From: Sasha Levin Date: Thu, 19 Sep 2019 18:08:17 +0000 (-0400) Subject: fixes for 4.9 X-Git-Tag: v4.4.194~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2fc920f9bf3d4ba01924c3bb78eac608b49f4a2c;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch b/queue-4.9/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch new file mode 100644 index 00000000000..4a1b359cec3 --- /dev/null +++ b/queue-4.9/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch @@ -0,0 +1,52 @@ +From 59ab81471e3b271751b8c979842f25c2174cc076 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2019 18:50:11 +0100 +Subject: ARM: 8874/1: mm: only adjust sections of valid mm structures + +From: Doug Berger + +[ Upstream commit c51bc12d06b3a5494fbfcbd788a8e307932a06e9 ] + +A timing hazard exists when an early fork/exec thread begins +exiting and sets its mm pointer to NULL while a separate core +tries to update the section information. + +This commit ensures that the mm pointer is not NULL before +setting its section parameters. The arguments provided by +commit 11ce4b33aedc ("ARM: 8672/1: mm: remove tasklist locking +from update_sections_early()") are equally valid for not +requiring grabbing the task_lock around this check. + +Fixes: 08925c2f124f ("ARM: 8464/1: Update all mm structures with section adjustments") +Signed-off-by: Doug Berger +Acked-by: Laura Abbott +Cc: Mike Rapoport +Cc: Andrew Morton +Cc: Florian Fainelli +Cc: Rob Herring +Cc: "Steven Rostedt (VMware)" +Cc: Peng Fan +Cc: Geert Uytterhoeven +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index 1565d6b671636..4fb1474141a61 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -698,7 +698,8 @@ static void update_sections_early(struct section_perm perms[], int n) + if (t->flags & PF_KTHREAD) + continue; + for_each_thread(t, s) +- set_section_perms(perms, n, true, s->mm); ++ if (s->mm) ++ set_section_perms(perms, n, true, s->mm); + } + read_unlock(&tasklist_lock); + set_section_perms(perms, n, true, current->active_mm); +-- +2.20.1 + diff --git a/queue-4.9/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch b/queue-4.9/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch new file mode 100644 index 00000000000..8b9e5db15dd --- /dev/null +++ b/queue-4.9/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch @@ -0,0 +1,50 @@ +From 7e3ccb1f27950e8d0b45ce72cbb6114974843157 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 04:07:37 +0100 +Subject: ARM: 8901/1: add a criteria for pfn_valid of arm + +From: zhaoyang + +[ Upstream commit 5b3efa4f1479c91cb8361acef55f9c6662feba57 ] + +pfn_valid can be wrong when parsing a invalid pfn whose phys address +exceeds BITS_PER_LONG as the MSB will be trimed when shifted. + +The issue originally arise from bellowing call stack, which corresponding to +an access of the /proc/kpageflags from userspace with a invalid pfn parameter +and leads to kernel panic. + +[46886.723249] c7 [] (stable_page_flags) from [] +[46886.723264] c7 [] (kpageflags_read) from [] +[46886.723280] c7 [] (proc_reg_read) from [] +[46886.723290] c7 [] (__vfs_read) from [] +[46886.723301] c7 [] (vfs_read) from [] +[46886.723315] c7 [] (SyS_pread64) from [] +(ret_fast_syscall+0x0/0x28) + +Signed-off-by: Zhaoyang Huang +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/init.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index 4fb1474141a61..0fe4a7025e467 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -192,6 +192,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max_low, + #ifdef CONFIG_HAVE_ARCH_PFN_VALID + int pfn_valid(unsigned long pfn) + { ++ phys_addr_t addr = __pfn_to_phys(pfn); ++ ++ if (__phys_to_pfn(addr) != pfn) ++ return 0; ++ + return memblock_is_map_memory(__pfn_to_phys(pfn)); + } + EXPORT_SYMBOL(pfn_valid); +-- +2.20.1 + diff --git a/queue-4.9/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch b/queue-4.9/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch new file mode 100644 index 00000000000..6a6fc9f880b --- /dev/null +++ b/queue-4.9/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch @@ -0,0 +1,40 @@ +From d632856f39adabaa9790284e9ec60843a6f66094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2019 03:44:52 -0700 +Subject: ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss + +From: Tony Lindgren + +[ Upstream commit afd58b162e48076e3fe66d08a69eefbd6fe71643 ] + +TRM says PWMSS_SYSCONFIG bit for SOFTRESET changes to zero when +reset is completed. Let's configure it as otherwise we get warnings +on boot when we check the data against dts provided data. Eventually +the legacy platform data will be just dropped, but let's fix the +warning first. + +Reviewed-by: Suman Anna +Tested-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap_hwmod_7xx_data.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +index 1ab7096af8e23..f850fc3a91e82 100644 +--- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +@@ -387,7 +387,8 @@ static struct omap_hwmod dra7xx_dcan2_hwmod = { + static struct omap_hwmod_class_sysconfig dra7xx_epwmss_sysc = { + .rev_offs = 0x0, + .sysc_offs = 0x4, +- .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET, ++ .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET | ++ SYSC_HAS_RESET_STATUS, + .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART), + .sysc_fields = &omap_hwmod_sysc_type2, + }; +-- +2.20.1 + diff --git a/queue-4.9/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch b/queue-4.9/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch new file mode 100644 index 00000000000..d391c2c4fb8 --- /dev/null +++ b/queue-4.9/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch @@ -0,0 +1,45 @@ +From dcf21b76f77e0f661a2bab60c1cca4f26e178991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2019 04:37:45 -0700 +Subject: ARM: OMAP2+: Fix omap4 errata warning on other SoCs + +From: Tony Lindgren + +[ Upstream commit 45da5e09dd32fa98c32eaafe2513db6bd75e2f4f ] + +We have errata i688 workaround produce warnings on SoCs other than +omap4 and omap5: + +omap4_sram_init:Unable to allocate sram needed to handle errata I688 +omap4_sram_init:Unable to get sram pool needed to handle errata I688 + +This is happening because there is no ti,omap4-mpu node, or no SRAM +to configure for the other SoCs, so let's remove the warning based +on the SoC revision checks. + +As nobody has complained it seems that the other SoC variants do not +need this workaround. + +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap4-common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-omap2/omap4-common.c b/arch/arm/mach-omap2/omap4-common.c +index cf65ab8bb0046..e5dcbda20129d 100644 +--- a/arch/arm/mach-omap2/omap4-common.c ++++ b/arch/arm/mach-omap2/omap4-common.c +@@ -131,6 +131,9 @@ static int __init omap4_sram_init(void) + struct device_node *np; + struct gen_pool *sram_pool; + ++ if (!soc_is_omap44xx() && !soc_is_omap54xx()) ++ return 0; ++ + np = of_find_compatible_node(NULL, NULL, "ti,omap4-mpu"); + if (!np) + pr_warn("%s:Unable to allocate sram needed to handle errata I688\n", +-- +2.20.1 + diff --git a/queue-4.9/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch b/queue-4.9/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch new file mode 100644 index 00000000000..7b8fe0c8ea8 --- /dev/null +++ b/queue-4.9/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch @@ -0,0 +1,73 @@ +From d9cad5eec1c020d6fdf347225c93fa0cda8f1c5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 08:55:36 +0200 +Subject: batman-adv: Only read OGM2 tvlv_len after buffer len check + +From: Sven Eckelmann + +[ Upstream commit 0ff0f15a32c093381ad1abc06abe85afb561ab28 ] + +Multiple batadv_ogm2_packet can be stored in an skbuff. The functions +batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there +is another additional batadv_ogm2_packet in the skb or not before they +continue processing the packet. + +The length for such an OGM2 is BATADV_OGM2_HLEN + +batadv_ogm2_packet->tvlv_len. The check must first check that at least +BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is +part of the header. Otherwise it might try read outside of the currently +available skbuff to get the content of tvlv_len. + +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_ogm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c +index 1aeeadca620cd..f435435b447e0 100644 +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -618,17 +618,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv, + * batadv_v_ogm_aggr_packet - checks if there is another OGM aggregated + * @buff_pos: current position in the skb + * @packet_len: total length of the skb +- * @tvlv_len: tvlv length of the previously considered OGM ++ * @ogm2_packet: potential OGM2 in buffer + * + * Return: true if there is enough space for another OGM, false otherwise. + */ +-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, +- __be16 tvlv_len) ++static bool ++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, ++ const struct batadv_ogm2_packet *ogm2_packet) + { + int next_buff_pos = 0; + +- next_buff_pos += buff_pos + BATADV_OGM2_HLEN; +- next_buff_pos += ntohs(tvlv_len); ++ /* check if there is enough space for the header */ ++ next_buff_pos += buff_pos + sizeof(*ogm2_packet); ++ if (next_buff_pos > packet_len) ++ return false; ++ ++ /* check if there is enough space for the optional TVLV */ ++ next_buff_pos += ntohs(ogm2_packet->tvlv_len); + + return (next_buff_pos <= packet_len) && + (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); +@@ -775,7 +781,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, + ogm_packet = (struct batadv_ogm2_packet *)skb->data; + + while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb), +- ogm_packet->tvlv_len)) { ++ ogm_packet)) { + batadv_v_ogm_process(skb, ogm_offset, if_incoming); + + ogm_offset += BATADV_OGM2_HLEN; +-- +2.20.1 + diff --git a/queue-4.9/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch b/queue-4.9/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch new file mode 100644 index 00000000000..2fb7344148b --- /dev/null +++ b/queue-4.9/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch @@ -0,0 +1,72 @@ +From 2c5aef2a49f6aae8c5c6e00decb2e66bae6911bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 08:09:50 +1000 +Subject: cifs: set domainName when a domain-key is used in multiuser + +From: Ronnie Sahlberg + +[ Upstream commit f2aee329a68f5a907bcff11a109dfe17c0b41aeb ] + +RHBZ: 1710429 + +When we use a domain-key to authenticate using multiuser we must also set +the domainnmame for the new volume as it will be used and passed to the server +in the NTLMSSP Domain-name. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index f291ed0c155db..2a199f4b663bf 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2447,6 +2447,7 @@ static int + cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + { + int rc = 0; ++ int is_domain = 0; + const char *delim, *payload; + char *desc; + ssize_t len; +@@ -2494,6 +2495,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = PTR_ERR(key); + goto out_err; + } ++ is_domain = 1; + } + + down_read(&key->sem); +@@ -2551,6 +2553,26 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + goto out_key_put; + } + ++ /* ++ * If we have a domain key then we must set the domainName in the ++ * for the request. ++ */ ++ if (is_domain && ses->domainName) { ++ vol->domainname = kstrndup(ses->domainName, ++ strlen(ses->domainName), ++ GFP_KERNEL); ++ if (!vol->domainname) { ++ cifs_dbg(FYI, "Unable to allocate %zd bytes for " ++ "domain\n", len); ++ rc = -ENOMEM; ++ kfree(vol->username); ++ vol->username = NULL; ++ kfree(vol->password); ++ vol->password = NULL; ++ goto out_key_put; ++ } ++ } ++ + out_key_put: + up_read(&key->sem); + key_put(key); +-- +2.20.1 + diff --git a/queue-4.9/cifs-use-kzfree-to-zero-out-the-password.patch b/queue-4.9/cifs-use-kzfree-to-zero-out-the-password.patch new file mode 100644 index 00000000000..f5e6b22659f --- /dev/null +++ b/queue-4.9/cifs-use-kzfree-to-zero-out-the-password.patch @@ -0,0 +1,35 @@ +From 6b6ba21b3a193b025b390f569b6e403e9d612a72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 13:59:17 +0300 +Subject: cifs: Use kzfree() to zero out the password + +From: Dan Carpenter + +[ Upstream commit 478228e57f81f6cb60798d54fc02a74ea7dd267e ] + +It's safer to zero out the password so that it can never be disclosed. + +Fixes: 0c219f5799c7 ("cifs: set domainName when a domain-key is used in multiuser") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 2a199f4b663bf..e43ba6db2bdd6 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2567,7 +2567,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = -ENOMEM; + kfree(vol->username); + vol->username = NULL; +- kfree(vol->password); ++ kzfree(vol->password); + vol->password = NULL; + goto out_key_put; + } +-- +2.20.1 + diff --git a/queue-4.9/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch b/queue-4.9/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..90de9a47282 --- /dev/null +++ b/queue-4.9/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch @@ -0,0 +1,43 @@ +From 8621e505207bea67524b27009885f22a5b63f2c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 01:48:55 -0500 +Subject: dmaengine: ti: dma-crossbar: Fix a memory leak bug + +From: Wenwen Wang + +[ Upstream commit 2c231c0c1dec42192aca0f87f2dc68b8f0cbc7d2 ] + +In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then +of_property_read_u32_array() is invoked to search for the property. +However, if this process fails, 'rsv_events' is not deallocated, leading to +a memory leak bug. To fix this issue, free 'rsv_events' before returning +the error. + +Signed-off-by: Wenwen Wang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1565938136-7249-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti-dma-crossbar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti-dma-crossbar.c b/drivers/dma/ti-dma-crossbar.c +index 8c3c588834d2e..a7e1f6e17e3d1 100644 +--- a/drivers/dma/ti-dma-crossbar.c ++++ b/drivers/dma/ti-dma-crossbar.c +@@ -395,8 +395,10 @@ static int ti_dra7_xbar_probe(struct platform_device *pdev) + + ret = of_property_read_u32_array(node, pname, (u32 *)rsv_events, + nelm * 2); +- if (ret) ++ if (ret) { ++ kfree(rsv_events); + return ret; ++ } + + for (i = 0; i < nelm; i++) { + ti_dra7_xbar_reserve(rsv_events[i][0], rsv_events[i][1], +-- +2.20.1 + diff --git a/queue-4.9/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch b/queue-4.9/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch new file mode 100644 index 00000000000..5b5cf6c3987 --- /dev/null +++ b/queue-4.9/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch @@ -0,0 +1,41 @@ +From f1b5a8c323b91faf05a7dcf0ec703d376fb45568 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 01:56:08 -0500 +Subject: dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() + +From: Wenwen Wang + +[ Upstream commit 962411b05a6d3342aa649e39cda1704c1fc042c6 ] + +If devm_request_irq() fails to disable all interrupts, no cleanup is +performed before retuning the error. To fix this issue, invoke +omap_dma_free() to do the cleanup. + +Signed-off-by: Wenwen Wang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/omap-dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/omap-dma.c b/drivers/dma/omap-dma.c +index 6b16ce390dce1..9f901f16bddcd 100644 +--- a/drivers/dma/omap-dma.c ++++ b/drivers/dma/omap-dma.c +@@ -1429,8 +1429,10 @@ static int omap_dma_probe(struct platform_device *pdev) + + rc = devm_request_irq(&pdev->dev, irq, omap_dma_irq, + IRQF_SHARED, "omap-dma-engine", od); +- if (rc) ++ if (rc) { ++ omap_dma_free(od); + return rc; ++ } + } + + if (omap_dma_glbl_read(od, CAPS_0) & CAPS_0_SUPPORT_LL123) +-- +2.20.1 + diff --git a/queue-4.9/iommu-amd-fix-race-in-increase_address_space.patch b/queue-4.9/iommu-amd-fix-race-in-increase_address_space.patch new file mode 100644 index 00000000000..a154dd62e87 --- /dev/null +++ b/queue-4.9/iommu-amd-fix-race-in-increase_address_space.patch @@ -0,0 +1,73 @@ +From 4030bb34526b859467f0db112e87e2a4b4740ea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2019 10:39:54 +0200 +Subject: iommu/amd: Fix race in increase_address_space() + +From: Joerg Roedel + +[ Upstream commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 ] + +After the conversion to lock-less dma-api call the +increase_address_space() function can be called without any +locking. Multiple CPUs could potentially race for increasing +the address space, leading to invalid domain->mode settings +and invalid page-tables. This has been happening in the wild +under high IO load and memory pressure. + +Fix the race by locking this operation. The function is +called infrequently so that this does not introduce +a performance regression in the dma-api path again. + +Reported-by: Qian Cai +Fixes: 256e4621c21a ('iommu/amd: Make use of the generic IOVA allocator') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index c1233d0288a03..dd7880de7e4e9 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1321,18 +1321,21 @@ static void domain_flush_devices(struct protection_domain *domain) + * another level increases the size of the address space by 9 bits to a size up + * to 64 bits. + */ +-static bool increase_address_space(struct protection_domain *domain, ++static void increase_address_space(struct protection_domain *domain, + gfp_t gfp) + { ++ unsigned long flags; + u64 *pte; + +- if (domain->mode == PAGE_MODE_6_LEVEL) ++ spin_lock_irqsave(&domain->lock, flags); ++ ++ if (WARN_ON_ONCE(domain->mode == PAGE_MODE_6_LEVEL)) + /* address space already 64 bit large */ +- return false; ++ goto out; + + pte = (void *)get_zeroed_page(gfp); + if (!pte) +- return false; ++ goto out; + + *pte = PM_LEVEL_PDE(domain->mode, + virt_to_phys(domain->pt_root)); +@@ -1340,7 +1343,10 @@ static bool increase_address_space(struct protection_domain *domain, + domain->mode += 1; + domain->updated = true; + +- return true; ++out: ++ spin_unlock_irqrestore(&domain->lock, flags); ++ ++ return; + } + + static u64 *alloc_pte(struct protection_domain *domain, +-- +2.20.1 + diff --git a/queue-4.9/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch b/queue-4.9/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch new file mode 100644 index 00000000000..63331b9e55b --- /dev/null +++ b/queue-4.9/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch @@ -0,0 +1,35 @@ +From d925044c28f1d1b9b2694d4d6a97e2566dcb12dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2019 07:04:25 +0200 +Subject: Kconfig: Fix the reference to the IDT77105 Phy driver in the + description of ATM_NICSTAR_USE_IDT77105 + +From: Christophe JAILLET + +[ Upstream commit cd9d4ff9b78fcd0fc4708900ba3e52e71e1a7690 ] + +This should be IDT77105, not IDT77015. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/Kconfig b/drivers/atm/Kconfig +index 31c60101a69a4..7fa840170151b 100644 +--- a/drivers/atm/Kconfig ++++ b/drivers/atm/Kconfig +@@ -199,7 +199,7 @@ config ATM_NICSTAR_USE_SUNI + make the card work). + + config ATM_NICSTAR_USE_IDT77105 +- bool "Use IDT77015 PHY driver (25Mbps)" ++ bool "Use IDT77105 PHY driver (25Mbps)" + depends on ATM_NICSTAR + help + Support for the PHYsical layer chip in ForeRunner LE25 cards. In +-- +2.20.1 + diff --git a/queue-4.9/keys-fix-missing-null-pointer-check-in-request_key_a.patch b/queue-4.9/keys-fix-missing-null-pointer-check-in-request_key_a.patch new file mode 100644 index 00000000000..95cc4869223 --- /dev/null +++ b/queue-4.9/keys-fix-missing-null-pointer-check-in-request_key_a.patch @@ -0,0 +1,74 @@ +From 612901bc0802d1c49921b4aeb022aa837c958da6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2019 13:37:29 +0100 +Subject: keys: Fix missing null pointer check in request_key_auth_describe() + +From: Hillf Danton + +[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ] + +If a request_key authentication token key gets revoked, there's a window in +which request_key_auth_describe() can see it with a NULL payload - but it +makes no