From: Sasha Levin Date: Tue, 19 Mar 2019 22:13:50 +0000 (-0400) Subject: patches for 3.18 X-Git-Tag: v3.18.137~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=343e7fb92fcae633155a9f83dfa2a4364405dabe;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 3.18 Signed-off-by: Sasha Levin --- diff --git a/queue-3.18/arm64-relax-gic-version-check-during-early-boot.patch b/queue-3.18/arm64-relax-gic-version-check-during-early-boot.patch new file mode 100644 index 00000000000..a9e69c03d4f --- /dev/null +++ b/queue-3.18/arm64-relax-gic-version-check-during-early-boot.patch @@ -0,0 +1,40 @@ +From f44bd766125d991845e3563a3661a3e2870e1113 Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Wed, 20 Feb 2019 11:43:05 +0000 +Subject: arm64: Relax GIC version check during early boot + +[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ] + +Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have +values other than 0 or 1. At the moment, Linux is quite strict in the +way it handles this field at early boot stage (cpufeature is fine) and +will refuse to use the system register CPU interface if it doesn't +find the value 1. + +Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3") +Reported-by: Chase Conklin +Reviewed-by: Marc Zyngier +Signed-off-by: Vladimir Murzin +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/head.S | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 5c4b8d6e8ba0..fcb224df471d 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -295,8 +295,7 @@ CPU_LE( bic x0, x0, #(3 << 24) ) // Clear the EE and E0E bits for EL1 + /* GICv3 system register access */ + mrs x0, id_aa64pfr0_el1 + ubfx x0, x0, #24, #4 +- cmp x0, #1 +- b.ne 3f ++ cbz x0, 3f + + mrs_s x0, ICC_SRE_EL2 + orr x0, x0, #ICC_SRE_EL2_SRE // Set ICC_SRE_EL2.SRE==1 +-- +2.19.1 + 
diff --git a/queue-3.18/assoc_array-fix-shortcut-creation.patch b/queue-3.18/assoc_array-fix-shortcut-creation.patch new file mode 100644 index 00000000000..a2c29140b7e --- /dev/null +++ b/queue-3.18/assoc_array-fix-shortcut-creation.patch 
@@ -0,0 +1,57 @@ +From 841054a1d943f4e83ce3235e756536b657d40978 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 14 Feb 2019 16:20:15 +0000 +Subject: assoc_array: Fix shortcut creation + +[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ] + +Fix the creation of shortcuts for which the length of the index key value +is an exact multiple of the machine word size. The problem is that the +code that blanks off the unused bits of the shortcut value malfunctions if +the number of bits in the last word equals machine word size. This is due +to the "<<" operator being given a shift of zero in this case, and so the +mask that should be all zeros is all ones instead. This causes the +subsequent masking operation to clear everything rather than clearing +nothing. + +Ordinarily, the presence of the hash at the beginning of the tree index key +makes the issue very hard to test for, but in this case, it was encountered +due to a development mistake that caused the hash output to be either 0 +(keyring) or 1 (non-keyring) only. This made it susceptible to the +keyctl/unlink/valid test in the keyutils package. + +The fix is simply to skip the blanking if the shift would be 0. For +example, an index key that is 64 bits long would produce a 0 shift and thus +a 'blank' of all 1s. This would then be inverted and AND'd onto the +index_key, incorrectly clearing the entire last word. 
+ +Fixes: 3cb989501c26 ("Add a generic associative array implementation.") +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +--- + lib/assoc_array.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/lib/assoc_array.c b/lib/assoc_array.c +index 0d122543bd63..1db287fffb67 100644 +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -780,9 +780,11 @@ all_leaves_cluster_together: + new_s0->index_key[i] = + ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE); + +- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); +- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); +- new_s0->index_key[keylen - 1] &= ~blank; ++ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) { ++ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); ++ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); ++ new_s0->index_key[keylen - 1] &= ~blank; ++ } + + /* This now reduces to a node splitting exercise for which we'll need + * to regenerate the disparity table. +-- +2.19.1 + diff --git a/queue-3.18/i2c-cadence-fix-the-hold-bit-setting.patch b/queue-3.18/i2c-cadence-fix-the-hold-bit-setting.patch new file mode 100644 index 00000000000..5fa7093e823 --- /dev/null +++ b/queue-3.18/i2c-cadence-fix-the-hold-bit-setting.patch 
@@ -0,0 +1,56 @@ +From ea7ef28c964835e457918623ee9a578eeccd10b8 Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Tue, 5 Feb 2019 16:42:53 +0530 +Subject: i2c: cadence: Fix the hold bit setting + +[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ] + +In case the hold bit is not needed we are carrying the old values. +Fix the same by resetting the bit when not needed. + +Fixes the sporadic i2c bus lockups on National Instruments +Zynq-based devices. + +Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") +Reported-by: Kyle Roeschley +Acked-by: Michal Simek +Signed-off-by: Shubhrajyoti Datta +Tested-by: Kyle Roeschley +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-cadence.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index c604f4c3ac0d..c50a015018fe 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -320,8 +320,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->recv_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -375,8 +377,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->send_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; ++ + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +-- +2.19.1 + 
diff --git a/queue-3.18/input-matrix_keypad-use-flush_delayed_work.patch b/queue-3.18/input-matrix_keypad-use-flush_delayed_work.patch new file mode 100644 index 00000000000..377e7462c57 --- /dev/null +++ b/queue-3.18/input-matrix_keypad-use-flush_delayed_work.patch @@ -0,0 +1,34 @@ +From 4b6948eb789193bbf93042c72c97a4f935491f82 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 7 Feb 2019 14:39:40 -0800 +Subject: Input: matrix_keypad - use flush_delayed_work() + +[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ] + +We should be using flush_delayed_work() instead of flush_work() in +matrix_keypad_stop() to ensure that we are not missing work that is +scheduled but not yet put in the workqueue (i.e. its delay timer has not +expired yet). + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/matrix_keypad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c +index 176bdd140769..a1b9753e0616 100644 +--- a/drivers/input/keyboard/matrix_keypad.c ++++ b/drivers/input/keyboard/matrix_keypad.c +@@ -220,7 +220,7 @@ static void matrix_keypad_stop(struct input_dev *dev) + keypad->stopped = true; + spin_unlock_irq(&keypad->lock); + +- flush_work(&keypad->work.work); ++ flush_delayed_work(&keypad->work); + /* + * matrix_keypad_scan() will leave IRQs enabled; + * we should disable them now. +-- +2.19.1 + diff --git a/queue-3.18/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch b/queue-3.18/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch new file mode 100644 index 00000000000..b63f50e2015 --- /dev/null +++ b/queue-3.18/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch 
@@ -0,0 +1,45 @@ +From 90ef175398deddcea4b0c2a2feae6babd7ebd8f1 Mon Sep 17 00:00:00 2001 +From: Gabriel Fernandez +Date: Sat, 16 Feb 2019 21:10:16 -0800 +Subject: Input: st-keyscan - fix potential zalloc NULL dereference + +[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ] + +This patch fixes the following static checker warning: + +drivers/input/keyboard/st-keyscan.c:156 keyscan_probe() +error: potential zalloc NULL dereference: 'keypad_data->input_dev' + +Reported-by: Dan Carpenter +Signed-off-by: Gabriel Fernandez +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/st-keyscan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c +index de7be4f03d91..ebf9f643d910 100644 +--- a/drivers/input/keyboard/st-keyscan.c ++++ b/drivers/input/keyboard/st-keyscan.c +@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev) + + input_dev->id.bustype = BUS_HOST; + ++ keypad_data->input_dev = input_dev; ++ + error = keypad_matrix_key_parse_dt(keypad_data); + if (error) + return error; +@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev) + + input_set_drvdata(input_dev, keypad_data); + +- keypad_data->input_dev = input_dev; +- + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + keypad_data->base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(keypad_data->base)) +-- +2.19.1 + diff --git a/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 b/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 new file mode 100644 index 00000000000..6bdac0cb342 --- /dev/null +++ b/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 
@@ -0,0 +1,128 @@ +From 7b3eef0f60b36cee8ff2b751044a142c7b27af14 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 21 Feb 2019 22:42:01 +0800 +Subject: mdio_bus: Fix use-after-free on device_register fails + +[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ] + +KASAN has found use-after-free in fixed_mdio_bus_init, +commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call +put_device on device_register() failure") call put_device() +while device_register() fails,give up the last reference +to the device and allow mdiobus_release to be executed +,kfreeing the bus. However in most drives, mdiobus_free +be called to free the bus while mdiobus_register fails. +use-after-free occurs when access bus again, this patch +revert it to let mdiobus_free free the bus. + +KASAN report details as below: + +BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482 +Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524 + +CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + print_address_description+0x65/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482 + fixed_mdio_bus_init+0x283/0x1000 [fixed_phy] + ? 0xffffffffc0e40000 + ? 0xffffffffc0e40000 + ? 
0xffffffffc0e40000 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc +R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 + +Allocated by task 3524: + set_track mm/kasan/common.c:85 [inline] + __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496 + kmalloc include/linux/slab.h:545 [inline] + kzalloc include/linux/slab.h:740 [inline] + mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143 + fixed_mdio_bus_init+0x163/0x1000 [fixed_phy] + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 3524: + set_track mm/kasan/common.c:85 [inline] + __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458 + slab_free_hook mm/slub.c:1409 [inline] + slab_free_freelist_hook mm/slub.c:1436 [inline] + slab_free mm/slub.c:2986 [inline] + kfree+0xe1/0x270 mm/slub.c:3938 + device_release+0x78/0x200 drivers/base/core.c:919 + kobject_cleanup lib/kobject.c:662 [inline] + kobject_release lib/kobject.c:691 [inline] + 
kref_put include/linux/kref.h:67 [inline] + kobject_put+0x146/0x240 lib/kobject.c:708 + put_device+0x1c/0x30 drivers/base/core.c:2060 + __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382 + fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy] + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8881dc824c80 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 248 bytes inside of + 2048-byte region [ffff8881dc824c80, ffff8881dc825480) +The buggy address belongs to the page: +page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0 +flags: 0x2fffc0000010200(slab|head) +raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800 +raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure") +Signed-off-by: YueHaibing +Reviewed-by: Andrew Lunn +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 50051f271b10..8dfd1aeb8fab 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -261,7 +261,6 @@ int mdiobus_register(struct mii_bus *bus) + err = device_register(&bus->dev); + if (err) { + pr_err("mii_bus %s failed to register\n", bus->id); +- put_device(&bus->dev); + return -EINVAL; + } + +-- +2.19.1 + diff --git a/queue-3.18/mm-gup-fix-gup_pmd_range-for-dax.patch b/queue-3.18/mm-gup-fix-gup_pmd_range-for-dax.patch new file mode 100644 index 00000000000..e777dfc6990 --- /dev/null +++ b/queue-3.18/mm-gup-fix-gup_pmd_range-for-dax.patch 
@@ -0,0 +1,48 @@ +From c10e7f56c98af101b7af458f19bb8a212cca0f2d Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Tue, 12 Feb 2019 15:35:58 -0800 +Subject: mm/gup: fix gup_pmd_range() for dax + +[ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ] + +For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true +on x86. So the function works as long as hugetlb is configured. +However, dax doesn't depend on hugetlb. + +Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.com +Signed-off-by: Yu Zhao +Reviewed-by: Jan Kara +Cc: Dan Williams +Cc: Huang Ying +Cc: Matthew Wilcox +Cc: Keith Busch +Cc: "Michael S . Tsirkin" +Cc: John Hubbard +Cc: Wei Yang +Cc: Mike Rapoport +Cc: Andrea Arcangeli +Cc: "Kirill A . Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/gup.c b/mm/gup.c +index ce1630bf0b95..29a36fae8624 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -885,7 +885,8 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, + if (pmd_none(pmd) || pmd_trans_splitting(pmd)) + return 0; + +- if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd))) { ++ if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) || ++ pmd_devmap(pmd))) { + /* + * NUMA hinting faults need to be handled in the GUP + * slowpath for accounting purposes and so that they +-- +2.19.1 + diff --git a/queue-3.18/net-marvell-mvneta-fix-dma-debug-warning.patch b/queue-3.18/net-marvell-mvneta-fix-dma-debug-warning.patch new file mode 100644 index 00000000000..5200ea89101 --- /dev/null +++ b/queue-3.18/net-marvell-mvneta-fix-dma-debug-warning.patch 
@@ -0,0 +1,58 @@ +From b5382511a65617df9f933b467a2fb4a17445a3b5 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 15 Feb 2019 13:55:47 +0000 +Subject: net: marvell: mvneta: fix DMA debug warning + +[ Upstream commit a8fef9ba58c9966ddb1fec916d8d8137c9d8bc89 ] + +Booting 4.20 on SolidRun Clearfog issues this warning with DMA API +debug enabled: + +WARNING: CPU: 0 PID: 555 at kernel/dma/debug.c:1230 check_sync+0x514/0x5bc +mvneta f1070000.ethernet: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x000000002dd7dc00] [size=240 bytes] +Modules linked in: ahci mv88e6xxx dsa_core xhci_plat_hcd xhci_hcd devlink armada_thermal marvell_cesa des_generic ehci_orion phy_armada38x_comphy mcp3021 spi_orion evbug sfp mdio_i2c ip_tables x_tables +CPU: 0 PID: 555 Comm: bridge-network- Not tainted 4.20.0+ #291 +Hardware name: Marvell Armada 380/385 (Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x9c/0xd4) +[] (dump_stack) from [] (__warn+0xf8/0x124) +[] (__warn) from [] (warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [] (check_sync+0x514/0x5bc) +[] (check_sync) from [] (debug_dma_sync_single_range_for_cpu+0x6c/0x74) +[] (debug_dma_sync_single_range_for_cpu) from [] (mvneta_poll+0x298/0xf58) +[] (mvneta_poll) from [] (net_rx_action+0x128/0x424) +[] (net_rx_action) from [] (__do_softirq+0xf0/0x540) +[] (__do_softirq) from [] (irq_exit+0x124/0x144) +[] (irq_exit) from [] (__handle_domain_irq+0x58/0xb0) +[] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x98) +[] (gic_handle_irq) from [] (__irq_svc+0x70/0x98) +... + +This appears to be caused by mvneta_rx_hwbm() calling +dma_sync_single_range_for_cpu() with the wrong struct device pointer, +as the buffer manager device pointer is used to map and unmap the +buffer. Fix this. + +Signed-off-by: Russell King +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 6212177781d5..922c4afc767b 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1482,7 +1482,7 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo, + if (unlikely(!skb)) + goto err_drop_frame; + +- dma_sync_single_range_for_cpu(dev->dev.parent, ++ dma_sync_single_range_for_cpu(&pp->bm_priv->pdev->dev, + rx_desc->buf_phys_addr, + MVNETA_MH_SIZE + NET_SKB_PAD, + rx_bytes, +-- +2.19.1 + diff --git a/queue-3.18/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch b/queue-3.18/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch new file mode 100644 index 00000000000..614bfa54228 --- /dev/null +++ b/queue-3.18/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch 
@@ -0,0 +1,48 @@ +From 8a22410e35c7016949b119a484d2bd0f525d43cf Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 16 Feb 2019 00:20:54 +0300 +Subject: net: mv643xx_eth: disable clk on error path in + mv643xx_eth_shared_probe() + +[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ] + +If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe() +leaves clk enabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index d44560d1d268..5fcf026d3528 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2814,7 +2814,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev) + + ret = mv643xx_eth_shared_of_probe(pdev); + if (ret) +- return ret; ++ goto err_put_clk; + pd = dev_get_platdata(&pdev->dev); + + msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ? +@@ -2822,6 +2822,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev) + infer_hw_params(msp); + + return 0; ++ ++err_put_clk: ++ if (!IS_ERR(msp->clk)) ++ clk_disable_unprepare(msp->clk); ++ return ret; + } + + static int mv643xx_eth_shared_remove(struct platform_device *pdev) +-- +2.19.1 + diff --git a/queue-3.18/net-set-static-variable-an-initial-value-in-atl2_pro.patch b/queue-3.18/net-set-static-variable-an-initial-value-in-atl2_pro.patch new file mode 100644 index 00000000000..8fe84ad5f05 --- /dev/null +++ b/queue-3.18/net-set-static-variable-an-initial-value-in-atl2_pro.patch 
@@ -0,0 +1,40 @@ +From e9b19a9947cef6829fd5f7a7134f57b6d3d5bb77 Mon Sep 17 00:00:00 2001 +From: Mao Wenan +Date: Fri, 22 Feb 2019 14:57:23 +0800 +Subject: net: set static variable an initial value in atl2_probe() + +[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ] + +cards_found is a static variable, but when it enters atl2_probe(), +cards_found is set to zero, the value is not consistent with last probe, +so next behavior is not our expect. + +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atlx/atl2.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c +index 5086ec9214c3..ceae4d56105d 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl2.c ++++ b/drivers/net/ethernet/atheros/atlx/atl2.c +@@ -1338,13 +1338,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *netdev; + struct atl2_adapter *adapter; +- static int cards_found; ++ static int cards_found = 0; + unsigned long mmio_start; + int mmio_len; + int err; + +- cards_found = 0; +- + err = pci_enable_device(pdev); + if (err) + return err; +-- +2.19.1 + diff --git a/queue-3.18/net-systemport-fix-reception-of-bpdus.patch b/queue-3.18/net-systemport-fix-reception-of-bpdus.patch new file mode 100644 index 00000000000..c13e19de028 --- /dev/null +++ b/queue-3.18/net-systemport-fix-reception-of-bpdus.patch 
@@ -0,0 +1,38 @@ +From e89a83607b768169ade5f3030456a2534addcf53 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 15 Feb 2019 12:16:51 -0800 +Subject: net: systemport: Fix reception of BPDUs + +[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ] + +SYSTEMPORT has its RXCHK parser block that attempts to validate the +packet structures, unfortunately setting the L2 header check bit will +cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look +like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type. + +Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index dbe35e9277c3..c81e0139fe74 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -126,6 +126,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev, + + priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM); + reg = rxchk_readl(priv, RXCHK_CONTROL); ++ /* Clear L2 header checks, which would prevent BPDUs ++ * from being received. ++ */ ++ reg &= ~RXCHK_L2_HDR_DIS; + if (priv->rx_chk_en) + reg |= RXCHK_EN; + else +-- +2.19.1 + diff --git a/queue-3.18/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch b/queue-3.18/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch new file mode 100644 index 00000000000..7aefc10540c --- /dev/null +++ b/queue-3.18/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch 
@@ -0,0 +1,96 @@ +From 1069d07a8e877ba935e3d6c8b10d3ebc7055f135 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Wed, 21 Nov 2018 12:39:47 +0100 +Subject: s390/dasd: fix using offset into zero size array error + +[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ] + +Dan Carpenter reported the following: + +The patch 52898025cf7d: "[S390] dasd: security and PSF update patch +for EMC CKD ioctl" from Mar 8, 2010, leads to the following static +checker warning: + + drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io() + error: using offset into zero size array 'psf_data[]' + +drivers/s390/block/dasd_eckd.c + 4458 /* Copy parms from caller */ + 4459 rc = -EFAULT; + 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm))) + ^^^^^^^ +The user can specify any "usrparm.psf_data_len". They choose zero by +mistake. + + 4461 goto out; + 4462 if (is_compat_task()) { + 4463 /* Make sure pointers are sane even on 31 bit. */ + 4464 rc = -EINVAL; + 4465 if ((usrparm.psf_data >> 32) != 0) + 4466 goto out; + 4467 if ((usrparm.rssd_result >> 32) != 0) + 4468 goto out; + 4469 usrparm.psf_data &= 0x7fffffffULL; + 4470 usrparm.rssd_result &= 0x7fffffffULL; + 4471 } + 4472 /* alloc I/O data area */ + 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL + | GFP_DMA); + 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL + | GFP_DMA); + 4475 if (!psf_data || !rssd_result) { + +kzalloc() returns a ZERO_SIZE_PTR (0x16). + + 4476 rc = -ENOMEM; + 4477 goto out_free; + 4478 } + 4479 + 4480 /* get syscall header from user space */ + 4481 rc = -EFAULT; + 4482 if (copy_from_user(psf_data, + 4483 (void __user *)(unsigned long) + usrparm.psf_data, + 4484 usrparm.psf_data_len)) + +That all works great. + + 4485 goto out_free; + 4486 psf0 = psf_data[0]; + 4487 psf1 = psf_data[1]; + +But now we're assuming that "->psf_data_len" was at least 2 bytes. + +Fix this by checking the user specified length psf_data_len. 
+ +Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl") +Reported-by: Dan Carpenter +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index ff1ab6da8cff..4bbcdf991c26 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -3990,6 +3990,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) + usrparm.psf_data &= 0x7fffffffULL; + usrparm.rssd_result &= 0x7fffffffULL; + } ++ /* at least 2 bytes are accessed and should be allocated */ ++ if (usrparm.psf_data_len < 2) { ++ DBF_DEV_EVENT(DBF_WARNING, device, ++ "Symmetrix ioctl invalid data length %d", ++ usrparm.psf_data_len); ++ rc = -EINVAL; ++ goto out; ++ } + /* alloc I/O data area */ + psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA); + rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA); +-- +2.19.1 + diff --git a/queue-3.18/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch b/queue-3.18/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch new file mode 100644 index 00000000000..0b668ea7579 --- /dev/null +++ b/queue-3.18/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch 
@@ -0,0 +1,110 @@ +From fc95563045e57d7b1717d34b38818a38efe7f16e Mon Sep 17 00:00:00 2001 +From: Anoob Soman +Date: Wed, 13 Feb 2019 13:21:39 +0800 +Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and + iscsi_complete_task + +[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ] + +When a target sends Check Condition, whilst initiator is busy xmiting +re-queued data, could lead to race between iscsi_complete_task() and +iscsi_xmit_task() and eventually crashing with the following kernel +backtrace. + +[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 +[3326150.987549] ALERT: IP: [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0 +[3326150.987582] WARN: Oops: 0002 [#1] SMP +[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin +[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1 +[3326150.987774] WARN: Hardware name: Dell Inc. 
PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016 +[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi] +[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000 +[3326150.987810] WARN: RIP: e030:[] [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246 +[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480 +[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20 +[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008 +[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000 +[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08 +[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000 +[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660 +[3326150.987918] WARN: Stack: +[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18 +[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00 +[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400 +[3326150.987964] WARN: Call Trace: +[3326150.987975] WARN: [] iscsi_xmitworker+0x2f0/0x360 [libiscsi] +[3326150.987988] WARN: [] process_one_work+0x1fc/0x3b0 +[3326150.987997] WARN: [] worker_thread+0x2a5/0x470 +[3326150.988006] WARN: [] ? __schedule+0x648/0x870 +[3326150.988015] WARN: [] ? rescuer_thread+0x300/0x300 +[3326150.988023] WARN: [] kthread+0xd5/0xe0 +[3326150.988031] WARN: [] ? kthread_stop+0x110/0x110 +[3326150.988040] WARN: [] ret_from_fork+0x3f/0x70 +[3326150.988048] WARN: [] ? 
kthread_stop+0x110/0x110 +[3326150.988127] ALERT: RIP [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.988138] WARN: RSP +[3326150.988144] WARN: CR2: 0000000000000078 +[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]--- + +Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix +list corruption regression") introduced "taskqueuelock" to fix list +corruption during the race, but this wasn't enough. + +Re-setting of conn->task to NULL, could race with iscsi_xmit_task(). +iscsi_complete_task() +{ + .... + if (conn->task == task) + conn->task = NULL; +} + +conn->task in iscsi_xmit_task() could be NULL and so will be task. +__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access +refcount. + +iscsi_xmit_task() +{ + struct iscsi_task *task = conn->task; + + __iscsi_get_task(task); +} + +This commit will take extra conn->session->back_lock in iscsi_xmit_task() +to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if +iscsi_complete_task() wins the race. If iscsi_xmit_task() wins the race, +iscsi_xmit_task() increments task->refcount +(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task(). + +Signed-off-by: Anoob Soman +Signed-off-by: Bob Liu +Acked-by: Lee Duncan +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 56441a5ec3d7..d9a061ac8e7f 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1448,7 +1448,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn) + if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) + return -ENODATA; + ++ spin_lock_bh(&conn->session->back_lock); ++ if (conn->task == NULL) { ++ spin_unlock_bh(&conn->session->back_lock); ++ return -ENODATA; ++ } + __iscsi_get_task(task); ++ spin_unlock_bh(&conn->session->back_lock); + spin_unlock_bh(&conn->session->frwd_lock); + rc = conn->session->tt->xmit_task(task); + spin_lock_bh(&conn->session->frwd_lock); +-- +2.19.1 + diff --git a/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch b/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch new file mode 100644 index 00000000000..1661865c92b --- /dev/null +++ b/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch 
@@ -0,0 +1,88 @@ +From 28fce9c67b5f32cd28e88d55a3c78bc02688cf00 Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Fri, 15 Feb 2019 00:37:57 +0800 +Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices + attached + +[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ] + +The sysfs phy_identifier attribute for a sas_end_device comes from the rphy +phy_identifier value. + +Currently this is not being set for rphys with an end device attached, so +we see incorrect symlinks from systemd disk/by-path: + +root@localhost:~# ls -l /dev/disk/by-path/ +total 0 +lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb +lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1 +lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2 +lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3 + +Indeed, each sas_end_device phy_identifier value is 0: + +root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier +0 +root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier +0 + +This patch fixes the discovery code to set the phy_identifier. 
With this, +we now get proper symlinks: + +root@localhost:~# ls -l /dev/disk/by-path/ +total 0 +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1 +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2 +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3 +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd +lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3 +lrwxrwxrwx 1 root root 9 Feb 13 11:53 
platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2 +lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3 + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Reported-by: dann frazier +Signed-off-by: John Garry +Reviewed-by: Jason Yan +Tested-by: dann frazier +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index e2630aea4e9f..22450abf0a03 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev( + rphy = sas_end_device_alloc(phy->port); + if (!rphy) + goto out_free; ++ rphy->identify.phy_identifier = phy_id; + + child->rphy = rphy; + get_device(&rphy->dev); +@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev( + + child->rphy = rphy; + get_device(&rphy->dev); ++ rphy->identify.phy_identifier = phy_id; + sas_fill_in_rphy(child, rphy); + + list_add_tail(&child->disco_list_node, &parent->port->disco_list); +-- +2.19.1 + diff --git a/queue-3.18/series b/queue-3.18/series index 0ad69124522..a946fe38512 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
@@ -95,3 +95,19 @@ it-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape-twice.patch 9p-net-fix-memory-leak-in-p9_client_create.patch asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch crypto-ahash-fix-another-early-termination-in-hash-walk.patch +s390-dasd-fix-using-offset-into-zero-size-array-erro.patch +input-matrix_keypad-use-flush_delayed_work.patch +team-avoid-complex-list-operations-in-team_nl_cmd_op.patch +mm-gup-fix-gup_pmd_range-for-dax.patch +i2c-cadence-fix-the-hold-bit-setting.patch +input-st-keyscan-fix-potential-zalloc-null-dereferen.patch +assoc_array-fix-shortcut-creation.patch +scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch +scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch +net-systemport-fix-reception-of-bpdus.patch +net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch +arm64-relax-gic-version-check-during-early-boot.patch +net-marvell-mvneta-fix-dma-debug-warning.patch +tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch +mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 +net-set-static-variable-an-initial-value-in-atl2_pro.patch diff --git a/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch b/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch new file mode 100644 index 00000000000..8128e23a8cf --- /dev/null +++ b/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch 
@@ -0,0 +1,116 @@ +From c677ba18b2cc94ea2e13bf60709085582121d36c Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Mon, 11 Feb 2019 21:59:51 -0800 +Subject: team: avoid complex list operations in team_nl_cmd_options_set() + +[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ] + +The current opt_inst_list operations inside team_nl_cmd_options_set() +is too complex to track: + + LIST_HEAD(opt_inst_list); + nla_for_each_nested(...) { + list_for_each_entry(opt_inst, &team->option_inst_list, list) { + if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) + continue; + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + } + team_nl_send_event_options_get(team, &opt_inst_list); + +as while we retrieve 'opt_inst' from team->option_inst_list, it could +be added to the local 'opt_inst_list' for multiple times. The +__team_option_inst_tmp_find() doesn't work, as the setter +team_mode_option_set() still calls team->ops.exit() which uses +->tmp_list too in __team_options_change_check(). + +Simplify the list operations by moving the 'opt_inst_list' and +team_nl_send_event_options_get() into the nla_for_each_nested() loop so +that it can be guranteed that we won't insert a same list entry for +multiple times. Therefore, __team_option_inst_tmp_find() can be removed +too. + +Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") +Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") +Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com +Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com +Cc: Jiri Pirko +Cc: Paolo Abeni +Signed-off-by: Cong Wang +Acked-by: Jiri Pirko +Reviewed-by: Paolo Abeni +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 27 +++++---------------------- + 1 file changed, 5 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 3e0f7116380d..eb04b348edf3 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -253,17 +253,6 @@ static void __team_option_inst_mark_removed_port(struct team *team, + } + } + +-static bool __team_option_inst_tmp_find(const struct list_head *opts, +- const struct team_option_inst *needle) +-{ +- struct team_option_inst *opt_inst; +- +- list_for_each_entry(opt_inst, opts, tmp_list) +- if (opt_inst == needle) +- return true; +- return false; +-} +- + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -2435,7 +2424,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + int err = 0; + int i; + struct nlattr *nl_option; +- LIST_HEAD(opt_inst_list); + + team = team_nl_team_get(info); + if (!team) +@@ -2451,6 +2439,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; + struct nlattr *attr; + struct nlattr *attr_data; ++ LIST_HEAD(opt_inst_list); + enum team_option_type opt_type; + int opt_port_ifindex = 0; /* != 0 for per-port options */ + u32 opt_array_index = 0; +@@ -2554,23 +2543,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + if (err) + goto team_put; + opt_inst->changed = true; +- +- /* dumb/evil user-space can send us duplicate opt, +- * keep only the last one +- */ +- if (__team_option_inst_tmp_find(&opt_inst_list, +- opt_inst)) +- continue; +- + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { + err = -ENOENT; + goto team_put; + } +- } + +- err = team_nl_send_event_options_get(team, &opt_inst_list); ++ err = team_nl_send_event_options_get(team, &opt_inst_list); ++ if (err) ++ break; 
++ } + + team_put: + team_nl_team_put(team); +-- +2.19.1 + diff --git a/queue-3.18/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch b/queue-3.18/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch new file mode 100644 index 00000000000..f39713e346d --- /dev/null +++ b/queue-3.18/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch 
@@ -0,0 +1,62 @@ +From dff76959d55c9506ec3af81719f497b104098c63 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Thu, 21 Feb 2019 08:48:09 -0800 +Subject: tmpfs: fix link accounting when a tmpfile is linked in + +[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ] + +tmpfs has a peculiarity of accounting hard links as if they were +separate inodes: so that when the number of inodes is limited, as it is +by default, a user cannot soak up an unlimited amount of unreclaimable +dcache memory just by repeatedly linking a file. + +But when v3.11 added O_TMPFILE, and the ability to use linkat() on the +fd, we missed accommodating this new case in tmpfs: "df -i" shows that +an extra "inode" remains accounted after the file is unlinked and the fd +closed and the actual inode evicted. If a user repeatedly links +tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they +are deleted. + +Just skip the extra reservation from shmem_link() in this case: there's +a sense in which this first link of a tmpfile is then cheaper than a +hard link of another file, but the accounting works out, and there's +still good limiting, so no need to do anything more complicated. + +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils +Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to") +Signed-off-by: Darrick J. 
Wong +Signed-off-by: Hugh Dickins +Reported-by: Matej Kupljen +Acked-by: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/shmem.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/mm/shmem.c b/mm/shmem.c +index 64c33e3dbe69..b40b13c94e03 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2286,10 +2286,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr + * No ordinary (disk based) filesystem counts links as inodes; + * but each new link needs a new dentry, pinning lowmem, and + * tmpfs dentries cannot be pruned until they are unlinked. ++ * But if an O_TMPFILE file is linked into the tmpfs, the ++ * first link must skip that, to get the accounting right. + */ +- ret = shmem_reserve_inode(inode->i_sb); +- if (ret) +- goto out; ++ if (inode->i_nlink) { ++ ret = shmem_reserve_inode(inode->i_sb); ++ if (ret) ++ goto out; ++ } + + dir->i_size += BOGO_DIRENT_SIZE; + inode->i_ctime = dir->i_ctime = dir->i_mtime = CURRENT_TIME; +-- +2.19.1 +
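Review bot: in the drivers/scsi/libiscsi.c hunk for iscsi_xmit_task(), the NULL check under back_lock tests `conn->task`, but `__iscsi_get_task(task)` still uses the local `task`, which the commit message shows being loaded from `conn->task` at function entry, before the lock is taken. Check the pointer that is actually dereferenced: re-read `task = conn->task` after `spin_lock_bh(&conn->session->back_lock)` and test `task`, so the reference is taken on the value validated under the lock. The new early return leaves frwd_lock held, which matches the ISCSI_SUSPEND_BIT return just above it; a one-line comment that back_lock nests inside frwd_lock here would document the lock order.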
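Review bot: in drivers/scsi/libsas/sas_expander.c, the two hunks in sas_ex_discover_end_dev() place the same assignment at different points. The first sets `rphy->identify.phy_identifier = phy_id` directly after the `if (!rphy) goto out_free;` check, while the second sets it only after `child->rphy = rphy` and `get_device(&rphy->dev)`. Move the second assignment to the same position as the first, so that both branches initialise the identifier before the rphy is attached to the child and the two paths are easy to compare.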
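Review bot: in the queue-3.18/series hunk, the added entry `mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169` ends in `-13169`, where every other added entry ends in `.patch`. Confirm that a file with exactly that name exists in queue-3.18/, or rename the file and the entry to drop the suffix. If the suffix is there to avoid a clash with another file of the same name, say so in the commit message.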
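Review bot: in the last drivers/net/team/team.c hunk, the new error path after `team_nl_send_event_options_get()` uses `break`, while the other error paths visible in the same loop use `goto team_put`; use `goto team_put` here as well so that all exits from the loop read the same way. Because the event is now sent once per nested attribute, a failure partway through leaves the options from earlier attributes already set and reported. The removed comment about duplicate options has no replacement, so add a short comment on the per-attribute send and on why the same entry can no longer be added to `opt_inst_list` twice.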
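Review bot: in the mm/shmem.c hunk for shmem_link(), `ret` is now assigned only inside `if (inode->i_nlink)`, and the hunk does not show it being initialised. If the function returns `ret` on the success path, the O_TMPFILE case (i_nlink == 0) returns an uninitialised value; declare it as `int ret = 0;` or confirm it is set elsewhere before the return. The added comment would also be clearer if it stated that `i_nlink == 0` is what identifies the not-yet-linked O_TMPFILE inode.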