From: Sasha Levin (Microsoft) Date: Wed, 17 Apr 2019 14:52:41 +0000 (-0400) Subject: autosel patches for 4.4 X-Git-Tag: v4.9.170~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38edc49d92f1cecc3da2a92d8a5d9a0c7b476335;p=thirdparty%2Fkernel%2Fstable-queue.git autosel patches for 4.4 Signed-off-by: Sasha Levin (Microsoft) --- diff --git a/queue-4.4/9p-do-not-trust-pdu-content-for-stat-item-size.patch b/queue-4.4/9p-do-not-trust-pdu-content-for-stat-item-size.patch new file mode 100644 index 00000000000..bc6f06ec884 --- /dev/null +++ b/queue-4.4/9p-do-not-trust-pdu-content-for-stat-item-size.patch @@ -0,0 +1,75 @@ +From 65cf0a2cdab9854cc1b3909569154ea8fa0b1819 Mon Sep 17 00:00:00 2001 +From: Gertjan Halkes +Date: Wed, 5 Sep 2018 15:41:29 +0900 +Subject: 9p: do not trust pdu content for stat item size + +[ Upstream commit 2803cf4379ed252894f046cb8812a48db35294e3 ] + +v9fs_dir_readdir() could deadloop if a struct was sent with a size set +to -2 + +Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021 +Signed-off-by: Gertjan Halkes +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_dir.c | 8 +++----- + net/9p/protocol.c | 3 ++- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c +index 7d889f56b8e7..05769219d2c2 100644 +--- a/fs/9p/vfs_dir.c ++++ b/fs/9p/vfs_dir.c +@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + int err = 0; + struct p9_fid *fid; + int buflen; +- int reclen = 0; + struct p9_rdir *rdir; + struct kvec kvec; + +@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + while (rdir->head < rdir->tail) { + err = p9stat_read(fid->clnt, rdir->buf + rdir->head, + rdir->tail - rdir->head, &st); +- if (err) { ++ if (err <= 0) { + p9_debug(P9_DEBUG_VFS, "returned %d\n", err); + return -EIO; + } +- reclen = st.size+2; + + over = !dir_emit(ctx, st.name, strlen(st.name), + v9fs_qid2ino(&st.qid), dt_type(&st)); +@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + if (over) + return 0; + +- rdir->head += reclen; +- ctx->pos += reclen; ++ rdir->head += err; ++ ctx->pos += err; + } + } + } +diff --git a/net/9p/protocol.c b/net/9p/protocol.c +index 145f80518064..7f1b45c082c9 100644 +--- a/net/9p/protocol.c ++++ b/net/9p/protocol.c +@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st) + if (ret) { + p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret); + trace_9p_protocol_dump(clnt, &fake_pdu); ++ return ret; + } + +- return ret; ++ return fake_pdu.offset; + } + EXPORT_SYMBOL(p9stat_read); + +-- +2.19.1 + diff --git a/queue-4.4/9p-locks-add-mount-option-for-lock-retry-interval.patch b/queue-4.4/9p-locks-add-mount-option-for-lock-retry-interval.patch new file mode 100644 index 00000000000..90d1fc12128 --- /dev/null +++ b/queue-4.4/9p-locks-add-mount-option-for-lock-retry-interval.patch @@ -0,0 +1,121 @@ +From 435aae1f9f5fe75a27984881bc74b140f09b642a Mon Sep 17 00:00:00 2001 +From: Dinu-Razvan Chis-Serban +Date: Wed, 5 Sep 2018 16:44:12 +0900 +Subject: 9p locks: add mount option for lock retry interval + +[ Upstream commit 5e172f75e51e3de1b4274146d9b990f803cb5c2a ] + +The default P9_LOCK_TIMEOUT can be too long for some users exporting +a local file system to a guest VM (30s), make this configurable at +mount time. + +Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727 +Signed-off-by: Dinu-Razvan Chis-Serban +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + fs/9p/v9fs.c | 21 +++++++++++++++++++++ + fs/9p/v9fs.h | 1 + + fs/9p/vfs_file.c | 6 +++++- + 3 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c +index 6caca025019d..1e9bb8db7b48 100644 +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -59,6 +59,8 @@ enum { + Opt_cache_loose, Opt_fscache, Opt_mmap, + /* Access options */ + Opt_access, Opt_posixacl, ++ /* Lock timeout option */ ++ Opt_locktimeout, + /* Error token */ + Opt_err + }; +@@ -78,6 +80,7 @@ static const match_table_t tokens = { + {Opt_cachetag, "cachetag=%s"}, + {Opt_access, "access=%s"}, + {Opt_posixacl, "posixacl"}, ++ {Opt_locktimeout, "locktimeout=%u"}, + {Opt_err, NULL} + }; + +@@ -126,6 +129,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts) + #ifdef CONFIG_9P_FSCACHE + v9ses->cachetag = NULL; + #endif ++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT; + + if (!opts) + return 0; +@@ -298,6 +302,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts) + #endif + break; + ++ case Opt_locktimeout: ++ r = match_int(&args[0], &option); ++ if (r < 0) { ++ p9_debug(P9_DEBUG_ERROR, ++ "integer field, but no integer?\n"); ++ ret = r; ++ continue; ++ } ++ if (option < 1) { ++ p9_debug(P9_DEBUG_ERROR, ++ "locktimeout must be a greater than zero integer.\n"); ++ ret = -EINVAL; ++ continue; ++ } ++ v9ses->session_lock_timeout = (long)option * HZ; ++ break; ++ + default: + continue; + } +diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h +index 6877050384a1..3775f275ede3 100644 +--- a/fs/9p/v9fs.h ++++ b/fs/9p/v9fs.h +@@ -116,6 +116,7 @@ struct v9fs_session_info { + struct list_head slist; /* list of sessions registered with v9fs */ + struct backing_dev_info bdi; + struct rw_semaphore rename_sem; ++ long session_lock_timeout; /* retry interval for blocking locks */ + }; + + /* cache_validity flags */ +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c +index 62ce8b4a7e5f..373cc50544e9 100644 +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + uint8_t status = P9_LOCK_ERROR; + int res = 0; + unsigned char fl_type; ++ struct v9fs_session_info *v9ses; + + fid = filp->private_data; + BUG_ON(fid == NULL); +@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + if (IS_SETLKW(cmd)) + flock.flags = P9_LOCK_FLAGS_BLOCK; + ++ v9ses = v9fs_inode2v9ses(file_inode(filp)); ++ + /* + * if its a blocked request and we get P9_LOCK_BLOCKED as the status + * for lock request, keep on trying +@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + break; + if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd)) + break; +- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0) ++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout) ++ != 0) + break; + /* + * p9_client_lock_dotl overwrites flock.client_id with the +-- +2.19.1 + diff --git a/queue-4.4/acpi-sbs-fix-gpe-storm-on-recent-macbookpro-s.patch b/queue-4.4/acpi-sbs-fix-gpe-storm-on-recent-macbookpro-s.patch new file mode 100644 index 00000000000..d3f26c6b23f --- /dev/null +++ b/queue-4.4/acpi-sbs-fix-gpe-storm-on-recent-macbookpro-s.patch @@ -0,0 +1,54 @@ +From 132cfeb761c335289b3425b4a6195fcb2e5eacca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ronald=20Tschal=C3=A4r?= +Date: Sun, 30 Sep 2018 19:52:51 -0700 +Subject: ACPI / SBS: Fix GPE storm on recent MacBookPro's +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ca1721c5bee77105829cbd7baab8ee0eab85b06d ] + +On Apple machines, plugging-in or unplugging the power triggers a GPE +for the EC. Since these machines expose an SBS device, this GPE ends +up triggering the acpi_sbs_callback(). This in turn tries to get the +status of the SBS charger. However, on MBP13,* and MBP14,* machines, +performing the smbus-read operation to get the charger's status triggers +the EC's GPE again. The result is an endless re-triggering and handling +of that GPE, consuming significant CPU resources (> 50% in irq). + +In the end this is quite similar to commit 3031cddea633 (ACPI / SBS: +Don't assume the existence of an SBS charger), except that on the above +machines a status of all 1's is returned. And like there, we just want +ignore the charger here. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169 +Signed-off-by: Ronald Tschalär +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/sbs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c +index cb3dedb1beae..b133dac8a7f2 100644 +--- a/drivers/acpi/sbs.c ++++ b/drivers/acpi/sbs.c +@@ -443,9 +443,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs) + + /* + * The spec requires that bit 4 always be 1. If it's not set, assume +- * that the implementation doesn't support an SBS charger ++ * that the implementation doesn't support an SBS charger. ++ * ++ * And on some MacBooks a status of 0xffff is always returned, no ++ * matter whether the charger is plugged in or not, which is also ++ * wrong, so ignore the SBS charger for those too. + */ +- if (!((status >> 4) & 0x1)) ++ if (!