix NULL-deref at probe
-Content-Length: 1148
-Lines: 34
-
-commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.
-
-Make sure to check the number of endpoints to avoid dereferencing a
-NULL-pointer or accessing memory beyond the endpoint array should a
-malicious device lack the expected endpoints.
-
-This specifically fixes the NULL-pointer dereference when probing HWA HC
-devices.
-
-Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
-Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
-Cc: David Vrabel <david.vrabel@csr.com>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/wusbcore/wa-hc.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/usb/wusbcore/wa-hc.c b/drivers/usb/wusbcore/wa-hc.c
-index 252c7bd9218a..d01496fd27fe 100644
---- a/drivers/usb/wusbcore/wa-hc.c
-+++ b/drivers/usb/wusbcore/wa-hc.c
-@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct usb_interface *iface,
- int result;
- struct device *dev = &iface->dev;
-
-+ if (iface->cur_altsetting->desc.bNumEndpoints < 3)
-+ return -ENODEV;
-+
- result = wa_rpipes_create(wa);
- if (result < 0)
- goto error_rpipes_create;
---
-2.12.2
-
-From 47285be050ca3e9ca45f22966b0b655b5b83c250 Mon Sep 17 00:00:00 2001
-From: Bin Liu <b-liu@ti.com>
-Date: Fri, 10 Mar 2017 14:43:35 -0600
-Subject: [PATCH 166/251] usb: musb: cppi41: don't check early-TX-interrupt for
- Isoch transfer
-Content-Length: 1899
-Lines: 56
-
-commit 0090114d336a9604aa2d90bc83f20f7cd121b76c upstream.
-
-The CPPI 4.1 driver polls register to workaround the premature TX
-interrupt issue, but it causes audio playback underrun when triggered in
-Isoch transfers.
-
-Isoch doesn't do back-to-back transfers, the TX should be done by the
-time the next transfer is scheduled. So skip this polling workaround for
-Isoch transfer.
-
-Fixes: a655f481d83d6 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt")
-Reported-by: Alexandre Bailon <abailon@baylibre.com>
-Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Tested-by: Alexandre Bailon <abailon@baylibre.com>
-Signed-off-by: Bin Liu <b-liu@ti.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/musb/musb_cppi41.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/musb/musb_cppi41.c b/drivers/usb/musb/musb_cppi41.c
-index e499b862a946..88f26ac2a185 100644
---- a/drivers/usb/musb/musb_cppi41.c
-+++ b/drivers/usb/musb/musb_cppi41.c
-@@ -250,8 +250,27 @@ static void cppi41_dma_callback(void *private_data)
- transferred < cppi41_channel->packet_sz)
- cppi41_channel->prog_len = 0;
-
-- if (cppi41_channel->is_tx)
-- empty = musb_is_tx_fifo_empty(hw_ep);
-+ if (cppi41_channel->is_tx) {
-+ u8 type;
-+
-+ if (is_host_active(musb))
-+ type = hw_ep->out_qh->type;
-+ else
-+ type = hw_ep->ep_in.type;
-+
-+ if (type == USB_ENDPOINT_XFER_ISOC)
-+ /*
-+ * Don't use the early-TX-interrupt workaround below
-+ * for Isoch transfter. Since Isoch are periodic
-+ * transfer, by the time the next transfer is
-+ * scheduled, the current one should be done already.
-+ *
-+ * This avoids audio playback underrun issue.
-+ */
-+ empty = true;
-+ else
-+ empty = musb_is_tx_fifo_empty(hw_ep);
-+ }
-
- if (!cppi41_channel->is_tx || empty) {
- cppi41_trans_done(cppi41_channel);
---
-2.12.2
-
-From 14a2032287d43bbffadf22752e40830000aad503 Mon Sep 17 00:00:00 2001
-From: Guenter Roeck <linux@roeck-us.net>
-Date: Wed, 8 Mar 2017 10:19:36 -0800
-Subject: [PATCH 167/251] usb: hub: Fix crash after failure to read BOS
- descriptor
-Content-Length: 2813
-Lines: 69
-
-commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream.