check for this and something like the following oops may occur: + + BUG: Kernel NULL pointer dereference at 0x00000038 + Faulting instruction address: 0xc0000000004ddf30 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP [...] request_key_auth_describe+0x90/0xd0 + LR [...] request_key_auth_describe+0x54/0xd0 + Call Trace: + [...] request_key_auth_describe+0x54/0xd0 (unreliable) + [...] proc_keys_show+0x308/0x4c0 + [...] seq_read+0x3d0/0x540 + [...] proc_reg_read+0x90/0x110 + [...] __vfs_read+0x3c/0x70 + [...] vfs_read+0xb4/0x1b0 + [...] ksys_read+0x7c/0x130 + [...] system_call+0x5c/0x70 + +Fix this by checking for a NULL pointer when describing such a key. + +Also make the read routine check for a NULL pointer to be on the safe side. + +[DH: Modified to not take already-held rcu lock and modified to also check + in the read routine] + +Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key") +Reported-by: Sachin Sant +Signed-off-by: Hillf Danton +Signed-off-by: David Howells +Tested-by: Sachin Sant +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + security/keys/request_key_auth.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index f60baeb338e5f..b47445022d5ce 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -71,6 +71,9 @@ static void request_key_auth_describe(const struct key *key, + { + struct request_key_auth *rka = key->payload.data[0]; + ++ if (!rka) ++ return; ++ + seq_puts(m, "key:"); + seq_puts(m, key->description); + if (key_is_positive(key)) +@@ -88,6 +91,9 @@ static long request_key_auth_read(const struct key *key, + size_t datalen; + long ret; + ++ if (!rka) ++ return -EKEYREVOKED; ++ + datalen = rka->callout_len; + ret = datalen; + +-- +2.20.1 + diff --git a/queue-4.9/net-seeq-fix-the-function-used-to-release-some-memor.patch b/queue-4.9/net-seeq-fix-the-function-used-to-release-some-memor.patch new file mode 100644 index 00000000000..90192f0c314 --- /dev/null +++ b/queue-4.9/net-seeq-fix-the-function-used-to-release-some-memor.patch @@ -0,0 +1,56 @@ +From 7ae4fcceaae72c4f400a41cade66d01865a3fdc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 09:17:51 +0200 +Subject: net: seeq: Fix the function used to release some memory in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 ] + +In commit 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"), +a call to 'get_zeroed_page()' has been turned into a call to +'dma_alloc_coherent()'. Only the remove function has been updated to turn +the corresponding 'free_page()' into 'dma_free_attrs()'. +The error hndling path of the probe function has not been updated. + +Fix it now. + +Rename the corresponding label to something more in line. + +Fixes: 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv") +Signed-off-by: Christophe JAILLET +Reviewed-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/seeq/sgiseeq.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/seeq/sgiseeq.c b/drivers/net/ethernet/seeq/sgiseeq.c +index c2bd5378ffdaf..3527962f0bdad 100644 +--- a/drivers/net/ethernet/seeq/sgiseeq.c ++++ b/drivers/net/ethernet/seeq/sgiseeq.c +@@ -792,15 +792,16 @@ static int sgiseeq_probe(struct platform_device *pdev) + printk(KERN_ERR "Sgiseeq: Cannot register net device, " + "aborting.\n"); + err = -ENODEV; +- goto err_out_free_page; ++ goto err_out_free_attrs; + } + + printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr); + + return 0; + +-err_out_free_page: +- free_page((unsigned long) sp->srings); ++err_out_free_attrs: ++ dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings, ++ sp->srings_dma, DMA_ATTR_NON_CONSISTENT); + err_out_free_dev: + free_netdev(dev); + +-- +2.20.1 + diff --git a/queue-4.9/netfilter-nf_conntrack_ftp-fix-debug-output.patch b/queue-4.9/netfilter-nf_conntrack_ftp-fix-debug-output.patch new file mode 100644 index 00000000000..d49e4dfaf64 --- /dev/null +++ b/queue-4.9/netfilter-nf_conntrack_ftp-fix-debug-output.patch @@ -0,0 +1,47 @@ +From cd9b82ebe16e6584a59dd05a411aa212e8aee636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 16:14:28 +0200 +Subject: netfilter: nf_conntrack_ftp: Fix debug output + +From: Thomas Jarosch + +[ Upstream commit 3a069024d371125227de3ac8fa74223fcf473520 ] + +The find_pattern() debug output was printing the 'skip' character. +This can be a NULL-byte and messes up further pr_debug() output. + +Output without the fix: +kernel: nf_conntrack_ftp: Pattern matches! +kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8 +kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8 + +Output with the fix: +kernel: nf_conntrack_ftp: Pattern matches! +kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter! +kernel: nf_conntrack_ftp: Match succeeded! +kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645) +kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8 + +Signed-off-by: Thomas Jarosch +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_ftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c +index e3ed200608788..562b545242492 100644 +--- a/net/netfilter/nf_conntrack_ftp.c ++++ b/net/netfilter/nf_conntrack_ftp.c +@@ -323,7 +323,7 @@ static int find_pattern(const char *data, size_t dlen, + i++; + } + +- pr_debug("Skipped up to `%c'!\n", skip); ++ pr_debug("Skipped up to 0x%hhx delimiter!\n", skip); + + *numoff = i; + *numlen = getnum(data + i, dlen - i, cmd, term, numoff); +-- +2.20.1 + diff --git a/queue-4.9/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch b/queue-4.9/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch new file mode 100644 index 00000000000..aa605f2e374 --- /dev/null +++ b/queue-4.9/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch @@ -0,0 +1,36 @@ +From a0a93b66d480ab64d028a5fecd3777aa3f14f504 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 14:19:09 -0400 +Subject: NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup + +From: Trond Myklebust + +[ Upstream commit 17d8c5d145000070c581f2a8aa01edc7998582ab ] + +Initialise the result count to 0 rather than initialising it to the +argument count. The reason is that we want to ensure we record the +I/O stats correctly in the case where an error is returned (for +instance in the layoutstats). + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index fad4d5188aafa..b6e25126a0b0f 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -562,7 +562,7 @@ static void nfs_pgio_rpcsetup(struct nfs_pgio_header *hdr, + } + + hdr->res.fattr = &hdr->fattr; +- hdr->res.count = count; ++ hdr->res.count = 0; + hdr->res.eof = 0; + hdr->res.verf = &hdr->verf; + nfs_fattr_init(&hdr->fattr); +-- +2.20.1 + diff --git a/queue-4.9/nfsv2-fix-eof-handling.patch b/queue-4.9/nfsv2-fix-eof-handling.patch new file mode 100644 index 00000000000..9a2166ee373 --- /dev/null +++ b/queue-4.9/nfsv2-fix-eof-handling.patch @@ -0,0 +1,35 @@ +From 24477498cb88ae438adad4f6c02e26965aaad304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 20:41:16 -0400 +Subject: NFSv2: Fix eof handling + +From: Trond Myklebust + +[ Upstream commit 71affe9be45a5c60b9772e1b2701710712637274 ] + +If we received a reply from the server with a zero length read and +no error, then that implies we are at eof. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index b7bca83039895..f3e8bcbd29a09 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -588,7 +588,8 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + /* Emulate the eof flag, which isn't normally needed in NFSv2 + * as it is guaranteed to always return the file attributes + */ +- if (hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) ++ if ((hdr->res.count == 0 && hdr->args.count > 0) || ++ hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) + hdr->res.eof = 1; + } + return 0; +-- +2.20.1 + diff --git a/queue-4.9/nfsv2-fix-write-regression.patch b/queue-4.9/nfsv2-fix-write-regression.patch new file mode 100644 index 00000000000..de981673bb7 --- /dev/null +++ b/queue-4.9/nfsv2-fix-write-regression.patch @@ -0,0 +1,40 @@ +From c1b2c7f7f82f96c04008b1f82182d6053e15ecb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 07:03:28 -0400 +Subject: NFSv2: Fix write regression + +From: Trond Myklebust + +[ Upstream commit d33d4beb522987d1c305c12500796f9be3687dee ] + +Ensure we update the write result count on success, since the +RPC call itself does not do so. + +Reported-by: Jan Stancek +Reported-by: Naresh Kamboju +Signed-off-by: Trond Myklebust +Tested-by: Jan Stancek +Signed-off-by: Sasha Levin +--- + fs/nfs/proc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index f3e8bcbd29a09..06e72229be123 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -610,8 +610,10 @@ static int nfs_proc_pgio_rpc_prepare(struct rpc_task *task, + + static int nfs_write_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + { +- if (task->tk_status >= 0) ++ if (task->tk_status >= 0) { ++ hdr->res.count = hdr->args.count; + nfs_writeback_update_inode(hdr); ++ } + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.9/nfsv4-fix-return-values-for-nfs4_file_open.patch b/queue-4.9/nfsv4-fix-return-values-for-nfs4_file_open.patch new file mode 100644 index 00000000000..a305ee738a4 --- /dev/null +++ b/queue-4.9/nfsv4-fix-return-values-for-nfs4_file_open.patch @@ -0,0 +1,51 @@ +From be3a5746e295019d9901fb75f18c3496404897e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2019 15:03:11 -0400 +Subject: NFSv4: Fix return values for nfs4_file_open() + +From: Trond Myklebust + +[ Upstream commit 90cf500e338ab3f3c0f126ba37e36fb6a9058441 ] + +Currently, we are translating RPC level errors such as timeouts, +as well as interrupts etc into EOPENSTALE, which forces a single +replay of the open attempt. What we actually want to do is +force the replay only in the cases where the returned error +indicates that the file may have changed on the server. + +So the fix is to spell out the exact set of errors where we want +to return EOPENSTALE. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 8a0c301b0c699..7138383382ff1 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -73,13 +73,13 @@ nfs4_file_open(struct inode *inode, struct file *filp) + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + switch (err) { +- case -EPERM: +- case -EACCES: +- case -EDQUOT: +- case -ENOSPC: +- case -EROFS: +- goto out_put_ctx; + default: ++ goto out_put_ctx; ++ case -ENOENT: ++ case -ESTALE: ++ case -EISDIR: ++ case -ENOTDIR: ++ case -ELOOP: + goto out_drop; + } + } +-- +2.20.1 + diff --git a/queue-4.9/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch b/queue-4.9/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch new file mode 100644 index 00000000000..8cfe0c6fd19 --- /dev/null +++ b/queue-4.9/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch @@ -0,0 +1,143 @@ +From 41509cfd102407d7bfa472f5befbf470edd2d59b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 14:57:30 -0500 +Subject: perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops + +From: Kim Phillips + +[ Upstream commit 0f4cd769c410e2285a4e9873a684d90423f03090 ] + +When counting dispatched micro-ops with cnt_ctl=1, in order to prevent +sample bias, IBS hardware preloads the least significant 7 bits of +current count (IbsOpCurCnt) with random values, such that, after the +interrupt is handled and counting resumes, the next sample taken +will be slightly perturbed. + +The current count bitfield is in the IBS execution control h/w register, +alongside the maximum count field. + +Currently, the IBS driver writes that register with the maximum count, +leaving zeroes to fill the current count field, thereby overwriting +the random bits the hardware preloaded for itself. + +Fix the driver to actually retain and carry those random bits from the +read of the IBS control register, through to its write, instead of +overwriting the lower current count bits with zeroes. + +Tested with: + +perf record -c 100001 -e ibs_op/cnt_ctl=1/pp -a -C 0 taskset -c 0 + +'perf annotate' output before: + + 15.70 65: addsd %xmm0,%xmm1 + 17.30 add $0x1,%rax + 15.88 cmp %rdx,%rax + je 82 + 17.32 72: test $0x1,%al + jne 7c + 7.52 movapd %xmm1,%xmm0 + 5.90 jmp 65 + 8.23 7c: sqrtsd %xmm1,%xmm0 + 12.15 jmp 65 + +'perf annotate' output after: + + 16.63 65: addsd %xmm0,%xmm1 + 16.82 add $0x1,%rax + 16.81 cmp %rdx,%rax + je 82 + 16.69 72: test $0x1,%al + jne 7c + 8.30 movapd %xmm1,%xmm0 + 8.13 jmp 65 + 8.24 7c: sqrtsd %xmm1,%xmm0 + 8.39 jmp 65 + +Tested on Family 15h and 17h machines. + +Machines prior to family 10h Rev. C don't have the RDWROPCNT capability, +and have the IbsOpCurCnt bitfield reserved, so this patch shouldn't +affect their operation. + +It is unknown why commit db98c5faf8cb ("perf/x86: Implement 64-bit +counter support for IBS") ignored the lower 4 bits of the IbsOpCurCnt +field; the number of preloaded random bits has always been 7, AFAICT. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: "Arnaldo Carvalho de Melo" +Cc: +Cc: Ingo Molnar +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Thomas Gleixner +Cc: "Borislav Petkov" +Cc: Stephane Eranian +Cc: Alexander Shishkin +Cc: "Namhyung Kim" +Cc: "H. Peter Anvin" +Link: https://lkml.kernel.org/r/20190826195730.30614-1-kim.phillips@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 13 ++++++++++--- + arch/x86/include/asm/perf_event.h | 12 ++++++++---- + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index fd4484ae3ffca..112e3c4636b4f 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -671,10 +671,17 @@ fail: + + throttle = perf_event_overflow(event, &data, ®s); + out: +- if (throttle) ++ if (throttle) { + perf_ibs_stop(event, 0); +- else +- perf_ibs_enable_event(perf_ibs, hwc, period >> 4); ++ } else { ++ period >>= 4; ++ ++ if ((ibs_caps & IBS_CAPS_RDWROPCNT) && ++ (*config & IBS_OP_CNT_CTL)) ++ period |= *config & IBS_OP_CUR_CNT_RAND; ++ ++ perf_ibs_enable_event(perf_ibs, hwc, period); ++ } + + perf_event_update_userpage(event); + +diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h +index f353061bba1d0..81d5ea71bbe94 100644 +--- a/arch/x86/include/asm/perf_event.h ++++ b/arch/x86/include/asm/perf_event.h +@@ -200,16 +200,20 @@ struct x86_pmu_capability { + #define IBSCTL_LVT_OFFSET_VALID (1ULL<<8) + #define IBSCTL_LVT_OFFSET_MASK 0x0F + +-/* ibs fetch bits/masks */ ++/* IBS fetch bits/masks */ + #define IBS_FETCH_RAND_EN (1ULL<<57) + #define IBS_FETCH_VAL (1ULL<<49) + #define IBS_FETCH_ENABLE (1ULL<<48) + #define IBS_FETCH_CNT 0xFFFF0000ULL + #define IBS_FETCH_MAX_CNT 0x0000FFFFULL + +-/* ibs op bits/masks */ +-/* lower 4 bits of the current count are ignored: */ +-#define IBS_OP_CUR_CNT (0xFFFF0ULL<<32) ++/* ++ * IBS op bits/masks ++ * The lower 7 bits of the current count are random bits ++ * preloaded by hardware and ignored in software ++ */ ++#define IBS_OP_CUR_CNT (0xFFF80ULL<<32) ++#define IBS_OP_CUR_CNT_RAND (0x0007FULL<<32) + #define IBS_OP_CNT_CTL (1ULL<<19) + #define IBS_OP_VAL (1ULL<<18) + #define IBS_OP_ENABLE (1ULL<<17) +-- +2.20.1 + diff --git a/queue-4.9/perf-x86-intel-restrict-period-on-nehalem.patch b/queue-4.9/perf-x86-intel-restrict-period-on-nehalem.patch new file mode 100644 index 00000000000..b98220ec029 --- /dev/null +++ b/queue-4.9/perf-x86-intel-restrict-period-on-nehalem.patch @@ -0,0 +1,94 @@ +From 4c9848fb25cf256d0b73d0f9746e4bb09c4c69ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2019 19:13:31 -0400 +Subject: perf/x86/intel: Restrict period on Nehalem + +From: Josh Hunt + +[ Upstream commit 44d3bbb6f5e501b873218142fe08cdf62a4ac1f3 ] + +We see our Nehalem machines reporting 'perfevents: irq loop stuck!' in +some cases when using perf: + +perfevents: irq loop stuck! +WARNING: CPU: 0 PID: 3485 at arch/x86/events/intel/core.c:2282 intel_pmu_handle_irq+0x37b/0x530 +... +RIP: 0010:intel_pmu_handle_irq+0x37b/0x530 +... +Call Trace: + +? perf_event_nmi_handler+0x2e/0x50 +? intel_pmu_save_and_restart+0x50/0x50 +perf_event_nmi_handler+0x2e/0x50 +nmi_handle+0x6e/0x120 +default_do_nmi+0x3e/0x100 +do_nmi+0x102/0x160 +end_repeat_nmi+0x16/0x50 +... +? native_write_msr+0x6/0x20 +? native_write_msr+0x6/0x20 + +intel_pmu_enable_event+0x1ce/0x1f0 +x86_pmu_start+0x78/0xa0 +x86_pmu_enable+0x252/0x310 +__perf_event_task_sched_in+0x181/0x190 +? __switch_to_asm+0x41/0x70 +? __switch_to_asm+0x35/0x70 +? __switch_to_asm+0x41/0x70 +? __switch_to_asm+0x35/0x70 +finish_task_switch+0x158/0x260 +__schedule+0x2f6/0x840 +? hrtimer_start_range_ns+0x153/0x210 +schedule+0x32/0x80 +schedule_hrtimeout_range_clock+0x8a/0x100 +? hrtimer_init+0x120/0x120 +ep_poll+0x2f7/0x3a0 +? wake_up_q+0x60/0x60 +do_epoll_wait+0xa9/0xc0 +__x64_sys_epoll_wait+0x1a/0x20 +do_syscall_64+0x4e/0x110 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fdeb1e96c03 +... +Signed-off-by: Peter Zijlstra (Intel) +Cc: acme@kernel.org +Cc: Josh Hunt +Cc: bpuranda@akamai.com +Cc: mingo@redhat.com +Cc: jolsa@redhat.com +Cc: tglx@linutronix.de +Cc: namhyung@kernel.org +Cc: alexander.shishkin@linux.intel.com +Link: https://lkml.kernel.org/r/1566256411-18820-1-git-send-email-johunt@akamai.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index e98e238d37750..55e362f9dbfaa 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3075,6 +3075,11 @@ static u64 bdw_limit_period(struct perf_event *event, u64 left) + return left; + } + ++static u64 nhm_limit_period(struct perf_event *event, u64 left) ++{ ++ return max(left, 32ULL); ++} ++ + PMU_FORMAT_ATTR(event, "config:0-7" ); + PMU_FORMAT_ATTR(umask, "config:8-15" ); + PMU_FORMAT_ATTR(edge, "config:18" ); +@@ -3734,6 +3739,7 @@ __init int intel_pmu_init(void) + x86_pmu.pebs_constraints = intel_nehalem_pebs_event_constraints; + x86_pmu.enable_all = intel_pmu_nhm_enable_all; + x86_pmu.extra_regs = intel_nehalem_extra_regs; ++ x86_pmu.limit_period = nhm_limit_period; + + x86_pmu.cpu_events = nhm_events_attrs; + +-- +2.20.1 + diff --git a/queue-4.9/qed-add-cleanup-in-qed_slowpath_start.patch b/queue-4.9/qed-add-cleanup-in-qed_slowpath_start.patch new file mode 100644 index 00000000000..a1b78276067 --- /dev/null +++ b/queue-4.9/qed-add-cleanup-in-qed_slowpath_start.patch @@ -0,0 +1,46 @@ +From 0b06a2f6e4b4579c46c2be2b78e5238afe6e0c13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2019 23:46:36 -0500 +Subject: qed: Add cleanup in qed_slowpath_start() + +From: Wenwen Wang + +[ Upstream commit de0e4fd2f07ce3bbdb69dfb8d9426b7227451b69 ] + +If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to +memory leaks. To fix this issue, introduce the label 'err4' to perform the +cleanup work before returning the error. + +Signed-off-by: Wenwen Wang +Acked-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index a769196628d91..708117fc6f733 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -958,7 +958,7 @@ static int qed_slowpath_start(struct qed_dev *cdev, + &drv_version); + if (rc) { + DP_NOTICE(cdev, "Failed sending drv version command\n"); +- return rc; ++ goto err4; + } + } + +@@ -966,6 +966,8 @@ static int qed_slowpath_start(struct qed_dev *cdev, + + return 0; + ++err4: ++ qed_ll2_dealloc_if(cdev); + err3: + qed_hw_stop(cdev); + err2: +-- +2.20.1 + diff --git a/queue-4.9/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch b/queue-4.9/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch new file mode 100644 index 00000000000..6ff4cd67a22 --- /dev/null +++ b/queue-4.9/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch @@ -0,0 +1,52 @@ +From 855add65563d91de3f65f168a3daedf23253dac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2019 01:36:19 -0700 +Subject: r8152: Set memory to all 0xFFs on failed reg reads + +From: Prashant Malani + +[ Upstream commit f53a7ad189594a112167efaf17ea8d0242b5ac00 ] + +get_registers() blindly copies the memory written to by the +usb_control_msg() call even if the underlying urb failed. + +This could lead to junk register values being read by the driver, since +some indirect callers of get_registers() ignore the return values. One +example is: + ocp_read_dword() ignores the return value of generic_ocp_read(), which + calls get_registers(). + +So, emulate PCI "Master Abort" behavior by setting the