((status >> 4) & 0x1) || status == 0xffff) + return -ENODEV; + + sbs->charger_present = (status >> 15) & 0x1; +-- +2.19.1 + diff --git a/queue-4.4/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch b/queue-4.4/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch new file mode 100644 index 00000000000..6d1228bf114 --- /dev/null +++ b/queue-4.4/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch @@ -0,0 +1,36 @@ +From a521777ad87e76da1fc4d52944607919f0998859 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 22:58:29 -0500 +Subject: ALSA: echoaudio: add a check for ioremap_nocache + +[ Upstream commit 6ade657d6125ec3ec07f95fa51e28138aef6208f ] + +In case ioremap_nocache fails, the fix releases chip and returns +an error code upstream to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/echoaudio/echoaudio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c +index 286f5e3686a3..d73ee11a32bd 100644 +--- a/sound/pci/echoaudio/echoaudio.c ++++ b/sound/pci/echoaudio/echoaudio.c +@@ -1953,6 +1953,11 @@ static int snd_echo_create(struct snd_card *card, + } + chip->dsp_registers = (volatile u32 __iomem *) + ioremap_nocache(chip->dsp_registers_phys, sz); ++ if (!chip->dsp_registers) { ++ dev_err(chip->card->dev, "ioremap failed\n"); ++ snd_echo_free(chip); ++ return -ENOMEM; ++ } + + if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED, + KBUILD_MODNAME, chip)) { +-- +2.19.1 + diff --git a/queue-4.4/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch b/queue-4.4/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch new file mode 100644 index 00000000000..b6cf646a77a --- /dev/null +++ b/queue-4.4/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch @@ -0,0 +1,39 @@ +From fc186a5f7b4b71e7ad51664098bd39ef20f8db06 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sun, 17 Mar 2019 23:21:24 +0000 +Subject: ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and + declaration + +[ Upstream commit b4748e7ab731e436cf5db4786358ada5dd2db6dd ] + +The function snd_opl3_drum_switch declaration in the header file +has the order of the two arguments on_off and vel swapped when +compared to the definition arguments of vel and on_off. Fix this +by swapping them around to match the definition. + +This error predates the git history, so no idea when this error +was introduced. + +Signed-off-by: Colin Ian King +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/drivers/opl3/opl3_voice.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/drivers/opl3/opl3_voice.h b/sound/drivers/opl3/opl3_voice.h +index a371c075ac87..e26702559f61 100644 +--- a/sound/drivers/opl3/opl3_voice.h ++++ b/sound/drivers/opl3/opl3_voice.h +@@ -41,7 +41,7 @@ void snd_opl3_timer_func(unsigned long data); + + /* Prototypes for opl3_drums.c */ + void snd_opl3_load_drums(struct snd_opl3 *opl3); +-void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int on_off, int vel, struct snd_midi_channel *chan); ++void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int vel, int on_off, struct snd_midi_channel *chan); + + /* Prototypes for opl3_oss.c */ + #ifdef CONFIG_SND_SEQUENCER_OSS +-- +2.19.1 + diff --git a/queue-4.4/alsa-sb8-add-a-check-for-request_region.patch b/queue-4.4/alsa-sb8-add-a-check-for-request_region.patch new file mode 100644 index 00000000000..e6041ab32a8 --- /dev/null +++ b/queue-4.4/alsa-sb8-add-a-check-for-request_region.patch @@ -0,0 +1,35 @@ +From bf834d817f9bbfad39e93e041da0bbfb7fbdfce4 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 23:04:14 -0500 +Subject: ALSA: sb8: add a check for request_region + +[ Upstream commit dcd0feac9bab901d5739de51b3f69840851f8919 ] + +In case request_region fails, the fix returns an error code to +avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/sb/sb8.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c +index b8e2391c33ff..0c7fe1418447 100644 +--- a/sound/isa/sb/sb8.c ++++ b/sound/isa/sb/sb8.c +@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int dev) + + /* block the 0x388 port to avoid PnP conflicts */ + acard->fm_res = request_region(0x388, 4, "SoundBlaster FM"); ++ if (!acard->fm_res) { ++ err = -EBUSY; ++ goto _err; ++ } + + if (port[dev] != SNDRV_AUTO_PORT) { + if ((err = snd_sbdsp_create(card, port[dev], irq[dev], +-- +2.19.1 + diff --git a/queue-4.4/appletalk-fix-use-after-free-in-atalk_proc_exit.patch b/queue-4.4/appletalk-fix-use-after-free-in-atalk_proc_exit.patch new file mode 100644 index 00000000000..2b63488f930 --- /dev/null +++ b/queue-4.4/appletalk-fix-use-after-free-in-atalk_proc_exit.patch @@ -0,0 +1,216 @@ +From 211c7f70f98737e254ad851d82dcce369c77881d Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 1 Mar 2019 10:57:57 +0800 +Subject: appletalk: Fix use-after-free in atalk_proc_exit + +[ Upstream commit 6377f787aeb945cae7abbb6474798de129e1f3ac ] + +KASAN report this: + +BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 +Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806 + +CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + print_address_description+0x65/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 + remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667 + atalk_proc_exit+0x18/0x820 [appletalk] + atalk_exit+0xf/0x5a [appletalk] + __do_sys_delete_module kernel/module.c:1018 [inline] + __se_sys_delete_module kernel/module.c:961 [inline] + __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0 +RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc +R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff + +Allocated by task 2806: + set_track mm/kasan/common.c:85 [inline] + __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496 + slab_post_alloc_hook mm/slab.h:444 [inline] + slab_alloc_node mm/slub.c:2739 [inline] + slab_alloc mm/slub.c:2747 [inline] + kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752 + kmem_cache_zalloc include/linux/slab.h:730 [inline] + __proc_create+0x30f/0xa20 fs/proc/generic.c:408 + proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469 + 0xffffffffc10c01bb + 0xffffffffc10c0166 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 2806: + set_track mm/kasan/common.c:85 [inline] + __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458 + slab_free_hook mm/slub.c:1409 [inline] + slab_free_freelist_hook mm/slub.c:1436 [inline] + slab_free mm/slub.c:2986 [inline] + kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002 + pde_put+0x6e/0x80 fs/proc/generic.c:647 + remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684 + 0xffffffffc10c031c + 0xffffffffc10c0166 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8881f41fe500 + which belongs to the cache proc_dir_entry of size 256 +The buggy address is located 176 bytes inside of + 256-byte region [ffff8881f41fe500, ffff8881f41fe600) +The buggy address belongs to the page: +page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0 +flags: 0x2fffc0000000200(slab) +raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00 +raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +It should check the return value of atalk_proc_init fails, +otherwise atalk_exit will trgger use-after-free in pde_subdir_find +while unload the module.This patch fix error cleanup path of atalk_init + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/atalk.h | 2 +- + net/appletalk/atalk_proc.c | 2 +- + net/appletalk/ddp.c | 37 ++++++++++++++++++++++++++------ + net/appletalk/sysctl_net_atalk.c | 5 ++++- + 4 files changed, 37 insertions(+), 9 deletions(-) + +diff --git a/include/linux/atalk.h b/include/linux/atalk.h +index 73fd8b7e9534..716d53799d1f 100644 +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -150,7 +150,7 @@ extern int sysctl_aarp_retransmit_limit; + extern int sysctl_aarp_resolve_time; + + #ifdef CONFIG_SYSCTL +-extern void atalk_register_sysctl(void); ++extern int atalk_register_sysctl(void); + extern void atalk_unregister_sysctl(void); + #else + #define atalk_register_sysctl() do { } while(0) +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index af46bc49e1e9..b5f84f428aa6 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -293,7 +293,7 @@ int __init atalk_proc_init(void) + goto out; + } + +-void __exit atalk_proc_exit(void) ++void atalk_proc_exit(void) + { + remove_proc_entry("interface", atalk_proc_dir); + remove_proc_entry("route", atalk_proc_dir); +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index d5871ac493eb..4246df3b7ae8 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __initconst = + /* Called by proto.c on kernel start up */ + static int __init atalk_init(void) + { +- int rc = proto_register(&ddp_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&ddp_proto, 0); ++ if (rc) + goto out; + +- (void)sock_register(&atalk_family_ops); ++ rc = sock_register(&atalk_family_ops); ++ if (rc) ++ goto out_proto; ++ + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); + if (!ddp_dl) + printk(atalk_err_snap); +@@ -1925,12 +1929,33 @@ static int __init atalk_init(void) + dev_add_pack(<alk_packet_type); + dev_add_pack(&ppptalk_packet_type); + +- register_netdevice_notifier(&ddp_notifier); ++ rc = register_netdevice_notifier(&ddp_notifier); ++ if (rc) ++ goto out_sock; ++ + aarp_proto_init(); +- atalk_proc_init(); +- atalk_register_sysctl(); ++ rc = atalk_proc_init(); ++ if (rc) ++ goto out_aarp; ++ ++ rc = atalk_register_sysctl(); ++ if (rc) ++ goto out_proc; + out: + return rc; ++out_proc: ++ atalk_proc_exit(); ++out_aarp: ++ aarp_cleanup_module(); ++ unregister_netdevice_notifier(&ddp_notifier); ++out_sock: ++ dev_remove_pack(&ppptalk_packet_type); ++ dev_remove_pack(<alk_packet_type); ++ unregister_snap_client(ddp_dl); ++ sock_unregister(PF_APPLETALK); ++out_proto: ++ proto_unregister(&ddp_proto); ++ goto out; + } + module_init(atalk_init); + +diff --git a/net/appletalk/sysctl_net_atalk.c b/net/appletalk/sysctl_net_atalk.c +index ebb864361f7a..4e6042e0fcac 100644 +--- a/net/appletalk/sysctl_net_atalk.c ++++ b/net/appletalk/sysctl_net_atalk.c +@@ -44,9 +44,12 @@ static struct ctl_table atalk_table[] = { + + static struct ctl_table_header *atalk_table_header; + +-void atalk_register_sysctl(void) ++int __init atalk_register_sysctl(void) + { + atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table); ++ if (!atalk_table_header) ++ return -ENOMEM; ++ return 0; + } + + void atalk_unregister_sysctl(void) +-- +2.19.1 + diff --git a/queue-4.4/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch b/queue-4.4/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch new file mode 100644 index 00000000000..00c273f27fc --- /dev/null +++ b/queue-4.4/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch @@ -0,0 +1,67 @@ +From 7aea42a7935dd29e1fc538a36104c6247472cd6a Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Wed, 13 Feb 2019 17:14:23 +0100 +Subject: ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t + +[ Upstream commit 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 ] + +When running kprobe on -rt kernel, the below bug is caught: + +|BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:931 +|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0 +|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140 +|CPU: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1 +|Hardware name: Freescale LS1021A +|[<8025a43c>] (___might_sleep) +|[<80b5b324>] (rt_spin_lock) +|[<80b5c31c>] (__patch_text_real) +|[<80b5c3ac>] (patch_text_stop_machine) +|[<802f2920>] (multi_cpu_stop) + +Since patch_text_stop_machine() is called in stop_machine() which +disables IRQ, sleepable lock should be not used in this atomic context, + so replace patch_lock to raw lock. + +Signed-off-by: Yang Shi +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Arnd Bergmann +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/patch.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c +index 69bda1a5707e..1f665acaa6a9 100644 +--- a/arch/arm/kernel/patch.c ++++ b/arch/arm/kernel/patch.c +@@ -15,7 +15,7 @@ struct patch { + unsigned int insn; + }; + +-static DEFINE_SPINLOCK(patch_lock); ++static DEFINE_RAW_SPINLOCK(patch_lock); + + static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) + __acquires(&patch_lock) +@@ -32,7 +32,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) + return addr; + + if (flags) +- spin_lock_irqsave(&patch_lock, *flags); ++ raw_spin_lock_irqsave(&patch_lock, *flags); + else + __acquire(&patch_lock); + +@@ -47,7 +47,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags) + clear_fixmap(fixmap); + + if (flags) +- spin_unlock_irqrestore(&patch_lock, *flags); ++ raw_spin_unlock_irqrestore(&patch_lock, *flags); + else + __release(&patch_lock); + } +-- +2.19.1 + diff --git a/queue-4.4/arm-samsung-limit-samsung_pm_check-config-option-to-.patch b/queue-4.4/arm-samsung-limit-samsung_pm_check-config-option-to-.patch new file mode 100644 index 00000000000..d32046b40df --- /dev/null +++ b/queue-4.4/arm-samsung-limit-samsung_pm_check-config-option-to-.patch @@ -0,0 +1,59 @@ +From 484f3a561cb4a54ff5f798de651e2c3a9023e18e Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz +Date: Fri, 28 Sep 2018 15:32:46 +0200 +Subject: ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos + platforms + +[ Upstream commit 6862fdf2201ab67cd962dbf0643d37db909f4860 ] + +"S3C2410 PM Suspend Memory CRC" feature (controlled by +SAMSUNG_PM_CHECK config option) is incompatible with highmem +(uses phys_to_virt() instead of proper mapping) which is used by +the majority of Exynos boards. The issue manifests itself in OOPS +on affected boards, i.e. on Odroid-U3 I got the following one: + +Unable to handle kernel paging request at virtual address f0000000 +pgd = 1c0f9bb4 +[f0000000] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT SMP ARM +[] (crc32_le) from [] (s3c_pm_makecheck+0x34/0x54) +[] (s3c_pm_makecheck) from [] (s3c_pm_run_res+0x74/0x8c) +[] (s3c_pm_run_res) from [] (s3c_pm_run_res+0x44/0x8c) +[] (s3c_pm_run_res) from [] (exynos_suspend_enter+0x64/0x148) +[] (exynos_suspend_enter) from [] (suspend_devices_and_enter+0x9ec/0xe74) +[] (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04) +[] (pm_suspend) from [] (state_store+0x6c/0xcc) +[] (state_store) from [] (kobj_attr_store+0x14/0x20) +[] (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50) +[] (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e4) +[] (kernfs_fop_write) from [] (__vfs_write+0x2c/0x140) +[] (__vfs_write) from [] (vfs_write+0xa4/0x160) +[] (vfs_write) from [] (ksys_write+0x40/0x8c) +[] (ksys_write) from [] (ret_fast_syscall+0x0/0x28) + +Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to +SAMSUNG_PM_CHECK config option to hide it on Exynos platforms. + +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/plat-samsung/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig +index 57729b915003..b9396dcf836d 100644 +--- a/arch/arm/plat-samsung/Kconfig ++++ b/arch/arm/plat-samsung/Kconfig +@@ -255,7 +255,7 @@ config S3C_PM_DEBUG_LED_SMDK + + config SAMSUNG_PM_CHECK + bool "S3C2410 PM Suspend Memory CRC" +- depends on PM ++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210) + select CRC32 + help + Enable the PM code's memory area checksum over sleep. This option +-- +2.19.1 + diff --git a/queue-4.4/cifs-fallback-to-older-infolevels-on-findfirst-query.patch b/queue-4.4/cifs-fallback-to-older-infolevels-on-findfirst-query.patch new file mode 100644 index 00000000000..073a64e24eb --- /dev/null +++ b/queue-4.4/cifs-fallback-to-older-infolevels-on-findfirst-query.patch @@ -0,0 +1,113 @@ +From d97c3df84f07140b3bad9271263ce76c76226b7b Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 19 Oct 2018 01:58:22 -0500 +Subject: cifs: fallback to older infolevels on findfirst queryinfo retry + +[ Upstream commit 3b7960caceafdfc2cdfe2850487f8d091eb41144 ] + +In cases where queryinfo fails, we have cases in cifs (vers=1.0) +where with backupuid mounts we retry the query info with findfirst. +This doesn't work to some NetApp servers which don't support +WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO) +so in this case use other info levels (in this case it will usually +be level 257, SMB_FIND_FILE_DIRECTORY_INFO). + +(Also fixes some indentation) + +See kernel bugzilla 201435 + +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/inode.c | 69 +++++++++++++++++++++++++++---------------------- + 1 file changed, 38 insertions(+), 31 deletions(-) + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 5c3187df9ab9..d8bd8dd36211 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -759,43 +759,50 @@ cifs_get_inode_info(struct inode **inode, const char *full_path, + } else if ((rc == -EACCES) && backup_cred(cifs_sb) && + (strcmp(server->vals->version_string, SMB1_VERSION_STRING) + == 0)) { +- /* +- * For SMB2 and later the backup intent flag is already +- * sent if needed on open and there is no path based +- * FindFirst operation to use to retry with +- */ +- +- srchinf = kzalloc(sizeof(struct cifs_search_info), +- GFP_KERNEL); +- if (srchinf == NULL) { +- rc = -ENOMEM; +- goto cgii_exit; +- } ++ /* ++ * For SMB2 and later the backup intent flag is already ++ * sent if needed on open and there is no path based ++ * FindFirst operation to use to retry with ++ */ ++ ++ srchinf = kzalloc(sizeof(struct cifs_search_info), ++ GFP_KERNEL); ++ if (srchinf == NULL) { ++ rc = -ENOMEM; ++ goto cgii_exit; ++ } + +- srchinf->endOfSearch = false; ++ srchinf->endOfSearch = false; ++ if (tcon->unix_ext) ++ srchinf->info_level = SMB_FIND_FILE_UNIX; ++ else if ((tcon->ses->capabilities & ++ tcon->ses->server->vals->cap_nt_find) == 0) ++ srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD; ++ else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM) + srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO; ++ else /* no srvino useful for fallback to some netapp */ ++ srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO; + +- srchflgs = CIFS_SEARCH_CLOSE_ALWAYS | +- CIFS_SEARCH_CLOSE_AT_END | +- CIFS_SEARCH_BACKUP_SEARCH; ++ srchflgs = CIFS_SEARCH_CLOSE_ALWAYS | ++ CIFS_SEARCH_CLOSE_AT_END | ++ CIFS_SEARCH_BACKUP_SEARCH; + +- rc = CIFSFindFirst(xid, tcon, full_path, +- cifs_sb, NULL, srchflgs, srchinf, false); +- if (!rc) { +- data = +- (FILE_ALL_INFO *)srchinf->srch_entries_start; ++ rc = CIFSFindFirst(xid, tcon, full_path, ++ cifs_sb, NULL, srchflgs, srchinf, false); ++ if (!rc) { ++ data = (FILE_ALL_INFO *)srchinf->srch_entries_start; + +- cifs_dir_info_to_fattr(&fattr, +- (FILE_DIRECTORY_INFO *)data, cifs_sb); +- fattr.cf_uniqueid = le64_to_cpu( +- ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId); +- validinum = true; ++ cifs_dir_info_to_fattr(&fattr, ++ (FILE_DIRECTORY_INFO *)data, cifs_sb); ++ fattr.cf_uniqueid = le64_to_cpu( ++ ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId); ++ validinum = true; + +- cifs_buf_release(srchinf->ntwrk_buf_start); +- } +- kfree(srchinf); +- if (rc) +- goto cgii_exit; ++ cifs_buf_release(srchinf->ntwrk_buf_start); ++ } ++ kfree(srchinf); ++ if (rc) ++ goto cgii_exit; + } else + goto cgii_exit; + +-- +2.19.1 + diff --git a/queue-4.4/crypto-sha256-arm-fix-crash-bug-in-thumb2-build.patch b/queue-4.4/crypto-sha256-arm-fix-crash-bug-in-thumb2-build.patch new file mode 100644 index 00000000000..bf296c930e9 --- /dev/null +++ b/queue-4.4/crypto-sha256-arm-fix-crash-bug-in-thumb2-build.patch @@ -0,0 +1,97 @@ +From 0f57c6df006e597d3afef4a7310ee57e30ed8fe7 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 16 Feb 2019 14:51:25 +0100 +Subject: crypto: sha256/arm - fix crash bug in Thumb2 build + +[ Upstream commit 69216a545cf81b2b32d01948f7039315abaf75a0 ] + +The SHA256 code we adopted from the OpenSSL project uses a rather +peculiar way to take the address of the round constant table: it +takes the address of the sha256_block_data_order() routine, and +substracts a constant known quantity to arrive at the base of the +table, which is emitted by the same assembler code right before +the routine's entry point. + +However, recent versions of binutils have helpfully changed the +behavior of references emitted via an ADR instruction when running +in Thumb2 mode: it now takes the Thumb execution mode bit into +account, which is bit 0 af the address. This means the produced +table address also has bit 0 set, and so we end up with an address +value pointing 1 byte past the start of the table, which results +in crashes such as + + Unable to handle kernel paging request at virtual address bf825000 + pgd = 42f44b11 + [bf825000] *pgd=80000040206003, *pmd=5f1bd003, *pte=00000000 + Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2 + Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ... + CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144 + Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 + PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm] + LR is at __this_module+0x17fd/0xffffe800 [sha256_arm] + pc : [] lr : [] psr: 800b0033 + sp : ebc8bbe8 ip : faaabe1c fp : 2fdd3433 + r10: 4c5f1692 r9 : e43037df r8 : b04b0a5a + r7 : c369d722 r6 : 39c3693e r5 : 7a013189 r4 : 1580d26b + r3 : 8762a9b0 r2 : eea9c2cd r1 : 3e9ab536 r0 : 1dea4ae7 + Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user + Control: 70c5383d Table: 6b8467c0 DAC: dbadc0de + Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23) + Stack: (0xebc8bbe8 to 0xebc8c000) + ... + unwind: Unknown symbol address bf820bca + unwind: Index not found bf820bca + Code: 441a ea80 40f9 440a (f85e) 3b04 + ---[ end trace e560cce92700ef8a ]--- + +Given that this affects older kernels as well, in case they are built +with a recent toolchain, apply a minimal backportable fix, which is +to emit another non-code label at the start of the routine, and +reference that instead. (This is similar to the current upstream state +of this file in OpenSSL) + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/arm/crypto/sha256-armv4.pl | 3 ++- + arch/arm/crypto/sha256-core.S_shipped | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/crypto/sha256-armv4.pl b/arch/arm/crypto/sha256-armv4.pl +index fac0533ea633..f64e8413ab9a 100644 +--- a/arch/arm/crypto/sha256-armv4.pl ++++ b/arch/arm/crypto/sha256-armv4.pl +@@ -205,10 +205,11 @@ K256: + .global sha256_block_data_order + .type sha256_block_data_order,%function + sha256_block_data_order: ++.Lsha256_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha256_block_data_order + #else +- adr r3,sha256_block_data_order ++ adr r3,.Lsha256_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha256-core.S_shipped b/arch/arm/crypto/sha256-core.S_shipped +index 555a1a8eec90..72c248081d27 100644 +--- a/arch/arm/crypto/sha256-core.S_shipped ++++ b/arch/arm/crypto/sha256-core.S_shipped +@@ -86,10 +86,11 @@ K256: + .global sha256_block_data_order + .type sha256_block_data_order,%function + sha256_block_data_order: ++.Lsha256_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha256_block_data_order + #else +- adr r3,sha256_block_data_order ++ adr r3,.Lsha256_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +-- +2.19.1 + diff --git a/queue-4.4/crypto-sha512-arm-fix-crash-bug-in-thumb2-build.patch b/queue-4.4/crypto-sha512-arm-fix-crash-bug-in-thumb2-build.patch new file mode 100644 index 00000000000..bc59efde366 --- /dev/null +++ b/queue-4.4/crypto-sha512-arm-fix-crash-bug-in-thumb2-build.patch @@ -0,0 +1,97 @@ +From f594f6e644102a1f27c53907fad7160e7f445c93 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 16 Feb 2019 14:51:26 +0100 +Subject: crypto: sha512/arm - fix crash bug in Thumb2 build + +[ Upstream commit c64316502008064c158fa40cc250665e461b0f2a ] + +The SHA512 code we adopted from the OpenSSL project uses a rather +peculiar way to take the address of the round constant table: it +takes the address of the sha256_block_data_order() routine, and +substracts a constant known quantity to arrive at the base of the +table, which is emitted by the same assembler code right before +the routine's entry point. + +However, recent versions of binutils have helpfully changed the +behavior of references emitted via an ADR instruction when running +in Thumb2 mode: it now takes the Thumb execution mode bit into +account, which is bit 0 af the address. This means the produced +table address also has bit 0 set, and so we end up with an address +value pointing 1 byte past the start of the table, which results +in crashes such as + + Unable to handle kernel paging request at virtual address bf825000 + pgd = 42f44b11 + [bf825000] *pgd=80000040206003, *pmd=5f1bd003, *pte=00000000 + Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2 + Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ... + CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144 + Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 + PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm] + LR is at __this_module+0x17fd/0xffffe800 [sha256_arm] + pc : [] lr : [] psr: 800b0033 + sp : ebc8bbe8 ip : faaabe1c fp : 2fdd3433 + r10: 4c5f1692 r9 : e43037df r8 : b04b0a5a + r7 : c369d722 r6 : 39c3693e r5 : 7a013189 r4 : 1580d26b + r3 : 8762a9b0 r2 : eea9c2cd r1 : 3e9ab536 r0 : 1dea4ae7 + Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user + Control: 70c5383d Table: 6b8467c0 DAC: dbadc0de + Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23) + Stack: (0xebc8bbe8 to 0xebc8c000) + ... + unwind: Unknown symbol address bf820bca + unwind: Index not found bf820bca + Code: 441a ea80 40f9 440a (f85e) 3b04 + ---[ end trace e560cce92700ef8a ]--- + +Given that this affects older kernels as well, in case they are built +with a recent toolchain, apply a minimal backportable fix, which is +to emit another non-code label at the start of the routine, and +reference that instead. (This is similar to the current upstream state +of this file in OpenSSL) + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/arm/crypto/sha512-armv4.pl | 3 ++- + arch/arm/crypto/sha512-core.S_shipped | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl +index a2b11a844357..5fe336420bcf 100644 +--- a/arch/arm/crypto/sha512-armv4.pl ++++ b/arch/arm/crypto/sha512-armv4.pl +@@ -267,10 +267,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) + .global sha512_block_data_order + .type sha512_block_data_order,%function + sha512_block_data_order: ++.Lsha512_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha512_block_data_order + #else +- adr r3,sha512_block_data_order ++ adr r3,.Lsha512_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha512-core.S_shipped b/arch/arm/crypto/sha512-core.S_shipped +index 3694c4d4ca2b..de9bd7f55242 100644 +--- a/arch/arm/crypto/sha512-core.S_shipped ++++ b/arch/arm/crypto/sha512-core.S_shipped +@@ -134,10 +134,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) + .global sha512_block_data_order + .type sha512_block_data_order,%function + sha512_block_data_order: ++.Lsha512_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha512_block_data_order + #else +- adr r3,sha512_block_data_order ++ adr r3,.Lsha512_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +-- +2.19.1 + diff --git a/queue-4.4/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch b/queue-4.4/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch new file mode 100644 index 00000000000..316ddfc2063 --- /dev/null +++ b/queue-4.4/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch @@ -0,0 +1,49 @@ +From 7500897d71d468aea94f945ab783c333dcc36ca7 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 15 Mar 2019 00:15:32 -0400 +Subject: ext4: add missing brelse() in add_new_gdb_meta_bg() + +[ Upstream commit d64264d6218e6892edd832dc3a5a5857c2856c53 ] + +Currently in add_new_gdb_meta_bg() there is a missing brelse of gdb_bh +in case ext4_journal_get_write_access() fails. +Additionally kvfree() is missing in the same error path. Fix it by +moving the ext4_journal_get_write_access() before