-
-If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
-Nevertheless, it is dereferenced unconditionally in
-hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
-This results in a crash.
-
-usb 5-1: unable to get BOS descriptor
-...
-Unable to handle kernel NULL pointer dereference at virtual address 00000008
-pgd = ffffffc00165f000
-[00000008] *pgd=000000000174f003, *pud=000000000174f003,
- *pmd=0000000001750003, *pte=00e8000001751713
-Internal error: Oops: 96000005 [#1] PREEMPT SMP
-Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
-CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480
-Hardware name: Google Kevin (DT)
-Workqueue: events driver_set_config_work
-task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
-PC is at hub_port_init+0xc3c/0xd10
-LR is at hub_port_init+0xc3c/0xd10
-...
-Call trace:
-[<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
-[<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
-[<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
-[<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
-[<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
-[<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
-[<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
-[<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
-[<ffffffc0007747ec>] __device_attach+0xd0/0x158
-[<ffffffc000775080>] device_initial_probe+0x24/0x30
-[<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
-[<ffffffc000770bd0>] device_add+0x414/0x738
-[<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
-[<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
-[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
-[<ffffffc00024abcc>] worker_thread+0x480/0x610
-[<ffffffc000251a80>] kthread+0x164/0x178
-[<ffffffc0002045d0>] ret_from_fork+0x10/0x40
-
-Since we don't know anything about LPM capabilities without BOS descriptor,
-don't attempt to enable LPM if it is not available.
-
-Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
-Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/core/hub.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index f52d8abf6979..9e62c93af96e 100644
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -4199,7 +4199,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev)
- struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
- int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN;
-
-- if (!udev->usb2_hw_lpm_capable)
-+ if (!udev->usb2_hw_lpm_capable || !udev->bos)
- return;
-
- if (hub)
---
-2.12.2
-
From 815321da2e267c5c44a2900b39ac92632a9d6e80 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@kernel.org>
Date: Mon, 13 Mar 2017 13:47:53 +0100
--
2.12.2
-From 48da8f817b9db7909e5758257bdc84a6c611d99a Mon Sep 17 00:00:00 2001
-From: Ilya Dryomov <idryomov@gmail.com>
-Date: Wed, 1 Mar 2017 17:33:27 +0100
-Subject: [PATCH 182/251] libceph: don't set weight to IN when OSD is destroyed
-Content-Length: 1361
-Lines: 34
-
-commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.
-
-Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
-osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
-This changes the result of applying an incremental for clients, not
-just OSDs. Because CRUSH computations are obviously affected,
-pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
-object placement, resulting in misdirected requests.
-
-Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.
-
-Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
-Link: http://tracker.ceph.com/issues/19122
-Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
-Reviewed-by: Sage Weil <sage@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ceph/osdmap.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
-index ddc3573894b0..bc95e48d5cfb 100644
---- a/net/ceph/osdmap.c
-+++ b/net/ceph/osdmap.c
-@@ -1265,7 +1265,6 @@ static int decode_new_up_state_weight(void **p, void *end,
- if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
