From: Sasha Levin Date: Sat, 15 Jun 2019 23:17:06 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v5.1.11~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1cd4ef7633206e11520de9731cd7981df9f74b93;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch b/queue-4.14/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
new file mode 100644
index 00000000000..eb36ca52ba3
--- /dev/null
+++ b/queue-4.14/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
@@ -0,0 +1,102 @@
+From 97f213d5b8850731c3bb1cd42c27a229748c8057 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 9 Apr 2019 18:04:17 +0200
+Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
+
+[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ]
+
+The snd_seq_ioctl_get_subscription() retrieves the port subscriber
+information as a pointer, while the object isn't protected, hence it
+may be deleted before the actual reference. This race was spotted by
+syzkaller and may lead to a UAF.
+
+The fix is simply copying the data in the lookup function that
+performs in the rwsem to protect against the deletion.
+
+Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 10 ++--------
+ sound/core/seq/seq_ports.c | 13 ++++++++-----
+ sound/core/seq/seq_ports.h | 5 +++--
+ 3 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 692631bd4a35..068880ac47b5 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1904,20 +1904,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client,
+ int result;
+ struct snd_seq_client *sender = NULL;
+ struct snd_seq_client_port *sport = NULL;
+- struct snd_seq_subscribers *p;
+
+ result = -EINVAL;
+ if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL)
+ goto __end;
+ if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL)
+ goto __end;
+- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest);
+- if (p) {
+- result = 0;
+- *subs = p->info;
+- } else
+- result = -ENOENT;
+-
++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest,
++ subs);
+ __end:
+ if (sport)
+ snd_seq_port_unlock(sport);
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
+index d3fc73ac230b..c8fa4336bccd 100644
+--- 
a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector,
+
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr)
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs)
+ {
+- struct snd_seq_subscribers *s, *found = NULL;
++ struct snd_seq_subscribers *s;
++ int err = -ENOENT;
+
+ down_read(&src_grp->list_mutex);
+ list_for_each_entry(s, &src_grp->list_head, src_list) {
+ if (addr_match(dest_addr, &s->info.dest)) {
+- found = s;
++ *subs = s->info;
++ err = 0;
+ break;
+ }
+ }
+ up_read(&src_grp->list_mutex);
+- return found;
++ return err;
+ }
+
+ /*
+diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h
+index 26bd71f36c41..06003b36652e 100644
+--- a/sound/core/seq/seq_ports.h
++++ b/sound/core/seq/seq_ports.h
+@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port,
+ struct snd_seq_port_subscribe *info);
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr);
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs);
+
+ #endif
+-- 
+2.20.1
+
diff --git a/queue-4.14/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-4.14/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
new file mode 100644
index 00000000000..e6f1eb251b1
--- /dev/null
+++ b/queue-4.14/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
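Review bot: In sound/core/seq/seq_ports.c, snd_seq_port_get_subscription() now writes through `subs` while the caller in seq_clientmgr.c passes `&subs->dest` as `dest_addr`, so the output buffer aliases the lookup key, and the one-line comment above the function does not say so. The copy is safe as written only because `*subs = s->info;` runs after addr_match() has succeeded and is immediately followed by `break`. I would extend the comment to record the contract, e.g. `/* get matched subscriber: copies s->info into @subs under list_mutex; returns 0 or -ENOENT; @dest_addr may point into @subs */`, so that a later change which keeps iterating after the copy does not end up comparing against an overwritten key.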
@@ -0,0 +1,53 @@
+From f8918b41fb28ed16edfe6e730623ce1492c65323 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 9 Apr 2019 17:35:22 +0200
+Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
+
+[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
+
+ALSA OSS sequencer calls the ioctl function indirectly via
+snd_seq_kernel_client_ctl(). While we already applied the protection
+against races between the normal ioctls and writes via the client's
+ioctl_mutex, this code path was left untouched. And this seems to be
+the cause of still remaining some rare UAF as spontaneously triggered
+by syzkaller.
+
+For the sake of robustness, wrap the ioctl_mutex also for the call via
+snd_seq_kernel_client_ctl(), too.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 3bcd7a2f0394..692631bd4a35 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2348,14 +2348,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
++ int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd)
+- return handler->func(client, arg);
++ if (handler->cmd == cmd) {
++ mutex_lock(&client->ioctl_mutex);
++ err = handler->func(client, arg);
++ mutex_unlock(&client->ioctl_mutex);
++ return err;
++ }
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+-- 
+2.20.1
+
diff --git a/queue-4.14/arm64-mm-inhibit-huge-vmap-with-ptdump.patch b/queue-4.14/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
new file mode 100644
index 00000000000..f4c792bd4ea
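Review bot: The `mutex_lock(&client->ioctl_mutex)` added around `handler->func(client, arg)` in snd_seq_kernel_client_ctl() is the locking that the revert carried later in this same queue (revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch) reports as deadlocking through the close of the OSS sequencer client, so this patch must never be applied without that revert. The three seq_clientmgr.c patches chain by blob index (3bcd7a2f0394 → 692631bd4a35 → 068880ac47b5 → 7d2c07c1237c), which fixes the order as this patch, then the get-subscription fix, then the revert; the series file is not visible here, so that ordering should be confirmed. Because the net change to this function is nil, the remaining UAF this patch was aimed at is presumably still open on 4.14 once the queue is applied.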
--- /dev/null
+++ b/queue-4.14/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
@@ -0,0 +1,76 @@
+From a120d6592c3daa5925840efb3f72c74a05c3ace8 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Tue, 14 May 2019 14:30:06 +0530
+Subject: arm64/mm: Inhibit huge-vmap with ptdump
+
+[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ]
+
+The arm64 ptdump code can race with concurrent modification of the
+kernel page tables. At the time this was added, this was sound as:
+
+* Modifications to leaf entries could result in stale information being
+ logged, but would not result in a functional problem.
+
+* Boot time modifications to non-leaf entries (e.g. freeing of initmem)
+ were performed when the ptdump code cannot be invoked.
+
+* At runtime, modifications to non-leaf entries only occurred in the
+ vmalloc region, and these were strictly additive, as intermediate
+ entries were never freed.
+
+However, since commit:
+
+ commit 324420bf91f6 ("arm64: add support for ioremap() block mappings")
+
+... it has been possible to create huge mappings in the vmalloc area at
+runtime, and as part of this existing intermediate levels of table my be
+removed and freed.
+
+It's possible for the ptdump code to race with this, and continue to
+walk tables which have been freed (and potentially poisoned or
+reallocated). As a result of this, the ptdump code may dereference bogus
+addresses, which could be fatal.
+
+Since huge-vmap is a TLB and memory optimization, we can disable it when
+the runtime ptdump code is in use to avoid this problem.
+
+Cc: Catalin Marinas
+Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings")
+Acked-by: Ard Biesheuvel
+Signed-off-by: Mark Rutland
+Signed-off-by: Anshuman Khandual
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/mm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 6ac0d32d60a5..abb9d2ecc675 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -899,13 +899,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
+
+ int __init arch_ioremap_pud_supported(void)
+ {
+- /* only 4k granule supports level 1 block mappings */
+- return IS_ENABLED(CONFIG_ARM64_4K_PAGES);
++ /*
++ * Only 4k granule supports level 1 block mappings.
++ * SW table walks can't handle removal of intermediate entries.
++ */
++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) &&
++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int __init arch_ioremap_pmd_supported(void)
+ {
+- return 1;
++ /* See arch_ioremap_pud_supported() */
++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot)
+-- 
+2.20.1
+
diff --git a/queue-4.14/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch b/queue-4.14/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
new file mode 100644
index 00000000000..194c4ac87a8
--- /dev/null
+++ b/queue-4.14/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
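Review bot: The new comment in arch_ioremap_pud_supported() says `SW table walks can't handle removal of intermediate entries` without naming the walker, and the guard is a build-time `IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS)` rather than a test for ptdump being in use, which is how the commit message words it. A kernel built with that option therefore never gets huge vmap mappings, whether or not the debugfs file is ever read. I would make the comment say so, e.g. `* The ptdump debugfs walker can't handle removal of intermediate entries, so huge vmap is disabled whenever CONFIG_ARM64_PTDUMP_DEBUGFS is built in.`, so that anyone adding another software walker knows this guard does not cover it.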
@@ -0,0 +1,46 @@
+From 3c92db0ab6524efd502a7bde35672b3f4c9ae500 Mon Sep 17 00:00:00 2001
+From: Young Xiao
+Date: Fri, 12 Apr 2019 15:45:06 +0800
+Subject: Drivers: misc: fix out-of-bounds access in function
+ param_set_kgdbts_var
+
+[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
+
+There is an out-of-bounds access to "config[len - 1]" array when the
+variable "len" is zero.
+
+See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
+in param_set_kgdboc_var()") for details.
+
+Signed-off-by: Young Xiao
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index fc7efedbc4be..94cbc5c98cae 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1134,7 +1134,7 @@ static void kgdbts_put_char(u8 chr)
+
+ static int param_set_kgdbts_var(const char *kmessage, struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+@@ -1154,7 +1154,7 @@ static int param_set_kgdbts_var(const char *kmessage, struct kernel_param *kp)
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ /* Go and configure with the new params. */
+-- 
+2.20.1
+
diff --git a/queue-4.14/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch b/queue-4.14/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
new file mode 100644
index 00000000000..3be06a85e27
--- /dev/null
+++ b/queue-4.14/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
@@ -0,0 +1,69 @@
+From c111fe360701d62baa3e26ef6420bb2ec0342a7e Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Fri, 24 May 2019 16:06:23 +0200
+Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
+
+[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ]
+
+kselftests exposed a problem in the s390 handling for memory slots.
+Right now we only do proper memory slot handling for creation of new
+memory slots. Neither MOVE, nor DELETION are handled properly. Let us
+implement those.
+
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index d6fe229ac20e..70a446ec347d 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -3913,21 +3913,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
+ const struct kvm_memory_slot *new,
+ enum kvm_mr_change change)
+ {
+- int rc;
+-
+- /* If the basics of the memslot do not change, we do not want
+- * to update the gmap. Every update causes several unnecessary
+- * segment translation exceptions. This is usually handled just
+- * fine by the normal fault handler + gmap, but it will also
+- * cause faults on the prefix page of running guest CPUs.
+- */
+- if (old->userspace_addr == mem->userspace_addr &&
+- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr &&
+- old->npages * PAGE_SIZE == mem->memory_size)
+- return;
++ int rc = 0;
+
+- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
+- mem->guest_phys_addr, mem->memory_size);
++ switch (change) {
++ case KVM_MR_DELETE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ break;
++ case KVM_MR_MOVE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ if (rc)
++ break;
++ /* FALLTHROUGH */
++ case KVM_MR_CREATE:
++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
++ mem->guest_phys_addr, mem->memory_size);
++ break;
++ case KVM_MR_FLAGS_ONLY:
++ break;
++ default:
++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change);
++ }
+ if (rc)
+ pr_warn("failed to commit memory region\n");
+ return;
+-- 
+2.20.1
+
diff --git a/queue-4.14/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch b/queue-4.14/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
new file mode 100644
index 00000000000..6b73d6aaf31
--- /dev/null
+++ b/queue-4.14/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
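Review bot: In the new switch in kvm_arch_commit_memory_region(), a failing gmap_unmap_segment() for KVM_MR_DELETE or KVM_MR_MOVE ends in the same `pr_warn("failed to commit memory region\n")` as a failed map, and the function returns void, so the caller never learns that the old range may still be mapped in the gmap. For a delete that would mean guest mappings outliving a slot userspace believes is gone (inferred; the gmap code is not part of this hunk). At minimum the message should carry the operation and the error so the two cases can be told apart in logs, `pr_warn("failed to commit memory region (change %d, rc %d)\n", change, rc);`, and the `default:` arm would read better with an explicit `break;`. The function's signature starts outside the hunk.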
@@ -0,0 +1,48 @@
+From 4c3cb7edd7486fe181bd76a71258244b2b5697d9 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 20 May 2019 17:34:30 +0200
+Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs
+
+[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ]
+
+According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of
+each MSR may be written with any value, and the high-order 8 bits are
+sign-extended according to the value of bit 31", but the fixed counters
+in real hardware are limited to the width of the fixed counters ("bits
+beyond the width of the fixed-function counter are reserved and must be
+written as zeros"). Fix KVM to do the same.
+
+Reported-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/pmu_intel.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c
+index 5ab4a364348e..2729131fe9bf 100644
+--- a/arch/x86/kvm/pmu_intel.c
++++ b/arch/x86/kvm/pmu_intel.c
+@@ -235,11 +235,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ }
+ break;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- if (!msr_info->host_initiated)
+- data = (s64)(s32)data;
+- pmc->counter += data - pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ if (msr_info->host_initiated)
++ pmc->counter = data;
++ else
++ pmc->counter = (s32)data;
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ pmc->counter = data;
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ if (data == pmc->eventsel)
+-- 
+2.20.1
+
diff --git a/queue-4.14/libnvdimm-fix-compilation-warnings-with-w-1.patch b/queue-4.14/libnvdimm-fix-compilation-warnings-with-w-1.patch
new file mode 100644
index 00000000000..cc8eb1a3f4b
--- /dev/null
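Review bot: Both new branches in intel_pmu_set_msr() assign `pmc->counter` outright where the removed line did `pmc->counter += data - pmc_read_counter(pmc);`, so the write is no longer taken relative to what the counter currently reads. If pmc_read_counter() adds a live perf-event count on top of pmc->counter (its body is not in this hunk), a guest write to a running counter would read back as the written value plus whatever the event had already accumulated; keeping the relative form, `pmc->counter += data - pmc_read_counter(pmc);`, after the sign-extension decision would avoid that. Separately, the fixed-counter branch takes `data` as is, while the commit message quotes the SDM as requiring bits beyond the counter width to be written as zeros, and nothing visible here rejects or masks them. The switch this `default:` belongs to starts outside the hunk.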
+++ b/queue-4.14/libnvdimm-fix-compilation-warnings-with-w-1.patch 
@@ -0,0 +1,86 @@
+From b1a99bc130cbf8ec8485a0e416ebec725af43200 Mon Sep 17 00:00:00 2001
+From: Qian Cai
+Date: Thu, 16 May 2019 12:04:53 -0400
+Subject: libnvdimm: Fix compilation warnings with W=1
+
+[ Upstream commit c01dafad77fea8d64c4fdca0a6031c980842ad65 ]
+
+Several places (dimm_devs.c, core.c etc) include label.h but only
+label.c uses NSINDEX_SIGNATURE, so move its definition to label.c
+instead.
+
+In file included from drivers/nvdimm/dimm_devs.c:23:
+drivers/nvdimm/label.h:41:19: warning: 'NSINDEX_SIGNATURE' defined but
+not used [-Wunused-const-variable=]
+
+Also, some places abuse "/**" which is only reserved for the kernel-doc.
+
+drivers/nvdimm/bus.c:648: warning: cannot understand function prototype:
+'struct attribute_group nd_device_attribute_group = '
+drivers/nvdimm/bus.c:677: warning: cannot understand function prototype:
+'struct attribute_group nd_numa_attribute_group = '
+
+Those are just some member assignments for the "struct attribute_group"
+instances and it can't be expressed in the kernel-doc.
+
+Reviewed-by: Vishal Verma
+Signed-off-by: Qian Cai
+Signed-off-by: Dan Williams
+Signed-off-by: Sasha Levin
+---
+ drivers/nvdimm/bus.c | 4 ++--
+ drivers/nvdimm/label.c | 2 ++
+ drivers/nvdimm/label.h | 2 --
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
+index a6746a1f20ae..2f1b54fab399 100644
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -608,7 +608,7 @@ static struct attribute *nd_device_attributes[] = {
+ NULL,
+ };
+
+-/**
++/*
+ * nd_device_attribute_group - generic attributes for all devices on an nd bus
+ */
+ struct attribute_group nd_device_attribute_group = {
+@@ -637,7 +637,7 @@ static umode_t nd_numa_attr_visible(struct kobject *kobj, struct attribute *a,
+ return a->mode;
+ }
+
+-/**
++/*
+ * nd_numa_attribute_group - NUMA attributes for all devices on an nd bus
+ */
+ struct attribute_group nd_numa_attribute_group = {
+diff --git a/drivers/nvdimm/label.c b/drivers/nvdimm/label.c
+index 6a16017cc0d9..1fb3a2491131 100644
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -25,6 +25,8 @@ static guid_t nvdimm_btt2_guid;
+ static guid_t nvdimm_pfn_guid;
+ static guid_t nvdimm_dax_guid;
+
++static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0";
++
+ static u32 best_seq(u32 a, u32 b)
+ {
+ a &= NSINDEX_SEQ_MASK;
+diff --git a/drivers/nvdimm/label.h b/drivers/nvdimm/label.h
+index 1ebf4d3d01ba..9ed772db6900 100644
+--- a/drivers/nvdimm/label.h
++++ b/drivers/nvdimm/label.h
+@@ -38,8 +38,6 @@ enum {
+ ND_NSINDEX_INIT = 0x1,
+ };
+
+-static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0";
+-
+ /**
+ * struct nd_namespace_index - label set superblock
+ * @sig: NAMESPACE_INDEX\0
+-- 
+2.20.1
+
diff --git a/queue-4.14/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch b/queue-4.14/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch
new file mode 100644
index 00000000000..21a98fc4713
--- /dev/null
+++ b/queue-4.14/nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch
@@ -0,0 +1,36 @@
+From df90940ad9bf36549b0b354c5348d4996c3a5be6 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Fri, 17 May 2019 02:47:34 -0700
+Subject: nvme: remove the ifdef around nvme_nvm_ioctl
+
+[ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ]
+
+We already have a proper stub if lightnvm is not enabled, so don't bother
+with the ifdef.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Keith Busch
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 65f3f1a34b6b..d98ffb1ce629 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1042,10 +1042,8 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ case NVME_IOCTL_SUBMIT_IO:
+ return nvme_submit_io(ns, (void __user *)arg);
+ default:
+-#ifdef CONFIG_NVM
+ if (ns->ndev)
+ return nvme_nvm_ioctl(ns, cmd, arg);
+-#endif
+ if (is_sed_ioctl(cmd))
+ return sed_ioctl(ns->ctrl->opal_dev, cmd,
+ (void __user *) arg);
+-- 
+2.20.1
+
diff --git a/queue-4.14/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch b/queue-4.14/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch
new file mode 100644
index 00000000000..a8ced5d36fd
--- /dev/null
+++ b/queue-4.14/platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch
@@ -0,0 +1,52 @@
+From d724fa41ab032c3b720f44393c3344bb3502f7ce Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 29 Apr 2019 17:01:35 +0200
+Subject: platform/x86: pmc_atom: Add Lex 3I380D industrial PC to
+ critclk_systems DMI table
+
+[ Upstream commit 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 ]
+
+The Lex 3I380D industrial PC has 4 ethernet controllers on board
+which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems
+DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks
+as CLK_CRITICAL and they will not get turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Reported-and-tested-by: Semyon Verchenko
+Signed-off-by: Hans de Goede
+Acked-by: Andy Shevchenko
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/pmc_atom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index 50f2a125cd2c..e3e1f83a2dd7 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -428,12 +428,21 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc)
+ */
+ static const struct dmi_system_id critclk_systems[] = {
+ {
++ /* pmc_plt_clk0 is used for an external HSIC USB HUB */
+ .ident = "MPL CEC1x",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"),
+ },
+ },
++ {
++ /* pmc_plt_clk0 - 3 are used for the 4 ethernet controllers */
++ .ident = "Lex 3I380D",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+-- 
+2.20.1
+
diff --git a/queue-4.14/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch b/queue-4.14/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch
new file mode 100644
index 00000000000..8b3ff4d62d6
--- /dev/null
+++ b/queue-4.14/platform-x86-pmc_atom-add-several-beckhoff-automatio.patch
@@ -0,0 +1,59 @@
+From e2ee85b44a6f7429d9949ef6525b41655f4ab222 Mon Sep 17 00:00:00 2001
+From: Steffen Dirkwinkel
+Date: Thu, 2 May 2019 15:03:51 +0200
+Subject: platform/x86: pmc_atom: Add several Beckhoff Automation boards to
+ critclk_systems DMI table
+
+[ Upstream commit d6423bd03031c020121da26c41a26bd5cc6d0da3 ]
+
+There are several Beckhoff Automation industrial PC boards which use
+pmc_plt_clk* clocks for ethernet controllers. This adds affected boards
+to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and
+not turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Signed-off-by: Steffen Dirkwinkel
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/pmc_atom.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index e3e1f83a2dd7..d4d089c37944 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -443,6 +443,30 @@ static const struct dmi_system_id critclk_systems[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
+ },
+ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB3163",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB3163"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6263",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6263"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6363",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6363"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+-- 
+2.20.1
+
diff --git a/queue-4.14/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch b/queue-4.14/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
new file mode 100644
index 00000000000..3c2e3b594e3
--- /dev/null
+++ b/queue-4.14/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
@@ -0,0 +1,50 @@
+From 48b29c4ed2c642ef84f4c5a80df48e1c5ee93166 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 11 Apr 2019 19:58:32 +0200
+Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
+
+[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
+
+This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
+
+The fix attempt was incorrect, leading to the mutex deadlock through
+the close of OSS sequencer client. The proper fix needs more
+consideration, so let's revert it now.
+
+Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
+Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 068880ac47b5..7d2c07c1237c 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2342,19 +2342,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
+- int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd) {
+- mutex_lock(&client->ioctl_mutex);
+- err = handler->func(client, arg);
+- mutex_unlock(&client->ioctl_mutex);
+- return err;
+- }
++ if (handler->cmd == cmd)
++ return handler->func(client, arg);
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+-- 
+2.20.1
+
diff --git a/queue-4.14/s390-kasan-fix-strncpy_from_user-kasan-checks.patch b/queue-4.14/s390-kasan-fix-strncpy_from_user-kasan-checks.patch
new file mode 100644
index 00000000000..1073269eea4
--- /dev/null
+++ b/queue-4.14/s390-kasan-fix-strncpy_from_user-kasan-checks.patch
@@ -0,0 +1,41 @@
+From 6f5268c3b81578c3c1eb913c9b69d94e6883986c Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik
+Date: Tue, 23 Apr 2019 15:36:36 +0200
+Subject: s390/kasan: fix strncpy_from_user kasan checks
+
+[ Upstream commit 01eb42afb45719cb41bb32c278e068073738899d ]
+
+arch/s390/lib/uaccess.c is built without kasan instrumentation. Kasan
+checks are performed explicitly in copy_from_user/copy_to_user
+functions. But since those functions could be inlined, calls from
+files like uaccess.c with instrumentation disabled won't generate
+kasan reports. This is currently the case with strncpy_from_user
+function which was revealed by newly added kasan test. Avoid inlining of
+copy_from_user/copy_to_user when the kernel is built with kasan support
+to make sure kasan checks are fully functional.
+
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+---
+ arch/s390/include/asm/uaccess.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
+index cdd0f0d999e2..689eae8d3859 100644
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -67,8 +67,10 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n);
+ unsigned long __must_check
+ raw_copy_to_user(void __user *to, const void *from, unsigned long n);
+
++#ifndef CONFIG_KASAN
+ #define INLINE_COPY_FROM_USER
+ #define INLINE_COPY_TO_USER
++#endif
+
+ #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
+
+-- 
+2.20.1
+
diff --git a/queue-4.14/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch b/queue-4.14/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
new file mode 100644
index 00000000000..0f79a943c57
--- /dev/null
+++ b/queue-4.14/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
@@ -0,0 +1,37 @@
+From 927047a4c1e8684460ec89c2edab39e3a9a71135 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sat, 4 May 2019 17:48:29 +0100
+Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+
+[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ]
+
+Currently an int is being shifted and the result is being cast to a u64
+which leads to undefined behaviour if the shift is more than 31 bits. Fix
+this by casting the integer value 1 to u64 before the shift operation.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware")
+Signed-off-by: Colin Ian King
+Acked-by: Saurav Kashyap
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+index 26de61d65a4d..1bdff75ae903 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+@@ -830,7 +830,7 @@ ret_err_rqe:
+ ((u64)err_entry->data.err_warn_bitmap_hi << 32) |
+ (u64)err_entry->data.err_warn_bitmap_lo;
+ for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) {
+- if (err_warn_bit_map & (u64) (1 << i)) {
++ if (err_warn_bit_map & ((u64)1 << i)) {
+ err_warn = i;
+ break;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.14/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch b/queue-4.14/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
new file mode 100644
index 00000000000..6dc619fafb3
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
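Review bot: The corrected test `((u64)1 << i)` in bnx2fc_hwi.c is only defined while `i` stays below 64, and the loop bound BNX2FC_NUM_ERR_BITS is defined outside this hunk, so it should be confirmed to be at most 64. As a matter of style the kernel's `BIT_ULL(i)` states the same thing with the width in the name: `if (err_warn_bit_map & BIT_ULL(i)) {`. The enclosing function starts and ends outside the hunk.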
@@ -0,0 +1,38 @@
+From ea32a0df00cb3601b88c38b322dc19bec06d41f9 Mon Sep 17 00:00:00 2001
+From: James Smart
+Date: Mon, 6 May 2019 17:26:49 -0700
+Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ
+
+[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
+
+There was a missing qualification of a valid ndlp structure when calling to
+send an RRQ for an abort. Add the check.
+
+Signed-off-by: Dick Kennedy
+Signed-off-by: James Smart
+Tested-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_els.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 57cddbc4a977..ddd29752d96d 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7065,7 +7065,10 @@ int
+ lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq)
+ {
+ struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport,
+- rrq->nlp_DID);
++ rrq->nlp_DID);
++ if (!ndlp)
++ return 1;
++
+ if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag))
+ return lpfc_issue_els_rrq(rrq->vport, ndlp,
+ rrq->nlp_DID, rrq);
+-- 
+2.20.1
+
diff --git a/queue-4.14/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch b/queue-4.14/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
new file mode 100644
index 00000000000..d1a8a2f50f3
--- /dev/null
+++ b/queue-4.14/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
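Review bot: The new `if (!ndlp) return 1;` in lpfc_send_rrq() returns a bare 1 with nothing saying what that tells the caller, and the rest of the function, including its other return paths, lies outside the hunk. If callers treat non-zero as "RRQ not sent" and release `rrq` themselves, the early return is fine; if they do not, it leaks the request, so the caller contract should be checked before this lands. Once confirmed, a one-line comment such as `/* node is gone: report failure, caller still owns rrq */` above the check would record it. The check also sits directly under the declaration; a blank line between the two would match the usual kernel layout.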
@@ -0,0 +1,167 @@ +From ad5f6944e6efdb8fef07d35265ca25ac35dcf1fb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 20 Apr 2019 12:05:54 +0800 +Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead + +[ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ] + +KASAN reports this: + +BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi] +Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429 + +CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + print_address_description+0x1c4/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + memcpy+0x1f/0x50 mm/kasan/common.c:130 + qedi_dbg_err+0xda/0x330 [qedi] + ? 0xffffffffc12d0000 + qedi_init+0x118/0x1000 [qedi] + ? 0xffffffffc12d0000 + ? 0xffffffffc12d0000 + ? 0xffffffffc12d0000 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003 +RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc +R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 + +The buggy address belongs to the variable: + 
__func__.67584+0x0/0xffffffffffffd520 [qedi] + +Memory state around the buggy address: + ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa + ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa +> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa + ^ + ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa + ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa + +Currently the qedi_dbg_* family of functions can overrun the end of the +source string if it is less than the destination buffer length because of +the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc +and just use func instead as it is always a null terminated string. + +Reported-by: Hulk Robot +Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") +Signed-off-by: YueHaibing +Reviewed-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------ + 1 file changed, 8 insertions(+), 24 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c +index 8fd28b056f73..3383314a3882 100644 +--- a/drivers/scsi/qedi/qedi_dbg.c ++++ b/drivers/scsi/qedi/qedi_dbg.c +@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev), +- nfunc, line, qedi->host_no, &vaf); ++ func, line, qedi->host_no, &vaf); + else +- pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + va_end(va); + } +@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx 
*qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev), +- nfunc, line, qedi->host_no, &vaf); ++ func, line, qedi->host_no, &vaf); + else +- pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + ret: + va_end(va); +@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_notice("[%s]:[%s:%d]:%d: %pV", +- dev_name(&qedi->pdev->dev), nfunc, line, ++ dev_name(&qedi->pdev->dev), func, line, + qedi->host_no, &vaf); + else +- pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + ret: + va_end(va); +@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + { + va_list va; + struct va_format vaf; +- char nfunc[32]; +- +- memset(nfunc, 0, sizeof(nfunc)); +- memcpy(nfunc, func, sizeof(nfunc) - 1); + + va_start(va, fmt); + +@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line, + + if (likely(qedi) && likely(qedi->pdev)) + pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev), +- nfunc, line, qedi->host_no, &vaf); ++ func, line, qedi->host_no, &vaf); + else +- pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf); ++ pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf); + + ret: + 
va_end(va); +-- +2.20.1 + diff --git a/queue-4.14/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch b/queue-4.14/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch new file mode 100644 index 00000000000..f81252441e3 --- /dev/null +++ b/queue-4.14/scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch 
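Review bot: With the bounded `nfunc` copy gone, `qedi_dbg_err()`, `qedi_dbg_warn()`, `qedi_dbg_notice()` and `qedi_dbg_info()` pass `func` straight to `%s`, so they now depend on every caller supplying a NUL-terminated string, and nothing in the code states that contract. The commit message says this always holds, and the KASAN report shows the argument was a `__func__` literal; a one-line comment above the first helper, for example `/* func must be a NUL-terminated string; callers pass __func__ */`, would record it for anyone adding a call site. The root cause is worth keeping in mind for similar helpers: a fixed-length `memcpy()` from a string reads past any source shorter than that length, whatever the size of the destination. Each function's signature tail and closing lines lie outside the hunks.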
@@ -0,0 +1,48 @@
+From 6f1feb686ee5bad4b349b2d13315fec906fc33aa Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 24 Apr 2019 16:02:56 +0800
+Subject: scsi: qedi: remove set but not used variables 'cdev' and 'udev'
+
+[ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect':
+drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable]
+drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable]
+
+These have never been used since introduction.
+
+Signed-off-by: YueHaibing
+Acked-by: Manish Rangankar
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 0b7267e68336..94f3829b1974 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -817,8 +817,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ struct qedi_endpoint *qedi_ep;
+ struct sockaddr_in *addr;
+ struct sockaddr_in6 *addr6;
+- struct qed_dev *cdev = NULL;
+- struct qedi_uio_dev *udev = NULL;
+ struct iscsi_path path_req;
+ u32 msg_type = ISCSI_KEVENT_IF_DOWN;
+ u32 iscsi_cid = QEDI_CID_RESERVED;
+@@ -838,8 +836,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ }
+
+ qedi = iscsi_host_priv(shost);
+- cdev = qedi->cdev;
+- udev = qedi->udev;
+
+ if (test_bit(QEDI_IN_OFFLINE, &qedi->flags) ||
+ test_bit(QEDI_IN_RECOVERY, &qedi->flags)) {
+--
+2.20.1
+
diff --git a/queue-4.14/selftests-timers-add-missing-fflush-stdout-calls.patch b/queue-4.14/selftests-timers-add-missing-fflush-stdout-calls.patch
new file mode 100644
index 00000000000..ac6388e8919
--- /dev/null
+++ b/queue-4.14/selftests-timers-add-missing-fflush-stdout-calls.patch
@@ -0,0 +1,167 @@ +From f14dfec35db0435aa52764c0a727f3d7ac7588ee Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 20 May 2019 15:37:49 -0700 +Subject: selftests/timers: Add missing fflush(stdout) calls + +[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ] + +When running under a pipe, some timer tests would not report output in +real-time because stdout flushes were missing after printf()s that lacked +a newline. This adds them to restore real-time status output that humans +can enjoy. + +Signed-off-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/timers/adjtick.c | 1 + + tools/testing/selftests/timers/leapcrash.c | 1 + + tools/testing/selftests/timers/mqueue-lat.c | 1 + + tools/testing/selftests/timers/nanosleep.c | 1 + + tools/testing/selftests/timers/nsleep-lat.c | 1 + + tools/testing/selftests/timers/raw_skew.c | 1 + + tools/testing/selftests/timers/set-tai.c | 1 + + tools/testing/selftests/timers/set-tz.c | 2 ++ + tools/testing/selftests/timers/threadtest.c | 1 + + tools/testing/selftests/timers/valid-adjtimex.c | 2 ++ + 10 files changed, 12 insertions(+) + +diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c +index 0caca3a06bd2..54d8d87f36b3 100644 +--- a/tools/testing/selftests/timers/adjtick.c ++++ b/tools/testing/selftests/timers/adjtick.c +@@ -136,6 +136,7 @@ int check_tick_adj(long tickval) + + eppm = get_ppm_drift(); + printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm); ++ fflush(stdout); + + tx1.modes = 0; + adjtimex(&tx1); +diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c +index 830c462f605d..dc80728ed191 100644 +--- a/tools/testing/selftests/timers/leapcrash.c ++++ b/tools/testing/selftests/timers/leapcrash.c +@@ -101,6 +101,7 @@ int main(void) + } + clear_time_state(); + printf("."); ++ fflush(stdout); + } + printf("[OK]\n"); + return ksft_exit_pass(); +diff --git 
a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c +index 1867db5d6f5e..7916cf5cc6ff 100644 +--- a/tools/testing/selftests/timers/mqueue-lat.c ++++ b/tools/testing/selftests/timers/mqueue-lat.c +@@ -102,6 +102,7 @@ int main(int argc, char **argv) + int ret; + + printf("Mqueue latency : "); ++ fflush(stdout); + + ret = mqueue_lat_test(); + if (ret < 0) { +diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c +index 8adb0bb51d4d..71b5441c2fd9 100644 +--- a/tools/testing/selftests/timers/nanosleep.c ++++ b/tools/testing/selftests/timers/nanosleep.c +@@ -142,6 +142,7 @@ int main(int argc, char **argv) + continue; + + printf("Nanosleep %-31s ", clockstring(clockid)); ++ fflush(stdout); + + length = 10; + while (length <= (NSEC_PER_SEC * 10)) { +diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c +index c3c3dc10db17..eb3e79ed7b4a 100644 +--- a/tools/testing/selftests/timers/nsleep-lat.c ++++ b/tools/testing/selftests/timers/nsleep-lat.c +@@ -155,6 +155,7 @@ int main(int argc, char **argv) + continue; + + printf("nsleep latency %-26s ", clockstring(clockid)); ++ fflush(stdout); + + length = 10; + while (length <= (NSEC_PER_SEC * 10)) { +diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c +index dcf73c5dab6e..b41d8dd0c40c 100644 +--- a/tools/testing/selftests/timers/raw_skew.c ++++ b/tools/testing/selftests/timers/raw_skew.c +@@ -112,6 +112,7 @@ int main(int argv, char **argc) + printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n"); + + printf("Estimating clock drift: "); ++ fflush(stdout); + sleep(120); + + get_monotonic_and_raw(&mon, &raw); +diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c +index 70fed27d8fd3..8c4179ee2ca2 100644 +--- a/tools/testing/selftests/timers/set-tai.c ++++ 
b/tools/testing/selftests/timers/set-tai.c +@@ -55,6 +55,7 @@ int main(int argc, char **argv) + printf("tai offset started at %i\n", ret); + + printf("Checking tai offsets can be properly set: "); ++ fflush(stdout); + for (i = 1; i <= 60; i++) { + ret = set_tai(i); + ret = get_tai(); +diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c +index 877fd5532fee..62bd33eb16f0 100644 +--- a/tools/testing/selftests/timers/set-tz.c ++++ b/tools/testing/selftests/timers/set-tz.c +@@ -65,6 +65,7 @@ int main(int argc, char **argv) + printf("tz_minuteswest started at %i, dst at %i\n", min, dst); + + printf("Checking tz_minuteswest can be properly set: "); ++ fflush(stdout); + for (i = -15*60; i < 15*60; i += 30) { + ret = set_tz(i, dst); + ret = get_tz_min(); +@@ -76,6 +77,7 @@ int main(int argc, char **argv) + printf("[OK]\n"); + + printf("Checking invalid tz_minuteswest values are caught: "); ++ fflush(stdout); + + if (!set_tz(-15*60-1, dst)) { + printf("[FAILED] %i didn't return failure!\n", -15*60-1); +diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c +index 759c9c06f1a0..cf3e48919874 100644 +--- a/tools/testing/selftests/timers/threadtest.c ++++ b/tools/testing/selftests/timers/threadtest.c +@@ -163,6 +163,7 @@ int main(int argc, char **argv) + strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start)); + printf("%s\n", buf); + printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime); ++ fflush(stdout); + + /* spawn */ + for (i = 0; i < thread_count; i++) +diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c +index d9d3ab93b31a..5397de708d3c 100644 +--- a/tools/testing/selftests/timers/valid-adjtimex.c ++++ b/tools/testing/selftests/timers/valid-adjtimex.c +@@ -123,6 +123,7 @@ int validate_freq(void) + /* Set the leap second insert flag */ + + printf("Testing ADJ_FREQ... 
"); ++ fflush(stdout); + for (i = 0; i < NUM_FREQ_VALID; i++) { + tx.modes = ADJ_FREQUENCY; + tx.freq = valid_freq[i]; +@@ -250,6 +251,7 @@ int set_bad_offset(long sec, long usec, int use_nano) + int validate_set_offset(void) + { + printf("Testing ADJ_SETOFFSET... "); ++ fflush(stdout); + + /* Test valid values */ + if (set_offset(NSEC_PER_SEC - 1, 1)) +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 003109803a8..e913fe6191c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -19,3 +19,22 @@ cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch asoc-cs42xx8-add-regcache-mask-dirty.patch asoc-fsl_asrc-fix-the-issue-about-unsupported-rate.patch drm-i915-sdvo-implement-proper-hdmi-audio-support-for-sdvo.patch +x86-uaccess-kcov-disable-stack-protector.patch +alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch +alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch +revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch +s390-kasan-fix-strncpy_from_user-kasan-checks.patch +drivers-misc-fix-out-of-bounds-access-in-function-pa.patch +scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch +scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch +scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch +arm64-mm-inhibit-huge-vmap-with-ptdump.patch +nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch +platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch +platform-x86-pmc_atom-add-several-beckhoff-automatio.patch +scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch +libnvdimm-fix-compilation-warnings-with-w-1.patch +selftests-timers-add-missing-fflush-stdout-calls.patch +usbnet-ipheth-fix-racing-condition.patch +kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch +kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch diff --git a/queue-4.14/usbnet-ipheth-fix-racing-condition.patch b/queue-4.14/usbnet-ipheth-fix-racing-condition.patch new file mode 100644 index 00000000000..bcc9a5051bb 
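Review bot: Adding `fflush(stdout);` after each newline-less `printf()` has to be repeated at every such call site across all ten files, and a progress message added later without it brings the buffering problem back. For the tests that print from `main()`, one `setvbuf(stdout, NULL, _IONBF, 0);` at the top would cover existing and future prints, at the cost of unbuffered writes, which should not matter for output this sparse. The enclosing functions start and end outside the hunks.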
--- /dev/null +++ b/queue-4.14/usbnet-ipheth-fix-racing-condition.patch 
@@ -0,0 +1,62 @@ +From e7ad2978a74f8a94bfccc501f785c1d9cbbec2eb Mon Sep 17 00:00:00 2001 +From: Bernd Eckstein <3erndeckstein@gmail.com> +Date: Mon, 20 May 2019 17:31:09 +0200 +Subject: usbnet: ipheth: fix racing condition + +[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ] + +Fix a racing condition in ipheth.c that can lead to slow performance. + +Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback +ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called. +When this happens, the queue is stopped longer than it needs to be, +thus reducing network performance. + +Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order +is always correct. In case, usb_submit_urb() fails, the queue is woken up +again as callback will not fire. + +Testing: This racing condition is usually not noticeable, as it has to +occur very frequently to slowdown the network. The callback from the USB +is usually triggered slow enough, so the situation does not appear. +However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10, +the we loose the race quite often and the following speedup can be noticed: + +Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s +With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s + +Signed-off-by: Oliver Zweigle +Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com> +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ipheth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index 3d8a70d3ea9b..3d71f1716390 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net) + dev); + dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + ++ netif_stop_queue(net); + retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC); + if (retval) { + dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n", + __func__, retval); + dev->net->stats.tx_errors++; + dev_kfree_skb_any(skb); ++ netif_wake_queue(net); + } else { + dev->net->stats.tx_packets++; + dev->net->stats.tx_bytes += skb->len; + dev_consume_skb_any(skb); +- netif_stop_queue(net); + } + + return NETDEV_TX_OK; +-- +2.20.1 + diff --git a/queue-4.14/x86-uaccess-kcov-disable-stack-protector.patch b/queue-4.14/x86-uaccess-kcov-disable-stack-protector.patch new file mode 100644 index 00000000000..13369b420c1 --- /dev/null +++ b/queue-4.14/x86-uaccess-kcov-disable-stack-protector.patch 
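Review bot: The placement of `netif_stop_queue(net)` ahead of `usb_submit_urb()` in `ipheth_tx()` is the whole fix, yet nothing in the code says the order matters, so a later cleanup could move it back into the `else` branch. A comment above the call, such as `/* stop the queue before submitting: the completion callback may wake it at once */`, would keep the reasoning next to the code, and `/* no callback will fire, so restart the queue here */` would do the same for the added `netif_wake_queue(net)`. The new lines use `net` while the neighbouring statistics updates use `dev->net`; presumably both name the same device, and using one form throughout would make that plain. The function starts outside the hunk.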
@@ -0,0 +1,42 @@
+From 42471536684223f24c8733b0378145017b914389 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 7 Mar 2019 19:54:25 +0100
+Subject: x86/uaccess, kcov: Disable stack protector
+
+[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
+
+New tooling noticed this mishap:
+
+ kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
+ kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
+
+All the other instrumentation (KASAN,UBSAN) also have stack protector
+disabled.
+
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Borislav Petkov
+Cc: Josh Poimboeuf
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 172d151d429c..3085141c055c 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -30,6 +30,7 @@ KCOV_INSTRUMENT_extable.o := n
+ # Don't self-instrument.
+ KCOV_INSTRUMENT_kcov.o := n
+ KASAN_SANITIZE_kcov.o := n
++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+
+ # cond_syscall is currently not LTO compatible
+ CFLAGS_sys_ni.o = $(DISABLE_LTO)
+--
+2.20.1
+
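Review bot: Both flags on the added `CFLAGS_kcov.o` line go through a single `cc-option` call, which tests them together; a compiler that rejects `-fno-conserve-stack` would then get neither flag, and kcov.o would silently keep the stack protector this patch is meant to remove. Only the flag whose support varies needs the probe: `CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack) -fno-stack-protector`. A comment on the line, in the style of the `# Don't self-instrument.` one above it, would also record why the stack protector is off for this object.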