the ext4 sb update as +Ted suggested and release n_group_desc and gdb_bh in case it fails. + +Fixes: 61a9c11e5e7a ("ext4: add missing brelse() add_new_gdb_meta_bg()'s error path") +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 4bd12247a9be..22c90eb9a4e0 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -907,11 +907,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb, + memcpy(n_group_desc, o_group_desc, + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *)); + n_group_desc[gdb_num] = gdb_bh; ++ ++ BUFFER_TRACE(gdb_bh, "get_write_access"); ++ err = ext4_journal_get_write_access(handle, gdb_bh); ++ if (err) { ++ kvfree(n_group_desc); ++ brelse(gdb_bh); ++ return err; ++ } ++ + EXT4_SB(sb)->s_group_desc = n_group_desc; + EXT4_SB(sb)->s_gdb_count++; + kvfree(o_group_desc); +- BUFFER_TRACE(gdb_bh, "get_write_access"); +- err = ext4_journal_get_write_access(handle, gdb_bh); + return err; + } + +-- +2.19.1 + diff --git a/queue-4.4/ext4-prohibit-fstrim-in-norecovery-mode.patch b/queue-4.4/ext4-prohibit-fstrim-in-norecovery-mode.patch new file mode 100644 index 00000000000..5310b63a055 --- /dev/null +++ b/queue-4.4/ext4-prohibit-fstrim-in-norecovery-mode.patch @@ -0,0 +1,40 @@ +From cef9ffa0c23bd6e3303bcb7ece02be7fbd0c9d59 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Sat, 23 Mar 2019 12:10:29 -0400 +Subject: ext4: prohibit fstrim in norecovery mode + +[ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ] + +The ext4 fstrim implementation uses the block bitmaps to find free space +that can be discarded. If we haven't replayed the journal, the bitmaps +will be stale and we absolutely *cannot* use stale metadata to zap the +underlying storage. + +Signed-off-by: Darrick J. Wong +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ioctl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index bcd7c4788903..e44e3cd738b6 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -599,6 +599,13 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + if (!blk_queue_discard(q)) + return -EOPNOTSUPP; + ++ /* ++ * We haven't replayed the journal, so we cannot use our ++ * block-bitmap-guided storage zapping commands. ++ */ ++ if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb)) ++ return -EROFS; ++ + if (copy_from_user(&range, (struct fstrim_range __user *)arg, + sizeof(range))) + return -EFAULT; +-- +2.19.1 + diff --git a/queue-4.4/ext4-report-real-fs-size-after-failed-resize.patch b/queue-4.4/ext4-report-real-fs-size-after-failed-resize.patch new file mode 100644 index 00000000000..f5eb213c464 --- /dev/null +++ b/queue-4.4/ext4-report-real-fs-size-after-failed-resize.patch @@ -0,0 +1,42 @@ +From 78c4ab58d0babb1f97132fc71fc00e73e367c11f Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 15 Mar 2019 00:22:28 -0400 +Subject: ext4: report real fs size after failed resize + +[ Upstream commit 6c7328400e0488f7d49e19e02290ba343b6811b2 ] + +Currently when the file system resize using ext4_resize_fs() fails it +will report into log that "resized filesystem to ". However this may not be true in the case of failure. Use the +current block count as returned by ext4_blocks_count() to report the +block count. + +Additionally, report a warning that "error occurred during file system +resize" + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 22c90eb9a4e0..5223eb25bf59 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -2047,6 +2047,10 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + free_flex_gd(flex_gd); + if (resize_inode != NULL) + iput(resize_inode); +- ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", n_blocks_count); ++ if (err) ++ ext4_warning(sb, "error (%d) occurred during " ++ "file system resize", err); ++ ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", ++ ext4_blocks_count(es)); + return err; + } +-- +2.19.1 + diff --git a/queue-4.4/f2fs-fix-to-do-sanity-check-with-current-segment-num.patch b/queue-4.4/f2fs-fix-to-do-sanity-check-with-current-segment-num.patch new file mode 100644 index 00000000000..61bf6a9b09c --- /dev/null +++ b/queue-4.4/f2fs-fix-to-do-sanity-check-with-current-segment-num.patch @@ -0,0 +1,139 @@ +From a53f0ad2910b948796a113899b4d2b0afb2933c2 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Thu, 6 Sep 2018 20:34:12 +0800 +Subject: f2fs: fix to do sanity check with current segment number + +[ Upstream commit 042be0f849e5fc24116d0afecfaf926eed5cac63 ] + +https://bugzilla.kernel.org/show_bug.cgi?id=200219 + +Reproduction way: +- mount image +- run poc code +- umount image + +F2FS-fs (loop1): Bitmap was wrongly set, blk:15364 +------------[ cut here ]------------ +kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061! +invalid opcode: 0000 [#1] PREEMPT SMP +CPU: 2 PID: 17686 Comm: umount Tainted: G W O 4.18.0-rc2+ #39 +Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +EIP: update_sit_entry+0x459/0x4e0 [f2fs] +Code: e8 1c b5 fd ff 0f 0b 0f 0b 8b 45 e4 c7 44 24 08 9c 7a 6c f8 c7 44 24 04 bc 4a 6c f8 89 44 24 0c 8b 06 89 04 24 e8 f7 b4 fd ff <0f> 0b 8b 45 e4 0f b6 d2 89 54 24 10 c7 44 24 08 60 7a 6c f8 c7 44 +EAX: 00000032 EBX: 000000f8 ECX: 00000002 EDX: 00000001 +ESI: d7177000 EDI: f520fe68 EBP: d6477c6c ESP: d6477c34 +DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282 +CR0: 80050033 CR2: b7fbe000 CR3: 2a99b3c0 CR4: 000406f0 +Call Trace: + f2fs_allocate_data_block+0x124/0x580 [f2fs] + do_write_page+0x78/0x150 [f2fs] + f2fs_do_write_node_page+0x25/0xa0 [f2fs] + __write_node_page+0x2bf/0x550 [f2fs] + f2fs_sync_node_pages+0x60e/0x6d0 [f2fs] + ? sync_inode_metadata+0x2f/0x40 + ? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs] + ? up_write+0x1e/0x80 + f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs] + ? mark_held_locks+0x5d/0x80 + ? _raw_spin_unlock_irq+0x27/0x50 + kill_f2fs_super+0x68/0x90 [f2fs] + deactivate_locked_super+0x3d/0x70 + deactivate_super+0x40/0x60 + cleanup_mnt+0x39/0x70 + __cleanup_mnt+0x10/0x20 + task_work_run+0x81/0xa0 + exit_to_usermode_loop+0x59/0xa7 + do_fast_syscall_32+0x1f5/0x22c + entry_SYSENTER_32+0x53/0x86 +EIP: 0xb7f95c51 +Code: c1 1e f7 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76 +EAX: 00000000 EBX: 0871ab90 ECX: bfb2cd00 EDX: 00000000 +ESI: 00000000 EDI: 0871ab90 EBP: 0871ab90 ESP: bfb2cd7c +DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246 +Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs] +---[ end trace d423f83982cfcdc5 ]--- + +The reason is, different log headers using the same segment, once +one log's next block address is used by another log, it will cause +panic as above. + +Main area: 24 segs, 24 secs 24 zones + - COLD data: 0, 0, 0 + - WARM data: 1, 1, 1 + - HOT data: 20, 20, 20 + - Dir dnode: 22, 22, 22 + - File dnode: 22, 22, 22 + - Indir nodes: 21, 21, 21 + +So this patch adds sanity check to detect such condition to avoid +this issue. + +Signed-off-by: Chao Yu + +Signed-off-by: Jaegeuk Kim + +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 34 +++++++++++++++++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index dbd7adff8b5a..bd0dfaecfac3 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1143,7 +1143,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + unsigned int segment_count_main; + unsigned int cp_pack_start_sum, cp_payload; + block_t user_block_count; +- int i; ++ int i, j; + + total = le32_to_cpu(raw_super->segment_count); + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); +@@ -1184,11 +1184,43 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg) + return 1; ++ for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) { ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) == ++ le32_to_cpu(ckpt->cur_node_segno[j])) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Node segment (%u, %u) has the same " ++ "segno: %u", i, j, ++ le32_to_cpu(ckpt->cur_node_segno[i])); ++ return 1; ++ } ++ } + } + for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) { + if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs || + le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg) + return 1; ++ for (j = i + 1; j < NR_CURSEG_DATA_TYPE; j++) { ++ if (le32_to_cpu(ckpt->cur_data_segno[i]) == ++ le32_to_cpu(ckpt->cur_data_segno[j])) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Data segment (%u, %u) has the same " ++ "segno: %u", i, j, ++ le32_to_cpu(ckpt->cur_data_segno[i])); ++ return 1; ++ } ++ } ++ } ++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) { ++ for (j = i; j < NR_CURSEG_DATA_TYPE; j++) { ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) == ++ le32_to_cpu(ckpt->cur_data_segno[j])) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Data segment (%u) and Data segment (%u)" ++ " has the same segno: %u", i, j, ++ le32_to_cpu(ckpt->cur_node_segno[i])); ++ return 1; ++ } ++ } + } + + sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize); +-- +2.19.1 + diff --git a/queue-4.4/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch b/queue-4.4/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch new file mode 100644 index 00000000000..cc4f4c155a3 --- /dev/null +++ b/queue-4.4/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch @@ -0,0 +1,40 @@ +From eb769286245e3bdcd506cb1a74522596524228b1 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sun, 17 Mar 2019 15:58:38 -0500 +Subject: fix incorrect error code mapping for OBJECTID_NOT_FOUND + +[ Upstream commit 85f9987b236cf46e06ffdb5c225cf1f3c0acb789 ] + +It was mapped to EIO which can be confusing when user space +queries for an object GUID for an object for which the server +file system doesn't support (or hasn't saved one). + +As Amir Goldstein suggested this is similar to ENOATTR +(equivalently ENODATA in Linux errno definitions) so +changing NT STATUS code mapping for OBJECTID_NOT_FOUND +to ENODATA. + +Signed-off-by: Steve French +CC: Amir Goldstein +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2maperror.