buffer to all +0xFFs when usb_control_msg() fails. + +This patch is copied from the r8152 driver (v2.12.0) published by +Realtek (www.realtek.com). + +Signed-off-by: Prashant Malani +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 02e29562d254e..15dc70c118579 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -689,8 +689,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, + value, index, tmp, size, 500); ++ if (ret < 0) ++ memset(data, 0xff, size); ++ else ++ memcpy(data, tmp, size); + +- memcpy(data, tmp, size); + kfree(tmp); + + return ret; +-- +2.20.1 + diff --git a/queue-4.9/s390-bpf-fix-lcgr-instruction-encoding.patch b/queue-4.9/s390-bpf-fix-lcgr-instruction-encoding.patch new file mode 100644 index 00000000000..b5143b48e6f --- /dev/null +++ b/queue-4.9/s390-bpf-fix-lcgr-instruction-encoding.patch @@ -0,0 +1,43 @@ +From 3d5dfc64e354428e254199ebe763d7bc583cd01a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 17:03:32 +0200 +Subject: s390/bpf: fix lcgr instruction encoding + +From: Ilya Leoshkevich + +[ Upstream commit bb2d267c448f4bc3a3389d97c56391cb779178ae ] + +"masking, test in bounds 3" fails on s390, because +BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0) ignores the top 32 bits of +BPF_REG_2. The reason is that JIT emits lcgfr instead of lcgr. +The associated comment indicates that the code was intended to +emit lcgr in the first place, it's just that the wrong opcode +was used. + +Fix by using the correct opcode. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Ilya Leoshkevich +Acked-by: Vasily Gorbik +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 896344b6e0363..e4616090732a4 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -881,7 +881,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + break; + case BPF_ALU64 | BPF_NEG: /* dst = -dst */ + /* lcgr %dst,%dst */ +- EMIT4(0xb9130000, dst_reg, dst_reg); ++ EMIT4(0xb9030000, dst_reg, dst_reg); + break; + /* + * BPF_FROM_BE/LE +-- +2.20.1 + diff --git a/queue-4.9/s390-bpf-use-32-bit-index-for-tail-calls.patch b/queue-4.9/s390-bpf-use-32-bit-index-for-tail-calls.patch new file mode 100644 index 00000000000..b8b045ee121 --- /dev/null +++ b/queue-4.9/s390-bpf-use-32-bit-index-for-tail-calls.patch @@ -0,0 +1,62 @@ +From 4735742b320dc429123a3a2042bf360cf0aba25f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 18:18:07 +0200 +Subject: s390/bpf: use 32-bit index for tail calls + +From: Ilya Leoshkevich + +[ Upstream commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 ] + +"p runtime/jit: pass > 32bit index to tail_call" fails when +bpf_jit_enable=1, because the tail call is not executed. + +This in turn is because the generated code assumes index is 64-bit, +while it must be 32-bit, and as a result prog array bounds check fails, +while it should pass. Even if bounds check would have passed, the code +that follows uses 64-bit index to compute prog array offset. + +Fix by using clrj instead of clgrj for comparing index with array size, +and also by using llgfr for truncating index to 32 bits before using it +to compute prog array offset. + +Fixes: 6651ee070b31 ("s390/bpf: implement bpf_tail_call() helper") +Reported-by: Yauheni Kaliuta +Acked-by: Vasily Gorbik +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index e4616090732a4..9b15a1dc66287 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1062,8 +1062,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + /* llgf %w1,map.max_entries(%b2) */ + EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2, + offsetof(struct bpf_array, map.max_entries)); +- /* clgrj %b3,%w1,0xa,label0: if %b3 >= %w1 goto out */ +- EMIT6_PCREL_LABEL(0xec000000, 0x0065, BPF_REG_3, ++ /* clrj %b3,%w1,0xa,label0: if (u32)%b3 >= (u32)%w1 goto out */ ++ EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3, + REG_W1, 0, 0xa); + + /* +@@ -1089,8 +1089,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + * goto out; + */ + +- /* sllg %r1,%b3,3: %r1 = index * 8 */ +- EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, BPF_REG_3, REG_0, 3); ++ /* llgfr %r1,%b3: %r1 = (u32) index */ ++ EMIT4(0xb9160000, REG_1, BPF_REG_3); ++ /* sllg %r1,%r1,3: %r1 *= 8 */ ++ EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3); + /* lg %r1,prog(%b2,%r1) */ + EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, BPF_REG_2, + REG_1, offsetof(struct bpf_array, ptrs)); +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 21f4f35d37b..3d37bd029c2 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -41,3 +41,31 @@ kvm-coalesced_mmio-add-bounds-checking.patch serial-sprd-correct-the-wrong-sequence-of-arguments.patch tty-serial-atmel-reschedule-tx-after-rx-was-started.patch mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch +arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch +s390-bpf-fix-lcgr-instruction-encoding.patch +arm-omap2-fix-omap4-errata-warning-on-other-socs.patch +s390-bpf-use-32-bit-index-for-tail-calls.patch +nfsv4-fix-return-values-for-nfs4_file_open.patch +nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch +kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch +qed-add-cleanup-in-qed_slowpath_start.patch +arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch +batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch +r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch +x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch +netfilter-nf_conntrack_ftp-fix-debug-output.patch +nfsv2-fix-eof-handling.patch +nfsv2-fix-write-regression.patch +cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch +cifs-use-kzfree-to-zero-out-the-password.patch +arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch +sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch +perf-x86-intel-restrict-period-on-nehalem.patch +perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch +tools-power-turbostat-fix-buffer-overrun.patch +net-seeq-fix-the-function-used-to-release-some-memor.patch +dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch +dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch +x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch +keys-fix-missing-null-pointer-check-in-request_key_a.patch +iommu-amd-fix-race-in-increase_address_space.patch diff --git a/queue-4.9/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch b/queue-4.9/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch new file mode 100644 index 00000000000..77034e8e5e8 --- /dev/null +++ b/queue-4.9/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch @@ -0,0 +1,43 @@ +From f5f76de208921080b071ab297918301d7d68ae3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 08:31:19 +0200 +Subject: sky2: Disable MSI on yet another ASUS boards (P6Xxxx) + +From: Takashi Iwai + +[ Upstream commit 189308d5823a089b56e2299cd96589507dac7319 ] + +A similar workaround for the suspend/resume problem is needed for yet +another ASUS machines, P6X models. Like the previous fix, the BIOS +doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_* +entries are used instead. + +Reported-and-tested-by: SteveM +Signed-off-by: Takashi Iwai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/sky2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index 59dbecd19c93f..49f692907a30b 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4946,6 +4946,13 @@ static const struct dmi_system_id msi_blacklist[] = { + DMI_MATCH(DMI_BOARD_NAME, "P6T"), + }, + }, ++ { ++ .ident = "ASUS P6X", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P6X"), ++ }, ++ }, + {} + }; + +-- +2.20.1 + diff --git a/queue-4.9/tools-power-turbostat-fix-buffer-overrun.patch b/queue-4.9/tools-power-turbostat-fix-buffer-overrun.patch new file mode 100644 index 00000000000..2f139076ae4 --- /dev/null +++ b/queue-4.9/tools-power-turbostat-fix-buffer-overrun.patch @@ -0,0 +1,37 @@ +From 04061788e06000306332dca38d538cfe019761b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2019 16:02:14 +0900 +Subject: tools/power turbostat: fix buffer overrun + +From: Naoya Horiguchi + +[ Upstream commit eeb71c950bc6eee460f2070643ce137e067b234c ] + +turbostat could be terminated by general protection fault on some latest +hardwares which (for example) support 9 levels of C-states and show 18 +"tADDED" lines. That bloats the total output and finally causes buffer +overrun. So let's extend the buffer to avoid this. + +Signed-off-by: Naoya Horiguchi +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index b4c5d96e54c12..7c2c8e74aa9a9 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -3593,7 +3593,7 @@ int initialize_counters(int cpu_id) + + void allocate_output_buffer() + { +- output_buffer = calloc(1, (1 + topo.num_cpus) * 1024); ++ output_buffer = calloc(1, (1 + topo.num_cpus) * 2048); + outp = output_buffer; + if (outp == NULL) + err(-1, "calloc output buffer"); +-- +2.20.1 + diff --git a/queue-4.9/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch b/queue-4.9/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch new file mode 100644 index 00000000000..5bacef378fb --- /dev/null +++ b/queue-4.9/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch @@ -0,0 +1,71 @@ +From b047ae6bb83df346ae32f8f66a67b7cc82336aeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 15:16:31 +0200 +Subject: x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines + +From: Thomas Gleixner + +[ Upstream commit 3e5bedc2c258341702ddffbd7688c5e6eb01eafa ] + +Rahul Tanwar reported the following bug on DT systems: + +> 'ioapic_dynirq_base' contains the virtual IRQ base number. Presently, it is +> updated to the end of hardware IRQ numbers but this is done only when IOAPIC +> configuration type is IOAPIC_DOMAIN_LEGACY or IOAPIC_DOMAIN_STRICT. There is +> a third type IOAPIC_DOMAIN_DYNAMIC which applies when IOAPIC configuration +> comes from devicetree. +> +> See dtb_add_ioapic() in arch/x86/kernel/devicetree.c +> +> In case of IOAPIC_DOMAIN_DYNAMIC (DT/OF based system), 'ioapic_dynirq_base' +> remains to zero initialized value. This means that for OF based systems, +> virtual IRQ base will get set to zero. + +Such systems will very likely not even boot. + +For DT enabled machines ioapic_dynirq_base is irrelevant and not +updated, so simply map the IRQ base 1:1 instead. + +Reported-by: Rahul Tanwar +Tested-by: Rahul Tanwar +Tested-by: Andy Shevchenko +Signed-off-by: Thomas Gleixner +Cc: Alexander Shishkin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: alan@linux.intel.com +Cc: bp@alien8.de +Cc: cheol.yong.kim@intel.com +Cc: qi-ming.wu@intel.com +Cc: rahul.tanwar@intel.com +Cc: rppt@linux.ibm.com +Cc: tony.luck@intel.com +Link: http://lkml.kernel.org/r/20190821081330.1187-1-rahul.tanwar@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/io_apic.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index d34629d70421f..09dd95cabfc28 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2346,7 +2346,13 @@ unsigned int arch_dynirq_lower_bound(unsigned int from) + * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use + * gsi_top if ioapic_dynirq_base hasn't been initialized yet. + */ +- return ioapic_initialized ? ioapic_dynirq_base : gsi_top; ++ if (!ioapic_initialized) ++ return gsi_top; ++ /* ++ * For DT enabled machines ioapic_dynirq_base is irrelevant and not ++ * updated. So simply return @from if ioapic_dynirq_base == 0. ++ */ ++ return ioapic_dynirq_base ? : from; + } + + #ifdef CONFIG_X86_32 +-- +2.20.1 + diff --git a/queue-4.9/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch b/queue-4.9/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch new file mode 100644 index 00000000000..5c6d9ceb40e --- /dev/null +++ b/queue-4.9/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch @@ -0,0 +1,58 @@ +From c8f4609eae1b16fbd365a33aec7beb4f02e5e093 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 10:24:45 +0200 +Subject: x86/uaccess: Don't leak the AC flags into __get_user() argument + evaluation + +From: Peter Zijlstra + +[ Upstream commit 9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5 ] + +Identical to __put_user(); the __get_user() argument evalution will too +leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region. +While uncommon this was observed to happen for: + + drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i])) + +where UBSAN added array bound checking. + +This complements commit: + + 6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation") + +Tested-by Sedat Dilek +Reported-by: Randy Dunlap +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Josh Poimboeuf +Reviewed-by: Thomas Gleixner +Cc: broonie@kernel.org +Cc: sfr@canb.auug.org.au +Cc: akpm@linux-foundation.org +Cc: Randy Dunlap +Cc: mhocko@suse.cz +Cc: Josh Poimboeuf +Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/uaccess.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 2177c7551ff77..9db8d8758ed3b 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -438,8 +438,10 @@ do { \ + ({ \ + int __gu_err; \ + __inttype(*(ptr)) __gu_val; \ ++ __typeof__(ptr) __gu_ptr = (ptr); \ ++ __typeof__(size) __gu_size = (size); \ + __uaccess_begin_nospec(); \ +- __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ ++ __get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT); \ + __uaccess_end(); \ + (x) = (__force __typeof__(*(ptr)))__gu_val; \ + __builtin_expect(__gu_err, 0); \ +-- +2.20.1 +