From: Greg Kroah-Hartman Date: Tue, 10 Apr 2018 12:32:57 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.16.2~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13a55a563dee045691965ae9719d5a8f0c2197ea;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch acpica-events-add-runtime-stub-support-for-event-apis.patch af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch bcache-segregate-flash-only-volume-write-streams.patch bcache-stop-writeback-thread-after-detaching.patch bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch block-fix-an-error-code-in-add_partition.patch bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch bna-avoid-reading-past-end-of-buffer.patch bnx2x-allow-vfs-to-disable-txvlan-offload.patch bonding-don-t-update-slave-link-until-ready-to-commit.patch btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch cifs-silence-lockdep-splat-in-cifs_relock_file.patch cx25840-fix-unchecked-return-values.patch drm-omap-fix-tiled-buffer-stride-calculations.patch e1000e-fix-race-condition-around-skb_tstamp_tx.patch e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch edac-mv64x60-fix-an-error-handling-path.patch ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch fix-race-in-drivers-char-random.c-get_reg.patch fix-serial-console-on-sni-rm400-machines.patch hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch ib-srpt-fix-abort-handling.patch 
iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch ipsec-check-return-value-of-skb_to_sgvec-always.patch ipv6-avoid-dad-failures-for-addresses-with-nodad.patch kvm-nvmx-fix-handling-of-lmsw-instruction.patch kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch l2tp-fix-missing-print-session-offset-info.patch leds-pca955x-correct-i2c-functionality.patch libceph-null-deref-on-crush_decode-error-path.patch lockd-fix-lockd-shutdown-race.patch mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch mceusb-sporadic-rx-truncation-corruption-fix.patch mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch mips-mm-fixed-mappings-correct-initialisation.patch misdn-fix-a-sleep-in-atomic-bug.patch neighbour-update-neigh-timestamps-iff-update-is-effective.patch net-emac-fix-reset-timeout-with-ar8035-phy.patch net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch net-freescale-fix-potential-null-pointer-dereference.patch net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch net-mlx4-fix-the-check-in-attaching-steering-rules.patch net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch net-move-somaxconn-init-from-sysctl-code.patch net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch net-qca_spi-fix-alignment-issues-in-rx-path.patch net-x25-fix-one-potential-use-after-free-issue.patch netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch ovl-filter-trusted-xattr-for-non-admin.patch perf-core-correct-event-creation-with-perf_format_group.patch perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch perf-tests-decompress-kernel-module-before-objdump.patch perf-trace-add-mmap-alias-for-s390.patch 
pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch powercap-fix-an-error-code-in-powercap_register_zone.patch powerpc-don-t-clobber-tcr-when-setting-tcr.patch powerpc-spufs-fix-coredump-of-spu-contexts.patch qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch qlge-avoid-reading-past-end-of-buffer.patch ray_cs-avoid-reading-past-end-of-buffer.patch rtc-interface-validate-alarm-time-before-handling-rollover.patch rxrpc-check-return-value-of-skb_to_sgvec-always.patch s390-move-_text-symbol-to-address-higher-than-zero.patch scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch scsi-libsas-fix-error-when-getting-phy-events.patch scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch sh_eth-use-platform-device-for-printing-before-register_netdev.patch signal-arm-document-conflicts-with-si_user-and-sigfpe.patch signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch smb2-fix-share-type-handling.patch sparc64-ldc-abort-during-vds-iso-boot.patch staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch tags-honor-compiled_source-with-apart-output-directory.patch tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch usb-dwc3-keystone-check-return-value.patch usb-ene_usb6250-fix-first-command-execution.patch usb-ene_usb6250-fix-scsi-residue-overwriting.patch 
vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch virtio_net-check-return-value-of-skb_to_sgvec-always.patch virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch x86-tsc-provide-tsc-unstable-boot-parameter.patch xen-avoid-type-warning-in-xchg_xen_ulong.patch xfrm-fix-state-migration-copy-replay-sequence-numbers.patch --- diff --git a/queue-3.18/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch b/queue-3.18/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch new file mode 100644 index 00000000000..d106b8d81cc --- /dev/null +++ b/queue-3.18/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch 
@@ -0,0 +1,67 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Bob Moore +Date: Mon, 5 Jun 2017 16:40:34 +0800 +Subject: ACPICA: Disassembler: Abort on an invalid/unknown AML opcode + +From: Bob Moore + + +[ Upstream commit 6f0527b77d9e0129dd8e50945b0d610ed943d6b2 ] + +ACPICA commit ed0389cb11a61e63c568ac1f67948fc6a7bd1aeb + +An invalid opcode indicates something seriously wrong with the +input AML file. The AML parser is immediately confused and lost, +causing the resulting parse tree to be ill-formed. The actual +disassembly can then cause numerous unrelated errors and faults. + +This change aborts the disassembly upon discovery of such an +opcode during the AML parse phase. + +Link: https://github.com/acpica/acpica/commit/ed0389cb +Signed-off-by: Bob Moore +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/psobject.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -118,6 +118,9 @@ static acpi_status acpi_ps_get_aml_opcod + (u32)(walk_state->aml_offset + + sizeof(struct acpi_table_header))); + ++ ACPI_ERROR((AE_INFO, ++ "Aborting disassembly, AML byte code is corrupt")); ++ + /* Dump the context surrounding the invalid opcode */ + + acpi_ut_dump_buffer(((u8 *)walk_state->parser_state. +@@ -126,6 +129,14 @@ static acpi_status acpi_ps_get_aml_opcod + sizeof(struct acpi_table_header) - + 16)); + acpi_os_printf(" */\n"); ++ ++ /* ++ * Just abort the disassembly, cannot continue because the ++ * parser is essentially lost. The disassembler can then ++ * randomly fail because an ill-constructed parse tree ++ * can result. 
++ */ ++ return_ACPI_STATUS(AE_AML_BAD_OPCODE); + #endif + } + +@@ -290,6 +301,9 @@ acpi_ps_create_op(struct acpi_walk_state + if (status == AE_CTRL_PARSE_CONTINUE) { + return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE); + } ++ if (ACPI_FAILURE(status)) { ++ return_ACPI_STATUS(status); ++ } + + /* Create Op structure and append to parent's argument list */ + diff --git a/queue-3.18/acpica-events-add-runtime-stub-support-for-event-apis.patch b/queue-3.18/acpica-events-add-runtime-stub-support-for-event-apis.patch new file mode 100644 index 00000000000..b0718a7077e --- /dev/null +++ b/queue-3.18/acpica-events-add-runtime-stub-support-for-event-apis.patch 
@@ -0,0 +1,71 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Lv Zheng +Date: Mon, 5 Jun 2017 16:40:02 +0800 +Subject: ACPICA: Events: Add runtime stub support for event APIs + +From: Lv Zheng + + +[ Upstream commit 861ba6351c520328e94a78c923b415faa9116287 ] + +ACPICA commit 99bc3beca92c6574ea1d69de42e54f872e6373ce + +It is reported that on Linux, RTC driver complains wrong errors on +hardware reduced platform: + [ 4.085420] ACPI Warning: Could not enable fixed event - real_time_clock (4) (20160422/evxface-654) + +This patch fixes this by correctly adding runtime reduced hardware check. +Reported by Chandan Tagore, fixed by Lv Zheng. + +Link: https://github.com/acpica/acpica/commit/99bc3bec +Tested-by: Chandan Tagore +Signed-off-by: Lv Zheng +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/evxfevnt.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/acpi/acpica/evxfevnt.c ++++ b/drivers/acpi/acpica/evxfevnt.c +@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event, + + ACPI_FUNCTION_TRACE(acpi_enable_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event + + ACPI_FUNCTION_TRACE(acpi_disable_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event) + + ACPI_FUNCTION_TRACE(acpi_clear_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > 
ACPI_EVENT_MAX) { diff --git a/queue-3.18/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch b/queue-3.18/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch new file mode 100644 index 00000000000..e478ba688d0 --- /dev/null +++ b/queue-3.18/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Steffen Klassert +Date: Fri, 5 May 2017 07:40:42 +0200 +Subject: af_key: Fix slab-out-of-bounds in pfkey_compile_policy. + +From: Steffen Klassert + + +[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ] + +The sadb_x_sec_len is stored in the unit 'byte divided by eight'. +So we have to multiply this value by eight before we can do +size checks. Otherwise we may get a slab-out-of-bounds when +we memcpy the user sec_ctx. + +Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.") +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -3301,7 +3301,7 @@ static struct xfrm_policy *pfkey_compile + p += pol->sadb_x_policy_len*8; + sec_ctx = (struct sadb_x_sec_ctx *)p; + if (len < pol->sadb_x_policy_len*8 + +- sec_ctx->sadb_x_sec_len) { ++ sec_ctx->sadb_x_sec_len*8) { + *dir = -EINVAL; + goto out; + } diff --git a/queue-3.18/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch b/queue-3.18/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch new file mode 100644 index 00000000000..c3d0b84e4bd --- /dev/null +++ b/queue-3.18/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch 
@@ -0,0 +1,60 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Suman Anna +Date: Tue, 16 May 2017 17:13:45 -0500 +Subject: ARM: davinci: da8xx: Create DSP device only when assigned memory + +From: Suman Anna + + +[ Upstream commit f97f03578b997a8ec2b9bc4928f958a865137268 ] + +The DSP device on Davinci platforms does not have an MMU and requires +specific DDR memory to boot. This memory is reserved using the rproc_mem +kernel boot parameter and is assigned to the device on non-DT boots. +The remoteproc core uses the DMA API and so will fall back to assigning +random memory if this memory is not assigned to the device, but the DSP +remote processor boot will not be successful in such cases. So, check +that memory has been reserved and assigned to the device specifically +before even creating the DSP device. + +Signed-off-by: Suman Anna +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/devices-da8xx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm/mach-davinci/devices-da8xx.c ++++ b/arch/arm/mach-davinci/devices-da8xx.c +@@ -761,6 +761,8 @@ static struct platform_device da8xx_dsp + .resource = da8xx_rproc_resources, + }; + ++static bool rproc_mem_inited __initdata; ++ + #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC) + + static phys_addr_t rproc_base __initdata; +@@ -799,6 +801,8 @@ void __init da8xx_rproc_reserve_cma(void + ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0); + if (ret) + pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret); ++ else ++ rproc_mem_inited = true; + } + + #else +@@ -813,6 +817,12 @@ int __init da8xx_register_rproc(void) + { + int ret; + ++ if (!rproc_mem_inited) { ++ pr_warn("%s: memory not reserved for DSP, not registering DSP device\n", ++ __func__); ++ return -ENOMEM; ++ } ++ + ret = platform_device_register(&da8xx_dsp); + if (ret) + pr_err("%s: can't register DSP device: %d\n", __func__, ret); 
diff --git a/queue-3.18/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch b/queue-3.18/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch new file mode 100644 index 00000000000..61067791c6f --- /dev/null +++ b/queue-3.18/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Fabio Estevam +Date: Sun, 14 May 2017 11:50:50 -0300 +Subject: ARM: dts: imx6qdl-wandboard: Fix audio channel swap + +From: Fabio Estevam + + +[ Upstream commit 79935915300c5eb88a0e94fa9148a7505c14a02a ] + +When running a stress playback/stop loop test on a mx6wandboard channel +swaps can be noticed randomly. + +Increasing the SGTL5000 LRCLK pad strength to its maximum value fixes +the issue, so add the 'lrclk-strength' property to avoid the audio +channel swaps. + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +@@ -86,6 +86,7 @@ + clocks = <&clks 201>; + VDDA-supply = <®_2p5v>; + VDDIO-supply = <®_3p3v>; ++ lrclk-strength = <3>; + }; + }; + diff --git a/queue-3.18/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch b/queue-3.18/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch new file mode 100644 index 00000000000..610b9707f0b --- /dev/null +++ b/queue-3.18/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch 
@@ -0,0 +1,83 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Will Deacon +Date: Wed, 5 Apr 2017 11:14:05 +0100 +Subject: arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage + +From: Will Deacon + + +[ Upstream commit 5f16a046f8e144c294ef98cd29d9458b5f8273e5 ] + +FUTEX_OP_OPARG_SHIFT instructs the futex code to treat the 12-bit oparg +field as a shift value, potentially leading to a left shift value that +is negative or with an absolute value that is significantly larger then +the size of the type. UBSAN chokes with: + +================================================================================ +UBSAN: Undefined behaviour in ./arch/arm64/include/asm/futex.h:60:13 +shift exponent -1 is negative +CPU: 1 PID: 1449 Comm: syz-executor0 Not tainted 4.11.0-rc4-00005-g977eb52-dirty #11 +Hardware name: linux,dummy-virt (DT) +Call trace: +[] dump_backtrace+0x0/0x538 arch/arm64/kernel/traps.c:73 +[] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:228 +[] __dump_stack lib/dump_stack.c:16 [inline] +[] dump_stack+0x120/0x188 lib/dump_stack.c:52 +[] ubsan_epilogue+0x18/0x98 lib/ubsan.c:164 +[] __ubsan_handle_shift_out_of_bounds+0x250/0x294 lib/ubsan.c:421 +[] futex_atomic_op_inuser arch/arm64/include/asm/futex.h:60 [inline] +[] futex_wake_op kernel/futex.c:1489 [inline] +[] do_futex+0x137c/0x1740 kernel/futex.c:3231 +[] SYSC_futex kernel/futex.c:3281 [inline] +[] SyS_futex+0x114/0x268 kernel/futex.c:3249 +[] el0_svc_naked+0x24/0x28 +================================================================================ +syz-executor1 uses obsolete (PF_INET,SOCK_PACKET) +sock: process `syz-executor0' is using obsolete setsockopt SO_BSDCOMPAT + +This patch attempts to fix some of this by: + + * Making encoded_op an unsigned type, so we can shift it left even if + the top bit is set. + + * Casting to signed prior to shifting right when extracting oparg + and cmparg + + * Consider only the bottom 5 bits of oparg when using it as a left-shift + value. 
+ +Whilst I think this catches all of the issues, I'd much prefer to remove +this stuff, as I think it's unused and the bugs are copy-pasted between +a bunch of architectures. + +Reviewed-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/futex.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -44,16 +44,16 @@ + : "memory") + + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) + { + int op = (encoded_op >> 28) & 7; + int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; ++ int oparg = (int)(encoded_op << 8) >> 20; ++ int cmparg = (int)(encoded_op << 20) >> 20; + int oldval = 0, ret, tmp; + + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; ++ oparg = 1U << (oparg & 0x1f); + + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + return -EFAULT; diff --git a/queue-3.18/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch b/queue-3.18/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch new file mode 100644 index 00000000000..9907750ab45 --- /dev/null +++ b/queue-3.18/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch 
@@ -0,0 +1,54 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Anup Patel +Date: Mon, 15 May 2017 10:34:53 +0530 +Subject: async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome() + +From: Anup Patel + + +[ Upstream commit baae03a0e2497f49704628fd0aaf993cf98e1b99 ] + +The DMA_PREP_FENCE is to be used when preparing Tx descriptor if output +of Tx descriptor is to be used by next/dependent Tx descriptor. + +The DMA_PREP_FENSE will not be set correctly in do_async_gen_syndrome() +when calling dma->device_prep_dma_pq() under following conditions: +1. ASYNC_TX_FENCE not set in submit->flags +2. DMA_PREP_FENCE not set in dma_flags +3. src_cnt (= (disks - 2)) is greater than dma_maxpq(dma, dma_flags) + +This patch fixes DMA_PREP_FENCE usage in do_async_gen_syndrome() taking +inspiration from do_async_xor() implementation. + +Signed-off-by: Anup Patel +Reviewed-by: Ray Jui +Reviewed-by: Scott Branden +Acked-by: Dan Williams +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/async_tx/async_pq.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/crypto/async_tx/async_pq.c ++++ b/crypto/async_tx/async_pq.c +@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *c + dma_addr_t dma_dest[2]; + int src_off = 0; + +- if (submit->flags & ASYNC_TX_FENCE) +- dma_flags |= DMA_PREP_FENCE; +- + while (src_cnt > 0) { + submit->flags = flags_orig; + pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags)); +@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *c + if (cb_fn_orig) + dma_flags |= DMA_PREP_INTERRUPT; + } ++ if (submit->flags & ASYNC_TX_FENCE) ++ dma_flags |= DMA_PREP_FENCE; + + /* Drivers force forward progress in case they can not provide + * a descriptor diff --git a/queue-3.18/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch b/queue-3.18/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch new file mode 100644 index 00000000000..319ef6077ec --- /dev/null 
+++ b/queue-3.18/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Thomas Petazzoni +Date: Tue, 16 May 2017 14:06:12 +0200 +Subject: ata: libahci: properly propagate return value of platform_get_irq() + +From: Thomas Petazzoni + + +[ Upstream commit c034640a32f8456018d9c8c83799ead683046b95 ] + +When platform_get_irq() fails, it returns an error code, which +libahci_platform and replaces it by -EINVAL. This commit fixes that by +propagating the error code. It fixes the situation where +platform_get_irq() returns -EPROBE_DEFER because the interrupt +controller is not available yet, and generally looks like the right +thing to do. + +We pay attention to not show the "no irq" message when we are in an +EPROBE_DEFER situation, because the driver probing will be retried +later on, once the interrupt controller becomes available to provide +the interrupt. + +Signed-off-by: Thomas Petazzoni +Reviewed-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci_platform.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -419,8 +419,9 @@ int ahci_platform_init_host(struct platf + + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { +- dev_err(dev, "no irq\n"); +- return -EINVAL; ++ if (irq != -EPROBE_DEFER) ++ dev_err(dev, "no irq\n"); ++ return irq; + } + + /* prepare host */ diff --git a/queue-3.18/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch b/queue-3.18/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch new file mode 100644 index 00000000000..91972e8b2bd --- /dev/null +++ b/queue-3.18/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch 
@@ -0,0 +1,40 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Colin Ian King +Date: Wed, 3 May 2017 15:26:00 +0100 +Subject: ath5k: fix memory leak on buf on failed eeprom read + +From: Colin Ian King + + +[ Upstream commit 8fed6823e06e43ee9cf7c0ffecec2f9111ce6201 ] + +The AR5K_EEPROM_READ macro returns with -EIO if a read error +occurs causing a memory leak on the allocated buffer buf. Fix +this by explicitly calling ath5k_hw_nvram_read and exiting on +the via the freebuf label that performs the necessary free'ing +of buf when a read error occurs. + +Detected by CoverityScan, CID#1248782 ("Resource Leak") + +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath5k/debug.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath5k/debug.c ++++ b/drivers/net/wireless/ath/ath5k/debug.c +@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode + } + + for (i = 0; i < eesize; ++i) { +- AR5K_EEPROM_READ(i, val); ++ if (!ath5k_hw_nvram_read(ah, i, &val)) { ++ ret = -EIO; ++ goto freebuf; ++ } + buf[i] = val; + } + diff --git a/queue-3.18/bcache-segregate-flash-only-volume-write-streams.patch b/queue-3.18/bcache-segregate-flash-only-volume-write-streams.patch new file mode 100644 index 00000000000..9b43b241b54 --- /dev/null +++ b/queue-3.18/bcache-segregate-flash-only-volume-write-streams.patch 
@@ -0,0 +1,83 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Tang Junhui +Date: Mon, 8 Jan 2018 12:21:21 -0800 +Subject: bcache: segregate flash only volume write streams + +From: Tang Junhui + + +[ Upstream commit 4eca1cb28d8b0574ca4f1f48e9331c5f852d43b9 ] + +In such scenario that there are some flash only volumes +, and some cached devices, when many tasks request these devices in +writeback mode, the write IOs may fall to the same bucket as bellow: +| cached data | flash data | cached data | cached data| flash data| +then after writeback of these cached devices, the bucket would +be like bellow bucket: +| free | flash data | free | free | flash data | + +So, there are many free space in this bucket, but since data of flash +only volumes still exists, so this bucket cannot be reclaimable, +which would cause waste of bucket space. + +In this patch, we segregate flash only volume write streams from +cached devices, so data from flash only volumes and cached devices +can store in different buckets. + +Compare to v1 patch, this patch do not add a additionally open bucket +list, and it is try best to segregate flash only volume write streams +from cached devices, sectors of flash only volumes may still be mixed +with dirty sectors of cached device, but the number is very small. 
+ +[mlyle: fixed commit log formatting, permissions, line endings] + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/alloc.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -514,15 +514,21 @@ struct open_bucket { + + /* + * We keep multiple buckets open for writes, and try to segregate different +- * write streams for better cache utilization: first we look for a bucket where +- * the last write to it was sequential with the current write, and failing that +- * we look for a bucket that was last used by the same task. ++ * write streams for better cache utilization: first we try to segregate flash ++ * only volume write streams from cached devices, secondly we look for a bucket ++ * where the last write to it was sequential with the current write, and ++ * failing that we look for a bucket that was last used by the same task. + * + * The ideas is if you've got multiple tasks pulling data into the cache at the + * same time, you'll get better cache utilization if you try to segregate their + * data and preserve locality. + * +- * For example, say you've starting Firefox at the same time you're copying a ++ * For example, dirty sectors of flash only volume is not reclaimable, if their ++ * dirty sectors mixed with dirty sectors of cached device, such buckets will ++ * be marked as dirty and won't be reclaimed, though the dirty data of cached ++ * device have been written back to backend device. ++ * ++ * And say you've starting Firefox at the same time you're copying a + * bunch of files. Firefox will likely end up being fairly hot and stay in the + * cache awhile, but the data you copied might not be; if you wrote all that + * data to the same buckets it'd get invalidated at the same time. 
+@@ -539,7 +545,10 @@ static struct open_bucket *pick_data_buc + struct open_bucket *ret, *ret_task = NULL; + + list_for_each_entry_reverse(ret, &c->data_buckets, list) +- if (!bkey_cmp(&ret->key, search)) ++ if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) != ++ UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)])) ++ continue; ++ else if (!bkey_cmp(&ret->key, search)) + goto found; + else if (ret->last_write_point == write_point) + ret_task = ret; diff --git a/queue-3.18/bcache-stop-writeback-thread-after-detaching.patch b/queue-3.18/bcache-stop-writeback-thread-after-detaching.patch new file mode 100644 index 00000000000..866ccf99fc2 --- /dev/null +++ b/queue-3.18/bcache-stop-writeback-thread-after-detaching.patch 
@@ -0,0 +1,52 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Tang Junhui +Date: Mon, 8 Jan 2018 12:21:19 -0800 +Subject: bcache: stop writeback thread after detaching + +From: Tang Junhui + + +[ Upstream commit 8d29c4426b9f8afaccf28de414fde8a722b35fdf ] + +Currently, when a cached device detaching from cache, writeback thread is +not stopped, and writeback_rate_update work is not canceled. For example, +after the following command: +echo 1 >/sys/block/sdb/bcache/detach +you can still see the writeback thread. Then you attach the device to the +cache again, bcache will create another writeback thread, for example, +after below command: +echo ba0fb5cd-658a-4533-9806-6ce166d883b9 > /sys/block/sdb/bcache/attach +then you will see 2 writeback threads. +This patch stops writeback thread and cancels writeback_rate_update work +when cached device detaching from cache. + +Compare with patch v1, this v2 patch moves code down into the register +lock for safety in case of any future changes as Coly and Mike suggested. + +[edit by mlyle: commit log spelling/formatting] + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -921,6 +921,12 @@ static void cached_dev_detach_finish(str + + mutex_lock(&bch_register_lock); + ++ cancel_delayed_work_sync(&dc->writeback_rate_update); ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) { ++ kthread_stop(dc->writeback_thread); ++ dc->writeback_thread = NULL; ++ } ++ + memset(&dc->sb.set_uuid, 0, 16); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE); + diff --git a/queue-3.18/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch b/queue-3.18/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch new file mode 100644 index 00000000000..59282e761ee 
--- /dev/null +++ b/queue-3.18/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch 
@@ -0,0 +1,68 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Dmitry Monakhov +Date: Wed, 10 May 2017 19:20:44 +0400 +Subject: bio-integrity: Do not allocate integrity context for bio w/o data + +From: Dmitry Monakhov + + +[ Upstream commit 3116a23bb30272d74ea81baf5d0ee23f602dd15b ] + +If bio has no data, such as ones from blkdev_issue_flush(), +then we have nothing to protect. + +This patch prevent bugon like follows: + +kfree_debugcheck: out of range ptr ac1fa1d106742a5ah +kernel BUG at mm/slab.c:2773! +invalid opcode: 0000 [#1] SMP +Modules linked in: bcache +CPU: 0 PID: 4428 Comm: xfs_io Tainted: G W 4.11.0-rc4-ext4-00041-g2ef0043-dirty #43 +Hardware name: Virtuozzo KVM, BIOS seabios-1.7.5-11.vz7.4 04/01/2014 +task: ffff880137786440 task.stack: ffffc90000ba8000 +RIP: 0010:kfree_debugcheck+0x25/0x2a +RSP: 0018:ffffc90000babde0 EFLAGS: 00010082 +RAX: 0000000000000034 RBX: ac1fa1d106742a5a RCX: 0000000000000007 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88013f3ccb40 +RBP: ffffc90000babde8 R08: 0000000000000000 R09: 0000000000000000 +R10: 00000000fcb76420 R11: 00000000725172ed R12: 0000000000000282 +R13: ffffffff8150e766 R14: ffff88013a145e00 R15: 0000000000000001 +FS: 00007fb09384bf40(0000) GS:ffff88013f200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fd0172f9e40 CR3: 0000000137fa9000 CR4: 00000000000006f0 +Call Trace: + kfree+0xc8/0x1b3 + bio_integrity_free+0xc3/0x16b + bio_free+0x25/0x66 + bio_put+0x14/0x26 + blkdev_issue_flush+0x7a/0x85 + blkdev_fsync+0x35/0x42 + vfs_fsync_range+0x8e/0x9f + vfs_fsync+0x1c/0x1e + do_fsync+0x31/0x4a + SyS_fsync+0x10/0x14 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. 
Petersen +Signed-off-by: Dmitry Monakhov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/bio-integrity.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -165,6 +165,9 @@ bool bio_integrity_enabled(struct bio *b + if (!bio_is_rw(bio)) + return false; + ++ if (!bio_sectors(bio)) ++ return false; ++ + /* Already protected? */ + if (bio_integrity(bio)) + return false; diff --git a/queue-3.18/block-fix-an-error-code-in-add_partition.patch b/queue-3.18/block-fix-an-error-code-in-add_partition.patch new file mode 100644 index 00000000000..6621b5c5c5c --- /dev/null +++ b/queue-3.18/block-fix-an-error-code-in-add_partition.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Dan Carpenter +Date: Tue, 23 May 2017 17:28:36 +0300 +Subject: block: fix an error code in add_partition() + +From: Dan Carpenter + + +[ Upstream commit 7bd897cfce1eb373892d35d7f73201b0f9b221c4 ] + +We don't set an error code on this path. It means that we return NULL +instead of an error pointer and the caller does a NULL dereference. + +Fixes: 6d1d8050b4bc ("block, partition: add partition_meta_info to hd_struct") +Signed-off-by: Dan Carpenter +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partition-generic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -309,8 +309,10 @@ struct hd_struct *add_partition(struct g + + if (info) { + struct partition_meta_info *pinfo = alloc_part_info(disk); +- if (!pinfo) ++ if (!pinfo) { ++ err = -ENOMEM; + goto out_free_stats; ++ } + memcpy(pinfo, info, sizeof(*info)); + p->info = pinfo; + } 
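Review bot: in add_partition(), the `if (!pinfo)` branch now sets `err = -ENOMEM`, but this hunk shows only one of the jumps into the shared error labels. The commit message says that reaching `out_free_stats` with `err` unset becomes a NULL return that the caller dereferences. Please confirm that every other `goto` in the function assigns `err` first. A short comment at the error labels saying `err` must be negative on entry would keep the next allocation added here from reintroducing the bug.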
diff --git a/queue-3.18/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch b/queue-3.18/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch new file mode 100644 index 00000000000..d3f6f57a507 --- /dev/null +++ b/queue-3.18/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch 
@@ -0,0 +1,122 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Marcel Holtmann +Date: Fri, 9 Jun 2017 18:43:56 +0200 +Subject: Bluetooth: Send HCI Set Event Mask Page 2 command only when needed + +From: Marcel Holtmann + + +[ Upstream commit 313f6888c8fbb1bc8b36c9012ce4e1de848df696 ] + +The Broadcom BCM20702 Bluetooth controller in ThinkPad-T530 devices +report support for the Set Event Mask Page 2 command, but actually do +return an error when trying to use it. + + < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0 + > HCI Event: Command Complete (0x0e) plen 68 + Read Local Supported Commands (0x04|0x0002) ncmd 1 + Status: Success (0x00) + Commands: 162 entries + ... + Set Event Mask Page 2 (Octet 22 - Bit 2) + ... + + < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8 + Mask: 0x0000000000000000 + > HCI Event: Command Complete (0x0e) plen 4 + Set Event Mask Page 2 (0x03|0x0063) ncmd 1 + Status: Unknown HCI Command (0x01) + +Since these controllers do not support any feature that would require +the event mask page 2 to be modified, it is safe to not send this +command at all. The default value is all bits set to zero. + +T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=03 Dev#= 9 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0a5c ProdID=21e6 Rev= 1.12 +S: Manufacturer=Broadcom Corp +S: Product=BCM20702A0 +S: SerialNumber=F82FA8E8CFC0 +C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) 
Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb +E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) + +Signed-off-by: Marcel Holtmann +Reported-by: Sedat Dilek +Tested-by: Sedat Dilek +Signed-off-by: Szymon Janc +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1635,6 +1635,7 @@ static void hci_set_event_mask_page_2(st + { + struct hci_dev *hdev = req->hdev; + u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; ++ bool changed = false; + + /* If Connectionless Slave Broadcast master role is supported + * enable all necessary events for it. 
+@@ -1644,6 +1645,7 @@ static void hci_set_event_mask_page_2(st + events[1] |= 0x80; /* Synchronization Train Complete */ + events[2] |= 0x10; /* Slave Page Response Timeout */ + events[2] |= 0x20; /* CSB Channel Map Change */ ++ changed = true; + } + + /* If Connectionless Slave Broadcast slave role is supported +@@ -1654,13 +1656,24 @@ static void hci_set_event_mask_page_2(st + events[2] |= 0x02; /* CSB Receive */ + events[2] |= 0x04; /* CSB Timeout */ + events[2] |= 0x08; /* Truncated Page Complete */ ++ changed = true; + } + + /* Enable Authenticated Payload Timeout Expired event if supported */ +- if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) ++ if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) { + events[2] |= 0x80; ++ changed = true; ++ } + +- hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events); ++ /* Some Broadcom based controllers indicate support for Set Event ++ * Mask Page 2 command, but then actually do not support it. Since ++ * the default value is all bits set to zero, the command is only ++ * required if the event mask has to be changed. In case no change ++ * to the event mask is needed, skip this command. ++ */ ++ if (changed) ++ hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, ++ sizeof(events), events); + } + + static void hci_init3_req(struct hci_request *req, unsigned long opt) diff --git a/queue-3.18/bna-avoid-reading-past-end-of-buffer.patch b/queue-3.18/bna-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..c2421695b6c --- /dev/null +++ b/queue-3.18/bna-avoid-reading-past-end-of-buffer.patch 
@@ -0,0 +1,37 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 15:25:32 -0700 +Subject: bna: Avoid reading past end of buffer + +From: Kees Cook + + +[ Upstream commit 9e4eb1ce472fbf7b007f23c88ec11c37265e401c ] + +Using memcpy() from a string that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. Instead, use strncpy() which will fill the trailing bytes +with zeros. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c ++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c +@@ -2856,7 +2856,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bf + static void + bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer) + { +- memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN); ++ strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN); + } + + static void diff --git a/queue-3.18/bnx2x-allow-vfs-to-disable-txvlan-offload.patch b/queue-3.18/bnx2x-allow-vfs-to-disable-txvlan-offload.patch new file mode 100644 index 00000000000..8ad0fd3b4e8 --- /dev/null +++ b/queue-3.18/bnx2x-allow-vfs-to-disable-txvlan-offload.patch 
@@ -0,0 +1,57 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Mintz, Yuval" +Date: Fri, 9 Jun 2017 17:17:01 +0300 +Subject: bnx2x: Allow vfs to disable txvlan offload + +From: "Mintz, Yuval" + + +[ Upstream commit 92f85f05caa51d844af6ea14ffbc7a786446a644 ] + +VF clients are configured as enforced, meaning firmware is validating +the correctness of their ethertype/vid during transmission. +Once txvlan is disabled, VF would start getting SKBs for transmission +here vlan is on the payload - but it'll pass the packet's ethertype +instead of the vid, leading to firmware declaring it as malicious. + +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -3876,15 +3876,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_b + /* when transmitting in a vf, start bd must hold the ethertype + * for fw to enforce it + */ ++ u16 vlan_tci = 0; + #ifndef BNX2X_STOP_ON_ERROR +- if (IS_VF(bp)) ++ if (IS_VF(bp)) { + #endif +- tx_start_bd->vlan_or_ethertype = +- cpu_to_le16(ntohs(eth->h_proto)); ++ /* Still need to consider inband vlan for enforced */ ++ if (__vlan_get_tag(skb, &vlan_tci)) { ++ tx_start_bd->vlan_or_ethertype = ++ cpu_to_le16(ntohs(eth->h_proto)); ++ } else { ++ tx_start_bd->bd_flags.as_bitfield |= ++ (X_ETH_INBAND_VLAN << ++ ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT); ++ tx_start_bd->vlan_or_ethertype = ++ cpu_to_le16(vlan_tci); ++ } + #ifndef BNX2X_STOP_ON_ERROR +- else ++ } else { + /* used by FW for packet accounting */ + tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod); ++ } + #endif + } + 
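Review bot: in bnx2x_start_xmit(), the retained comment above the new code still says the start bd "must hold the ethertype for fw to enforce it", which no longer matches the added else branch. When `__vlan_get_tag(skb, &vlan_tci)` succeeds, that branch stores `vlan_tci` in `vlan_or_ethertype` and sets X_ETH_INBAND_VLAN. Update the comment to cover both cases. It is also worth noting there that `__vlan_get_tag()` returns non-zero when no tag is present, because the `if` reads as inverted on first pass and this is the check that decides what the firmware enforces.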
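Review bot: in bfa_ioc_get_adapter_manufacturer() (drivers/net/ethernet/brocade/bna/bfa_ioc.c, the bna patch queued just before the bnx2x one), `strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN)` stops the over-read of rodata but leaves the destination NUL-terminated only while the source string is shorter than the count. The commit message says that is the case today, but nothing in the hunk enforces it. A compile-time check such as `BUILD_BUG_ON(sizeof(BFA_MFG_NAME) > BFA_ADAPTER_MFG_NAME_LEN)`, or a comment stating the assumption, would stop a later change to either constant from producing an unterminated string.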
diff --git a/queue-3.18/bonding-don-t-update-slave-link-until-ready-to-commit.patch b/queue-3.18/bonding-don-t-update-slave-link-until-ready-to-commit.patch new file mode 100644 index 00000000000..c02928b316a --- /dev/null +++ b/queue-3.18/bonding-don-t-update-slave-link-until-ready-to-commit.patch 
@@ -0,0 +1,86 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Nithin Sujir +Date: Wed, 24 May 2017 19:45:17 -0700 +Subject: bonding: Don't update slave->link until ready to commit + +From: Nithin Sujir + + +[ Upstream commit 797a93647a48d6cb8a20641a86a71713a947f786 ] + +In the loadbalance arp monitoring scheme, when a slave link change is +detected, the slave->link is immediately updated and slave_state_changed +is set. Later down the function, the rtnl_lock is acquired and the +changes are committed, updating the bond link state. + +However, the acquisition of the rtnl_lock can fail. The next time the +monitor runs, since slave->link is already updated, it determines that +link is unchanged. This results in the bond link state permanently out +of sync with the slave link. + +This patch modifies bond_loadbalance_arp_mon() to handle link changes +identical to bond_ab_arp_{inspect/commit}(). The new link state is +maintained in slave->new_link until we're ready to commit at which point +it's copied into slave->link. + +NOTE: miimon_{inspect/commit}() has a more complex state machine +requiring the use of the bond_{propose,commit}_link_state() functions +which maintains the intermediate state in slave->link_new_state. The arp +monitors don't require that. + +Testing: This bug is very easy to reproduce with the following steps. +1. In a loop, toggle a slave link of a bond slave interface. +2. In a separate loop, do ifconfig up/down of an unrelated interface to +create contention for rtnl_lock. +Within a few iterations, the bond link goes out of sync with the slave +link. + +Signed-off-by: Nithin Nayak Sujir +Cc: Mahesh Bandewar +Cc: Jay Vosburgh +Acked-by: Mahesh Bandewar +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2425,11 +2425,13 @@ static void bond_loadbalance_arp_mon(str + bond_for_each_slave_rcu(bond, slave, iter) { + unsigned long trans_start = dev_trans_start(slave->dev); + ++ slave->new_link = BOND_LINK_NOCHANGE; ++ + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, trans_start, 1) && + bond_time_in_interval(bond, slave->last_rx, 1)) { + +- slave->link = BOND_LINK_UP; ++ slave->new_link = BOND_LINK_UP; + slave_state_changed = 1; + + /* primary_slave has no meaning in round-robin +@@ -2456,7 +2458,7 @@ static void bond_loadbalance_arp_mon(str + if (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, slave->last_rx, 2)) { + +- slave->link = BOND_LINK_DOWN; ++ slave->new_link = BOND_LINK_DOWN; + slave_state_changed = 1; + + if (slave->link_failure_count < UINT_MAX) +@@ -2487,6 +2489,11 @@ static void bond_loadbalance_arp_mon(str + if (!rtnl_trylock()) + goto re_arm; + ++ bond_for_each_slave(bond, slave, iter) { ++ if (slave->new_link != BOND_LINK_NOCHANGE) ++ slave->link = slave->new_link; ++ } ++ + if (slave_state_changed) { + bond_slave_state_change(bond); + if (BOND_MODE(bond) == BOND_MODE_XOR) diff --git a/queue-3.18/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch b/queue-3.18/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch new file mode 100644 index 00000000000..ee8b1027d08 --- /dev/null +++ b/queue-3.18/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch 
@@ -0,0 +1,37 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Colin Ian King +Date: Tue, 9 May 2017 18:14:01 +0100 +Subject: btrfs: fix incorrect error return ret being passed to mapping_set_error + +From: Colin Ian King + + +[ Upstream commit bff5baf8aa37a97293725a16c03f49872249c07e ] + +The setting of return code ret should be based on the error code +passed into function end_extent_writepage and not on ret. Thanks +to Liu Bo for spotting this mistake in the original fix I submitted. + +Detected by CoverityScan, CID#1414312 ("Logically dead code") + +Fixes: 5dca6eea91653e ("Btrfs: mark mapping with error flag to report errors to userspace") +Signed-off-by: Colin Ian King +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2438,7 +2438,7 @@ int end_extent_writepage(struct page *pa + if (!uptodate) { + ClearPageUptodate(page); + SetPageError(page); +- ret = ret < 0 ? ret : -EIO; ++ ret = err < 0 ? err : -EIO; + mapping_set_error(page->mapping, ret); + } + return 0; diff --git a/queue-3.18/cifs-silence-lockdep-splat-in-cifs_relock_file.patch b/queue-3.18/cifs-silence-lockdep-splat-in-cifs_relock_file.patch new file mode 100644 index 00000000000..7ca74b0a174 --- /dev/null +++ b/queue-3.18/cifs-silence-lockdep-splat-in-cifs_relock_file.patch 
@@ -0,0 +1,87 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Rabin Vincent +Date: Wed, 3 May 2017 17:17:21 +0200 +Subject: CIFS: silence lockdep splat in cifs_relock_file() + +From: Rabin Vincent + + +[ Upstream commit 560d388950ceda5e7c7cdef7f3d9a8ff297bbf9d ] + +cifs_relock_file() can perform a down_write() on the inode's lock_sem even +though it was already performed in cifs_strict_readv(). Lockdep complains +about this. AFAICS, there is no problem here, and lockdep just needs to be +told that this nesting is OK. + + ============================================= + [ INFO: possible recursive locking detected ] + 4.11.0+ #20 Not tainted + --------------------------------------------- + cat/701 is trying to acquire lock: + (&cifsi->lock_sem){++++.+}, at: cifs_reopen_file+0x7a7/0xc00 + + but task is already holding lock: + (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310 + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&cifsi->lock_sem); + lock(&cifsi->lock_sem); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 1 lock held by cat/701: + #0: (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310 + + stack backtrace: + CPU: 0 PID: 701 Comm: cat Not tainted 4.11.0+ #20 + Call Trace: + dump_stack+0x85/0xc2 + __lock_acquire+0x17dd/0x2260 + ? trace_hardirqs_on_thunk+0x1a/0x1c + ? preempt_schedule_irq+0x6b/0x80 + lock_acquire+0xcc/0x260 + ? lock_acquire+0xcc/0x260 + ? cifs_reopen_file+0x7a7/0xc00 + down_read+0x2d/0x70 + ? cifs_reopen_file+0x7a7/0xc00 + cifs_reopen_file+0x7a7/0xc00 + ? printk+0x43/0x4b + cifs_readpage_worker+0x327/0x8a0 + cifs_readpage+0x8c/0x2a0 + generic_file_read_iter+0x692/0xd00 + cifs_strict_readv+0x29f/0x310 + generic_file_splice_read+0x11c/0x1c0 + do_splice_to+0xa5/0xc0 + splice_direct_to_actor+0xfa/0x350 + ? 
generic_pipe_buf_nosteal+0x10/0x10 + do_splice_direct+0xb5/0xe0 + do_sendfile+0x278/0x3a0 + SyS_sendfile64+0xc4/0xe0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + +Signed-off-by: Rabin Vincent +Acked-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -583,7 +583,7 @@ cifs_relock_file(struct cifsFileInfo *cf + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + int rc = 0; + +- down_read(&cinode->lock_sem); ++ down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING); + if (cinode->can_cache_brlcks) { + /* can cache locks - no need to relock */ + up_read(&cinode->lock_sem); diff --git a/queue-3.18/cx25840-fix-unchecked-return-values.patch b/queue-3.18/cx25840-fix-unchecked-return-values.patch new file mode 100644 index 00000000000..a0710cbe2ee --- /dev/null +++ b/queue-3.18/cx25840-fix-unchecked-return-values.patch 
@@ -0,0 +1,83 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 10:06:36 -0300 +Subject: [media] cx25840: fix unchecked return values + +From: Pan Bian + + +[ Upstream commit 35378ce143071c2a6bad4b59a000e9b9f8f6ea67 ] + +In functions cx25840_initialize(), cx231xx_initialize(), and +cx23885_initialize(), the return value of create_singlethread_workqueue() +is used without validation. This may result in NULL dereference and cause +kernel crash. This patch fixes it. + +Signed-off-by: Pan Bian +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/cx25840/cx25840-core.c | 36 ++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2 + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + /* 6. 
*/ + cx25840_write(client, 0x115, 0x8c); +@@ -631,11 +633,13 @@ static void cx23885_initialize(struct i2 + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + /* Call the cx23888 specific std setup func, we no longer rely on + * the generic cx24840 func. +@@ -746,11 +750,13 @@ static void cx231xx_initialize(struct i2 + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + cx25840_std_setup(client); + diff --git a/queue-3.18/drm-omap-fix-tiled-buffer-stride-calculations.patch b/queue-3.18/drm-omap-fix-tiled-buffer-stride-calculations.patch new file mode 100644 index 00000000000..5f2b80e6e68 --- /dev/null +++ b/queue-3.18/drm-omap-fix-tiled-buffer-stride-calculations.patch 
@@ -0,0 +1,45 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Tomi Valkeinen +Date: Thu, 18 May 2017 11:51:51 +0300 +Subject: drm/omap: fix tiled buffer stride calculations + +From: Tomi Valkeinen + + +[ Upstream commit cc8dd7661ccc2d8dc88921da8e6cc7c2fcdb0341 ] + +omap_gem uses page alignment for buffer stride. The related calculations +are a bit off, though, as byte stride of 4096 gets aligned to 8192, +instead of 4096. + +This patch changes the code to use DIV_ROUND_UP(), which fixes those +calculations and makes them more readable. + +Signed-off-by: Tomi Valkeinen +Reviewed-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/omap_gem.c ++++ b/drivers/gpu/drm/omapdrm/omap_gem.c +@@ -158,7 +158,7 @@ static void evict_entry(struct drm_gem_o + size_t size = PAGE_SIZE * n; + loff_t off = mmap_offset(obj) + + (entry->obj_pgoff << PAGE_SHIFT); +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE); ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE); + + if (m > 1) { + int i; +@@ -415,7 +415,7 @@ static int fault_2d(struct drm_gem_objec + * into account in some of the math, so figure out virtual stride + * in pages + */ +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE); ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE); + + /* We don't use vmf->pgoff since that has the fake offset: */ + pgoff = ((unsigned long)vmf->virtual_address - diff --git a/queue-3.18/e1000e-fix-race-condition-around-skb_tstamp_tx.patch b/queue-3.18/e1000e-fix-race-condition-around-skb_tstamp_tx.patch new file mode 100644 index 00000000000..59fee768e25 --- /dev/null +++ b/queue-3.18/e1000e-fix-race-condition-around-skb_tstamp_tx.patch 
@@ -0,0 +1,72 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jacob Keller +Date: Wed, 3 May 2017 10:28:50 -0700 +Subject: e1000e: fix race condition around skb_tstamp_tx() + +From: Jacob Keller + + +[ Upstream commit 5012863b7347866764c4a4e58b62fb05346b0d06 ] + +The e1000e driver and related hardware has a limitation on Tx PTP +packets which requires we limit to timestamping a single packet at once. +We do this by verifying that we never request a new Tx timestamp while +we still have a tx_hwtstamp_skb pointer. + +Unfortunately the driver suffers from a race condition around this. The +tx_hwtstamp_skb pointer is not set to NULL until after skb_tstamp_tx() +is called. This function notifies the stack and applications of a new +timestamp. Even a well behaved application that only sends a new request +when the first one is finished might be woken up and possibly send +a packet before we can free the timestamp in the driver again. The +result is that we needlessly ignore some Tx timestamp requests in this +corner case. + +Fix this by assigning the tx_hwtstamp_skb pointer prior to calling +skb_tstamp_tx() and use a temporary pointer to hold the timestamped skb +until that function finishes. This ensures that the application is not +woken up until the driver is ready to begin timestamping a new packet. + +This ensures that well behaved applications do not accidentally race +with condition to skip Tx timestamps. Obviously an application which +sends multiple Tx timestamp requests at once will still only timestamp +one packet at a time. Unfortunately there is nothing we can do about +this. 
+ +Reported-by: David Mirabito +Signed-off-by: Jacob Keller +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -1181,6 +1181,7 @@ static void e1000e_tx_hwtstamp_work(stru + struct e1000_hw *hw = &adapter->hw; + + if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) { ++ struct sk_buff *skb = adapter->tx_hwtstamp_skb; + struct skb_shared_hwtstamps shhwtstamps; + u64 txstmp; + +@@ -1189,9 +1190,14 @@ static void e1000e_tx_hwtstamp_work(stru + + e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp); + +- skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps); +- dev_kfree_skb_any(adapter->tx_hwtstamp_skb); ++ /* Clear the global tx_hwtstamp_skb pointer and force writes ++ * prior to notifying the stack of a Tx timestamp. ++ */ + adapter->tx_hwtstamp_skb = NULL; ++ wmb(); /* force write prior to skb_tstamp_tx */ ++ ++ skb_tstamp_tx(skb, &shhwtstamps); ++ dev_kfree_skb_any(skb); + } else if (time_after(jiffies, adapter->tx_hwtstamp_start + + adapter->tx_timeout_factor * HZ)) { + dev_kfree_skb_any(adapter->tx_hwtstamp_skb); diff --git a/queue-3.18/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch b/queue-3.18/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch new file mode 100644 index 00000000000..bc14a935732 --- /dev/null +++ b/queue-3.18/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch 
@@ -0,0 +1,91 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Chris Wilson +Date: Wed, 31 May 2017 18:50:43 +0300 +Subject: e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails + +From: Chris Wilson + + +[ Upstream commit 833521ebc65b1c3092e5c0d8a97092f98eec595d ] + +An error during suspend (e100e_pm_suspend), + +[ 429.994338] ACPI : EC: event blocked +[ 429.994633] e1000e: EEE TX LPI TIMER: 00000011 +[ 430.955451] pci_pm_suspend(): e1000e_pm_suspend+0x0/0x30 [e1000e] returns -2 +[ 430.955454] dpm_run_callback(): pci_pm_suspend+0x0/0x140 returns -2 +[ 430.955458] PM: Device 0000:00:19.0 failed to suspend async: error -2 +[ 430.955581] PM: Some devices failed to suspend, or early wake event detected +[ 430.957709] ACPI : EC: event unblocked + +lead to complete failure: + +[ 432.585002] ------------[ cut here ]------------ +[ 432.585013] WARNING: CPU: 3 PID: 8372 at kernel/irq/manage.c:1478 __free_irq+0x9f/0x280 +[ 432.585015] Trying to free already-free IRQ 20 +[ 432.585016] Modules linked in: cdc_ncm usbnet x86_pkg_temp_thermal intel_powerclamp coretemp mii crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep lpc_ich snd_hda_core snd_pcm mei_me mei sdhci_pci sdhci i915 mmc_core e1000e ptp pps_core prime_numbers +[ 432.585042] CPU: 3 PID: 8372 Comm: kworker/u16:40 Tainted: G U 4.10.0-rc8-CI-Patchwork_3870+ #1 +[ 432.585044] Hardware name: LENOVO 2356GCG/2356GCG, BIOS G7ET31WW (1.13 ) 07/02/2012 +[ 432.585050] Workqueue: events_unbound async_run_entry_fn +[ 432.585051] Call Trace: +[ 432.585058] dump_stack+0x67/0x92 +[ 432.585062] __warn+0xc6/0xe0 +[ 432.585065] warn_slowpath_fmt+0x4a/0x50 +[ 432.585070] ? 
_raw_spin_lock_irqsave+0x49/0x60 +[ 432.585072] __free_irq+0x9f/0x280 +[ 432.585075] free_irq+0x34/0x80 +[ 432.585089] e1000_free_irq+0x65/0x70 [e1000e] +[ 432.585098] e1000e_pm_freeze+0x7a/0xb0 [e1000e] +[ 432.585106] e1000e_pm_suspend+0x21/0x30 [e1000e] +[ 432.585113] pci_pm_suspend+0x71/0x140 +[ 432.585118] dpm_run_callback+0x6f/0x330 +[ 432.585122] ? pci_pm_freeze+0xe0/0xe0 +[ 432.585125] __device_suspend+0xea/0x330 +[ 432.585128] async_suspend+0x1a/0x90 +[ 432.585132] async_run_entry_fn+0x34/0x160 +[ 432.585137] process_one_work+0x1f4/0x6d0 +[ 432.585140] ? process_one_work+0x16e/0x6d0 +[ 432.585143] worker_thread+0x49/0x4a0 +[ 432.585145] kthread+0x107/0x140 +[ 432.585148] ? process_one_work+0x6d0/0x6d0 +[ 432.585150] ? kthread_create_on_node+0x40/0x40 +[ 432.585154] ret_from_fork+0x2e/0x40 +[ 432.585156] ---[ end trace 6712df7f8c4b9124 ]--- + +The unwind failures stems from commit 2800209994f8 ("e1000e: Refactor PM +flows"), but it may be a later patch that introduced the non-recoverable +behaviour. + +Fixes: 2800209994f8 ("e1000e: Refactor PM flows") +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99847 +Signed-off-by: Chris Wilson +Signed-off-by: Jani Nikula +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -6363,12 +6363,17 @@ static int e1000e_pm_thaw(struct device + static int e1000e_pm_suspend(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ int rc; + + e1000e_flush_lpic(pdev); + + e1000e_pm_freeze(dev); + +- return __e1000_shutdown(pdev, false); ++ rc = __e1000_shutdown(pdev, false); ++ if (rc) ++ e1000e_pm_thaw(dev); ++ ++ return rc; + } + + static int e1000e_pm_resume(struct device *dev) 
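Review bot: in e1000e_pm_suspend(), the new error path calls `e1000e_pm_thaw(dev)` and discards its result, although the hunk header shows that function returns int. If the thaw fails, the device stays frozen and the caller sees only `rc` from `__e1000_shutdown()`, so a failed unwind leaves no trace. Log a non-zero thaw result (for example with dev_err()) while still returning the original `rc`.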
diff --git a/queue-3.18/edac-mv64x60-fix-an-error-handling-path.patch b/queue-3.18/edac-mv64x60-fix-an-error-handling-path.patch new file mode 100644 index 00000000000..65d19441032 --- /dev/null +++ b/queue-3.18/edac-mv64x60-fix-an-error-handling-path.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Christophe JAILLET +Date: Sun, 7 Jan 2018 21:54:00 +0100 +Subject: EDAC, mv64x60: Fix an error handling path + +From: Christophe JAILLET + + +[ Upstream commit 68fa24f9121c04ef146b5158f538c8b32f285be5 ] + +We should not call edac_mc_del_mc() if a corresponding call to +edac_mc_add_mc() has not been performed yet. + +So here, we should go to err instead of err2 to branch at the right +place of the error handling path. + +Signed-off-by: Christophe JAILLET +Cc: linux-edac +Link: http://lkml.kernel.org/r/20180107205400.14068-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/mv64x60_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/mv64x60_edac.c ++++ b/drivers/edac/mv64x60_edac.c +@@ -763,7 +763,7 @@ static int mv64x60_mc_err_probe(struct p + /* Non-ECC RAM? */ + printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__); + res = -ENODEV; +- goto err2; ++ goto err; + } + + edac_dbg(3, "init mci\n"); diff --git a/queue-3.18/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch b/queue-3.18/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch new file mode 100644 index 00000000000..fa27fc4e523 --- /dev/null +++ b/queue-3.18/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch 
@@ -0,0 +1,54 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Eryu Guan +Date: Wed, 24 May 2017 18:02:20 -0400 +Subject: ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() + +From: Eryu Guan + + +[ Upstream commit 624327f8794704c5066b11a52f9da6a09dce7f9a ] + +ext4_find_unwritten_pgoff() is used to search for offset of hole or +data in page range [index, end] (both inclusive), and the max number +of pages to search should be at least one, if end == index. +Otherwise the only page is missed and no hole or data is found, +which is not correct. + +When block size is smaller than page size, this can be demonstrated +by preallocating a file with size smaller than page size and writing +data to the last block. E.g. run this xfs_io command on a 1k block +size ext4 on x86_64 host. + + # xfs_io -fc "falloc 0 3k" -c "pwrite 2k 1k" \ + -c "seek -d 0" /mnt/ext4/testfile + wrote 1024/1024 bytes at offset 2048 + 1 KiB, 1 ops; 0.0000 sec (42.459 MiB/sec and 43478.2609 ops/sec) + Whence Result + DATA EOF + +Data at offset 2k was missed, and lseek(2) returned ENXIO. + +This is unconvered by generic/285 subtest 07 and 08 on ppc64 host, +where pagesize is 64k. Because a recent change to generic/285 +reduced the preallocated file size to smaller than 64k. + +Signed-off-by: Eryu Guan +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -300,7 +300,7 @@ static int ext4_find_unwritten_pgoff(str + int i, num; + unsigned long nr_pages; + +- num = min_t(pgoff_t, end - index, PAGEVEC_SIZE); ++ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1; + nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index, + (pgoff_t)num); + if (nr_pages == 0) 
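Review bot: the new expression min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1 in ext4_find_unwritten_pgoff() is only correct for end >= index, and nothing in the hunk states or checks that. The commit message explains that [index, end] is inclusive, but the code does not, so the "- 1 ... + 1" pair reads like a mistake to the next person touching it. A one-line comment above the assignment saying the range is inclusive and that num is therefore between 1 and PAGEVEC_SIZE would document the invariant. Also worth noting that the result of a pgoff_t computation is stored in int num and then cast back with (pgoff_t)num.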
diff --git a/queue-3.18/fix-race-in-drivers-char-random.c-get_reg.patch b/queue-3.18/fix-race-in-drivers-char-random.c-get_reg.patch new file mode 100644 index 00000000000..bd6e93121d8 --- /dev/null +++ b/queue-3.18/fix-race-in-drivers-char-random.c-get_reg.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Michael Schmitz +Date: Sun, 30 Apr 2017 19:49:21 +1200 +Subject: fix race in drivers/char/random.c:get_reg() + +From: Michael Schmitz + + +[ Upstream commit 9dfa7bba35ac08a63565d58c454dccb7e1bb0a08 ] + +get_reg() can be reentered on architectures with prioritized interrupts +(m68k in this case), causing f->reg_index to be incremented after the +range check. Out of bounds memory access past the pt_regs struct results. +This will go mostly undetected unless access is beyond end of memory. + +Prevent the race by disabling interrupts in get_reg(). + +Tested on m68k (Atari Falcon, and ARAnyM emulator). + +Kudos to Geert Uytterhoeven for helping to trace this race. + +Signed-off-by: Michael Schmitz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/random.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -863,12 +863,16 @@ static void add_interrupt_bench(cycles_t + static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs) + { + __u32 *ptr = (__u32 *) regs; ++ unsigned long flags; + + if (regs == NULL) + return 0; ++ local_irq_save(flags); + if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32)) + f->reg_idx = 0; +- return *(ptr + f->reg_idx++); ++ ptr += f->reg_idx++; ++ local_irq_restore(flags); ++ return *ptr; + } + + void add_interrupt_randomness(int irq, int irq_flags) diff --git a/queue-3.18/fix-serial-console-on-sni-rm400-machines.patch b/queue-3.18/fix-serial-console-on-sni-rm400-machines.patch new file mode 100644 index 00000000000..83a776cd459 --- /dev/null 
+++ b/queue-3.18/fix-serial-console-on-sni-rm400-machines.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Thomas Bogendoerfer +Date: Wed, 31 May 2017 22:21:03 +0200 +Subject: Fix serial console on SNI RM400 machines + +From: Thomas Bogendoerfer + + +[ Upstream commit e279e6d98e0cf2c2fe008b3c29042b92f0e17b1d ] + +sccnxp driver doesn't get the correct uart clock rate, if CONFIG_HAVE_CLOCK +is disabled. Correct usage of clk API to make it work with/without it. + +Fixes: 90efa75f7ab0 (serial: sccnxp: Using CLK API for getting UART clock) + +Suggested-by: Russell King - ARM Linux +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sccnxp.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/sccnxp.c ++++ b/drivers/tty/serial/sccnxp.c +@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_ + + clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(clk)) { +- if (PTR_ERR(clk) == -EPROBE_DEFER) { +- ret = -EPROBE_DEFER; ++ ret = PTR_ERR(clk); ++ if (ret == -EPROBE_DEFER) + goto err_out; +- } ++ uartclk = 0; ++ } else { ++ clk_prepare_enable(clk); ++ uartclk = clk_get_rate(clk); ++ } ++ ++ if (!uartclk) { + dev_notice(&pdev->dev, "Using default clock frequency\n"); + uartclk = s->chip->freq_std; +- } else +- uartclk = clk_get_rate(clk); ++ } + + /* Check input frequency */ + if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) { diff --git a/queue-3.18/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch b/queue-3.18/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch new file mode 100644 index 00000000000..18fff366c10 --- /dev/null +++ b/queue-3.18/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch 
@@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Firo Yang +Date: Fri, 26 May 2017 22:37:38 +0800 +Subject: hdlcdrv: Fix divide by zero in hdlcdrv_ioctl + +From: Firo Yang + + +[ Upstream commit fb3ce90b7d7761b6f7f28f0ff5c456ef6b5229a1 ] + +syszkaller fuzzer triggered a divide by zero, when set calibration +through ioctl(). + +To fix it, test 'bitrate' if it is negative or 0, just return -EINVAL. + +Reported-by: Andrey Konovalov +Signed-off-by: Firo Yang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/hdlcdrv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/hamradio/hdlcdrv.c ++++ b/drivers/net/hamradio/hdlcdrv.c +@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_devi + case HDLCDRVCTL_CALIBRATE: + if(!capable(CAP_SYS_RAWIO)) + return -EPERM; ++ if (s->par.bitrate <= 0) ++ return -EINVAL; + if (bi.data.calibrate > INT_MAX / s->par.bitrate) + return -EINVAL; + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; diff --git a/queue-3.18/ib-srpt-fix-abort-handling.patch b/queue-3.18/ib-srpt-fix-abort-handling.patch new file mode 100644 index 00000000000..b98ef1728e3 --- /dev/null +++ b/queue-3.18/ib-srpt-fix-abort-handling.patch 
@@ -0,0 +1,49 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Bart Van Assche +Date: Thu, 4 May 2017 15:50:53 -0700 +Subject: IB/srpt: Fix abort handling + +From: Bart Van Assche + + +[ Upstream commit 55d694275f41a1c0eef4ef49044ff29bc3999490 ] + +Let the target core check the CMD_T_ABORTED flag instead of the SRP +target driver. Hence remove the transport_check_aborted_status() +call. Since state == SRPT_STATE_CMD_RSP_SENT is something that really +should not happen, do not try to recover if srpt_queue_response() is +called for an I/O context that is in that state. This patch is a bug +fix because the srpt_abort_cmd() call is misplaced - if that function +is called from srpt_queue_response() it should either be called +before the command state is changed or after the response has been +sent. + +Signed-off-by: Bart Van Assche +Reviewed-by: Hannes Reinecke +Cc: Doug Ledford +Cc: Christoph Hellwig +Cc: Andy Grover +Cc: David Disseldorp +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2986,12 +2986,8 @@ static void srpt_queue_response(struct s + } + spin_unlock_irqrestore(&ioctx->spinlock, flags); + +- if (unlikely(transport_check_aborted_status(&ioctx->cmd, false) +- || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) { +- atomic_inc(&ch->req_lim_delta); +- srpt_abort_cmd(ioctx); ++ if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) + return; +- } + + dir = ioctx->cmd.data_direction; + diff --git a/queue-3.18/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch b/queue-3.18/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch new file mode 100644 index 00000000000..cdc323eb911 --- /dev/null +++ b/queue-3.18/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch 
@@ -0,0 +1,33 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Lorenzo Bianconi +Date: Tue, 6 Jun 2017 22:51:24 +0200 +Subject: iio: magnetometer: st_magn_spi: fix spi_device_id table + +From: Lorenzo Bianconi + + +[ Upstream commit c83761ff0aac954aa368c623bb0f0d1a3214e834 ] + +Remove LSM303DLHC, LSM303DLM from st_magn_id_table since LSM303DL series +does not support spi interface + +Fixes: 872e79add756 (iio: magn: Add STMicroelectronics magn driver) +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/magnetometer/st_magn_spi.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/iio/magnetometer/st_magn_spi.c ++++ b/drivers/iio/magnetometer/st_magn_spi.c +@@ -49,8 +49,6 @@ static int st_magn_spi_remove(struct spi + } + + static const struct spi_device_id st_magn_id_table[] = { +- { LSM303DLHC_MAGN_DEV_NAME }, +- { LSM303DLM_MAGN_DEV_NAME }, + { LIS3MDL_MAGN_DEV_NAME }, + {}, + }; diff --git a/queue-3.18/ipsec-check-return-value-of-skb_to_sgvec-always.patch b/queue-3.18/ipsec-check-return-value-of-skb_to_sgvec-always.patch new file mode 100644 index 00000000000..e0b04b03a87 --- /dev/null +++ b/queue-3.18/ipsec-check-return-value-of-skb_to_sgvec-always.patch 
@@ -0,0 +1,128 @@ +From 3f29770723fe498a5c5f57c3a31a996ebdde03e1 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:23 +0200 +Subject: ipsec: check return value of skb_to_sgvec always + +From: Jason A. Donenfeld + +commit 3f29770723fe498a5c5f57c3a31a996ebdde03e1 upstream. + +Signed-off-by: Jason A. Donenfeld +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Signed-off-by: David S. Miller +[nc: Adjust context due to lack of 000ae7b2690e2 and fca11ebde3f0] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ah4.c | 8 ++++++-- + net/ipv4/esp4.c | 12 ++++++++---- + net/ipv6/ah6.c | 8 ++++++-- + net/ipv6/esp6.c | 12 ++++++++---- + 4 files changed, 28 insertions(+), 12 deletions(-) + +--- a/net/ipv4/ah4.c ++++ b/net/ipv4/ah4.c +@@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state * + ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +@@ -391,7 +393,9 @@ static int ah_input(struct xfrm_state *x + skb_push(skb, ihl); + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -239,9 +239,11 @@ static int esp_output(struct xfrm_state + esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, +- esph->enc_data + crypto_aead_ivsize(aead) - skb->data, +- clen + alen); ++ err = skb_to_sgvec(skb, sg, ++ esph->enc_data + crypto_aead_ivsize(aead) - skb->data, ++ clen + alen); ++ if (unlikely(err < 0)) ++ goto 
error; + + if ((x->props.flags & XFRM_STATE_ESN)) { + sg_init_table(asg, 3); +@@ -426,7 +428,9 @@ static int esp_input(struct xfrm_state * + iv = esph->enc_data; + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen); ++ err = skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen); ++ if (unlikely(err < 0)) ++ goto out; + + if ((x->props.flags & XFRM_STATE_ESN)) { + sg_init_table(asg, 3); +--- a/net/ipv6/ah6.c ++++ b/net/ipv6/ah6.c +@@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state + ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +@@ -601,7 +603,9 @@ static int ah6_input(struct xfrm_state * + ip6h->hop_limit = 0; + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -231,9 +231,11 @@ static int esp6_output(struct xfrm_state + esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, +- esph->enc_data + crypto_aead_ivsize(aead) - skb->data, +- clen + alen); ++ err = skb_to_sgvec(skb, sg, ++ esph->enc_data + crypto_aead_ivsize(aead) - skb->data, ++ clen + alen); ++ if (unlikely(err < 0)) ++ goto error; + + if ((x->props.flags & XFRM_STATE_ESN)) { + sg_init_table(asg, 3); +@@ -381,7 +383,9 @@ static int esp6_input(struct xfrm_state + iv = esph->enc_data; + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen); ++ ret = skb_to_sgvec(skb, sg, 
sizeof(*esph) + crypto_aead_ivsize(aead), elen); ++ if (unlikely(ret < 0)) ++ goto out; + + if ((x->props.flags & XFRM_STATE_ESN)) { + sg_init_table(asg, 3); diff --git a/queue-3.18/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch b/queue-3.18/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch new file mode 100644 index 00000000000..5cb06e2bd19 --- /dev/null +++ b/queue-3.18/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch 
@@ -0,0 +1,45 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Mahesh Bandewar +Date: Fri, 12 May 2017 17:03:39 -0700 +Subject: ipv6: avoid dad-failures for addresses with NODAD + +From: Mahesh Bandewar + + +[ Upstream commit 66eb9f86e50547ec2a8ff7a75997066a74ef584b ] + +Every address gets added with TENTATIVE flag even for the addresses with +IFA_F_NODAD flag and dad-work is scheduled for them. During this DAD process +we realize it's an address with NODAD and complete the process without +sending any probe. However the TENTATIVE flags stays on the +address for sometime enough to cause misinterpretation when we receive a NS. +While processing NS, if the address has TENTATIVE flag, we mark it DADFAILED +and endup with an address that was originally configured as NODAD with +DADFAILED. + +We can't avoid scheduling dad_work for addresses with NODAD but we can +avoid adding TENTATIVE flag to avoid this racy situation. + +Signed-off-by: Mahesh Bandewar +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -863,7 +863,10 @@ ipv6_add_addr(struct inet6_dev *idev, co + INIT_HLIST_NODE(&ifa->addr_lst); + ifa->scope = scope; + ifa->prefix_len = pfxlen; +- ifa->flags = flags | IFA_F_TENTATIVE; ++ ifa->flags = flags; ++ /* No need to add the TENTATIVE flag for addresses with NODAD */ ++ if (!(flags & IFA_F_NODAD)) ++ ifa->flags |= IFA_F_TENTATIVE; + ifa->valid_lft = valid_lft; + ifa->prefered_lft = prefered_lft; + ifa->cstamp = ifa->tstamp = jiffies; diff --git a/queue-3.18/kvm-nvmx-fix-handling-of-lmsw-instruction.patch b/queue-3.18/kvm-nvmx-fix-handling-of-lmsw-instruction.patch new file mode 100644 index 00000000000..5b41674ef7e --- /dev/null +++ b/queue-3.18/kvm-nvmx-fix-handling-of-lmsw-instruction.patch 
@@ -0,0 +1,58 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Jan H. Schönherr" +Date: Sat, 20 May 2017 13:22:56 +0200 +Subject: KVM: nVMX: Fix handling of lmsw instruction + +From: "Jan H. Schönherr" + + +[ Upstream commit e1d39b17e044e8ae819827810d87d809ba5f58c0 ] + +The decision whether or not to exit from L2 to L1 on an lmsw instruction is +based on bogus values: instead of using the information encoded within the +exit qualification, it uses the data also used for the mov-to-cr +instruction, which boils down to using whatever is in %eax at that point. + +Use the correct values instead. + +Without this fix, an L1 may not get notified when a 32-bit Linux L2 +switches its secondary CPUs to protected mode; the L1 is only notified on +the next modification of CR0. This short time window poses a problem, when +there is some other reason to exit to L1 in between. Then, L2 will be +resumed in real mode and chaos ensues. + +Signed-off-by: Jan H. Schönherr +Reviewed-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6935,11 +6935,13 @@ static bool nested_vmx_exit_handled_cr(s + { + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); + int cr = exit_qualification & 15; +- int reg = (exit_qualification >> 8) & 15; +- unsigned long val = kvm_register_readl(vcpu, reg); ++ int reg; ++ unsigned long val; + + switch ((exit_qualification >> 4) & 3) { + case 0: /* mov to cr */ ++ reg = (exit_qualification >> 8) & 15; ++ val = kvm_register_readl(vcpu, reg); + switch (cr) { + case 0: + if (vmcs12->cr0_guest_host_mask & +@@ -6994,6 +6996,7 @@ static bool nested_vmx_exit_handled_cr(s + * lmsw can change bits 1..3 of cr0, and only set bit 0 of + * cr0. Other attempted changes are ignored, with no exit. 
+ */ ++ val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f; + if (vmcs12->cr0_guest_host_mask & 0xe & + (val ^ vmcs12->cr0_read_shadow)) + return 1; diff --git a/queue-3.18/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch b/queue-3.18/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch new file mode 100644 index 00000000000..aa567e532f4 --- /dev/null +++ b/queue-3.18/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch 
@@ -0,0 +1,138 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Paul Mackerras +Date: Thu, 11 May 2017 11:33:30 +1000 +Subject: KVM: PPC: Book3S PR: Check copy_to/from_user return values + +From: Paul Mackerras + + +[ Upstream commit 67325e988faea735d663799b6d152b5f4254093c ] + +The PR KVM implementation of the PAPR HPT hypercalls (H_ENTER etc.) +access an image of the HPT in userspace memory using copy_from_user +and copy_to_user. Recently, the declarations of those functions were +annotated to indicate that the return value must be checked. Since +this code doesn't currently check the return value, this causes +compile warnings like the ones shown below, and since on PPC the +default is to compile arch/powerpc with -Werror, this causes the +build to fail. + +To fix this, we check the return values, and if non-zero, fail the +hypercall being processed with a H_FUNCTION error return value. +There is really no good error return value to use since PAPR didn't +envisage the possibility that the hypervisor may not be able to access +the guest's HPT, and H_FUNCTION (function not supported) seems as +good as any. + +The typical compile warnings look like this: + + CC arch/powerpc/kvm/book3s_pr_papr.o +/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c: In function ‘kvmppc_h_pr_enter’: +/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:53:2: error: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result [-Werror=unused-result] + copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)); + ^ +/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:74:2: error: ignoring return value of ‘copy_to_user’, declared with attribute warn_unused_result [-Werror=unused-result] + copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE); + ^ + +... etc. 
+ +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_pr_papr.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/kvm/book3s_pr_papr.c ++++ b/arch/powerpc/kvm/book3s_pr_papr.c +@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_ + pteg_addr = get_pteg_addr(vcpu, pte_index); + + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg))) ++ goto done; + hpte = pteg; + + ret = H_PTEG_FULL; +@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_ + hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6)); + hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7)); + pteg_addr += i * HPTE_SIZE; +- copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE)) ++ goto done; + kvmppc_set_gpr(vcpu, 4, pte_index | i); + ret = H_SUCCESS; + +@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm + + pteg = get_pteg_addr(vcpu, pte_index); + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) ++ goto done; + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm + ((flags & H_ANDCOND) && (pte[0] & avpn) != 0)) + goto done; + +- copy_to_user((void __user *)pteg, &v, sizeof(v)); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) ++ goto done; + + rb = compute_tlbie_rb(pte[0], pte[1], pte_index); + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? 
true : false); +@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struc + } + + pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) { ++ ret = H_FUNCTION; ++ break; ++ } + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struc + tsh |= H_BULK_REMOVE_NOT_FOUND; + } else { + /* Splat the pteg in (userland) hpt */ +- copy_to_user((void __user *)pteg, &v, sizeof(v)); ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) { ++ ret = H_FUNCTION; ++ break; ++ } + + rb = compute_tlbie_rb(pte[0], pte[1], + tsh & H_BULK_REMOVE_PTEX); +@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kv + + pteg = get_pteg_addr(vcpu, pte_index); + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) ++ goto done; + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kv + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false); + pte[0] = (__force u64)cpu_to_be64(pte[0]); + pte[1] = (__force u64)cpu_to_be64(pte[1]); +- copy_to_user((void __user *)pteg, pte, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg, pte, sizeof(pte))) ++ goto done; + ret = H_SUCCESS; + + done: diff --git a/queue-3.18/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch b/queue-3.18/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch new file mode 100644 index 00000000000..2f6a8a3d5f7 --- /dev/null +++ b/queue-3.18/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch 
@@ -0,0 +1,89 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Roman Pen +Date: Thu, 1 Jun 2017 10:55:03 +0200 +Subject: KVM: SVM: do not zero out segment attributes if segment is unusable or not present + +From: Roman Pen + + +[ Upstream commit d9c1b5431d5f0e07575db785a022bce91051ac1d ] + +This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt +was taken on userspace stack. The root cause lies in the specific AMD CPU +behaviour which manifests itself as unusable segment attributes on SYSRET. +The corresponding work around for the kernel is the following: + +61f01dd941ba ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue") + +In other turn virtualization side treated unusable segment incorrectly and +restored CPL from SS attributes, which were zeroed out few lines above. + +In current patch it is assured only that P bit is cleared in VMCB.save state +and segment attributes are not zeroed out if segment is not presented or is +unusable, therefore CPL can be safely restored from DPL field. + +This is only one part of the fix, since QEMU side should be fixed accordingly +not to zero out attributes on its side. Corresponding patch will follow. 
+ +[1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com + +Signed-off-by: Roman Pen +Signed-off-by: Mikhail Sennikovskii +Cc: Paolo Bonzini +Cc: Radim KrÄmář +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1467,6 +1467,7 @@ static void svm_get_segment(struct kvm_v + */ + if (var->unusable) + var->db = 0; ++ /* This is symmetric with svm_set_segment() */ + var->dpl = to_svm(vcpu)->vmcb->save.cpl; + break; + } +@@ -1611,18 +1612,14 @@ static void svm_set_segment(struct kvm_v + s->base = var->base; + s->limit = var->limit; + s->selector = var->selector; +- if (var->unusable) +- s->attrib = 0; +- else { +- s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK); +- s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT; +- s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT; +- s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT; +- s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT; +- s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT; +- s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT; +- s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT; +- } ++ s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK); ++ s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT; ++ s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT; ++ s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT; ++ s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT; ++ s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT; ++ s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT; ++ s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT; + + /* + * This is always accurate, except if SYSRET returned to a segment +@@ -1631,7 +1628,8 @@ static void svm_set_segment(struct kvm_v + * would entail passing the CPL 
to userspace and back. + */ + if (seg == VCPU_SREG_SS) +- svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3; ++ /* This is symmetric with svm_get_segment() */ ++ svm->vmcb->save.cpl = (var->dpl & 3); + + mark_dirty(svm->vmcb, VMCB_SEG); + } diff --git a/queue-3.18/l2tp-fix-missing-print-session-offset-info.patch b/queue-3.18/l2tp-fix-missing-print-session-offset-info.patch new file mode 100644 index 00000000000..c4aaa4defbb --- /dev/null +++ b/queue-3.18/l2tp-fix-missing-print-session-offset-info.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Hangbin Liu +Date: Fri, 22 Dec 2017 15:10:17 +0100 +Subject: l2tp: fix missing print session offset info + +From: Hangbin Liu + + +[ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ] + +Report offset parameter in L2TP_CMD_SESSION_GET command if +it has been configured by userspace + +Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP") +Reported-by: Jianlin Shi +Signed-off-by: Hangbin Liu +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_netlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -633,6 +633,8 @@ static int l2tp_nl_session_send(struct s + + if ((session->ifname[0] && + nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) || ++ (session->offset && ++ nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) || + (session->cookie_len && + nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len, + &session->cookie[0])) || diff --git a/queue-3.18/leds-pca955x-correct-i2c-functionality.patch b/queue-3.18/leds-pca955x-correct-i2c-functionality.patch new file mode 100644 index 00000000000..195e8d5216b --- /dev/null +++ b/queue-3.18/leds-pca955x-correct-i2c-functionality.patch 
@@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Tin Huynh +Date: Mon, 22 May 2017 16:19:20 +0700 +Subject: leds: pca955x: Correct I2C Functionality + +From: Tin Huynh + + +[ Upstream commit aace34c0bb8ea3c8bdcec865b6a4be4db0a68e33 ] + +The driver checks an incorrect flag of functionality of adapter. +When a driver requires i2c_smbus_read_byte_data and +i2c_smbus_write_byte_data, it should check I2C_FUNC_SMBUS_BYTE_DATA +instead I2C_FUNC_I2C. +This patch fixes the problem. + +Signed-off-by: Tin Huynh +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-pca955x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/leds/leds-pca955x.c ++++ b/drivers/leds/leds-pca955x.c +@@ -281,7 +281,7 @@ static int pca955x_probe(struct i2c_clie + "slave address 0x%02x\n", + id->name, chip->bits, client->addr); + +- if (!i2c_check_functionality(adapter, I2C_FUNC_I2C)) ++ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA)) + return -EIO; + + if (pdata) { diff --git a/queue-3.18/libceph-null-deref-on-crush_decode-error-path.patch b/queue-3.18/libceph-null-deref-on-crush_decode-error-path.patch new file mode 100644 index 00000000000..b13f2d83c6b --- /dev/null +++ b/queue-3.18/libceph-null-deref-on-crush_decode-error-path.patch 
@@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Dan Carpenter +Date: Tue, 23 May 2017 17:25:10 +0300 +Subject: libceph: NULL deref on crush_decode() error path + +From: Dan Carpenter + + +[ Upstream commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 ] + +If there is not enough space then ceph_decode_32_safe() does a goto bad. +We need to return an error code in that situation. The current code +returns ERR_PTR(0) which is NULL. The callers are not expecting that +and it results in a NULL dereference. + +Fixes: f24e9980eb86 ("ceph: OSD client") +Signed-off-by: Dan Carpenter +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osdmap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -270,6 +270,7 @@ static struct crush_map *crush_decode(vo + u32 yes; + struct crush_rule *r; + ++ err = -EINVAL; + ceph_decode_32_safe(p, end, yes, bad); + if (!yes) { + dout("crush_decode NO rule %d off %x %p to %p\n", diff --git a/queue-3.18/lockd-fix-lockd-shutdown-race.patch b/queue-3.18/lockd-fix-lockd-shutdown-race.patch new file mode 100644 index 00000000000..9b77c76955f --- /dev/null +++ b/queue-3.18/lockd-fix-lockd-shutdown-race.patch 
@@ -0,0 +1,59 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "J. Bruce Fields" +Date: Tue, 28 Mar 2017 21:25:08 -0400 +Subject: lockd: fix lockd shutdown race + +From: "J. Bruce Fields" + + +[ Upstream commit efda760fe95ea15291853c8fa9235c32d319cd98 ] + +As reported by David Jeffery: "a signal was sent to lockd while lockd +was shutting down from a request to stop nfs. The signal causes lockd +to call restart_grace() which puts the lockd_net structure on the grace +list. If this signal is received at the wrong time, it will occur after +lockd_down_net() has called locks_end_grace() but before +lockd_down_net() stops the lockd thread. This leads to lockd putting +the lockd_net structure back on the grace list, then exiting without +anything removing it from the list." + +So, perform the final locks_end_grace() from the the lockd thread; this +ensures it's serialized with respect to restart_grace(). + +Reported-by: David Jeffery +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/lockd/svc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -129,6 +129,8 @@ lockd(void *vrqstp) + { + int err = 0; + struct svc_rqst *rqstp = vrqstp; ++ struct net *net = &init_net; ++ struct lockd_net *ln = net_generic(net, lockd_net_id); + + /* try_to_freeze() is called from svc_recv() */ + set_freezable(); +@@ -173,6 +175,8 @@ lockd(void *vrqstp) + if (nlmsvc_ops) + nlmsvc_invalidate_all(); + nlm_shutdown_hosts(); ++ cancel_delayed_work_sync(&ln->grace_period_end); ++ locks_end_grace(&ln->lockd_manager); + return 0; + } + +@@ -267,8 +271,6 @@ static void lockd_down_net(struct svc_se + if (ln->nlmsvc_users) { + if (--ln->nlmsvc_users == 0) { + nlm_shutdown_hosts_net(net); +- cancel_delayed_work_sync(&ln->grace_period_end); +- locks_end_grace(&ln->lockd_manager); + svc_shutdown_net(serv, net); + dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net); + } 
diff --git a/queue-3.18/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch b/queue-3.18/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch new file mode 100644 index 00000000000..3e95bef02e2 --- /dev/null +++ b/queue-3.18/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Luca Coelho +Date: Tue, 2 May 2017 17:56:21 +0300 +Subject: mac80211: bail out from prep_connection() if a reconfig is ongoing + +From: Luca Coelho + + +[ Upstream commit f8860ce836f2d502b07ef99559707fe55d90f5bc ] + +If ieee80211_hw_restart() is called during authentication, the +authentication process will continue, causing the driver to be called +in a wrong state. This ultimately causes an oops in the iwlwifi +driver (at least). + +This fixes bugzilla 195299 partly. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195299 +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3995,6 +3995,10 @@ static int ieee80211_prep_connection(str + if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) + return -EINVAL; + ++ /* If a reconfig is happening, bail out */ ++ if (local->in_reconfig) ++ return -EBUSY; ++ + if (assoc) { + rcu_read_lock(); + have_sta = sta_info_get(sdata, cbss->bssid); diff --git a/queue-3.18/mceusb-sporadic-rx-truncation-corruption-fix.patch b/queue-3.18/mceusb-sporadic-rx-truncation-corruption-fix.patch new file mode 100644 index 00000000000..e397110f76d --- /dev/null +++ b/queue-3.18/mceusb-sporadic-rx-truncation-corruption-fix.patch 
@@ -0,0 +1,50 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: A Sun +Date: Sun, 26 Mar 2017 15:33:07 -0300 +Subject: [media] mceusb: sporadic RX truncation corruption fix + +From: A Sun + + +[ Upstream commit 8e175b22e8640bf3a58e071af54190b909e4a944 ] + +Intermittent RX truncation and loss of IR received data. This resulted +in receive stream synchronization errors where driver attempted to +incorrectly parse IR data (eg 0x90 below) as command response. + +[ 3969.139898] mceusb 1-1.2:1.0: processed IR data +[ 3969.151315] mceusb 1-1.2:1.0: rx data: 00 90 (length=2) +[ 3969.151321] mceusb 1-1.2:1.0: Unknown command 0x00 0x90 +[ 3969.151336] mceusb 1-1.2:1.0: rx data: 98 0a 8d 0a 8e 0a 8e 0a 8e 0a 8e 0a 9a 0a 8e 0a 0b 3a 8e 00 80 41 59 00 00 (length=25) +[ 3969.151341] mceusb 1-1.2:1.0: Raw IR data, 24 pulse/space samples +[ 3969.151348] mceusb 1-1.2:1.0: Storing space with duration 500000 + +Bug trigger appears to be normal, but heavy, IR receiver use. + +Signed-off-by: A Sun +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/mceusb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1370,8 +1370,13 @@ static int mceusb_dev_probe(struct usb_i + goto rc_dev_fail; + + /* wire up inbound data handler */ +- usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, +- mceusb_dev_recv, ir, ep_in->bInterval); ++ if (usb_endpoint_xfer_int(ep_in)) ++ usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, ++ mceusb_dev_recv, ir, ep_in->bInterval); ++ else ++ usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, ++ mceusb_dev_recv, ir); ++ + ir->urb_in->transfer_dma = ir->dma_in; + ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + 
diff --git a/queue-3.18/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch b/queue-3.18/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch new file mode 100644 index 00000000000..e3f66a2698b --- /dev/null +++ b/queue-3.18/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Marcin Nowakowski +Date: Thu, 8 Jun 2017 15:20:32 +0200 +Subject: MIPS: kprobes: flush_insn_slot should flush only if probe initialised + +From: Marcin Nowakowski + + +[ Upstream commit 698b851073ddf5a894910d63ca04605e0473414e ] + +When ftrace is used with kprobes, it is possible for a kprobe to contain +an invalid location (ie. only initialised to 0 and not to a specific +location in the code). Trying to perform a cache flush on such location +leads to a crash r4k_flush_icache_range(). + +Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.") +Signed-off-by: Marcin Nowakowski +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16296/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/kprobes.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/mips/include/asm/kprobes.h ++++ b/arch/mips/include/asm/kprobes.h +@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_op + + #define flush_insn_slot(p) \ + do { \ +- flush_icache_range((unsigned long)p->addr, \ ++ if (p->addr) \ ++ flush_icache_range((unsigned long)p->addr, \ + (unsigned long)p->addr + \ + (MAX_INSN_SIZE * sizeof(kprobe_opcode_t))); \ + } while (0) diff --git a/queue-3.18/mips-mm-fixed-mappings-correct-initialisation.patch b/queue-3.18/mips-mm-fixed-mappings-correct-initialisation.patch new file mode 100644 index 00000000000..124c223519e --- /dev/null +++ b/queue-3.18/mips-mm-fixed-mappings-correct-initialisation.patch 
@@ -0,0 +1,50 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Marcin Nowakowski +Date: Tue, 11 Apr 2017 09:00:34 +0200 +Subject: MIPS: mm: fixed mappings: correct initialisation + +From: Marcin Nowakowski + + +[ Upstream commit 71eb989ab5a110df8bcbb9609bacde73feacbedd ] + +fixrange_init operates at PMD-granularity and expects the addresses to +be PMD-size aligned, but currently that might not be the case for +PKMAP_BASE unless it is defined properly, so ensure a correct alignment +is used before passing the address to fixrange_init. + +fixed mappings: only align the start address that is passed to +fixrange_init rather than the value before adding the size, as we may +end up with uninitialised upper part of the range. + +Signed-off-by: Marcin Nowakowski +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15948/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/pgtable-32.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/mips/mm/pgtable-32.c ++++ b/arch/mips/mm/pgtable-32.c +@@ -51,15 +51,15 @@ void __init pagetable_init(void) + /* + * Fixed mappings: + */ +- vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK; +- fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base); ++ vaddr = __fix_to_virt(__end_of_fixed_addresses - 1); ++ fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base); + + #ifdef CONFIG_HIGHMEM + /* + * Permanent kmaps: + */ + vaddr = PKMAP_BASE; +- fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base); ++ fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base); + + pgd = swapper_pg_dir + __pgd_offset(vaddr); + pud = pud_offset(pgd, vaddr); diff --git a/queue-3.18/misdn-fix-a-sleep-in-atomic-bug.patch b/queue-3.18/misdn-fix-a-sleep-in-atomic-bug.patch new file mode 100644 index 00000000000..716b10f6999 --- /dev/null +++ b/queue-3.18/misdn-fix-a-sleep-in-atomic-bug.patch 
@@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jia-Ju Bai +Date: Wed, 31 May 2017 15:08:25 +0800 +Subject: mISDN: Fix a sleep-in-atomic bug + +From: Jia-Ju Bai + + +[ Upstream commit 93818da5eed63fbc17b64080406ea53b86b23309 ] + +The driver may sleep under a read spin lock, and the function call path is: +send_socklist (acquire the lock by read_lock) + skb_copy(GFP_KERNEL) --> may sleep + +To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC". + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/mISDN/stack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/isdn/mISDN/stack.c ++++ b/drivers/isdn/mISDN/stack.c +@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl + if (sk->sk_state != MISDN_BOUND) + continue; + if (!cskb) +- cskb = skb_copy(skb, GFP_KERNEL); ++ cskb = skb_copy(skb, GFP_ATOMIC); + if (!cskb) { + printk(KERN_WARNING "%s no skb\n", __func__); + break; diff --git a/queue-3.18/neighbour-update-neigh-timestamps-iff-update-is-effective.patch b/queue-3.18/neighbour-update-neigh-timestamps-iff-update-is-effective.patch new file mode 100644 index 00000000000..a78499f5000 --- /dev/null +++ b/queue-3.18/neighbour-update-neigh-timestamps-iff-update-is-effective.patch 
@@ -0,0 +1,95 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Ihar Hrachyshka +Date: Tue, 16 May 2017 08:44:24 -0700 +Subject: neighbour: update neigh timestamps iff update is effective + +From: Ihar Hrachyshka + + +[ Upstream commit 77d7123342dcf6442341b67816321d71da8b2b16 ] + +It's a common practice to send gratuitous ARPs after moving an +IP address to another device to speed up healing of a service. To +fulfill service availability constraints, the timing of network peers +updating their caches to point to a new location of an IP address can be +particularly important. + +Sometimes neigh_update calls won't touch neither lladdr nor state, for +example if an update arrives in locktime interval. The neigh->updated +value is tested by the protocol specific neigh code, which in turn +will influence whether NEIGH_UPDATE_F_OVERRIDE gets set in the +call to neigh_update() or not. As a result, we may effectively ignore +the update request, bailing out of touching the neigh entry, except that +we still bump its timestamps inside neigh_update. + +This may be a problem for updates arriving in quick succession. For +example, consider the following scenario: + +A service is moved to another device with its IP address. The new device +sends three gratuitous ARP requests into the network with ~1 seconds +interval between them. Just before the first request arrives to one of +network peer nodes, its neigh entry for the IP address transitions from +STALE to DELAY. This transition, among other things, updates +neigh->updated. Once the kernel receives the first gratuitous ARP, it +ignores it because its arrival time is inside the locktime interval. The +kernel still bumps neigh->updated. Then the second gratuitous ARP +request arrives, and it's also ignored because it's still in the (new) +locktime interval. Same happens for the third request. 
The node +eventually heals itself (after delay_first_probe_time seconds since the +initial transition to DELAY state), but it just wasted some time and +require a new ARP request/reply round trip. This unfortunate behaviour +both puts more load on the network, as well as reduces service +availability. + +This patch changes neigh_update so that it bumps neigh->updated (as well +as neigh->confirmed) only once we are sure that either lladdr or entry +state will change). In the scenario described above, it means that the +second gratuitous ARP request will actually update the entry lladdr. + +Ideally, we would update the neigh entry on the very first gratuitous +ARP request. The locktime mechanism is designed to ignore ARP updates in +a short timeframe after a previous ARP update was honoured by the kernel +layer. This would require tracking timestamps for state transitions +separately from timestamps when actual updates are received. This would +probably involve changes in neighbour struct. Therefore, the patch +doesn't tackle the issue of the first gratuitous APR ignored, leaving +it for a follow-up. + +Signed-off-by: Ihar Hrachyshka +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1147,10 +1147,6 @@ int neigh_update(struct neighbour *neigh + lladdr = neigh->ha; + } + +- if (new & NUD_CONNECTED) +- neigh->confirmed = jiffies; +- neigh->updated = jiffies; +- + /* If entry was valid and address is not changed, + do not change entry state, if new one is STALE. + */ +@@ -1174,6 +1170,16 @@ int neigh_update(struct neighbour *neigh + } + } + ++ /* Update timestamps only once we know we will make a change to the ++ * neighbour entry. Otherwise we risk to move the locktime window with ++ * noop updates and ignore relevant ARP updates. 
++ */ ++ if (new != old || lladdr != neigh->ha) { ++ if (new & NUD_CONNECTED) ++ neigh->confirmed = jiffies; ++ neigh->updated = jiffies; ++ } ++ + if (new != old) { + neigh_del_timer(neigh); + if (new & NUD_IN_TIMER) diff --git a/queue-3.18/net-emac-fix-reset-timeout-with-ar8035-phy.patch b/queue-3.18/net-emac-fix-reset-timeout-with-ar8035-phy.patch new file mode 100644 index 00000000000..db2cd11bae1 --- /dev/null +++ b/queue-3.18/net-emac-fix-reset-timeout-with-ar8035-phy.patch 
@@ -0,0 +1,119 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Christian Lamparter +Date: Wed, 7 Jun 2017 15:51:15 +0200 +Subject: net: emac: fix reset timeout with AR8035 phy + +From: Christian Lamparter + + +[ Upstream commit 19d90ece81da802207a9b91ce95a29fbdc40626e ] + +This patch fixes a problem where the AR8035 PHY can't be +detected on an Cisco Meraki MR24, if the ethernet cable is +not connected on boot. + +Russell Senior provided steps to reproduce the issue: +|Disconnect ethernet cable, apply power, wait until device has booted, +|plug in ethernet, check for interfaces, no eth0 is listed. +| +|This appears to be a problem during probing of the AR8035 Phy chip. +|When ethernet has no link, the phy detection fails, and eth0 is not +|created. Plugging ethernet later has no effect, because there is no +|interface as far as the kernel is concerned. The relevant part of +|the boot log looks like this: +|this is the failing case: +| +|[ 0.876611] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode +|[ 0.882532] /plb/opb/ethernet@ef600c00: reset timeout +|[ 0.888546] /plb/opb/ethernet@ef600c00: can't find PHY! +|and the succeeding case: +| +|[ 0.876672] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode +|[ 0.883952] eth0: EMAC-0 /plb/opb/ethernet@ef600c00, MAC 00:01:.. +|[ 0.890822] eth0: found Atheros 8035 Gigabit Ethernet PHY (0x01) + +Based on the comment and the commit message of +commit 23fbb5a87c56 ("emac: Fix EMAC soft reset on 460EX/GT"). +This is because the AR8035 PHY doesn't provide the TX Clock, +if the ethernet cable is not attached. This causes the reset +to timeout and the PHY detection code in emac_init_phy() is +unable to detect the AR8035 PHY. As a result, the emac driver +bails out early and the user left with no ethernet. + +In order to stay compatible with existing configurations, the driver +tries the current reset approach at first. 
Only if the first attempt +timed out, it does perform one more retry with the clock temporarily +switched to the internal source for just the duration of the reset. + +LEDE-Bug: #687 + +Cc: Chris Blake +Reported-by: Russell Senior +Fixes: 23fbb5a87c56e98 ("emac: Fix EMAC soft reset on 460EX/GT") +Signed-off-by: Christian Lamparter +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/emac/core.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/ibm/emac/core.c ++++ b/drivers/net/ethernet/ibm/emac/core.c +@@ -349,6 +349,7 @@ static int emac_reset(struct emac_instan + { + struct emac_regs __iomem *p = dev->emacp; + int n = 20; ++ bool __maybe_unused try_internal_clock = false; + + DBG(dev, "reset" NL); + +@@ -361,6 +362,7 @@ static int emac_reset(struct emac_instan + } + + #ifdef CONFIG_PPC_DCR_NATIVE ++do_retry: + /* + * PPC460EX/GT Embedded Processor Advanced User's Manual + * section 28.10.1 Mode Register 0 (EMACx_MR0) states: +@@ -368,10 +370,19 @@ static int emac_reset(struct emac_instan + * of the EMAC. If none is present, select the internal clock + * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1). + * After a soft reset, select the external clock. ++ * ++ * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the ++ * ethernet cable is not attached. This causes the reset to timeout ++ * and the PHY detection code in emac_init_phy() is unable to ++ * communicate and detect the AR8035-A PHY. As a result, the emac ++ * driver bails out early and the user has no ethernet. ++ * In order to stay compatible with existing configurations, the ++ * driver will temporarily switch to the internal clock, after ++ * the first reset fails. 
+ */ + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) { +- if (dev->phy_address == 0xffffffff && +- dev->phy_map == 0xffffffff) { ++ if (try_internal_clock || (dev->phy_address == 0xffffffff && ++ dev->phy_map == 0xffffffff)) { + /* No PHY: select internal loop clock before reset */ + dcri_clrset(SDR0, SDR0_ETH_CFG, + 0, SDR0_ETH_CFG_ECS << dev->cell_index); +@@ -389,8 +400,15 @@ static int emac_reset(struct emac_instan + + #ifdef CONFIG_PPC_DCR_NATIVE + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) { +- if (dev->phy_address == 0xffffffff && +- dev->phy_map == 0xffffffff) { ++ if (!n && !try_internal_clock) { ++ /* first attempt has timed out. */ ++ n = 20; ++ try_internal_clock = true; ++ goto do_retry; ++ } ++ ++ if (try_internal_clock || (dev->phy_address == 0xffffffff && ++ dev->phy_map == 0xffffffff)) { + /* No PHY: restore external clock source after reset */ + dcri_clrset(SDR0, SDR0_ETH_CFG, + SDR0_ETH_CFG_ECS << dev->cell_index, 0); diff --git a/queue-3.18/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch b/queue-3.18/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch new file mode 100644 index 00000000000..548d82a30e8 --- /dev/null +++ b/queue-3.18/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch 
@@ -0,0 +1,68 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Grygorii Strashko +Date: Mon, 8 May 2017 14:21:21 -0500 +Subject: net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control + +From: Grygorii Strashko + + +[ Upstream commit 48f5bccc60675f8426a6159935e8636a1fd89f56 ] + +When users set flow control using ethtool the bits are set properly in the +CPGMAC_SL MACCONTROL register, but the FIFO depth in the respective Port n +Maximum FIFO Blocks (Pn_MAX_BLKS) registers remains set to the minimum size +reset value. When receive flow control is enabled on a port, the port's +associated FIFO block allocation must be adjusted. The port RX allocation +must increase to accommodate the flow control runout. The TRM recommends +numbers of 5 or 6. + +Hence, apply required Port FIFO configuration to +Pn_MAX_BLKS.Pn_TX_MAX_BLKS=0xF and Pn_MAX_BLKS.Pn_RX_MAX_BLKS=0x5 during +interface initialization. + +Cc: Schuyler Patton +Signed-off-by: Grygorii Strashko +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -293,6 +293,10 @@ struct cpsw_ss_regs { + /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */ + #define CPSW_V1_SEQ_ID_OFS_SHIFT 16 + ++#define CPSW_MAX_BLKS_TX 15 ++#define CPSW_MAX_BLKS_TX_SHIFT 4 ++#define CPSW_MAX_BLKS_RX 5 ++ + struct cpsw_host_regs { + u32 max_blks; + u32 blk_cnt; +@@ -1120,11 +1124,23 @@ static void cpsw_slave_open(struct cpsw_ + switch (priv->version) { + case CPSW_VERSION_1: + slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP); ++ /* Increase RX FIFO size to 5 for supporting fullduplex ++ * flow control mode ++ */ ++ slave_write(slave, ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) | ++ CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS); + break; + case CPSW_VERSION_2: + case CPSW_VERSION_3: + case CPSW_VERSION_4: + slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP); ++ /* Increase RX FIFO size to 5 for supporting fullduplex ++ * flow control mode ++ */ ++ slave_write(slave, ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) | ++ CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS); + break; + } + diff --git a/queue-3.18/net-freescale-fix-potential-null-pointer-dereference.patch b/queue-3.18/net-freescale-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..90069cb7c00 --- /dev/null +++ b/queue-3.18/net-freescale-fix-potential-null-pointer-dereference.patch 
@@ -0,0 +1,47 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 30 May 2017 17:38:43 -0500 +Subject: net: freescale: fix potential null pointer dereference + +From: "Gustavo A. R. Silva" + + +[ Upstream commit 06d2d6431bc8d41ef5ffd8bd4b52cea9f72aed22 ] + +Add NULL check before dereferencing pointer _id_ in order to avoid +a potential NULL pointer dereference. + +Addresses-Coverity-ID: 1397995 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fsl_pq_mdio.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c ++++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c +@@ -370,7 +370,7 @@ static int fsl_pq_mdio_probe(struct plat + { + const struct of_device_id *id = + of_match_device(fsl_pq_mdio_match, &pdev->dev); +- const struct fsl_pq_mdio_data *data = id->data; ++ const struct fsl_pq_mdio_data *data; + struct device_node *np = pdev->dev.of_node; + struct resource res; + struct device_node *tbi; +@@ -378,6 +378,13 @@ static int fsl_pq_mdio_probe(struct plat + struct mii_bus *new_bus; + int err; + ++ if (!id) { ++ dev_err(&pdev->dev, "Failed to match device\n"); ++ return -ENODEV; ++ } ++ ++ data = id->data; ++ + dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible); + + new_bus = mdiobus_alloc_size(sizeof(*priv)); diff --git a/queue-3.18/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch b/queue-3.18/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch new file mode 100644 index 00000000000..fe29cef800e --- /dev/null +++ b/queue-3.18/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch 
@@ -0,0 +1,51 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: linzhang +Date: Thu, 25 May 2017 14:07:18 +0800 +Subject: net: llc: add lock_sock in llc_ui_bind to avoid a race condition + +From: linzhang + + +[ Upstream commit 0908cf4dfef35fc6ac12329007052ebe93ff1081 ] + +There is a race condition in llc_ui_bind if two or more processes/threads +try to bind a same socket. + +If more processes/threads bind a same socket success that will lead to +two problems, one is this action is not what we expected, another is +will lead to kernel in unstable status or oops(in my simple test case, +cause llc2.ko can't unload). + +The current code is test SOCK_ZAPPED bit to avoid a process to +bind a same socket twice but that is can't avoid more processes/threads +try to bind a same socket at the same time. + +So, add lock_sock in llc_ui_bind like others, such as llc_ui_connect. + +Signed-off-by: Lin Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -309,6 +309,8 @@ static int llc_ui_bind(struct socket *so + int rc = -EINVAL; + + dprintk("%s: binding %02X\n", __func__, addr->sllc_sap); ++ ++ lock_sock(sk); + if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr))) + goto out; + rc = -EAFNOSUPPORT; +@@ -380,6 +382,7 @@ static int llc_ui_bind(struct socket *so + out_put: + llc_sap_put(sap); + out: ++ release_sock(sk); + return rc; + } + diff --git a/queue-3.18/net-mlx4-fix-the-check-in-attaching-steering-rules.patch b/queue-3.18/net-mlx4-fix-the-check-in-attaching-steering-rules.patch new file mode 100644 index 00000000000..b39e4984437 --- /dev/null +++ b/queue-3.18/net-mlx4-fix-the-check-in-attaching-steering-rules.patch 
@@ -0,0 +1,123 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Talat Batheesh +Date: Sun, 4 Jun 2017 14:30:07 +0300 +Subject: net/mlx4: Fix the check in attaching steering rules + +From: Talat Batheesh + + +[ Upstream commit 6dc06c08bef1c746ff8da33dab677cfbacdcad32 ] + +Our previous patch (cited below) introduced a regression +for RAW Eth QPs. + +Fix it by checking if the QP number provided by user-space +exists, hence allowing steering rules to be added for valid +QPs only. + +Fixes: 89c557687a32 ("net/mlx4_en: Avoid adding steering rules with invalid ring") +Reported-by: Or Gerlitz +Signed-off-by: Talat Batheesh +Signed-off-by: Tariq Toukan +Acked-by: Or Gerlitz +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 ----- + drivers/net/ethernet/mellanox/mlx4/mcg.c | 15 +++++++++++---- + drivers/net/ethernet/mellanox/mlx4/qp.c | 13 +++++++++++++ + include/linux/mlx4/qp.h | 1 + + 4 files changed, 25 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -946,11 +946,6 @@ static int mlx4_en_flow_replace(struct n + qpn = priv->drop_qp.qpn; + else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) { + qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1); +- if (qpn < priv->rss_map.base_qpn || +- qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) { +- en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn); +- return -EINVAL; +- } + } else { + if (cmd->fs.ring_cookie >= priv->rx_ring_num) { + en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n", +--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c +@@ -35,6 +35,7 @@ + #include + + #include ++#include + #include + + #include "mlx4.h" +@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *de + if (IS_ERR(mailbox)) + return PTR_ERR(mailbox); + ++ if 
(!mlx4_qp_lookup(dev, rule->qpn)) { ++ mlx4_err_rule(dev, "QP doesn't exist\n", rule); ++ ret = -EINVAL; ++ goto out; ++ } ++ + trans_rule_ctrl_to_hw(rule, mailbox->buf); + + size += sizeof(struct mlx4_net_trans_rule_hw_ctrl); + + list_for_each_entry(cur, &rule->list, list) { + ret = parse_trans_rule(dev, cur, mailbox->buf + size); +- if (ret < 0) { +- mlx4_free_cmd_mailbox(dev, mailbox); +- return ret; +- } ++ if (ret < 0) ++ goto out; ++ + size += ret; + } + +@@ -1006,6 +1012,7 @@ int mlx4_flow_attach(struct mlx4_dev *de + else if (ret) + mlx4_err_rule(dev, "Fail to register network rule\n", rule); + ++out: + mlx4_free_cmd_mailbox(dev, mailbox); + + return ret; +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -358,6 +358,19 @@ static void mlx4_qp_free_icm(struct mlx4 + __mlx4_qp_free_icm(dev, qpn); + } + ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn) ++{ ++ struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table; ++ struct mlx4_qp *qp; ++ ++ spin_lock(&qp_table->lock); ++ ++ qp = __mlx4_qp_lookup(dev, qpn); ++ ++ spin_unlock(&qp_table->lock); ++ return qp; ++} ++ + int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp) + { + struct mlx4_priv *priv = mlx4_priv(dev); +--- a/include/linux/mlx4/qp.h ++++ b/include/linux/mlx4/qp.h +@@ -437,6 +437,7 @@ struct mlx4_update_qp_params { + u32 flags; + }; + ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn); + int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn, + enum mlx4_update_qp_attr attr, + struct mlx4_update_qp_params *params); diff --git a/queue-3.18/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch b/queue-3.18/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch new file mode 100644 index 00000000000..cec6837cfba --- /dev/null +++ b/queue-3.18/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch 
@@ -0,0 +1,37 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Talat Batheesh +Date: Tue, 9 May 2017 14:45:23 +0300 +Subject: net/mlx4_en: Avoid adding steering rules with invalid ring + +From: Talat Batheesh + + +[ Upstream commit 89c557687a32c294e9d25670a96e9287c09f2d5f ] + +Inserting steering rules with illegal ring is an invalid operation, +block it. + +Fixes: 820672812f82 ('net/mlx4_en: Manage flow steering rules with ethtool') +Signed-off-by: Talat Batheesh +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -946,6 +946,11 @@ static int mlx4_en_flow_replace(struct n + qpn = priv->drop_qp.qpn; + else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) { + qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1); ++ if (qpn < priv->rss_map.base_qpn || ++ qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) { ++ en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn); ++ return -EINVAL; ++ } + } else { + if (cmd->fs.ring_cookie >= priv->rx_ring_num) { + en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n", diff --git a/queue-3.18/net-move-somaxconn-init-from-sysctl-code.patch b/queue-3.18/net-move-somaxconn-init-from-sysctl-code.patch new file mode 100644 index 00000000000..1605d74054f --- /dev/null +++ b/queue-3.18/net-move-somaxconn-init-from-sysctl-code.patch 
@@ -0,0 +1,69 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Roman Kapl +Date: Wed, 24 May 2017 10:22:22 +0200 +Subject: net: move somaxconn init from sysctl code + +From: Roman Kapl + + +[ Upstream commit 7c3f1875c66fbc19762760097cabc91849ea0bbb ] + +The default value for somaxconn is set in sysctl_core_net_init(), but this +function is not called when kernel is configured without CONFIG_SYSCTL. + +This results in the kernel not being able to accept TCP connections, +because the backlog has zero size. Usually, the user ends up with: +"TCP: request_sock_TCP: Possible SYN flooding on port 7. Dropping request. Check SNMP counters." +If SYN cookies are not enabled the connection is rejected. + +Before ef547f2ac16 (tcp: remove max_qlen_log), the effects were less +severe, because the backlog was always at least eight slots long. + +Signed-off-by: Roman Kapl +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net_namespace.c | 19 +++++++++++++++++++ + net/core/sysctl_net_core.c | 2 -- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -188,6 +188,25 @@ out_undo: + goto out; + } + ++static int __net_init net_defaults_init_net(struct net *net) ++{ ++ net->core.sysctl_somaxconn = SOMAXCONN; ++ return 0; ++} ++ ++static struct pernet_operations net_defaults_ops = { ++ .init = net_defaults_init_net, ++}; ++ ++static __init int net_defaults_init(void) ++{ ++ if (register_pernet_subsys(&net_defaults_ops)) ++ panic("Cannot initialize net default settings"); ++ ++ return 0; ++} ++ ++core_initcall(net_defaults_init); + + #ifdef CONFIG_NET_NS + static struct kmem_cache *net_cachep; +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -395,8 +395,6 @@ static __net_init int sysctl_core_net_in + { + struct ctl_table *tbl; + +- net->core.sysctl_somaxconn = SOMAXCONN; +- + tbl = netns_core_table; + if (!net_eq(net, &init_net)) { + 
tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL); diff --git a/queue-3.18/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch b/queue-3.18/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch new file mode 100644 index 00000000000..cacc8ae3983 --- /dev/null +++ b/queue-3.18/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Russell King +Date: Mon, 5 Jun 2017 12:22:55 +0100 +Subject: net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support + +From: Russell King + + +[ Upstream commit 41408ad519f7a2a1c5229e61f2a97f4df1b61adc ] + +Avoid calling genphy_aneg_done() for PHYs that do not implement the +Clause 22 register set. + +Clause 45 PHYs may implement the Clause 22 register set along with the +Clause 22 extension MMD. Hence, we can't simply block access to the +Clause 22 functions based on the PHY being a Clause 45 PHY. + +Signed-off-by: Russell King +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -123,6 +123,12 @@ static inline int phy_aneg_done(struct p + if (phydev->drv->aneg_done) + return phydev->drv->aneg_done(phydev); + ++ /* Avoid genphy_aneg_done() if the Clause 45 PHY does not ++ * implement Clause 22 registers ++ */ ++ if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0))) ++ return -EINVAL; ++ + return genphy_aneg_done(phydev); + } + diff --git a/queue-3.18/net-qca_spi-fix-alignment-issues-in-rx-path.patch b/queue-3.18/net-qca_spi-fix-alignment-issues-in-rx-path.patch new file mode 100644 index 00000000000..2e9e5a84737 --- /dev/null +++ b/queue-3.18/net-qca_spi-fix-alignment-issues-in-rx-path.patch 
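Review bot: in phy_aneg_done() in drivers/net/phy/phy.c, the test devices_in_package & BIT(0) uses a bare bit number, so the reader has to take the comment's word that bit 0 means "Clause 22 registers present". A named constant for that bit would make the check self-documenting. The -EINVAL return is also a new result for callers of phy_aneg_done(); the commit message should say how the PHY state machine treats a negative value here.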
@@ -0,0 +1,55 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Stefan Wahren +Date: Tue, 9 May 2017 15:40:38 +0200 +Subject: net: qca_spi: Fix alignment issues in rx path + +From: Stefan Wahren + + +[ Upstream commit 8d66c30b12ed3cb533696dea8b9a9eadd5da426a ] + +The qca_spi driver causes alignment issues on ARM devices. +So fix this by using netdev_alloc_skb_ip_align(). + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -297,8 +297,9 @@ qcaspi_receive(struct qcaspi *qca) + + /* Allocate rx SKB if we don't have one available. */ + if (!qca->rx_skb) { +- qca->rx_skb = netdev_alloc_skb(net_dev, +- net_dev->mtu + VLAN_ETH_HLEN); ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, ++ net_dev->mtu + ++ VLAN_ETH_HLEN); + if (!qca->rx_skb) { + netdev_dbg(net_dev, "out of RX resources\n"); + qca->stats.out_of_mem++; +@@ -378,7 +379,7 @@ qcaspi_receive(struct qcaspi *qca) + qca->rx_skb, qca->rx_skb->dev); + qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY; + netif_rx_ni(qca->rx_skb); +- qca->rx_skb = netdev_alloc_skb(net_dev, ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, + net_dev->mtu + VLAN_ETH_HLEN); + if (!qca->rx_skb) { + netdev_dbg(net_dev, "out of RX resources\n"); +@@ -760,7 +761,8 @@ qcaspi_netdev_init(struct net_device *de + if (!qca->rx_buffer) + return -ENOBUFS; + +- qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN); ++ qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu + ++ VLAN_ETH_HLEN); + if (!qca->rx_skb) { + kfree(qca->rx_buffer); + netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n"); 
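Review bot: in the second qcaspi_receive() hunk of the qca_spi patch, only the function name changes and the continuation line net_dev->mtu + VLAN_ETH_HLEN keeps its old indentation, unlike the other two call sites, which were re-wrapped. The same allocation expression now appears three times; a small helper that returns the aligned rx skb would keep the sites from drifting apart again. The commit message says "alignment issues on ARM devices" without naming the symptom, which would help someone deciding whether a 3.18 device needs this backport.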
diff --git a/queue-3.18/net-x25-fix-one-potential-use-after-free-issue.patch b/queue-3.18/net-x25-fix-one-potential-use-after-free-issue.patch new file mode 100644 index 00000000000..8dc67cb49b3 --- /dev/null +++ b/queue-3.18/net-x25-fix-one-potential-use-after-free-issue.patch 
@@ -0,0 +1,109 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: linzhang +Date: Wed, 17 May 2017 12:05:07 +0800 +Subject: net: x25: fix one potential use-after-free issue + +From: linzhang + + +[ Upstream commit 64df6d525fcff1630098db9238bfd2b3e092d5c1 ] + +The function x25_init is not properly unregister related resources +on error handler.It is will result in kernel oops if x25_init init +failed, so add properly unregister call on error handler. + +Also, i adjust the coding style and make x25_register_sysctl properly +return failure. + +Signed-off-by: linzhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/x25.h | 4 ++-- + net/x25/af_x25.c | 24 ++++++++++++++++-------- + net/x25/sysctl_net_x25.c | 5 ++++- + 3 files changed, 22 insertions(+), 11 deletions(-) + +--- a/include/net/x25.h ++++ b/include/net/x25.h +@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *); + + /* sysctl_net_x25.c */ + #ifdef CONFIG_SYSCTL +-void x25_register_sysctl(void); ++int x25_register_sysctl(void); + void x25_unregister_sysctl(void); + #else +-static inline void x25_register_sysctl(void) {}; ++static inline int x25_register_sysctl(void) { return 0; }; + static inline void x25_unregister_sysctl(void) {}; + #endif /* CONFIG_SYSCTL */ + +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1796,32 +1796,40 @@ void x25_kill_by_neigh(struct x25_neigh + + static int __init x25_init(void) + { +- int rc = proto_register(&x25_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&x25_proto, 0); ++ if (rc) + goto out; + + rc = sock_register(&x25_family_ops); +- if (rc != 0) ++ if (rc) + goto out_proto; + + dev_add_pack(&x25_packet_type); + + rc = register_netdevice_notifier(&x25_dev_notifier); +- if (rc != 0) ++ if (rc) + goto out_sock; + +- pr_info("Linux Version 0.2\n"); ++ rc = x25_register_sysctl(); ++ if (rc) ++ goto out_dev; + +- x25_register_sysctl(); + rc = x25_proc_init(); +- if (rc != 0) +- goto 
out_dev; ++ if (rc) ++ goto out_sysctl; ++ ++ pr_info("Linux Version 0.2\n"); ++ + out: + return rc; ++out_sysctl: ++ x25_unregister_sysctl(); + out_dev: + unregister_netdevice_notifier(&x25_dev_notifier); + out_sock: ++ dev_remove_pack(&x25_packet_type); + sock_unregister(AF_X25); + out_proto: + proto_unregister(&x25_proto); +--- a/net/x25/sysctl_net_x25.c ++++ b/net/x25/sysctl_net_x25.c +@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = { + { 0, }, + }; + +-void __init x25_register_sysctl(void) ++int __init x25_register_sysctl(void) + { + x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table); ++ if (!x25_table_header) ++ return -ENOMEM; ++ return 0; + } + + void x25_unregister_sysctl(void) diff --git a/queue-3.18/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch b/queue-3.18/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch new file mode 100644 index 00000000000..dbc3401e7b6 --- /dev/null +++ b/queue-3.18/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch 
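Review bot: in x25_init(), the functional fixes are the new dev_remove_pack(&x25_packet_type) under out_sock and the checked x25_register_sysctl() with its out_sysctl label, but they are mixed with the rc != 0 to rc rewrites and the moved pr_info(), which makes a stable backport harder to audit. Splitting the style changes out would leave a fix that is only the unwind ordering. The subject calls this a use-after-free while the body describes missing unregistration on the error path; saying that the packet handler added by dev_add_pack() stayed registered after a failed init would tie the two together.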
@@ -0,0 +1,60 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Liping Zhang +Date: Sun, 21 May 2017 07:22:49 +0800 +Subject: netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize + +From: Liping Zhang + + +[ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ] + +If nf_conntrack_htable_size was adjusted by the user during the ct +dump operation, we may invoke nf_ct_put twice for the same ct, i.e. +the "last" ct. This will cause the ct will be freed but still linked +in hash buckets. + +It's very easy to reproduce the problem by the following commands: + # while : ; do + echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets + done + # while : ; do + conntrack -L + done + # iperf -s 127.0.0.1 & + # iperf -c 127.0.0.1 -P 60 -t 36000 + +After a while, the system will hang like this: + NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184] + NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382] + ... + +So at last if we find cb->args[1] is equal to "last", this means hash +resize happened, then we can set cb->args[1] to 0 to fix the above +issue. + +Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping") +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_netlink.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -828,8 +828,13 @@ restart: + } + out: + local_bh_enable(); +- if (last) ++ if (last) { ++ /* nf ct hash resize happened, now clear the leftover. */ ++ if ((struct nf_conn *)cb->args[1] == last) ++ cb->args[1] = 0; ++ + nf_ct_put(last); ++ } + + return skb->len; + } 
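Review bot: at the out: label in net/netfilter/nf_conntrack_netlink.c, the comment "nf ct hash resize happened, now clear the leftover" does not say why cb->args[1] == last implies a resize or what goes wrong if the slot is left set. The commit message has the reason (nf_ct_put would be invoked twice for the same ct, leaving a freed entry linked in the hash buckets); one sentence of that in the comment would keep the check from looking redundant to a later reader.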
diff --git a/queue-3.18/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch b/queue-3.18/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch new file mode 100644 index 00000000000..6c6764e0548 --- /dev/null +++ b/queue-3.18/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Colin Ian King +Date: Tue, 9 May 2017 17:19:42 +0100 +Subject: netxen_nic: set rcode to the return status from the call to netxen_issue_cmd + +From: Colin Ian King + + +[ Upstream commit 0fe20fafd1791f993806d417048213ec57b81045 ] + +Currently rcode is being initialized to NX_RCODE_SUCCESS and later it +is checked to see if it is not NX_RCODE_SUCCESS which is never true. It +appears that there is an unintentional missing assignment of rcode from +the return of the call to netxen_issue_cmd() that was dropped in +an earlier fix, so add it in. + +Detected by CoverityScan, CID#401900 ("Logically dead code") + +Fixes: 2dcd5d95ad6b2 ("netxen_nic: fix cdrp race condition") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c +@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter + cmd.req.arg3 = 0; + + if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE) +- netxen_issue_cmd(adapter, &cmd); ++ rcode = netxen_issue_cmd(adapter, &cmd); + + if (rcode != NX_RCODE_SUCCESS) + return -EIO; diff --git a/queue-3.18/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch b/queue-3.18/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch new file mode 100644 index 00000000000..9183167e238 --- /dev/null 
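Review bot: in nx_fw_cmd_set_mtu(), rcode is now assigned only inside the recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE branch, so when the context is not active the function still reports success from the initial NX_RCODE_SUCCESS without issuing the command. If that is intended it deserves a comment. It is also worth confirming that netxen_issue_cmd() returns NX_RCODE_* values, since the result is compared against NX_RCODE_SUCCESS and any other value becomes -EIO.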
+++ b/queue-3.18/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch 
@@ -0,0 +1,84 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Trond Myklebust +Date: Thu, 4 May 2017 13:44:04 -0400 +Subject: NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION + +From: Trond Myklebust + + +[ Upstream commit 0048fdd06614a4ea088f9fcad11511956b795698 ] + +If the server returns NFS4ERR_CONN_NOT_BOUND_TO_SESSION because we +are trunking, then RECLAIM_COMPLETE must handle that by calling +nfs4_schedule_session_recovery() and then retrying. + +Reported-by: Chuck Lever +Signed-off-by: Trond Myklebust +Tested-by: Chuck Lever +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 7 ++++++- + fs/nfs/nfs4state.c | 10 +++++++--- + 2 files changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7429,6 +7429,12 @@ static int nfs41_reclaim_complete_handle + /* fall through */ + case -NFS4ERR_RETRY_UNCACHED_REP: + return -EAGAIN; ++ case -NFS4ERR_BADSESSION: ++ case -NFS4ERR_DEADSESSION: ++ case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION: ++ nfs4_schedule_session_recovery(clp->cl_session, ++ task->tk_status); ++ break; + default: + nfs4_schedule_lease_recovery(clp); + } +@@ -7507,7 +7513,6 @@ static int nfs41_proc_reclaim_complete(s + if (status == 0) + status = task->tk_status; + rpc_put_task(task); +- return 0; + out: + dprintk("<-- %s status=%d\n", __func__, status); + return status; +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1563,13 +1563,14 @@ static void nfs4_state_start_reclaim_reb + nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot); + } + +-static void nfs4_reclaim_complete(struct nfs_client *clp, ++static int nfs4_reclaim_complete(struct nfs_client *clp, + const struct nfs4_state_recovery_ops *ops, + struct rpc_cred *cred) + { + /* Notify the server we're done reclaiming our state */ + if (ops->reclaim_complete) +- (void)ops->reclaim_complete(clp, cred); ++ return ops->reclaim_complete(clp, cred); ++ return 0; + } + + static 
void nfs4_clear_reclaim_server(struct nfs_server *server) +@@ -1616,13 +1617,16 @@ static void nfs4_state_end_reclaim_reboo + { + const struct nfs4_state_recovery_ops *ops; + struct rpc_cred *cred; ++ int err; + + if (!nfs4_state_clear_reclaim_reboot(clp)) + return; + ops = clp->cl_mvops->reboot_recovery_ops; + cred = nfs4_get_clid_cred(clp); +- nfs4_reclaim_complete(clp, ops, cred); ++ err = nfs4_reclaim_complete(clp, ops, cred); + put_rpccred(cred); ++ if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION) ++ set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state); + } + + static void nfs_delegation_clear_all(struct nfs_client *clp) diff --git a/queue-3.18/ovl-filter-trusted-xattr-for-non-admin.patch b/queue-3.18/ovl-filter-trusted-xattr-for-non-admin.patch new file mode 100644 index 00000000000..e12cfb5fc6a --- /dev/null +++ b/queue-3.18/ovl-filter-trusted-xattr-for-non-admin.patch 
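Review bot: in nfs4_state_end_reclaim_reboot(), only -NFS4ERR_CONN_NOT_BOUND_TO_SESSION sets NFS4CLNT_RECLAIM_REBOOT again, while nfs41_reclaim_complete_handle_errors() schedules session recovery for -NFS4ERR_BADSESSION and -NFS4ERR_DEADSESSION as well. If those two can reach this caller, RECLAIM_COMPLETE is not retried for them after recovery, and any other error in err is dropped silently. Either extend the test to the same three codes or state in the commit message why only the trunking case needs a retry.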
@@ -0,0 +1,51 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Miklos Szeredi +Date: Mon, 29 May 2017 15:15:27 +0200 +Subject: ovl: filter trusted xattr for non-admin + +From: Miklos Szeredi + + +[ Upstream commit a082c6f680da298cf075886ff032f32ccb7c5e1a ] + +Filesystems filter out extended attributes in the "trusted." domain for +unprivlieged callers. + +Overlay calls underlying filesystem's method with elevated privs, so need +to do the filtering in overlayfs too. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/inode.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -258,6 +258,16 @@ ssize_t ovl_getxattr(struct dentry *dent + return vfs_getxattr(realpath.dentry, name, value, size); + } + ++static bool ovl_can_list(const char *s) ++{ ++ /* List all non-trusted xatts */ ++ if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0) ++ return true; ++ ++ /* Never list trusted.overlay, list other trusted for superuser only */ ++ return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); ++} ++ + ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) + { + struct path realpath; +@@ -282,7 +292,7 @@ ssize_t ovl_listxattr(struct dentry *den + return -EIO; + + len -= slen; +- if (ovl_is_private_xattr(s)) { ++ if (!ovl_can_list(s)) { + res -= slen; + memmove(s, s + slen, len); + } else { diff --git a/queue-3.18/perf-core-correct-event-creation-with-perf_format_group.patch b/queue-3.18/perf-core-correct-event-creation-with-perf_format_group.patch new file mode 100644 index 00000000000..54bb68d97cc --- /dev/null +++ b/queue-3.18/perf-core-correct-event-creation-with-perf_format_group.patch 
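Review bot: ovl_can_list() is applied only in ovl_listxattr(), while ovl_getxattr() just above it still ends in vfs_getxattr(realpath.dentry, name, value, size) with no matching check. The commit message says overlayfs calls the underlying filesystem with elevated privileges, so the description should say whether the get path needs the same capable(CAP_SYS_ADMIN) filter for "trusted." names or is already covered elsewhere. Minor: "xatts" in the new comment should read "xattrs".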
@@ -0,0 +1,85 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Peter Zijlstra +Date: Tue, 30 May 2017 11:45:12 +0200 +Subject: perf/core: Correct event creation with PERF_FORMAT_GROUP + +From: Peter Zijlstra + + +[ Upstream commit ba5213ae6b88fb170c4771fef6553f759c7d8cdd ] + +Andi was asking about PERF_FORMAT_GROUP vs inherited events, which led +to the discovery of a bug from commit: + + 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff") + + - PERF_SAMPLE_GROUP = 1U << 4, + + PERF_SAMPLE_READ = 1U << 4, + + - if (attr->inherit && (attr->sample_type & PERF_SAMPLE_GROUP)) + + if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP)) + +is a clear fail :/ + +While this changes user visible behaviour; it was previously possible +to create an inherited event with PERF_SAMPLE_READ; this is deemed +acceptible because its results were always incorrect. + +Reported-by: Andi Kleen +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff") +Link: http://lkml.kernel.org/r/20170530094512.dy2nljns2uq7qa3j@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4861,9 +4861,6 @@ static void perf_output_read_one(struct + __output_copy(handle, values, n * sizeof(u64)); + } + +-/* +- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult. 
+- */ + static void perf_output_read_group(struct perf_output_handle *handle, + struct perf_event *event, + u64 enabled, u64 running) +@@ -4908,6 +4905,13 @@ static void perf_output_read_group(struc + #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\ + PERF_FORMAT_TOTAL_TIME_RUNNING) + ++/* ++ * XXX PERF_SAMPLE_READ vs inherited events seems difficult. ++ * ++ * The problem is that its both hard and excessively expensive to iterate the ++ * child list, not to mention that its impossible to IPI the children running ++ * on another CPU, from interrupt/NMI context. ++ */ + static void perf_output_read(struct perf_output_handle *handle, + struct perf_event *event) + { +@@ -7194,9 +7198,10 @@ perf_event_alloc(struct perf_event_attr + local64_set(&hwc->period_left, hwc->sample_period); + + /* +- * we currently do not support PERF_FORMAT_GROUP on inherited events ++ * We currently do not support PERF_SAMPLE_READ on inherited events. ++ * See perf_output_read(). + */ +- if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP)) ++ if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ)) + goto err_ns; + + pmu = perf_init_event(event); diff --git a/queue-3.18/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch b/queue-3.18/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch new file mode 100644 index 00000000000..95dac706c39 --- /dev/null +++ b/queue-3.18/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch 
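Review bot: in perf_event_alloc(), the rewritten test rejects attr->inherit with PERF_SAMPLE_READ and no longer looks at attr->read_format at all, so inherit combined with PERF_FORMAT_GROUP is now accepted at creation. The commit message covers the newly rejected case as a user-visible change but not the newly accepted one; a line on why that combination is safe would close the gap. In the new comment above perf_output_read(), "its" should be "it's" in both places.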
@@ -0,0 +1,68 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Milian Wolff +Date: Fri, 2 Jun 2017 16:37:52 +0200 +Subject: perf report: Ensure the perf DSO mapping matches what libdw sees + +From: Milian Wolff + + +[ Upstream commit 2538b9e2450ae255337c04356e9e0f8cb9ec48d9 ] + +In some situations the libdw unwinder stopped working properly. I.e. +with libunwind we see: + +~~~~~ +heaptrack_gui 2228 135073.400112: 641314 cycles: + e8ed _dl_fixup (/usr/lib/ld-2.25.so) + 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so) + ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) + 608f3 _GLOBAL__sub_I_kdynamicjobtracker.cpp (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) + f199 call_init.part.0 (/usr/lib/ld-2.25.so) + f2a5 _dl_init (/usr/lib/ld-2.25.so) + db9 _dl_start_user (/usr/lib/ld-2.25.so) +~~~~~ + +But with libdw and without this patch this sample is not properly +unwound: + +~~~~~ +heaptrack_gui 2228 135073.400112: 641314 cycles: + e8ed _dl_fixup (/usr/lib/ld-2.25.so) + 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so) + ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) +~~~~~ + +Debug output showed me that libdw found a module for the last frame +address, but it thinks it belongs to /usr/lib/ld-2.25.so. This patch +double-checks what libdw sees and what perf knows. If the mappings +mismatch, we now report the elf known to perf. This fixes the situation +above, and the libdw unwinder produces the same stack as libunwind. 
+ +Signed-off-by: Milian Wolff +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lkml.kernel.org/r/20170602143753.16907-1-milian.wolff@kdab.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/unwind-libdw.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/perf/util/unwind-libdw.c ++++ b/tools/perf/util/unwind-libdw.c +@@ -37,6 +37,14 @@ static int __report_module(struct addr_l + return 0; + + mod = dwfl_addrmodule(ui->dwfl, ip); ++ if (mod) { ++ Dwarf_Addr s; ++ ++ dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL); ++ if (s != al->map->start) ++ mod = 0; ++ } ++ + if (!mod) + mod = dwfl_report_elf(ui->dwfl, dso->short_name, + dso->long_name, -1, al->map->start, diff --git a/queue-3.18/perf-tests-decompress-kernel-module-before-objdump.patch b/queue-3.18/perf-tests-decompress-kernel-module-before-objdump.patch new file mode 100644 index 00000000000..1a5c16eb8d2 --- /dev/null +++ b/queue-3.18/perf-tests-decompress-kernel-module-before-objdump.patch 
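Review bot: in __report_module(), the result of dwfl_module_info() is ignored and s is compared with al->map->start without being initialised first; initialising s would make the mismatch test well defined even if the call leaves it untouched. mod = 0 should be mod = NULL for a pointer. A pr_debug() when the libdw module is discarded would make this kind of mapping mismatch easier to diagnose, given that the commit message says it was found from debug output.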
@@ -0,0 +1,67 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Namhyung Kim +Date: Thu, 8 Jun 2017 16:31:07 +0900 +Subject: perf tests: Decompress kernel module before objdump + +From: Namhyung Kim + + +[ Upstream commit 94df1040b1e6aacd8dec0ba3c61d7e77cd695f26 ] + +If a kernel modules is compressed, it should be decompressed before +running objdump to parse binary data correctly. This fixes a failure of +object code reading test for me. + +Signed-off-by: Namhyung Kim +Acked-by: Adrian Hunter +Acked-by: Jiri Olsa +Cc: David Ahern +Cc: Peter Zijlstra +Cc: Wang Nan +Cc: kernel-team@lge.com +Link: http://lkml.kernel.org/r/20170608073109.30699-8-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/code-reading.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/tools/perf/tests/code-reading.c ++++ b/tools/perf/tests/code-reading.c +@@ -141,6 +141,8 @@ static int read_object_code(u64 addr, si + unsigned char buf2[BUFSZ]; + size_t ret_len; + u64 objdump_addr; ++ const char *objdump_name; ++ char decomp_name[KMOD_DECOMP_LEN]; + int ret; + + pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr); +@@ -202,9 +204,25 @@ static int read_object_code(u64 addr, si + state->done[state->done_cnt++] = al.map->start; + } + ++ objdump_name = al.map->dso->long_name; ++ if (dso__needs_decompress(al.map->dso)) { ++ if (dso__decompress_kmodule_path(al.map->dso, objdump_name, ++ decomp_name, ++ sizeof(decomp_name)) < 0) { ++ pr_debug("decompression failed\n"); ++ return -1; ++ } ++ ++ objdump_name = decomp_name; ++ } ++ + /* Read the object code using objdump */ + objdump_addr = map__rip_2objdump(al.map, al.addr); +- ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len); ++ ret = read_via_objdump(objdump_name, objdump_addr, buf2, len); ++ ++ if (dso__needs_decompress(al.map->dso)) ++ unlink(objdump_name); ++ + if (ret > 0) 
{ + /* + * The kernel maps are inaccurate - assume objdump is right in diff --git a/queue-3.18/perf-trace-add-mmap-alias-for-s390.patch b/queue-3.18/perf-trace-add-mmap-alias-for-s390.patch new file mode 100644 index 00000000000..d7ffa6ed894 --- /dev/null +++ b/queue-3.18/perf-trace-add-mmap-alias-for-s390.patch 
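Review bot: in read_object_code(), the temporary file is removed under a second dso__needs_decompress(al.map->dso) call after read_via_objdump(); testing objdump_name == decomp_name instead would tie the unlink() to the path that was actually created. The "decompression failed" debug message would be more useful with the module's long_name in it.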
@@ -0,0 +1,52 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jiri Olsa +Date: Wed, 31 May 2017 13:35:57 +0200 +Subject: perf trace: Add mmap alias for s390 + +From: Jiri Olsa + + +[ Upstream commit 54265664c15a68905d8d67d19205e9a767636434 ] + +The s390 architecture maps sys_mmap (nr 90) into sys_old_mmap. For this +reason perf trace can't find the proper syscall event to get args format +from and displays it wrongly as 'continued'. + +To fix that fill the "alias" field with "old_mmap" for trace's mmap record +to get the correct translation. + +Before: + 0.042 ( 0.011 ms): vest/43052 fstat(statbuf: 0x3ffff89fd90 ) = 0 + 0.042 ( 0.028 ms): vest/43052 ... [continued]: mmap()) = 0x3fffd6e2000 + 0.072 ( 0.025 ms): vest/43052 read(buf: 0x3fffd6e2000, count: 4096 ) = 6 + +After: + 0.045 ( 0.011 ms): fstat(statbuf: 0x3ffff8a0930 ) = 0 + 0.057 ( 0.018 ms): mmap(arg: 0x3ffff8a0858 ) = 0x3fffd14a000 + 0.076 ( 0.025 ms): read(buf: 0x3fffd14a000, count: 4096 ) = 6 + +Signed-off-by: Jiri Olsa +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20170531113557.19175-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-trace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1020,6 +1020,10 @@ static struct syscall_fmt { + { .name = "mlockall", .errmsg = true, + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, }, + { .name = "mmap", .hexret = true, ++/* The standard mmap maps to old_mmap on s390x */ ++#if defined(__s390x__) ++ .alias = "old_mmap", ++#endif + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ + [2] = SCA_MMAP_PROT, /* prot */ + [3] = SCA_MMAP_FLAGS, /* flags */ 
diff --git a/queue-3.18/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch b/queue-3.18/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch new file mode 100644 index 00000000000..2f02d867cdb --- /dev/null +++ b/queue-3.18/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch 
@@ -0,0 +1,68 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Kirill Tkhai +Date: Mon, 8 May 2017 15:56:34 -0700 +Subject: pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid() + +From: Kirill Tkhai + + +[ Upstream commit 8896c23d2ef803f1883fea73117a435925c2b4c4 ] + +alloc_pidmap() advances pid_namespace::last_pid. When first pid +allocation fails, then next created process will have pid 2 and +pid_ns_prepare_proc() won't be called. So, pid_namespace::proc_mnt will +never be initialized (not to mention that there won't be a child +reaper). + +I saw crash stack of such case on kernel 3.10: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: proc_flush_task+0x8f/0x1b0 + Call Trace: + release_task+0x3f/0x490 + wait_consider_task.part.10+0x7ff/0xb00 + do_wait+0x11f/0x280 + SyS_wait4+0x7d/0x110 + +We may fix this by restore of last_pid in 0 or by prohibiting of futher +allocations. Since there was a similar issue in Oleg Nesterov's commit +314a8ad0f18a ("pidns: fix free_pid() to handle the first fork failure"). +and it was fixed via prohibiting allocation, let's follow this way, and +do the same. 
+ +Link: http://lkml.kernel.org/r/149201021004.4863.6762095011554287922.stgit@localhost.localdomain +Signed-off-by: Kirill Tkhai +Acked-by: Cyrill Gorcunov +Cc: Andrei Vagin +Cc: Andreas Gruenbacher +Cc: Kees Cook +Cc: Michael Kerrisk +Cc: Al Viro +Cc: Oleg Nesterov +Cc: Paul Moore +Cc: Eric Biederman +Cc: Andy Lutomirski +Cc: Ingo Molnar +Cc: Serge Hallyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/pid.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -316,8 +316,10 @@ struct pid *alloc_pid(struct pid_namespa + } + + if (unlikely(is_child_reaper(pid))) { +- if (pid_ns_prepare_proc(ns)) ++ if (pid_ns_prepare_proc(ns)) { ++ disable_pid_allocation(ns); + goto out_free; ++ } + } + + get_pid_ns(ns); diff --git a/queue-3.18/powercap-fix-an-error-code-in-powercap_register_zone.patch b/queue-3.18/powercap-fix-an-error-code-in-powercap_register_zone.patch new file mode 100644 index 00000000000..201205d825a --- /dev/null +++ b/queue-3.18/powercap-fix-an-error-code-in-powercap_register_zone.patch 
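Review bot: in alloc_pid(), the new disable_pid_allocation(ns) call sits in the pid_ns_prepare_proc() failure branch with no comment, and the reason is not obvious from the code: per the commit message, last_pid has already advanced, so the next process would get pid 2 and proc_mnt would never be initialised. A short comment to that effect at the call site would keep the call from being removed later as redundant. The hunk also does not show whether disable_pid_allocation() expects a lock to be held at this point, which the description should state.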
@@ -0,0 +1,38 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Dan Carpenter +Date: Wed, 10 May 2017 22:40:06 +0300 +Subject: PowerCap: Fix an error code in powercap_register_zone() + +From: Dan Carpenter + + +[ Upstream commit 216c4e9db4c9d1d2a382b42880442dc632cd47d9 ] + +In the current code we accidentally return the successful result from +idr_alloc() instead of a negative error pointer. The caller is looking +for an error pointer and so it treats the returned value as a valid +pointer. + +This one might be a bit serious because if it lets people get around the +kernel's protection for remapping NULL. I'm not sure. + +Fixes: 75d2364ea0ca (PowerCap: Add class driver) +Signed-off-by: Dan Carpenter +Reviewed-by: Srinivas Pandruvada +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/powercap/powercap_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/powercap/powercap_sys.c ++++ b/drivers/powercap/powercap_sys.c +@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_ + + power_zone->id = result; + idr_init(&power_zone->idr); ++ result = -ENOMEM; + power_zone->name = kstrdup(name, GFP_KERNEL); + if (!power_zone->name) + goto err_name_alloc; diff --git a/queue-3.18/powerpc-don-t-clobber-tcr-when-setting-tcr.patch b/queue-3.18/powerpc-don-t-clobber-tcr-when-setting-tcr.patch new file mode 100644 index 00000000000..6222849f5b2 --- /dev/null +++ b/queue-3.18/powerpc-don-t-clobber-tcr-when-setting-tcr.patch 
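Review bot: in powercap_register_zone(), result = -ENOMEM is set once before kstrdup(), so every later goto in the function depends on nothing in between storing a non-negative value in result again. Setting the error code in each failure branch, next to its goto, would be more robust than a single assignment ahead of them. The commit message leaves the impact open ("I'm not sure"); for a stable queue it would help to state plainly that the caller was handed the idr_alloc() id as if it were a valid pointer.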
@@ -0,0 +1,50 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Ivan Mikhaylov +Date: Fri, 19 May 2017 18:47:05 +0300 +Subject: powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE] + +From: Ivan Mikhaylov + + +[ Upstream commit 6e2f03e292ef46eed2b31b0a344a91d514f9cd81 ] + +Prevent a kernel panic caused by unintentionally clearing TCR watchdog +bits. At this point in the kernel boot, the watchdog may have already +been enabled by u-boot. The original code's attempt to write to the TCR +register results in an inadvertent clearing of the watchdog +configuration bits, causing the 476 to reset. + +Signed-off-by: Ivan Mikhaylov +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/time.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -646,12 +646,20 @@ static int __init get_freq(char *name, i + static void start_cpu_decrementer(void) + { + #if defined(CONFIG_BOOKE) || defined(CONFIG_40x) ++ unsigned int tcr; ++ + /* Clear any pending timer interrupts */ + mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS); + +- /* Enable decrementer interrupt */ +- mtspr(SPRN_TCR, TCR_DIE); +-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */ ++ tcr = mfspr(SPRN_TCR); ++ /* ++ * The watchdog may have already been enabled by u-boot. So leave ++ * TRC[WP] (Watchdog Period) alone. ++ */ ++ tcr &= TCR_WP_MASK; /* Clear all bits except for TCR[WP] */ ++ tcr |= TCR_DIE; /* Enable decrementer */ ++ mtspr(SPRN_TCR, tcr); ++#endif + } + + void __init generic_calibrate_decr(void) diff --git a/queue-3.18/powerpc-spufs-fix-coredump-of-spu-contexts.patch b/queue-3.18/powerpc-spufs-fix-coredump-of-spu-contexts.patch new file mode 100644 index 00000000000..9a22496af74 --- /dev/null +++ b/queue-3.18/powerpc-spufs-fix-coredump-of-spu-contexts.patch 
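Review bot: in start_cpu_decrementer(), the new comment says "TRC[WP]" where it means TCR[WP]. The mask tcr &= TCR_WP_MASK keeps only the watchdog period and clears every other TCR bit the boot loader may have set, while the commit message speaks of "watchdog configuration bits" in general; the description should say whether the period field alone is enough to keep an already running watchdog from resetting the board. The #endif also loses its trailing condition comment, which is unrelated to the fix.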
@@ -0,0 +1,42 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Michael Ellerman +Date: Mon, 29 May 2017 20:26:07 +1000 +Subject: powerpc/spufs: Fix coredump of SPU contexts + +From: Michael Ellerman + + +[ Upstream commit 99acc9bede06bbb2662aafff51f5b9e529fa845e ] + +If a process dumps core while it has SPU contexts active then we have +code to also dump information about the SPU contexts. + +Unfortunately it's been broken for 3 1/2 years, and we didn't notice. In +commit 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers") the nread +variable was removed and rc used instead. That means when the loop exits +successfully, rc has the number of bytes read, but it's then used as the +return value for the function, which should return 0 on success. + +So fix it by setting rc = 0 before returning in the success case. + +Fixes: 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers") +Signed-off-by: Michael Ellerman +Acked-by: Jeremy Kerr +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/cell/spufs/coredump.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/platforms/cell/spufs/coredump.c ++++ b/arch/powerpc/platforms/cell/spufs/coredump.c +@@ -174,6 +174,8 @@ static int spufs_arch_write_note(struct + if (!dump_skip(cprm, + roundup(cprm->written - total + sz, 4) - cprm->written)) + goto Eio; ++ ++ rc = 0; + out: + free_page((unsigned long)buf); + return rc; diff --git a/queue-3.18/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch b/queue-3.18/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch new file mode 100644 index 00000000000..c63080b3933 --- /dev/null +++ b/queue-3.18/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch 
@@ -0,0 +1,42 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jia-Ju Bai +Date: Thu, 1 Jun 2017 16:18:10 +0800 +Subject: qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M + +From: Jia-Ju Bai + + +[ Upstream commit 5ea6d691aac6c93b790f0905e3460d44cc4c449b ] + +The driver may sleep under a write spin lock, and the function +call path is: +qlcnic_82xx_hw_write_wx_2M (acquire the lock by write_lock_irqsave) + crb_win_lock + qlcnic_pcie_sem_lock + usleep_range +qlcnic_82xx_hw_read_wx_2M (acquire the lock by write_lock_irqsave) + crb_win_lock + qlcnic_pcie_sem_lock + usleep_range + +To fix it, the usleep_range is replaced with udelay. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c +@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapt + } + return -EIO; + } +- usleep_range(1000, 1500); ++ udelay(1200); + } + + if (id_reg) diff --git a/queue-3.18/qlge-avoid-reading-past-end-of-buffer.patch b/queue-3.18/qlge-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..295bed05f50 --- /dev/null +++ b/queue-3.18/qlge-avoid-reading-past-end-of-buffer.patch 
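Review bot: udelay(1200) in qlcnic_pcie_sem_lock() removes the sleep but turns each retry into a 1.2 ms busy-wait, and per the changelog the callers hold a lock taken with write_lock_irqsave, so the whole retry loop now spins with interrupts disabled. The loop bound is outside the visible context; the changelog should state the worst-case spin time (retries times 1.2 ms), and a shorter delay per iteration or taking the PCIe semaphore before the write lock would be worth considering.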
@@ -0,0 +1,46 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 15:34:34 -0700 +Subject: qlge: Avoid reading past end of buffer + +From: Kees Cook + + +[ Upstream commit df5303a8aa9a0a6934f4cea7427f1edf771f21c2 ] + +Using memcpy() from a string that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. Instead, use strncpy() which will fill the trailing bytes +with zeros. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c +@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev + sizeof(struct mpi_coredump_global_header); + mpi_coredump->mpi_global_header.imageSize = + sizeof(struct ql_mpi_coredump); +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", + sizeof(mpi_coredump->mpi_global_header.idString)); + + /* Get generic NIC reg dump */ +@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_ad + sizeof(struct mpi_coredump_global_header); + mpi_coredump->mpi_global_header.imageSize = + sizeof(struct ql_reg_dump); +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", + sizeof(mpi_coredump->mpi_global_header.idString)); + + diff --git a/queue-3.18/ray_cs-avoid-reading-past-end-of-buffer.patch b/queue-3.18/ray_cs-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..900d2aa0c71 --- /dev/null +++ b/queue-3.18/ray_cs-avoid-reading-past-end-of-buffer.patch 
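Review bot: strncpy() bounded by sizeof(idString), in both ql_core_dump() and ql_gen_reg_dump(), stops the over-read and zero-pads the field, but it does not NUL-terminate when the source is as long as or longer than the destination. The size of idString is not visible in these hunks. If it is a fixed-width tag rather than a C string, a comment saying so would keep a later reader from treating it as a string; if it must be terminated, its size should be checked against the literal "MPI Coredump" (12 characters plus the terminator).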
@@ -0,0 +1,49 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 15:38:41 -0700 +Subject: ray_cs: Avoid reading past end of buffer + +From: Kees Cook + + +[ Upstream commit e48d661eb13f2f83861428f001c567fdb3f317e8 ] + +Using memcpy() from a buffer that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. In this case, the source was made longer, since it did not +match the destination structure size. Additionally removes a needless cast. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ray_cs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_pa + 0x04, 0x08, /* Noise gain, limit offset */ + 0x28, 0x28, /* det rssi, med busy offsets */ + 7, /* det sync thresh */ +- 0, 2, 2 /* test mode, min, max */ ++ 0, 2, 2, /* test mode, min, max */ ++ 0, /* rx/tx delay */ ++ 0, 0, 0, 0, 0, 0, /* current BSS id */ ++ 0 /* hop set */ + }; + + /*===========================================================================*/ +@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_ + * a_beacon_period = hops a_beacon_period = KuS + *//* 64ms = 010000 */ + if (local->fw_ver == 0x55) { +- memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms, ++ memcpy(&local->sparm.b4, b4_default_startup_parms, + sizeof(struct b4_startup_params)); + /* Translate sane kus input values to old build 4/5 format */ + /* i = hop time in uS truncated to 3 bytes */ 
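Review bot: the initializer of b4_default_startup_parms is padded by hand to match sizeof(struct b4_startup_params), but nothing ties the two sizes together, so the memcpy() in init_startup_params() will read past the array again if the structure grows. A compile-time check next to the memcpy(), such as BUILD_BUG_ON(sizeof(b4_default_startup_parms) != sizeof(struct b4_startup_params)), would turn a future mismatch into a build failure instead of a silent copy of unrelated rodata.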
diff --git a/queue-3.18/rtc-interface-validate-alarm-time-before-handling-rollover.patch b/queue-3.18/rtc-interface-validate-alarm-time-before-handling-rollover.patch new file mode 100644 index 00000000000..f4643454055 --- /dev/null +++ b/queue-3.18/rtc-interface-validate-alarm-time-before-handling-rollover.patch 
@@ -0,0 +1,71 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Vaibhav Jain +Date: Fri, 19 May 2017 22:18:55 +0530 +Subject: rtc: interface: Validate alarm-time before handling rollover + +From: Vaibhav Jain + + +[ Upstream commit da96aea0ed177105cb13ee83b328f6c61e061d3f ] + +In function __rtc_read_alarm() its possible for an alarm time-stamp to +be invalid even after replacing missing components with current +time-stamp. The condition 'alarm->time.tm_year < 70' will trigger this +case and will cause the call to 'rtc_tm_to_time64(&alarm->time)' +return a negative value for variable t_alm. + +While handling alarm rollover this negative t_alm (assumed to seconds +offset from '1970-01-01 00:00:00') is converted back to rtc_time via +rtc_time64_to_tm() which results in this error log with seemingly +garbage values: + +"rtc rtc0: invalid alarm value: -2-1--1041528741 +2005511117:71582844:32" + +This error was generated when the rtc driver (rtc-opal in this case) +returned an alarm time-stamp of '00-00-00 00:00:00' to indicate that +the alarm is disabled. Though I have submitted a separate fix for the +rtc-opal driver, this issue may potentially impact other +existing/future rtc drivers. + +To fix this issue the patch validates the alarm time-stamp just after +filling up the missing datetime components and if rtc_valid_tm() still +reports it to be invalid then bails out of the function without +handling the rollover. + +Reported-by: Steve Best +Signed-off-by: Vaibhav Jain +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/interface.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -249,6 +249,13 @@ int __rtc_read_alarm(struct rtc_device * + missing = year; + } + ++ /* Can't proceed if alarm is still invalid after replacing ++ * missing fields. 
++ */ ++ err = rtc_valid_tm(&alarm->time); ++ if (err) ++ goto done; ++ + /* with luck, no rollover is needed */ + rtc_tm_to_time(&now, &t_now); + rtc_tm_to_time(&alarm->time, &t_alm); +@@ -300,9 +307,9 @@ int __rtc_read_alarm(struct rtc_device * + dev_warn(&rtc->dev, "alarm rollover not handled\n"); + } + +-done: + err = rtc_valid_tm(&alarm->time); + ++done: + if (err) { + dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n", + alarm->time.tm_year + 1900, alarm->time.tm_mon + 1, diff --git a/queue-3.18/rxrpc-check-return-value-of-skb_to_sgvec-always.patch b/queue-3.18/rxrpc-check-return-value-of-skb_to_sgvec-always.patch new file mode 100644 index 00000000000..292c8c863c7 --- /dev/null +++ b/queue-3.18/rxrpc-check-return-value-of-skb_to_sgvec-always.patch 
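Review bot: moving the done: label below the final rtc_valid_tm() call in __rtc_read_alarm() changes every existing "goto done", not just the new one. Those paths used to have alarm->time validated before the "if (err)" check; they now skip validation and depend on whatever err holds at the jump. The other jumps are outside the visible context, so each should be checked, or the new early exit given its own label so the existing paths stay as they were. The early exit also still reaches the dev_warn(), so a driver that reports an all-zero alarm to mean "disabled", as the changelog describes, will keep logging a warning on every read.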
@@ -0,0 +1,84 @@ +From 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:24 +0200 +Subject: rxrpc: check return value of skb_to_sgvec always + +From: Jason A. Donenfeld + +commit 89a5ea99662505d2d61f2a3030a6896c2cb3cdb0 upstream. + +Signed-off-by: Jason A. Donenfeld +Acked-by: David Howells +Signed-off-by: David S. Miller +[natechancellor: backport to 3.18] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxkad.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -209,7 +209,7 @@ static int rxkad_secure_packet_encrypt(c + struct sk_buff *trailer; + unsigned int len; + u16 check; +- int nsg; ++ int nsg, err; + + sp = rxrpc_skb(skb); + +@@ -240,7 +240,9 @@ static int rxkad_secure_packet_encrypt(c + len &= ~(call->conn->size_align - 1); + + sg_init_table(sg, nsg); +- skb_to_sgvec(skb, sg, 0, len); ++ err = skb_to_sgvec(skb, sg, 0, len); ++ if (unlikely(err < 0)) ++ return err; + crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); + + _leave(" = 0"); +@@ -336,7 +338,7 @@ static int rxkad_verify_packet_auth(cons + struct sk_buff *trailer; + u32 data_size, buf; + u16 check; +- int nsg; ++ int nsg, ret; + + _enter(""); + +@@ -348,7 +350,9 @@ static int rxkad_verify_packet_auth(cons + goto nomem; + + sg_init_table(sg, nsg); +- skb_to_sgvec(skb, sg, 0, 8); ++ ret = skb_to_sgvec(skb, sg, 0, 8); ++ if (unlikely(ret < 0)) ++ return ret; + + /* start the decryption afresh */ + memset(&iv, 0, sizeof(iv)); +@@ -411,7 +415,7 @@ static int rxkad_verify_packet_encrypt(c + struct sk_buff *trailer; + u32 data_size, buf; + u16 check; +- int nsg; ++ int nsg, ret; + + _enter(",{%d}", skb->len); + +@@ -430,7 +434,12 @@ static int rxkad_verify_packet_encrypt(c + } + + sg_init_table(sg, nsg); +- skb_to_sgvec(skb, sg, 0, skb->len); ++ ret = skb_to_sgvec(skb, sg, 0, skb->len); ++ if (unlikely(ret < 0)) { 
++ if (sg != _sg) ++ kfree(sg); ++ return ret; ++ } + + /* decrypt from the session key */ + token = call->conn->key->payload.data; diff --git a/queue-3.18/s390-move-_text-symbol-to-address-higher-than-zero.patch b/queue-3.18/s390-move-_text-symbol-to-address-higher-than-zero.patch new file mode 100644 index 00000000000..b9ec7b272ae --- /dev/null +++ b/queue-3.18/s390-move-_text-symbol-to-address-higher-than-zero.patch 
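Review bot: the three new error exits are handled inconsistently. rxkad_verify_packet_encrypt() frees sg when it differs from _sg before returning, while rxkad_secure_packet_encrypt() and rxkad_verify_packet_auth() return directly, and all three bypass the _enter()/_leave() tracing pair. The visible context does not show whether the first two functions hold anything that needs releasing at that point, so that should be confirmed or the exits routed through a common label. The changelog has no body: it should say what failure skb_to_sgvec() can report and how this backport relates to skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch queued in the same series.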
@@ -0,0 +1,58 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Heiko Carstens +Date: Thu, 4 May 2017 09:42:22 +0200 +Subject: s390: move _text symbol to address higher than zero + +From: Heiko Carstens + + +[ Upstream commit d04a4c76f71dd5335f8e499b59617382d84e2b8d ] + +The perf tool assumes that kernel symbols are never present at address +zero. In fact it assumes if functions that map symbols to addresses +return zero, that the symbol was not found. + +Given that s390's _text symbol historically is located at address zero +this yields at least a couple of false errors and warnings in one of +perf's test cases about not present symbols ("perf test 1"). + +To fix this simply move the _text symbol to address 0x200, just behind +the initial psw and channel program located at the beginning of the +kernel image. This is now hard coded within the linker script. + +I tried a nicer solution which moves the initial psw and channel +program into an own section. However that would move the symbols +within the "real" head.text section to different addresses, since the +".org" statements within head.S are relative to the head.text +section. If there is a new section in front, everything else will be +moved. Alternatively I could have adjusted all ".org" statements. But +this current solution seems to be the easiest one, since nobody really +cares where the _text symbol is actually located. + +Reported-by: Zvonko Kosic +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/vmlinux.lds.S | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -28,8 +28,14 @@ SECTIONS + { + . = 0x00000000; + .text : { +- _text = .; /* Text and read-only data */ ++ /* Text and read-only data */ + HEAD_TEXT ++ /* ++ * E.g. 
perf doesn't like symbols starting at address zero, ++ * therefore skip the initial PSW and channel program located ++ * at address zero and let _text start at 0x200. ++ */ ++ _text = 0x200; + TEXT_TEXT + SCHED_TEXT + LOCK_TEXT diff --git a/queue-3.18/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch b/queue-3.18/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch new file mode 100644 index 00000000000..12924be4308 --- /dev/null +++ b/queue-3.18/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch 
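Review bot: "_text = 0x200" in vmlinux.lds.S is a bare constant whose correctness depends on the initial PSW and channel program ending at that offset, and nothing in the linker script checks it. An ASSERT in the script, or a symbol exported from head.S, would catch a layout change. The changelog should also state that anything deriving the image start or size from _text now excludes the first 0x200 bytes; at present it only says that nobody cares where the symbol is located.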
@@ -0,0 +1,101 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Maurizio Lombardi +Date: Wed, 24 May 2017 14:09:44 +0200 +Subject: scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() + +From: Maurizio Lombardi + + +[ Upstream commit c2dd893a3b0772d1c680e109b9d5715d7f73022b ] + +If multiple tasks attempt to read the stats, it may happen that the +start_req_done completion is re-initialized while still being used by +another task, causing a list corruption. + +This patch fixes the bug by adding a mutex to serialize the calls to +bnx2fc_get_host_stats(). + +WARNING: at lib/list_debug.c:48 list_del+0x6e/0xa0() (Not tainted) +Hardware name: PowerEdge R820 +list_del corruption. prev->next should be ffff882035627d90, but was ffff884069541588 + +Pid: 40267, comm: perl Not tainted 2.6.32-642.3.1.el6.x86_64 #1 +Call Trace: + [] ? warn_slowpath_common+0x91/0xe0 + [] ? warn_slowpath_fmt+0x46/0x60 + [] ? list_del+0x6e/0xa0 + [] ? wait_for_common+0x14d/0x180 + [] ? default_wake_function+0x0/0x20 + [] ? wait_for_completion_timeout+0x13/0x20 + [] ? bnx2fc_get_host_stats+0xa1/0x280 [bnx2fc] + [] ? fc_stat_show+0x90/0xc0 [scsi_transport_fc] + [] ? show_fcstat_tx_frames+0x16/0x20 [scsi_transport_fc] + [] ? dev_attr_show+0x27/0x50 + [] ? __get_free_pages+0xe/0x50 + [] ? sysfs_read_file+0x111/0x200 + [] ? vfs_read+0xb5/0x1a0 + [] ? fget_light_pos+0x16/0x50 + [] ? sys_read+0x51/0xb0 + [] ? __audit_syscall_exit+0x25e/0x290 + [] ? system_call_fastpath+0x16/0x1b + +Signed-off-by: Maurizio Lombardi +Acked-by: Chad Dupuis +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2fc/bnx2fc.h | 1 + + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/bnx2fc/bnx2fc.h ++++ b/drivers/scsi/bnx2fc/bnx2fc.h +@@ -191,6 +191,7 @@ struct bnx2fc_hba { + struct bnx2fc_cmd_mgr *cmd_mgr; + spinlock_t hba_lock; + struct mutex hba_mutex; ++ struct mutex hba_stats_mutex; + unsigned long adapter_state; + #define ADAPTER_STATE_UP 0 + #define ADAPTER_STATE_GOING_DOWN 1 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -641,15 +641,17 @@ static struct fc_host_statistics *bnx2fc + if (!fw_stats) + return NULL; + ++ mutex_lock(&hba->hba_stats_mutex); ++ + bnx2fc_stats = fc_get_host_stats(shost); + + init_completion(&hba->stat_req_done); + if (bnx2fc_send_stat_req(hba)) +- return bnx2fc_stats; ++ goto unlock_stats_mutex; + rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ)); + if (!rc) { + BNX2FC_HBA_DBG(lport, "FW stat req timed out\n"); +- return bnx2fc_stats; ++ goto unlock_stats_mutex; + } + BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt); + bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt; +@@ -671,6 +673,9 @@ static struct fc_host_statistics *bnx2fc + + memcpy(&hba->prev_stats, hba->stats_buffer, + sizeof(struct fcoe_statistics_params)); ++ ++unlock_stats_mutex: ++ mutex_unlock(&hba->hba_stats_mutex); + return bnx2fc_stats; + } + +@@ -1303,6 +1308,7 @@ static struct bnx2fc_hba *bnx2fc_hba_cre + } + spin_lock_init(&hba->hba_lock); + mutex_init(&hba->hba_mutex); ++ mutex_init(&hba->hba_stats_mutex); + + hba->cnic = cnic; + diff --git a/queue-3.18/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch b/queue-3.18/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch new file mode 100644 index 00000000000..89dd0a84684 --- /dev/null +++ b/queue-3.18/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch 
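Review bot: hba_stats_mutex is held in bnx2fc_get_host_stats() across wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ)), so concurrent sysfs readers now queue behind each other and each can wait up to two seconds per holder ahead of it when the firmware does not answer. That is a reasonable trade for removing the list corruption, but the changelog should say so. The completion is also still set up with init_completion() on every call; with the mutex in place, a one-time init in bnx2fc_hba_create() followed by reinit_completion() here would express the intent better.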
@@ -0,0 +1,104 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Rafael David Tinoco +Date: Thu, 7 Dec 2017 19:59:13 -0200 +Subject: scsi: libiscsi: Allow sd_shutdown on bad transport + +From: Rafael David Tinoco + + +[ Upstream commit d754941225a7dbc61f6dd2173fa9498049f9a7ee ] + +If, for any reason, userland shuts down iscsi transport interfaces +before proper logouts - like when logging in to LUNs manually, without +logging out on server shutdown, or when automated scripts can't +umount/logout from logged LUNs - kernel will hang forever on its +sd_sync_cache() logic, after issuing the SYNCHRONIZE_CACHE cmd to all +still existent paths. + +PID: 1 TASK: ffff8801a69b8000 CPU: 1 COMMAND: "systemd-shutdow" + #0 [ffff8801a69c3a30] __schedule at ffffffff8183e9ee + #1 [ffff8801a69c3a80] schedule at ffffffff8183f0d5 + #2 [ffff8801a69c3a98] schedule_timeout at ffffffff81842199 + #3 [ffff8801a69c3b40] io_schedule_timeout at ffffffff8183e604 + #4 [ffff8801a69c3b70] wait_for_completion_io_timeout at ffffffff8183fc6c + #5 [ffff8801a69c3bd0] blk_execute_rq at ffffffff813cfe10 + #6 [ffff8801a69c3c88] scsi_execute at ffffffff815c3fc7 + #7 [ffff8801a69c3cc8] scsi_execute_req_flags at ffffffff815c60fe + #8 [ffff8801a69c3d30] sd_sync_cache at ffffffff815d37d7 + #9 [ffff8801a69c3da8] sd_shutdown at ffffffff815d3c3c + +This happens because iscsi_eh_cmd_timed_out(), the transport layer +timeout helper, would tell the queue timeout function (scsi_times_out) +to reset the request timer over and over, until the session state is +back to logged in state. Unfortunately, during server shutdown, this +might never happen again. + +Other option would be "not to handle" the issue in the transport +layer. That would trigger the error handler logic, which would also need +the session state to be logged in again. 
+ +Best option, for such case, is to tell upper layers that the command was +handled during the transport layer error handler helper, marking it as +DID_NO_CONNECT, which will allow completion and inform about the +problem. + +After the session was marked as ISCSI_STATE_FAILED, due to the first +timeout during the server shutdown phase, all subsequent cmds will fail +to be queued, allowing upper logic to fail faster. + +Signed-off-by: Rafael David Tinoco +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host + */ + switch (session->state) { + case ISCSI_STATE_FAILED: ++ /* ++ * cmds should fail during shutdown, if the session ++ * state is bad, allowing completion to happen ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ reason = FAILURE_SESSION_FAILED; ++ sc->result = DID_NO_CONNECT << 16; ++ break; ++ } + case ISCSI_STATE_IN_RECOVERY: + reason = FAILURE_SESSION_IN_RECOVERY; + sc->result = DID_IMM_RETRY << 16; +@@ -1999,6 +2008,19 @@ static enum blk_eh_timer_return iscsi_eh + + if (session->state != ISCSI_STATE_LOGGED_IN) { + /* ++ * During shutdown, if session is prematurely disconnected, ++ * recovery won't happen and there will be hung cmds. Not ++ * handling cmds would trigger EH, also bad in this case. ++ * Instead, handle cmd, allow completion to happen and let ++ * upper layer to deal with the result. ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ sc->result = DID_NO_CONNECT << 16; ++ ISCSI_DBG_EH(session, "sc on shutdown, handled\n"); ++ rc = BLK_EH_HANDLED; ++ goto done; ++ } ++ /* + * We are probably in the middle of iscsi recovery so let + * that complete and handle the error. 
+ */ +@@ -2102,7 +2124,7 @@ done: + task->last_timeout = jiffies; + spin_unlock(&session->frwd_lock); + ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ? +- "timer reset" : "nh"); ++ "timer reset" : "shutdown or nh"); + return rc; + } + diff --git a/queue-3.18/scsi-libsas-fix-error-when-getting-phy-events.patch b/queue-3.18/scsi-libsas-fix-error-when-getting-phy-events.patch new file mode 100644 index 00000000000..446a5e5d4d4 --- /dev/null +++ b/queue-3.18/scsi-libsas-fix-error-when-getting-phy-events.patch 
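Review bot: the test "system_state != SYSTEM_RUNNING", used in both iscsi_queuecommand() and iscsi_eh_cmd_timed_out(), is also true while the system is still booting, not only during shutdown, so commands on a failed session in early boot would now complete with DID_NO_CONNECT instead of being retried. If only shutdown is meant, as both new comments say, the test should compare against the halt, power-off and restart states explicitly. In iscsi_queuecommand() the new block also leaves case ISCSI_STATE_FAILED falling through into ISCSI_STATE_IN_RECOVERY without a fall-through comment, which is easy to misread now that the case has a body ending in a conditional break.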
@@ -0,0 +1,51 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jason Yan +Date: Thu, 4 Jan 2018 21:04:32 +0800 +Subject: scsi: libsas: fix error when getting phy events + +From: Jason Yan + + +[ Upstream commit 2b23d9509fd7174b362482cf5f3b5f9a2265bc33 ] + +The intend purpose here was to goto out if smp_execute_task() returned +error. Obviously something got screwed up. We will never get these link +error statistics below: + +~:/sys/class/sas_phy/phy-1:0:12 # cat invalid_dword_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat running_disparity_error_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat loss_of_dword_sync_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat phy_reset_problem_count +0 + +Obviously we should goto error handler if smp_execute_task() returns +non-zero. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Jason Yan +CC: John Garry +CC: chenqilin +CC: chenxiang +Reviewed-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -675,7 +675,7 @@ int sas_smp_get_phy_events(struct sas_ph + res = smp_execute_task(dev, req, RPEL_REQ_SIZE, + resp, RPEL_RESP_SIZE); + +- if (!res) ++ if (res) + goto out; + + phy->invalid_dword_count = scsi_to_u32(&resp[12]); diff --git a/queue-3.18/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch b/queue-3.18/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch new file mode 100644 index 00000000000..41e273d4030 --- /dev/null +++ b/queue-3.18/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch 
@@ -0,0 +1,42 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jason Yan +Date: Thu, 4 Jan 2018 21:04:31 +0800 +Subject: scsi: libsas: fix memory leak in sas_smp_get_phy_events() + +From: Jason Yan + + +[ Upstream commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 ] + +We've got a memory leak with the following producer: + +while true; +do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null; +done + +The buffer req is allocated and not freed after we return. Fix it. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Jason Yan +CC: John Garry +CC: chenqilin +CC: chenxiang +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_ph + phy->phy_reset_problem_count = scsi_to_u32(&resp[24]); + + out: ++ kfree(req); + kfree(resp); + return res; + diff --git a/queue-3.18/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch b/queue-3.18/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch new file mode 100644 index 00000000000..719f803f41e --- /dev/null +++ b/queue-3.18/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch 
@@ -0,0 +1,44 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: chenxiang +Date: Thu, 4 Jan 2018 21:04:33 +0800 +Subject: scsi: libsas: initialize sas_phy status according to response of DISCOVER + +From: chenxiang + + +[ Upstream commit affc67788fe5dfffad5cda3d461db5cf2b2ff2b0 ] + +The status of SAS PHY is in sas_phy->enabled. There is an issue that the +status of a remote SAS PHY may be initialized incorrectly: if disable +remote SAS PHY through sysfs interface (such as echo 0 > +/sys/class/sas_phy/phy-1:0:0/enable), then reboot the system, and we +will find the status of remote SAS PHY which is disabled before is +1 (cat /sys/class/sas_phy/phy-1:0:0/enable). But actually the status of +remote SAS PHY is disabled and the device attached is not found. + +In SAS protocol, NEGOTIATED LOGICAL LINK RATE field of DISCOVER response +is 0x1 when remote SAS PHY is disabled. So initialize sas_phy->enabled +according to the value of NEGOTIATED LOGICAL LINK RATE field. + +Signed-off-by: chenxiang +Reviewed-by: John Garry +Signed-off-by: Jason Yan +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain + phy->phy->minimum_linkrate = dr->pmin_linkrate; + phy->phy->maximum_linkrate = dr->pmax_linkrate; + phy->phy->negotiated_linkrate = phy->linkrate; ++ phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED); + + skip: + if (new_phy) diff --git a/queue-3.18/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch b/queue-3.18/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch new file mode 100644 index 00000000000..c89f1cb9f3c --- /dev/null +++ b/queue-3.18/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch 
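Review bot: the new assignment to phy->phy->enabled in sas_set_ex_phy() sits directly above the skip: label, so any path that jumps to skip leaves enabled at its previous value. Those jumps are outside the visible context; they should be checked so that a phy taking the skip path cannot report a stale enabled state through /sys/class/sas_phy, and the changelog should say which paths are intentionally left alone.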
@@ -0,0 +1,74 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Xin Long +Date: Sat, 10 Jun 2017 14:56:56 +0800 +Subject: sctp: fix recursive locking warning in sctp_do_peeloff + +From: Xin Long + + +[ Upstream commit 6dfe4b97e08ec3d1a593fdaca099f0ef0a3a19e6 ] + +Dmitry got the following recursive locking report while running syzkaller +fuzzer, the Call Trace: + __dump_stack lib/dump_stack.c:16 [inline] + dump_stack+0x2ee/0x3ef lib/dump_stack.c:52 + print_deadlock_bug kernel/locking/lockdep.c:1729 [inline] + check_deadlock kernel/locking/lockdep.c:1773 [inline] + validate_chain kernel/locking/lockdep.c:2251 [inline] + __lock_acquire+0xef2/0x3430 kernel/locking/lockdep.c:3340 + lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755 + lock_sock_nested+0xcb/0x120 net/core/sock.c:2536 + lock_sock include/net/sock.h:1460 [inline] + sctp_close+0xcd/0x9d0 net/sctp/socket.c:1497 + inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 + inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 + sock_release+0x8d/0x1e0 net/socket.c:597 + __sock_create+0x38b/0x870 net/socket.c:1226 + sock_create+0x7f/0xa0 net/socket.c:1237 + sctp_do_peeloff+0x1a2/0x440 net/sctp/socket.c:4879 + sctp_getsockopt_peeloff net/sctp/socket.c:4914 [inline] + sctp_getsockopt+0x111a/0x67e0 net/sctp/socket.c:6628 + sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2690 + SYSC_getsockopt net/socket.c:1817 [inline] + SyS_getsockopt+0x240/0x380 net/socket.c:1799 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +This warning is caused by the lock held by sctp_getsockopt() is on one +socket, while the other lock that sctp_close() is getting later is on +the newly created (which failed) socket during peeloff operation. + +This patch is to avoid this warning by use lock_sock with subclass +SINGLE_DEPTH_NESTING as Wang Cong and Marcelo's suggestion. + +Reported-by: Dmitry Vyukov +Suggested-by: Marcelo Ricardo Leitner +Suggested-by: Cong Wang +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1513,7 +1513,7 @@ static void sctp_close(struct sock *sk, + + pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout); + +- lock_sock(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + sk->sk_shutdown = SHUTDOWN_MASK; + sk->sk_state = SCTP_SS_CLOSING; + +@@ -1564,7 +1564,7 @@ static void sctp_close(struct sock *sk, + * held and that should be grabbed before socket lock. + */ + spin_lock_bh(&net->sctp.addr_wq_lock); +- bh_lock_sock(sk); ++ bh_lock_sock_nested(sk); + + /* Hold the sock, since sk_common_release() will put sock_put() + * and we have just a little more cleanup. diff --git a/queue-3.18/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch b/queue-3.18/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch new file mode 100644 index 00000000000..1079b5cd5e2 --- /dev/null +++ b/queue-3.18/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch 
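Review bot: switching sctp_close() to lock_sock_nested(sk, SINGLE_DEPTH_NESTING) and bh_lock_sock_nested(sk) applies the nesting annotation to every close, not only to the failed peeloff path in the reported trace, so lockdep will no longer flag a genuine recursive acquisition of two SCTP socket locks that goes through this function. A comment at the lock_sock_nested() call naming the sctp_do_peeloff() case it exists for would document why the annotation is safe and make it easier to revisit.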
@@ -0,0 +1,50 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Michael Ellerman +Date: Fri, 19 May 2017 11:29:04 +1000 +Subject: selftests/powerpc: Fix TM resched DSCR test with some compilers + +From: Michael Ellerman + + +[ Upstream commit fe06fe860250a4f01d0eaf70a2563b1997174a74 ] + +The tm-resched-dscr test has started failing sometimes, depending on +what compiler it's built with, eg: + + test: tm_resched_dscr + Check DSCR TM context switch: tm-resched-dscr: tm-resched-dscr.c:76: test_body: Assertion `rv' failed. + !! child died by signal 6 + +When it fails we see that the compiler doesn't initialise rv to 1 before +entering the inline asm block. Although that's counter intuitive, it +is allowed because we tell the compiler that the inline asm will write +to rv (using "=r"), meaning the original value is irrelevant. + +Marking it as a read/write parameter would presumably work, but it seems +simpler to fix it by setting the initial value of rv in the inline asm. + +Fixes: 96d016108640 ("powerpc: Correct DSCR during TM context switch") +Signed-off-by: Michael Ellerman +Acked-by: Michael Neuling +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/powerpc/tm/tm-resched-dscr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c ++++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c +@@ -45,12 +45,12 @@ int test_body(void) + printf("Check DSCR TM context switch: "); + fflush(stdout); + for (;;) { +- rv = 1; + asm __volatile__ ( + /* set a known value into the DSCR */ + "ld 3, %[dscr1];" + "mtspr %[sprn_dscr], 3;" + ++ "li %[rv], 1;" + /* start and suspend a transaction */ + TBEGIN + "beq 1f;" diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..134e53bbb43 --- /dev/null +++ b/queue-3.18/series 
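Review bot: with "li %[rv], 1;" now inside the asm block in test_body(), rv is written before the end of the statement, so it must not share a register with any input operand that is read after that instruction. The constraint list is outside the visible context; if rv is declared with a plain "=r" as the changelog states, it should become an early-clobber output ("=&r") unless every register input is consumed before the li.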
@@ -0,0 +1,103 @@ +nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch +ib-srpt-fix-abort-handling.patch +af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch +mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch +bna-avoid-reading-past-end-of-buffer.patch +qlge-avoid-reading-past-end-of-buffer.patch +net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch +lockd-fix-lockd-shutdown-race.patch +pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch +s390-move-_text-symbol-to-address-higher-than-zero.patch +net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch +cifs-silence-lockdep-splat-in-cifs_relock_file.patch +net-qca_spi-fix-alignment-issues-in-rx-path.patch +netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch +kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch +vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch +smb2-fix-share-type-handling.patch +powercap-fix-an-error-code-in-powercap_register_zone.patch +staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch +x86-tsc-provide-tsc-unstable-boot-parameter.patch +arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch +ipv6-avoid-dad-failures-for-addresses-with-nodad.patch +async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch +usb-dwc3-keystone-check-return-value.patch +btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch +ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch +neighbour-update-neigh-timestamps-iff-update-is-effective.patch +usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch +usb-ene_usb6250-fix-first-command-execution.patch +net-x25-fix-one-potential-use-after-free-issue.patch +usb-ene_usb6250-fix-scsi-residue-overwriting.patch 
+sh_eth-use-platform-device-for-printing-before-register_netdev.patch +ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch +selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch +xfrm-fix-state-migration-copy-replay-sequence-numbers.patch +arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch +ray_cs-avoid-reading-past-end-of-buffer.patch +leds-pca955x-correct-i2c-functionality.patch +block-fix-an-error-code-in-add_partition.patch +libceph-null-deref-on-crush_decode-error-path.patch +netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch +scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch +fix-race-in-drivers-char-random.c-get_reg.patch +ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch +net-move-somaxconn-init-from-sysctl-code.patch +bonding-don-t-update-slave-link-until-ready-to-commit.patch +kvm-nvmx-fix-handling-of-lmsw-instruction.patch +net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch +l2tp-fix-missing-print-session-offset-info.patch +scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch +vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch +wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch +hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch +ovl-filter-trusted-xattr-for-non-admin.patch +powerpc-don-t-clobber-tcr-when-setting-tcr.patch +arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch +rtc-interface-validate-alarm-time-before-handling-rollover.patch +net-freescale-fix-potential-null-pointer-dereference.patch +kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch +powerpc-spufs-fix-coredump-of-spu-contexts.patch +perf-trace-add-mmap-alias-for-s390.patch +qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch +misdn-fix-a-sleep-in-atomic-bug.patch +drm-omap-fix-tiled-buffer-stride-calculations.patch 
+fix-serial-console-on-sni-rm400-machines.patch +bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch +skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch +net-mlx4-fix-the-check-in-attaching-steering-rules.patch +perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch +tags-honor-compiled_source-with-apart-output-directory.patch +e1000e-fix-race-condition-around-skb_tstamp_tx.patch +cx25840-fix-unchecked-return-values.patch +mceusb-sporadic-rx-truncation-corruption-fix.patch +net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch +e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch +perf-core-correct-event-creation-with-perf_format_group.patch +mips-mm-fixed-mappings-correct-initialisation.patch +mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch +net-emac-fix-reset-timeout-with-ar8035-phy.patch +perf-tests-decompress-kernel-module-before-objdump.patch +xen-avoid-type-warning-in-xchg_xen_ulong.patch +bnx2x-allow-vfs-to-disable-txvlan-offload.patch +sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch +sparc64-ldc-abort-during-vds-iso-boot.patch +iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch +bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch +acpica-events-add-runtime-stub-support-for-event-apis.patch +acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch +vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch +bcache-stop-writeback-thread-after-detaching.patch +bcache-segregate-flash-only-volume-write-streams.patch +scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch +scsi-libsas-fix-error-when-getting-phy-events.patch +scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch +tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch +edac-mv64x60-fix-an-error-handling-path.patch +signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch 
+signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch +signal-arm-document-conflicts-with-si_user-and-sigfpe.patch +ipsec-check-return-value-of-skb_to_sgvec-always.patch +rxrpc-check-return-value-of-skb_to_sgvec-always.patch +virtio_net-check-return-value-of-skb_to_sgvec-always.patch +virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch diff --git a/queue-3.18/sh_eth-use-platform-device-for-printing-before-register_netdev.patch b/queue-3.18/sh_eth-use-platform-device-for-printing-before-register_netdev.patch new file mode 100644 index 00000000000..9a87b0a20b6 --- /dev/null +++ b/queue-3.18/sh_eth-use-platform-device-for-printing-before-register_netdev.patch @@ -0,0 +1,40 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Geert Uytterhoeven +Date: Thu, 18 May 2017 15:01:34 +0200 +Subject: sh_eth: Use platform device for printing before register_netdev() + +From: Geert Uytterhoeven + + +[ Upstream commit 5f5c5449acad0cd3322e53e1ac68c044483b0aa5 ] + +The MDIO initialization failure message is printed using the network +device, before it has been registered, leading to: + + (null): failed to initialise MDIO + +Use the platform device instead to fix this: + + sh-eth ee700000.ethernet: failed to initialise MDIO + +Fixes: daacf03f0bbfefee ("sh_eth: Register MDIO bus before registering the network device") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2933,7 +2933,7 @@ static int sh_eth_drv_probe(struct platf + /* MDIO bus init */ + ret = sh_mdio_init(mdp, pd); + if (ret) { +- dev_err(&ndev->dev, "failed to initialise MDIO\n"); ++ dev_err(&pdev->dev, "failed to initialise MDIO\n"); + goto out_release; + } + 
diff --git a/queue-3.18/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch b/queue-3.18/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch new file mode 100644 index 00000000000..b57e9c963c7 --- /dev/null +++ b/queue-3.18/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch 
@@ -0,0 +1,70 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Eric W. Biederman" +Date: Thu, 17 Aug 2017 17:07:46 -0500 +Subject: signal/arm: Document conflicts with SI_USER and SIGFPE + +From: "Eric W. Biederman" + + +[ Upstream commit 7771c66457004977b616bab785209f49d164f527 ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +that uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME, siginfo_layout will now return SIL_FAULT and the +appropriate fields will be reliably copied. + +Possible ABI fixes includee: +- Send the signal without siginfo +- Don't generate a signal +- Possibly assign and use an appropriate si_code +- Don't handle cases which can't happen + +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Ref: 451436b7bbb2 ("[ARM] Add support code for ARM hardware vector floating point") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/uapi/asm/siginfo.h | 13 +++++++++++++ + arch/arm/vfp/vfpmodule.c | 2 +- + 2 files changed, 14 insertions(+), 1 deletion(-) + create mode 100644 arch/arm/include/uapi/asm/siginfo.h + +--- /dev/null ++++ b/arch/arm/include/uapi/asm/siginfo.h +@@ -0,0 +1,13 @@ ++#ifndef __ASM_SIGINFO_H ++#define __ASM_SIGINFO_H ++ ++#include ++ ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++#endif +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -261,7 +261,7 @@ static void vfp_raise_exceptions(u32 exc + + if (exceptions == VFP_EXCEPTION_ERROR) { + vfp_panic("unhandled bounce", inst); +- vfp_raise_sigfpe(0, regs); ++ vfp_raise_sigfpe(FPE_FIXME, regs); + return; + } + diff --git a/queue-3.18/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch b/queue-3.18/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch new file mode 100644 index 00000000000..61cb0d66737 --- /dev/null +++ b/queue-3.18/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch 
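Review bot: in the signal/arm patch, FPE_FIXME is defined as 0 and the only code change in arch/arm/vfp/vfpmodule.c replaces `vfp_raise_sigfpe(0, regs)` with `vfp_raise_sigfpe(FPE_FIXME, regs)`, so userspace still receives si_code 0 after this patch. None of the hunks touch siginfo_layout(), which the message says will now return SIL_FAULT. For a stable queue the message should state that this patch only names the constant and that the layout behaviour depends on code outside it.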
@@ -0,0 +1,66 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Eric W. Biederman" +Date: Tue, 1 Aug 2017 10:37:40 -0500 +Subject: signal/metag: Document a conflict with SI_USER with SIGFPE + +From: "Eric W. Biederman" + + +[ Upstream commit b80328be53c215346b153769267b38f531d89b4f ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +hat uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME siginfo_layout will now return SIL_FAULT and the +appropriate fields will reliably be copied. + +Possible ABI fixes includee: + - Send the signal without siginfo + - Don't generate a signal + - Possibly assign and use an appropriate si_code + - Don't handle cases which can't happen + +Cc: James Hogan +Cc: linux-metag@vger.kernel.org +Ref: ac919f0883e5 ("metag: Traps") +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/metag/include/uapi/asm/siginfo.h | 7 +++++++ + arch/metag/kernel/traps.c | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/arch/metag/include/uapi/asm/siginfo.h ++++ b/arch/metag/include/uapi/asm/siginfo.h +@@ -5,4 +5,11 @@ + + #include + ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ + #endif +--- a/arch/metag/kernel/traps.c ++++ b/arch/metag/kernel/traps.c +@@ -732,7 +732,7 @@ TBIRES fpe_handler(TBIRES State, int Sig + else if (error_state & TXSTAT_FPE_INEXACT_BIT) + info.si_code = FPE_FLTRES; + else +- info.si_code = 0; ++ info.si_code = FPE_FIXME; + info.si_errno = 0; + info.si_addr = (__force void __user *)regs->ctx.CurrPC; + force_sig_info(SIGFPE, &info, current); diff --git a/queue-3.18/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch b/queue-3.18/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch new file mode 100644 index 00000000000..4741e32ab9e --- /dev/null +++ b/queue-3.18/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch 
@@ -0,0 +1,114 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Eric W. Biederman" +Date: Sat, 19 Aug 2017 15:26:01 -0500 +Subject: signal/powerpc: Document conflicts with SI_USER and SIGFPE and SIGTRAP + +From: "Eric W. Biederman" + + +[ Upstream commit cf4674c46c66e45f238f8f7e81af2a444b970c0a ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +that uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME and TRAP_FIXME, siginfo_layout() will now return +SIL_FAULT and the appropriate fields will be reliably copied. + +Possible ABI fixes includee: +- Send the signal without siginfo +- Don't generate a signal +- Possibly assign and use an appropriate si_code +- Don't handle cases which can't happen +Cc: Paul Mackerras +Cc: Kumar Gala +Cc: Michael Ellerman +Cc: Benjamin Herrenschmidt +Cc: linuxppc-dev@lists.ozlabs.org +Ref: 9bad068c24d7 ("[PATCH] ppc32: support for e500 and 85xx") +Ref: 0ed70f6105ef ("PPC32: Provide proper siginfo information on various exceptions.") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/uapi/asm/siginfo.h | 15 +++++++++++++++ + arch/powerpc/kernel/traps.c | 10 +++++----- + 2 files changed, 20 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/include/uapi/asm/siginfo.h ++++ b/arch/powerpc/include/uapi/asm/siginfo.h +@@ -17,4 +17,19 @@ + #undef NSIGTRAP + #define NSIGTRAP 4 + ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++/* ++ * SIGTRAP si_codes ++ */ ++#ifdef __KERNEL__ ++#define TRAP_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++ + #endif /* _ASM_POWERPC_SIGINFO_H */ +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -769,7 +769,7 @@ void unknown_exception(struct pt_regs *r + printk("Bad trap at PC: %lx, SR: %lx, vector=%lx\n", + regs->nip, regs->msr, regs->trap); + +- _exception(SIGTRAP, regs, 0, 0); ++ _exception(SIGTRAP, regs, TRAP_FIXME, 0); + + exception_exit(prev_state); + } +@@ -791,7 +791,7 @@ bail: + + void RunModeException(struct pt_regs *regs) + { +- _exception(SIGTRAP, regs, 0, 0); ++ _exception(SIGTRAP, regs, TRAP_FIXME, 0); + } + + void __kprobes single_step_exception(struct pt_regs *regs) +@@ -826,7 +826,7 @@ static void emulate_single_step(struct p + + static inline int __parse_fpscr(unsigned long fpscr) + { +- int ret = 0; ++ int ret = FPE_FIXME; + + /* Invalid operation */ + if ((fpscr & FPSCR_VE) && (fpscr & FPSCR_VX)) +@@ -1742,7 +1742,7 @@ void SPEFloatingPointException(struct pt + extern int do_spe_mathemu(struct pt_regs *regs); + unsigned long spefscr; + int fpexc_mode; +- int code = 0; ++ int code = FPE_FIXME; + int err; + + flush_spe_to_thread(current); +@@ -1811,7 +1811,7 @@ void SPEFloatingPointRoundException(stru + printk(KERN_ERR "unrecognized spe instruction " + "in %s at %lx\n", current->comm, regs->nip); + } else { +- _exception(SIGFPE, regs, 0, regs->nip); ++ _exception(SIGFPE, regs, 
FPE_FIXME, regs->nip); + return; + } + } diff --git a/queue-3.18/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch b/queue-3.18/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch new file mode 100644 index 00000000000..5845243d349 --- /dev/null +++ b/queue-3.18/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch 
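Review bot: in the signal/powerpc patch, the arch/powerpc/include/uapi/asm/siginfo.h hunk adds two back-to-back `#ifdef __KERNEL__` blocks, one for FPE_FIXME and one for TRAP_FIXME, and leaves two added blank lines in front of the existing blank line before the closing `#endif`. Both defines can sit under a single `#ifdef __KERNEL__`, and the extra blank lines can be dropped.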
@@ -0,0 +1,183 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:22 +0200 +Subject: skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow + +From: "Jason A. Donenfeld" + + +[ Upstream commit 48a1df65334b74bd7531f932cca5928932abf769 ] + +This is a defense-in-depth measure in response to bugs like +4d6fa57b4dab ("macsec: avoid heap overflow in skb_to_sgvec"). There's +not only a potential overflow of sglist items, but also a stack overflow +potential, so we fix this by limiting the amount of recursion this function +is allowed to do. Not actually providing a bounded base case is a future +disaster that we can easily avoid here. + +As a small matter of house keeping, we take this opportunity to move the +documentation comment over the actual function the documentation is for. + +While this could be implemented by using an explicit stack of skbuffs, +when implementing this, the function complexity increased considerably, +and I don't think such complexity and bloat is actually worth it. So, +instead I built this and tested it on x86, x86_64, ARM, ARM64, and MIPS, +and measured the stack usage there. I also reverted the recent MIPS +changes that give it a separate IRQ stack, so that I could experience +some worst-case situations. I found that limiting it to 24 layers deep +yielded a good stack usage with room for safety, as well as being much +deeper than any driver actually ever creates. + +Signed-off-by: Jason A. Donenfeld +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: David Howells +Cc: Sabrina Dubroca +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 8 +++--- + net/core/skbuff.c | 65 +++++++++++++++++++++++++++++++------------------ + 2 files changed, 46 insertions(+), 27 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -845,10 +845,10 @@ struct sk_buff *skb_realloc_headroom(str + unsigned int headroom); + struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom, + int newtailroom, gfp_t priority); +-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, +- int offset, int len); +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, +- int len); ++int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, ++ int offset, int len); ++int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, ++ int offset, int len); + int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer); + int skb_pad(struct sk_buff *skb, int pad); + #define dev_kfree_skb(a) consume_skb(a) +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3285,24 +3285,18 @@ void __init skb_init(void) + NULL); + } + +-/** +- * skb_to_sgvec - Fill a scatter-gather list from a socket buffer +- * @skb: Socket buffer containing the buffers to be mapped +- * @sg: The scatter-gather list to map into +- * @offset: The offset into the buffer's contents to start mapping +- * @len: Length of buffer space to be mapped +- * +- * Fill the specified scatter-gather list with mappings/pointers into a +- * region of the buffer space attached to a socket buffer. 
+- */ + static int +-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) ++__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len, ++ unsigned int recursion_level) + { + int start = skb_headlen(skb); + int i, copy = start - offset; + struct sk_buff *frag_iter; + int elt = 0; + ++ if (unlikely(recursion_level >= 24)) ++ return -EMSGSIZE; ++ + if (copy > 0) { + if (copy > len) + copy = len; +@@ -3321,6 +3315,8 @@ __skb_to_sgvec(struct sk_buff *skb, stru + end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]); + if ((copy = end - offset) > 0) { + skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; ++ if (unlikely(elt && sg_is_last(&sg[elt - 1]))) ++ return -EMSGSIZE; + + if (copy > len) + copy = len; +@@ -3335,16 +3331,22 @@ __skb_to_sgvec(struct sk_buff *skb, stru + } + + skb_walk_frags(skb, frag_iter) { +- int end; ++ int end, ret; + + WARN_ON(start > offset + len); + + end = start + frag_iter->len; + if ((copy = end - offset) > 0) { ++ if (unlikely(elt && sg_is_last(&sg[elt - 1]))) ++ return -EMSGSIZE; ++ + if (copy > len) + copy = len; +- elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start, +- copy); ++ ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start, ++ copy, recursion_level + 1); ++ if (unlikely(ret < 0)) ++ return ret; ++ elt += ret; + if ((len -= copy) == 0) + return elt; + offset += copy; +@@ -3355,6 +3357,31 @@ __skb_to_sgvec(struct sk_buff *skb, stru + return elt; + } + ++/** ++ * skb_to_sgvec - Fill a scatter-gather list from a socket buffer ++ * @skb: Socket buffer containing the buffers to be mapped ++ * @sg: The scatter-gather list to map into ++ * @offset: The offset into the buffer's contents to start mapping ++ * @len: Length of buffer space to be mapped ++ * ++ * Fill the specified scatter-gather list with mappings/pointers into a ++ * region of the buffer space attached to a socket buffer. 
Returns either ++ * the number of scatterlist items used, or -EMSGSIZE if the contents ++ * could not fit. ++ */ ++int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) ++{ ++ int nsg = __skb_to_sgvec(skb, sg, offset, len, 0); ++ ++ if (nsg <= 0) ++ return nsg; ++ ++ sg_mark_end(&sg[nsg - 1]); ++ ++ return nsg; ++} ++EXPORT_SYMBOL_GPL(skb_to_sgvec); ++ + /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given + * sglist without mark the sg which contain last skb data as the end. + * So the caller can mannipulate sg list as will when padding new data after +@@ -3377,19 +3404,11 @@ __skb_to_sgvec(struct sk_buff *skb, stru + int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, + int offset, int len) + { +- return __skb_to_sgvec(skb, sg, offset, len); ++ return __skb_to_sgvec(skb, sg, offset, len, 0); + } + EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark); + +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) +-{ +- int nsg = __skb_to_sgvec(skb, sg, offset, len); + +- sg_mark_end(&sg[nsg - 1]); +- +- return nsg; +-} +-EXPORT_SYMBOL_GPL(skb_to_sgvec); + + /** + * skb_cow_data - Check that a socket buffer's data buffers are writable diff --git a/queue-3.18/smb2-fix-share-type-handling.patch b/queue-3.18/smb2-fix-share-type-handling.patch new file mode 100644 index 00000000000..9d07276dfc0 --- /dev/null +++ b/queue-3.18/smb2-fix-share-type-handling.patch 
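Review bot: in the skbuff patch, the recursion limit in __skb_to_sgvec() is the bare literal in `if (unlikely(recursion_level >= 24))`. Give it a named constant with a comment recording the stack measurements described in the commit message, so the bound can be found and revisited. The two new `sg_is_last(&sg[elt - 1])` checks only detect a full table when the caller has set the end marker on the last entry of its scatterlist (for example with sg_init_table()); the relocated kernel-doc for skb_to_sgvec() should state that requirement next to the new -EMSGSIZE return.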
@@ -0,0 +1,57 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Christophe JAILLET +Date: Fri, 12 May 2017 17:59:32 +0200 +Subject: SMB2: Fix share type handling + +From: Christophe JAILLET + + +[ Upstream commit cd1230070ae1c12fd34cf6a557bfa81bf9311009 ] + +In fs/cifs/smb2pdu.h, we have: +#define SMB2_SHARE_TYPE_DISK 0x01 +#define SMB2_SHARE_TYPE_PIPE 0x02 +#define SMB2_SHARE_TYPE_PRINT 0x03 + +Knowing that, with the current code, the SMB2_SHARE_TYPE_PRINT case can +never trigger and printer share would be interpreted as disk share. + +So, test the ShareType value for equality instead. + +Fixes: faaf946a7d5b ("CIFS: Add tree connect/disconnect capability for SMB2") +Signed-off-by: Christophe JAILLET +Acked-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -921,15 +921,19 @@ SMB2_tcon(const unsigned int xid, struct + goto tcon_exit; + } + +- if (rsp->ShareType & SMB2_SHARE_TYPE_DISK) ++ switch (rsp->ShareType) { ++ case SMB2_SHARE_TYPE_DISK: + cifs_dbg(FYI, "connection to disk share\n"); +- else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) { ++ break; ++ case SMB2_SHARE_TYPE_PIPE: + tcon->ipc = true; + cifs_dbg(FYI, "connection to pipe share\n"); +- } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) { +- tcon->print = true; ++ break; ++ case SMB2_SHARE_TYPE_PRINT: ++ tcon->ipc = true; + cifs_dbg(FYI, "connection to printer\n"); +- } else { ++ break; ++ default: + cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType); + rc = -EOPNOTSUPP; + goto tcon_error_exit; diff --git a/queue-3.18/sparc64-ldc-abort-during-vds-iso-boot.patch b/queue-3.18/sparc64-ldc-abort-during-vds-iso-boot.patch new file mode 100644 index 00000000000..1879c72c511 --- /dev/null +++ b/queue-3.18/sparc64-ldc-abort-during-vds-iso-boot.patch 
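Review bot: in the SMB2 share type patch, the SMB2_SHARE_TYPE_PRINT case of the new switch in SMB2_tcon() sets `tcon->ipc = true`, where the removed branch set `tcon->print = true`. The commit message only describes replacing the bit tests with equality tests and does not mention this change. Please confirm it is intended and say so in the message, or keep `tcon->print = true` in the printer case.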
@@ -0,0 +1,58 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jag Raman +Date: Fri, 9 Jun 2017 12:29:31 -0400 +Subject: sparc64: ldc abort during vds iso boot + +From: Jag Raman + + +[ Upstream commit 6c95483b768c62f8ee933ae08a1bdbcb78b5410f ] + +Orabug: 20902628 + +When an ldc control-only packet is received during data exchange in +read_nonraw(), a new rx head is calculated but the rx queue head is not +actually advanced (rx_set_head() is not called) and a branch is taken to +'no_data' at which point two things can happen depending on the value +of the newly calculated rx head and the current rx tail: + +- If the rx queue is determined to be not empty, then the wrong packet + is picked up. + +- If the rx queue is determined to be empty, then a read error (EAGAIN) + is eventually returned since it is falsely assumed that more data was + expected. + +The fix is to update the rx head and return in case of a control only +packet during data exchange. + +Signed-off-by: Jagannathan Raman +Reviewed-by: Aaron Young +Reviewed-by: Alexandre Chartre +Reviewed-by: Bijan Mottahedeh +Reviewed-by: Liam Merwick +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/ldc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/sparc/kernel/ldc.c ++++ b/arch/sparc/kernel/ldc.c +@@ -1693,9 +1693,14 @@ static int read_nonraw(struct ldc_channe + + lp->rcv_nxt = p->seqid; + ++ /* ++ * If this is a control-only packet, there is nothing ++ * else to do but advance the rx queue since the packet ++ * was already processed above. ++ */ + if (!(p->type & LDC_DATA)) { + new = rx_advance(lp, new); +- goto no_data; ++ break; + } + if (p->stype & (LDC_ACK | LDC_NACK)) { + err = data_ack_nack(lp, p); 
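Review bot: in the sparc64 ldc patch, the control-only branch of read_nonraw() now does `new = rx_advance(lp, new);` followed by `break`, but no rx_set_head() call appears in the changed lines, and the message names the missing rx_set_head() as the bug. The fix therefore relies on code after the loop that this hunk does not show. The added comment should say that the head computed here is written back after the loop, so the intent of `break` versus `goto no_data` is clear at the point of change.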
diff --git a/queue-3.18/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch b/queue-3.18/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch new file mode 100644 index 00000000000..9d80d3b1a11 --- /dev/null +++ b/queue-3.18/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch 
@@ -0,0 +1,40 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Andrea della Porta +Date: Sat, 29 Apr 2017 07:30:23 +0100 +Subject: staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning + +From: Andrea della Porta + + +[ Upstream commit dea20579a69ab68cdca6adf79bb7c0c162eb9b72 ] + +staging: wlan-ng: prism2mgmt.c: This patches fixes a double endian conversion. +cpu_to_le16() was called twice first in prism2mgmt_scan and again inside +hfa384x_drvr_setconfig16() for the same variable, hence it was swapped +twice. Incidentally, it also fixed the following sparse warning: + +drivers/staging/wlan-ng/prism2mgmt.c:173:30: warning: incorrect type in assignment (different base types) +drivers/staging/wlan-ng/prism2mgmt.c:173:30: expected unsigned short [unsigned] [usertype] word +drivers/staging/wlan-ng/prism2mgmt.c:173:30: got restricted __le16 [usertype] + +Unfortunately, only compile tested. + +Signed-off-by: Andrea della Porta +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/wlan-ng/prism2mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -169,7 +169,7 @@ int prism2mgmt_scan(wlandevice_t *wlande + hw->ident_sta_fw.variant) > + HFA384x_FIRMWARE_VERSION(1, 5, 0)) { + if (msg->scantype.data != P80211ENUM_scantype_active) +- word = cpu_to_le16(msg->maxchanneltime.data); ++ word = msg->maxchanneltime.data; + else + word = 0; + diff --git a/queue-3.18/tags-honor-compiled_source-with-apart-output-directory.patch b/queue-3.18/tags-honor-compiled_source-with-apart-output-directory.patch new file mode 100644 index 00000000000..9326e7295a7 --- /dev/null +++ b/queue-3.18/tags-honor-compiled_source-with-apart-output-directory.patch 
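Review bot: in the wlan-ng patch, dropping cpu_to_le16() from `word = msg->maxchanneltime.data;` in prism2mgmt_scan() is only correct if hfa384x_drvr_setconfig16() converts its argument itself, which this hunk does not show, and the message states the change was only compile tested. The message should point at the conversion inside hfa384x_drvr_setconfig16() so the claim can be checked, and the change should be run on hardware before it is relied on in a stable tree.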
@@ -0,0 +1,34 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Robert Jarzmik +Date: Mon, 5 Jun 2017 13:59:15 +0200 +Subject: tags: honor COMPILED_SOURCE with apart output directory + +From: Robert Jarzmik + + +[ Upstream commit cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7 ] + +When the kernel is compiled with an "O=" argument, the object files are +not in the source tree, but in the build tree. + +This patch fixes O= build by looking for object files in the build tree. + +Fixes: 923e02ecf3f8 ("scripts/tags.sh: Support compiled source") +Signed-off-by: Robert Jarzmik +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/tags.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/tags.sh ++++ b/scripts/tags.sh +@@ -106,6 +106,7 @@ all_compiled_sources() + case "$i" in + *.[cS]) + j=${i/\.[cS]/\.o} ++ j="${j#$tree}" + if [ -e $j ]; then + echo $i + fi diff --git a/queue-3.18/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch b/queue-3.18/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch new file mode 100644 index 00000000000..8810ba65a6c --- /dev/null +++ b/queue-3.18/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch 
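Review bot: in the scripts/tags.sh patch, the added `j="${j#$tree}"` in all_compiled_sources() leaves `$tree` unquoted inside the expansion, so glob characters in the tree path are interpreted as a pattern, and the `[ -e $j ]` test on the next line is unquoted as well. Use `${j#"$tree"}` and `[ -e "$j" ]` so that paths containing spaces or wildcard characters are handled.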
@@ -0,0 +1,119 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Tony Lindgren +Date: Wed, 3 Jan 2018 10:18:03 -0800 +Subject: tty: n_gsm: Allow ADM response in addition to UA for control dlci + +From: Tony Lindgren + + +[ Upstream commit ea3d8465ab9b3e01be329ac5195970a84bef76c5 ] + +Some devices have the control dlci stay in ADM mode instead of the UA +mode. This can seen at least on droid 4 when trying to open the ts +27.010 mux port. Enabling n_gsm debug mode shows the control dlci +always respond with DM to SABM instead of UA: + +# modprobe n_gsm debug=0xff +# ldattach -d GSM0710 /dev/ttyS0 & +gsmld_output: 00000000: f9 03 3f 01 1c f9 +--> 0) C: SABM(P) +gsmld_receive: 00000000: f9 03 1f 01 36 f9 +<-- 0) C: DM(P) +... +$ minicom -D /dev/gsmtty1 +minicom: cannot open /dev/gsmtty1: No error information +$ strace minicom -D /dev/gsmtty1 +... +open("/dev/gsmtty1", O_RDWR|O_NOCTTY|O_NONBLOCK|O_LARGEFILE) = -1 EL2HLT + +Note that this is different issue from other n_gsm -EL2HLT issues such +as timeouts when the control dlci does not respond at all. + +The ADM mode seems to be a quite common according to "RF Wireless World" +article "GSM Issue-UE sends SABM and gets a DM response instead of +UA response": + + This issue is most commonly observed in GSM networks where in UE sends + SABM and expects network to send UA response but it ends up receiving + DM response from the network. SABM stands for Set asynchronous balanced + mode, UA stands for Unnumbered Acknowledge and DA stands for + Disconnected Mode. + + An RLP entity can be in one of two modes: + - Asynchronous Balanced Mode (ABM) + - Asynchronous Disconnected Mode (ADM) + +Currently Linux kernel closes the control dlci after several retries +in gsm_dlci_t1() on DM. This causes n_gsm /dev/gsmtty ports to produce +error code -EL2HLT when trying to open them as the closing of control +dlci has already set gsm->dead. 
+ +Let's fix the issue by allowing control dlci stay in ADM mode after the +retries so the /dev/gsmtty ports can be opened and used. It seems that +it might take several attempts to get any response from the control +dlci, so it's best to allow ADM mode only after the SABM retries are +done. + +Note that for droid 4 additional patches are needed to mux the ttyS0 +pins and to toggle RTS gpio_149 to wake up the mdm6600 modem are also +needed to use n_gsm. And the mdm6600 modem needs to be powered on. + +Cc: linux-serial@vger.kernel.org +Cc: Alan Cox +Cc: Jiri Prchal +Cc: Jiri Slaby +Cc: Marcel Partap +Cc: Michael Scott +Cc: Peter Hurley +Cc: Russ Gorby +Cc: Sascha Hauer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1467,6 +1467,10 @@ static void gsm_dlci_open(struct gsm_dlc + * in which case an opening port goes back to closed and a closing port + * is simply put into closed state (any further frames from the other + * end will get a DM response) ++ * ++ * Some control dlci can stay in ADM mode with other dlci working just ++ * fine. In that case we can just keep the control dlci open after the ++ * DLCI_OPENING retries time out. 
+ */ + + static void gsm_dlci_t1(unsigned long data) +@@ -1480,8 +1484,15 @@ static void gsm_dlci_t1(unsigned long da + if (dlci->retries) { + gsm_command(dlci->gsm, dlci->addr, SABM|PF); + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); +- } else ++ } else if (!dlci->addr && gsm->control == (DM | PF)) { ++ if (debug & 8) ++ pr_info("DLCI %d opening in ADM mode.\n", ++ dlci->addr); ++ gsm_dlci_open(dlci); ++ } else { + gsm_dlci_close(dlci); ++ } ++ + break; + case DLCI_CLOSING: + dlci->retries--; +@@ -1499,8 +1510,8 @@ static void gsm_dlci_t1(unsigned long da + * @dlci: DLCI to open + * + * Commence opening a DLCI from the Linux side. We issue SABM messages +- * to the modem which should then reply with a UA, at which point we +- * will move into open state. Opening is done asynchronously with retry ++ * to the modem which should then reply with a UA or ADM, at which point ++ * we will move into open state. Opening is done asynchronously with retry + * running off timers and the responses. + */ + diff --git a/queue-3.18/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch b/queue-3.18/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch new file mode 100644 index 00000000000..3b550fe8d41 --- /dev/null +++ b/queue-3.18/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch 
@@ -0,0 +1,94 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Jisheng Zhang +Date: Wed, 26 Apr 2017 16:59:34 +0800 +Subject: usb: chipidea: properly handle host or gadget initialization failure + +From: Jisheng Zhang + + +[ Upstream commit c4a0bbbdb7f6e3c37fa6deb3ef28c5ed99da6175 ] + +If ci_hdrc_host_init() or ci_hdrc_gadget_init() returns error and the +error != -ENXIO, as Peter pointed out, "it stands for initialization +for host or gadget has failed", so we'd better return failure rather +continue. + +And before destroying the otg, i.e ci_hdrc_otg_destroy(ci), we should +also check ci->roles[CI_ROLE_GADGET]. + +Signed-off-by: Jisheng Zhang +Signed-off-by: Peter Chen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -553,7 +553,7 @@ static inline void ci_role_destroy(struc + { + ci_hdrc_gadget_destroy(ci); + ci_hdrc_host_destroy(ci); +- if (ci->is_otg) ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) + ci_hdrc_otg_destroy(ci); + } + +@@ -653,20 +653,28 @@ static int ci_hdrc_probe(struct platform + /* initialize role(s) before the interrupt is requested */ + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) { + ret = ci_hdrc_host_init(ci); +- if (ret) +- dev_info(dev, "doesn't support host\n"); ++ if (ret) { ++ if (ret == -ENXIO) ++ dev_info(dev, "doesn't support host\n"); ++ else ++ goto deinit_phy; ++ } + } + + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) { + ret = ci_hdrc_gadget_init(ci); +- if (ret) +- dev_info(dev, "doesn't support gadget\n"); ++ if (ret) { ++ if (ret == -ENXIO) ++ dev_info(dev, "doesn't support gadget\n"); ++ else ++ goto deinit_host; ++ } + } + + if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) { + dev_err(dev, "no supported roles\n"); + ret = -ENODEV; +- goto deinit_phy; ++ goto 
deinit_gadget; + } + + if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) { +@@ -676,7 +684,7 @@ static int ci_hdrc_probe(struct platform + ret = ci_hdrc_otg_init(ci); + if (ret) { + dev_err(dev, "init otg fails, ret = %d\n", ret); +- goto stop; ++ goto deinit_gadget; + } + } + +@@ -727,7 +735,12 @@ static int ci_hdrc_probe(struct platform + + free_irq(ci->irq, ci); + stop: +- ci_role_destroy(ci); ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) ++ ci_hdrc_otg_destroy(ci); ++deinit_gadget: ++ ci_hdrc_gadget_destroy(ci); ++deinit_host: ++ ci_hdrc_host_destroy(ci); + deinit_phy: + usb_phy_shutdown(ci->transceiver); + diff --git a/queue-3.18/usb-dwc3-keystone-check-return-value.patch b/queue-3.18/usb-dwc3-keystone-check-return-value.patch new file mode 100644 index 00000000000..1598d7dae8a --- /dev/null +++ b/queue-3.18/usb-dwc3-keystone-check-return-value.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 13:55:13 +0800 +Subject: usb: dwc3: keystone: check return value + +From: Pan Bian + + +[ Upstream commit 018047a1dba7636e1f7fdae2cc290a528991d648 ] + +Function devm_clk_get() returns an ERR_PTR when it fails. However, in +function kdwc3_probe(), its return value is not checked, which may +result in a bad memory access bug. This patch fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-keystone.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-keystone.c ++++ b/drivers/usb/dwc3/dwc3-keystone.c +@@ -117,6 +117,10 @@ static int kdwc3_probe(struct platform_d + dev->dma_mask = &kdwc3_dma_mask; + + kdwc->clk = devm_clk_get(kdwc->dev, "usb"); ++ if (IS_ERR(kdwc->clk)) { ++ dev_err(kdwc->dev, "unable to get usb clock\n"); ++ return PTR_ERR(kdwc->clk); ++ } + + error = clk_prepare_enable(kdwc->clk); + if (error < 0) { 
diff --git a/queue-3.18/usb-ene_usb6250-fix-first-command-execution.patch b/queue-3.18/usb-ene_usb6250-fix-first-command-execution.patch new file mode 100644 index 00000000000..d83929e282f --- /dev/null +++ b/queue-3.18/usb-ene_usb6250-fix-first-command-execution.patch 
@@ -0,0 +1,65 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Alan Stern +Date: Tue, 16 May 2017 11:47:42 -0400 +Subject: USB: ene_usb6250: fix first command execution + +From: Alan Stern + + +[ Upstream commit 4b309f1c4972c8f09e03ac64fc63510dbf5591a4 ] + +In the ene_usb6250 sub-driver for usb-storage, the ene_transport() +routine is supposed to initialize the driver before executing the +current command, if the initialization has not already been performed. +However, a bug in the routine causes it to skip the command after +doing the initialization. Also, the routine does not return an +appropriate error code if either the initialization or the command +fails. + +As a result of the first bug, the first command (a SCSI INQUIRY) is +not carried out. The results can be seen in the system log, in the +form of a warning message and empty or garbage INQUIRY data: + +Apr 18 22:40:08 notebook2 kernel: scsi host6: scsi scan: INQUIRY result too short (5), using 36 +Apr 18 22:40:08 notebook2 kernel: scsi 6:0:0:0: Direct-Access PQ: 0 ANSI: 0 + +This patch fixes both errors. 
+ +Signed-off-by: Alan Stern +Reported-and-tested-by: Andreas Hartmann +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/ene_ub6250.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -2303,21 +2303,22 @@ static int ms_scsi_irp(struct us_data *u + + static int ene_transport(struct scsi_cmnd *srb, struct us_data *us) + { +- int result = 0; ++ int result = USB_STOR_XFER_GOOD; + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra); + + /*US_DEBUG(usb_stor_show_command(us, srb)); */ + scsi_set_resid(srb, 0); +- if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) { ++ if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) + result = ene_init(us); +- } else { ++ if (result == USB_STOR_XFER_GOOD) { ++ result = USB_STOR_TRANSPORT_ERROR; + if (info->SD_Status.Ready) + result = sd_scsi_irp(us, srb); + + if (info->MS_Status.Ready) + result = ms_scsi_irp(us, srb); + } +- return 0; ++ return result; + } + + diff --git a/queue-3.18/usb-ene_usb6250-fix-scsi-residue-overwriting.patch b/queue-3.18/usb-ene_usb6250-fix-scsi-residue-overwriting.patch new file mode 100644 index 00000000000..2d301a82894 --- /dev/null +++ b/queue-3.18/usb-ene_usb6250-fix-scsi-residue-overwriting.patch 
@@ -0,0 +1,40 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Alan Stern +Date: Tue, 16 May 2017 11:47:52 -0400 +Subject: USB: ene_usb6250: fix SCSI residue overwriting + +From: Alan Stern + + +[ Upstream commit aa18c4b6e0e39bfb00af48734ec24bc189ac9909 ] + +In the ene_usb6250 sub-driver for usb-storage, the SCSI residue is not +reported correctly. The residue is initialized to 0, but this value +is overwritten whenever the driver sends firmware to the card reader +before performing the current command. As a result, a valid READ or +WRITE operation appears to have failed, causing the SCSI core to retry +the command multiple times and eventually fail. + +This patch fixes the problem by resetting the SCSI residue to 0 after +sending firmware to the device. + +Signed-off-by: Alan Stern +Reported-and-tested-by: Andreas Hartmann +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/ene_ub6250.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -1950,6 +1950,8 @@ static int ene_load_bincode(struct us_da + bcb->CDB[0] = 0xEF; + + result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0); ++ if (us->srb != NULL) ++ scsi_set_resid(us->srb, 0); + info->BIN_FLAG = flag; + kfree(buf); + diff --git a/queue-3.18/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch b/queue-3.18/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch new file mode 100644 index 00000000000..6a0ee23efae --- /dev/null +++ b/queue-3.18/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch 
@@ -0,0 +1,105 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: "Pieter \\\"PoroCYon\\\" Sluys" +Date: Thu, 4 Jan 2018 16:53:50 +0100 +Subject: vfb: fix video mode and line_length being set when loaded + +From: "Pieter \\\"PoroCYon\\\" Sluys" + + +[ Upstream commit 7b9faf5df0ac495a1a3d7cdb64921c179f9008ac ] + +Currently, when loading the vfb module, the newly created fbdev +has a line_length of 0, and its video mode would be PSEUDOCOLOR +regardless of color depth. (The former could be worked around by +calling the FBIOPUT_VSCREENINFO ioctl with having the FBACTIVIATE_FORCE +flag set.) This patch automatically sets the line_length correctly, +and the video mode is derived from the bit depth now as well. + +Thanks to Geert Uytterhoeven for confirming the bug and helping me with +the patch. + +Output of `fbset -i' before the patch: +mode "1366x768-60" + # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz + geometry 1366 768 1366 768 32 + timings 13806 120 10 14 3 32 5 + rgba 8/0,8/8,8/16,8/24 +endmode + +Frame buffer device information: + Name : Virtual FB + Address : 0xffffaa1405d85000 + Size : 4196352 + Type : PACKED PIXELS + Visual : PSEUDOCOLOR + XPanStep : 1 + YPanStep : 1 + YWrapStep : 1 + LineLength : 0 <-- note this + Accelerator : No + +After: +mode "1366x768-60" + # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz + geometry 1366 768 1366 768 32 + timings 13806 120 10 14 3 32 5 + rgba 8/0,8/8,8/16,8/24 +endmode + +Frame buffer device information: + Name : Virtual FB + Address : 0xffffaa1405d85000 + Size : 4196352 + Type : PACKED PIXELS + Visual : TRUECOLOR + XPanStep : 1 + YPanStep : 1 + YWrapStep : 1 + LineLength : 5464 + Accelerator : No + +Signed-off-by: "Pieter \"PoroCYon\" Sluys" +Reviewed-by: Geert Uytterhoeven +[b.zolnierkie: minor fixups] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/vfb.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- 
a/drivers/video/fbdev/vfb.c ++++ b/drivers/video/fbdev/vfb.c +@@ -284,8 +284,23 @@ static int vfb_check_var(struct fb_var_s + */ + static int vfb_set_par(struct fb_info *info) + { ++ switch (info->var.bits_per_pixel) { ++ case 1: ++ info->fix.visual = FB_VISUAL_MONO01; ++ break; ++ case 8: ++ info->fix.visual = FB_VISUAL_PSEUDOCOLOR; ++ break; ++ case 16: ++ case 24: ++ case 32: ++ info->fix.visual = FB_VISUAL_TRUECOLOR; ++ break; ++ } ++ + info->fix.line_length = get_line_length(info->var.xres_virtual, + info->var.bits_per_pixel); ++ + return 0; + } + +@@ -526,6 +541,8 @@ static int vfb_probe(struct platform_dev + goto err2; + platform_set_drvdata(dev, info); + ++ vfb_set_par(info); ++ + fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n", + videomemorysize >> 10); + return 0; diff --git a/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-always.patch b/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-always.patch new file mode 100644 index 00000000000..e8065d9f64f --- /dev/null +++ b/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-always.patch 
@@ -0,0 +1,50 @@ +From e2fcad58fd230f635a74e4e983c6f4ea893642d2 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:26 +0200 +Subject: virtio_net: check return value of skb_to_sgvec always + +From: Jason A. Donenfeld + +commit e2fcad58fd230f635a74e4e983c6f4ea893642d2 upstream. + +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Sergei Shtylyov +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Signed-off-by: David S. Miller +[natechancellor: backport to 3.18] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -854,7 +854,7 @@ static int xmit_skb(struct send_queue *s + struct skb_vnet_hdr *hdr; + const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest; + struct virtnet_info *vi = sq->vq->vdev->priv; +- unsigned num_sg; ++ int num_sg; + unsigned hdr_len; + bool can_push; + +@@ -906,11 +906,16 @@ static int xmit_skb(struct send_queue *s + if (can_push) { + __skb_push(skb, hdr_len); + num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len); ++ if (unlikely(num_sg < 0)) ++ return num_sg; + /* Pull header back to avoid skew in tx bytes calculations. */ + __skb_pull(skb, hdr_len); + } else { + sg_set_buf(sq->sg, hdr, hdr_len); +- num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1; ++ num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len); ++ if (unlikely(num_sg < 0)) ++ return num_sg; ++ num_sg++; + } + return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC); + } diff --git a/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch b/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch new file mode 100644 index 00000000000..9fd7c189f83 --- /dev/null +++ b/queue-3.18/virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch 
@@ -0,0 +1,44 @@ +From natechancellor@gmail.com Tue Apr 10 14:13:23 2018 +From: Nathan Chancellor +Date: Mon, 9 Apr 2018 18:21:44 -0700 +Subject: virtio_net: check return value of skb_to_sgvec in one more location +To: Greg Kroah-Hartman , stable@vger.kernel.org +Cc: Nathan Chancellor , "Jason A . Donenfeld" , Sergei Shtylyov , "Michael S. Tsirkin" , Jason Wang , "David S . Miller" +Message-ID: <20180410012150.6573-4-natechancellor@gmail.com> + +From: Nathan Chancellor + +Kernels that do not have f6b10209b90d ("virtio-net: switch to use +build_skb() for small buffer") will have an extra call to skb_to_sgvec +that is not handled by e2fcad58fd23 ("virtio_net: check return value of +skb_to_sgvec always"). Since the former does not appear to be stable +material, just fix the call up directly. + +Cc: Jason A. Donenfeld +Cc: Sergei Shtylyov +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: David S. Miller +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/virtio_net.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -551,7 +551,12 @@ static int add_recvbuf_small(struct rece + hdr = skb_vnet_hdr(skb); + sg_init_table(rq->sg, MAX_SKB_FRAGS + 2); + sg_set_buf(rq->sg, &hdr->hdr, sizeof hdr->hdr); +- skb_to_sgvec(skb, rq->sg + 1, 0, skb->len); ++ ++ err = skb_to_sgvec(skb, rq->sg + 1, 0, skb->len); ++ if (unlikely(err < 0)) { ++ dev_kfree_skb(skb); ++ return err; ++ } + + err = virtqueue_add_inbuf(rq->vq, rq->sg, 2, skb, gfp); + if (err < 0) diff --git a/queue-3.18/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch b/queue-3.18/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch new file mode 100644 index 00000000000..4d3dcf15cbe --- /dev/null +++ b/queue-3.18/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch 
@@ -0,0 +1,50 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Neil Horman +Date: Fri, 12 May 2017 12:00:01 -0400 +Subject: vmxnet3: ensure that adapter is in proper state during force_close + +From: Neil Horman + + +[ Upstream commit 1c4d5f51a812a82de97beee24f48ed05c65ebda5 ] + +There are several paths in vmxnet3, where settings changes cause the +adapter to be brought down and back up (vmxnet3_set_ringparam among +them). Should part of the reset operation fail, these paths call +vmxnet3_force_close, which enables all napi instances prior to calling +dev_close (with the expectation that vmxnet3_close will then properly +disable them again). However, vmxnet3_force_close neglects to clear +VMXNET3_STATE_BIT_QUIESCED prior to calling dev_close. As a result +vmxnet3_quiesce_dev (called from vmxnet3_close), returns early, and +leaves all the napi instances in a enabled state while the device itself +is closed. If a device in this state is activated again, napi_enable +will be called on already enabled napi_instances, leading to a BUG halt. + +The fix is to simply enausre that the QUIESCED bit is cleared in +vmxnet3_force_close to allow quesence to be completed properly on close. + +Signed-off-by: Neil Horman +CC: Shrikrishna Khare +CC: "VMware, Inc." +CC: "David S. Miller" +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -2648,6 +2648,11 @@ vmxnet3_force_close(struct vmxnet3_adapt + /* we need to enable NAPI, otherwise dev_close will deadlock */ + for (i = 0; i < adapter->num_rx_queues; i++) + napi_enable(&adapter->rx_queue[i].napi); ++ /* ++ * Need to clear the quiesce bit to ensure that vmxnet3_close ++ * can quiesce the device properly ++ */ ++ clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state); + dev_close(adapter->netdev); + } + 
diff --git a/queue-3.18/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch b/queue-3.18/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch new file mode 100644 index 00000000000..a0b6dfe9a0f --- /dev/null +++ b/queue-3.18/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Roopa Prabhu +Date: Sun, 11 Jun 2017 16:32:50 -0700 +Subject: vxlan: dont migrate permanent fdb entries during learn + +From: Roopa Prabhu + + +[ Upstream commit e0090a9e979de5202c7d16c635dea2f005221073 ] + +This patch fixes vxlan_snoop to not move permanent fdb entries +on learn events. This is consistent with the bridge fdb +handling of permanent entries. + +Fixes: 26a41ae60438 ("vxlan: only migrate dynamic FDB entries") +Signed-off-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -985,7 +985,7 @@ static bool vxlan_snoop(struct net_devic + return false; + + /* Don't migrate static entries, drop packets */ +- if (f->state & NUD_NOARP) ++ if (f->state & (NUD_PERMANENT | NUD_NOARP)) + return true; + + if (net_ratelimit()) diff --git a/queue-3.18/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch b/queue-3.18/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch new file mode 100644 index 00000000000..b29d9e6d2bb --- /dev/null +++ b/queue-3.18/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch 
@@ -0,0 +1,38 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Colin Ian King +Date: Tue, 26 Dec 2017 17:33:18 +0000 +Subject: wl1251: check return from call to wl1251_acx_arp_ip_filter + +From: Colin Ian King + + +[ Upstream commit ac1181c60822292176ab96912208ec9f9819faf8 ] + +Currently the less than zero error check on ret is incorrect +as it is checking a far earlier ret assignment rather than the +return from the call to wl1251_acx_arp_ip_filter. Fix this by +adding in the missing assginment. + +Detected by CoverityScan, CID#1164835 ("Logically dead code") + +Fixes: 204cc5c44fb6 ("wl1251: implement hardware ARP filtering") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wl1251/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/ti/wl1251/main.c ++++ b/drivers/net/wireless/ti/wl1251/main.c +@@ -1200,8 +1200,7 @@ static void wl1251_op_bss_info_changed(s + WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS); + + enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc; +- wl1251_acx_arp_ip_filter(wl, enable, addr); +- ++ ret = wl1251_acx_arp_ip_filter(wl, enable, addr); + if (ret < 0) + goto out_sleep; + } diff --git a/queue-3.18/x86-tsc-provide-tsc-unstable-boot-parameter.patch b/queue-3.18/x86-tsc-provide-tsc-unstable-boot-parameter.patch new file mode 100644 index 00000000000..324815253c5 --- /dev/null +++ b/queue-3.18/x86-tsc-provide-tsc-unstable-boot-parameter.patch 
@@ -0,0 +1,42 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Peter Zijlstra +Date: Thu, 13 Apr 2017 14:56:44 +0200 +Subject: x86/tsc: Provide 'tsc=unstable' boot parameter + +From: Peter Zijlstra + + +[ Upstream commit 8309f86cd41e8714526867177facf7a316d9be53 ] + +Since the clocksource watchdog will only detect broken TSC after the +fact, all TSC based clocks will likely have observed non-continuous +values before/when switching away from TSC. + +Therefore only thing to fully avoid random clock movement when your +BIOS randomly mucks with TSC values from SMI handlers is reporting the +TSC as unstable at boot. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -356,6 +356,8 @@ static int __init tsc_setup(char *str) + tsc_clocksource_reliable = 1; + if (!strncmp(str, "noirqtime", 9)) + no_sched_irq_time = 1; ++ if (!strcmp(str, "unstable")) ++ mark_tsc_unstable("boot parameter"); + return 1; + } + diff --git a/queue-3.18/xen-avoid-type-warning-in-xchg_xen_ulong.patch b/queue-3.18/xen-avoid-type-warning-in-xchg_xen_ulong.patch new file mode 100644 index 00000000000..6a9891abde3 --- /dev/null +++ b/queue-3.18/xen-avoid-type-warning-in-xchg_xen_ulong.patch 
@@ -0,0 +1,43 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Arnd Bergmann +Date: Thu, 8 Jun 2017 10:53:10 +0200 +Subject: xen: avoid type warning in xchg_xen_ulong + +From: Arnd Bergmann + + +[ Upstream commit 9cc91f212111cdcbefa02dcdb7dd443f224bf52c ] + +The improved type-checking version of container_of() triggers a warning for +xchg_xen_ulong, pointing out that 'xen_ulong_t' is unsigned, but atomic64_t +contains a signed value: + +drivers/xen/events/events_2l.c: In function 'evtchn_2l_handle_events': +drivers/xen/events/events_2l.c:187:1020: error: call to '__compiletime_assert_187' declared with attribute error: pointer type mismatch in container_of() + +This adds a cast to work around the warning. + +Cc: Ian Abbott +Fixes: 85323a991d40 ("xen: arm: mandate EABI and use generic atomic operations.") +Fixes: daa2ac80834d ("kernel.h: handle pointers to arrays better in container_of()") +Signed-off-by: Arnd Bergmann +Signed-off-by: Stefano Stabellini +Reviewed-by: Stefano Stabellini +Acked-by: Ian Abbott +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/asm/xen/events.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/include/asm/xen/events.h ++++ b/arch/arm/include/asm/xen/events.h +@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(stru + return raw_irqs_disabled_flags(regs->ARM_cpsr); + } + +-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr), \ ++#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\ + atomic64_t, \ + counter), (val)) + diff --git a/queue-3.18/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch b/queue-3.18/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch new file mode 100644 index 00000000000..3a48b0a654f --- /dev/null +++ b/queue-3.18/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch 
@@ -0,0 +1,56 @@ +From foo@baz Tue Apr 10 13:58:07 CEST 2018 +From: Antony Antony +Date: Fri, 19 May 2017 12:47:00 +0200 +Subject: xfrm: fix state migration copy replay sequence numbers + +From: Antony Antony + + +[ Upstream commit a486cd23661c9387fb076c3f6ae8b2aa9d20d54a ] + +During xfrm migration copy replay and preplay sequence numbers +from the previous state. + +Here is a tcpdump output showing the problem. +10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder. +After the migration it sent wrong sequence number, reset to 1. +The migration is from 10.0.0.52 to 10.0.0.53. + +IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136 +IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136 +IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136 +IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136 + +IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I] +IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R] +IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I] +IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R] + +IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136 + +NOTE: next sequence is wrong 0x1 + +IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136 +IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136 +IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136 + +Signed-off-by: Antony Antony +Reviewed-by: Richard Guy Briggs +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_state.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1208,6 +1208,8 @@ static struct 
xfrm_state *xfrm_state_clo + x->curlft.add_time = orig->curlft.add_time; + x->km.state = orig->km.state; + x->km.seq = orig->km.seq; ++ x->replay = orig->replay; ++ x->preplay = orig->preplay; + + return x; +
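Review bot: in drivers/tty/n_gsm.c, gsm_dlci_t1(), the new branch `else if (!dlci->addr && gsm->control == (DM | PF))` opens the control DLCI based on gsm->control, which is state on the mux and not on this dlci. The test therefore depends on that field still holding the DM(P) reply to our SABM at the moment the last retry expires. Please confirm nothing can overwrite it in between, or record the DM on the dlci when it is received and test that instead. Since the branch only runs for address 0, the `%d` in the pr_info always prints 0 and could be a fixed string.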
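Review bot: in the last n_gsm.c hunk (the kernel-doc that begins "Commence opening a DLCI from the Linux side"), "reply with a UA or ADM" names a mode where the sentence needs a frame type. Per the commit message the modem answers SABM with DM, and ADM is the mode that reply indicates, so "UA or DM" would be accurate. The comment should also say that a DM only leads to the open state for the control DLCI and only after the SABM retries are exhausted, since that is what the code in gsm_dlci_t1() does.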
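Review bot: in drivers/usb/chipidea/core.c, ci_hdrc_probe(), the new unwind labels call ci_hdrc_gadget_destroy() and ci_hdrc_host_destroy() unconditionally, and some of the new jumps reach them for a role that was never set up: `goto deinit_host` after gadget init fails while host init returned -ENXIO, and `goto deinit_gadget` from the "no supported roles" branch where both ci->roles[] entries are unset. That is only safe if both destroy helpers do nothing for an uninitialised role; please confirm this for the 3.18 tree or guard the calls with ci->roles[CI_ROLE_HOST] and ci->roles[CI_ROLE_GADGET]. The OTG teardown also runs first on the probe error path but last in ci_role_destroy(); make the order consistent or comment on why it differs.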
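Review bot: in drivers/usb/dwc3/dwc3-keystone.c, kdwc3_probe(), the new IS_ERR(kdwc->clk) branch logs "unable to get usb clock" without the error value and at dev_err level for every failure, which includes the case where devm_clk_get() returns -EPROBE_DEFER and the probe is simply retried later. Suggest including PTR_ERR(kdwc->clk) in the message and not printing it for -EPROBE_DEFER.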
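Review bot: in drivers/usb/storage/ene_ub6250.c, ene_transport(), `result` now carries two families of codes: it is initialised to and compared against USB_STOR_XFER_GOOD for the ene_init() step, then set to USB_STOR_TRANSPORT_ERROR and returned as the transport status. When ene_init() fails, its raw value is returned from the transport routine unchanged. Suggest a separate variable for the init step and an explicit `return USB_STOR_TRANSPORT_ERROR;` on init failure, so the function only ever returns transport codes. If both SD_Status.Ready and MS_Status.Ready are set, the ms_scsi_irp() result overwrites the sd_scsi_irp() result; an else-if would make the intended precedence explicit.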
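Review bot: in drivers/video/fbdev/vfb.c, vfb_set_par(), the new switch on info->var.bits_per_pixel has no default case, so any depth other than 1, 8, 16, 24 or 32 leaves info->fix.visual at whatever value it held before while line_length is still recomputed. Add a default that sets a defined visual or returns -EINVAL, or add a comment stating that vfb_check_var() already restricts the depth to these values.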
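Review bot: in drivers/net/virtio_net.c, xmit_skb(), can_push branch, the new `return num_sg;` sits between __skb_push(skb, hdr_len) and the __skb_pull(skb, hdr_len) that undoes it, so on a skb_to_sgvec() failure the skb goes back to the caller with the header still pushed. Either pull the header before returning or add a comment stating that callers only free the skb on error and never look at its length or data again.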
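Review bot: in arch/x86/kernel/tsc.c, tsc_setup(), the new option is matched with strcmp(str, "unstable") while the neighbouring "noirqtime" check uses strncmp() with a length, so the two options in the same parser follow different matching rules; make them consistent or note why an exact match is wanted here. The diffstat touches only tsc.c, so the new tsc=unstable value is not described in the kernel parameter documentation; please add an entry there.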
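Review bot: in arch/arm/include/asm/xen/events.h, xchg_xen_ulong(), the cast `(long long*)(ptr)` silences the container_of() type check for every caller, so a pointer to a narrower or otherwise unrelated type now compiles and is handed to atomic64_xchg(). Suggest keeping a check that survives the cast, for example a BUILD_BUG_ON(sizeof(*(ptr)) != sizeof(long long)) inside the macro or a static inline helper that takes xen_ulong_t *. Kernel style also wants `long long *` with a space before the asterisk.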