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index 98c25b969ab8..7e93d5706bf6 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -1034,7 +1034,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_UNFINISHED_CONTEXT_DELETED, -EIO, + "STATUS_UNFINISHED_CONTEXT_DELETED"}, + {STATUS_NO_TGT_REPLY, -EIO, "STATUS_NO_TGT_REPLY"}, +- {STATUS_OBJECTID_NOT_FOUND, -EIO, "STATUS_OBJECTID_NOT_FOUND"}, ++ /* Note that ENOATTTR and ENODATA are the same errno */ ++ {STATUS_OBJECTID_NOT_FOUND, -ENODATA, "STATUS_OBJECTID_NOT_FOUND"}, + {STATUS_NO_IP_ADDRESSES, -EIO, "STATUS_NO_IP_ADDRESSES"}, + {STATUS_WRONG_CREDENTIAL_HANDLE, -EIO, + "STATUS_WRONG_CREDENTIAL_HANDLE"}, +-- +2.19.1 + diff --git a/queue-4.4/ib-mlx4-fix-race-condition-between-catas-error-reset.patch b/queue-4.4/ib-mlx4-fix-race-condition-between-catas-error-reset.patch new file mode 100644 index 00000000000..17878b44201 --- /dev/null +++ b/queue-4.4/ib-mlx4-fix-race-condition-between-catas-error-reset.patch @@ -0,0 +1,39 @@ +From 498ead8924a7a01e0e5bdf8f423575d7ff713d59 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 6 Mar 2019 19:17:56 +0200 +Subject: IB/mlx4: Fix race condition between catas error reset and aliasguid + flows + +[ Upstream commit 587443e7773e150ae29e643ee8f41a1eed226565 ] + +Code review revealed a race condition which could allow the catas error +flow to interrupt the alias guid query post mechanism at random points. +Thiis is fixed by doing cancel_delayed_work_sync() instead of +cancel_delayed_work() during the alias guid mechanism destroy flow. + +Fixes: a0c64a17aba8 ("mlx4: Add alias_guid mechanism") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c +index 21cb41a60fe8..3a70b418d913 100644 +--- a/drivers/infiniband/hw/mlx4/alias_GUID.c ++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c +@@ -805,8 +805,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev) + unsigned long flags; + + for (i = 0 ; i < dev->num_ports; i++) { +- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work); + det = &sriov->alias_guid.ports_guid[i]; ++ cancel_delayed_work_sync(&det->alias_guid_work); + spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags); + while (!list_empty(&det->cb_list)) { + cb_ctx = list_entry(det->cb_list.next, +-- +2.19.1 + diff --git a/queue-4.4/include-linux-swap.h-use-offsetof-instead-of-custom-.patch b/queue-4.4/include-linux-swap.h-use-offsetof-instead-of-custom-.patch new file mode 100644 index 00000000000..5cd3b69ee93 --- /dev/null +++ b/queue-4.4/include-linux-swap.h-use-offsetof-instead-of-custom-.patch @@ -0,0 +1,59 @@ +From 7169afce8a08816f34c321d1f15948a5d38c5fa8 Mon Sep 17 00:00:00 2001 +From: Pi-Hsun Shih +Date: Wed, 13 Mar 2019 11:44:33 -0700 +Subject: include/linux/swap.h: use offsetof() instead of custom __swapoffset + macro + +[ Upstream commit a4046c06be50a4f01d435aa7fe57514818e6cc82 ] + +Use offsetof() to calculate offset of a field to take advantage of +compiler built-in version when possible, and avoid UBSAN warning when +compiling with Clang: + + UBSAN: Undefined behaviour in mm/swapfile.c:3010:38 + member access within null pointer of type 'union swap_header' + CPU: 6 PID: 1833 Comm: swapon Tainted: G S 4.19.23 #43 + Call trace: + dump_backtrace+0x0/0x194 + show_stack+0x20/0x2c + __dump_stack+0x20/0x28 + dump_stack+0x70/0x94 + ubsan_epilogue+0x14/0x44 + ubsan_type_mismatch_common+0xf4/0xfc + __ubsan_handle_type_mismatch_v1+0x34/0x54 + __se_sys_swapon+0x654/0x1084 + __arm64_sys_swapon+0x1c/0x24 + el0_svc_common+0xa8/0x150 + el0_svc_compat_handler+0x2c/0x38 + el0_svc_compat+0x8/0x18 + +Link: http://lkml.kernel.org/r/20190312081902.223764-1-pihsun@chromium.org +Signed-off-by: Pi-Hsun Shih +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swap.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/swap.h b/include/linux/swap.h +index d8ca2eaa3a8b..0a0b7529dae4 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -135,9 +135,9 @@ struct swap_extent { + /* + * Max bad pages in the new format.. + */ +-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x) + #define MAX_SWAP_BADPAGES \ +- ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / sizeof(int)) ++ ((offsetof(union swap_header, magic.magic) - \ ++ offsetof(union swap_header, info.badpages)) / sizeof(int)) + + enum { + SWP_USED = (1 << 0), /* is slot in swap_info[] used? */ +-- +2.19.1 + diff --git a/queue-4.4/iommu-dmar-fix-buffer-overflow-during-pci-bus-notifi.patch b/queue-4.4/iommu-dmar-fix-buffer-overflow-during-pci-bus-notifi.patch new file mode 100644 index 00000000000..d822514bf1d --- /dev/null +++ b/queue-4.4/iommu-dmar-fix-buffer-overflow-during-pci-bus-notifi.patch @@ -0,0 +1,87 @@ +From bd75182688c19eafc1df7c5a5e2a3169b53c4baf Mon Sep 17 00:00:00 2001 +From: Julia Cartwright +Date: Wed, 20 Feb 2019 16:46:31 +0000 +Subject: iommu/dmar: Fix buffer overflow during PCI bus notification + +[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ] + +Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI +device path") changed the type of the path data, however, the change in +path type was not reflected in size calculations. Update to use the +correct type and prevent a buffer overflow. + +This bug manifests in systems with deep PCI hierarchies, and can lead to +an overflow of the static allocated buffer (dmar_pci_notify_info_buf), +or can lead to overflow of slab-allocated data. + + BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0 + Write of size 1 at addr ffffffff90445d80 by task swapper/0/1 + CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1 + Call Trace: + ? dump_stack+0x46/0x59 + ? print_address_description+0x1df/0x290 + ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 + ? kasan_report+0x256/0x340 + ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 + ? e820__memblock_setup+0xb0/0xb0 + ? dmar_dev_scope_init+0x424/0x48f + ? __down_write_common+0x1ec/0x230 + ? dmar_dev_scope_init+0x48f/0x48f + ? dmar_free_unused_resources+0x109/0x109 + ? cpumask_next+0x16/0x20 + ? __kmem_cache_create+0x392/0x430 + ? kmem_cache_create+0x135/0x2f0 + ? e820__memblock_setup+0xb0/0xb0 + ? intel_iommu_init+0x170/0x1848 + ? _raw_spin_unlock_irqrestore+0x32/0x60 + ? migrate_enable+0x27a/0x5b0 + ? sched_setattr+0x20/0x20 + ? migrate_disable+0x1fc/0x380 + ? task_rq_lock+0x170/0x170 + ? try_to_run_init_process+0x40/0x40 + ? locks_remove_file+0x85/0x2f0 + ? dev_prepare_static_identity_mapping+0x78/0x78 + ? rt_spin_unlock+0x39/0x50 + ? lockref_put_or_lock+0x2a/0x40 + ? dput+0x128/0x2f0 + ? __rcu_read_unlock+0x66/0x80 + ? __fput+0x250/0x300 + ? __rcu_read_lock+0x1b/0x30 + ? mntput_no_expire+0x38/0x290 + ? e820__memblock_setup+0xb0/0xb0 + ? pci_iommu_init+0x25/0x63 + ? pci_iommu_init+0x25/0x63 + ? do_one_initcall+0x7e/0x1c0 + ? initcall_blacklisted+0x120/0x120 + ? kernel_init_freeable+0x27b/0x307 + ? rest_init+0xd0/0xd0 + ? kernel_init+0xf/0x120 + ? rest_init+0xd0/0xd0 + ? ret_from_fork+0x1f/0x40 + The buggy address belongs to the variable: + dmar_pci_notify_info_buf+0x40/0x60 + +Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") +Signed-off-by: Julia Cartwright +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c +index 5a63e32a4a6b..cbad1926cec1 100644 +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) + for (tmp = dev; tmp; tmp = tmp->bus->self) + level++; + +- size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); ++ size = sizeof(*info) + level * sizeof(info->path[0]); + if (size <= sizeof(dmar_pci_notify_info_buf)) { + info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; + } else { +-- +2.19.1 + diff --git a/queue-4.4/iommu-vt-d-check-capability-before-disabling-protect.patch b/queue-4.4/iommu-vt-d-check-capability-before-disabling-protect.patch new file mode 100644 index 00000000000..f09fac840a8 --- /dev/null +++ b/queue-4.4/iommu-vt-d-check-capability-before-disabling-protect.patch @@ -0,0 +1,40 @@ +From c6eb74b3c3d1fe7611f77bb28ee126361cfce803 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Wed, 20 Mar 2019 09:58:33 +0800 +Subject: iommu/vt-d: Check capability before disabling protected memory + +[ Upstream commit 5bb71fc790a88d063507dc5d445ab8b14e845591 ] + +The spec states