From: Greg Kroah-Hartman Date: Wed, 19 Apr 2017 15:35:58 +0000 (+0200) Subject: 3.18 patches X-Git-Tag: v4.4.63~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b78d7609f22de9af6cc324e59234f6a74fbfd23;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18 patches
---
diff --git a/mbox_todo-3.18 b/mbox_todo-3.18
index f132fdc66ae..ee898236a7d 100644
--- a/mbox_todo-3.18
+++ b/mbox_todo-3.18
@@ -485,264 +485,6 @@ index 7f54ac081cf3..d9cc21df444d 100644 -- 2.12.2 -From 56f9b9502f2d15b9c7b83f9cfb32798e2e364f61 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Mon, 13 Mar 2017 17:38:17 +0100 -Subject: [PATCH 092/251] bridge: drop netfilter fake rtable unconditionally -Status: RO -Content-Length: 2943 -Lines: 81 - -[ Upstream commit a13b2082ece95247779b9995c4e91b4246bed023 ] - -Andreas reports kernel oops during rmmod of the br_netfilter module. -Hannes debugged the oops down to a NULL rt6info->rt6i_indev. - -Problem is that br_netfilter has the nasty concept of adding a fake -rtable to skb->dst; this happens in a br_netfilter prerouting hook. - -A second hook (in bridge LOCAL_IN) is supposed to remove these again -before the skb is handed up the stack. - -However, on module unload hooks get unregistered which means an -skb could traverse the prerouting hook that attaches the fake_rtable, -while the 'fake rtable remove' hook gets removed from the hooklist -immediately after. - -Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core") -Reported-by: Andreas Karis -Debugged-by: Hannes Frederic Sowa -Signed-off-by: Florian Westphal -Acked-by: Pablo Neira Ayuso -Signed-off-by: David S. 
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/bridge/br_input.c | 1 + - net/bridge/br_netfilter_hooks.c | 21 --------------------- - 2 files changed, 1 insertion(+), 21 deletions(-) - -diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c -index f7fba74108a9..e24754a0e052 100644 ---- a/net/bridge/br_input.c -+++ b/net/bridge/br_input.c -@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook); - static int - br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb) - { -+ br_drop_fake_rtable(skb); - return netif_receive_skb(skb); - } - -diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c -index 7ddbe7ec81d6..97fc19f001bf 100644 ---- a/net/bridge/br_netfilter_hooks.c -+++ b/net/bridge/br_netfilter_hooks.c -@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv, - } - - --/* PF_BRIDGE/LOCAL_IN ************************************************/ --/* The packet is locally destined, which requires a real -- * dst_entry, so detach the fake one. On the way up, the -- * packet would pass through PRE_ROUTING again (which already -- * took place when the packet entered the bridge), but we -- * register an IPv4 PRE_ROUTING 'sabotage' hook that will -- * prevent this from happening. 
*/ --static unsigned int br_nf_local_in(void *priv, -- struct sk_buff *skb, -- const struct nf_hook_state *state) --{ -- br_drop_fake_rtable(skb); -- return NF_ACCEPT; --} -- - /* PF_BRIDGE/FORWARD *************************************************/ - static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) - { -@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = { - .priority = NF_BR_PRI_BRNF, - }, - { -- .hook = br_nf_local_in, -- .pf = NFPROTO_BRIDGE, -- .hooknum = NF_BR_LOCAL_IN, -- .priority = NF_BR_PRI_BRNF, -- }, -- { - .hook = br_nf_forward_ip, - .pf = NFPROTO_BRIDGE, - .hooknum = NF_BR_FORWARD, --- -2.12.2 - -From c10ffe988f15a0306d5d8cb1c6b475c9fe2fc2c9 Mon Sep 17 00:00:00 2001 -From: Roman Mashak -Date: Fri, 24 Feb 2017 11:00:32 -0500 -Subject: [PATCH 095/251] net sched actions: decrement module reference count - after table flush. -Status: RO -Content-Length: 2407 -Lines: 90 - -[ Upstream commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 ] - -When tc actions are loaded as a module and no actions have been installed, -flushing them would result in actions removed from the memory, but modules -reference count not being decremented, so that the modules would not be -unloaded. - -Following is example with GACT action: - -% sudo modprobe act_gact -% lsmod -Module Size Used by -act_gact 16384 0 -% -% sudo tc actions ls action gact -% -% sudo tc actions flush action gact -% lsmod -Module Size Used by -act_gact 16384 1 -% sudo tc actions flush action gact -% lsmod -Module Size Used by -act_gact 16384 2 -% sudo rmmod act_gact -rmmod: ERROR: Module act_gact is in use -.... 
- -After the fix: -% lsmod -Module Size Used by -act_gact 16384 0 -% -% sudo tc actions add action pass index 1 -% sudo tc actions add action pass index 2 -% sudo tc actions add action pass index 3 -% lsmod -Module Size Used by -act_gact 16384 3 -% -% sudo tc actions flush action gact -% lsmod -Module Size Used by -act_gact 16384 0 -% -% sudo tc actions flush action gact -% lsmod -Module Size Used by -act_gact 16384 0 -% sudo rmmod act_gact -% lsmod -Module Size Used by -% - -Fixes: f97017cdefef ("net-sched: Fix actions flushing") -Signed-off-by: Roman Mashak -Signed-off-by: Jamal Hadi Salim -Acked-by: Cong Wang -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/sched/act_api.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/net/sched/act_api.c b/net/sched/act_api.c -index 06e7c4a37245..694a06f1e0d5 100644 ---- a/net/sched/act_api.c -+++ b/net/sched/act_api.c -@@ -820,10 +820,8 @@ static int tca_action_flush(struct net *net, struct nlattr *nla, - goto out_module_put; - - err = a.ops->walk(skb, &dcb, RTM_DELACTION, &a); -- if (err < 0) -+ if (err <= 0) - goto out_module_put; -- if (err == 0) -- goto noflush_out; - - nla_nest_end(skb, nest); - -@@ -840,7 +838,6 @@ static int tca_action_flush(struct net *net, struct nlattr *nla, - out_module_put: - module_put(a.ops->owner); - err_out: --noflush_out: - kfree_skb(skb); - return err; - } --- -2.12.2 - -From fd74e8d258da9f9678da6bf88a0b02b2c1b71d0c Mon Sep 17 00:00:00 2001 -From: Eric Biggers -Date: Mon, 19 Dec 2016 14:20:13 -0800 -Subject: [PATCH 096/251] fscrypt: fix renaming and linking special files -Status: RO -Content-Length: 2187 -Lines: 59 - -commit 42d97eb0ade31e1bc537d086842f5d6e766d9d51 upstream. - -Attempting to link a device node, named pipe, or socket file into an -encrypted directory through rename(2) or link(2) always failed with -EPERM. 
This happened because fscrypt_has_permitted_context() saw that -the file was unencrypted and forbid creating the link. This behavior -was unexpected because such files are never encrypted; only regular -files, directories, and symlinks can be encrypted. - -To fix this, make fscrypt_has_permitted_context() always return true on -special files. - -This will be covered by a test in my encryption xfstests patchset. - -Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") -Signed-off-by: Eric Biggers -Reviewed-by: Richard Weinberger -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/crypto_policy.c | 6 ++++++ - fs/f2fs/crypto_policy.c | 5 +++++ - 2 files changed, 11 insertions(+) - -diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c -index 8a9feb341f31..dd561f916f0b 100644 ---- a/fs/ext4/crypto_policy.c -+++ b/fs/ext4/crypto_policy.c -@@ -156,6 +156,12 @@ int ext4_is_child_context_consistent_with_parent(struct inode *parent, - WARN_ON(1); /* Should never happen */ - return 0; - } -+ -+ /* No restrictions on file types which are never encrypted */ -+ if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && -+ !S_ISLNK(child->i_mode)) -+ return 1; -+ - /* no restrictions if the parent directory is not encrypted */ - if (!ext4_encrypted_inode(parent)) - return 1; -diff --git a/fs/f2fs/crypto_policy.c b/fs/f2fs/crypto_policy.c -index e504f548b64e..5bbd1989d5e6 100644 ---- a/fs/f2fs/crypto_policy.c -+++ b/fs/f2fs/crypto_policy.c -@@ -149,6 +149,11 @@ int f2fs_is_child_context_consistent_with_parent(struct inode *parent, - BUG_ON(1); - } - -+ /* No restrictions on file types which are never encrypted */ -+ if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && -+ !S_ISLNK(child->i_mode)) -+ return 1; -+ - /* no restrictions if the parent directory is not encrypted */ - if (!f2fs_encrypted_inode(parent)) - return 1; --- -2.12.2 - From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 22 Mar 2017 12:17:51 +0100 
@@ -770,349 +512,6 @@ index d9cc21df444d..cf9303a5d621 100644 -- 2.12.2 -From 50730d7f361f9915ec7063a629500119b0e8c3b6 Mon Sep 17 00:00:00 2001 -From: Thomas Huth -Date: Wed, 18 May 2016 21:01:20 +0200 -Subject: [PATCH 114/251] KVM: PPC: Book3S PR: Fix illegal opcode emulation -Content-Length: 2006 -Lines: 47 - -commit 708e75a3ee750dce1072134e630d66c4e6eaf63c upstream. - -If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate -one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls -kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction() -returned EMULATE_FAIL, so the guest gets an program interrupt for the -illegal opcode. -However, the kvmppc_emulate_instruction() also tried to inject a -program exception for this already, so the program interrupt gets -injected twice and the return address in srr0 gets destroyed. -All other callers of kvmppc_emulate_instruction() are also injecting -a program interrupt, and since the callers have the right knowledge -about the srr1 flags that should be used, it is the function -kvmppc_emulate_instruction() that should _not_ inject program -interrupts, so remove the kvmppc_core_queue_program() here. 
- -This fixes the issue discovered by Laurent Vivier with kvm-unit-tests -where the logs are filled with these messages when the test tries -to execute an illegal instruction: - - Couldn't emulate instruction 0x00000000 (op 0 xop 0) - kvmppc_handle_exit_pr: emulation at 700 failed (00000000) - -Signed-off-by: Thomas Huth -Reviewed-by: Alexander Graf -Tested-by: Laurent Vivier -Signed-off-by: Paul Mackerras -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/kvm/emulate.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/arch/powerpc/kvm/emulate.c b/arch/powerpc/kvm/emulate.c -index 5cc2e7af3a7b..b379146de55b 100644 ---- a/arch/powerpc/kvm/emulate.c -+++ b/arch/powerpc/kvm/emulate.c -@@ -302,7 +302,6 @@ int kvmppc_emulate_instruction(struct kvm_run *run, struct kvm_vcpu *vcpu) - advance = 0; - printk(KERN_ERR "Couldn't emulate instruction 0x%08x " - "(op %d xop %d)\n", inst, get_op(inst), get_xop(inst)); -- kvmppc_core_queue_program(vcpu, 0); - } - } - --- -2.12.2 - -From 13a26889cbc1eb8a7b9a7712c05538c55659fe40 Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Thu, 14 Jan 2016 08:07:55 +1000 -Subject: [PATCH 116/251] drm/amdgpu: add missing irq.h include -Content-Length: 751 -Lines: 25 - -commit e9c5e7402dad6f4f04c2430db6f283512bcd4392 upstream. - -this fixes the build on arm. 
- -Signed-off-by: Dave Airlie -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -index 7c42ff670080..a0924330d125 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -@@ -25,6 +25,7 @@ - * Alex Deucher - * Jerome Glisse - */ -+#include - #include - #include - #include --- -2.12.2 - -From cea050150323a2c09efc316f0272af053e0b87e2 Mon Sep 17 00:00:00 2001 -From: Jason Gunthorpe -Date: Wed, 25 Nov 2015 14:05:30 -0700 -Subject: [PATCH 117/251] tpm_tis: Use devm_free_irq not free_irq -Content-Length: 1236 -Lines: 33 - -commit 727f28b8ca24a581c7bd868326b8cea1058c720a upstream. - -The interrupt is always allocated with devm_request_irq so it -must always be freed with devm_free_irq. - -Fixes: 448e9c55c12d ("tpm_tis: verify interrupt during init") -Signed-off-by: Jason Gunthorpe -Acked-by: Jarkko Sakkinen -Tested-by: Jarkko Sakkinen -Tested-by: Martin Wilck -Signed-off-by: Jarkko Sakkinen -Acked-by: Peter Huewe -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/tpm/tpm_tis.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c -index 65f7eecc45b0..f10a107614b4 100644 ---- a/drivers/char/tpm/tpm_tis.c -+++ b/drivers/char/tpm/tpm_tis.c -@@ -401,7 +401,7 @@ static void disable_interrupts(struct tpm_chip *chip) - iowrite32(intmask, - chip->vendor.iobase + - TPM_INT_ENABLE(chip->vendor.locality)); -- free_irq(chip->vendor.irq, chip); -+ devm_free_irq(chip->pdev, chip->vendor.irq, chip); - chip->vendor.irq = 0; - } - --- -2.12.2 - -From 6cc5b73d79697e1a529249572ac022192f1ddffd Mon Sep 17 00:00:00 2001 -From: Vitaly Kuznetsov -Date: Mon, 25 Jan 2016 16:00:41 +0100 -Subject: [PATCH 118/251] hv_netvsc: use skb_get_hash() instead of a homegrown - 
implementation -Content-Length: 2988 -Lines: 108 - -commit 757647e10e55c01fb7a9c4356529442e316a7c72 upstream. - -Recent changes to 'struct flow_keys' (e.g commit d34af823ff40 ("net: Add -VLAN ID to flow_keys")) introduced a performance regression in netvsc -driver. Is problem is, however, not the above mentioned commit but the -fact that netvsc_set_hash() function did some assumptions on the struct -flow_keys data layout and this is wrong. - -Get rid of netvsc_set_hash() by switching to skb_get_hash(). This change -will also imply switching to Jenkins hash from the currently used Toeplitz -but it seems there is no good excuse for Toeplitz to stay. - -Signed-off-by: Vitaly Kuznetsov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/hyperv/netvsc_drv.c | 67 ++--------------------------------------- - 1 file changed, 3 insertions(+), 64 deletions(-) - -diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c -index e8a09ff9e724..c8a7802d2953 100644 ---- a/drivers/net/hyperv/netvsc_drv.c -+++ b/drivers/net/hyperv/netvsc_drv.c -@@ -197,65 +197,6 @@ static void *init_ppi_data(struct rndis_message *msg, u32 ppi_size, - return ppi; - } - --union sub_key { -- u64 k; -- struct { -- u8 pad[3]; -- u8 kb; -- u32 ka; -- }; --}; -- --/* Toeplitz hash function -- * data: network byte order -- * return: host byte order -- */ --static u32 comp_hash(u8 *key, int klen, void *data, int dlen) --{ -- union sub_key subk; -- int k_next = 4; -- u8 dt; -- int i, j; -- u32 ret = 0; -- -- subk.k = 0; -- subk.ka = ntohl(*(u32 *)key); -- -- for (i = 0; i < dlen; i++) { -- subk.kb = key[k_next]; -- k_next = (k_next + 1) % klen; -- dt = ((u8 *)data)[i]; -- for (j = 0; j < 8; j++) { -- if (dt & 0x80) -- ret ^= subk.ka; -- dt <<= 1; -- subk.k <<= 1; -- } -- } -- -- return ret; --} -- --static bool netvsc_set_hash(u32 *hash, struct sk_buff *skb) --{ -- struct flow_keys flow; -- int data_len; -- -- if 
(!skb_flow_dissect_flow_keys(skb, &flow, 0) || -- !(flow.basic.n_proto == htons(ETH_P_IP) || -- flow.basic.n_proto == htons(ETH_P_IPV6))) -- return false; -- -- if (flow.basic.ip_proto == IPPROTO_TCP) -- data_len = 12; -- else -- data_len = 8; -- -- *hash = comp_hash(netvsc_hash_key, HASH_KEYLEN, &flow, data_len); -- -- return true; --} -- - static u16 netvsc_select_queue(struct net_device *ndev, struct sk_buff *skb, - void *accel_priv, select_queue_fallback_t fallback) - { -@@ -268,11 +209,9 @@ static u16 netvsc_select_queue(struct net_device *ndev, struct sk_buff *skb, - if (nvsc_dev == NULL || ndev->real_num_tx_queues <= 1) - return 0; - -- if (netvsc_set_hash(&hash, skb)) { -- q_idx = nvsc_dev->send_table[hash % VRSS_SEND_TAB_SIZE] % -- ndev->real_num_tx_queues; -- skb_set_hash(skb, hash, PKT_HASH_TYPE_L3); -- } -+ hash = skb_get_hash(skb); -+ q_idx = nvsc_dev->send_table[hash % VRSS_SEND_TAB_SIZE] % -+ ndev->real_num_tx_queues; - - return q_idx; - } --- -2.12.2 - -From 6052eb871217c0679ac63779fc5e43eb49c83b0c Mon Sep 17 00:00:00 2001 -From: Andi Kleen -Date: Mon, 23 May 2016 16:24:05 -0700 -Subject: [PATCH 119/251] kernek/fork.c: allocate idle task for a CPU always on - its local node -Content-Length: 3134 -Lines: 88 - -commit 725fc629ff2545b061407305ae51016c9f928fce upstream. - -Linux preallocates the task structs of the idle tasks for all possible -CPUs. This currently means they all end up on node 0. This also -implies that the cache line of MWAIT, which is around the flags field in -the task struct, are all located in node 0. - -We see a noticeable performance improvement on Knights Landing CPUs when -the cache lines used for MWAIT are located in the local nodes of the -CPUs using them. I would expect this to give a (likely slight) -improvement on other systems too. 
- -The patch implements placing the idle task in the node of its CPUs, by -passing the right target node to copy_process() - -[akpm@linux-foundation.org: use NUMA_NO_NODE, not a bare -1] -Link: http://lkml.kernel.org/r/1463492694-15833-1-git-send-email-andi@firstfloor.org -Signed-off-by: Andi Kleen -Cc: Thomas Gleixner -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - kernel/fork.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index 2e55b53399de..278a2ddad351 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -331,13 +331,14 @@ void set_task_stack_end_magic(struct task_struct *tsk) - *stackend = STACK_END_MAGIC; /* for overflow detection */ - } - --static struct task_struct *dup_task_struct(struct task_struct *orig) -+static struct task_struct *dup_task_struct(struct task_struct *orig, int node) - { - struct task_struct *tsk; - struct thread_info *ti; -- int node = tsk_fork_get_node(orig); - int err; - -+ if (node == NUMA_NO_NODE) -+ node = tsk_fork_get_node(orig); - tsk = alloc_task_struct_node(node); - if (!tsk) - return NULL; -@@ -1270,7 +1271,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, - int __user *child_tidptr, - struct pid *pid, - int trace, -- unsigned long tls) -+ unsigned long tls, -+ int node) - { - int retval; - struct task_struct *p; -@@ -1323,7 +1325,7 @@ static struct task_struct *copy_process(unsigned long clone_flags, - goto fork_out; - - retval = -ENOMEM; -- p = dup_task_struct(current); -+ p = dup_task_struct(current, node); - if (!p) - goto fork_out; - -@@ -1699,7 +1701,8 @@ static inline void init_idle_pids(struct pid_link *links) - struct task_struct *fork_idle(int cpu) - { - struct task_struct *task; -- task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0, 0); -+ task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0, 0, -+ cpu_to_node(cpu)); - if 
(!IS_ERR(task)) { - init_idle_pids(task->pids); - init_idle(task, cpu); -@@ -1744,7 +1747,7 @@ long _do_fork(unsigned long clone_flags, - } - - p = copy_process(clone_flags, stack_start, stack_size, -- child_tidptr, NULL, trace, tls); -+ child_tidptr, NULL, trace, tls, NUMA_NO_NODE); - /* - * Do this prior waking up the new thread - the thread pointer - * might get invalid after that point, if the thread exits quickly. --- -2.12.2 - From 4cb0c0b73d1c79a8ce260836b3f27650aa1c57f1 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Thu, 2 Mar 2017 12:17:22 -0800 
@@ -1242,3240 +641,35 @@ index 41446668ccce..d5677d39c1e4 100644 - ) : \ + 1 ) : \ (sizeof(n) <= 4) ? \ - __ilog2_u32(n) : \ - __ilog2_u64(n) \ --- -2.12.2 - -From f02729f2ab87c84bbc959e7631487a4b84dbdf63 Mon Sep 17 00:00:00 2001 -From: Peter Zijlstra -Date: Thu, 16 Mar 2017 13:47:49 +0100 -Subject: [PATCH 121/251] perf/core: Fix event inheritance on fork() -Content-Length: 2243 -Lines: 62 - -commit e7cc4865f0f31698ef2f7aac01a50e78968985b7 upstream. - -While hunting for clues to a use-after-free, Oleg spotted that -perf_event_init_context() can loose an error value with the result -that fork() can succeed even though we did not fully inherit the perf -event context. - -Spotted-by: Oleg Nesterov -Signed-off-by: Peter Zijlstra (Intel) -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Arnaldo Carvalho de Melo -Cc: Dmitry Vyukov -Cc: Frederic Weisbecker -Cc: Jiri Olsa -Cc: Linus Torvalds -Cc: Mathieu Desnoyers -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Cc: oleg@redhat.com -Fixes: 889ff0150661 ("perf/core: Split context's event group list into pinned and non-pinned lists") -Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.org -Signed-off-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - kernel/events/core.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index 9bbe9ac23cf2..e4b5494f05f8 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -9230,7 +9230,7 @@ static int perf_event_init_context(struct task_struct *child, int ctxn) - ret = inherit_task_group(event, parent, parent_ctx, - child, ctxn, &inherited_all); - if (ret) -- break; -+ goto out_unlock; - } - - /* -@@ -9246,7 +9246,7 @@ static int perf_event_init_context(struct task_struct *child, int ctxn) - ret = inherit_task_group(event, parent, parent_ctx, - child, ctxn, &inherited_all); - if (ret) -- break; -+ goto out_unlock; - } - - 
raw_spin_lock_irqsave(&parent_ctx->lock, flags); -@@ -9274,6 +9274,7 @@ static int perf_event_init_context(struct task_struct *child, int ctxn) - } - - raw_spin_unlock_irqrestore(&parent_ctx->lock, flags); -+out_unlock: - mutex_unlock(&parent_ctx->mutex); - - perf_unpin_context(parent_ctx); --- -2.12.2 - -From 09875d1393d4589bcdfeeba8747a12dd69810cc9 Mon Sep 17 00:00:00 2001 -From: "Rafael J. Wysocki" -Date: Wed, 15 Mar 2017 00:12:16 +0100 -Subject: [PATCH 122/251] cpufreq: Fix and clean up show_cpuinfo_cur_freq() -Content-Length: 992 -Lines: 33 - -commit 9b4f603e7a9f4282aec451063ffbbb8bb410dcd9 upstream. - -There is a missing newline in show_cpuinfo_cur_freq(), so add it, -but while at it clean that function up somewhat too. - -Signed-off-by: Rafael J. Wysocki -Acked-by: Viresh Kumar -Signed-off-by: Greg Kroah-Hartman ---- - drivers/cpufreq/cpufreq.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index 8412ce5f93a7..86fa9fdc8323 100644 ---- a/drivers/cpufreq/cpufreq.c -+++ b/drivers/cpufreq/cpufreq.c -@@ -626,9 +626,11 @@ static ssize_t show_cpuinfo_cur_freq(struct cpufreq_policy *policy, - char *buf) - { - unsigned int cur_freq = __cpufreq_get(policy); -- if (!cur_freq) -- return sprintf(buf, ""); -- return sprintf(buf, "%u\n", cur_freq); -+ -+ if (cur_freq) -+ return sprintf(buf, "%u\n", cur_freq); -+ -+ return sprintf(buf, "\n"); - } - - /** --- -2.12.2 - -From 582f548924cdda2dadf842020075f6b2525421d2 Mon Sep 17 00:00:00 2001 -From: Shaohua Li -Date: Tue, 28 Feb 2017 13:00:20 -0800 -Subject: [PATCH 124/251] md/raid1/10: fix potential deadlock -Content-Length: 3293 -Lines: 86 - -commit 61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 upstream. - -Neil Brown pointed out a potential deadlock in raid 10 code with -bio_split/chain. The raid1 code could have the same issue, but recent -barrier rework makes it less likely to happen. The deadlock happens in -below sequence: - -1. 
generic_make_request(bio), this will set current->bio_list -2. raid10_make_request will split bio to bio1 and bio2 -3. __make_request(bio1), wait_barrer, add underlayer disk bio to -current->bio_list -4. __make_request(bio2), wait_barrer - -If raise_barrier happens between 3 & 4, since wait_barrier runs at 3, -raise_barrier waits for IO completion from 3. And since raise_barrier -sets barrier, 4 waits for raise_barrier. But IO from 3 can't be -dispatched because raid10_make_request() doesn't finished yet. - -The solution is to adjust the IO ordering. Quotes from Neil: -" -It is much safer to: - - if (need to split) { - split = bio_split(bio, ...) - bio_chain(...) - make_request_fn(split); - generic_make_request(bio); - } else - make_request_fn(mddev, bio); - -This way we first process the initial section of the bio (in 'split') -which will queue some requests to the underlying devices. These -requests will be queued in generic_make_request. -Then we queue the remainder of the bio, which will be added to the end -of the generic_make_request queue. -Then we return. -generic_make_request() will pop the lower-level device requests off the -queue and handle them first. Then it will process the remainder -of the original bio once the first section has been fully processed. -" - -Note, this only happens in read path. In write path, the bio is flushed to -underlaying disks either by blk flush (from schedule) or offladed to raid1/10d. -It's queued in current->bio_list. 
- -Cc: Coly Li -Suggested-by: NeilBrown -Reviewed-by: Jack Wang -Signed-off-by: Shaohua Li -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/raid10.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index ebb0dd612ebd..122af340a531 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1477,7 +1477,25 @@ static void make_request(struct mddev *mddev, struct bio *bio) - split = bio; - } - -+ /* -+ * If a bio is splitted, the first part of bio will pass -+ * barrier but the bio is queued in current->bio_list (see -+ * generic_make_request). If there is a raise_barrier() called -+ * here, the second part of bio can't pass barrier. But since -+ * the first part bio isn't dispatched to underlaying disks -+ * yet, the barrier is never released, hence raise_barrier will -+ * alays wait. We have a deadlock. -+ * Note, this only happens in read path. For write path, the -+ * first part of bio is dispatched in a schedule() call -+ * (because of blk plug) or offloaded to raid10d. -+ * Quitting from the function immediately can change the bio -+ * order queued in bio_list and avoid the deadlock. -+ */ - __make_request(mddev, split); -+ if (split != bio && bio_data_dir(bio) == READ) { -+ generic_make_request(bio); -+ break; -+ } - } while (split != bio); - - /* In case raid10d snuck in to freeze_array */ --- -2.12.2 - -From d267ecbdfdb4199c0e3a967ecc17a6b80d95209a Mon Sep 17 00:00:00 2001 -From: Max Lohrmann -Date: Tue, 7 Mar 2017 22:09:56 -0800 -Subject: [PATCH 128/251] target: Fix VERIFY_16 handling in sbc_parse_cdb -Content-Length: 1397 -Lines: 42 - -commit 13603685c1f12c67a7a2427f00b63f39a2b6f7c9 upstream. - -As reported by Max, the Windows 2008 R2 chkdsk utility expects -VERIFY_16 to be supported, and does not handle the returned -CHECK_CONDITION properly, resulting in an infinite loop. 
- -The kernel will log huge amounts of this error: - -kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending -CHECK_CONDITION. - -Signed-off-by: Max Lohrmann -Signed-off-by: Nicholas Bellinger -Signed-off-by: Greg Kroah-Hartman ---- - drivers/target/target_core_sbc.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c -index 2e27b1034ede..90c5dffc9fa4 100644 ---- a/drivers/target/target_core_sbc.c -+++ b/drivers/target/target_core_sbc.c -@@ -1096,9 +1096,15 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops) - return ret; - break; - case VERIFY: -+ case VERIFY_16: - size = 0; -- sectors = transport_get_sectors_10(cdb); -- cmd->t_task_lba = transport_lba_32(cdb); -+ if (cdb[0] == VERIFY) { -+ sectors = transport_get_sectors_10(cdb); -+ cmd->t_task_lba = transport_lba_32(cdb); -+ } else { -+ sectors = transport_get_sectors_16(cdb); -+ cmd->t_task_lba = transport_lba_64(cdb); -+ } - cmd->execute_cmd = sbc_emulate_noop; - goto check_lba; - case REZERO_UNIT: --- -2.12.2 - -From 4f47ca4882564c4b76cc9c426583a49d23893dda Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:39:01 +0100 -Subject: [PATCH 129/251] isdn/gigaset: fix NULL-deref at probe -Content-Length: 1072 -Lines: 30 - -commit 68c32f9c2a36d410aa242e661506e5b2c2764179 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. - -Fixes: cf7776dc05b8 ("[PATCH] isdn4linux: Siemens Gigaset drivers - direct USB connection") -Cc: Hansjoerg Lipp -Signed-off-by: Johan Hovold -Signed-off-by: David S. 
Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/isdn/gigaset/bas-gigaset.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c -index aecec6d32463..7f1c625b08ec 100644 ---- a/drivers/isdn/gigaset/bas-gigaset.c -+++ b/drivers/isdn/gigaset/bas-gigaset.c -@@ -2317,6 +2317,9 @@ static int gigaset_probe(struct usb_interface *interface, - return -ENODEV; - } - -+ if (hostif->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - dev_info(&udev->dev, - "%s: Device matched (Vendor: 0x%x, Product: 0x%x)\n", - __func__, le16_to_cpu(udev->descriptor.idVendor), --- -2.12.2 - -From e08f608ab4288f4192a504e6c94dd7c9c931dad8 Mon Sep 17 00:00:00 2001 -From: Andreas Gruenbacher -Date: Mon, 6 Mar 2017 12:58:42 -0500 -Subject: [PATCH 130/251] gfs2: Avoid alignment hole in struct lm_lockname -Content-Length: 1009 -Lines: 30 - -commit 28ea06c46fbcab63fd9a55531387b7928a18a590 upstream. - -Commit 88ffbf3e03 switches to using rhashtables for glocks, hashing over -the entire struct lm_lockname instead of its individual fields. On some -architectures, struct lm_lockname contains a hole of uninitialized -memory due to alignment rules, which now leads to incorrect hash values. -Get rid of that hole. 
- -Signed-off-by: Andreas Gruenbacher -Signed-off-by: Bob Peterson -Signed-off-by: Greg Kroah-Hartman ---- - fs/gfs2/incore.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h -index de7b4f97ac75..be519416c112 100644 ---- a/fs/gfs2/incore.h -+++ b/fs/gfs2/incore.h -@@ -207,7 +207,7 @@ struct lm_lockname { - struct gfs2_sbd *ln_sbd; - u64 ln_number; - unsigned int ln_type; --}; -+} __packed __aligned(sizeof(int)); - - #define lm_name_equal(name1, name2) \ - (((name1)->ln_number == (name2)->ln_number) && \ --- -2.12.2 - -From d88b83e66bbf588a5d85168d9839501cd47fe561 Mon Sep 17 00:00:00 2001 -From: Tahsin Erdogan -Date: Sat, 25 Feb 2017 13:00:19 -0800 -Subject: [PATCH 131/251] percpu: acquire pcpu_lock when updating - pcpu_nr_empty_pop_pages -Content-Length: 1047 -Lines: 33 - -commit 320661b08dd6f1746d5c7ab4eb435ec64b97cd45 upstream. - -Update to pcpu_nr_empty_pop_pages in pcpu_alloc() is currently done -without holding pcpu_lock. This can lead to bad updates to the variable. -Add missing lock calls. 
- -Fixes: b539b87fed37 ("percpu: implmeent pcpu_nr_empty_pop_pages and chunk->nr_populated") -Signed-off-by: Tahsin Erdogan -Signed-off-by: Tejun Heo -Signed-off-by: Greg Kroah-Hartman ---- - mm/percpu.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/mm/percpu.c b/mm/percpu.c -index 1f376bce413c..ef6353f0adbd 100644 ---- a/mm/percpu.c -+++ b/mm/percpu.c -@@ -1012,8 +1012,11 @@ area_found: - mutex_unlock(&pcpu_alloc_mutex); - } - -- if (chunk != pcpu_reserved_chunk) -+ if (chunk != pcpu_reserved_chunk) { -+ spin_lock_irqsave(&pcpu_lock, flags); - pcpu_nr_empty_pop_pages -= occ_pages; -+ spin_unlock_irqrestore(&pcpu_lock, flags); -+ } - - if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW) - pcpu_schedule_balance_work(); --- -2.12.2 - -From 5fa513cb07213608907d4daa123b81e5a32d13e0 Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Wed, 15 Feb 2017 01:26:39 -0500 -Subject: [PATCH 132/251] ext4: fix fencepost in s_first_meta_bg validation -Content-Length: 1128 -Lines: 31 - -commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream. - -It is OK for s_first_meta_bg to be equal to the number of block group -descriptor blocks. (It rarely happens, but it shouldn't cause any -problems.) 
- -https://bugzilla.kernel.org/show_bug.cgi?id=194567 - -Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe -Signed-off-by: Theodore Ts'o -Cc: Jiri Slaby -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/super.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 6fe8e30eeb99..68345a9e59b8 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3666,7 +3666,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); - if (ext4_has_feature_meta_bg(sb)) { -- if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { -+ if (le32_to_cpu(es->s_first_meta_bg) > db_count) { - ext4_msg(sb, KERN_WARNING, - "first meta block group too large: %u " - "(group descriptor block count %u)", --- -2.12.2 - -From a5c3f390eb7799c3d1d92121382372b1fd365fa3 Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Sun, 26 Mar 2017 12:13:55 +0200 -Subject: [PATCH 133/251] Linux 4.4.57 -Status: RO -Content-Length: 301 -Lines: 18 - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index cf9303a5d621..841675e63a38 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 4 --SUBLEVEL = 56 -+SUBLEVEL = 57 - EXTRAVERSION = - NAME = Blurry Fish Butt - --- -2.12.2 - -From b362d6735156add0e43b1221b17277d5fb45622d Mon Sep 17 00:00:00 2001 -From: Or Gerlitz -Date: Wed, 15 Mar 2017 18:10:47 +0200 -Subject: [PATCH 134/251] net/openvswitch: Set the ipv6 source tunnel key - address attribute correctly -Content-Length: 1163 -Lines: 32 - -[ Upstream commit 3d20f1f7bd575d147ffa75621fa560eea0aec690 ] - -When dealing with ipv6 source tunnel key address attribute -(OVS_TUNNEL_KEY_ATTR_IPV6_SRC) we are wrongly setting the tunnel -dst ip, fix that. 
-
-Fixes: 6b26ba3a7d95 ('openvswitch: netlink attributes for IPv6 tunneling')
-Signed-off-by: Or Gerlitz
-Reported-by: Paul Blakey
-Acked-by: Jiri Benc
-Acked-by: Joe Stringer
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/openvswitch/flow_netlink.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
-index d1bd4a45ca2d..d26b28def310 100644
---- a/net/openvswitch/flow_netlink.c
-+++ b/net/openvswitch/flow_netlink.c
-@@ -588,7 +588,7 @@ static int ip_tun_from_nlattr(const struct nlattr *attr,
- ipv4 = true;
- break;
- case OVS_TUNNEL_KEY_ATTR_IPV6_SRC:
-- SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.dst,
-+ SW_FLOW_KEY_PUT(match, tun_key.u.ipv6.src,
- nla_get_in6_addr(a), is_mask);
- ipv6 = true;
- break;
---
-2.12.2
-
-From 12f0bffc489dff7088c73f600b6be5769bc73cbd Mon Sep 17 00:00:00 2001
-From: Florian Fainelli
-Date: Wed, 15 Mar 2017 12:57:21 -0700
-Subject: [PATCH 135/251] net: bcmgenet: Do not suspend PHY if Wake-on-LAN is
- enabled
-Content-Length: 1278
-Lines: 39
-
-[ Upstream commit 5371bbf4b295eea334ed453efa286afa2c3ccff3 ]
-
-Suspending the PHY would be putting it in a low power state where it
-may no longer allow us to do Wake-on-LAN.
-
-Fixes: cc013fb48898 ("net: bcmgenet: correctly suspend and resume PHY device")
-Signed-off-by: Florian Fainelli
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-index 91627561c58d..f971d92f7b41 100644
---- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-@@ -3495,7 +3495,8 @@ static int bcmgenet_suspend(struct device *d)
-
- bcmgenet_netif_stop(dev);
-
-- phy_suspend(priv->phydev);
-+ if (!device_may_wakeup(d))
-+ phy_suspend(priv->phydev);
-
- netif_device_detach(dev);
-
-@@ -3592,7 +3593,8 @@ static int bcmgenet_resume(struct device *d)
-
- netif_device_attach(dev);
-
-- phy_resume(priv->phydev);
-+ if (!device_may_wakeup(d))
-+ phy_resume(priv->phydev);
-
- if (priv->eee.eee_enabled)
- bcmgenet_eee_enable_set(dev, true);
---
-2.12.2
-
-From f3126725228c0fdbe17c18bcc5ace1b86465cce9 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Wed, 15 Mar 2017 13:21:28 -0700
-Subject: [PATCH 136/251] net: properly release sk_frag.page
-Content-Length: 1357
-Lines: 48
-
-[ Upstream commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ]
-
-I mistakenly added the code to release sk->sk_frag in
-sk_common_release() instead of sk_destruct()
-
-TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
-sk_common_release() at close time, thus leaking one (order-3) page.
-
-iSCSI is using such sockets.
-
-Fixes: 5640f7685831 ("net: use a per task frag allocator")
-Signed-off-by: Eric Dumazet
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/core/sock.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index f4c0917e66b5..9f4c4473156a 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1459,6 +1459,11 @@ void sk_destruct(struct sock *sk)
- pr_debug("%s: optmem leakage (%d bytes) detected\n",
- __func__, atomic_read(&sk->sk_omem_alloc));
-
-+ if (sk->sk_frag.page) {
-+ put_page(sk->sk_frag.page);
-+ sk->sk_frag.page = NULL;
-+ }
-+
- if (sk->sk_peer_cred)
- put_cred(sk->sk_peer_cred);
- put_pid(sk->sk_peer_pid);
-@@ -2691,11 +2696,6 @@ void sk_common_release(struct sock *sk)
-
- sk_refcnt_debug_release(sk);
-
-- if (sk->sk_frag.page) {
-- put_page(sk->sk_frag.page);
-- sk->sk_frag.page = NULL;
-- }
--
- sock_put(sk);
- }
- EXPORT_SYMBOL(sk_common_release);
---
-2.12.2
-
-From ae43f9360a21b35cf785ae9a0fdce524d7af0938 Mon Sep 17 00:00:00 2001
-From: "Lendacky, Thomas"
-Date: Wed, 15 Mar 2017 15:11:23 -0500
-Subject: [PATCH 137/251] amd-xgbe: Fix jumbo MTU processing on newer hardware
-Content-Length: 9733
-Lines: 284
-
-[ Upstream commit 622c36f143fc9566ba49d7cec994c2da1182d9e2 ]
-
-Newer hardware does not provide a cumulative payload length when multiple
-descriptors are needed to handle the data. Once the MTU increases beyond
-the size that can be handled by a single descriptor, the SKB does not get
-built properly by the driver.
-
-The driver will now calculate the size of the data buffers used by the
-hardware. The first buffer of the first descriptor is for packet headers
-or packet headers and data when the headers can't be split. Subsequent
-descriptors in a multi-descriptor chain will not use the first buffer. The
-second buffer is used by all the descriptors in the chain for payload data.
-Based on whether the driver is processing the first, intermediate, or last
-descriptor it can calculate the buffer usage and build the SKB properly.
-
-Tested and verified on both old and new hardware.
-
-Signed-off-by: Tom Lendacky
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 6 +-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 20 +++---
- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 102 +++++++++++++++++-----------
- 3 files changed, 78 insertions(+), 50 deletions(-)
-
-diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
-index b6fa89102526..66ba1e0ff37e 100644
---- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
-+++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
-@@ -913,8 +913,8 @@
- #define RX_PACKET_ATTRIBUTES_CSUM_DONE_WIDTH 1
- #define RX_PACKET_ATTRIBUTES_VLAN_CTAG_INDEX 1
- #define RX_PACKET_ATTRIBUTES_VLAN_CTAG_WIDTH 1
--#define RX_PACKET_ATTRIBUTES_INCOMPLETE_INDEX 2
--#define RX_PACKET_ATTRIBUTES_INCOMPLETE_WIDTH 1
-+#define RX_PACKET_ATTRIBUTES_LAST_INDEX 2
-+#define RX_PACKET_ATTRIBUTES_LAST_WIDTH 1
- #define RX_PACKET_ATTRIBUTES_CONTEXT_NEXT_INDEX 3
- #define RX_PACKET_ATTRIBUTES_CONTEXT_NEXT_WIDTH 1
- #define RX_PACKET_ATTRIBUTES_CONTEXT_INDEX 4
-@@ -923,6 +923,8 @@
- #define RX_PACKET_ATTRIBUTES_RX_TSTAMP_WIDTH 1
- #define RX_PACKET_ATTRIBUTES_RSS_HASH_INDEX 6
- #define RX_PACKET_ATTRIBUTES_RSS_HASH_WIDTH 1
-+#define RX_PACKET_ATTRIBUTES_FIRST_INDEX 7
-+#define RX_PACKET_ATTRIBUTES_FIRST_WIDTH 1
-
- #define RX_NORMAL_DESC0_OVT_INDEX 0
- #define RX_NORMAL_DESC0_OVT_WIDTH 16
-diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-index f6a7161e3b85..5e6238e0b2bd 100644
---- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
-@@ -1658,10 +1658,15 @@ static int xgbe_dev_read(struct xgbe_channel *channel)
-
- /* Get the header length */
- if (XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, FD)) {
-+ XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-+ FIRST, 1);
- rdata->rx.hdr_len = XGMAC_GET_BITS_LE(rdesc->desc2,
- RX_NORMAL_DESC2, HL);
- if (rdata->rx.hdr_len)
- pdata->ext_stats.rx_split_header_packets++;
-+ } else {
-+ XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-+ FIRST, 0);
- }
-
- /* Get the RSS hash */
-@@ -1684,19 +1689,16 @@ static int xgbe_dev_read(struct xgbe_channel *channel)
- }
- }
-
-- /* Get the packet length */
-- rdata->rx.len = XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, PL);
--
-- if (!XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, LD)) {
-- /* Not all the data has been transferred for this packet */
-- XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-- INCOMPLETE, 1);
-+ /* Not all the data has been transferred for this packet */
-+ if (!XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, LD))
- return 0;
-- }
-
- /* This is the last of the data for this packet */
- XGMAC_SET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-- INCOMPLETE, 0);
-+ LAST, 1);
-+
-+ /* Get the packet length */
-+ rdata->rx.len = XGMAC_GET_BITS_LE(rdesc->desc3, RX_NORMAL_DESC3, PL);
-
- /* Set checksum done indicator as appropriate */
- if (netdev->features & NETIF_F_RXCSUM)
-diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-index 53ce1222b11d..865b7e0b133b 100644
---- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
-@@ -1760,13 +1760,12 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
- {
- struct sk_buff *skb;
- u8 *packet;
-- unsigned int copy_len;
-
- skb = napi_alloc_skb(napi, rdata->rx.hdr.dma_len);
- if (!skb)
- return NULL;
-
-- /* Start with the header buffer which may contain just the header
-+ /* Pull in the header buffer which may contain just the header
- * or the header plus data
- */
- dma_sync_single_range_for_cpu(pdata->dev, rdata->rx.hdr.dma_base,
-@@ -1775,30 +1774,49 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
-
- packet = page_address(rdata->rx.hdr.pa.pages) +
- rdata->rx.hdr.pa.pages_offset;
-- copy_len = (rdata->rx.hdr_len) ? rdata->rx.hdr_len : len;
-- copy_len = min(rdata->rx.hdr.dma_len, copy_len);
-- skb_copy_to_linear_data(skb, packet, copy_len);
-- skb_put(skb, copy_len);
--
-- len -= copy_len;
-- if (len) {
-- /* Add the remaining data as a frag */
-- dma_sync_single_range_for_cpu(pdata->dev,
-- rdata->rx.buf.dma_base,
-- rdata->rx.buf.dma_off,
-- rdata->rx.buf.dma_len,
-- DMA_FROM_DEVICE);
--
-- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
-- rdata->rx.buf.pa.pages,
-- rdata->rx.buf.pa.pages_offset,
-- len, rdata->rx.buf.dma_len);
-- rdata->rx.buf.pa.pages = NULL;
-- }
-+ skb_copy_to_linear_data(skb, packet, len);
-+ skb_put(skb, len);
-
- return skb;
- }
-
-+static unsigned int xgbe_rx_buf1_len(struct xgbe_ring_data *rdata,
-+ struct xgbe_packet_data *packet)
-+{
-+ /* Always zero if not the first descriptor */
-+ if (!XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES, FIRST))
-+ return 0;
-+
-+ /* First descriptor with split header, return header length */
-+ if (rdata->rx.hdr_len)
-+ return rdata->rx.hdr_len;
-+
-+ /* First descriptor but not the last descriptor and no split header,
-+ * so the full buffer was used
-+ */
-+ if (!XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES, LAST))
-+ return rdata->rx.hdr.dma_len;
-+
-+ /* First descriptor and last descriptor and no split header, so
-+ * calculate how much of the buffer was used
-+ */
-+ return min_t(unsigned int, rdata->rx.hdr.dma_len, rdata->rx.len);
-+}
-+
-+static unsigned int xgbe_rx_buf2_len(struct xgbe_ring_data *rdata,
-+ struct xgbe_packet_data *packet,
-+ unsigned int len)
-+{
-+ /* Always the full buffer if not the last descriptor */
-+ if (!XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES, LAST))
-+ return rdata->rx.buf.dma_len;
-+
-+ /* Last descriptor so calculate how much of the buffer was used
-+ * for the last bit of data
-+ */
-+ return rdata->rx.len - len;
-+}
-+
- static int xgbe_tx_poll(struct xgbe_channel *channel)
- {
- struct xgbe_prv_data *pdata = channel->pdata;
-@@ -1881,8 +1899,8 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
- struct napi_struct *napi;
- struct sk_buff *skb;
- struct skb_shared_hwtstamps *hwtstamps;
-- unsigned int incomplete, error, context_next, context;
-- unsigned int len, rdesc_len, max_len;
-+ unsigned int last, error, context_next, context;
-+ unsigned int len, buf1_len, buf2_len, max_len;
- unsigned int received = 0;
- int packet_count = 0;
-
-@@ -1892,7 +1910,7 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
- if (!ring)
- return 0;
-
-- incomplete = 0;
-+ last = 0;
- context_next = 0;
-
- napi = (pdata->per_channel_irq) ? &channel->napi : &pdata->napi;
-@@ -1926,9 +1944,8 @@ read_again:
- received++;
- ring->cur++;
-
-- incomplete = XGMAC_GET_BITS(packet->attributes,
-- RX_PACKET_ATTRIBUTES,
-- INCOMPLETE);
-+ last = XGMAC_GET_BITS(packet->attributes, RX_PACKET_ATTRIBUTES,
-+ LAST);
- context_next = XGMAC_GET_BITS(packet->attributes,
- RX_PACKET_ATTRIBUTES,
- CONTEXT_NEXT);
-@@ -1937,7 +1954,7 @@ read_again:
- CONTEXT);
-
- /* Earlier error, just drain the remaining data */
-- if ((incomplete || context_next) && error)
-+ if ((!last || context_next) && error)
- goto read_again;
-
- if (error || packet->errors) {
-@@ -1949,16 +1966,22 @@ read_again:
- }
-
- if (!context) {
-- /* Length is cumulative, get this descriptor's length */
-- rdesc_len = rdata->rx.len - len;
-- len += rdesc_len;
-+ /* Get the data length in the descriptor buffers */
-+ buf1_len = xgbe_rx_buf1_len(rdata, packet);
-+ len += buf1_len;
-+ buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
-+ len += buf2_len;
-
-- if (rdesc_len && !skb) {
-+ if (!skb) {
- skb = xgbe_create_skb(pdata, napi, rdata,
-- rdesc_len);
-- if (!skb)
-+ buf1_len);
-+ if (!skb) {
- error = 1;
-- } else if (rdesc_len) {
-+ goto skip_data;
-+ }
-+ }
-+
-+ if (buf2_len) {
- dma_sync_single_range_for_cpu(pdata->dev,
- rdata->rx.buf.dma_base,
- rdata->rx.buf.dma_off,
-@@ -1968,13 +1991,14 @@ read_again:
- skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
- rdata->rx.buf.pa.pages,
- rdata->rx.buf.pa.pages_offset,
-- rdesc_len,
-+ buf2_len,
- rdata->rx.buf.dma_len);
- rdata->rx.buf.pa.pages = NULL;
- }
- }
-
-- if (incomplete || context_next)
-+skip_data:
-+ if (!last || context_next)
- goto read_again;
-
- if (!skb)
-@@ -2033,7 +2057,7 @@ next_packet:
- }
-
- /* Check if we need to save state before leaving */
-- if (received && (incomplete || context_next)) {
-+ if (received && (!last || context_next)) {
- rdata = XGBE_GET_DESC_DATA(ring, ring->cur);
- rdata->state_saved = 1;
- rdata->state.skb = skb;
---
-2.12.2
-
-From 610c6bcc5fcfb6d02d63cfded2375a829df7faba Mon Sep 17 00:00:00 2001
-From: Andrey Ulanov
-Date: Tue, 14 Mar 2017 20:16:42 -0700
-Subject: [PATCH 138/251] net: unix: properly re-increment inflight counter of
- GC discarded candidates
-Content-Length: 4671
-Lines: 107
-
-[ Upstream commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 ]
-
-Dmitry has reported that a BUG_ON() condition in unix_notinflight()
-may be triggered by a simple code that forwards unix socket in an
-SCM_RIGHTS message.
-That is caused by incorrect unix socket GC implementation in unix_gc().
-
-The GC first collects list of candidates, then (a) decrements their
-"children's" inflight counter, (b) checks which inflight counters are
-now 0, and then (c) increments all inflight counters back.
-(a) and (c) are done by calling scan_children() with inc_inflight or
-dec_inflight as the second argument.
-
-Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
-collector") changed scan_children() such that it no longer considers
-sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
-of code that that unsets this flag _before_ invoking
-scan_children(, dec_iflight, ). This may lead to incorrect inflight
-counters for some sockets.
-
-This change fixes this bug by changing order of operations:
-UNIX_GC_CANDIDATE is now unset only after all inflight counters are
-restored to the original state.
-
- kernel BUG at net/unix/garbage.c:149!
- RIP: 0010:[] []
- unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
- Call Trace:
- [] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
- [] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
- [] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
- [] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
- [] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
- [] kfree_skb+0x184/0x570 net/core/skbuff.c:705
- [] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
- [] unix_release+0x49/0x90 net/unix/af_unix.c:836
- [] sock_release+0x92/0x1f0 net/socket.c:570
- [] sock_close+0x1b/0x20 net/socket.c:1017
- [] __fput+0x34e/0x910 fs/file_table.c:208
- [] ____fput+0x1a/0x20 fs/file_table.c:244
- [] task_work_run+0x1a0/0x280 kernel/task_work.c:116
- [< inline >] exit_task_work include/linux/task_work.h:21
- [] do_exit+0x183a/0x2640 kernel/exit.c:828
- [] do_group_exit+0x14e/0x420 kernel/exit.c:931
- [] get_signal+0x663/0x1880 kernel/signal.c:2307
- [] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
- [] exit_to_usermode_loop+0x1ea/0x2d0
- arch/x86/entry/common.c:156
- [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
- [] syscall_return_slowpath+0x4d3/0x570
- arch/x86/entry/common.c:259
- [] entry_SYSCALL_64_fastpath+0xc4/0xc6
-
-Link: https://lkml.org/lkml/2017/3/6/252
-Signed-off-by: Andrey Ulanov
-Reported-by: Dmitry Vyukov
-Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/unix/garbage.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index 6a0d48525fcf..c36757e72844 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -146,6 +146,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-+ BUG_ON(!atomic_long_read(&u->inflight));
- BUG_ON(list_empty(&u->link));
-
- if (atomic_long_dec_and_test(&u->inflight))
-@@ -341,6 +342,14 @@ void unix_gc(void)
- }
- list_del(&cursor);
-
-+ /* Now gc_candidates contains only garbage. Restore original
-+ * inflight counters for these as well, and remove the skbuffs
-+ * which are creating the cycle(s).
-+ */
-+ skb_queue_head_init(&hitlist);
-+ list_for_each_entry(u, &gc_candidates, link)
-+ scan_children(&u->sk, inc_inflight, &hitlist);
-+
- /* not_cycle_list contains those sockets which do not make up a
- * cycle. Restore these to the inflight list.
- */
-@@ -350,14 +359,6 @@ void unix_gc(void)
- list_move_tail(&u->link, &gc_inflight_list);
- }
-
-- /* Now gc_candidates contains only garbage. Restore original
-- * inflight counters for these as well, and remove the skbuffs
-- * which are creating the cycle(s).
-- */
-- skb_queue_head_init(&hitlist);
-- list_for_each_entry(u, &gc_candidates, link)
-- scan_children(&u->sk, inc_inflight, &hitlist);
--
- spin_unlock(&unix_gc_lock);
-
- /* Here we are. Hitlist is filled. Die. */
---
-2.12.2
-
-From 9d1894cba25c06b061565da6934ab43f446d3c69 Mon Sep 17 00:00:00 2001
-From: Maor Gottlieb
-Date: Tue, 21 Mar 2017 15:59:17 +0200
-Subject: [PATCH 139/251] net/mlx5: Increase number of max QPs in default
- profile
-Content-Length: 1120
-Lines: 30
-
-[ Upstream commit 5f40b4ed975c26016cf41953b7510fe90718e21c ]
-
-With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
-limit preventing some applications to allocate needed QPs amount.
-Double the size to 256K.
-
-Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
-Signed-off-by: Maor Gottlieb
-Signed-off-by: Saeed Mahameed
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
-index ba115ec7aa92..1e611980cf99 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
-@@ -85,7 +85,7 @@ static struct mlx5_profile profile[] = {
- [2] = {
- .mask = MLX5_PROF_MASK_QP_SIZE |
- MLX5_PROF_MASK_MR_CACHE,
-- .log_max_qp = 17,
-+ .log_max_qp = 18,
- .mr_cache[0] = {
- .size = 500,
- .limit = 250
---
-2.12.2
-
-From fdcee7c1e2f8c6f46f26010b133ed963b620da2b Mon Sep 17 00:00:00 2001
-From: Gal Pressman
-Date: Tue, 21 Mar 2017 15:59:19 +0200
-Subject: [PATCH 140/251] net/mlx5e: Count LRO packets correctly
-Content-Length: 1894
-Lines: 50
-
-[ Upstream commit 8ab7e2ae15d84ba758b2c8c6f4075722e9bd2a08 ]
-
-RX packets statistics ('rx_packets' counter) used to count LRO packets
-as one, even though it contains multiple segments.
-This patch will increment the counter by the number of segments, and
-align the driver with the behavior of other drivers in the stack.
-
-Note that no information is lost in this patch due to 'rx_lro_packets'
-counter existence.
-
-Before, ethtool showed:
-$ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
- rx_packets: 435277
- rx_lro_packets: 35847
- rx_packets_phy: 1935066
-
-Now, we will see the more logical statistics:
-$ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
- rx_packets: 1935066
- rx_lro_packets: 35847
- rx_packets_phy: 1935066
-
-Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files")
-Signed-off-by: Gal Pressman
-Cc: kernel-team@fb.com
-Signed-off-by: Saeed Mahameed
-Acked-by: Alexei Starovoitov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
-index cf0098596e85..e9408f5e2a1d 100644
---- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
-@@ -197,6 +197,10 @@ static inline void mlx5e_build_rx_skb(struct mlx5_cqe64 *cqe,
- if (lro_num_seg > 1) {
- mlx5e_lro_update_hdr(skb, cqe);
- skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt, lro_num_seg);
-+ /* Subtract one since we already counted this as one
-+ * "regular" packet in mlx5e_complete_rx_cqe()
-+ */
-+ rq->stats.packets += lro_num_seg - 1;
- rq->stats.lro_packets++;
- rq->stats.lro_bytes += cqe_bcnt;
- }
---
-2.12.2
-
-From 85f00dac91a1047b57e600df9636c8408f70001f Mon Sep 17 00:00:00 2001
-From: Doug Berger
-Date: Tue, 21 Mar 2017 14:01:06 -0700
-Subject: [PATCH 141/251] net: bcmgenet: remove bcmgenet_internal_phy_setup()
-Content-Length: 3576
-Lines: 81
-
-[ Upstream commit 31739eae738ccbe8b9d627c3f2251017ca03f4d2 ]
-
-Commit 6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset")
-removed the bcmgenet_mii_reset() function from bcmgenet_power_up() and
-bcmgenet_internal_phy_setup() functions. In so doing it broke the reset
-of the internal PHY devices used by the GENETv1-GENETv3 which required
-this reset before the UniMAC was enabled. It also broke the internal
-GPHY devices used by the GENETv4 because the config_init that installed
-the AFE workaround was no longer occurring after the reset of the GPHY
-performed by bcmgenet_phy_power_set() in bcmgenet_internal_phy_setup().
-In addition the code in bcmgenet_internal_phy_setup() related to the
-"enable APD" comment goes with the bcmgenet_mii_reset() so it should
-have also been removed.
-
-Commit bd4060a6108b ("net: bcmgenet: Power on integrated GPHY in
-bcmgenet_power_up()") moved the bcmgenet_phy_power_set() call to the
-bcmgenet_power_up() function, but failed to remove it from the
-bcmgenet_internal_phy_setup() function. Had it done so, the
-bcmgenet_internal_phy_setup() function would have been empty and could
-have been removed at that time.
-
-Commit 5dbebbb44a6a ("net: bcmgenet: Software reset EPHY after power on")
-was submitted to correct the functional problems introduced by
-commit 6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset"). It
-was included in v4.4 and made available on 4.3-stable. Unfortunately,
-it didn't fully revert the commit because this bcmgenet_mii_reset()
-doesn't apply the soft reset to the internal GPHY used by GENETv4 like
-the previous one did. This prevents the restoration of the AFE work-
-arounds for internal GPHY devices after the bcmgenet_phy_power_set() in
-bcmgenet_internal_phy_setup().
-
-This commit takes the alternate approach of removing the unnecessary
-bcmgenet_internal_phy_setup() function which shouldn't have been in v4.3
-so that when bcmgenet_mii_reset() was restored it should have only gone
-into bcmgenet_power_up(). This will avoid the problems while also
-removing the redundancy (and hopefully some of the confusion).
-
-Fixes: 6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset")
-Signed-off-by: Doug Berger
-Reviewed-by: Florian Fainelli
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/broadcom/genet/bcmmii.c | 15 ---------------
- 1 file changed, 15 deletions(-)
-
-diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
-index 8bdfe53754ba..e96d1f95bb47 100644
---- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
-+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
-@@ -220,20 +220,6 @@ void bcmgenet_phy_power_set(struct net_device *dev, bool enable)
- udelay(60);
- }
-
--static void bcmgenet_internal_phy_setup(struct net_device *dev)
--{
-- struct bcmgenet_priv *priv = netdev_priv(dev);
-- u32 reg;
--
-- /* Power up PHY */
-- bcmgenet_phy_power_set(dev, true);
-- /* enable APD */
-- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
-- reg |= EXT_PWR_DN_EN_LD;
-- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
-- bcmgenet_mii_reset(dev);
--}
--
- static void bcmgenet_moca_phy_setup(struct bcmgenet_priv *priv)
- {
- u32 reg;
-@@ -281,7 +267,6 @@ int bcmgenet_mii_config(struct net_device *dev)
-
- if (priv->internal_phy) {
- phy_name = "internal PHY";
-- bcmgenet_internal_phy_setup(dev);
- } else if (priv->phy_interface == PHY_INTERFACE_MODE_MOCA) {
- phy_name = "MoCA";
- bcmgenet_moca_phy_setup(priv);
---
-2.12.2
-
-From 38dece41e5be77478b333db580b5e171b136befa Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 21 Mar 2017 19:22:28 -0700
-Subject: [PATCH 142/251] ipv4: provide stronger user input validation in
- nl_fib_input()
-Content-Length: 1155
-Lines: 35
-
-[ Upstream commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b ]
-
-Alexander reported a KMSAN splat caused by reads of uninitialized
-field (tb_id_in) from user provided struct fib_result_nl
-
-It turns out nl_fib_input() sanity tests on user input is a bit
-wrong :
-
-User can pretend nlh->nlmsg_len is big enough, but provide
-at sendmsg() time a too small buffer.
-
-Reported-by: Alexander Potapenko
-Signed-off-by: Eric Dumazet
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/ipv4/fib_frontend.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
-index 4e60dae86df5..1adba44f8fbc 100644
---- a/net/ipv4/fib_frontend.c
-+++ b/net/ipv4/fib_frontend.c
-@@ -1080,7 +1080,8 @@ static void nl_fib_input(struct sk_buff *skb)
-
- net = sock_net(skb->sk);
- nlh = nlmsg_hdr(skb);
-- if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len ||
-+ if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
-+ skb->len < nlh->nlmsg_len ||
- nlmsg_len(nlh) < sizeof(*frn))
- return;
-
---
-2.12.2
-
-From 95aa915c2f04c27bb3935c8b9446435f40f17f9d Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Wed, 22 Mar 2017 13:08:08 +0100
-Subject: [PATCH 143/251] socket, bpf: fix sk_filter use after free in
- sk_clone_lock
-Content-Length: 2672
-Lines: 61
-
-[ Upstream commit a97e50cc4cb67e1e7bff56f6b41cda62ca832336 ]
-
-In sk_clone_lock(), we create a new socket and inherit most of the
-parent's members via sock_copy() which memcpy()'s various sections.
-Now, in case the parent socket had a BPF socket filter attached,
-then newsk->sk_filter points to the same instance as the original
-sk->sk_filter.
-
-sk_filter_charge() is then called on the newsk->sk_filter to take a
-reference and should that fail due to hitting max optmem, we bail
-out and release the newsk instance.
-
-The issue is that commit 278571baca2a ("net: filter: simplify socket
-charging") wrongly combined the dismantle path with the failure path
-of xfrm_sk_clone_policy(). This means, even when charging failed, we
-call sk_free_unlock_clone() on the newsk, which then still points to
-the same sk_filter as the original sk.
-
-Thus, sk_free_unlock_clone() calls into __sk_destruct() eventually
-where it tests for present sk_filter and calls sk_filter_uncharge()
-on it, which potentially lets sk_omem_alloc wrap around and releases
-the eBPF prog and sk_filter structure from the (still intact) parent.
-
-Fix it by making sure that when sk_filter_charge() failed, we reset
-newsk->sk_filter back to NULL before passing to sk_free_unlock_clone(),
-so that we don't mess with the parents sk_filter.
-
-Only if xfrm_sk_clone_policy() fails, we did reach the point where
-either the parent's filter was NULL and as a result newsk's as well
-or where we previously had a successful sk_filter_charge(), thus for
-that case, we do need sk_filter_uncharge() to release the prior taken
-reference on sk_filter.
-
-Fixes: 278571baca2a ("net: filter: simplify socket charging")
-Signed-off-by: Daniel Borkmann
-Acked-by: Alexei Starovoitov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/core/sock.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 9f4c4473156a..9c708a5fb751 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1557,6 +1557,12 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
- is_charged = sk_filter_charge(newsk, filter);
-
- if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
-+ /* We need to make sure that we don't uncharge the new
-+ * socket if we couldn't charge it in the first place
-+ * as otherwise we uncharge the parent's filter.
-+ */
-+ if (!is_charged)
-+ RCU_INIT_POINTER(newsk->sk_filter, NULL);
- /* It is still raw copy of parent, so invalidate
- * destructor and make plain sk_free() */
- newsk->sk_destruct = NULL;
---
-2.12.2
-
-From afaed241928f029e788bbbeed26b2b530ba7cd1a Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Wed, 22 Mar 2017 08:10:21 -0700
-Subject: [PATCH 144/251] tcp: initialize icsk_ack.lrcvtime at session start
- time
-Content-Length: 1952
-Lines: 53
-
-[ Upstream commit 15bb7745e94a665caf42bfaabf0ce062845b533b ]
-
-icsk_ack.lrcvtime has a 0 value at socket creation time.
-
-tcpi_last_data_recv can have bogus value if no payload is ever received.
-
-This patch initializes icsk_ack.lrcvtime for active sessions
-in tcp_finish_connect(), and for passive sessions in
-tcp_create_openreq_child()
-
-Signed-off-by: Eric Dumazet
-Acked-by: Neal Cardwell
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/ipv4/tcp_input.c | 2 +-
- net/ipv4/tcp_minisocks.c | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 7cc0f8aac28f..818630cec54f 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -5435,6 +5435,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
- struct inet_connection_sock *icsk = inet_csk(sk);
-
- tcp_set_state(sk, TCP_ESTABLISHED);
-+ icsk->icsk_ack.lrcvtime = tcp_time_stamp;
-
- if (skb) {
- icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
-@@ -5647,7 +5648,6 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
- * to stand against the temptation 8) --ANK
- */
- inet_csk_schedule_ack(sk);
-- icsk->icsk_ack.lrcvtime = tcp_time_stamp;
- tcp_enter_quickack_mode(sk);
- inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
- TCP_DELACK_MAX, TCP_RTO_MAX);
-diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
-index 9475a2748a9a..019db68bdb9f 100644
---- a/net/ipv4/tcp_minisocks.c
-+++ b/net/ipv4/tcp_minisocks.c
-@@ -472,6 +472,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
- newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
- newtp->rtt_min[0].rtt = ~0U;
- newicsk->icsk_rto = TCP_TIMEOUT_INIT;
-+ newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
-
- newtp->packets_out = 0;
- newtp->retrans_out = 0;
---
-2.12.2
-
-From 9ac7bd114e13628467c037066786775a357d91d6 Mon Sep 17 00:00:00 2001
-From: Matjaz Hegedic
-Date: Fri, 10 Mar 2017 14:33:09 -0800
-Subject: [PATCH 145/251] Input: elan_i2c - add ASUS EeeBook X205TA special
- touchpad fw
-Content-Length: 1524
-Lines: 50
-
-commit 92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream.
-
-EeeBook X205TA is yet another ASUS device with a special touchpad
-firmware that needs to be accounted for during initialization, or
-else the touchpad will go into an invalid state upon suspend/resume.
-Adding the appropriate ic_type and product_id check fixes the problem.
-
-Signed-off-by: Matjaz Hegedic
-Acked-by: KT Liao
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/mouse/elan_i2c_core.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
-index ed1935f300a7..da5458dfb1e3 100644
---- a/drivers/input/mouse/elan_i2c_core.c
-+++ b/drivers/input/mouse/elan_i2c_core.c
-@@ -218,17 +218,19 @@ static int elan_query_product(struct elan_tp_data *data)
-
- static int elan_check_ASUS_special_fw(struct elan_tp_data *data)
- {
-- if (data->ic_type != 0x0E)
-- return false;
--
-- switch (data->product_id) {
-- case 0x05 ... 0x07:
-- case 0x09:
-- case 0x13:
-+ if (data->ic_type == 0x0E) {
-+ switch (data->product_id) {
-+ case 0x05 ... 0x07:
-+ case 0x09:
-+ case 0x13:
-+ return true;
-+ }
-+ } else if (data->ic_type == 0x08 && data->product_id == 0x26) {
-+ /* ASUS EeeBook X205TA */
- return true;
-- default:
-- return false;
- }
-+
-+ return false;
- }
-
- static int __elan_initialize(struct elan_tp_data *data)
---
-2.12.2
-
-From 5f9243e4fca610599c30b552baacdcffc76ea7af Mon Sep 17 00:00:00 2001
-From: Kai-Heng Feng
-Date: Tue, 7 Mar 2017 09:31:29 -0800
-Subject: [PATCH 146/251] Input: i8042 - add noloop quirk for Dell Embedded Box
- PC 3000
-Content-Length: 1172
-Lines: 36
-
-commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.
-
-The aux port does not get detected without noloop quirk, so external PS/2
-mouse cannot work as result.
-
-The PS/2 mouse can work with this quirk.
-
-BugLink: https://bugs.launchpad.net/bugs/1591053
-Signed-off-by: Kai-Heng Feng
-Reviewed-by: Marcos Paulo de Souza
-Signed-off-by: Dmitry Torokhov
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
-index 0cdd95801a25..25eab453f2b2 100644
---- a/drivers/input/serio/i8042-x86ia64io.h
-+++ b/drivers/input/serio/i8042-x86ia64io.h
-@@ -120,6 +120,13 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
- },
- },
- {
-+ /* Dell Embedded Box PC 3000 */
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"),
-+ },
-+ },
-+ {
- /* OQO Model 01 */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "OQO"),
---
-2.12.2
-
-From a07d3669654ad335c19df048199da0a063e0c387 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Thu, 16 Mar 2017 11:34:02 -0700
-Subject: [PATCH 147/251] Input: iforce - validate number of endpoints before
- using them
-Content-Length: 1031
-Lines: 29
-
-commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
- -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer or accessing memory that lie beyond the end of the endpoint -array should a malicious device lack the expected endpoints. - -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/joystick/iforce/iforce-usb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/input/joystick/iforce/iforce-usb.c b/drivers/input/joystick/iforce/iforce-usb.c -index d96aa27dfcdc..db64adfbe1af 100644 ---- a/drivers/input/joystick/iforce/iforce-usb.c -+++ b/drivers/input/joystick/iforce/iforce-usb.c -@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_interface *intf, - - interface = intf->cur_altsetting; - -+ if (interface->desc.bNumEndpoints < 2) -+ return -ENODEV; -+ - epirq = &interface->endpoint[0].desc; - epout = &interface->endpoint[1].desc; - --- -2.12.2 - -From 6bed7c1e2b78e58adab2e8448f3e6799857b5726 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 16 Mar 2017 11:36:13 -0700 -Subject: [PATCH 148/251] Input: ims-pcu - validate number of endpoints before - using them -Content-Length: 1032 -Lines: 30 - -commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack control-interface endpoints. 
- -Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/misc/ims-pcu.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c -index 9c0ea36913b4..f4e8fbec6a94 100644 ---- a/drivers/input/misc/ims-pcu.c -+++ b/drivers/input/misc/ims-pcu.c -@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - return -EINVAL; - - alt = pcu->ctrl_intf->cur_altsetting; -+ -+ if (alt->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - pcu->ep_ctrl = &alt->endpoint[0].desc; - pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl); - --- -2.12.2 - -From 0812c6855c89d905e34e88166570cae4a401b23a Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 16 Mar 2017 11:39:29 -0700 -Subject: [PATCH 149/251] Input: hanwang - validate number of endpoints before - using them -Content-Length: 1020 -Lines: 29 - -commit ba340d7b83703768ce566f53f857543359aa1b98 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. 
- -Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets") -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/tablet/hanwang.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/input/tablet/hanwang.c b/drivers/input/tablet/hanwang.c -index cd852059b99e..df4bea96d7ed 100644 ---- a/drivers/input/tablet/hanwang.c -+++ b/drivers/input/tablet/hanwang.c -@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id - int error; - int i; - -+ if (intf->cur_altsetting->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL); - input_dev = input_allocate_device(); - if (!hanwang || !input_dev) { --- -2.12.2 - -From e916f1d6188ef765303b4f74387d7e92d49a5be6 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 16 Mar 2017 11:37:01 -0700 -Subject: [PATCH 150/251] Input: yealink - validate number of endpoints before - using them -Content-Length: 1017 -Lines: 30 - -commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. 
- -Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone") -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/misc/yealink.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/input/misc/yealink.c b/drivers/input/misc/yealink.c -index 79c964c075f1..6e7ff9561d92 100644 ---- a/drivers/input/misc/yealink.c -+++ b/drivers/input/misc/yealink.c -@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interface *intf, const struct usb_device_id *id) - int ret, pipe, i; - - interface = intf->cur_altsetting; -+ -+ if (interface->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - endpoint = &interface->endpoint[0].desc; - if (!usb_endpoint_is_int_in(endpoint)) - return -ENODEV; --- -2.12.2 - -From c05490638ddfffa35d2fb03c1852f9013757a9e1 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 16 Mar 2017 11:35:12 -0700 -Subject: [PATCH 151/251] Input: cm109 - validate number of endpoints before - using them -Content-Length: 976 -Lines: 30 - -commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. 
- -Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...") -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/misc/cm109.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/input/misc/cm109.c b/drivers/input/misc/cm109.c -index 9365535ba7f1..50a7faa504f7 100644 ---- a/drivers/input/misc/cm109.c -+++ b/drivers/input/misc/cm109.c -@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_interface *intf, - int error = -ENOMEM; - - interface = intf->cur_altsetting; -+ -+ if (interface->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - endpoint = &interface->endpoint[0].desc; - - if (!usb_endpoint_is_int_in(endpoint)) --- -2.12.2 - -From b3c4c0c470b58dd4a5e40e11ccd9fea7fbbfa799 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 16 Mar 2017 11:41:55 -0700 -Subject: [PATCH 152/251] Input: kbtab - validate number of endpoints before - using them -Content-Length: 972 -Lines: 28 - -commit cb1b494663e037253337623bf1ef2df727883cb7 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. 
- -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/tablet/kbtab.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/input/tablet/kbtab.c b/drivers/input/tablet/kbtab.c -index d2ac7c2b5b82..2812f9236b7d 100644 ---- a/drivers/input/tablet/kbtab.c -+++ b/drivers/input/tablet/kbtab.c -@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *i - struct input_dev *input_dev; - int error = -ENOMEM; - -+ if (intf->cur_altsetting->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL); - input_dev = input_allocate_device(); - if (!kbtab || !input_dev) --- -2.12.2 - -From 549993001e7de0553d85c9022dc41d5b3ff7d1ff Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 16 Mar 2017 11:43:09 -0700 -Subject: [PATCH 153/251] Input: sur40 - validate number of endpoints before - using them -Content-Length: 1132 -Lines: 30 - -commit 92461f5d723037530c1f36cce93640770037812c upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer or accessing memory that lie beyond the end of the endpoint -array should a malicious device lack the expected endpoints. - -Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ") -Signed-off-by: Johan Hovold -Signed-off-by: Dmitry Torokhov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/input/touchscreen/sur40.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c -index 45b466e3bbe8..0146e2c74649 100644 ---- a/drivers/input/touchscreen/sur40.c -+++ b/drivers/input/touchscreen/sur40.c -@@ -500,6 +500,9 @@ static int sur40_probe(struct usb_interface *interface, - if (iface_desc->desc.bInterfaceClass != 0xFF) - return -ENODEV; - -+ if (iface_desc->desc.bNumEndpoints < 5) -+ return -ENODEV; -+ - /* Use endpoint #4 (0x86). 
*/ - endpoint = &iface_desc->endpoint[4].desc; - if (endpoint->bEndpointAddress != TOUCH_ENDPOINT) --- -2.12.2 - -From 8f0f081647cc1c7e7ce6bea99a3b2ebb3604b1f1 Mon Sep 17 00:00:00 2001 -From: Dan Williams -Date: Thu, 9 Mar 2017 11:32:28 -0600 -Subject: [PATCH 157/251] USB: serial: option: add Quectel UC15, UC20, EC21, - and EC25 modems -Status: RO -Content-Length: 2146 -Lines: 50 - -commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream. - -Add Quectel UC15, UC20, EC21, and EC25. The EC20 is handled by -qcserial due to a USB VID/PID conflict with an existing Acer -device. - -Signed-off-by: Dan Williams -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/option.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c -index 42cc72e54c05..af67a0de6b5d 100644 ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -233,6 +233,14 @@ static void option_instat_callback(struct urb *urb); - #define BANDRICH_PRODUCT_1012 0x1012 - - #define QUALCOMM_VENDOR_ID 0x05C6 -+/* These Quectel products use Qualcomm's vendor ID */ -+#define QUECTEL_PRODUCT_UC20 0x9003 -+#define QUECTEL_PRODUCT_UC15 0x9090 -+ -+#define QUECTEL_VENDOR_ID 0x2c7c -+/* These Quectel products use Quectel's vendor ID */ -+#define QUECTEL_PRODUCT_EC21 0x0121 -+#define QUECTEL_PRODUCT_EC25 0x0125 - - #define CMOTECH_VENDOR_ID 0x16d8 - #define CMOTECH_PRODUCT_6001 0x6001 -@@ -1161,7 +1169,14 @@ static const struct usb_device_id option_ids[] = { - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ -- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */ -+ /* Quectel products using Qualcomm vendor ID */ -+ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, -+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 
QUECTEL_PRODUCT_UC20), -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -+ /* Quectel products using Quectel vendor ID */ -+ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21), -+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -+ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, --- -2.12.2 - -From 19f0fe67b9d04580c377efc568cc8630a5af06b4 Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Tue, 14 Mar 2017 12:09:56 +0100 -Subject: [PATCH 159/251] ACM gadget: fix endianness in notifications -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 1317 -Lines: 36 - -commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream. - -The gadget code exports the bitfield for serial status changes -over the wire in its internal endianness. The fix is to convert -to little endian before sending it over the wire. 
- -Signed-off-by: Oliver Neukum -Tested-by: 家瑋 -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/function/f_acm.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_acm.c b/drivers/usb/gadget/function/f_acm.c -index 2fa1e80a3ce7..67e474b13fca 100644 ---- a/drivers/usb/gadget/function/f_acm.c -+++ b/drivers/usb/gadget/function/f_acm.c -@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struct f_acm *acm) - { - struct usb_composite_dev *cdev = acm->port.func.config->cdev; - int status; -+ __le16 serial_state; - - spin_lock(&acm->lock); - if (acm->notify_req) { - dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n", - acm->port_num, acm->serial_state); -+ serial_state = cpu_to_le16(acm->serial_state); - status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE, -- 0, &acm->serial_state, sizeof(acm->serial_state)); -+ 0, &serial_state, sizeof(acm->serial_state)); - } else { - acm->pending = true; - status = 0; --- -2.12.2 - -From 815321da2e267c5c44a2900b39ac92632a9d6e80 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:47:53 +0100 -Subject: [PATCH 168/251] uwb: i1480-dfu: fix NULL-deref at probe -Content-Length: 1114 -Lines: 33 - -commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. - -Note that the dereference happens in the cmd and wait_init_done -callbacks which are called during probe. 
- -Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver") -Cc: Inaky Perez-Gonzalez -Cc: David Vrabel -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/uwb/i1480/dfu/usb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/uwb/i1480/dfu/usb.c b/drivers/uwb/i1480/dfu/usb.c -index 2bfc846ac071..6345e85822a4 100644 ---- a/drivers/uwb/i1480/dfu/usb.c -+++ b/drivers/uwb/i1480/dfu/usb.c -@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface *iface, const struct usb_device_id *id) - result); - } - -+ if (iface->cur_altsetting->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - result = -ENOMEM; - i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL); - if (i1480_usb == NULL) { --- -2.12.2 - -From 2c251e568e1a5dfbdab7156eaa848cd45b3cb127 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:47:52 +0100 -Subject: [PATCH 169/251] uwb: hwa-rc: fix NULL-deref at probe -Content-Length: 1047 -Lines: 33 - -commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. - -Note that the dereference happens in the start callback which is called -during probe. 
- -Fixes: de520b8bd552 ("uwb: add HWA radio controller driver") -Cc: Inaky Perez-Gonzalez -Cc: David Vrabel -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/uwb/hwa-rc.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c -index 0257f35cfb9d..e75bbe5a10cd 100644 ---- a/drivers/uwb/hwa-rc.c -+++ b/drivers/uwb/hwa-rc.c -@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interface *iface, - struct hwarc *hwarc; - struct device *dev = &iface->dev; - -+ if (iface->cur_altsetting->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - result = -ENOMEM; - uwb_rc = uwb_rc_alloc(); - if (uwb_rc == NULL) { --- -2.12.2 - -From dcf879cb9ed37f4e4cb242aaa17316d6c37404dc Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:40:22 +0100 -Subject: [PATCH 170/251] mmc: ushc: fix NULL-deref at probe -Content-Length: 1009 -Lines: 30 - -commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. 
- -Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver") -Cc: David Vrabel -Signed-off-by: Johan Hovold -Signed-off-by: Ulf Hansson -Signed-off-by: Greg Kroah-Hartman ---- - drivers/mmc/host/ushc.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/mmc/host/ushc.c b/drivers/mmc/host/ushc.c -index d2c386f09d69..1d843357422e 100644 ---- a/drivers/mmc/host/ushc.c -+++ b/drivers/mmc/host/ushc.c -@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interface *intf, const struct usb_device_id *id - struct ushc_data *ushc; - int ret; - -+ if (intf->cur_altsetting->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev); - if (mmc == NULL) - return -ENOMEM; --- -2.12.2 - -From 8f189e1d0ecac38ac69b44b89f2561c3bcffacbd Mon Sep 17 00:00:00 2001 -From: Michael Engl -Date: Tue, 3 Oct 2017 13:57:00 +0100 -Subject: [PATCH 171/251] iio: adc: ti_am335x_adc: fix fifo overrun recovery -Content-Length: 2556 -Lines: 65 - -commit e83bb3e6f3efa21f4a9d883a25d0ecd9dfb431e1 upstream. - -The tiadc_irq_h(int irq, void *private) function is handling FIFO -overruns by clearing flags, disabling and enabling the ADC to -recover. - -If the ADC is running in continuous mode a FIFO overrun happens -regularly. If the disabling of the ADC happens concurrently with -a new conversion. It might happen that the enabling of the ADC -is ignored by the hardware. This stops the ADC permanently. No -more interrupts are triggered. - -According to the AM335x Reference Manual (SPRUH73H October 2011 - -Revised April 2013 - Chapter 12.4 and 12.5) it is necessary to -check the ADC FSM bits in REG_ADCFSM before enabling the ADC -again. Because the disabling of the ADC is done right after the -current conversion has been finished. - -To trigger this bug it is necessary to run the ADC in continuous -mode. The ADC values of all channels need to be read in an endless -loop. 
The bug appears within the first 6 hours (~5.4 million -handled FIFO overruns). The user space application will hang on -reading new values from the character device. - -Fixes: ca9a563805f7a ("iio: ti_am335x_adc: Add continuous sampling support") -Signed-off-by: Michael Engl -Signed-off-by: Jonathan Cameron -Signed-off-by: Greg Kroah-Hartman ---- - drivers/iio/adc/ti_am335x_adc.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/drivers/iio/adc/ti_am335x_adc.c b/drivers/iio/adc/ti_am335x_adc.c -index 0470fc843d4e..9b6854607d73 100644 ---- a/drivers/iio/adc/ti_am335x_adc.c -+++ b/drivers/iio/adc/ti_am335x_adc.c -@@ -151,7 +151,9 @@ static irqreturn_t tiadc_irq_h(int irq, void *private) - { - struct iio_dev *indio_dev = private; - struct tiadc_device *adc_dev = iio_priv(indio_dev); -- unsigned int status, config; -+ unsigned int status, config, adc_fsm; -+ unsigned short count = 0; -+ - status = tiadc_readl(adc_dev, REG_IRQSTATUS); - - /* -@@ -165,6 +167,15 @@ static irqreturn_t tiadc_irq_h(int irq, void *private) - tiadc_writel(adc_dev, REG_CTRL, config); - tiadc_writel(adc_dev, REG_IRQSTATUS, IRQENB_FIFO1OVRRUN - | IRQENB_FIFO1UNDRFLW | IRQENB_FIFO1THRES); -+ -+ /* wait for idle state. -+ * ADC needs to finish the current conversion -+ * before disabling the module -+ */ -+ do { -+ adc_fsm = tiadc_readl(adc_dev, REG_ADCFSM); -+ } while (adc_fsm != 0x10 && count++ < 100); -+ - tiadc_writel(adc_dev, REG_CTRL, (config | CNTRLREG_TSCSSENB)); - return IRQ_HANDLED; - } else if (status & IRQENB_FIFO1THRES) { --- -2.12.2 - -From 7413d1f8991e7d5c240d89a3feb35e2a54d27baf Mon Sep 17 00:00:00 2001 -From: Song Hongyan -Date: Wed, 22 Feb 2017 17:17:38 +0800 -Subject: [PATCH 172/251] iio: hid-sensor-trigger: Change get poll value - function order to avoid sensor properties losing after resume from S3 -Content-Length: 2044 -Lines: 48 - -commit 3bec247474469f769af41e8c80d3a100dd97dd76 upstream. 
- -In function _hid_sensor_power_state(), when hid_sensor_read_poll_value() -is called, sensor's all properties will be updated by the value from -sensor hardware/firmware. -In some implementation, sensor hardware/firmware will do a power cycle -during S3. In this case, after resume, once hid_sensor_read_poll_value() -is called, sensor's all properties which are kept by driver during S3 -will be changed to default value. -But instead, if a set feature function is called first, sensor -hardware/firmware will be recovered to the last status. So change the -sensor_hub_set_feature() calling order to behind of set feature function -to avoid sensor properties lose. - -Signed-off-by: Song Hongyan -Acked-by: Srinivas Pandruvada -Signed-off-by: Jonathan Cameron -Signed-off-by: Greg Kroah-Hartman ---- - drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c -index 595511022795..0a86ef43e781 100644 ---- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c -+++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c -@@ -51,8 +51,6 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state) - st->report_state.report_id, - st->report_state.index, - HID_USAGE_SENSOR_PROP_REPORTING_STATE_ALL_EVENTS_ENUM); -- -- poll_value = hid_sensor_read_poll_value(st); - } else { - int val; - -@@ -89,7 +87,9 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state) - sensor_hub_get_feature(st->hsdev, st->power_state.report_id, - st->power_state.index, - sizeof(state_val), &state_val); -- if (state && poll_value) -+ if (state) -+ poll_value = hid_sensor_read_poll_value(st); -+ if (poll_value > 0) - msleep_interruptible(poll_value * 2); - - return 0; --- -2.12.2 - -From c7d1545c48ffbf19185753c1d786e5aab950d3e3 Mon Sep 17 00:00:00 2001 -From: Sudip Mukherjee -Date: Mon, 6 Mar 
2017 23:23:42 +0000 -Subject: [PATCH 173/251] parport: fix attempt to write duplicate procfiles -Content-Length: 1584 -Lines: 41 - -commit 03270c6ac6207fc55bbf9d20d195029dca210c79 upstream. - -Usually every parallel port will have a single pardev registered with -it. But ppdev driver is an exception. This userspace parallel port -driver allows to create multiple parrallel port devices for a single -parallel port. And as a result we were having a nice warning like: -"sysctl table check failed: -/dev/parport/parport0/devices/ppdev0/timeslice Sysctl already exists" - -Use the same logic as used in parport_register_device() and register -the proc files only once for each parallel port. - -Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem") -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1414656 -Bugzilla: https://bugs.archlinux.org/task/52322 -Tested-by: James Feeney -Signed-off-by: Sudip Mukherjee -Signed-off-by: Greg Kroah-Hartman ---- - drivers/parport/share.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/parport/share.c b/drivers/parport/share.c -index 5ce5ef211bdb..754f21fd9768 100644 ---- a/drivers/parport/share.c -+++ b/drivers/parport/share.c -@@ -936,8 +936,10 @@ parport_register_dev_model(struct parport *port, const char *name, - * pardevice fields. -arca - */ - port->ops->init_state(par_dev, par_dev->state); -- port->proc_device = par_dev; -- parport_device_proc_register(par_dev); -+ if (!test_and_set_bit(PARPORT_DEVPROC_REGISTERED, &port->devflags)) { -+ port->proc_device = par_dev; -+ parport_device_proc_register(par_dev); -+ } - - return par_dev; - --- -2.12.2 - -From 27d9bf096406439ce406c82291cfe09c6653f94c Mon Sep 17 00:00:00 2001 -From: Eric Biggers -Date: Wed, 15 Mar 2017 14:52:02 -0400 -Subject: [PATCH 174/251] ext4: mark inode dirty after converting inline - directory -Content-Length: 1573 -Lines: 42 - -commit b9cf625d6ecde0d372e23ae022feead72b4228a6 upstream. 
- -If ext4_convert_inline_data() was called on a directory with inline -data, the filesystem was left in an inconsistent state (as considered by -e2fsck) because the file size was not increased to cover the new block. -This happened because the inode was not marked dirty after i_disksize -was updated. Fix this by marking the inode dirty at the end of -ext4_finish_convert_inline_dir(). - -This bug was probably not noticed before because most users mark the -inode dirty afterwards for other reasons. But if userspace executed -FS_IOC_SET_ENCRYPTION_POLICY with invalid parameters, as exercised by -'kvm-xfstests -c adv generic/396', then the inode was never marked dirty -after updating i_disksize. - -Fixes: 3c47d54170b6a678875566b1b8d6dcf57904e49b -Signed-off-by: Eric Biggers -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/inline.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c -index d4be4e23bc21..dad8e7bdf0a6 100644 ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -1158,10 +1158,9 @@ static int ext4_finish_convert_inline_dir(handle_t *handle, - set_buffer_uptodate(dir_block); - err = ext4_handle_dirty_dirent_node(handle, inode, dir_block); - if (err) -- goto out; -+ return err; - set_buffer_verified(dir_block); --out: -- return err; -+ return ext4_mark_inode_dirty(handle, inode); - } - - static int ext4_convert_inline_data_nolock(handle_t *handle, --- -2.12.2 - -From 52e40a2fcc3952f1edd2f810c36d05eece984cba Mon Sep 17 00:00:00 2001 -From: Adrian Hunter -Date: Mon, 20 Mar 2017 19:50:29 +0200 -Subject: [PATCH 175/251] mmc: sdhci: Do not disable interrupts while waiting - for clock -Content-Length: 1383 -Lines: 40 - -commit e2ebfb2142acefecc2496e71360f50d25726040b upstream. - -Disabling interrupts for even a millisecond can cause problems for some -devices. 
That can happen when sdhci changes clock frequency because it -waits for the clock to become stable under a spin lock. - -The spin lock is not necessary here. Anything that is racing with changes -to the I/O state is already broken. The mmc core already provides -synchronization via "claiming" the host. - -Although the spin lock probably should be removed from the code paths that -lead to this point, such a patch would touch too much code to be suitable -for stable trees. Consequently, for this patch, just drop the spin lock -while waiting. - -Signed-off-by: Adrian Hunter -Signed-off-by: Ulf Hansson -Tested-by: Ludovic Desroches -Signed-off-by: Greg Kroah-Hartman ---- - drivers/mmc/host/sdhci.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c -index bda164089904..62d37d2ac557 100644 ---- a/drivers/mmc/host/sdhci.c -+++ b/drivers/mmc/host/sdhci.c -@@ -1274,7 +1274,9 @@ clock_set: - return; - } - timeout--; -- mdelay(1); -+ spin_unlock_irq(&host->lock); -+ usleep_range(900, 1100); -+ spin_lock_irq(&host->lock); - } - - clk |= SDHCI_CLOCK_CARD_EN; --- -2.12.2 - -From 55b6c187cf9d12d8e667ccfa5386bd162fc7ae2b Mon Sep 17 00:00:00 2001 -From: Koos Vriezen -Date: Wed, 1 Mar 2017 21:02:50 +0100 -Subject: [PATCH 177/251] iommu/vt-d: Fix NULL pointer dereference in - device_to_iommu -Content-Length: 2697 -Lines: 73 - -commit 5003ae1e735e6bfe4679d9bed6846274f322e77e upstream. - -The function device_to_iommu() in the Intel VT-d driver -lacks a NULL-ptr check, resulting in this oops at boot on -some platforms: - - BUG: unable to handle kernel NULL pointer dereference at 00000000000007ab - IP: [] device_to_iommu+0x11a/0x1a0 - PGD 0 - - [...] - - Call Trace: - ? find_or_alloc_domain.constprop.29+0x1a/0x300 - ? dw_dma_probe+0x561/0x580 [dw_dmac_core] - ? __get_valid_domain_for_dev+0x39/0x120 - ? __intel_map_single+0x138/0x180 - ? intel_alloc_coherent+0xb6/0x120 - ? 
sst_hsw_dsp_init+0x173/0x420 [snd_soc_sst_haswell_pcm] - ? mutex_lock+0x9/0x30 - ? kernfs_add_one+0xdb/0x130 - ? devres_add+0x19/0x60 - ? hsw_pcm_dev_probe+0x46/0xd0 [snd_soc_sst_haswell_pcm] - ? platform_drv_probe+0x30/0x90 - ? driver_probe_device+0x1ed/0x2b0 - ? __driver_attach+0x8f/0xa0 - ? driver_probe_device+0x2b0/0x2b0 - ? bus_for_each_dev+0x55/0x90 - ? bus_add_driver+0x110/0x210 - ? 0xffffffffa11ea000 - ? driver_register+0x52/0xc0 - ? 0xffffffffa11ea000 - ? do_one_initcall+0x32/0x130 - ? free_vmap_area_noflush+0x37/0x70 - ? kmem_cache_alloc+0x88/0xd0 - ? do_init_module+0x51/0x1c4 - ? load_module+0x1ee9/0x2430 - ? show_taint+0x20/0x20 - ? kernel_read_file+0xfd/0x190 - ? SyS_finit_module+0xa3/0xb0 - ? do_syscall_64+0x4a/0xb0 - ? entry_SYSCALL64_slow_path+0x25/0x25 - Code: 78 ff ff ff 4d 85 c0 74 ee 49 8b 5a 10 0f b6 9b e0 00 00 00 41 38 98 e0 00 00 00 77 da 0f b6 eb 49 39 a8 88 00 00 00 72 ce eb 8f <41> f6 82 ab 07 00 00 04 0f 85 76 ff ff ff 0f b6 4d 08 88 0e 49 - RIP [] device_to_iommu+0x11a/0x1a0 - RSP - CR2: 00000000000007ab - ---[ end trace 16f974b6d58d0aad ]--- - -Add the missing pointer check. - -Fixes: 1c387188c60f53b338c20eee32db055dfe022a9b ("iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions") -Signed-off-by: Koos Vriezen -Signed-off-by: Joerg Roedel -Signed-off-by: Greg Kroah-Hartman ---- - drivers/iommu/intel-iommu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index f0fc6f7b5d98..0628372f3591 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -908,7 +908,7 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf - * which we used for the IOMMU lookup. Strictly speaking - * we could do this for all PCI devices; we only need to - * get the BDF# from the scope table for ACPI matches. 
*/ -- if (pdev->is_virtfn) -+ if (pdev && pdev->is_virtfn) - goto got_pdev; - - *bus = drhd->devices[i].bus; --- -2.12.2 - -From 17503963206584333b674740ba75b5079ea7e196 Mon Sep 17 00:00:00 2001 -From: Viresh Kumar -Date: Tue, 21 Mar 2017 11:36:06 +0530 -Subject: [PATCH 180/251] cpufreq: Restore policy min/max limits on CPU online -Content-Length: 1475 -Lines: 38 - -commit ff010472fb75670cb5c08671e820eeea3af59c87 upstream. - -On CPU online the cpufreq core restores the previous governor (or -the previous "policy" setting for ->setpolicy drivers), but it does -not restore the min/max limits at the same time, which is confusing, -inconsistent and real pain for users who set the limits and then -suspend/resume the system (using full suspend), in which case the -limits are reset on all CPUs except for the boot one. - -Fix this by making cpufreq_online() restore the limits when an inactive -policy is brought online. - -The commit log and patch are inspired from Rafael's earlier work. - -Reported-by: Rafael J. Wysocki -Signed-off-by: Viresh Kumar -Signed-off-by: Rafael J. 
Wysocki -Signed-off-by: Greg Kroah-Hartman ---- - drivers/cpufreq/cpufreq.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index 86fa9fdc8323..38b363f4316b 100644 ---- a/drivers/cpufreq/cpufreq.c -+++ b/drivers/cpufreq/cpufreq.c -@@ -1186,6 +1186,9 @@ static int cpufreq_online(unsigned int cpu) - for_each_cpu(j, policy->related_cpus) - per_cpu(cpufreq_cpu_data, j) = policy; - write_unlock_irqrestore(&cpufreq_driver_lock, flags); -+ } else { -+ policy->min = policy->user_policy.min; -+ policy->max = policy->user_policy.max; - } - - if (cpufreq_driver->get && !cpufreq_driver->setpolicy) { --- -2.12.2 - -From 73dd1edf50a6bdf33046c2e4aa0b1ad4fef71a71 Mon Sep 17 00:00:00 2001 -From: Tomasz Majchrzak -Date: Thu, 28 Jul 2016 10:28:25 +0200 -Subject: [PATCH 181/251] raid10: increment write counter after bio is split -Content-Length: 1096 -Lines: 38 - -commit 9b622e2bbcf049c82e2550d35fb54ac205965f50 upstream. - -md pending write counter must be incremented after bio is split, -otherwise it gets decremented too many times in end bio callback and -becomes negative. - -Signed-off-by: Tomasz Majchrzak -Reviewed-by: Artur Paszkiewicz -Signed-off-by: Shaohua Li -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/raid10.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 122af340a531..a92979e704e3 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1072,6 +1072,8 @@ static void __make_request(struct mddev *mddev, struct bio *bio) - int max_sectors; - int sectors; - -+ md_write_start(mddev, bio); -+ - /* - * Register the new request and wait if the reconstruction - * thread has put up a bar for new requests. 
-@@ -1455,8 +1457,6 @@ static void make_request(struct mddev *mddev, struct bio *bio) - return; - } - -- md_write_start(mddev, bio); -- - do { - - /* --- -2.12.2 - -From c4cf86f69597d4547a736e3edd5b88ae61b68fa2 Mon Sep 17 00:00:00 2001 -From: "Darrick J. Wong" -Date: Mon, 5 Dec 2016 12:38:38 +1100 -Subject: [PATCH 183/251] xfs: don't allow di_size with high bit set -Content-Length: 1355 -Lines: 38 - -commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream. - -The on-disk field di_size is used to set i_size, which is a signed -integer of loff_t. If the high bit of di_size is set, we'll end up with -a negative i_size, which will cause all sorts of problems. Since the -VFS won't let us create a file with such length, we should catch them -here in the verifier too. - -Signed-off-by: Darrick J. Wong -Reviewed-by: Dave Chinner -Signed-off-by: Dave Chinner -Cc: Nikolay Borisov -Signed-off-by: Greg Kroah-Hartman ---- - fs/xfs/libxfs/xfs_inode_buf.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c -index 1aabfda669b0..7183b7ea065b 100644 ---- a/fs/xfs/libxfs/xfs_inode_buf.c -+++ b/fs/xfs/libxfs/xfs_inode_buf.c -@@ -299,6 +299,14 @@ xfs_dinode_verify( - if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC)) - return false; - -+ /* don't allow invalid i_size */ -+ if (be64_to_cpu(dip->di_size) & (1ULL << 63)) -+ return false; -+ -+ /* No zero-length symlinks. */ -+ if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0) -+ return false; -+ - /* only version 3 or greater inodes are extensively verified here */ - if (dip->di_version < 3) - return true; --- -2.12.2 - -From 7922c1becb36b61827a24ee32ffe7c39cf444efb Mon Sep 17 00:00:00 2001 -From: Eric Sandeen -Date: Tue, 8 Nov 2016 12:55:18 +1100 -Subject: [PATCH 184/251] xfs: fix up xfs_swap_extent_forks inline extent - handling -Content-Length: 3921 -Lines: 97 - -commit 4dfce57db6354603641132fac3c887614e3ebe81 upstream. 
- -There have been several reports over the years of NULL pointer -dereferences in xfs_trans_log_inode during xfs_fsr processes, -when the process is doing an fput and tearing down extents -on the temporary inode, something like: - -BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 -PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" - [exception RIP: xfs_trans_log_inode+0x10] - #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] -#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] -#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] -#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] -#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] -#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 -#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 -#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 -#17 [ffff8800a57bbe88] dput at ffffffff811dd06c -#18 [ffff8800a57bbea8] __fput at ffffffff811c823b -#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e -#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 -#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c -#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d - -As it turns out, this is because the i_itemp pointer, along -with the d_ops pointer, has been overwritten with zeros -when we tear down the extents during truncate. When the in-core -inode fork on the temporary inode used by xfs_fsr was originally -set up during the extent swap, we mistakenly looked at di_nextents -to determine whether all extents fit inline, but this misses extents -generated by speculative preallocation; we should be using if_bytes -instead. 
- -This mistake corrupts the in-memory inode, and code in -xfs_iext_remove_inline eventually gets bad inputs, causing -it to memmove and memset incorrect ranges; this became apparent -because the two values in ifp->if_u2.if_inline_ext[1] contained -what should have been in d_ops and i_itemp; they were memmoved due -to incorrect array indexing and then the original locations -were zeroed with memset, again due to an array overrun. - -Fix this by properly using i_df.if_bytes to determine the number -of extents, not di_nextents. - -Thanks to dchinner for looking at this with me and spotting the -root cause. - -[nborisov: backported to 4.4] - -Cc: stable@vger.kernel.org -Signed-off-by: Eric Sandeen -Reviewed-by: Brian Foster -Signed-off-by: Dave Chinner -Signed-off-by: Nikolay Borisov -Signed-off-by: Greg Kroah-Hartman --- - fs/xfs/xfs_bmap_util.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) ---- - fs/xfs/xfs_bmap_util.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c -index dbae6490a79a..832764ee035a 100644 ---- a/fs/xfs/xfs_bmap_util.c -+++ b/fs/xfs/xfs_bmap_util.c -@@ -1713,6 +1713,7 @@ xfs_swap_extents( - xfs_trans_t *tp; - xfs_bstat_t *sbp = &sxp->sx_stat; - xfs_ifork_t *tempifp, *ifp, *tifp; -+ xfs_extnum_t nextents; - int src_log_flags, target_log_flags; - int error = 0; - int aforkblks = 0; -@@ -1899,7 +1900,8 @@ xfs_swap_extents( - * pointer. Otherwise it's already NULL or - * pointing to the extent. - */ -- if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) { -+ nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t); -+ if (nextents <= XFS_INLINE_EXTS) { - ifp->if_u1.if_extents = - ifp->if_u2.if_inline_ext; - } -@@ -1918,7 +1920,8 @@ xfs_swap_extents( - * pointer. Otherwise it's already NULL or - * pointing to the extent. 
- */ -- if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) { -+ nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t); -+ if (nextents <= XFS_INLINE_EXTS) { - tifp->if_u1.if_extents = - tifp->if_u2.if_inline_ext; - } --- -2.12.2 - -From 74c8dd066cc06da0a7ee1a4da0ba565e3536a53a Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Wed, 15 Mar 2017 14:26:04 +0100 -Subject: [PATCH 185/251] nl80211: fix dumpit error path RTNL deadlocks -Content-Length: 8374 -Lines: 326 - -commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream. - -Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out -to be perfectly accurate - there are various error paths that miss unlock -of the RTNL. - -To fix those, change the locking a bit to not be conditional in all those -nl80211_prepare_*_dump() functions, but make those require the RTNL to -start with, and fix the buggy error paths. This also let me use sparse -(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to -validate the changes. 
- -Reported-by: Sowmini Varadhan -Reported-by: Dmitry Vyukov -Signed-off-by: Johannes Berg -Signed-off-by: Greg Kroah-Hartman ---- - net/wireless/nl80211.c | 121 ++++++++++++++++++++++--------------------------- - 1 file changed, 53 insertions(+), 68 deletions(-) - -diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c -index 1f0de6d74daa..9d0953e5734f 100644 ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -492,21 +492,17 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, - { - int err; - -- rtnl_lock(); -- - if (!cb->args[0]) { - err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, - nl80211_fam.attrbuf, nl80211_fam.maxattr, - nl80211_policy); - if (err) -- goto out_unlock; -+ return err; - - *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), - nl80211_fam.attrbuf); -- if (IS_ERR(*wdev)) { -- err = PTR_ERR(*wdev); -- goto out_unlock; -- } -+ if (IS_ERR(*wdev)) -+ return PTR_ERR(*wdev); - *rdev = wiphy_to_rdev((*wdev)->wiphy); - /* 0 is the first index - add 1 to parse only once */ - cb->args[0] = (*rdev)->wiphy_idx + 1; -@@ -516,10 +512,8 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, - struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); - struct wireless_dev *tmp; - -- if (!wiphy) { -- err = -ENODEV; -- goto out_unlock; -- } -+ if (!wiphy) -+ return -ENODEV; - *rdev = wiphy_to_rdev(wiphy); - *wdev = NULL; - -@@ -530,21 +524,11 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb, - } - } - -- if (!*wdev) { -- err = -ENODEV; -- goto out_unlock; -- } -+ if (!*wdev) -+ return -ENODEV; - } - - return 0; -- out_unlock: -- rtnl_unlock(); -- return err; --} -- --static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev) --{ -- rtnl_unlock(); - } - - /* IE validation */ -@@ -3884,9 +3868,10 @@ static int nl80211_dump_station(struct sk_buff *skb, - int sta_idx = cb->args[2]; - int err; - -+ rtnl_lock(); - err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); - if (err) -- return 
err; -+ goto out_err; - - if (!wdev->netdev) { - err = -EINVAL; -@@ -3922,7 +3907,7 @@ static int nl80211_dump_station(struct sk_buff *skb, - cb->args[2] = sta_idx; - err = skb->len; - out_err: -- nl80211_finish_wdev_dump(rdev); -+ rtnl_unlock(); - - return err; - } -@@ -4639,9 +4624,10 @@ static int nl80211_dump_mpath(struct sk_buff *skb, - int path_idx = cb->args[2]; - int err; - -+ rtnl_lock(); - err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); - if (err) -- return err; -+ goto out_err; - - if (!rdev->ops->dump_mpath) { - err = -EOPNOTSUPP; -@@ -4675,7 +4661,7 @@ static int nl80211_dump_mpath(struct sk_buff *skb, - cb->args[2] = path_idx; - err = skb->len; - out_err: -- nl80211_finish_wdev_dump(rdev); -+ rtnl_unlock(); - return err; - } - -@@ -4835,9 +4821,10 @@ static int nl80211_dump_mpp(struct sk_buff *skb, - int path_idx = cb->args[2]; - int err; - -+ rtnl_lock(); - err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); - if (err) -- return err; -+ goto out_err; - - if (!rdev->ops->dump_mpp) { - err = -EOPNOTSUPP; -@@ -4870,7 +4857,7 @@ static int nl80211_dump_mpp(struct sk_buff *skb, - cb->args[2] = path_idx; - err = skb->len; - out_err: -- nl80211_finish_wdev_dump(rdev); -+ rtnl_unlock(); - return err; - } - -@@ -6806,9 +6793,12 @@ static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb) - int start = cb->args[2], idx = 0; - int err; - -+ rtnl_lock(); - err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); -- if (err) -+ if (err) { -+ rtnl_unlock(); - return err; -+ } - - wdev_lock(wdev); - spin_lock_bh(&rdev->bss_lock); -@@ -6831,7 +6821,7 @@ static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb) - wdev_unlock(wdev); - - cb->args[2] = idx; -- nl80211_finish_wdev_dump(rdev); -+ rtnl_unlock(); - - return skb->len; - } -@@ -6915,9 +6905,10 @@ static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb) - int res; - bool radio_stats; - -+ rtnl_lock(); - res = 
nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); - if (res) -- return res; -+ goto out_err; - - /* prepare_wdev_dump parsed the attributes */ - radio_stats = nl80211_fam.attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS]; -@@ -6958,7 +6949,7 @@ static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb) - cb->args[2] = survey_idx; - res = skb->len; - out_err: -- nl80211_finish_wdev_dump(rdev); -+ rtnl_unlock(); - return res; - } - -@@ -10158,17 +10149,13 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb, - void *data = NULL; - unsigned int data_len = 0; - -- rtnl_lock(); -- - if (cb->args[0]) { - /* subtract the 1 again here */ - struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); - struct wireless_dev *tmp; - -- if (!wiphy) { -- err = -ENODEV; -- goto out_unlock; -- } -+ if (!wiphy) -+ return -ENODEV; - *rdev = wiphy_to_rdev(wiphy); - *wdev = NULL; - -@@ -10189,13 +10176,11 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb, - nl80211_fam.attrbuf, nl80211_fam.maxattr, - nl80211_policy); - if (err) -- goto out_unlock; -+ return err; - - if (!nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID] || -- !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) { -- err = -EINVAL; -- goto out_unlock; -- } -+ !nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) -+ return -EINVAL; - - *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), - nl80211_fam.attrbuf); -@@ -10204,10 +10189,8 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb, - - *rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), - nl80211_fam.attrbuf); -- if (IS_ERR(*rdev)) { -- err = PTR_ERR(*rdev); -- goto out_unlock; -- } -+ if (IS_ERR(*rdev)) -+ return PTR_ERR(*rdev); - - vid = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_ID]); - subcmd = nla_get_u32(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_SUBCMD]); -@@ -10220,19 +10203,15 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb, - if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd) - continue; - -- 
if (!vcmd->dumpit) { -- err = -EOPNOTSUPP; -- goto out_unlock; -- } -+ if (!vcmd->dumpit) -+ return -EOPNOTSUPP; - - vcmd_idx = i; - break; - } - -- if (vcmd_idx < 0) { -- err = -EOPNOTSUPP; -- goto out_unlock; -- } -+ if (vcmd_idx < 0) -+ return -EOPNOTSUPP; - - if (nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]) { - data = nla_data(nl80211_fam.attrbuf[NL80211_ATTR_VENDOR_DATA]); -@@ -10249,9 +10228,6 @@ static int nl80211_prepare_vendor_dump(struct sk_buff *skb, - - /* keep rtnl locked in successful case */ - return 0; -- out_unlock: -- rtnl_unlock(); -- return err; - } - - static int nl80211_vendor_cmd_dump(struct sk_buff *skb, -@@ -10266,9 +10242,10 @@ static int nl80211_vendor_cmd_dump(struct sk_buff *skb, - int err; - struct nlattr *vendor_data; - -+ rtnl_lock(); - err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev); - if (err) -- return err; -+ goto out; - - vcmd_idx = cb->args[2]; - data = (void *)cb->args[3]; -@@ -10277,18 +10254,26 @@ static int nl80211_vendor_cmd_dump(struct sk_buff *skb, - - if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV | - WIPHY_VENDOR_CMD_NEED_NETDEV)) { -- if (!wdev) -- return -EINVAL; -+ if (!wdev) { -+ err = -EINVAL; -+ goto out; -+ } - if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV && -- !wdev->netdev) -- return -EINVAL; -+ !wdev->netdev) { -+ err = -EINVAL; -+ goto out; -+ } - - if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) { - if (wdev->netdev && -- !netif_running(wdev->netdev)) -- return -ENETDOWN; -- if (!wdev->netdev && !wdev->p2p_started) -- return -ENETDOWN; -+ !netif_running(wdev->netdev)) { -+ err = -ENETDOWN; -+ goto out; -+ } -+ if (!wdev->netdev && !wdev->p2p_started) { -+ err = -ENETDOWN; -+ goto out; -+ } - } - } - --- -2.12.2 - -From f154de03f4167664808b002495a877dbe91dd798 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Tue, 14 Mar 2017 17:55:45 +0100 -Subject: [PATCH 186/251] USB: usbtmc: add missing endpoint sanity check -Status: RO -Content-Length: 2168 -Lines: 61 - -commit 
687e0687f71ec00e0132a21fef802dee88c2f1ad upstream. - -USBTMC devices are required to have a bulk-in and a bulk-out endpoint, -but the driver failed to verify this, something which could lead to the -endpoint addresses being taken from uninitialised memory. - -Make sure to zero all private data as part of allocation, and add the -missing endpoint sanity check. - -Note that this also addresses a more recently introduced issue, where -the interrupt-in-presence flag would also be uninitialised whenever the -optional interrupt-in endpoint is not present. This in turn could lead -to an interrupt urb being allocated, initialised and submitted based on -uninitialised values. - -Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.") -Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver") -Signed-off-by: Johan Hovold -[ johan: backport to v4.4 ] -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/class/usbtmc.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c -index deaddb950c20..24337ac3323f 100644 ---- a/drivers/usb/class/usbtmc.c -+++ b/drivers/usb/class/usbtmc.c -@@ -1105,7 +1105,7 @@ static int usbtmc_probe(struct usb_interface *intf, - - dev_dbg(&intf->dev, "%s called\n", __func__); - -- data = kmalloc(sizeof(*data), GFP_KERNEL); -+ data = kzalloc(sizeof(*data), GFP_KERNEL); - if (!data) - return -ENOMEM; - -@@ -1163,6 +1163,12 @@ static int usbtmc_probe(struct usb_interface *intf, - } - } - -+ if (!data->bulk_out || !data->bulk_in) { -+ dev_err(&intf->dev, "bulk endpoints not found\n"); -+ retcode = -ENODEV; -+ goto err_put; -+ } -+ - retcode = get_capabilities(data); - if (retcode) - dev_err(&intf->dev, "can't read capabilities\n"); -@@ -1186,6 +1192,7 @@ static int usbtmc_probe(struct usb_interface *intf, - error_register: - sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp); - 
sysfs_remove_group(&intf->dev.kobj, &data_attr_grp); -+err_put: - kref_put(&data->kref, usbtmc_delete); - return retcode; - } --- -2.12.2 - -From 6d43e485e0067b682466eb4e3aff8ff9a6822966 Mon Sep 17 00:00:00 2001 -From: "Darrick J. Wong" -Date: Wed, 25 Jan 2017 20:24:57 -0800 -Subject: [PATCH 187/251] xfs: clear _XBF_PAGES from buffers when readahead - page -Content-Length: 1594 -Lines: 42 - -commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream. - -If we try to allocate memory pages to back an xfs_buf that we're trying -to read, it's possible that we'll be so short on memory that the page -allocation fails. For a blocking read we'll just wait, but for -readahead we simply dump all the pages we've collected so far. - -Unfortunately, after dumping the pages we neglect to clear the -_XBF_PAGES state, which means that the subsequent call to xfs_buf_free -thinks that b_pages still points to pages we own. It then double-frees -the b_pages pages. - -This results in screaming about negative page refcounts from the memory -manager, which xfs oughtn't be triggering. To reproduce this case, -mount a filesystem where the size of the inodes far outweighs the -availalble memory (a ~500M inode filesystem on a VM with 300MB memory -did the trick here) and run bulkstat in parallel with other memory -eating processes to put a huge load on the system. The "check summary" -phase of xfs_scrub also works for this purpose. - -Signed-off-by: Darrick J. 
Wong -Reviewed-by: Eric Sandeen -Cc: Ivan Kozik -Signed-off-by: Greg Kroah-Hartman ---- - fs/xfs/xfs_buf.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c -index eb1b8c8acfcb..8146b0cf20ce 100644 ---- a/fs/xfs/xfs_buf.c -+++ b/fs/xfs/xfs_buf.c -@@ -375,6 +375,7 @@ retry: - out_free_pages: - for (i = 0; i < bp->b_page_count; i++) - __free_page(bp->b_pages[i]); -+ bp->b_flags &= ~_XBF_PAGES; - return error; - } - --- -2.12.2 - -From 4db313df49466185211ea7d6d675f8c4f6724e23 Mon Sep 17 00:00:00 2001 -From: Sumit Semwal -Date: Sat, 25 Mar 2017 21:48:02 +0530 -Subject: [PATCH 189/251] igb: Workaround for igb i210 firmware issue -Content-Length: 1454 -Lines: 38 - -From: Chris J Arges - -[ Upstream commit 4e684f59d760a2c7c716bb60190783546e2d08a1 ] - -Sometimes firmware may not properly initialize I347AT4_PAGE_SELECT causing -the probe of an igb i210 NIC to fail. This patch adds an addition zeroing -of this register during igb_get_phy_id to workaround this issue. - -Thanks for Jochen Henneberg for the idea and original patch. 
- -Signed-off-by: Chris J Arges -Tested-by: Aaron Brown -Signed-off-by: Jeff Kirsher -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/intel/igb/e1000_phy.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/ethernet/intel/igb/e1000_phy.c b/drivers/net/ethernet/intel/igb/e1000_phy.c -index 23ec28f43f6d..13ad20b250bc 100644 ---- a/drivers/net/ethernet/intel/igb/e1000_phy.c -+++ b/drivers/net/ethernet/intel/igb/e1000_phy.c -@@ -77,6 +77,10 @@ s32 igb_get_phy_id(struct e1000_hw *hw) - s32 ret_val = 0; - u16 phy_id; - -+ /* ensure PHY page selection to fix misconfigured i210 */ -+ if (hw->mac.type == e1000_i210) -+ phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0); -+ - ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id); - if (ret_val) - goto out; + __ilog2_u32(n) : \ + __ilog2_u64(n) \ -- 2.12.2 -From ca7e3bdc9c7e01d8040422d9eae0b9f07c81419e Mon Sep 17 00:00:00 2001 -From: Sumit Semwal -Date: Sat, 25 Mar 2017 21:48:03 +0530 -Subject: [PATCH 190/251] igb: add i211 to i210 PHY workaround -Content-Length: 1309 -Lines: 33 - -From: Todd Fujinaka - -[ Upstream commit 5bc8c230e2a993b49244f9457499f17283da9ec7 ] - -i210 and i211 share the same PHY but have different PCI IDs. Don't -forget i211 for any i210 workarounds. 
+From a5c3f390eb7799c3d1d92121382372b1fd365fa3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 26 Mar 2017 12:13:55 +0200 +Subject: [PATCH 133/251] Linux 4.4.57 +Status: RO +Content-Length: 301 +Lines: 18 -Signed-off-by: Todd Fujinaka -Tested-by: Aaron Brown -Signed-off-by: Jeff Kirsher -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman --- - drivers/net/ethernet/intel/igb/e1000_phy.c | 2 +- + Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/drivers/net/ethernet/intel/igb/e1000_phy.c b/drivers/net/ethernet/intel/igb/e1000_phy.c -index 13ad20b250bc..afaa98d1d4e4 100644 ---- a/drivers/net/ethernet/intel/igb/e1000_phy.c -+++ b/drivers/net/ethernet/intel/igb/e1000_phy.c -@@ -78,7 +78,7 @@ s32 igb_get_phy_id(struct e1000_hw *hw) - u16 phy_id; - - /* ensure PHY page selection to fix misconfigured i210 */ -- if (hw->mac.type == e1000_i210) -+ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211)) - phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0); - - ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id); --- -2.12.2 - -From e4ce31c0265dc6086fb4f13d88deef50d20cdb24 Mon Sep 17 00:00:00 2001 -From: Sumit Semwal -Date: Sat, 25 Mar 2017 21:48:04 +0530 -Subject: [PATCH 191/251] x86/hyperv: Handle unknown NMIs on one CPU when - unknown_nmi_panic -Content-Length: 4630 -Lines: 122 - -From: Vitaly Kuznetsov - -[ Upstream commit 59107e2f48831daedc46973ce4988605ab066de3 ] - -There is a feature in Hyper-V ('Debug-VM --InjectNonMaskableInterrupt') -which injects NMI to the guest. We may want to crash the guest and do kdump -on this NMI by enabling unknown_nmi_panic. To make kdump succeed we need to -allow the kdump kernel to re-establish VMBus connection so it will see -VMBus devices (storage, network,..). - -To properly unload VMBus making it possible to start over during kdump we -need to do the following: - - - Send an 'unload' message to the hypervisor. 
This can be done on any CPU - so we do this the crashing CPU. - - - Receive the 'unload finished' reply message. WS2012R2 delivers this - message to the CPU which was used to establish VMBus connection during - module load and this CPU may differ from the CPU sending 'unload'. - -Receiving a VMBus message means the following: - - - There is a per-CPU slot in memory for one message. This slot can in - theory be accessed by any CPU. - - - We get an interrupt on the CPU when a message was placed into the slot. - - - When we read the message we need to clear the slot and signal the fact - to the hypervisor. In case there are more messages to this CPU pending - the hypervisor will deliver the next message. The signaling is done by - writing to an MSR so this can only be done on the appropriate CPU. - -To avoid doing cross-CPU work on crash we have vmbus_wait_for_unload() -function which checks message slots for all CPUs in a loop waiting for the -'unload finished' messages. However, there is an issue which arises when -these conditions are met: - - - We're crashing on a CPU which is different from the one which was used - to initially contact the hypervisor. - - - The CPU which was used for the initial contact is blocked with interrupts - disabled and there is a message pending in the message slot. - -In this case we won't be able to read the 'unload finished' message on the -crashing CPU. This is reproducible when we receive unknown NMIs on all CPUs -simultaneously: the first CPU entering panic() will proceed to crash and -all other CPUs will stop themselves with interrupts disabled. - -The suggested solution is to handle unknown NMIs for Hyper-V guests on the -first CPU which gets them only. This will allow us to rely on VMBus -interrupt handler being able to receive the 'unload finish' message in -case it is delivered to a different CPU. 
- -The issue is not reproducible on WS2016 as Debug-VM delivers NMI to the -boot CPU only, WS2012R2 and earlier Hyper-V versions are affected. - -Signed-off-by: Vitaly Kuznetsov -Acked-by: K. Y. Srinivasan -Cc: devel@linuxdriverproject.org -Cc: Haiyang Zhang -Link: http://lkml.kernel.org/r/20161202100720.28121-1-vkuznets@redhat.com -Signed-off-by: Thomas Gleixner -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/mshyperv.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c -index cfc4a966e2b9..83b5f7a323a9 100644 ---- a/arch/x86/kernel/cpu/mshyperv.c -+++ b/arch/x86/kernel/cpu/mshyperv.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - - struct ms_hyperv_info ms_hyperv; - EXPORT_SYMBOL_GPL(ms_hyperv); -@@ -157,6 +158,26 @@ static unsigned char hv_get_nmi_reason(void) - return 0; - } - -+#ifdef CONFIG_X86_LOCAL_APIC -+/* -+ * Prior to WS2016 Debug-VM sends NMIs to all CPUs which makes -+ * it dificult to process CHANNELMSG_UNLOAD in case of crash. Handle -+ * unknown NMI on the first CPU which gets it. 
-+ */ -+static int hv_nmi_unknown(unsigned int val, struct pt_regs *regs) -+{ -+ static atomic_t nmi_cpu = ATOMIC_INIT(-1); -+ -+ if (!unknown_nmi_panic) -+ return NMI_DONE; -+ -+ if (atomic_cmpxchg(&nmi_cpu, -1, raw_smp_processor_id()) != -1) -+ return NMI_HANDLED; -+ -+ return NMI_DONE; -+} -+#endif -+ - static void __init ms_hyperv_init_platform(void) - { - /* -@@ -182,6 +203,9 @@ static void __init ms_hyperv_init_platform(void) - printk(KERN_INFO "HyperV: LAPIC Timer Frequency: %#x\n", - lapic_timer_frequency); - } -+ -+ register_nmi_handler(NMI_UNKNOWN, hv_nmi_unknown, NMI_FLAG_FIRST, -+ "hv_nmi_unknown"); - #endif +diff --git a/Makefile b/Makefile +index cf9303a5d621..841675e63a38 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 56 ++SUBLEVEL = 57 + EXTRAVERSION = + NAME = Blurry Fish Butt - if (ms_hyperv.features & HV_X64_MSR_TIME_REF_COUNT_AVAILABLE) -- 2.12.2 
@@ -5530,235 +1724,6 @@ index 5cefca95734e..885f689ac870 100644
 -- 
 2.12.2
 
-From d3607fc2976e34f6b067508b608fefaa66fbecee Mon Sep 17 00:00:00 2001
-From: Sumit Semwal
-Date: Sat, 25 Mar 2017 21:48:17 +0530
-Subject: [PATCH 204/251] ACPI / blacklist: add _REV quirks for Dell Precision
- 5520 and 3520
-Content-Length: 1499
-Lines: 50
-
-From: Alex Hung
-
-[ Upstream commit 9523b9bf6dceef6b0215e90b2348cd646597f796 ]
-
-Precision 5520 and 3520 either hang at login and during suspend or reboot.
-
-It turns out that that adding them to acpi_rev_dmi_table[] helps to work
-around those issues.
-
-Signed-off-by: Alex Hung
-[ rjw: Changelog ]
-Signed-off-by: Rafael J. Wysocki
-
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sumit Semwal
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/acpi/blacklist.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
-index 96809cd99ace..b2e9395e095c 100644
---- a/drivers/acpi/blacklist.c
-+++ b/drivers/acpi/blacklist.c
-@@ -346,6 +346,22 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
- DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343"),
- },
- },
-+ {
-+ .callback = dmi_enable_rev_override,
-+ .ident = "DELL Precision 5520",
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 5520"),
-+ },
-+ },
-+ {
-+ .callback = dmi_enable_rev_override,
-+ .ident = "DELL Precision 3520",
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 3520"),
-+ },
-+ },
- #endif
- {}
- };
--- 
-2.12.2
-
-From b8687d83b34cf372b943c5639d8960703aeb2b8e Mon Sep 17 00:00:00 2001
-From: Sumit Semwal
-Date: Sat, 25 Mar 2017 21:48:18 +0530
-Subject: [PATCH 205/251] ACPI / blacklist: Make Dell Latitude 3350 ethernet
- work
-Content-Length: 1438
-Lines: 46
-
-From: Michael Pobega
-
-[ Upstream commit 708f5dcc21ae9b35f395865fc154b0105baf4de4 ]
-
-The Dell Latitude 3350's ethernet card attempts to use a reserved
-IRQ (18), resulting in ACPI being unable to enable the ethernet.
-
-Adding it to acpi_rev_dmi_table[] helps to work around this problem.
-
-Signed-off-by: Michael Pobega
-[ rjw: Changelog ]
-Signed-off-by: Rafael J. Wysocki
-
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sumit Semwal
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/acpi/blacklist.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
-index b2e9395e095c..2f24b578bcaf 100644
---- a/drivers/acpi/blacklist.c
-+++ b/drivers/acpi/blacklist.c
-@@ -362,6 +362,18 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
- DMI_MATCH(DMI_PRODUCT_NAME, "Precision 3520"),
- },
- },
-+ /*
-+ * Resolves a quirk with the Dell Latitude 3350 that
-+ * causes the ethernet adapter to not function.
-+ */
-+ {
-+ .callback = dmi_enable_rev_override,
-+ .ident = "DELL Latitude 3350",
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude 3350"),
-+ },
-+ },
- #endif
- {}
- };
--- 
-2.12.2
-
-From ac601978a2aad7fbb617f0187268011b577a127f Mon Sep 17 00:00:00 2001
-From: Sumit Semwal
-Date: Sat, 25 Mar 2017 21:48:19 +0530
-Subject: [PATCH 206/251] serial: 8250_pci: Detach low-level driver during PCI
- error recovery
-Content-Length: 3500
-Lines: 106
-
-From: Gabriel Krisman Bertazi
-
-[ Upstream commit f209fa03fc9d131b3108c2e4936181eabab87416 ]
-
-During a PCI error recovery, like the ones provoked by EEH in the ppc64
-platform, all IO to the device must be blocked while the recovery is
-completed. Current 8250_pci implementation only suspends the port
-instead of detaching it, which doesn't prevent incoming accesses like
-TIOCMGET and TIOCMSET calls from reaching the device. Those end up
-racing with the EEH recovery, crashing it. Similar races were also
-observed when opening the device and when shutting it down during
-recovery.
-
-This patch implements a more robust IO blockage for the 8250_pci
-recovery by unregistering the port at the beginning of the procedure and
-re-adding it afterwards. Since the port is detached from the uart
-layer, we can be sure that no request will make through to the device
-during recovery. This is similar to the solution used by the JSM serial
-driver.
-
-I thank Peter Hurley for valuable input on
-this one over one year ago.
-
-Signed-off-by: Gabriel Krisman Bertazi
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sumit Semwal
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/tty/serial/8250/8250_pci.c | 23 +++++++++++++++++++----
- 1 file changed, 19 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
-index 5b24ffd93649..83ff1724ec79 100644
---- a/drivers/tty/serial/8250/8250_pci.c
-+++ b/drivers/tty/serial/8250/8250_pci.c
-@@ -57,6 +57,7 @@ struct serial_private {
- unsigned int nr;
- void __iomem *remapped_bar[PCI_NUM_BAR_RESOURCES];
- struct pci_serial_quirk *quirk;
-+ const struct pciserial_board *board;
- int line[0];
- };
-
-@@ -4058,6 +4059,7 @@ pciserial_init_ports(struct pci_dev *dev, const struct pciserial_board *board)
- }
- }
- priv->nr = i;
-+ priv->board = board;
- return priv;
-
- err_deinit:
-@@ -4068,7 +4070,7 @@ err_out:
- }
- EXPORT_SYMBOL_GPL(pciserial_init_ports);
-
--void pciserial_remove_ports(struct serial_private *priv)
-+void pciserial_detach_ports(struct serial_private *priv)
- {
- struct pci_serial_quirk *quirk;
- int i;
-@@ -4088,7 +4090,11 @@ void pciserial_remove_ports(struct serial_private *priv)
- quirk = find_quirk(priv->dev);
- if (quirk->exit)
- quirk->exit(priv->dev);
-+}
-
-+void pciserial_remove_ports(struct serial_private *priv)
-+{
-+ pciserial_detach_ports(priv);
- kfree(priv);
- }
- EXPORT_SYMBOL_GPL(pciserial_remove_ports);
-@@ -5819,7 +5825,7 @@ static pci_ers_result_t serial8250_io_error_detected(struct pci_dev *dev,
- return PCI_ERS_RESULT_DISCONNECT;
-
- if (priv)
-- pciserial_suspend_ports(priv);
-+ pciserial_detach_ports(priv);
-
- pci_disable_device(dev);
-
-@@ -5844,9 +5850,18 @@ static pci_ers_result_t serial8250_io_slot_reset(struct pci_dev *dev)
- static void serial8250_io_resume(struct pci_dev *dev)
- {
- struct serial_private *priv = pci_get_drvdata(dev);
-+ const struct pciserial_board *board;
-
-- if (priv)
-- pciserial_resume_ports(priv);
-+ if (!priv)
-+ return;
-+
-+ board = priv->board;
-+ kfree(priv);
-+ priv = pciserial_init_ports(dev, board);
-+
-+ if (!IS_ERR(priv)) {
-+ pci_set_drvdata(dev, priv);
-+ }
- }
-
- static const struct pci_error_handlers serial8250_err_handler = {
--- 
-2.12.2
-
 From 540d6d756ff82a23eb5bb73aa8149bab15eb407a Mon Sep 17 00:00:00 2001
 From: Takashi Iwai
 Date: Wed, 11 Jan 2017 17:09:50 +0100
@@ -6733,168 +2698,6 @@ index b8d927c56494..a6b2f2138c9d 100644 -- 2.12.2 -From 3342857ac074768e14e361392ac09fbbd70d840e Mon Sep 17 00:00:00 2001 -From: Josh Poimboeuf -Date: Thu, 16 Mar 2017 08:56:28 -0500 -Subject: [PATCH 233/251] ACPI: Fix incompatibility with mcount-based function - graph tracing -Content-Length: 1960 -Lines: 51 - -commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream. - -Paul Menzel reported a warning: - - WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0 - Bad frame pointer: expected f6919d98, received f6919db0 - from func acpi_pm_device_sleep_wake return to c43b6f9d - -The warning means that function graph tracing is broken for the -acpi_pm_device_sleep_wake() function. That's because the ACPI Makefile -unconditionally sets the '-Os' gcc flag to optimize for size. That's an -issue because mcount-based function graph tracing is incompatible with -'-Os' on x86, thanks to the following gcc bug: - - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109 - -I have another patch pending which will ensure that mcount-based -function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on -x86. - -But this patch is needed in addition to that one because the ACPI -Makefile overrides that config option for no apparent reason. It has -had this flag since the beginning of git history, and there's no related -comment, so I don't know why it's there. As far as I can tell, there's -no reason for it to be there. The appropriate behavior is for it to -honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the -kernel. - -Reported-by: Paul Menzel -Signed-off-by: Josh Poimboeuf -Acked-by: Steven Rostedt (VMware) -Signed-off-by: Rafael J. 
Wysocki -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/Makefile | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile -index 675eaf337178..b9cebca376f9 100644 ---- a/drivers/acpi/Makefile -+++ b/drivers/acpi/Makefile -@@ -2,7 +2,6 @@ - # Makefile for the Linux ACPI interpreter - # - --ccflags-y := -Os - ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT - - # --- -2.12.2 - -From 566a8711a7dd11960fa0bf3a4fd89c742eb359f3 Mon Sep 17 00:00:00 2001 -From: Joerg Roedel -Date: Wed, 22 Mar 2017 18:33:25 +0100 -Subject: [PATCH 234/251] ACPI: Do not create a platform_device for - IOAPIC/IOxAPIC -Content-Length: 1103 -Lines: 36 - -commit 08f63d97749185fab942a3a47ed80f5bd89b8b7d upstream. - -No platform-device is required for IO(x)APICs, so don't even -create them. - -[ rjw: This fixes a problem with leaking platform device objects - after IOAPIC/IOxAPIC hot-removal events.] - -Signed-off-by: Joerg Roedel -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/acpi_platform.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/acpi/acpi_platform.c b/drivers/acpi/acpi_platform.c -index 296b7a14893a..5365ff6e69c1 100644 ---- a/drivers/acpi/acpi_platform.c -+++ b/drivers/acpi/acpi_platform.c -@@ -24,9 +24,11 @@ - ACPI_MODULE_NAME("platform"); - - static const struct acpi_device_id forbidden_id_list[] = { -- {"PNP0000", 0}, /* PIC */ -- {"PNP0100", 0}, /* Timer */ -- {"PNP0200", 0}, /* AT DMA Controller */ -+ {"PNP0000", 0}, /* PIC */ -+ {"PNP0100", 0}, /* Timer */ -+ {"PNP0200", 0}, /* AT DMA Controller */ -+ {"ACPI0009", 0}, /* IOxAPIC */ -+ {"ACPI000A", 0}, /* IOAPIC */ - {"", 0}, - }; - --- -2.12.2 - -From 3eb392056aeb4a0beca5fcead9ad3d6b6ff0816e Mon Sep 17 00:00:00 2001 -From: Peter Xu -Date: Wed, 15 Mar 2017 16:01:17 +0800 -Subject: [PATCH 238/251] KVM: x86: clear bus pointer when destroyed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 
-Content-Transfer-Encoding: 8bit -Content-Length: 1484 -Lines: 46 - -commit df630b8c1e851b5e265dc2ca9c87222e342c093b upstream. - -When releasing the bus, let's clear the bus pointers to mark it out. If -any further device unregister happens on this bus, we know that we're -done if we found the bus being released already. - -Signed-off-by: Peter Xu -Signed-off-by: Radim Krčmář -Signed-off-by: Greg Kroah-Hartman ---- - virt/kvm/kvm_main.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 336ed267c407..1ac5b7be7282 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -654,8 +654,10 @@ static void kvm_destroy_vm(struct kvm *kvm) - list_del(&kvm->vm_list); - spin_unlock(&kvm_lock); - kvm_free_irq_routing(kvm); -- for (i = 0; i < KVM_NR_BUSES; i++) -+ for (i = 0; i < KVM_NR_BUSES; i++) { - kvm_io_bus_destroy(kvm->buses[i]); -+ kvm->buses[i] = NULL; -+ } - kvm_coalesced_mmio_free(kvm); - #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER) - mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm); -@@ -3376,6 +3378,14 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, - struct kvm_io_bus *new_bus, *bus; - - bus = kvm->buses[bus_idx]; -+ -+ /* -+ * It's possible the bus being released before hand. If so, -+ * we're done here. -+ */ -+ if (!bus) -+ return 0; -+ - r = -ENOENT; - for (i = 0; i < bus->dev_count; i++) - if (bus->range[i].dev == dev) { --- -2.12.2 - From ef55c3df5dbd60eb3daab7797feac850bd1e6fe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= Date: Fri, 24 Mar 2017 19:01:09 +0900 
@@ -7165,181 +2968,6 @@ index 2e7f60c9fc5d..51cdc46a87e2 100644 -- 2.12.2 -From 42462d23e60b89a3c2f7d8d63f5f4e464ba77727 Mon Sep 17 00:00:00 2001 -From: David Hildenbrand -Date: Thu, 23 Mar 2017 18:24:19 +0100 -Subject: [PATCH 246/251] KVM: kvm_io_bus_unregister_dev() should never fail -Content-Length: 5392 -Lines: 167 - -commit 90db10434b163e46da413d34db8d0e77404cc645 upstream. - -No caller currently checks the return value of -kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on -freeing their device. A stale reference will remain in the io_bus, -getting at least used again, when the iobus gets teared down on -kvm_destroy_vm() - leading to use after free errors. - -There is nothing the callers could do, except retrying over and over -again. - -So let's simply remove the bus altogether, print an error and make -sure no one can access this broken bus again (returning -ENOMEM on any -attempt to access it). - -Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU") -Reported-by: Dmitry Vyukov -Reviewed-by: Cornelia Huck -Signed-off-by: David Hildenbrand -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/kvm_host.h | 4 ++-- - virt/kvm/eventfd.c | 3 ++- - virt/kvm/kvm_main.c | 40 +++++++++++++++++++++++----------------- - 3 files changed, 27 insertions(+), 20 deletions(-) - -diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index c923350ca20a..d7ce4e3280db 100644 ---- a/include/linux/kvm_host.h -+++ b/include/linux/kvm_host.h -@@ -182,8 +182,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr, - int len, void *val); - int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, - int len, struct kvm_io_device *dev); --int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, -- struct kvm_io_device *dev); -+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, -+ struct kvm_io_device *dev); - - #ifdef CONFIG_KVM_ASYNC_PF - struct 
kvm_async_pf { -diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c -index 46dbc0a7dfc1..49001fa84ead 100644 ---- a/virt/kvm/eventfd.c -+++ b/virt/kvm/eventfd.c -@@ -868,7 +868,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx, - continue; - - kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); -- kvm->buses[bus_idx]->ioeventfd_count--; -+ if (kvm->buses[bus_idx]) -+ kvm->buses[bus_idx]->ioeventfd_count--; - ioeventfd_release(p); - ret = 0; - break; -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index 1ac5b7be7282..cb092bd9965b 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -655,7 +655,8 @@ static void kvm_destroy_vm(struct kvm *kvm) - spin_unlock(&kvm_lock); - kvm_free_irq_routing(kvm); - for (i = 0; i < KVM_NR_BUSES; i++) { -- kvm_io_bus_destroy(kvm->buses[i]); -+ if (kvm->buses[i]) -+ kvm_io_bus_destroy(kvm->buses[i]); - kvm->buses[i] = NULL; - } - kvm_coalesced_mmio_free(kvm); -@@ -3273,6 +3274,8 @@ int kvm_io_bus_write(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr, - }; - - bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu); -+ if (!bus) -+ return -ENOMEM; - r = __kvm_io_bus_write(vcpu, bus, &range, val); - return r < 0 ? r : 0; - } -@@ -3290,6 +3293,8 @@ int kvm_io_bus_write_cookie(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, - }; - - bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu); -+ if (!bus) -+ return -ENOMEM; - - /* First try the device referenced by cookie. */ - if ((cookie >= 0) && (cookie < bus->dev_count) && -@@ -3340,6 +3345,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr, - }; - - bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu); -+ if (!bus) -+ return -ENOMEM; - r = __kvm_io_bus_read(vcpu, bus, &range, val); - return r < 0 ? 
r : 0; - } -@@ -3352,6 +3359,9 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, - struct kvm_io_bus *new_bus, *bus; - - bus = kvm->buses[bus_idx]; -+ if (!bus) -+ return -ENOMEM; -+ - /* exclude ioeventfd which is limited by maximum fd */ - if (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1) - return -ENOSPC; -@@ -3371,45 +3381,41 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, - } - - /* Caller must hold slots_lock. */ --int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, -- struct kvm_io_device *dev) -+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, -+ struct kvm_io_device *dev) - { -- int i, r; -+ int i; - struct kvm_io_bus *new_bus, *bus; - - bus = kvm->buses[bus_idx]; -- -- /* -- * It's possible the bus being released before hand. If so, -- * we're done here. -- */ - if (!bus) -- return 0; -+ return; - -- r = -ENOENT; - for (i = 0; i < bus->dev_count; i++) - if (bus->range[i].dev == dev) { -- r = 0; - break; - } - -- if (r) -- return r; -+ if (i == bus->dev_count) -+ return; - - new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) * - sizeof(struct kvm_io_range)), GFP_KERNEL); -- if (!new_bus) -- return -ENOMEM; -+ if (!new_bus) { -+ pr_err("kvm: failed to shrink bus, removing it completely\n"); -+ goto broken; -+ } - - memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range)); - new_bus->dev_count--; - memcpy(new_bus->range + i, bus->range + i + 1, - (new_bus->dev_count - i) * sizeof(struct kvm_io_range)); - -+broken: - rcu_assign_pointer(kvm->buses[bus_idx], new_bus); - synchronize_srcu_expedited(&kvm->srcu); - kfree(bus); -- return r; -+ return; - } - - static struct notifier_block kvm_cpu_notifier = { --- -2.12.2 - From 063d30f187f5c492aa4a6cca88b8afa08f5a170c Mon Sep 17 00:00:00 2001 From: Alexandre Belloni Date: Tue, 25 Oct 2016 11:37:59 +0200 
@@ -10376,75 +6004,3 @@ index acbb0e73d3a2..7d7f99b0db47 100644 -- 2.12.2 -From d4ad442b9982fba9eab0f9003c8cd185a1afeff6 Mon Sep 17 00:00:00 2001 -From: Marc Zyngier -Date: Thu, 16 Mar 2017 18:20:50 +0000 -Subject: [PATCH 10/52] arm/arm64: KVM: Take mmap_sem in - kvm_arch_prepare_memory_region -Status: RO -Content-Length: 2022 -Lines: 62 - -commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream. - -We don't hold the mmap_sem while searching for VMAs (via find_vma), in -kvm_arch_prepare_memory_region, which can end up in expected failures. - -Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time") -Cc: Ard Biesheuvel -Cc: Eric Auger -Reviewed-by: Christoffer Dall -[ Handle dirty page logging failure case ] -Signed-off-by: Suzuki K Poulose -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/kvm/mmu.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c -index 5366a736151e..f91ee2f27b41 100644 ---- a/arch/arm/kvm/mmu.c -+++ b/arch/arm/kvm/mmu.c -@@ -1761,6 +1761,7 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm, - (KVM_PHYS_SIZE >> PAGE_SHIFT)) - return -EFAULT; - -+ down_read(¤t->mm->mmap_sem); - /* - * A memory region could potentially cover multiple VMAs, and any holes - * between them, so iterate over all of them to find out if we can map -@@ -1804,8 +1805,10 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm, - pa += vm_start - vma->vm_start; - - /* IO region dirty page logging not allowed */ -- if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) -- return -EINVAL; -+ if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) { -+ ret = -EINVAL; -+ goto out; -+ } - - ret = kvm_phys_addr_ioremap(kvm, gpa, pa, - vm_end - vm_start, -@@ -1817,7 +1820,7 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm, - } while (hva < reg_end); - - if (change == KVM_MR_FLAGS_ONLY) -- return ret; -+ goto out; - - spin_lock(&kvm->mmu_lock); - if (ret) -@@ -1825,6 
+1828,8 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm, - else - stage2_flush_memslot(kvm, memslot); - spin_unlock(&kvm->mmu_lock); -+out: -+ up_read(¤t->mm->mmap_sem); - return ret; - } - --- -2.12.2 - diff --git a/queue-3.18/acm-gadget-fix-endianness-in-notifications.patch b/queue-3.18/acm-gadget-fix-endianness-in-notifications.patch new file mode 100644 index 00000000000..99dda89b526 --- /dev/null +++ b/queue-3.18/acm-gadget-fix-endianness-in-notifications.patch @@ -0,0 +1,43 @@ +From cdd7928df0d2efaa3270d711963773a08a4cc8ab Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 14 Mar 2017 12:09:56 +0100 +Subject: ACM gadget: fix endianness in notifications +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oliver Neukum + +commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream. + +The gadget code exports the bitfield for serial status changes +over the wire in its internal endianness. The fix is to convert +to little endian before sending it over the wire. + +Signed-off-by: Oliver Neukum +Tested-by: 家瑋 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_acm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_acm.c ++++ b/drivers/usb/gadget/function/f_acm.c +@@ -540,13 +540,15 @@ static int acm_notify_serial_state(struc + { + struct usb_composite_dev *cdev = acm->port.func.config->cdev; + int status; ++ __le16 serial_state; + + spin_lock(&acm->lock); + if (acm->notify_req) { + dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n", + acm->port_num, acm->serial_state); ++ serial_state = cpu_to_le16(acm->serial_state); + status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE, +- 0, &acm->serial_state, sizeof(acm->serial_state)); ++ 0, &serial_state, sizeof(acm->serial_state)); + } else { + acm->pending = true; + status = 0; 
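Review bot: In acm_notify_serial_state() the buffer handed to acm_cdc_notify() is now the local `serial_state`, but the length argument is still `sizeof(acm->serial_state)`, so the size comes from a different object than the pointer. The two agree only while the struct field stays 16 bits wide (its declaration is not visible here). Tying the length to the buffer, `0, &serial_state, sizeof(serial_state));`, keeps the call from reading past the stack variable if the field type ever changes. The function body continues outside the hunk.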
diff --git a/queue-3.18/acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch b/queue-3.18/acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch new file mode 100644 index 00000000000..f70e5a7e99a --- /dev/null +++ b/queue-3.18/acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch @@ -0,0 +1,40 @@ +From 08f63d97749185fab942a3a47ed80f5bd89b8b7d Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Wed, 22 Mar 2017 18:33:25 +0100 +Subject: ACPI: Do not create a platform_device for IOAPIC/IOxAPIC + +From: Joerg Roedel + +commit 08f63d97749185fab942a3a47ed80f5bd89b8b7d upstream. + +No platform-device is required for IO(x)APICs, so don't even +create them. + +[ rjw: This fixes a problem with leaking platform device objects + after IOAPIC/IOxAPIC hot-removal events.] + +Signed-off-by: Joerg Roedel +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_platform.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/acpi_platform.c ++++ b/drivers/acpi/acpi_platform.c +@@ -24,9 +24,11 @@ + ACPI_MODULE_NAME("platform"); + + static const struct acpi_device_id forbidden_id_list[] = { +- {"PNP0000", 0}, /* PIC */ +- {"PNP0100", 0}, /* Timer */ +- {"PNP0200", 0}, /* AT DMA Controller */ ++ {"PNP0000", 0}, /* PIC */ ++ {"PNP0100", 0}, /* Timer */ ++ {"PNP0200", 0}, /* AT DMA Controller */ ++ {"ACPI0009", 0}, /* IOxAPIC */ ++ {"ACPI000A", 0}, /* IOAPIC */ + {"", 0}, + }; + diff --git a/queue-3.18/acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch b/queue-3.18/acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch new file mode 100644 index 00000000000..69a6661cb51 --- /dev/null +++ b/queue-3.18/acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch 
@@ -0,0 +1,55 @@ +From 61b79e16c68d703dde58c25d3935d67210b7d71b Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Thu, 16 Mar 2017 08:56:28 -0500 +Subject: ACPI: Fix incompatibility with mcount-based function graph tracing + +From: Josh Poimboeuf + +commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream. + +Paul Menzel reported a warning: + + WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0 + Bad frame pointer: expected f6919d98, received f6919db0 + from func acpi_pm_device_sleep_wake return to c43b6f9d + +The warning means that function graph tracing is broken for the +acpi_pm_device_sleep_wake() function. That's because the ACPI Makefile +unconditionally sets the '-Os' gcc flag to optimize for size. That's an +issue because mcount-based function graph tracing is incompatible with +'-Os' on x86, thanks to the following gcc bug: + + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109 + +I have another patch pending which will ensure that mcount-based +function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on +x86. + +But this patch is needed in addition to that one because the ACPI +Makefile overrides that config option for no apparent reason. It has +had this flag since the beginning of git history, and there's no related +comment, so I don't know why it's there. As far as I can tell, there's +no reason for it to be there. The appropriate behavior is for it to +honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the +kernel. + +Reported-by: Paul Menzel +Signed-off-by: Josh Poimboeuf +Acked-by: Steven Rostedt (VMware) +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/Makefile | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/acpi/Makefile ++++ b/drivers/acpi/Makefile +@@ -2,7 +2,6 @@ + # Makefile for the Linux ACPI interpreter + # + +-ccflags-y := -Os + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT + + # diff --git a/queue-3.18/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch b/queue-3.18/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch new file mode 100644 index 00000000000..d4c57e5bccb --- /dev/null +++ b/queue-3.18/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch 
@@ -0,0 +1,44 @@ +From 72f310481a08db821b614e7b5d00febcc9064b36 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 16 Mar 2017 18:20:50 +0000 +Subject: arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region + +From: Marc Zyngier + +commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream. + +We don't hold the mmap_sem while searching for VMAs (via find_vma), in +kvm_arch_prepare_memory_region, which can end up in expected failures. + +Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time") +Cc: Ard Biesheuvel +Cc: Eric Auger +Reviewed-by: Christoffer Dall +[ Handle dirty page logging failure case ] +Signed-off-by: Suzuki K Poulose +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/mmu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -1407,6 +1407,7 @@ int kvm_arch_prepare_memory_region(struc + (KVM_PHYS_SIZE >> PAGE_SHIFT)) + return -EFAULT; + ++ down_read(¤t->mm->mmap_sem); + /* + * A memory region could potentially cover multiple VMAs, and any holes + * between them, so iterate over all of them to find out if we can map +@@ -1464,6 +1465,8 @@ int kvm_arch_prepare_memory_region(struc + else + stage2_flush_memslot(kvm, memslot); + spin_unlock(&kvm->mmu_lock); ++ ++ up_read(¤t->mm->mmap_sem); + return ret; + } + diff --git a/queue-3.18/ext4-mark-inode-dirty-after-converting-inline-directory.patch b/queue-3.18/ext4-mark-inode-dirty-after-converting-inline-directory.patch new file mode 100644 index 00000000000..9f5bc151b83 --- /dev/null +++ b/queue-3.18/ext4-mark-inode-dirty-after-converting-inline-directory.patch 
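Review bot: The only `up_read()` in this 3.18 backport sits before the final `return ret;`, whereas the upstream form of the same fix (the entry removed from mbox_todo-3.18 above) also rerouted the `-EINVAL` and `KVM_MR_FLAGS_ONLY` returns through an `out:` label. Those exits may simply not exist in the 3.18 function, but the lines between the two hunks are not shown, so it is worth confirming that no `return` sits between `down_read()` and `up_read()`; any such path would leave mmap_sem held for reading. A comment at the `down_read()` call, e.g. `/* find_vma() needs mmap_sem; dropped at the single exit below */`, would record that invariant for later backports. As rendered on this page the argument reads `¤t->mm->mmap_sem`, which is an entity-decoding artifact of `&current->mm->mmap_sem`.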
@@ -0,0 +1,46 @@ +From b9cf625d6ecde0d372e23ae022feead72b4228a6 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 15 Mar 2017 14:52:02 -0400 +Subject: ext4: mark inode dirty after converting inline directory + +From: Eric Biggers + +commit b9cf625d6ecde0d372e23ae022feead72b4228a6 upstream. + +If ext4_convert_inline_data() was called on a directory with inline +data, the filesystem was left in an inconsistent state (as considered by +e2fsck) because the file size was not increased to cover the new block. +This happened because the inode was not marked dirty after i_disksize +was updated. Fix this by marking the inode dirty at the end of +ext4_finish_convert_inline_dir(). + +This bug was probably not noticed before because most users mark the +inode dirty afterwards for other reasons. But if userspace executed +FS_IOC_SET_ENCRYPTION_POLICY with invalid parameters, as exercised by +'kvm-xfstests -c adv generic/396', then the inode was never marked dirty +after updating i_disksize. + +Fixes: 3c47d54170b6a678875566b1b8d6dcf57904e49b +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1148,10 +1148,9 @@ static int ext4_finish_convert_inline_di + set_buffer_uptodate(dir_block); + err = ext4_handle_dirty_dirent_node(handle, inode, dir_block); + if (err) +- goto out; ++ return err; + set_buffer_verified(dir_block); +-out: +- return err; ++ return ext4_mark_inode_dirty(handle, inode); + } + + static int ext4_convert_inline_data_nolock(handle_t *handle, diff --git a/queue-3.18/igb-add-i211-to-i210-phy-workaround.patch b/queue-3.18/igb-add-i211-to-i210-phy-workaround.patch new file mode 100644 index 00000000000..2b78612f3cd --- /dev/null +++ b/queue-3.18/igb-add-i211-to-i210-phy-workaround.patch 
@@ -0,0 +1,32 @@ +From 5bc8c230e2a993b49244f9457499f17283da9ec7 Mon Sep 17 00:00:00 2001 +From: Todd Fujinaka +Date: Mon, 28 Nov 2016 09:09:57 -0800 +Subject: igb: add i211 to i210 PHY workaround + +From: Todd Fujinaka + +commit 5bc8c230e2a993b49244f9457499f17283da9ec7 upstream. + +i210 and i211 share the same PHY but have different PCI IDs. Don't +forget i211 for any i210 workarounds. + +Signed-off-by: Todd Fujinaka +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/e1000_phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/e1000_phy.c ++++ b/drivers/net/ethernet/intel/igb/e1000_phy.c +@@ -84,7 +84,7 @@ s32 igb_get_phy_id(struct e1000_hw *hw) + u16 phy_id; + + /* ensure PHY page selection to fix misconfigured i210 */ +- if (hw->mac.type == e1000_i210) ++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211)) + phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0); + + ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id); diff --git a/queue-3.18/igb-workaround-for-igb-i210-firmware-issue.patch b/queue-3.18/igb-workaround-for-igb-i210-firmware-issue.patch new file mode 100644 index 00000000000..6c7b983ec7d --- /dev/null +++ b/queue-3.18/igb-workaround-for-igb-i210-firmware-issue.patch 
@@ -0,0 +1,37 @@ +From 4e684f59d760a2c7c716bb60190783546e2d08a1 Mon Sep 17 00:00:00 2001 +From: Chris J Arges +Date: Wed, 2 Nov 2016 09:13:42 -0500 +Subject: igb: Workaround for igb i210 firmware issue + +From: Chris J Arges + +commit 4e684f59d760a2c7c716bb60190783546e2d08a1 upstream. + +Sometimes firmware may not properly initialize I347AT4_PAGE_SELECT causing +the probe of an igb i210 NIC to fail. This patch adds an addition zeroing +of this register during igb_get_phy_id to workaround this issue. + +Thanks for Jochen Henneberg for the idea and original patch. + +Signed-off-by: Chris J Arges +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/e1000_phy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/intel/igb/e1000_phy.c ++++ b/drivers/net/ethernet/intel/igb/e1000_phy.c +@@ -83,6 +83,10 @@ s32 igb_get_phy_id(struct e1000_hw *hw) + s32 ret_val = 0; + u16 phy_id; + ++ /* ensure PHY page selection to fix misconfigured i210 */ ++ if (hw->mac.type == e1000_i210) ++ phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0); ++ + ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id); + if (ret_val) + goto out; diff --git a/queue-3.18/iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch b/queue-3.18/iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch new file mode 100644 index 00000000000..9e3869cb7a1 --- /dev/null +++ b/queue-3.18/iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch 
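Review bot: The added `phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);` in igb_get_phy_id() discards its result, so a failed page-select write goes unnoticed and the `read_reg(hw, PHY_ID1, &phy_id)` that follows may still read from the wrong page. If the write is meant to be best-effort, a comment saying so would help. Otherwise, assuming write_reg reports errors the way read_reg does, `ret_val = phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0); if (ret_val) goto out;` matches the handling already used for the read just below. The same call is the context of the i211 follow-up queued alongside (igb-add-i211-to-i210-phy-workaround.patch), and the function continues outside the hunk.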
@@ -0,0 +1,70 @@ +From e83bb3e6f3efa21f4a9d883a25d0ecd9dfb431e1 Mon Sep 17 00:00:00 2001 +From: Michael Engl +Date: Tue, 3 Oct 2017 13:57:00 +0100 +Subject: iio: adc: ti_am335x_adc: fix fifo overrun recovery + +From: Michael Engl + +commit e83bb3e6f3efa21f4a9d883a25d0ecd9dfb431e1 upstream. + +The tiadc_irq_h(int irq, void *private) function is handling FIFO +overruns by clearing flags, disabling and enabling the ADC to +recover. + +If the ADC is running in continuous mode a FIFO overrun happens +regularly. If the disabling of the ADC happens concurrently with +a new conversion. It might happen that the enabling of the ADC +is ignored by the hardware. This stops the ADC permanently. No +more interrupts are triggered. + +According to the AM335x Reference Manual (SPRUH73H October 2011 - +Revised April 2013 - Chapter 12.4 and 12.5) it is necessary to +check the ADC FSM bits in REG_ADCFSM before enabling the ADC +again. Because the disabling of the ADC is done right after the +current conversion has been finished. + +To trigger this bug it is necessary to run the ADC in continuous +mode. The ADC values of all channels need to be read in an endless +loop. The bug appears within the first 6 hours (~5.4 million +handled FIFO overruns). The user space application will hang on +reading new values from the character device. 
+ +Fixes: ca9a563805f7a ("iio: ti_am335x_adc: Add continuous sampling +support") +Signed-off-by: Michael Engl +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti_am335x_adc.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/ti_am335x_adc.c ++++ b/drivers/iio/adc/ti_am335x_adc.c +@@ -122,7 +122,9 @@ static irqreturn_t tiadc_irq_h(int irq, + { + struct iio_dev *indio_dev = private; + struct tiadc_device *adc_dev = iio_priv(indio_dev); +- unsigned int status, config; ++ unsigned int status, config, adc_fsm; ++ unsigned short count = 0; ++ + status = tiadc_readl(adc_dev, REG_IRQSTATUS); + + /* +@@ -136,6 +138,15 @@ static irqreturn_t tiadc_irq_h(int irq, + tiadc_writel(adc_dev, REG_CTRL, config); + tiadc_writel(adc_dev, REG_IRQSTATUS, IRQENB_FIFO1OVRRUN + | IRQENB_FIFO1UNDRFLW | IRQENB_FIFO1THRES); ++ ++ /* wait for idle state. ++ * ADC needs to finish the current conversion ++ * before disabling the module ++ */ ++ do { ++ adc_fsm = tiadc_readl(adc_dev, REG_ADCFSM); ++ } while (adc_fsm != 0x10 && count++ < 100); ++ + tiadc_writel(adc_dev, REG_CTRL, (config | CNTRLREG_TSCSSENB)); + return IRQ_HANDLED; + } else if (status & IRQENB_FIFO1THRES) { diff --git a/queue-3.18/input-cm109-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-cm109-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..1b7036362c8 --- /dev/null +++ b/queue-3.18/input-cm109-validate-number-of-endpoints-before-using-them.patch 
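Review bot: The idle-wait loop added to tiadc_irq_h() falls through to the `REG_CTRL` re-enable whether or not the FSM ever reported idle, so a timeout after the back-to-back register reads is indistinguishable from success and the stuck-ADC case from the commit message could recur silently. A check after the loop such as `if (adc_fsm != 0x10) dev_warn_ratelimited(&indio_dev->dev, "ADC FSM not idle before re-enable\n");` would at least leave a trace. The literals `0x10` and `100` would read better as named constants next to the other register definitions. The comment says "before disabling the module" although the code is waiting before re-enabling it; `/* wait for the FSM to go idle before re-enabling the ADC */` matches what the loop does. The handler continues outside the hunk.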
@@ -0,0 +1,34 @@ +From ac2ee9ba953afe88f7a673e1c0c839227b1d7891 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:35:12 -0700 +Subject: Input: cm109 - validate number of endpoints before using them + +From: Johan Hovold + +commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/cm109.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/cm109.c ++++ b/drivers/input/misc/cm109.c +@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_in + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ ++ if (interface->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &interface->endpoint[0].desc; + + if (!usb_endpoint_is_int_in(endpoint)) diff --git a/queue-3.18/input-hanwang-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-hanwang-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..c97f2800495 --- /dev/null +++ b/queue-3.18/input-hanwang-validate-number-of-endpoints-before-using-them.patch 
@@ -0,0 +1,33 @@ +From ba340d7b83703768ce566f53f857543359aa1b98 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:39:29 -0700 +Subject: Input: hanwang - validate number of endpoints before using them + +From: Johan Hovold + +commit ba340d7b83703768ce566f53f857543359aa1b98 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/hanwang.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/tablet/hanwang.c ++++ b/drivers/input/tablet/hanwang.c +@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_inte + int error; + int i; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL); + input_dev = input_allocate_device(); + if (!hanwang || !input_dev) { diff --git a/queue-3.18/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch b/queue-3.18/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch new file mode 100644 index 00000000000..252ab274579 --- /dev/null +++ b/queue-3.18/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch 
@@ -0,0 +1,40 @@ +From 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 7 Mar 2017 09:31:29 -0800 +Subject: Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 + +From: Kai-Heng Feng + +commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream. + +The aux port does not get detected without noloop quirk, so external PS/2 +mouse cannot work as result. + +The PS/2 mouse can work with this quirk. + +BugLink: https://bugs.launchpad.net/bugs/1591053 +Signed-off-by: Kai-Heng Feng +Reviewed-by: Marcos Paulo de Souza +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -120,6 +120,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Dell Embedded Box PC 3000 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"), ++ }, ++ }, ++ { + /* OQO Model 01 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "OQO"), diff --git a/queue-3.18/input-iforce-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-iforce-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..d93dffa2ead --- /dev/null +++ b/queue-3.18/input-iforce-validate-number-of-endpoints-before-using-them.patch 
@@ -0,0 +1,33 @@
+From 59cf8bed44a79ec42303151dd014fdb6434254bb Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 16 Mar 2017 11:34:02 -0700
+Subject: Input: iforce - validate number of endpoints before using them
+
+From: Johan Hovold
+
+commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Signed-off-by: Johan Hovold
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/joystick/iforce/iforce-usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/iforce/iforce-usb.c
++++ b/drivers/input/joystick/iforce/iforce-usb.c
+@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_i
+
+ interface = intf->cur_altsetting;
+
++ if (interface->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ epirq = &interface->endpoint[0].desc;
+ epout = &interface->endpoint[1].desc;
+
diff --git a/queue-3.18/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
new file mode 100644
index 00000000000..725bacfaa12
--- /dev/null
+++ b/queue-3.18/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
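Review bot: The new `bNumEndpoints < 2` guard in iforce_usb_probe() bounds the endpoint count, but the two descriptors taken right after it (`epirq = &interface->endpoint[0].desc;` and `epout = &interface->endpoint[1].desc;`) are not checked for type or direction anywhere in the visible lines. The rest of the function lies outside the hunk, so this may be handled further down; if it is not, and assuming these are meant to be an interrupt-IN and an interrupt-OUT endpoint, I would add `if (!usb_endpoint_is_int_in(epirq) || !usb_endpoint_is_int_out(epout)) return -ENODEV;` after the two assignments. The same remark applies to the ims-pcu patch that follows, where `usb_endpoint_maxp(pcu->ep_ctrl)` is taken from `alt->endpoint[0]` with only the count checked in the hunk.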
@@ -0,0 +1,34 @@
+From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 16 Mar 2017 11:36:13 -0700
+Subject: Input: ims-pcu - validate number of endpoints before using them
+
+From: Johan Hovold
+
+commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack control-interface endpoints.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Signed-off-by: Johan Hovold
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/misc/ims-pcu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct
+ return -EINVAL;
+
+ alt = pcu->ctrl_intf->cur_altsetting;
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ pcu->ep_ctrl = &alt->endpoint[0].desc;
+ pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
+
diff --git a/queue-3.18/input-kbtab-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-kbtab-validate-number-of-endpoints-before-using-them.patch
new file mode 100644
index 00000000000..35c645a1da1
--- /dev/null
+++ b/queue-3.18/input-kbtab-validate-number-of-endpoints-before-using-them.patch
@@ -0,0 +1,32 @@
+From cb1b494663e037253337623bf1ef2df727883cb7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 16 Mar 2017 11:41:55 -0700
+Subject: Input: kbtab - validate number of endpoints before using them
+
+From: Johan Hovold
+
+commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Signed-off-by: Johan Hovold
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/tablet/kbtab.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/kbtab.c
++++ b/drivers/input/tablet/kbtab.c
+@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interf
+ struct input_dev *input_dev;
+ int error = -ENOMEM;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
+ input_dev = input_allocate_device();
+ if (!kbtab || !input_dev)
diff --git a/queue-3.18/input-sur40-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-sur40-validate-number-of-endpoints-before-using-them.patch
new file mode 100644
index 00000000000..0ae75af87f3
--- /dev/null
+++ b/queue-3.18/input-sur40-validate-number-of-endpoints-before-using-them.patch
@@ -0,0 +1,34 @@
+From 92461f5d723037530c1f36cce93640770037812c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 16 Mar 2017 11:43:09 -0700
+Subject: Input: sur40 - validate number of endpoints before using them
+
+From: Johan Hovold
+
+commit 92461f5d723037530c1f36cce93640770037812c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ")
+Signed-off-by: Johan Hovold
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/touchscreen/sur40.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -361,6 +361,9 @@ static int sur40_probe(struct usb_interf
+ if (iface_desc->desc.bInterfaceClass != 0xFF)
+ return -ENODEV;
+
++ if (iface_desc->desc.bNumEndpoints < 5)
++ return -ENODEV;
++
+ /* Use endpoint #4 (0x86). */
+ endpoint = &iface_desc->endpoint[4].desc;
+ if (endpoint->bEndpointAddress != TOUCH_ENDPOINT)
diff --git a/queue-3.18/input-yealink-validate-number-of-endpoints-before-using-them.patch b/queue-3.18/input-yealink-validate-number-of-endpoints-before-using-them.patch
new file mode 100644
index 00000000000..ed8a6543ea9
--- /dev/null
+++ b/queue-3.18/input-yealink-validate-number-of-endpoints-before-using-them.patch
@@ -0,0 +1,34 @@
+From 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 16 Mar 2017 11:37:01 -0700
+Subject: Input: yealink - validate number of endpoints before using them
+
+From: Johan Hovold
+
+commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
+Signed-off-by: Johan Hovold
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/misc/yealink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/yealink.c
++++ b/drivers/input/misc/yealink.c
+@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interfac
+ int ret, pipe, i;
+
+ interface = intf->cur_altsetting;
++
++ if (interface->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ endpoint = &interface->endpoint[0].desc;
+ if (!usb_endpoint_is_int_in(endpoint))
+ return -ENODEV;
diff --git a/queue-3.18/iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch b/queue-3.18/iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch
new file mode 100644
index 00000000000..5751414e16d
--- /dev/null
+++ b/queue-3.18/iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch
@@ -0,0 +1,77 @@
+From 5003ae1e735e6bfe4679d9bed6846274f322e77e Mon Sep 17 00:00:00 2001
+From: Koos Vriezen
+Date: Wed, 1 Mar 2017 21:02:50 +0100
+Subject: iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
+
+From: Koos Vriezen
+
+commit 5003ae1e735e6bfe4679d9bed6846274f322e77e upstream.
+
+The function device_to_iommu() in the Intel VT-d driver
+lacks a NULL-ptr check, resulting in this oops at boot on
+some platforms:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000007ab
+ IP: [] device_to_iommu+0x11a/0x1a0
+ PGD 0
+
+ [...]
+
+ Call Trace:
+ ? find_or_alloc_domain.constprop.29+0x1a/0x300
+ ? dw_dma_probe+0x561/0x580 [dw_dmac_core]
+ ? __get_valid_domain_for_dev+0x39/0x120
+ ? __intel_map_single+0x138/0x180
+ ? intel_alloc_coherent+0xb6/0x120
+ ? sst_hsw_dsp_init+0x173/0x420 [snd_soc_sst_haswell_pcm]
+ ? mutex_lock+0x9/0x30
+ ? kernfs_add_one+0xdb/0x130
+ ? devres_add+0x19/0x60
+ ? hsw_pcm_dev_probe+0x46/0xd0 [snd_soc_sst_haswell_pcm]
+ ? platform_drv_probe+0x30/0x90
+ ? driver_probe_device+0x1ed/0x2b0
+ ? __driver_attach+0x8f/0xa0
+ ? driver_probe_device+0x2b0/0x2b0
+ ? bus_for_each_dev+0x55/0x90
+ ? bus_add_driver+0x110/0x210
+ ? 0xffffffffa11ea000
+ ? driver_register+0x52/0xc0
+ ? 0xffffffffa11ea000
+ ? do_one_initcall+0x32/0x130
+ ? free_vmap_area_noflush+0x37/0x70
+ ? kmem_cache_alloc+0x88/0xd0
+ ? do_init_module+0x51/0x1c4
+ ? load_module+0x1ee9/0x2430
+ ? show_taint+0x20/0x20
+ ? kernel_read_file+0xfd/0x190
+ ? SyS_finit_module+0xa3/0xb0
+ ? do_syscall_64+0x4a/0xb0
+ ? entry_SYSCALL64_slow_path+0x25/0x25
+ Code: 78 ff ff ff 4d 85 c0 74 ee 49 8b 5a 10 0f b6 9b e0 00 00 00 41 38 98 e0 00 00 00 77 da 0f b6 eb 49 39 a8 88 00 00 00 72 ce eb 8f <41> f6 82 ab 07 00 00 04 0f 85 76 ff ff ff 0f b6 4d 08 88 0e 49
+ RIP [] device_to_iommu+0x11a/0x1a0
+ RSP
+ CR2: 00000000000007ab
+ ---[ end trace 16f974b6d58d0aad ]---
+
+Add the missing pointer check.
+
+Fixes: 1c387188c60f53b338c20eee32db055dfe022a9b ("iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions")
+Signed-off-by: Koos Vriezen
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/intel-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -719,7 +719,7 @@ static struct intel_iommu *device_to_iom
+ * which we used for the IOMMU lookup. Strictly speaking
+ * we could do this for all PCI devices; we only need to
+ * get the BDF# from the scope table for ACPI matches. */
+- if (pdev->is_virtfn)
++ if (pdev && pdev->is_virtfn)
+ goto got_pdev;
+
+ *bus = drhd->devices[i].bus;
diff --git a/queue-3.18/ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch b/queue-3.18/ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch
new file mode 100644
index 00000000000..81e7c3d9b08
--- /dev/null
+++ b/queue-3.18/ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch
@@ -0,0 +1,39 @@
+From c64c0b3cac4c5b8cb093727d2c19743ea3965c0b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 21 Mar 2017 19:22:28 -0700
+Subject: ipv4: provide stronger user input validation in nl_fib_input()
+
+From: Eric Dumazet
+
+commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b upstream.
+
+Alexander reported a KMSAN splat caused by reads of uninitialized
+field (tb_id_in) from user provided struct fib_result_nl
+
+It turns out nl_fib_input() sanity tests on user input is a bit
+wrong :
+
+User can pretend nlh->nlmsg_len is big enough, but provide
+at sendmsg() time a too small buffer.
+
+Reported-by: Alexander Potapenko
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/fib_frontend.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -961,7 +961,8 @@ static void nl_fib_input(struct sk_buff
+
+ net = sock_net(skb->sk);
+ nlh = nlmsg_hdr(skb);
+- if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len ||
++ if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
++ skb->len < nlh->nlmsg_len ||
+ nlmsg_len(nlh) < sizeof(*frn))
+ return;
+
diff --git a/queue-3.18/isdn-gigaset-fix-null-deref-at-probe.patch b/queue-3.18/isdn-gigaset-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..01bd36444d8
--- /dev/null
+++ b/queue-3.18/isdn-gigaset-fix-null-deref-at-probe.patch
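Review bot: The new condition in nl_fib_input() has no comment saying that its first test, `skb->len < nlmsg_total_size(sizeof(*frn))`, is the only one of the three that does not depend on the sender-controlled `nlh->nlmsg_len`. The other two compare against that field, so on their own they cannot establish that the buffer really holds a full header plus `*frn`; a later cleanup that merges or reorders the tests could bring back the uninitialized read described in the commit message. I would add a comment above the `if`, for example `/* skb->len must cover header + *frn before nlh->nlmsg_len is trusted */`. The function body continues outside the hunk.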
@@ -0,0 +1,35 @@
+From 68c32f9c2a36d410aa242e661506e5b2c2764179 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Mar 2017 13:39:01 +0100
+Subject: isdn/gigaset: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit 68c32f9c2a36d410aa242e661506e5b2c2764179 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: cf7776dc05b8 ("[PATCH] isdn4linux: Siemens Gigaset drivers -
+direct USB connection")
+Cc: Hansjoerg Lipp
+Signed-off-by: Johan Hovold
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/gigaset/bas-gigaset.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -2317,6 +2317,9 @@ static int gigaset_probe(struct usb_inte
+ return -ENODEV;
+ }
+
++ if (hostif->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ dev_info(&udev->dev,
+ "%s: Device matched (Vendor: 0x%x, Product: 0x%x)\n",
+ __func__, le16_to_cpu(udev->descriptor.idVendor),
diff --git a/queue-3.18/kvm-kvm_io_bus_unregister_dev-should-never-fail.patch b/queue-3.18/kvm-kvm_io_bus_unregister_dev-should-never-fail.patch
new file mode 100644
index 00000000000..285e4b59014
--- /dev/null
+++ b/queue-3.18/kvm-kvm_io_bus_unregister_dev-should-never-fail.patch
@@ -0,0 +1,167 @@
+From 90db10434b163e46da413d34db8d0e77404cc645 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Thu, 23 Mar 2017 18:24:19 +0100
+Subject: KVM: kvm_io_bus_unregister_dev() should never fail
+
+From: David Hildenbrand
+
+commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.
+
+No caller currently checks the return value of
+kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
+freeing their device. A stale reference will remain in the io_bus,
+getting at least used again, when the iobus gets teared down on
+kvm_destroy_vm() - leading to use after free errors.
+
+There is nothing the callers could do, except retrying over and over
+again.
+
+So let's simply remove the bus altogether, print an error and make
+sure no one can access this broken bus again (returning -ENOMEM on any
+attempt to access it).
+
+Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
+Reported-by: Dmitry Vyukov
+Reviewed-by: Cornelia Huck
+Signed-off-by: David Hildenbrand
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/kvm_host.h | 4 ++--
+ virt/kvm/eventfd.c | 3 ++-
+ virt/kvm/kvm_main.c | 40 +++++++++++++++++++++++-----------------
+ 3 files changed, 27 insertions(+), 20 deletions(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -177,8 +177,8 @@ int kvm_io_bus_read(struct kvm *kvm, enu
+ void *val);
+ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ int len, struct kvm_io_device *dev);
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+- struct kvm_io_device *dev);
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++ struct kvm_io_device *dev);
+
+ #ifdef CONFIG_KVM_ASYNC_PF
+ struct kvm_async_pf {
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -866,7 +866,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *k
+ continue;
+
+ kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
+- kvm->buses[bus_idx]->ioeventfd_count--;
++ if (kvm->buses[bus_idx])
++ kvm->buses[bus_idx]->ioeventfd_count--;
+ ioeventfd_release(p);
+ ret = 0;
+ break;
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -615,7 +615,8 @@ static void kvm_destroy_vm(struct kvm *k
+ spin_unlock(&kvm_lock);
+ kvm_free_irq_routing(kvm);
+ for (i = 0; i < KVM_NR_BUSES; i++) {
+- kvm_io_bus_destroy(kvm->buses[i]);
++ if (kvm->buses[i])
++ kvm_io_bus_destroy(kvm->buses[i]);
+ kvm->buses[i] = NULL;
+ }
+ kvm_coalesced_mmio_free(kvm);
+@@ -2980,6 +2981,8 @@ int kvm_io_bus_write(struct kvm *kvm, en
+ };
+
+ bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++ if (!bus)
++ return -ENOMEM;
+ r = __kvm_io_bus_write(bus, &range, val);
+ return r < 0 ? r : 0;
+ }
+@@ -2997,6 +3000,8 @@ int kvm_io_bus_write_cookie(struct kvm *
+ };
+
+ bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++ if (!bus)
++ return -ENOMEM;
+
+ /* First try the device referenced by cookie. */
+ if ((cookie >= 0) && (cookie < bus->dev_count) &&
+@@ -3047,6 +3052,8 @@ int kvm_io_bus_read(struct kvm *kvm, enu
+ };
+
+ bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++ if (!bus)
++ return -ENOMEM;
+ r = __kvm_io_bus_read(bus, &range, val);
+ return r < 0 ? r : 0;
+ }
+@@ -3059,6 +3066,9 @@ int kvm_io_bus_register_dev(struct kvm *
+ struct kvm_io_bus *new_bus, *bus;
+
+ bus = kvm->buses[bus_idx];
++ if (!bus)
++ return -ENOMEM;
++
+ /* exclude ioeventfd which is limited by maximum fd */
+ if (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1)
+ return -ENOSPC;
+@@ -3078,45 +3088,41 @@ int kvm_io_bus_register_dev(struct kvm *
+ }
+
+ /* Caller must hold slots_lock. */
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+- struct kvm_io_device *dev)
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++ struct kvm_io_device *dev)
+ {
+- int i, r;
++ int i;
+ struct kvm_io_bus *new_bus, *bus;
+
+ bus = kvm->buses[bus_idx];
+-
+- /*
+- * It's possible the bus being released before hand. If so,
+- * we're done here.
+- */
+ if (!bus)
+- return 0;
++ return;
+
+- r = -ENOENT;
+ for (i = 0; i < bus->dev_count; i++)
+ if (bus->range[i].dev == dev) {
+- r = 0;
+ break;
+ }
+
+- if (r)
+- return r;
++ if (i == bus->dev_count)
++ return;
+
+ new_bus = kzalloc(sizeof(*bus) + ((bus->dev_count - 1) *
+ sizeof(struct kvm_io_range)), GFP_KERNEL);
+- if (!new_bus)
+- return -ENOMEM;
++ if (!new_bus) {
++ pr_err("kvm: failed to shrink bus, removing it completely\n");
++ goto broken;
++ }
+
+ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
+ new_bus->dev_count--;
+ memcpy(new_bus->range + i, bus->range + i + 1,
+ (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
+
++broken:
+ rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
+ synchronize_srcu_expedited(&kvm->srcu);
+ kfree(bus);
+- return r;
++ return;
+ }
+
+ static struct notifier_block kvm_cpu_notifier = {
diff --git a/queue-3.18/kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch b/queue-3.18/kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch
new file mode 100644
index 00000000000..91fca5b2be8
--- /dev/null
+++ b/queue-3.18/kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch
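Review bot: After the `broken:` label in kvm_io_bus_unregister_dev(), `new_bus` is NULL and is published with `rcu_assign_pointer(kvm->buses[bus_idx], new_bus)`, so from then on every user of `kvm->buses[]` has to tolerate NULL. The hunks add that check to kvm_io_bus_write(), kvm_io_bus_write_cookie(), kvm_io_bus_read(), kvm_io_bus_register_dev(), kvm_destroy_vm() and the ioeventfd deassign path, but any dereference of `kvm->buses[...]` outside these hunks would still oops; that cannot be confirmed from here and is worth a grep of the 3.18 tree before this is queued. On the same path only `kfree(bus)` runs, and kvm_destroy_vm() now skips kvm_io_bus_destroy() for a NULL bus, so the other devices still registered on the dropped bus appear to be left without a teardown call. I would document this at the label, e.g. `/* new_bus may be NULL here: the bus is dropped, users see -ENOMEM */`, and the trailing `return;` in the now-void function can go.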
@@ -0,0 +1,50 @@
+From 708e75a3ee750dce1072134e630d66c4e6eaf63c Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Wed, 18 May 2016 21:01:20 +0200
+Subject: KVM: PPC: Book3S PR: Fix illegal opcode emulation
+
+From: Thomas Huth
+
+commit 708e75a3ee750dce1072134e630d66c4e6eaf63c upstream.
+
+If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate
+one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls
+kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction()
+returned EMULATE_FAIL, so the guest gets an program interrupt for the
+illegal opcode.
+However, the kvmppc_emulate_instruction() also tried to inject a
+program exception for this already, so the program interrupt gets
+injected twice and the return address in srr0 gets destroyed.
+All other callers of kvmppc_emulate_instruction() are also injecting
+a program interrupt, and since the callers have the right knowledge
+about the srr1 flags that should be used, it is the function
+kvmppc_emulate_instruction() that should _not_ inject program
+interrupts, so remove the kvmppc_core_queue_program() here.
+
+This fixes the issue discovered by Laurent Vivier with kvm-unit-tests
+where the logs are filled with these messages when the test tries
+to execute an illegal instruction:
+
+ Couldn't emulate instruction 0x00000000 (op 0 xop 0)
+ kvmppc_handle_exit_pr: emulation at 700 failed (00000000)
+
+Signed-off-by: Thomas Huth
+Reviewed-by: Alexander Graf
+Tested-by: Laurent Vivier
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/emulate.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/powerpc/kvm/emulate.c
++++ b/arch/powerpc/kvm/emulate.c
+@@ -302,7 +302,6 @@ int kvmppc_emulate_instruction(struct kv
+ advance = 0;
+ printk(KERN_ERR "Couldn't emulate instruction 0x%08x "
+ "(op %d xop %d)\n", inst, get_op(inst), get_xop(inst));
+- kvmppc_core_queue_program(vcpu, 0);
+ }
+ }
+
diff --git a/queue-3.18/kvm-x86-clear-bus-pointer-when-destroyed.patch b/queue-3.18/kvm-x86-clear-bus-pointer-when-destroyed.patch
new file mode 100644
index 00000000000..c44e6971d41
--- /dev/null
+++ b/queue-3.18/kvm-x86-clear-bus-pointer-when-destroyed.patch
@@ -0,0 +1,53 @@
+From df630b8c1e851b5e265dc2ca9c87222e342c093b Mon Sep 17 00:00:00 2001
+From: Peter Xu
+Date: Wed, 15 Mar 2017 16:01:17 +0800
+Subject: KVM: x86: clear bus pointer when destroyed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Xu
+
+commit df630b8c1e851b5e265dc2ca9c87222e342c093b upstream.
+
+When releasing the bus, let's clear the bus pointers to mark it out. If
+any further device unregister happens on this bus, we know that we're
+done if we found the bus being released already.
+
+Signed-off-by: Peter Xu
+Signed-off-by: Radim Krčmář
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/kvm_main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -614,8 +614,10 @@ static void kvm_destroy_vm(struct kvm *k
+ list_del(&kvm->vm_list);
+ spin_unlock(&kvm_lock);
+ kvm_free_irq_routing(kvm);
+- for (i = 0; i < KVM_NR_BUSES; i++)
++ for (i = 0; i < KVM_NR_BUSES; i++) {
+ kvm_io_bus_destroy(kvm->buses[i]);
++ kvm->buses[i] = NULL;
++ }
+ kvm_coalesced_mmio_free(kvm);
+ #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
+ mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
+@@ -3083,6 +3085,14 @@ int kvm_io_bus_unregister_dev(struct kvm
+ struct kvm_io_bus *new_bus, *bus;
+
+ bus = kvm->buses[bus_idx];
++
++ /*
++ * It's possible the bus being released before hand. If so,
++ * we're done here.
++ */
++ if (!bus)
++ return 0;
++
+ r = -ENOENT;
+ for (i = 0; i < bus->dev_count; i++)
+ if (bus->range[i].dev == dev) {
diff --git a/queue-3.18/md-raid1-10-fix-potential-deadlock.patch b/queue-3.18/md-raid1-10-fix-potential-deadlock.patch
new file mode 100644
index 00000000000..203bc48ad71
--- /dev/null
+++ b/queue-3.18/md-raid1-10-fix-potential-deadlock.patch
@@ -0,0 +1,90 @@
+From 61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 Mon Sep 17 00:00:00 2001
+From: Shaohua Li
+Date: Tue, 28 Feb 2017 13:00:20 -0800
+Subject: md/raid1/10: fix potential deadlock
+
+From: Shaohua Li
+
+commit 61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 upstream.
+
+Neil Brown pointed out a potential deadlock in raid 10 code with
+bio_split/chain. The raid1 code could have the same issue, but recent
+barrier rework makes it less likely to happen. The deadlock happens in
+below sequence:
+
+1. generic_make_request(bio), this will set current->bio_list
+2. raid10_make_request will split bio to bio1 and bio2
+3. __make_request(bio1), wait_barrer, add underlayer disk bio to
+current->bio_list
+4. __make_request(bio2), wait_barrer
+
+If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
+raise_barrier waits for IO completion from 3. And since raise_barrier
+sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
+dispatched because raid10_make_request() doesn't finished yet.
+
+The solution is to adjust the IO ordering. Quotes from Neil:
+"
+It is much safer to:
+
+ if (need to split) {
+ split = bio_split(bio, ...)
+ bio_chain(...)
+ make_request_fn(split);
+ generic_make_request(bio);
+ } else
+ make_request_fn(mddev, bio);
+
+This way we first process the initial section of the bio (in 'split')
+which will queue some requests to the underlying devices. These
+requests will be queued in generic_make_request.
+Then we queue the remainder of the bio, which will be added to the end
+of the generic_make_request queue.
+Then we return.
+generic_make_request() will pop the lower-level device requests off the
+queue and handle them first. Then it will process the remainder
+of the original bio once the first section has been fully processed.
+"
+
+Note, this only happens in read path. In write path, the bio is flushed to
+underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
+It's queued in current->bio_list.
+
+Cc: Coly Li
+Suggested-by: NeilBrown
+Reviewed-by: Jack Wang
+Signed-off-by: Shaohua Li
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid10.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1578,7 +1578,25 @@ static void make_request(struct mddev *m
+ split = bio;
+ }
+
++ /*
++ * If a bio is splitted, the first part of bio will pass
++ * barrier but the bio is queued in current->bio_list (see
++ * generic_make_request). If there is a raise_barrier() called
++ * here, the second part of bio can't pass barrier. But since
++ * the first part bio isn't dispatched to underlaying disks
++ * yet, the barrier is never released, hence raise_barrier will
++ * alays wait. We have a deadlock.
++ * Note, this only happens in read path. For write path, the
++ * first part of bio is dispatched in a schedule() call
++ * (because of blk plug) or offloaded to raid10d.
++ * Quitting from the function immediately can change the bio
++ * order queued in bio_list and avoid the deadlock.
++ */
+ __make_request(mddev, split);
++ if (split != bio && bio_data_dir(bio) == READ) {
++ generic_make_request(bio);
++ break;
++ }
+ } while (split != bio);
+
+ /* In case raid10d snuck in to freeze_array */
diff --git a/queue-3.18/mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch b/queue-3.18/mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch
new file mode 100644
index 00000000000..334f5725bf3
--- /dev/null
+++ b/queue-3.18/mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch
@@ -0,0 +1,44 @@
+From e2ebfb2142acefecc2496e71360f50d25726040b Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Mon, 20 Mar 2017 19:50:29 +0200
+Subject: mmc: sdhci: Do not disable interrupts while waiting for clock
+
+From: Adrian Hunter
+
+commit e2ebfb2142acefecc2496e71360f50d25726040b upstream.
+
+Disabling interrupts for even a millisecond can cause problems for some
+devices. That can happen when sdhci changes clock frequency because it
+waits for the clock to become stable under a spin lock.
+
+The spin lock is not necessary here. Anything that is racing with changes
+to the I/O state is already broken. The mmc core already provides
+synchronization via "claiming" the host.
+
+Although the spin lock probably should be removed from the code paths that
+lead to this point, such a patch would touch too much code to be suitable
+for stable trees. Consequently, for this patch, just drop the spin lock
+while waiting.
+
+Signed-off-by: Adrian Hunter
+Signed-off-by: Ulf Hansson
+Tested-by: Ludovic Desroches
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1232,7 +1232,9 @@ clock_set:
+ return;
+ }
+ timeout--;
+- mdelay(1);
++ spin_unlock_irq(&host->lock);
++ usleep_range(900, 1100);
++ spin_lock_irq(&host->lock);
+ }
+
+ clk |= SDHCI_CLOCK_CARD_EN;
diff --git a/queue-3.18/mmc-ushc-fix-null-deref-at-probe.patch b/queue-3.18/mmc-ushc-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..ca5b219b5e5
--- /dev/null
+++ b/queue-3.18/mmc-ushc-fix-null-deref-at-probe.patch
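Review bot: The added `spin_unlock_irq(&host->lock)` / `spin_lock_irq(&host->lock)` pair around `usleep_range(900, 1100)` relies on every path into this loop holding host->lock, running in process context, and having had interrupts enabled before the lock was taken; none of that is visible in the hunk, whose enclosing function starts and ends outside it. If a caller took the lock with spin_lock_irqsave() while interrupts were already off, the unconditional `_irq` variants would turn them back on, and a caller in atomic context would now sleep. For a 3.18 backport I would check the host drivers in that tree that reach this code, and state the contract in a comment above the unlock, e.g. `/* callers hold host->lock from sleepable context; it is dropped while waiting */`.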
@@ -0,0 +1,34 @@
+From 181302dc7239add8ab1449c23ecab193f52ee6ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Mar 2017 13:40:22 +0100
+Subject: mmc: ushc: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver")
+Cc: David Vrabel
+Signed-off-by: Johan Hovold
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/ushc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/ushc.c
++++ b/drivers/mmc/host/ushc.c
+@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interfa
+ struct ushc_data *ushc;
+ int ret;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev);
+ if (mmc == NULL)
+ return -ENOMEM;
diff --git a/queue-3.18/net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch b/queue-3.18/net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch
new file mode 100644
index 00000000000..a4cd9f97331
--- /dev/null
+++ b/queue-3.18/net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch
@@ -0,0 +1,43 @@
+From 5371bbf4b295eea334ed453efa286afa2c3ccff3 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Wed, 15 Mar 2017 12:57:21 -0700
+Subject: net: bcmgenet: Do not suspend PHY if Wake-on-LAN is enabled
+
+From: Florian Fainelli
+
+commit 5371bbf4b295eea334ed453efa286afa2c3ccff3 upstream.
+
+Suspending the PHY would be putting it in a low power state where it
+may no longer allow us to do Wake-on-LAN.
+
+Fixes: cc013fb48898 ("net: bcmgenet: correctly suspend and resume PHY device")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2695,7 +2695,8 @@ static int bcmgenet_suspend(struct devic
+
+ bcmgenet_netif_stop(dev);
+
+- phy_suspend(priv->phydev);
++ if (!device_may_wakeup(d))
++ phy_suspend(priv->phydev);
+
+ netif_device_detach(dev);
+
+@@ -2784,7 +2785,8 @@ static int bcmgenet_resume(struct device
+
+ netif_device_attach(dev);
+
+- phy_resume(priv->phydev);
++ if (!device_may_wakeup(d))
++ phy_resume(priv->phydev);
+
+ bcmgenet_netif_start(dev);
+
diff --git a/queue-3.18/net-mlx5-increase-number-of-max-qps-in-default-profile.patch b/queue-3.18/net-mlx5-increase-number-of-max-qps-in-default-profile.patch
new file mode 100644
index 00000000000..fdc4a9396ec
--- /dev/null
+++ b/queue-3.18/net-mlx5-increase-number-of-max-qps-in-default-profile.patch
@@ -0,0 +1,34 @@
+From 5f40b4ed975c26016cf41953b7510fe90718e21c Mon Sep 17 00:00:00 2001
+From: Maor Gottlieb
+Date: Tue, 21 Mar 2017 15:59:17 +0200
+Subject: net/mlx5: Increase number of max QPs in default profile
+
+From: Maor Gottlieb
+
+commit 5f40b4ed975c26016cf41953b7510fe90718e21c upstream.
+
+With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
+limit preventing some applications to allocate needed QPs amount.
+Double the size to 256K.
+
+Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
+Signed-off-by: Maor Gottlieb
+Signed-off-by: Saeed Mahameed
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -86,7 +86,7 @@ static struct mlx5_profile profile[] = {
+ [2] = {
+ .mask = MLX5_PROF_MASK_QP_SIZE |
+ MLX5_PROF_MASK_MR_CACHE,
+- .log_max_qp = 17,
++ .log_max_qp = 18,
+ .mr_cache[0] = {
+ .size = 500,
+ .limit = 250
diff --git a/queue-3.18/net-properly-release-sk_frag.page.patch b/queue-3.18/net-properly-release-sk_frag.page.patch
new file mode 100644
index 00000000000..017c2a4dd6f
--- /dev/null
+++ b/queue-3.18/net-properly-release-sk_frag.page.patch
@@ -0,0 +1,52 @@
+From 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 15 Mar 2017 13:21:28 -0700
+Subject: net: properly release sk_frag.page
+
+From: Eric Dumazet
+
+commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 upstream.
+
+I mistakenly added the code to release sk->sk_frag in
+sk_common_release() instead of sk_destruct()
+
+TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
+sk_common_release() at close time, thus leaking one (order-3) page.
+
+iSCSI is using such sockets.
+
+Fixes: 5640f7685831 ("net: use a per task frag allocator")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/sock.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1420,6 +1420,11 @@ static void __sk_free(struct sock *sk)
+ pr_debug("%s: optmem leakage (%d bytes) detected\n",
+ __func__, atomic_read(&sk->sk_omem_alloc));
+
++ if (sk->sk_frag.page) {
++ put_page(sk->sk_frag.page);
++ sk->sk_frag.page = NULL;
++ }
++
+ if (sk->sk_peer_cred)
+ put_cred(sk->sk_peer_cred);
+ put_pid(sk->sk_peer_pid);
+@@ -2598,11 +2603,6 @@ void sk_common_release(struct sock *sk)
+
+ sk_refcnt_debug_release(sk);
+
+- if (sk->sk_frag.page) {
+- put_page(sk->sk_frag.page);
+- sk->sk_frag.page = NULL;
+- }
+-
+ sock_put(sk);
+ }
+ EXPORT_SYMBOL(sk_common_release);
diff --git a/queue-3.18/net-sched-actions-decrement-module-reference-count-after-table-flush.patch b/queue-3.18/net-sched-actions-decrement-module-reference-count-after-table-flush.patch
new file mode 100644
index 00000000000..2b733062dc8
--- /dev/null
+++ b/queue-3.18/net-sched-actions-decrement-module-reference-count-after-table-flush.patch
@@ -0,0 +1,94 @@
+From edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 Mon Sep 17 00:00:00 2001
+From: Roman Mashak
+Date: Fri, 24 Feb 2017 11:00:32 -0500
+Subject: net sched actions: decrement module reference count after table flush.
+
+From: Roman Mashak
+
+commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 upstream.
+
+When tc actions are loaded as a module and no actions have been installed,
+flushing them would result in actions removed from the memory, but modules
+reference count not being decremented, so that the modules would not be
+unloaded.
+
+Following is example with GACT action:
+
+% sudo modprobe act_gact
+% lsmod
+Module Size Used by
+act_gact 16384 0
+%
+% sudo tc actions ls action gact
+%
+% sudo tc actions flush action gact
+% lsmod
+Module Size Used by
+act_gact 16384 1
+% sudo tc actions flush action gact
+% lsmod
+Module Size Used by
+act_gact 16384 2
+% sudo rmmod act_gact
+rmmod: ERROR: Module act_gact is in use
+....
+
+After the fix:
+% lsmod
+Module Size Used by
+act_gact 16384 0
+%
+% sudo tc actions add action pass index 1
+% sudo tc actions add action pass index 2
+% sudo tc actions add action pass index 3
+% lsmod
+Module Size Used by
+act_gact 16384 3
+%
+% sudo tc actions flush action gact
+% lsmod
+Module Size Used by
+act_gact 16384 0
+%
+% sudo tc actions flush action gact
+% lsmod
+Module Size Used by
+act_gact 16384 0
+% sudo rmmod act_gact
+% lsmod
+Module Size Used by
+%
+
+Fixes: f97017cdefef ("net-sched: Fix actions flushing")
+Signed-off-by: Roman Mashak
+Signed-off-by: Jamal Hadi Salim
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sched/act_api.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -801,10 +801,8 @@ static int tca_action_flush(struct net *
+ goto out_module_put;
+
+ err = a.ops->walk(skb, &dcb, RTM_DELACTION, &a);
+- if (err < 0)
++ if (err <= 0)
+ goto out_module_put;
+- if (err == 0)
+- goto noflush_out;
+
+ nla_nest_end(skb, nest);
+
+@@ -821,7 +819,6 @@ static int tca_action_flush(struct net *
+ out_module_put:
+ module_put(a.ops->owner);
+ err_out:
+-noflush_out:
+ kfree_skb(skb);
+ return err;
+ }
diff --git a/queue-3.18/net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch b/queue-3.18/net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch
new file mode 100644
index 00000000000..b408098bb77
--- /dev/null
+++ b/queue-3.18/net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch
@@ -0,0 +1,112 @@
+From 7df9c24625b9981779afb8fcdbe2bb4765e61147 Mon Sep 17 00:00:00 2001
+From: Andrey Ulanov
+Date: Tue, 14 Mar 2017 20:16:42 -0700
+Subject: net: unix: properly re-increment inflight counter of GC discarded candidates
+
+From: Andrey Ulanov
+
+commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 upstream.
+
+Dmitry has reported that a BUG_ON() condition in unix_notinflight()
+may be triggered by a simple code that forwards unix socket in an
+SCM_RIGHTS message.
+That is caused by incorrect unix socket GC implementation in unix_gc().
+
+The GC first collects list of candidates, then (a) decrements their
+"children's" inflight counter, (b) checks which inflight counters are
+now 0, and then (c) increments all inflight counters back.
+(a) and (c) are done by calling scan_children() with inc_inflight or
+dec_inflight as the second argument.
+
+Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
+collector") changed scan_children() such that it no longer considers
+sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
+of code that that unsets this flag _before_ invoking
+scan_children(, dec_iflight, ). This may lead to incorrect inflight
+counters for some sockets.
+
+This change fixes this bug by changing order of operations:
+UNIX_GC_CANDIDATE is now unset only after all inflight counters are
+restored to the original state.
+
+ kernel BUG at net/unix/garbage.c:149!
+ RIP: 0010:[] []
+ unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
+ Call Trace:
+ [] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
+ [] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
+ [] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
+ [] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
+ [] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
+ [] kfree_skb+0x184/0x570 net/core/skbuff.c:705
+ [] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
+ [] unix_release+0x49/0x90 net/unix/af_unix.c:836
+ [] sock_release+0x92/0x1f0 net/socket.c:570
+ [] sock_close+0x1b/0x20 net/socket.c:1017
+ [] __fput+0x34e/0x910 fs/file_table.c:208
+ [] ____fput+0x1a/0x20 fs/file_table.c:244
+ [] task_work_run+0x1a0/0x280 kernel/task_work.c:116
+ [< inline >] exit_task_work include/linux/task_work.h:21
+ [] do_exit+0x183a/0x2640 kernel/exit.c:828
+ [] do_group_exit+0x14e/0x420 kernel/exit.c:931
+ [] get_signal+0x663/0x1880 kernel/signal.c:2307
+ [] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
+ [] exit_to_usermode_loop+0x1ea/0x2d0
+ arch/x86/entry/common.c:156
+ [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
+ [] syscall_return_slowpath+0x4d3/0x570
+ arch/x86/entry/common.c:259
+ [] entry_SYSCALL_64_fastpath+0xc4/0xc6
+
+Link: https://lkml.org/lkml/2017/3/6/252
+Signed-off-by: Andrey Ulanov
+Reported-by: Dmitry Vyukov
+Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/unix/garbage.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -152,6 +152,7 @@ void unix_notinflight(struct file *fp)
+ if (s) {
+ struct unix_sock *u = unix_sk(s);
+
++ BUG_ON(!atomic_long_read(&u->inflight));
+ BUG_ON(list_empty(&u->link));
+ if (atomic_long_dec_and_test(&u->inflight))
+ list_del_init(&u->link);
+@@ -358,6 +359,14 @@ void unix_gc(void)
+ }
+ list_del(&cursor);
+
++ /* Now gc_candidates contains only garbage. Restore original
++ * inflight counters for these as well, and remove the skbuffs
++ * which are creating the cycle(s).
++ */
++ skb_queue_head_init(&hitlist);
++ list_for_each_entry(u, &gc_candidates, link)
++ scan_children(&u->sk, inc_inflight, &hitlist);
++
+ /*
+ * not_cycle_list contains those sockets which do not make up a
+ * cycle. Restore these to the inflight list.
+@@ -368,15 +377,6 @@ void unix_gc(void)
+ list_move_tail(&u->link, &gc_inflight_list);
+ }
+
+- /*
+- * Now gc_candidates contains only garbage. Restore original
+- * inflight counters for these as well, and remove the skbuffs
+- * which are creating the cycle(s).
+- */
+- skb_queue_head_init(&hitlist);
+- list_for_each_entry(u, &gc_candidates, link)
+- scan_children(&u->sk, inc_inflight, &hitlist);
+-
+ spin_unlock(&unix_gc_lock);
+
+ /* Here we are. Hitlist is filled. Die. */
diff --git a/queue-3.18/percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch b/queue-3.18/percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch
new file mode 100644
index 00000000000..2e6060e2ee1
--- /dev/null
+++ b/queue-3.18/percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch
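Review bot: The `BUG_ON(!atomic_long_read(&u->inflight))` added to unix_notinflight() in net/unix/garbage.c stops the machine on an accounting error that, per the commit message, ordinary code passing sockets in SCM_RIGHTS messages was able to reach. With the reordering in unix_gc() the counter should no longer be zero at this point, so the assertion documents an invariant; a one-line comment such as `/* a zero count here means inflight accounting is already broken */` would say so. A `WARN_ON_ONCE()` with an early exit may be worth considering so that a future miscount is logged rather than fatal. unix_notinflight() starts and ends outside the hunk, so the locking on such an exit path has to be checked against the full function.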
@@ -0,0 +1,37 @@
+From 320661b08dd6f1746d5c7ab4eb435ec64b97cd45 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan
+Date: Sat, 25 Feb 2017 13:00:19 -0800
+Subject: percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
+
+From: Tahsin Erdogan
+
+commit 320661b08dd6f1746d5c7ab4eb435ec64b97cd45 upstream.
+
+Update to pcpu_nr_empty_pop_pages in pcpu_alloc() is currently done
+without holding pcpu_lock. This can lead to bad updates to the variable.
+Add missing lock calls.
+
+Fixes: b539b87fed37 ("percpu: implmeent pcpu_nr_empty_pop_pages and chunk->nr_populated")
+Signed-off-by: Tahsin Erdogan
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/percpu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1012,8 +1012,11 @@ area_found:
+ mutex_unlock(&pcpu_alloc_mutex);
+ }
+
+- if (chunk != pcpu_reserved_chunk)
++ if (chunk != pcpu_reserved_chunk) {
++ spin_lock_irqsave(&pcpu_lock, flags);
+ pcpu_nr_empty_pop_pages -= occ_pages;
++ spin_unlock_irqrestore(&pcpu_lock, flags);
++ }
+
+ if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW)
+ pcpu_schedule_balance_work();
diff --git a/queue-3.18/perf-core-fix-event-inheritance-on-fork.patch b/queue-3.18/perf-core-fix-event-inheritance-on-fork.patch
new file mode 100644
index 00000000000..9cef716a8be
--- /dev/null
+++ b/queue-3.18/perf-core-fix-event-inheritance-on-fork.patch
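Review bot: The `if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW)` test directly below the new locked region in mm/percpu.c still reads the counter without pcpu_lock. That looks acceptable if the comparison is only a hint for scheduling balance work, but the code should say so, for example `/* unlocked read: only a hint for scheduling balance work */`, or the comparison should move inside the `spin_lock_irqsave()` section. The enclosing function and the declaration of `flags` are outside the hunk.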
@@ -0,0 +1,66 @@
+From e7cc4865f0f31698ef2f7aac01a50e78968985b7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 16 Mar 2017 13:47:49 +0100
+Subject: perf/core: Fix event inheritance on fork()
+
+From: Peter Zijlstra
+
+commit e7cc4865f0f31698ef2f7aac01a50e78968985b7 upstream.
+
+While hunting for clues to a use-after-free, Oleg spotted that
+perf_event_init_context() can loose an error value with the result
+that fork() can succeed even though we did not fully inherit the perf
+event context.
+
+Spotted-by: Oleg Nesterov
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Arnaldo Carvalho de Melo
+Cc: Dmitry Vyukov
+Cc: Frederic Weisbecker
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Mathieu Desnoyers
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Cc: oleg@redhat.com
+Fixes: 889ff0150661 ("perf/core: Split context's event group list into pinned and non-pinned lists")
+Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8058,7 +8058,7 @@ static int perf_event_init_context(struc
+ ret = inherit_task_group(event, parent, parent_ctx,
+ child, ctxn, &inherited_all);
+ if (ret)
+- break;
++ goto out_unlock;
+ }
+
+ /*
+@@ -8074,7 +8074,7 @@ static int perf_event_init_context(struc
+ ret = inherit_task_group(event, parent, parent_ctx,
+ child, ctxn, &inherited_all);
+ if (ret)
+- break;
++ goto out_unlock;
+ }
+
+ raw_spin_lock_irqsave(&parent_ctx->lock, flags);
+@@ -8102,6 +8102,7 @@ static int perf_event_init_context(struc
+ }
+
+ raw_spin_unlock_irqrestore(&parent_ctx->lock, flags);
++out_unlock:
+ mutex_unlock(&parent_ctx->mutex);
+
+ perf_unpin_context(parent_ctx);
diff --git a/queue-3.18/serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch b/queue-3.18/serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch
new file mode 100644
index 00000000000..655187fc3bf
--- /dev/null
+++ b/queue-3.18/serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch
@@ -0,0 +1,104 @@
+From f209fa03fc9d131b3108c2e4936181eabab87416 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi
+Date: Mon, 28 Nov 2016 19:34:42 -0200
+Subject: serial: 8250_pci: Detach low-level driver during PCI error recovery
+
+From: Gabriel Krisman Bertazi
+
+commit f209fa03fc9d131b3108c2e4936181eabab87416 upstream.
+
+During a PCI error recovery, like the ones provoked by EEH in the ppc64
+platform, all IO to the device must be blocked while the recovery is
+completed. Current 8250_pci implementation only suspends the port
+instead of detaching it, which doesn't prevent incoming accesses like
+TIOCMGET and TIOCMSET calls from reaching the device. Those end up
+racing with the EEH recovery, crashing it. Similar races were also
+observed when opening the device and when shutting it down during
+recovery.
+
+This patch implements a more robust IO blockage for the 8250_pci
+recovery by unregistering the port at the beginning of the procedure and
+re-adding it afterwards. Since the port is detached from the uart
+layer, we can be sure that no request will make through to the device
+during recovery. This is similar to the solution used by the JSM serial
+driver.
+
+I thank Peter Hurley for valuable input on
+this one over one year ago.
+
+Signed-off-by: Gabriel Krisman Bertazi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -56,6 +56,7 @@ struct serial_private {
+ unsigned int nr;
+ void __iomem *remapped_bar[PCI_NUM_BAR_RESOURCES];
+ struct pci_serial_quirk *quirk;
++ const struct pciserial_board *board;
+ int line[0];
+ };
+
+@@ -3868,6 +3869,7 @@ pciserial_init_ports(struct pci_dev *dev
+ }
+ }
+ priv->nr = i;
++ priv->board = board;
+ return priv;
+
+ err_deinit:
+@@ -3878,7 +3880,7 @@ err_out:
+ }
+ EXPORT_SYMBOL_GPL(pciserial_init_ports);
+
+-void pciserial_remove_ports(struct serial_private *priv)
++void pciserial_detach_ports(struct serial_private *priv)
+ {
+ struct pci_serial_quirk *quirk;
+ int i;
+@@ -3898,7 +3900,11 @@ void pciserial_remove_ports(struct seria
+ quirk = find_quirk(priv->dev);
+ if (quirk->exit)
+ quirk->exit(priv->dev);
++}
+
++void pciserial_remove_ports(struct serial_private *priv)
++{
++ pciserial_detach_ports(priv);
+ kfree(priv);
+ }
+ EXPORT_SYMBOL_GPL(pciserial_remove_ports);
+@@ -5505,7 +5511,7 @@ static pci_ers_result_t serial8250_io_er
+ return PCI_ERS_RESULT_DISCONNECT;
+
+ if (priv)
+- pciserial_suspend_ports(priv);
++ pciserial_detach_ports(priv);
+
+ pci_disable_device(dev);
+
+@@ -5530,9 +5536,18 @@ static pci_ers_result_t serial8250_io_sl
+ static void serial8250_io_resume(struct pci_dev *dev)
+ {
+ struct serial_private *priv = pci_get_drvdata(dev);
++ const struct pciserial_board *board;
+
+- if (priv)
+- pciserial_resume_ports(priv);
++ if (!priv)
++ return;
++
++ board = priv->board;
++ kfree(priv);
++ priv = pciserial_init_ports(dev, board);
++
++ if (!IS_ERR(priv)) {
++ pci_set_drvdata(dev, priv);
++ }
+ }
+
+ static const struct pci_error_handlers serial8250_err_handler = {
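Review bot: In serial8250_io_resume() the old `priv` is freed before `pciserial_init_ports()` is known to have succeeded, and on failure nothing updates the driver data, so `pci_get_drvdata(dev)` keeps returning the freed pointer. Any later path that fetches it would then work on freed memory; the `pciserial_detach_ports(priv)` call in the error-detected handler of this same patch and the remove path are likely candidates, although where they obtain `priv` is outside the hunks. Allocating into a separate pointer and releasing the old structure only on success avoids this: `new = pciserial_init_ports(dev, priv->board);` followed by `if (!IS_ERR(new)) { pci_set_drvdata(dev, new); kfree(priv); }`.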
diff --git a/queue-3.18/series b/queue-3.18/series
index 56a9e951bfd..a20b93f256c 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -63,3 +63,45 @@ catc-combine-failure-cleanup-code-in-catc_probe.patch
 catc-use-heap-buffer-for-memory-size-test.patch
 net-ipv6-check-route-protocol-when-deleting-routes.patch
 sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
+net-sched-actions-decrement-module-reference-count-after-table-flush.patch
+kvm-ppc-book3s-pr-fix-illegal-opcode-emulation.patch
+kvm-x86-clear-bus-pointer-when-destroyed.patch
+kvm-kvm_io_bus_unregister_dev-should-never-fail.patch
+arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
+perf-core-fix-event-inheritance-on-fork.patch
+md-raid1-10-fix-potential-deadlock.patch
+target-fix-verify_16-handling-in-sbc_parse_cdb.patch
+isdn-gigaset-fix-null-deref-at-probe.patch
+percpu-acquire-pcpu_lock-when-updating-pcpu_nr_empty_pop_pages.patch
+ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch
+input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
+input-iforce-validate-number-of-endpoints-before-using-them.patch
+input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
+input-hanwang-validate-number-of-endpoints-before-using-them.patch
+input-yealink-validate-number-of-endpoints-before-using-them.patch
+input-cm109-validate-number-of-endpoints-before-using-them.patch
+input-kbtab-validate-number-of-endpoints-before-using-them.patch
+input-sur40-validate-number-of-endpoints-before-using-them.patch
+acm-gadget-fix-endianness-in-notifications.patch
+net-mlx5-increase-number-of-max-qps-in-default-profile.patch
+net-bcmgenet-do-not-suspend-phy-if-wake-on-lan-is-enabled.patch
+net-properly-release-sk_frag.page.patch
+net-unix-properly-re-increment-inflight-counter-of-gc-discarded-candidates.patch
+socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch
+tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
+mmc-ushc-fix-null-deref-at-probe.patch
+uwb-hwa-rc-fix-null-deref-at-probe.patch
+uwb-i1480-dfu-fix-null-deref-at-probe.patch
+usb-usbtmc-add-missing-endpoint-sanity-check.patch
+iio-adc-ti_am335x_adc-fix-fifo-overrun-recovery.patch
+ext4-mark-inode-dirty-after-converting-inline-directory.patch
+mmc-sdhci-do-not-disable-interrupts-while-waiting-for-clock.patch
+iommu-vt-d-fix-null-pointer-dereference-in-device_to_iommu.patch
+igb-workaround-for-igb-i210-firmware-issue.patch
+igb-add-i211-to-i210-phy-workaround.patch
+xfs-don-t-allow-di_size-with-high-bit-set.patch
+xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch
+xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch
+acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch
+acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch
+serial-8250_pci-detach-low-level-driver-during-pci-error-recovery.patch
diff --git a/queue-3.18/socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch b/queue-3.18/socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch
new file mode 100644
index 00000000000..827de872991
--- /dev/null
+++ b/queue-3.18/socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch
@@ -0,0 +1,65 @@
+From 95aa915c2f04c27bb3935c8b9446435f40f17f9d Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Wed, 22 Mar 2017 13:08:08 +0100
+Subject: socket, bpf: fix sk_filter use after free in sk_clone_lock
+
+From: Daniel Borkmann
+
+commit 95aa915c2f04c27bb3935c8b9446435f40f17f9d upstream.
+
+In sk_clone_lock(), we create a new socket and inherit most of the
+parent's members via sock_copy() which memcpy()'s various sections.
+Now, in case the parent socket had a BPF socket filter attached,
+then newsk->sk_filter points to the same instance as the original
+sk->sk_filter.
+
+sk_filter_charge() is then called on the newsk->sk_filter to take a
+reference and should that fail due to hitting max optmem, we bail
+out and release the newsk instance.
+
+The issue is that commit 278571baca2a ("net: filter: simplify socket
+charging") wrongly combined the dismantle path with the failure path
+of xfrm_sk_clone_policy(). This means, even when charging failed, we
+call sk_free_unlock_clone() on the newsk, which then still points to
+the same sk_filter as the original sk.
+
+Thus, sk_free_unlock_clone() calls into __sk_destruct() eventually
+where it tests for present sk_filter and calls sk_filter_uncharge()
+on it, which potentially lets sk_omem_alloc wrap around and releases
+the eBPF prog and sk_filter structure from the (still intact) parent.
+
+Fix it by making sure that when sk_filter_charge() failed, we reset
+newsk->sk_filter back to NULL before passing to sk_free_unlock_clone(),
+so that we don't mess with the parents sk_filter.
+
+Only if xfrm_sk_clone_policy() fails, we did reach the point where
+either the parent's filter was NULL and as a result newsk's as well
+or where we previously had a successful sk_filter_charge(), thus for
+that case, we do need sk_filter_uncharge() to release the prior taken
+reference on sk_filter.
+
+Fixes: 278571baca2a ("net: filter: simplify socket charging")
+Signed-off-by: Daniel Borkmann
+Acked-by: Alexei Starovoitov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/sock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1529,6 +1529,12 @@ struct sock *sk_clone_lock(const struct
+ is_charged = sk_filter_charge(newsk, filter);
+
+ if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk))) {
++ /* We need to make sure that we don't uncharge the new
++ * socket if we couldn't charge it in the first place
++ * as otherwise we uncharge the parent's filter.
++ */
++ if (!is_charged)
++ RCU_INIT_POINTER(newsk->sk_filter, NULL);
+ /* It is still raw copy of parent, so invalidate
+ * destructor and make plain sk_free() */
+ newsk->sk_destruct = NULL;
diff --git a/queue-3.18/target-fix-verify_16-handling-in-sbc_parse_cdb.patch b/queue-3.18/target-fix-verify_16-handling-in-sbc_parse_cdb.patch
new file mode 100644
index 00000000000..5282d25d624
--- /dev/null
+++ b/queue-3.18/target-fix-verify_16-handling-in-sbc_parse_cdb.patch
@@ -0,0 +1,46 @@
+From 13603685c1f12c67a7a2427f00b63f39a2b6f7c9 Mon Sep 17 00:00:00 2001
+From: Max Lohrmann
+Date: Tue, 7 Mar 2017 22:09:56 -0800
+Subject: target: Fix VERIFY_16 handling in sbc_parse_cdb
+
+From: Max Lohrmann
+
+commit 13603685c1f12c67a7a2427f00b63f39a2b6f7c9 upstream.
+
+As reported by Max, the Windows 2008 R2 chkdsk utility expects
+VERIFY_16 to be supported, and does not handle the returned
+CHECK_CONDITION properly, resulting in an infinite loop.
+
+The kernel will log huge amounts of this error:
+
+kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
+CHECK_CONDITION.
+
+Signed-off-by: Max Lohrmann
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_sbc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -946,9 +946,15 @@ sbc_parse_cdb(struct se_cmd *cmd, struct
+ return ret;
+ break;
+ case VERIFY:
++ case VERIFY_16:
+ size = 0;
+- sectors = transport_get_sectors_10(cdb);
+- cmd->t_task_lba = transport_lba_32(cdb);
++ if (cdb[0] == VERIFY) {
++ sectors = transport_get_sectors_10(cdb);
++ cmd->t_task_lba = transport_lba_32(cdb);
++ } else {
++ sectors = transport_get_sectors_16(cdb);
++ cmd->t_task_lba = transport_lba_64(cdb);
++ }
+ cmd->execute_cmd = sbc_emulate_noop;
+ goto check_lba;
+ case REZERO_UNIT:
diff --git a/queue-3.18/tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch b/queue-3.18/tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
new file mode 100644
index 00000000000..0b915a27876
--- /dev/null
+++ b/queue-3.18/tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
@@ -0,0 +1,55 @@
+From 15bb7745e94a665caf42bfaabf0ce062845b533b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 22 Mar 2017 08:10:21 -0700
+Subject: tcp: initialize icsk_ack.lrcvtime at session start time
+
+From: Eric Dumazet
+
+commit 15bb7745e94a665caf42bfaabf0ce062845b533b upstream.
+
+icsk_ack.lrcvtime has a 0 value at socket creation time.
+
+tcpi_last_data_recv can have bogus value if no payload is ever received.
+
+This patch initializes icsk_ack.lrcvtime for active sessions
+in tcp_finish_connect(), and for passive sessions in
+tcp_create_openreq_child()
+
+Signed-off-by: Eric Dumazet
+Acked-by: Neal Cardwell
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_minisocks.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5293,6 +5293,7 @@ void tcp_finish_connect(struct sock *sk,
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+ tcp_set_state(sk, TCP_ESTABLISHED);
++ icsk->icsk_ack.lrcvtime = tcp_time_stamp;
+
+ if (skb != NULL) {
+ icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
+@@ -5496,7 +5497,6 @@ static int tcp_rcv_synsent_state_process
+ * to stand against the temptation 8) --ANK
+ */
+ inet_csk_schedule_ack(sk);
+- icsk->icsk_ack.lrcvtime = tcp_time_stamp;
+ tcp_enter_quickack_mode(sk);
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
+ TCP_DELACK_MAX, TCP_RTO_MAX);
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -432,6 +432,7 @@ struct sock *tcp_create_openreq_child(st
+ newtp->srtt_us = 0;
+ newtp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
+ newicsk->icsk_rto = TCP_TIMEOUT_INIT;
++ newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
+
+ newtp->packets_out = 0;
+ newtp->retrans_out = 0;
diff --git a/queue-3.18/usb-usbtmc-add-missing-endpoint-sanity-check.patch b/queue-3.18/usb-usbtmc-add-missing-endpoint-sanity-check.patch
new file mode 100644
index 00000000000..958f17738a1
--- /dev/null
+++ b/queue-3.18/usb-usbtmc-add-missing-endpoint-sanity-check.patch
@@ -0,0 +1,56 @@
+From f154de03f4167664808b002495a877dbe91dd798 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 14 Mar 2017 17:55:45 +0100
+Subject: USB: usbtmc: add missing endpoint sanity check
+
+From: Johan Hovold
+
+commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream.
+
+USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
+but the driver failed to verify this, something which could lead to the
+endpoint addresses being taken from uninitialised memory.
+
+Make sure to zero all private data as part of allocation, and add the
+missing endpoint sanity check.
+
+Note that this also addresses a more recently introduced issue, where
+the interrupt-in-presence flag would also be uninitialised whenever the
+optional interrupt-in endpoint is not present. This in turn could lead
+to an interrupt urb being allocated, initialised and submitted based on
+uninitialised values.
+
+Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
+Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
+Signed-off-by: Johan Hovold
+[ johan: backport to v4.4 ]
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/class/usbtmc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1164,6 +1164,12 @@ static int usbtmc_probe(struct usb_inter
+ }
+ }
+
++ if (!data->bulk_out || !data->bulk_in) {
++ dev_err(&intf->dev, "bulk endpoints not found\n");
++ retcode = -ENODEV;
++ goto err_put;
++ }
++
+ retcode = get_capabilities(data);
+ if (retcode)
+ dev_err(&intf->dev, "can't read capabilities\n");
+@@ -1187,6 +1193,7 @@ static int usbtmc_probe(struct usb_inter
+ error_register:
+ sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
+ sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
++err_put:
+ kref_put(&data->kref, usbtmc_delete);
+ return retcode;
+ }
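Review bot: The new `if (!data->bulk_out || !data->bulk_in)` test in usbtmc_probe() is only meaningful if `data` was zeroed when it was allocated, and this backport carries no allocation change even though the commit message lists zeroing the private data as part of the fix. The allocation is outside the hunk, and the note `[ johan: backport to v4.4 ]` shows the patch was prepared for a different tree than this 3.18 queue. Confirm that the 3.18 usbtmc_probe() allocates `data` with a zeroing allocator; if it does not, both fields can hold stale heap bytes and the check lets a device without bulk endpoints through. A short comment above the check, such as `/* relies on data being zero-initialised at allocation */`, would keep that dependency visible.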
diff --git a/queue-3.18/uwb-hwa-rc-fix-null-deref-at-probe.patch b/queue-3.18/uwb-hwa-rc-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..faa92f9bd55
--- /dev/null
+++ b/queue-3.18/uwb-hwa-rc-fix-null-deref-at-probe.patch
@@ -0,0 +1,37 @@
+From daf229b15907fbfdb6ee183aac8ca428cb57e361 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Mar 2017 13:47:52 +0100
+Subject: uwb: hwa-rc: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the start callback which is called
+during probe.
+
+Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
+Cc: Inaky Perez-Gonzalez
+Cc: David Vrabel
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/uwb/hwa-rc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interf
+ struct hwarc *hwarc;
+ struct device *dev = &iface->dev;
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ result = -ENOMEM;
+ uwb_rc = uwb_rc_alloc();
+ if (uwb_rc == NULL) {
diff --git a/queue-3.18/uwb-i1480-dfu-fix-null-deref-at-probe.patch b/queue-3.18/uwb-i1480-dfu-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..297901ebbae
--- /dev/null
+++ b/queue-3.18/uwb-i1480-dfu-fix-null-deref-at-probe.patch
@@ -0,0 +1,37 @@
+From 4ce362711d78a4999011add3115b8f4b0bc25e8c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Mar 2017 13:47:53 +0100
+Subject: uwb: i1480-dfu: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the cmd and wait_init_done
+callbacks which are called during probe.
+
+Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
+Cc: Inaky Perez-Gonzalez
+Cc: David Vrabel
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/uwb/i1480/dfu/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/i1480/dfu/usb.c
++++ b/drivers/uwb/i1480/dfu/usb.c
+@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface
+ result);
+ }
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ result = -ENOMEM;
+ i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
+ if (i1480_usb == NULL) {
diff --git a/queue-3.18/xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch b/queue-3.18/xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch
new file mode 100644
index 00000000000..fd97559c6af
--- /dev/null
+++ b/queue-3.18/xfs-clear-_xbf_pages-from-buffers-when-readahead-page.patch
@@ -0,0 +1,45 @@
+From 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Wed, 25 Jan 2017 20:24:57 -0800
+Subject: xfs: clear _XBF_PAGES from buffers when readahead page
+
+From: Darrick J. Wong
+
+commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream.
+
+If we try to allocate memory pages to back an xfs_buf that we're trying
+to read, it's possible that we'll be so short on memory that the page
+allocation fails. For a blocking read we'll just wait, but for
+readahead we simply dump all the pages we've collected so far.
+
+Unfortunately, after dumping the pages we neglect to clear the
+_XBF_PAGES state, which means that the subsequent call to xfs_buf_free
+thinks that b_pages still points to pages we own. It then double-frees
+the b_pages pages.
+
+This results in screaming about negative page refcounts from the memory
+manager, which xfs oughtn't be triggering. To reproduce this case,
+mount a filesystem where the size of the inodes far outweighs the
+availalble memory (a ~500M inode filesystem on a VM with 300MB memory
+did the trick here) and run bulkstat in parallel with other memory
+eating processes to put a huge load on the system. The "check summary"
+phase of xfs_scrub also works for this purpose.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Eric Sandeen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_buf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -376,6 +376,7 @@ retry:
+ out_free_pages:
+ for (i = 0; i < bp->b_page_count; i++)
+ __free_page(bp->b_pages[i]);
++ bp->b_flags &= ~_XBF_PAGES;
+ return error;
+ }
+
diff --git a/queue-3.18/xfs-don-t-allow-di_size-with-high-bit-set.patch b/queue-3.18/xfs-don-t-allow-di_size-with-high-bit-set.patch
new file mode 100644
index 00000000000..3d1022f2df6
--- /dev/null
+++ b/queue-3.18/xfs-don-t-allow-di_size-with-high-bit-set.patch
@@ -0,0 +1,41 @@
+From ef388e2054feedaeb05399ed654bdb06f385d294 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Mon, 5 Dec 2016 12:38:38 +1100
+Subject: xfs: don't allow di_size with high bit set
+
+From: Darrick J. Wong
+
+commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.
+
+The on-disk field di_size is used to set i_size, which is a signed
+integer of loff_t. If the high bit of di_size is set, we'll end up with
+a negative i_size, which will cause all sorts of problems. Since the
+VFS won't let us create a file with such length, we should catch them
+here in the verifier too.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Dave Chinner
+Signed-off-by: Dave Chinner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/libxfs/xfs_inode_buf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -304,6 +304,14 @@ xfs_dinode_verify(
+ if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))
+ return false;
+
++ /* don't allow invalid i_size */
++ if (be64_to_cpu(dip->di_size) & (1ULL << 63))
++ return false;
++
++ /* No zero-length symlinks. */
++ if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0)
++ return false;
++
+ /* only version 3 or greater inodes are extensively verified here */
+ if (dip->di_version < 3)
+ return true;
diff --git a/queue-3.18/xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch b/queue-3.18/xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch
new file mode 100644
index 00000000000..52f92dcd43c
--- /dev/null
+++ b/queue-3.18/xfs-fix-up-xfs_swap_extent_forks-inline-extent-handling.patch
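Review bot: The second check added to xfs_dinode_verify(), under `/* No zero-length symlinks. */`, is not covered by the commit message, which describes only the high-bit test on di_size. A verifier failure makes the inode unreadable, so the changelog should say where this check comes from and confirm that 3.18 never leaves a zero-length symlink on disk in a state the verifier can see. If that cannot be confirmed, the backport is safer carrying only the `(1ULL << 63)` test. xfs_dinode_verify() continues outside the hunk.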
@@ -0,0 +1,97 @@
+From 7922c1becb36b61827a24ee32ffe7c39cf444efb Mon Sep 17 00:00:00 2001
+From: Eric Sandeen
+Date: Tue, 8 Nov 2016 12:55:18 +1100
+Subject: xfs: fix up xfs_swap_extent_forks inline extent handling
+
+From: Eric Sandeen
+
+commit 4dfce57db6354603641132fac3c887614e3ebe81 upstream.
+
+There have been several reports over the years of NULL pointer
+dereferences in xfs_trans_log_inode during xfs_fsr processes,
+when the process is doing an fput and tearing down extents
+on the temporary inode, something like:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr"
+ [exception RIP: xfs_trans_log_inode+0x10]
+ #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]
+#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs]
+#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs]
+#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs]
+#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs]
+#14 [ffff8800a57bbe00] evict at ffffffff811e1b67
+#15 [ffff8800a57bbe28] iput at ffffffff811e23a5
+#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8
+#17 [ffff8800a57bbe88] dput at ffffffff811dd06c
+#18 [ffff8800a57bbea8] __fput at ffffffff811c823b
+#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e
+#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27
+#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c
+#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d
+
+As it turns out, this is because the i_itemp pointer, along
+with the d_ops pointer, has been overwritten with zeros
+when we tear down the extents during truncate. When the in-core
+inode fork on the temporary inode used by xfs_fsr was originally
+set up during the extent swap, we mistakenly looked at di_nextents
+to determine whether all extents fit inline, but this misses extents
+generated by speculative preallocation; we should be using if_bytes
+instead.
+
+This mistake corrupts the in-memory inode, and code in
+xfs_iext_remove_inline eventually gets bad inputs, causing
+it to memmove and memset incorrect ranges; this became apparent
+because the two values in ifp->if_u2.if_inline_ext[1] contained
+what should have been in d_ops and i_itemp; they were memmoved due
+to incorrect array indexing and then the original locations
+were zeroed with memset, again due to an array overrun.
+
+Fix this by properly using i_df.if_bytes to determine the number
+of extents, not di_nextents.
+
+Thanks to dchinner for looking at this with me and spotting the
+root cause.
+
+[nborisov: backported to 4.4]
+
+Signed-off-by: Eric Sandeen
+Reviewed-by: Brian Foster
+Signed-off-by: Dave Chinner
+Signed-off-by: Nikolay Borisov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_bmap_util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1622,6 +1622,7 @@ xfs_swap_extents(
+ xfs_trans_t *tp;
+ xfs_bstat_t *sbp = &sxp->sx_stat;
+ xfs_ifork_t *tempifp, *ifp, *tifp;
++ xfs_extnum_t nextents;
+ int src_log_flags, target_log_flags;
+ int error = 0;
+ int aforkblks = 0;
+@@ -1802,7 +1803,8 @@ xfs_swap_extents(
+ * pointer. Otherwise it's already NULL or
+ * pointing to the extent.
+ */
+- if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) {
++ nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
++ if (nextents <= XFS_INLINE_EXTS) {
+ ifp->if_u1.if_extents =
+ ifp->if_u2.if_inline_ext;
+ }
+@@ -1821,7 +1823,8 @@ xfs_swap_extents(
+ * pointer. Otherwise it's already NULL or
+ * pointing to the extent.
+ */
+- if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) {
++ nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
++ if (nextents <= XFS_INLINE_EXTS) {
+ tifp->if_u1.if_extents =
+ tifp->if_u2.if_inline_ext;
+ }
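Review bot: The two new `nextents = ...->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);` lines in `xfs_swap_extents()` replace `di_nextents` without saying why, and the comment above each site still only talks about extents fitting in the inode. A comment at the `ip` site, repeated or referenced at the `tip` site, would preserve the reasoning from the description: `/* count extents from the in-core fork size; di_nextents misses extents from speculative preallocation */`. Without it, a later cleanup could plausibly switch back to the on-disk count and reintroduce the inline-array overrun the description reports. The patch is marked as backported to 4.4 while it is queued for 3.18, so it is worth confirming that the fork fields used here are the same in this tree. `xfs_swap_extents()` begins and ends outside the hunks shown.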