- (xorstate & CEPH_OSD_EXISTS)) {
- pr_info("osd%d does not exist\n", osd);
-- map->osd_weight[osd] = CEPH_OSD_IN;
- ret = set_primary_affinity(map, osd,
- CEPH_OSD_DEFAULT_PRIMARY_AFFINITY);
- if (ret)
---
-2.12.2
-
From c4cf86f69597d4547a736e3edd5b88ae61b68fa2 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@oracle.com>
Date: Mon, 5 Dec 2016 12:38:38 +1100
From: Johan Hovold <johan@kernel.org>
Date: Tue, 14 Mar 2017 17:55:45 +0100
Subject: [PATCH 186/251] USB: usbtmc: add missing endpoint sanity check
+Status: RO
Content-Length: 2168
Lines: 61
--
2.12.2
-From ce5494107946450f79ffce4538c243c37b08d85f Mon Sep 17 00:00:00 2001
-From: Sumit Semwal <sumit.semwal@linaro.org>
-Date: Sat, 25 Mar 2017 21:48:15 +0530
-Subject: [PATCH 202/251] s390/zcrypt: Introduce CEX6 toleration
-Content-Length: 1646
-Lines: 43
-
-From: Harald Freudenberger <freude@linux.vnet.ibm.com>
-
-[ Upstream commit b3e8652bcbfa04807e44708d4d0c8cdad39c9215 ]
-
-Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/s390/crypto/ap_bus.c | 3 +++
- drivers/s390/crypto/ap_bus.h | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
-index 24ec282e15d8..7c3b8d3516e3 100644
---- a/drivers/s390/crypto/ap_bus.c
-+++ b/drivers/s390/crypto/ap_bus.c
-@@ -1651,6 +1651,9 @@ static void ap_scan_bus(struct work_struct *unused)
- ap_dev->queue_depth = queue_depth;
- ap_dev->raw_hwtype = device_type;
- ap_dev->device_type = device_type;
-+ /* CEX6 toleration: map to CEX5 */
-+ if (device_type == AP_DEVICE_TYPE_CEX6)
-+ ap_dev->device_type = AP_DEVICE_TYPE_CEX5;
- ap_dev->functions = device_functions;
- spin_lock_init(&ap_dev->lock);
- INIT_LIST_HEAD(&ap_dev->pendingq);
-diff --git a/drivers/s390/crypto/ap_bus.h b/drivers/s390/crypto/ap_bus.h
-index 6adcbdf225d1..cc741e948170 100644
---- a/drivers/s390/crypto/ap_bus.h
-+++ b/drivers/s390/crypto/ap_bus.h
-@@ -105,6 +105,7 @@ static inline int ap_test_bit(unsigned int *ptr, unsigned int nr)
- #define AP_DEVICE_TYPE_CEX3C 9
- #define AP_DEVICE_TYPE_CEX4 10
- #define AP_DEVICE_TYPE_CEX5 11
-+#define AP_DEVICE_TYPE_CEX6 12
-
- /*
- * Known function facilities
---
-2.12.2
-
From 4e2c66bb6658f6f4583c8920adeecb7bcc90bd9f Mon Sep 17 00:00:00 2001
From: Sumit Semwal <sumit.semwal@linaro.org>
Date: Sat, 25 Mar 2017 21:48:16 +0530
From: Ilya Dryomov <idryomov@gmail.com>
Date: Tue, 21 Mar 2017 13:44:28 +0100
Subject: [PATCH 225/251] libceph: force GFP_NOIO for socket allocations
+Status: RO
Content-Length: 4579
Lines: 104
--
2.12.2
-From eac3ab3e69151c21a0a71ec8711600022cc12fa3 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Fri, 24 Mar 2017 13:38:28 -0400
-Subject: [PATCH 237/251] USB: fix linked-list corruption in rh_call_control()
-Content-Length: 1325
-Lines: 44
-
-commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream.
-
-Using KASAN, Dmitry found a bug in the rh_call_control() routine: If
-buffer allocation fails, the routine returns immediately without
-unlinking its URB from the control endpoint, eventually leading to
-linked-list corruption.
-
-This patch fixes the problem by jumping to the end of the routine
-(where the URB is unlinked) when an allocation failure occurs.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/core/hcd.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 5724d7c41e29..ca2cbdb3aa67 100644
---- a/drivers/usb/core/hcd.c
-+++ b/drivers/usb/core/hcd.c
-@@ -499,8 +499,10 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
- */
- tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
- tbuf = kzalloc(tbuf_size, GFP_KERNEL);
-- if (!tbuf)
-- return -ENOMEM;
-+ if (!tbuf) {
-+ status = -ENOMEM;
-+ goto err_alloc;
-+ }
-
- bufp = tbuf;
-
-@@ -705,6 +707,7 @@ error:
- }
-
- kfree(tbuf);
-+ err_alloc:
-
- /* any errors get returned through the urb completion */
- spin_lock_irq(&hcd_root_hub_lock);
---
-2.12.2
-
From 3eb392056aeb4a0beca5fcead9ad3d6b6ff0816e Mon Sep 17 00:00:00 2001
From: Peter Xu <peterx@redhat.com>
Date: Wed, 15 Mar 2017 16:01:17 +0800