in 10.4.16 that the Protected Memory Enable +Register should be treated as read-only for implementations +not supporting protected memory regions (PLMR and PHMR fields +reported as Clear in the Capability register). + +Cc: Jacob Pan +Cc: mark gross +Suggested-by: Ashok Raj +Fixes: f8bab73515ca5 ("intel-iommu: PMEN support") +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-iommu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 8b4a4d95669a..3e97c4b2ebed 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1598,6 +1598,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu) + u32 pmen; + unsigned long flags; + ++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap)) ++ return; ++ + raw_spin_lock_irqsave(&iommu->register_lock, flags); + pmen = readl(iommu->reg + DMAR_PMEN_REG); + pmen &= ~DMA_PMEN_EPM; +-- +2.19.1 + diff --git a/queue-4.4/lib-div64.c-off-by-one-in-shift.patch b/queue-4.4/lib-div64.c-off-by-one-in-shift.patch new file mode 100644 index 00000000000..d0c4e16fa20 --- /dev/null +++ b/queue-4.4/lib-div64.c-off-by-one-in-shift.patch @@ -0,0 +1,52 @@ +From a9e56f017e89334c0d05942f17bf2774d5f66255 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 7 Mar 2019 16:28:18 -0800 +Subject: lib/div64.c: off by one in shift + +[ Upstream commit cdc94a37493135e355dfc0b0e086d84e3eadb50d ] + +fls counts bits starting from 1 to 32 (returns 0 for zero argument). If +we add 1 we shift right one bit more and loose precision from divisor, +what cause function incorect results with some numbers. + +Corrected code was tested in user-space, see bugzilla: + https://bugzilla.kernel.org/show_bug.cgi?id=202391 + +Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgruszka@redhat.com +Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms") +Signed-off-by: Stanislaw Gruszka +Reported-by: Siarhei Volkau +Tested-by: Siarhei Volkau +Acked-by: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/div64.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/div64.c b/lib/div64.c +index 62a698a432bc..75b8521c2146 100644 +--- a/lib/div64.c ++++ b/lib/div64.c +@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder) + quot = div_u64_rem(dividend, divisor, &rem32); + *remainder = rem32; + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor) + if (high == 0) { + quot = div_u64(dividend, divisor); + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +-- +2.19.1 + diff --git a/queue-4.4/mmc-davinci-remove-extraneous-__init-annotation.patch b/queue-4.4/mmc-davinci-remove-extraneous-__init-annotation.patch new file mode 100644 index 00000000000..0d8fb351368 --- /dev/null +++ b/queue-4.4/mmc-davinci-remove-extraneous-__init-annotation.patch @@ -0,0 +1,40 @@ +From 040264a1cf23b6dadf1fea055a2785fe6b3dba71 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Mar 2019 11:10:11 +0100 +Subject: mmc: davinci: remove extraneous __init annotation + +[ Upstream commit 9ce58dd7d9da3ca0d7cb8c9568f1c6f4746da65a ] + +Building with clang finds a mistaken __init tag: + +WARNING: vmlinux.o(.text+0x5e4250): Section mismatch in reference from the function davinci_mmcsd_probe() to the function .init.text:init_mmcsd_host() +The function davinci_mmcsd_probe() references +the function __init init_mmcsd_host(). +This is often because davinci_mmcsd_probe lacks a __init +annotation or the annotation of init_mmcsd_host is wrong. + +Signed-off-by: Arnd Bergmann +Acked-by: Wolfram Sang +Reviewed-by: Nathan Chancellor +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/davinci_mmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c +index ea2a2ebc6b91..dba7565571a5 100644 +--- a/drivers/mmc/host/davinci_mmc.c ++++ b/drivers/mmc/host/davinci_mmc.c +@@ -1147,7 +1147,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host) + { + } + #endif +-static void __init init_mmcsd_host(struct mmc_davinci_host *host) ++static void init_mmcsd_host(struct mmc_davinci_host *host) + { + + mmc_davinci_reset_ctrl(host, 1); +-- +2.19.1 + diff --git a/queue-4.4/perf-core-restore-mmap-record-type-correctly.patch b/queue-4.4/perf-core-restore-mmap-record-type-correctly.patch new file mode 100644 index 00000000000..da0f45140df --- /dev/null +++ b/queue-4.4/perf-core-restore-mmap-record-type-correctly.patch @@ -0,0 +1,61 @@ +From 6b59a3a8b4431bb7fff0f8c2cb4cce1e945ae283 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Thu, 7 Mar 2019 10:52:33 -0800 +Subject: perf/core: Restore mmap record type correctly + +[ Upstream commit d9c1bb2f6a2157b38e8eb63af437cb22701d31ee ] + +On mmap(), perf_events generates a RECORD_MMAP record and then checks +which events are interested in this record. There are currently 2 +versions of mmap records: RECORD_MMAP and RECORD_MMAP2. MMAP2 is larger. +The event configuration controls which version the user level tool +accepts. + +If the event->attr.mmap2=1 field then MMAP2 record is returned. The +perf_event_mmap_output() takes care of this. It checks attr->mmap2 and +corrects the record fields before putting it in the sampling buffer of +the event. At the end the function restores the modified MMAP record +fields. + +The problem is that the function restores the size but not the type. +Thus, if a subsequent event only accepts MMAP type, then it would +instead receive an MMAP2 record with a size of MMAP record. + +This patch fixes the problem by restoring the record type on exit. + +Signed-off-by: Stephane Eranian +Acked-by: Peter Zijlstra (Intel) +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Fixes: 13d7a2410fa6 ("perf: Add attr->mmap2 attribute to an event") +Link: http://lkml.kernel.org/r/20190307185233.225521-1-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index e53dfb5b826e..17230ca00bd4 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5998,6 +5998,7 @@ static void perf_event_mmap_output(struct perf_event *event, + struct perf_output_handle handle; + struct perf_sample_data sample; + int size = mmap_event->event_id.header.size; ++ u32 type = mmap_event->event_id.header.type; + int ret; + + if (!perf_event_mmap_match(event, data)) +@@ -6041,6 +6042,7 @@ static void perf_event_mmap_output(struct perf_event *event, + perf_output_end(&handle); + out: + mmap_event->event_id.header.size = size; ++ mmap_event->event_id.header.type = type; + } + + static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +-- +2.19.1 + diff --git a/queue-4.4/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch b/queue-4.4/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch new file mode 100644 index 00000000000..b2b4270ad21 --- /dev/null +++ b/queue-4.4/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch @@ -0,0 +1,81 @@ +From 866dc36a5ce57d9b3c5dc490ca12214565130978 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Mon, 18 Mar 2019 16:41:28 -0300 +Subject: perf evsel: Free evsel->counts in perf_evsel__exit() + +[ Upstream commit 42dfa451d825a2ad15793c476f73e7bbc0f9d312 ] + +Using gcc's ASan, Changbin reports: + + ================================================================= + ==7494==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 48 byte(s) in 1 object(s) allocated from: + #0 0x7f0333a89138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x5625e5330a5e in zalloc util/util.h:23 + #2 0x5625e5330a9b in perf_counts__new util/counts.c:10 + #3 0x5625e5330ca0 in perf_evsel__alloc_counts util/counts.c:47 + #4 0x5625e520d8e5 in __perf_evsel__read_on_cpu util/evsel.c:1505 + #5 0x5625e517a985 in perf_evsel__read_on_cpu /home/work/linux/tools/perf/util/evsel.h:347 + #6 0x5625e517ad1a in test__openat_syscall_event tests/openat-syscall.c:47 + #7 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #8 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #9 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #10 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #11 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #12 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #13 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #14 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #15 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + Indirect leak of 72 byte(s) in 1 object(s) allocated from: + #0 0x7f0333a89138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x5625e532560d in zalloc util/util.h:23 + #2 0x5625e532566b in xyarray__new util/xyarray.c:10 + #3 0x5625e5330aba in perf_counts__new util/counts.c:15 + #4 0x5625e5330ca0 in perf_evsel__alloc_counts util/counts.c:47 + #5 0x5625e520d8e5 in __perf_evsel__read_on_cpu util/evsel.c:1505 + #6 0x5625e517a985 in perf_evsel__read_on_cpu /home/work/linux/tools/perf/util/evsel.h:347 + #7 0x5625e517ad1a in test__openat_syscall_event tests/openat-syscall.c:47 + #8 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #9 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #10 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #11 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #12 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #13 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #14 