From: Sasha Levin Date: Mon, 11 Mar 2019 19:14:12 +0000 (-0400) Subject: autosel patches for 3.18 X-Git-Tag: v5.0.2~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f0d46f369053bb40bb785c599e1655ebd70424b;p=thirdparty%2Fkernel%2Fstable-queue.git autosel patches for 3.18 Signed-off-by: Sasha Levin
---
diff --git a/queue-3.18/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch b/queue-3.18/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
new file mode 100644
index 00000000000..85205902c04
--- /dev/null
+++ b/queue-3.18/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
@@ -0,0 +1,43 @@
+From ecb7688b1aac9d804356a12f3e9236396d68f34d Mon Sep 17 00:00:00 2001
+From: Peng Hao
+Date: Sat, 29 Dec 2018 13:10:06 +0800
+Subject: ARM: pxa: ssp: unneeded to free devm_ allocated data
+
+[ Upstream commit ba16adeb346387eb2d1ada69003588be96f098fa ]
+
+devm_ allocated data will be automatically freed. The free
+of devm_ allocated data is invalid.
+
+Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+Signed-off-by: Peng Hao
+[title's prefix changed]
+Signed-off-by: Robert Jarzmik
+Signed-off-by: Sasha Levin
+---
+ arch/arm/plat-pxa/ssp.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c
+index 1f5ee17a10e8..50c051bb9f90 100644
+--- a/arch/arm/plat-pxa/ssp.c
++++ b/arch/arm/plat-pxa/ssp.c
+@@ -239,8 +239,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ if (ssp == NULL)
+ return -ENODEV;
+
+- iounmap(ssp->mmio_base);
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ release_mem_region(res->start, resource_size(res));
+
+@@ -250,7 +248,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ list_del(&ssp->node);
+ mutex_unlock(&ssp_lock);
+
+- kfree(ssp);
+ return 0;
+ }
+
+--
+2.19.1
+
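Review bot: In the first inner hunk of the pxa ssp patch, `pxa_ssp_remove()` still dereferences `res` straight after `platform_get_resource()` and then calls `release_mem_region()` by hand, and the removal of `iounmap()` and `kfree()` leaves that untouched. If the probe side also requests the region through a devm_ helper (not visible here), this manual release is the same invalid-free pattern the commit removes, and a NULL `res` would oops; a guard such as `if (res) release_mem_region(res->start, resource_size(res));`, or dropping the call, should be checked against probe. For the 3.18 queue it is also worth confirming that the commit named in the Fixes: tag is present in that tree, since without devm_ allocation the dropped `kfree(ssp)` becomes a leak. The body of `pxa_ssp_remove()` starts above the hunk.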
diff --git a/queue-3.18/autofs-drop-dentry-reference-only-when-it-is-never-u.patch b/queue-3.18/autofs-drop-dentry-reference-only-when-it-is-never-u.patch
new file mode 100644
index 00000000000..f915b35fdfa
--- /dev/null
+++ b/queue-3.18/autofs-drop-dentry-reference-only-when-it-is-never-u.patch
@@ -0,0 +1,46 @@
+From 625fcc85895a172c82e71be033b4a793d4482dc0 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Fri, 1 Feb 2019 14:21:26 -0800
+Subject: autofs: drop dentry reference only when it is never used
+
+[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]
+
+autofs_expire_run() calls dput(dentry) to drop the reference count of
+dentry. However, dentry is read via autofs_dentry_ino(dentry) after
+that. This may result in a use-free-bug. The patch drops the reference
+count of dentry only when it is never used.
+
+Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
+Signed-off-by: Pan Bian
+Signed-off-by: Ian Kent
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/autofs4/expire.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
+index 513b8e5d151c..4cd4b20c69db 100644
+--- a/fs/autofs4/expire.c
++++ b/fs/autofs4/expire.c
+@@ -570,7 +570,6 @@ int autofs4_expire_run(struct super_block *sb,
+ pkt.len = dentry->d_name.len;
+ memcpy(pkt.name, dentry->d_name.name, pkt.len);
+ pkt.name[pkt.len] = '\0';
+- dput(dentry);
+
+ if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) )
+ ret = -EFAULT;
+@@ -583,6 +582,8 @@ int autofs4_expire_run(struct super_block *sb,
+ complete_all(&ino->expire_complete);
+ spin_unlock(&sbi->fs_lock);
+
++ dput(dentry);
++
+ return ret;
+ }
+
+--
+2.19.1
+
diff --git a/queue-3.18/autofs-fix-error-return-in-autofs_fill_super.patch b/queue-3.18/autofs-fix-error-return-in-autofs_fill_super.patch
new file mode 100644
index 00000000000..3ecee5fff44
--- /dev/null
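Review bot: The relocated `dput(dentry)` at the end of `autofs4_expire_run()` carries no comment saying why it must stay last, so a later cleanup could move it back above the `ino` accesses and reintroduce the use-after-free the commit message describes. A one-line comment above the call, such as `/* ino is reached through dentry: drop the reference only after the last use of ino */`, would record the ordering constraint. The function body starts above the hunk, so the place where `ino` is obtained is not visible here.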
+++ b/queue-3.18/autofs-fix-error-return-in-autofs_fill_super.patch
@@ -0,0 +1,39 @@
+From cd0b4555547925a3582e7f56c30a6b6cfa2b99eb Mon Sep 17 00:00:00 2001
+From: Ian Kent
+Date: Fri, 1 Feb 2019 14:21:29 -0800
+Subject: autofs: fix error return in autofs_fill_super()
+
+[ Upstream commit f585b283e3f025754c45bbe7533fc6e5c4643700 ]
+
+In autofs_fill_super() on error of get inode/make root dentry the return
+should be ENOMEM as this is the only failure case of the called
+functions.
+
+Link: http://lkml.kernel.org/r/154725123240.11260.796773942606871359.stgit@pluto-themaw-net
+Signed-off-by: Ian Kent
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/autofs4/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c
+index 1c55388ae633..512f70fade24 100644
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -256,8 +256,10 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
+ }
+ root_inode = autofs4_get_inode(s, S_IFDIR | 0755);
+ root = d_make_root(root_inode);
+- if (!root)
++ if (!root) {
++ ret = -ENOMEM;
+ goto fail_ino;
++ }
+ pipe = NULL;
+
+ root->d_fsdata = ino;
+--
+2.19.1
+
diff --git a/queue-3.18/cifs-fix-computation-for-max_smb2_hdr_size.patch b/queue-3.18/cifs-fix-computation-for-max_smb2_hdr_size.patch
new file mode 100644
index 00000000000..cc457c4d0e3
--- /dev/null
+++ b/queue-3.18/cifs-fix-computation-for-max_smb2_hdr_size.patch
@@ -0,0 +1,35 @@
+From b003cfb0dd0dc778e35be070cedba60cc729b71f Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Tue, 29 Jan 2019 12:46:16 +1000
+Subject: cifs: fix computation for MAX_SMB2_HDR_SIZE
+
+[ Upstream commit 58d15ed1203f4d858c339ea4d7dafa94bd2a56d3 ]
+
+The size of the fixed part of the create response is 88 bytes not 56.
+
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2pdu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index 05c322d9e1e7..c68c31c9fedf 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -82,8 +82,8 @@
+
+ #define NUMBER_OF_SMB2_COMMANDS 0x0013
+
+-/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
+-#define MAX_SMB2_HDR_SIZE 0x00b0
++/* 52 transform hdr + 64 hdr + 88 create rsp */
++#define MAX_SMB2_HDR_SIZE 204
+
+ #define SMB2_PROTO_NUMBER __constant_cpu_to_le32(0x424d53fe)
+
+--
+2.19.1
+
diff --git a/queue-3.18/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch b/queue-3.18/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
new file mode 100644
index 00000000000..2fcae4e609a
--- /dev/null
+++ b/queue-3.18/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
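Review bot: The new comment and value for `MAX_SMB2_HDR_SIZE` in fs/cifs/smb2pdu.h drop the `4 len` term that the removed 3.18 comment counted, so the total is 52 + 64 + 88 = 204 with no room for the 4-byte length prefix. If the 3.18 tree still keeps that length field at the front of the buffer, as the removed comment suggests, the backport should probably read `/* 4 len + 52 transform hdr + 64 hdr + 88 create rsp */` with `#define MAX_SMB2_HDR_SIZE 208`. An undersized header constant can lead to an out-of-bounds copy, so this is worth confirming against the struct definitions in this tree.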
@@ -0,0 +1,121 @@
+From 062a049b4c3005f3b769000cd64ac6d9ae93fce9 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Wed, 30 Jan 2019 21:48:44 +0200
+Subject: dmaengine: dmatest: Abort test in case of mapping error
+
+[ Upstream commit 6454368a804c4955ccd116236037536f81e5b1f1 ]
+
+In case of mapping error the DMA addresses are invalid and continuing
+will screw system memory or potentially something else.
+
+[ 222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0)
+...
+[ 240.912725] check: Corrupted low memory at 00000000c7c75ac9 (2940 phys) = 5656000000000000
+[ 240.921998] check: Corrupted low memory at 000000005715a1cd (2948 phys) = 279f2aca5595ab2b
+[ 240.931280] check: Corrupted low memory at 000000002f4024c0 (2950 phys) = 5e5624f349e793cf
+...
+
+Abort any test if mapping failed.
+
+Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data")
+Cc: Dan Williams
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/dmatest.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
+index a8d7809e2f4c..5495ba6cf452 100644
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -548,11 +548,9 @@ static int dmatest_func(void *data)
+ srcs[i] = um->addr[i] + src_off;
+ ret = dma_mapping_error(dev->dev, um->addr[i]);
+ if (ret) {
+- dmaengine_unmap_put(um);
+ result("src mapping error", total_tests,
+ src_off, dst_off, len, ret);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+ um->to_cnt++;
+ }
+@@ -567,11 +565,9 @@ static int dmatest_func(void *data)
+ DMA_BIDIRECTIONAL);
+ ret = dma_mapping_error(dev->dev, dsts[i]);
+ if (ret) {
+- dmaengine_unmap_put(um);
+ result("dst mapping error", total_tests,
+ src_off, dst_off, len, ret);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+ um->bidi_cnt++;
+ }
+@@ -596,12 +592,10 @@ static int dmatest_func(void *data)
+ }
+
+ if (!tx) {
+- dmaengine_unmap_put(um);
+ result("prep error", total_tests, src_off,
+ dst_off, len, ret);
+ msleep(100);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+
+ done.done = false;
+@@ -610,12 +604,10 @@ static int dmatest_func(void *data)
+ cookie = tx->tx_submit(tx);
+
+ if (dma_submit_error(cookie)) {
+- dmaengine_unmap_put(um);
+ result("submit error", total_tests, src_off,
+ dst_off, len, ret);
+ msleep(100);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+ dma_async_issue_pending(chan);
+
+@@ -636,16 +628,14 @@ static int dmatest_func(void *data)
+ dmaengine_unmap_put(um);
+ result("test timed out", total_tests, src_off, dst_off,
+ len, 0);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ } else if (status != DMA_COMPLETE) {
+ dmaengine_unmap_put(um);
+ result(status == DMA_ERROR ?
+ "completion error status" :
+ "completion busy status", total_tests, src_off,
+ dst_off, len, ret);
+- failed_tests++;
+- continue;
++ goto error_unmap_continue;
+ }
+
+ dmaengine_unmap_put(um);
+@@ -684,6 +674,12 @@ static int dmatest_func(void *data)
+ verbose_result("test passed", total_tests, src_off,
+ dst_off, len, 0);
+ }
++
++ continue;
++
++error_unmap_continue:
++ dmaengine_unmap_put(um);
++ failed_tests++;
+ }
+ runtime = ktime_us_delta(ktime_get(), ktime);
+
+--
+2.19.1
+
diff --git a/queue-3.18/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch b/queue-3.18/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
new file mode 100644
index 00000000000..eeed11ce3eb
--- /dev/null
+++ b/queue-3.18/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
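Review bot: In the `@@ -636,16 +628,14 @@` hunk the timed-out and `status != DMA_COMPLETE` branches keep their `dmaengine_unmap_put(um);` context line and now also jump to `error_unmap_continue`, which calls `dmaengine_unmap_put(um)` again, so `um` is put twice on those two paths. A double put can drop the reference count of the unmap data below its real users, so that it is unmapped or freed while still referenced. Removing the two leftover `dmaengine_unmap_put(um);` lines in those branches, as the patch already does for the four earlier error paths, leaves the label as the single release point. The loop body of `dmatest_func()` starts and ends outside the hunks.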
@@ -0,0 +1,78 @@
+From 49062616b2edde9e6728c3506c5ee782016c1fc9 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit
+Date: Thu, 24 Jan 2019 04:16:45 +0000
+Subject: iommu/amd: Fix IOMMU page flush when detach device from a domain
+
+[ Upstream commit 9825bd94e3a2baae1f4874767ae3a7d4c049720e ]
+
+When a VM is terminated, the VFIO driver detaches all pass-through
+devices from VFIO domain by clearing domain id and page table root
+pointer from each device table entry (DTE), and then invalidates
+the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages.
+
+Currently, the IOMMU driver keeps track of which IOMMU and how many
+devices are attached to the domain. When invalidate IOMMU pages,
+the driver checks if the IOMMU is still attached to the domain before
+issuing the invalidate page command.
+
+However, since VFIO has already detached all devices from the domain,
+the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as
+there is no IOMMU attached to the domain. This results in data
+corruption and could cause the PCI device to end up in indeterministic
+state.
+
+Fix this by invalidate IOMMU pages when detach a device, and
+before decrementing the per-domain device reference counts.
+
+Cc: Boris Ostrovsky
+Suggested-by: Joerg Roedel
+Co-developed-by: Brijesh Singh
+Signed-off-by: Brijesh Singh
+Signed-off-by: Suravee Suthikulpanit
+Fixes: 6de8ad9b9ee0 ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs')
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd_iommu.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 5cf388ad1555..48a73c48876b 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2132,14 +2132,11 @@ static void do_attach(struct iommu_dev_data *dev_data,
+
+ static void do_detach(struct iommu_dev_data *dev_data)
+ {
++ struct protection_domain *domain = dev_data->domain;
+ struct amd_iommu *iommu;
+
+ iommu = amd_iommu_rlookup_table[dev_data->devid];
+
+- /* decrease reference counters */
+- dev_data->domain->dev_iommu[iommu->index] -= 1;
+- dev_data->domain->dev_cnt -= 1;
+-
+ /* Update data structures */
+ dev_data->domain = NULL;
+ list_del(&dev_data->list);
+@@ -2147,6 +2144,16 @@ static void do_detach(struct iommu_dev_data *dev_data)
+
+ /* Flush the DTE entry */
+ device_flush_dte(dev_data);
++
++ /* Flush IOTLB */
++ domain_flush_tlb_pde(domain);
++
++ /* Wait for the flushes to finish */
++ domain_flush_complete(domain);
++
++ /* decrease reference counters - needs to happen after the flushes */
++ domain->dev_iommu[iommu->index] -= 1;
++ domain->dev_cnt -= 1;
+ }
+
+ /*
+--
+2.19.1
+
diff --git a/queue-3.18/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch b/queue-3.18/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
new file mode 100644
index 00000000000..ad7722b379c
--- /dev/null
+++ b/queue-3.18/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
@@ -0,0 +1,91 @@
+From 72b214f9b23b1e9819df887e01b9126496e0cca9 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu
+Date: Thu, 10 Jan 2019 16:39:06 +0800
+Subject: ipvs: Fix signed integer overflow when setsockopt timeout
+
+[ Upstream commit 53ab60baa1ac4f20b080a22c13b77b6373922fd7 ]
+
+There is a UBSAN bug report as below:
+UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
+signed integer overflow:
+-2147483647 * 1000 cannot be represented in type 'int'
+
+Reproduce program:
+ #include
+ #include
+ #include
+
+ #define IPPROTO_IP 0
+ #define IPPROTO_RAW 255
+
+ #define IP_VS_BASE_CTL (64+1024+64)
+ #define IP_VS_SO_SET_TIMEOUT (IP_VS_BASE_CTL+10)
+
+ /* The argument to IP_VS_SO_GET_TIMEOUT */
+ struct ipvs_timeout_t {
+ int tcp_timeout;
+ int tcp_fin_timeout;
+ int udp_timeout;
+ };
+
+ int main() {
+ int ret = -1;
+ int sockfd = -1;
+ struct ipvs_timeout_t to;
+
+ sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ if (sockfd == -1) {
+ printf("socket init error\n");
+ return -1;
+ }
+
+ to.tcp_timeout = -2147483647;
+ to.tcp_fin_timeout = -2147483647;
+ to.udp_timeout = -2147483647;
+
+ ret = setsockopt(sockfd,
+ IPPROTO_IP,
+ IP_VS_SO_SET_TIMEOUT,
+ (char *)(&to),
+ sizeof(to));
+
+ printf("setsockopt return %d\n", ret);
+ return ret;
+ }
+
+Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
+
+Signed-off-by: ZhangXiaoxu
+Acked-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 9b1452e8e868..444a0cb33e97 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2182,6 +2182,18 @@ static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
+ u->tcp_fin_timeout,
+ u->udp_timeout);
+
++#ifdef CONFIG_IP_VS_PROTO_TCP
++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
++ return -EINVAL;
++ }
++#endif
++
++#ifdef CONFIG_IP_VS_PROTO_UDP
++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
++ return -EINVAL;
++#endif
++
+ #ifdef CONFIG_IP_VS_PROTO_TCP
+ if (u->tcp_timeout) {
+ pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
+--
+2.19.1
+
diff --git a/queue-3.18/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch b/queue-3.18/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
new file mode 100644
index 00000000000..34c89627e72
--- /dev/null
+++ b/queue-3.18/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
@@ -0,0 +1,55 @@
+From d471f63f1513b644045aae15065e8fd217be32d9 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Mon, 28 Jan 2019 16:59:35 +0100
+Subject: irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
+
+[ Upstream commit 2380a22b60ce6f995eac806e69c66e397b59d045 ]
+
+Resetting bit 4 disables the interrupt delivery to the "secure
+processor" core. This breaks the keyboard on a OLPC XO 1.75 laptop,
+where the firmware running on the "secure processor" bit-bangs the
+PS/2 protocol over the GPIO lines.
+
+It is not clear what the rest of the bits are and Marvell was unhelpful
+when asked for documentation. Aside from the SP bit, there are probably
+priority bits.
+
+Leaving the unknown bits as the firmware set them up seems to be a wiser
+course of action compared to just turning them off.
+
+Signed-off-by: Lubomir Rintel
+Acked-by: Pavel Machek
+[maz: fixed-up subject and commit message]
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-mmp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c
+index c0da57bdb89d..7924d21c86ec 100644
+--- a/drivers/irqchip/irq-mmp.c
++++ b/drivers/irqchip/irq-mmp.c
+@@ -35,6 +35,9 @@
+ #define SEL_INT_PENDING (1 << 6)
+ #define SEL_INT_NUM_MASK 0x3f
+
++#define MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5)
++#define MMP2_ICU_INT_ROUTE_PJ4_FIQ (1 << 6)
++
+ struct icu_chip_data {
+ int nr_irqs;
+ unsigned int virq_base;
+@@ -191,7 +194,8 @@ static struct mmp_intc_conf mmp_conf = {
+ static struct mmp_intc_conf mmp2_conf = {
+ .conf_enable = 0x20,
+ .conf_disable = 0x0,
+- .conf_mask = 0x7f,
++ .conf_mask = MMP2_ICU_INT_ROUTE_PJ4_IRQ |
++ MMP2_ICU_INT_ROUTE_PJ4_FIQ,
+ };
+
+ static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs)
+--
+2.19.1
+
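Review bot: In `mmp2_conf`, `.conf_enable = 0x20` stays a bare literal although it has the same value as the newly added `MMP2_ICU_INT_ROUTE_PJ4_IRQ` (1 << 5), so the relation between the enable value and the narrowed mask is not visible to the reader. Writing `.conf_enable = MMP2_ICU_INT_ROUTE_PJ4_IRQ,` would make it explicit that enabling routes to the PJ4 IRQ line only and that the value lies inside `.conf_mask`. The mask/unmask code that applies `conf_mask` is outside this hunk, so whether it does a read-modify-write that actually preserves the other bits on 3.18 should be confirmed there.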
diff --git a/queue-3.18/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch b/queue-3.18/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
new file mode 100644
index 00000000000..5a201e8cbd0
--- /dev/null
+++ b/queue-3.18/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
@@ -0,0 +1,90 @@
+From 101e03d1c6833a88f1653b995557194bebd55ce8 Mon Sep 17 00:00:00 2001
+From: Michal Hocko
+Date: Fri, 1 Feb 2019 14:20:34 -0800
+Subject: mm, memory_hotplug: is_mem_section_removable do not pass the end of a
+ zone
+
+[ Upstream commit efad4e475c312456edb3c789d0996d12ed744c13 ]
+
+Patch series "mm, memory_hotplug: fix uninitialized pages fallouts", v2.
+
+Mikhail Zaslonko has posted fixes for the two bugs quite some time ago
+[1]. I have pushed back on those fixes because I believed that it is
+much better to plug the problem at the initialization time rather than
+play whack-a-mole all over the hotplug code and find all the places
+which expect the full memory section to be initialized.
+
+We have ended up with commit 2830bf6f05fb ("mm, memory_hotplug:
+initialize struct pages for the full memory section") merged and cause a
+regression [2][3]. The reason is that there might be memory layouts
+when two NUMA nodes share the same memory section so the merged fix is
+simply incorrect.
+
+In order to plug this hole we really have to be zone range aware in
+those handlers. I have split up the original patch into two. One is
+unchanged (patch 2) and I took a different approach for `removable'
+crash.
+
+[1] http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com
+[2] https://bugzilla.redhat.com/show_bug.cgi?id=1666948
+[3] http://lkml.kernel.org/r/20190125163938.GA20411@dhcp22.suse.cz
+
+This patch (of 2):
+
+Mikhail has reported the following VM_BUG_ON triggered when reading sysfs
+removable state of a memory block:
+
+ page:000003d08300c000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ is_mem_section_removable+0xb4/0x190
+ show_mem_removable+0x9a/0xd8
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ is_mem_section_removable+0xb4/0x190
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+The reason is that the memory block spans the zone boundary and we are
+stumbling over an unitialized struct page. Fix this by enforcing zone
+range in is_mem_section_removable so that we never run away from a zone.
+
+Link: http://lkml.kernel.org/r/20190128144506.15603-2-mhocko@kernel.org
+Signed-off-by: Michal Hocko
+Reported-by: Mikhail Zaslonko
+Debugged-by: Mikhail Zaslonko
+Tested-by: Gerald Schaefer
+Tested-by: Mikhail Gavrilov
+Reviewed-by: Oscar Salvador
+Cc: Pavel Tatashin
+Cc: Heiko Carstens
+Cc: Martin Schwidefsky
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/memory_hotplug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index 05014e89efae..3fb2067c36a4 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1321,7 +1321,8 @@ static struct page *next_active_pageblock(struct page *page)
+ int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
+ {
+ struct page *page = pfn_to_page(start_pfn);
+- struct page *end_page = page + nr_pages;
++ unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page)));
++ struct page *end_page = pfn_to_page(end_pfn);
+
+ /* Check the starting page of each pageblock within the range */
+ for (; page < end_page; page = next_active_pageblock(page)) {
+--
+2.19.1
+
diff --git a/queue-3.18/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch b/queue-3.18/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
new file mode 100644
index 00000000000..f27b00c84c1
--- /dev/null
+++ b/queue-3.18/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
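Review bot: `struct page *end_page = pfn_to_page(end_pfn);` in `is_mem_section_removable()` forms a struct page pointer for the pfn one past the clamped range, and the loop then relies on the pointer comparison `page < end_page`. That comparison is only meaningful when both pointers come from one contiguous memmap, which nothing visible in the hunk guarantees when the range ends at a section or zone edge; bounding the loop by pfn instead, e.g. `page_to_pfn(page) < end_pfn`, would avoid the extra conversion. The clamp also calls `page_zone(page)` on the first page, so it assumes that page is initialised, and a one-line comment stating this would help. The loop body continues below the hunk.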
@@ -0,0 +1,40 @@
+From afcc1939458e017b5b34c92430fda471cedf764b Mon Sep 17 00:00:00 2001
+From: Tomonori Sakita
+Date: Fri, 25 Jan 2019 11:02:22 +0900
+Subject: net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
+
+[ Upstream commit 6571ebce112a21ec9be68ef2f53b96fcd41fd81b ]
+
+If fill_level was not zero and status was not BUSY,
+result of "tx_prod - tx_cons - inuse" might be zero.
+Subtracting 1 unconditionally results invalid negative return value
+on this case.
+Make sure not to return an negative value.
+
+Signed-off-by: Tomonori Sakita
+Signed-off-by: Atsushi Nemoto
+Reviewed-by: Dalon L Westergreen
+Acked-by: Thor Thayer
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/altera/altera_msgdma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/altera/altera_msgdma.c b/drivers/net/ethernet/altera/altera_msgdma.c
+index 0fb986ba3290..0ae723f75341 100644
+--- a/drivers/net/ethernet/altera/altera_msgdma.c
++++ b/drivers/net/ethernet/altera/altera_msgdma.c
+@@ -145,7 +145,8 @@ u32 msgdma_tx_completions(struct altera_tse_private *priv)
+ & 0xffff;
+
+ if (inuse) { /* Tx FIFO is not empty */
+- ready = priv->tx_prod - priv->tx_cons - inuse - 1;
++ ready = max_t(int,
++ priv->tx_prod - priv->tx_cons - inuse - 1, 0);
+ } else {
+ /* Check for buffered last packet */
+ status = csrrd32(priv->tx_dma_csr, msgdma_csroffs(status));
+--
+2.19.1
+
diff --git a/queue-3.18/nfs-fix-null-pointer-dereference-of-dev_name.patch b/queue-3.18/nfs-fix-null-pointer-dereference-of-dev_name.patch
new file mode 100644
index 00000000000..12c3a1f8de7
--- /dev/null
+++ b/queue-3.18/nfs-fix-null-pointer-dereference-of-dev_name.patch
@@ -0,0 +1,56 @@
+From 83aa598ebd2479549323ebd97060afdcc984a7e2 Mon Sep 17 00:00:00 2001
+From: Yao Liu
+Date: Mon, 28 Jan 2019 19:44:14 +0800
+Subject: nfs: Fix NULL pointer dereference of dev_name
+
+[ Upstream commit 80ff00172407e0aad4b10b94ef0816fc3e7813cb ]
+
+There is a NULL pointer dereference of dev_name in nfs_parse_devname()
+
+The oops looks something like:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ ...
+ RIP: 0010:nfs_fs_mount+0x3b6/0xc20 [nfs]
+ ...
+ Call Trace:
+ ? ida_alloc_range+0x34b/0x3d0
+ ? nfs_clone_super+0x80/0x80 [nfs]
+ ? nfs_free_parsed_mount_data+0x60/0x60 [nfs]
+ mount_fs+0x52/0x170
+ ? __init_waitqueue_head+0x3b/0x50
+ vfs_kern_mount+0x6b/0x170
+ do_mount+0x216/0xdc0
+ ksys_mount+0x83/0xd0
+ __x64_sys_mount+0x25/0x30
+ do_syscall_64+0x65/0x220
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix this by adding a NULL check on dev_name
+
+Signed-off-by: Yao Liu
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 655ac3a196e4..d2fcd6e9d675 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1876,6 +1876,11 @@ static int nfs_parse_devname(const char *dev_name,
+ size_t len;
+ char *end;
+
++ if (unlikely(!dev_name || !*dev_name)) {
++ dfprintk(MOUNT, "NFS: device name not specified\n");
++ return -EINVAL;
++ }
++
+ /* Is the host name protected with square brakcets? */
+ if (*dev_name == '[') {
+ end = strchr(++dev_name, ']');
+--
+2.19.1
+
diff --git a/queue-3.18/perf-symbols-filter-out-hidden-symbols-from-labels.patch b/queue-3.18/perf-symbols-filter-out-hidden-symbols-from-labels.patch
new file mode 100644
index 00000000000..973580e31a0
--- /dev/null
+++ b/queue-3.18/perf-symbols-filter-out-hidden-symbols-from-labels.patch
@@ -0,0 +1,94 @@
+From ae736424ef99bd1fa74c25263c3c68ea7080087c Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Mon, 28 Jan 2019 14:35:26 +0100
+Subject: perf symbols: Filter out hidden symbols from labels
+
+[ Upstream commit 59a17706915fe5ea6f711e1f92d4fb706bce07fe ]
+
+When perf is built with the annobin plugin (RHEL8 build) extra symbols
+are added to its binary:
+
+ # nm perf | grep annobin | head -10
+ 0000000000241100 t .annobin_annotate.c
+ 0000000000326490 t .annobin_annotate.c
+ 0000000000249255 t .annobin_annotate.c_end
+ 00000000003283a8 t .annobin_annotate.c_end
+ 00000000001bce18 t .annobin_annotate.c_end.hot
+ 00000000001bce18 t .annobin_annotate.c_end.hot
+ 00000000001bc3e2 t .annobin_annotate.c_end.unlikely
+ 00000000001bc400 t .annobin_annotate.c_end.unlikely
+ 00000000001bce18 t .annobin_annotate.c.hot
+ 00000000001bce18 t .annobin_annotate.c.hot
+ ...
+
+Those symbols have no use for report or annotation and should be
+skipped. Moreover they interfere with the DWARF unwind test on the PPC
+arch, where they are mixed with checked symbols and then the test fails:
+
+ # perf test dwarf -v
+ 59: Test dwarf unwind :
+ --- start ---
+ test child forked, pid 8515
+ unwind: .annobin_dwarf_unwind.c:ip = 0x10dba40dc (0x2740dc)
+ ...
+ got: .annobin_dwarf_unwind.c 0x10dba40dc, expecting test__arch_unwind_sample
+ unwind: failed with 'no error'
+
+The annobin symbols are defined as NOTYPE/LOCAL/HIDDEN:
+
+ # readelf -s ./perf | grep annobin | head -1
+ 40: 00000000001bce4f 0 NOTYPE LOCAL HIDDEN 13 .annobin_init.c
+
+They can still pass the check for the label symbol. Adding check for
+HIDDEN and INTERNAL (as suggested by Nick below) visibility and filter
+out such symbols.
+
+> Just to be awkward, if you are going to ignore STV_HIDDEN
+> symbols then you should probably also ignore STV_INTERNAL ones
+> as well... Annobin does not generate them, but you never know,
+> one day some other tool might create some.
+
+Signed-off-by: Jiri Olsa
+Cc: Alexander Shishkin
+Cc: Masami Hiramatsu
+Cc: Michael Petlan
+Cc: Namhyung Kim
+Cc: Nick Clifton
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/20190128133526.GD15461@krava
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/symbol-elf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
+index 194300a08197..04100626ca51 100644
+--- a/tools/perf/util/symbol-elf.c
++++ b/tools/perf/util/symbol-elf.c
+@@ -48,6 +48,11 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym)
+ return GELF_ST_TYPE(sym->st_info);
+ }
+
++static inline uint8_t elf_sym__visibility(const GElf_Sym *sym)
++{
++ return GELF_ST_VISIBILITY(sym->st_other);
++}
++
+ #ifndef STT_GNU_IFUNC
+ #define STT_GNU_IFUNC 10
+ #endif
+@@ -72,7 +77,9 @@ static inline int elf_sym__is_label(const GElf_Sym *sym)
+ return elf_sym__type(sym) == STT_NOTYPE &&
+ sym->st_name != 0 &&
+ sym->st_shndx != SHN_UNDEF &&
+- sym->st_shndx != SHN_ABS;
++ sym->st_shndx != SHN_ABS &&
++ elf_sym__visibility(sym) != STV_HIDDEN &&
++ elf_sym__visibility(sym) != STV_INTERNAL;
+ }
+
+ static bool elf_sym__is_a(GElf_Sym *sym, enum map_type type)
+--
+2.19.1
+
diff --git a/queue-3.18/perf-tools-handle-topology-headers-with-no-cpu.patch b/queue-3.18/perf-tools-handle-topology-headers-with-no-cpu.patch
new file mode 100644
index 00000000000..ea51a91fc37
--- /dev/null
+++ b/queue-3.18/perf-tools-handle-topology-headers-with-no-cpu.patch
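Review bot: The new `elf_sym__visibility()` helper uses `GELF_ST_VISIBILITY` unconditionally, while the same file guards `STT_GNU_IFUNC` with `#ifndef`, presumably because some libelf headers lack it; toolchains of the 3.18 era may equally lack the visibility macro and then fail to build perf. A fallback next to the existing one, `#ifndef GELF_ST_VISIBILITY` / `#define GELF_ST_VISIBILITY(o) ((o) & 0x03)` / `#endif`, keeps the backport building there. The two low bits of `st_other` are the ELF visibility field, so the fallback matches the real macro.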
@@ -0,0 +1,67 @@
+From d06e8eda25bdbe088b2876d40f416ba4f20b4d49 Mon Sep 17 00:00:00 2001
+From: Stephane Eranian
+Date: Sat, 19 Jan 2019 00:12:39 -0800
+Subject: perf tools: Handle TOPOLOGY headers with no CPU
+
+[ Upstream commit 1497e804d1a6e2bd9107ddf64b0310449f4673eb ]
+
+This patch fixes an issue in cpumap.c when used with the TOPOLOGY
+header. In some configurations, some NUMA nodes may have no CPU (empty
+cpulist). Yet a cpumap map must be created otherwise perf abort with an
+error. This patch handles this case by creating a dummy map.
+
+ Before:
+
+ $ perf record -o - -e cycles noploop 2 | perf script -i -
+ 0x6e8 [0x6c]: failed to process type: 80
+
+ After:
+
+ $ perf record -o - -e cycles noploop 2 | perf script -i -
+ noploop for 2 seconds
+
+Signed-off-by: Stephane Eranian
+Acked-by: Jiri Olsa
+Cc: Andi Kleen
+Cc: Kan Liang
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eranian@google.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/cpumap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
+index c4e55b71010c..2ccfeb78fd5d 100644
+--- a/tools/perf/util/cpumap.c
++++ b/tools/perf/util/cpumap.c
+@@ -121,7 +121,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
+ if (!cpu_list)
+ return cpu_map__read_all_cpu_map();
+
+- if (!isdigit(*cpu_list))
++ /*
++ * must handle the case of empty cpumap to cover
++ * TOPOLOGY header for NUMA nodes with no CPU
++ * ( e.g., because of CPU hotplug)
++ */
++ if (!isdigit(*cpu_list) && *cpu_list != '\0')
+ goto out;
+
+ while (isdigit(*cpu_list)) {
+@@ -168,8 +173,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
+
+ if (nr_cpus > 0)
+ cpus = cpu_map__trim_new(nr_cpus, tmp_cpus);
+- else
++ else if (*cpu_list != '\0')
+ cpus = cpu_map__default_new();
++ else
++ cpus = cpu_map__dummy_new();
+ invalid:
+ free(tmp_cpus);
+ out:
+--
+2.19.1
+
diff --git a/queue-3.18/platform-x86-fix-unmet-dependency-warning-for-samsun.patch b/queue-3.18/platform-x86-fix-unmet-dependency-warning-for-samsun.patch
new file mode 100644
index 00000000000..c2a25306086
--- /dev/null
+++ b/queue-3.18/platform-x86-fix-unmet-dependency-warning-for-samsun.patch
@@ -0,0 +1,43 @@
+From 33ddf4e8f2bcd86e871435b04b6c6ed72a4a16f4 Mon Sep 17 00:00:00 2001
+From: Sinan Kaya
+Date: Thu, 24 Jan 2019 19:31:01 +0000
+Subject: platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
+
+[ Upstream commit 0ee4b5f801b73b83a9fb3921d725f2162fd4a2e5 ]
+
+Add BACKLIGHT_LCD_SUPPORT for SAMSUNG_Q10 to fix the
+warning: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE.
+
+SAMSUNG_Q10 selects BACKLIGHT_CLASS_DEVICE but BACKLIGHT_CLASS_DEVICE
+depends on BACKLIGHT_LCD_SUPPORT.
+
+Copy BACKLIGHT_LCD_SUPPORT dependency into SAMSUNG_Q10 to fix:
+
+WARNING: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE
+ Depends on [n]: HAS_IOMEM [=y] && BACKLIGHT_LCD_SUPPORT [=n]
+ Selected by [y]:
+ - SAMSUNG_Q10 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y]
+
+Signed-off-by: Sinan Kaya
+Acked-by: Andy Shevchenko
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index a2eabe6ff9ad..99913af2338c 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -806,6 +806,7 @@ config INTEL_OAKTRAIL
+ config SAMSUNG_Q10
+ tristate "Samsung Q10 Extras"
+ depends on ACPI
++ depends on BACKLIGHT_LCD_SUPPORT
+ select BACKLIGHT_CLASS_DEVICE
+ ---help---
+ This driver provides support for backlight control on Samsung Q10
+--
+2.19.1
+
diff --git a/queue-3.18/s390-qeth-fix-use-after-free-in-error-path.patch b/queue-3.18/s390-qeth-fix-use-after-free-in-error-path.patch
new file mode 100644
index 00000000000..34762672931
--- /dev/null
+++ b/queue-3.18/s390-qeth-fix-use-after-free-in-error-path.patch 
@@ -0,0 +1,70 @@
+From 66ada40b315feccd4b1949cfd67761caafa4e9c3 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann
+Date: Mon, 4 Feb 2019 17:40:07 +0100
+Subject: s390/qeth: fix use-after-free in error path
+
+[ Upstream commit afa0c5904ba16d59b0454f7ee4c807dae350f432 ]
+
+The error path in qeth_alloc_qdio_buffers() that takes care of
+cleaning up the Output Queues is buggy. It first frees the queue, but
+then calls qeth_clear_outq_buffers() with that very queue struct.
+
+Make the call to qeth_clear_outq_buffers() part of the free action
+(in the correct order), and while at it fix the naming of the helper.
+
+Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann
+Reviewed-by: Alexandra Winter
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/net/qeth_core_main.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 2ac6d6665834..a874b821d239 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -2423,11 +2423,12 @@ static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *q, int bidx)
+ return rc;
+ }
+
+-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q)
++static void qeth_free_output_queue(struct qeth_qdio_out_q *q)
+ {
+ if (!q)
+ return;
+
++ qeth_clear_outq_buffers(q, 1);
+ qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q);
+ kfree(q);
+ }
+@@ -2500,10 +2501,8 @@ static int qeth_alloc_qdio_buffers(struct qeth_card *card)
+ card->qdio.out_qs[i]->bufs[j] = NULL;
+ }
+ out_freeoutq:
+- while (i > 0) {
+- qeth_free_qdio_out_buf(card->qdio.out_qs[--i]);
+- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
+- }
++ while (i > 0)
++ qeth_free_output_queue(card->qdio.out_qs[--i]);
+ kfree(card->qdio.out_qs);
+ card->qdio.out_qs = NULL;
+ out_freepool:
+@@ -2536,10 +2535,8 @@ static void qeth_free_qdio_buffers(struct qeth_card *card)
+ qeth_free_buffer_pool(card);
+ /* free outbound qdio_qs */
+ if (card->qdio.out_qs) {
+- for (i = 0; i < card->qdio.no_out_queues; ++i) {
+- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
+- qeth_free_qdio_out_buf(card->qdio.out_qs[i]);
+- }
++ for (i = 0; i < card->qdio.no_out_queues; i++)
++ qeth_free_output_queue(card->qdio.out_qs[i]);
+ kfree(card->qdio.out_qs);
+ card->qdio.out_qs = NULL;
+ }
+--
+2.19.1
+
diff --git a/queue-3.18/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch b/queue-3.18/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
new file mode 100644
index 00000000000..c0ce859bdfc
--- /dev/null
+++ b/queue-3.18/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
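Review bot: In the qeth_core_main.c patch, the `out_freeoutq` loop pre-decrements `i`, so `qeth_free_output_queue()` only reaches queues below index `i`, while the lines just above the label clear `card->qdio.out_qs[i]->bufs[j]` for the queue that was still being set up. The hunk does not show whether that half-initialised queue struct and its `qdio_bufs` are released anywhere else; if they are not, the failure path leaks them, and the block above the label would need its own `qeth_free_output_queue(card->qdio.out_qs[i]);` (provided the helper tolerates empty buffer slots, which is not visible here). The ordering inside the helper is now the whole fix, so a comment above `qeth_clear_outq_buffers(q, 1);` such as `/* must run before the frees below: it dereferences q */` would keep it from being reordered. qeth_alloc_qdio_buffers() and qeth_free_qdio_buffers() both continue outside the hunks.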
@@ -0,0 +1,56 @@
+From 46967e778bcff39d3f727c29c35cd26ab8e960f0 Mon Sep 17 00:00:00 2001
+From: Ming Lu
+Date: Thu, 24 Jan 2019 13:25:42 +0800
+Subject: scsi: libfc: free skb when receiving invalid flogi resp
+
+[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ]
+
+The issue to be fixed in this commit is when libfc found it received a
+invalid FLOGI response from FC switch, it would return without freeing the
+fc frame, which is just the skb data. This would cause memory leak if FC
+switch keeps sending invalid FLOGI responses.
+
+This fix is just to make it execute `fc_frame_free(fp)` before returning
+from function `fc_lport_flogi_resp`.
+
+Signed-off-by: Ming Lu
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libfc/fc_lport.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index e01a29863c38..867fc036d6ef 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1739,14 +1739,14 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ fc_frame_payload_op(fp) != ELS_LS_ACC) {
+ FC_LPORT_DBG(lport, "FLOGI not accepted or bad response\n");
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ flp = fc_frame_payload_get(fp, sizeof(*flp));
+ if (!flp) {
+ FC_LPORT_DBG(lport, "FLOGI bad response\n");
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ mfs = ntohs(flp->fl_csp.sp_bb_data) &
+@@ -1756,7 +1756,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+ "lport->mfs:%hu\n", mfs, lport->mfs);
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ if (mfs <= lport->mfs) {
+--
+2.19.1
+
diff --git a/queue-3.18/series b/queue-3.18/series
index 534f4cc7456..b42227833f1 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
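Review bot: In fc_lport.c, each of the three rewritten branches passes `fp` to `fc_lport_error(lport, fp)` and then jumps to `out`, where (per the commit message) `fc_frame_free(fp)` runs, so the change is only safe if fc_lport_error() never frees or retains the frame. Neither fc_lport_error() nor the `out`/`err` labels are inside the hunks, so this needs confirming; once checked, record it above the first `goto out;`, e.g. `/* fc_lport_error() only inspects fp; the frame is freed at out */`. Since the peer on the fabric controls these responses, a double free on this path would be worse than the leak being fixed.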
@@ -53,3 +53,25 @@ netlabel-fix-out-of-bounds-memory-accesses.patch
 ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
 hugetlbfs-fix-races-and-page-leaks-during-migration.patch
 media-uvcvideo-fix-type-check-leading-to-overflow.patch
+vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
+perf-tools-handle-topology-headers-with-no-cpu.patch
+ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
+iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
+xtensa-smp-fix-secondary-cpu-initialization.patch
+xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
+xtensa-smp-mark-each-possible-cpu-as-present.patch
+xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
+net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
+nfs-fix-null-pointer-dereference-of-dev_name.patch
+scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
+platform-x86-fix-unmet-dependency-warning-for-samsun.patch
+cifs-fix-computation-for-max_smb2_hdr_size.patch
+x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
+mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
+autofs-drop-dentry-reference-only-when-it-is-never-u.patch
+autofs-fix-error-return-in-autofs_fill_super.patch
+arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
+irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
+dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
+s390-qeth-fix-use-after-free-in-error-path.patch
+perf-symbols-filter-out-hidden-symbols-from-labels.patch
diff --git a/queue-3.18/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch b/queue-3.18/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
new file mode 100644
index 00000000000..116edc45d61
--- /dev/null
+++ b/queue-3.18/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
@@ -0,0 +1,119 @@
+From 395b16ebd4907e12bb8bd298422ad328689b47a3 Mon Sep 17 00:00:00 2001
+From: Su Yanjun
+Date: Sun, 6 Jan 2019 21:31:20 -0500
+Subject: vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
+
+[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ]
+
+Recently we run a network test over ipcomp virtual tunnel.We find that
+if a ipv4 packet needs fragment, then the peer can't receive
+it.
+
+We deep into the code and find that when packet need fragment the smaller
+fragment will be encapsulated by ipip not ipcomp. So when the ipip packet
+goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code
+always set skb'dev to the last fragment's dev. After ipv4 defrag processing,
+when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV
+error.
+
+This patch adds compatible support for the ipip process in ipcomp virtual tunnel.
+
+Signed-off-by: Su Yanjun
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_vti.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index c35e0aa57e66..e224ca2ea1c0 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -75,6 +75,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+ return 0;
+ }
+
++static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
++ int encap_type)
++{
++ struct ip_tunnel *tunnel;
++ const struct iphdr *iph = ip_hdr(skb);
++ struct net *net = dev_net(skb->dev);
++ struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
++
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
++ iph->saddr, iph->daddr, 0);
++ if (tunnel) {
++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
++ goto drop;
++
++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
++
++ skb->dev = tunnel->dev;
++
++ return xfrm_input(skb, nexthdr, spi, encap_type);
++ }
++
++ return -EINVAL;
++drop:
++ kfree_skb(skb);
++ return 0;
++}
++
+ static int vti_rcv(struct sk_buff *skb)
+ {
+ XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+@@ -83,6 +110,14 @@ static int vti_rcv(struct sk_buff *skb)
+ return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
+ }
+
++static int vti_rcv_ipip(struct sk_buff *skb)
++{
++ XFRM_SPI_SKB_CB(skb)->family = AF_INET;
++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++
++ return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
++}
++
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
+ {
+ unsigned short family;
+@@ -409,6 +444,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
+ .priority = 100,
+ };
+
++static struct xfrm_tunnel ipip_handler __read_mostly = {
++ .handler = vti_rcv_ipip,
++ .err_handler = vti4_err,
++ .priority = 0,
++};
++
+ static int __net_init vti_init_net(struct net *net)
+ {
+ int err;
+@@ -562,6 +603,13 @@ static int __init vti_init(void)
+ if (err < 0)
+ goto xfrm_proto_comp_failed;
+
++ msg = "ipip tunnel";
++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
++ if (err < 0) {
++ pr_info("%s: cant't register tunnel\n",__func__);
++ goto xfrm_tunnel_failed;
++ }
++
+ msg = "netlink interface";
+ err = rtnl_link_register(&vti_link_ops);
+ if (err < 0)
+@@ -571,6 +619,8 @@ static int __init vti_init(void)
+
+ rtnl_link_failed:
+ xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
++xfrm_tunnel_failed:
++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+ xfrm_proto_comp_failed:
+ xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
+ xfrm_proto_ah_failed:
+--
+2.19.1
+
diff --git a/queue-3.18/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch b/queue-3.18/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
new file mode 100644
index 00000000000..c7233a1ec68
--- /dev/null
+++ b/queue-3.18/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
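Review bot: In ip_vti.c, the new `xfrm_tunnel_failed` label in vti_init() sits on the wrong side of the IPPROTO_COMP deregistration. When `xfrm4_tunnel_register()` fails, the jump lands on `xfrm4_tunnel_deregister(&ipip_handler, AF_INET)` for a handler that was never registered and skips `xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP)`, so that protocol handler stays registered after the init failure. The unwind should read `rtnl_link_failed:` followed by `xfrm4_tunnel_deregister(&ipip_handler, AF_INET);`, then `xfrm_tunnel_failed:` followed by `xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);`. No hunk in this patch adds a matching `xfrm4_tunnel_deregister(&ipip_handler, AF_INET);` to the module exit path, so unless one exists outside the patch the handler remains registered after unload and points into freed module text. The failure message is also misspelled (`cant't`) and logged with `pr_info` although an error is returned.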
@@ -0,0 +1,70 @@
+From 6c47d1e21e4958de875963d45201c4a8867c70c2 Mon Sep 17 00:00:00 2001
+From: Kairui Song
+Date: Fri, 18 Jan 2019 19:13:08 +0800
+Subject: x86/kexec: Don't setup EFI info if EFI runtime is not enabled
+
+[ Upstream commit 2aa958c99c7fd3162b089a1a56a34a0cdb778de1 ]
+
+Kexec-ing a kernel with "efi=noruntime" on the first kernel's command
+line causes the following null pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ #PF error: [normal kernel read fault]
+ Call Trace:
+ efi_runtime_map_copy+0x28/0x30
+ bzImage64_load+0x688/0x872
+ arch_kexec_kernel_image_load+0x6d/0x70
+ kimage_file_alloc_init+0x13e/0x220
+ __x64_sys_kexec_file_load+0x144/0x290
+ do_syscall_64+0x55/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Just skip the EFI info setup if EFI runtime services are not enabled.
+
+ [ bp: Massage commit message. ]
+
+Suggested-by: Dave Young
+Signed-off-by: Kairui Song
+Signed-off-by: Borislav Petkov
+Acked-by: Dave Young
+Cc: AKASHI Takahiro
+Cc: Andrew Morton
+Cc: Ard Biesheuvel
+Cc: bhe@redhat.com
+Cc: David Howells
+Cc: erik.schmauss@intel.com
+Cc: fanc.fnst@cn.fujitsu.com
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: kexec@lists.infradead.org
+Cc: lenb@kernel.org
+Cc: linux-acpi@vger.kernel.org
+Cc: Philipp Rudo
+Cc: rafael.j.wysocki@intel.com
+Cc: robert.moore@intel.com
+Cc: Thomas Gleixner
+Cc: x86-ml
+Cc: Yannik Sembritzki
+Link: https://lkml.kernel.org/r/20190118111310.29589-2-kasong@redhat.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/kexec-bzimage64.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index ca05f86481aa..3e22751382c3 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -167,6 +167,9 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
+ struct efi_info *current_ei = &boot_params.efi_info;
+ struct efi_info *ei = ¶ms->efi_info;
+
++ if (!efi_enabled(EFI_RUNTIME_SERVICES))
++ return 0;
++
+ if (!current_ei->efi_memmap_size)
+ return 0;
+
+--
+2.19.1
+
diff --git a/queue-3.18/xtensa-smp-fix-secondary-cpu-initialization.patch b/queue-3.18/xtensa-smp-fix-secondary-cpu-initialization.patch
new file mode 100644
index 00000000000..5c79e8ec38d
--- /dev/null
+++ b/queue-3.18/xtensa-smp-fix-secondary-cpu-initialization.patch
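Review bot: In kexec-bzimage64.c, the new early return in setup_efi_state() carries no comment, so the reason a disabled EFI runtime is reported as success (0) rather than an error is only recorded in the commit message. A comment above `if (!efi_enabled(EFI_RUNTIME_SERVICES))` such as `/* EFI runtime disabled (e.g. efi=noruntime): skip EFI info, efi_runtime_map_copy() would dereference NULL */` would keep the guard from being dropped in a later cleanup. setup_efi_state() starts and ends outside the hunk, so whether its caller distinguishes this case from the existing `efi_memmap_size` early return is not visible here.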
@@ -0,0 +1,128 @@
+From b7ac72b6cf18c0f6d7bb4d92cddef1a84c015d2b Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Fri, 21 Dec 2018 08:26:20 -0800
+Subject: xtensa: SMP: fix secondary CPU initialization
+
+[ Upstream commit 32a7726c4f4aadfabdb82440d84f88a5a2c8fe13 ]
+
+- add missing memory barriers to the secondary CPU synchronization spin
+ loops; add comment to the matching memory barrier in the boot_secondary
+ and __cpu_die functions;
+- use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount
+ instead of reading/writing them directly;
+- re-initialize cpu_running every time before starting secondary CPU to
+ flush possible previous CPU startup results.
+
+Signed-off-by: Max Filippov
+Signed-off-by: Sasha Levin
+---
+ arch/xtensa/kernel/head.S | 5 ++++-
+ arch/xtensa/kernel/smp.c | 34 +++++++++++++++++++++-------------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S
+index 64140998e117..16bdb414784a 100644
+--- a/arch/xtensa/kernel/head.S
++++ b/arch/xtensa/kernel/head.S
+@@ -281,12 +281,13 @@ should_never_return:
+
+ movi a2, cpu_start_ccount
+ 1:
++ memw
+ l32i a3, a2, 0
+ beqi a3, 0, 1b
+ movi a3, 0
+ s32i a3, a2, 0
+- memw
+ 1:
++ memw
+ l32i a3, a2, 0
+ beqi a3, 0, 1b
+ wsr a3, ccount
+@@ -323,11 +324,13 @@ ENTRY(cpu_restart)
+ rsr a0, prid
+ neg a2, a0
+ movi a3, cpu_start_id
++ memw
+ s32i a2, a3, 0
+ #if XCHAL_DCACHE_IS_WRITEBACK
+ dhwbi a3, 0
+ #endif
+ 1:
++ memw
+ l32i a2, a3, 0
+ dhi a3, 0
+ bne a2, a0, 1b
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 4d02e38514f5..545144d1431d 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -192,9 +192,11 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts)
+ int i;
+
+ #ifdef CONFIG_HOTPLUG_CPU
+- cpu_start_id = cpu;
+- system_flush_invalidate_dcache_range(
+- (unsigned long)&cpu_start_id, sizeof(cpu_start_id));
++ WRITE_ONCE(cpu_start_id, cpu);
++ /* Pairs with the third memw in the cpu_restart */
++ mb();
++ system_flush_invalidate_dcache_range((unsigned long)&cpu_start_id,
++ sizeof(cpu_start_id));
+ #endif
+ smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1);
+
+@@ -203,18 +205,21 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts)
+ ccount = get_ccount();
+ while (!ccount);
+
+- cpu_start_ccount = ccount;
++ WRITE_ONCE(cpu_start_ccount, ccount);
+
+- while (time_before(jiffies, timeout)) {
++ do {
++ /*
++ * Pairs with the first two memws in the
++ * .Lboot_secondary.
++ */
+ mb();
+- if (!cpu_start_ccount)
+- break;
+- }
++ ccount = READ_ONCE(cpu_start_ccount);
++ } while (ccount && time_before(jiffies, timeout));
+
+- if (cpu_start_ccount) {
++ if (ccount) {
+ smp_call_function_single(0, mx_cpu_stop,
+- (void *)cpu, 1);
+- cpu_start_ccount = 0;
++ (void *)cpu, 1);
++ WRITE_ONCE(cpu_start_ccount, 0);
+ return -EIO;
+ }
+ }
+@@ -234,6 +239,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
+ pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n",
+ __func__, cpu, idle, start_info.stack);
+
++ init_completion(&cpu_running);
+ ret = boot_secondary(cpu, idle);
+ if (ret == 0) {
+ wait_for_completion_timeout(&cpu_running,
+@@ -295,8 +301,10 @@ void __cpu_die(unsigned int cpu)
+ unsigned long timeout = jiffies + msecs_to_jiffies(1000);
+ while (time_before(jiffies, timeout)) {
+ system_invalidate_dcache_range((unsigned long)&cpu_start_id,
+- sizeof(cpu_start_id));
+- if (cpu_start_id == -cpu) {
++ sizeof(cpu_start_id));
++ /* Pairs with the second memw in the cpu_restart */
++ mb();
++ if (READ_ONCE(cpu_start_id) == -cpu) {
+ platform_cpu_kill(cpu);
+ return;
+ }
+--
+2.19.1
+
diff --git a/queue-3.18/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch b/queue-3.18/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
new file mode 100644
index 00000000000..8cc3eacacec
--- /dev/null
+++ b/queue-3.18/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
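Review bot: In smp.c, `init_completion(&cpu_running);` in __cpu_up() re-runs full initialisation on an object that is reused for every CPU bring-up. If `cpu_running` is already initialised at its definition (not visible in the hunk), `reinit_completion(&cpu_running);` resets only the done state, which is what the commit message asks for, and leaves the wait queue alone. The new barrier comments also identify memw instructions by position (`third memw in the cpu_restart`, `first two memws`), which goes stale as soon as head.S gains or loses one; naming the load or store each barrier orders would be more durable. __cpu_up() and boot_secondary() continue outside the hunks.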
@@ -0,0 +1,49 @@
+From 634cd46665eb82a65c73b413c1b782a40b616300 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Sat, 26 Jan 2019 20:35:18 -0800
+Subject: xtensa: SMP: limit number of possible CPUs by NR_CPUS
+
+[ Upstream commit 25384ce5f9530def39421597b1457d9462df6455 ]
+
+This fixes the following warning at boot when the kernel is booted on a
+board with more CPU cores than was configured in NR_CPUS:
+
+ smp_init_cpus: Core Count = 8
+ smp_init_cpus: Core Id = 0
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124
+ Call Trace:
+ __warn$part$3+0x6a/0x7c
+ warn_slowpath_null+0x35/0x3c
+ smp_init_cpus+0x54/0x74
+ setup_arch+0x1c0/0x1d0
+ start_kernel+0x44/0x310
+ _startup+0x107/0x107
+
+Signed-off-by: Max Filippov
+Signed-off-by: Sasha Levin
+---
+ arch/xtensa/kernel/smp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 0e34c1ed4aa8..54bb8e0473a0 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -93,6 +93,11 @@ void __init smp_init_cpus(void)
+ pr_info("%s: Core Count = %d\n", __func__, ncpus);
+ pr_info("%s: Core Id = %d\n", __func__, core_id);
+
++ if (ncpus > NR_CPUS) {
++ ncpus = NR_CPUS;
++ pr_info("%s: limiting core count by %d\n", __func__, ncpus);
++ }
++
+ for (i = 0; i < ncpus; ++i)
+ set_cpu_possible(i, true);
+ }
+--
+2.19.1
+
diff --git a/queue-3.18/xtensa-smp-mark-each-possible-cpu-as-present.patch b/queue-3.18/xtensa-smp-mark-each-possible-cpu-as-present.patch
new file mode 100644
index 00000000000..7e62c3b11d3
--- /dev/null
+++ b/queue-3.18/xtensa-smp-mark-each-possible-cpu-as-present.patch
@@ -0,0 +1,32 @@
+From 5fbafc9cb9ce0111e7be1cde598316538fb5cfc1 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Sat, 19 Jan 2019 00:26:48 -0800
+Subject: xtensa: SMP: mark each possible CPU as present
+
+[ Upstream commit 8b1c42cdd7181200dc1fff39dcb6ac1a3fac2c25 ]
+
+Otherwise it is impossible to enable CPUs after booting with 'maxcpus'
+parameter.
+
+Signed-off-by: Max Filippov
+Signed-off-by: Sasha Levin
+---
+ arch/xtensa/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
+index 545144d1431d..0e34c1ed4aa8 100644
+--- a/arch/xtensa/kernel/smp.c
++++ b/arch/xtensa/kernel/smp.c
+@@ -80,7 +80,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
+ {
+ unsigned i;
+
+- for (i = 0; i < max_cpus; ++i)
++ for_each_possible_cpu(i)
+ set_cpu_present(i, true);
+ }
+
+--
+2.19.1
+
diff --git a/queue-3.18/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch b/queue-3.18/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
new file mode 100644
index 00000000000..35684dc6579
--- /dev/null
+++ b/queue-3.18/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
@@ -0,0 +1,33 @@
+From 0373e4a8bb01a058655c520bcc60f2b40e89ab5d Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Thu, 24 Jan 2019 17:16:11 -0800
+Subject: xtensa: smp_lx200_defconfig: fix vectors clash
+
+[ Upstream commit 306b38305c0f86de7f17c5b091a95451dcc93d7d ]
+
+Secondary CPU reset vector overlaps part of the double exception handler
+code, resulting in weird crashes and hangups when running user code.
+Move exception vectors one page up so that they don't clash with the
+secondary CPU reset vector.
+
+Signed-off-by: Max Filippov
+Signed-off-by: Sasha Levin
+---
+ arch/xtensa/configs/smp_lx200_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/xtensa/configs/smp_lx200_defconfig b/arch/xtensa/configs/smp_lx200_defconfig
+index 22eeacba37cc..199e05f85e89 100644
+--- a/arch/xtensa/configs/smp_lx200_defconfig
++++ b/arch/xtensa/configs/smp_lx200_defconfig
+@@ -35,6 +35,7 @@ CONFIG_SMP=y
+ CONFIG_HOTPLUG_CPU=y
+ # CONFIG_INITIALIZE_XTENSA_MMU_INSIDE_VMLINUX is not set
+ # CONFIG_PCI is not set
++CONFIG_VECTORS_OFFSET=0x00002000
+ CONFIG_XTENSA_PLATFORM_XTFPGA=y
+ CONFIG_CMDLINE_BOOL=y
+ CONFIG_CMDLINE="earlycon=uart8250,mmio32,0xfd050020,115200n8 console=ttyS0,115200n8 ip=dhcp root=/dev/nfs rw debug"
+--
+2.19.1
+