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #15 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #16 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +His patch took care of evsel->prev_raw_counts, but the above backtraces +are about evsel->counts, so fix that instead. + +Reported-by: Changbin Du +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Link: https://lkml.kernel.org/n/tip-hd1x13g59f0nuhe4anxhsmfp@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/evsel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index f0bd4825f95a..97fde9275f42 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1051,6 +1051,7 @@ void perf_evsel__exit(struct perf_evsel *evsel) + { + assert(list_empty(&evsel->node)); + assert(evsel->evlist == NULL); ++ perf_evsel__free_counts(evsel); + perf_evsel__free_fd(evsel); + perf_evsel__free_id(evsel); + perf_evsel__free_config_terms(evsel); +-- +2.19.1 + diff --git a/queue-4.4/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch b/queue-4.4/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch new file mode 100644 index 00000000000..98f7d595e89 --- /dev/null +++ b/queue-4.4/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch @@ -0,0 +1,59 @@ +From f2424960224060c98e30bab559f5435d690e69b1 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:56 +0800 +Subject: perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() + +[ Upstream commit d982b33133284fa7efa0e52ae06b88f9be3ea764 ] + + ================================================================= + ==20875==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 1160 byte(s) in 1 object(s) allocated from: + #0 0x7f1b6fc84138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x55bd50005599 in zalloc util/util.h:23 + #2 0x55bd500068f5 in perf_evsel__newtp_idx util/evsel.c:327 + #3 0x55bd4ff810fc in perf_evsel__newtp /home/work/linux/tools/perf/util/evsel.h:216 + #4 0x55bd4ff81608 in test__perf_evsel__tp_sched_test tests/evsel-tp-sched.c:69 + #5 0x55bd4ff528e6 in run_test tests/builtin-test.c:358 + #6 0x55bd4ff52baf in test_and_print tests/builtin-test.c:388 + #7 0x55bd4ff543fe in __cmd_test tests/builtin-test.c:583 + #8 0x55bd4ff5572f in cmd_test tests/builtin-test.c:722 + #9 0x55bd4ffc4087 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #10 0x55bd4ffc45c6 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #11 0x55bd4ffc49ca in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #12 0x55bd4ffc5138 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #13 0x7f1b6e34809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + Indirect leak of 19 byte(s) in 1 object(s) allocated from: + #0 0x7f1b6fc83f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30) + #1 0x7f1b6e3ac30f in vasprintf (/lib/x86_64-linux-gnu/libc.so.6+0x8830f) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields") +Link: http://lkml.kernel.org/r/20190316080556.3075-17-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/evsel-tp-sched.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index da474d743b6a..37529f73833d 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -84,5 +84,6 @@ int test__perf_evsel__tp_sched_test(void) + if (perf_evsel__test_field(evsel, "target_cpu", 4, true)) + ret = -1; + ++ perf_evsel__delete(evsel); + return ret; + } +-- +2.19.1 + diff --git a/queue-4.4/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch b/queue-4.4/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch new file mode 100644 index 00000000000..17d29779683 --- /dev/null +++ b/queue-4.4/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch @@ -0,0 +1,68 @@ +From 903fbd95335a309cf73bf179f0c7cbc5f7f990c0 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:54 +0800 +Subject: perf tests: Fix a memory leak of cpu_map object in the + openat_syscall_event_on_all_cpus test + +[ Upstream commit 93faa52e8371f0291ee1ff4994edae2b336b6233 ] + + ================================================================= + ==7497==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 40 byte(s) in 1 object(s) allocated from: + #0 0x7f0333a88f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30) + #1 0x5625e5326213 in cpu_map__trim_new util/cpumap.c:45 + #2 0x5625e5326703 in cpu_map__read util/cpumap.c:103 + #3 0x5625e53267ef in cpu_map__read_all_cpu_map util/cpumap.c:120 + #4 0x5625e5326915 in cpu_map__new util/cpumap.c:135 + #5 0x5625e517b355 in test__openat_syscall_event_on_all_cpus tests/openat-syscall-all-cpus.c:36 + #6 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #7 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #8 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #9 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #10 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #11 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #12 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #13 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #14 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: f30a79b012e5 ("perf tools: Add reference counting for cpu_map object") +Link: http://lkml.kernel.org/r/20190316080556.3075-15-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/openat-syscall-all-cpus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/openat-syscall-all-cpus.c b/tools/perf/tests/openat-syscall-all-cpus.c +index 2006485a2859..3848d5ab378d 100644 +--- a/tools/perf/tests/openat-syscall-all-cpus.c ++++ b/tools/perf/tests/openat-syscall-all-cpus.c +@@ -35,7 +35,7 @@ int test__openat_syscall_event_on_all_cpus(void) + if (IS_ERR(evsel)) { + tracing_path__strerror_open_tp(errno, errbuf, sizeof(errbuf), "syscalls", "sys_enter_openat"); + pr_debug("%s\n", errbuf); +- goto out_thread_map_delete; ++ goto out_cpu_map_delete; + } + + if (perf_evsel__open(evsel, cpus, threads) < 0) { +@@ -109,6 +109,8 @@ int test__openat_syscall_event_on_all_cpus(void) + perf_evsel__close_fd(evsel, 1, threads->nr); + out_evsel_delete: + perf_evsel__delete(evsel); ++out_cpu_map_delete: ++ cpu_map__put(cpus); + out_thread_map_delete: + thread_map__put(threads); + return err; +-- +2.19.1 + diff --git a/queue-4.4/perf-top-fix-error-handling-in-cmd_top.patch b/queue-4.4/perf-top-fix-error-handling-in-cmd_top.patch new file mode 100644 index 00000000000..2e6b8d3add3 --- /dev/null +++ b/queue-4.4/perf-top-fix-error-handling-in-cmd_top.patch @@ -0,0 +1,43 @@ +From 8a1f6e4d2f4a8007a5136199871f9bc6d0927048 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:48 +0800 +Subject: perf top: Fix error handling in cmd_top() + +[ Upstream commit 70c819e4bf1c5f492768b399d898d458ccdad2b6 ] + +We should go to the cleanup path, to avoid leaks, detected using gcc's +ASan. + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Link: http://lkml.kernel.org/r/20190316080556.3075-9-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 47719bde34c6..4e64ba8163bb 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1320,8 +1320,9 @@ int cmd_top(int argc, const char **argv, const char *prefix __maybe_unused) + symbol_conf.priv_size = sizeof(struct annotation); + + symbol_conf.try_vmlinux_path = (symbol_conf.vmlinux_name == NULL); +- if (symbol__init(NULL) < 0) +- return -1; ++ status = symbol__init(NULL); ++ if (status < 0) ++ goto out_delete_evlist; + + sort__setup_elide(stdout); + +-- +2.19.1 + diff --git a/queue-4.4/rsi-improve-kernel-thread-handling-to-fix-kernel-pan.patch b/queue-4.4/rsi-improve-kernel-thread-handling-to-fix-kernel-pan.patch new file mode 100644 index 00000000000..958110c8ecf --- /dev/null +++ b/queue-4.4/rsi-improve-kernel-thread-handling-to-fix-kernel-pan.patch @@ -0,0 +1,61 @@ +From e25d23f1d65546d67a20ac5fd550133857adafe5 Mon Sep 17 00:00:00 2001 +From: Siva Rebbagondla +Date: Mon, 27 Aug 2018 17:05:15 +0530 +Subject: rsi: improve kernel thread handling to fix kernel panic + +[ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ] + +While running regressions, observed below kernel panic when sdio disconnect +called. This is because of, kthread_stop() is taking care of +wait_for_completion() by default. When wait_for_completion triggered +in kthread_stop and as it was done already, giving kernel panic. +Hence, removing redundant wait_for_completion() from rsi_kill_thread(). + +... skipping ... +BUG: unable to handle kernel NULL pointer dereference at (null) +IP: [] exit_creds+0x1f/0x50 +PGD 0 +Oops: 0002 [#1] SMP +CPU: 0 PID: 6502 Comm: rmmod Tainted: G OE 4.15.9-Generic #154-Ubuntu +Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017 +Stack: +ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000 +ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000 +ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15 +Call Trace: +[] __put_task_struct+0x5a/0x140 +[] kthread_stop+0x10b/0x110 +[] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio] +[] ? __pm_runtime_resume+0x5b/0x80 +[] sdio_bus_remove+0x38/0x100 +[] __device_release_driver+0xa4/0x150 +[] driver_detach+0xb5/0xc0 +[] bus_remove_driver+0x55/0xd0 +[] driver_unregister+0x2c/0x50 +[] sdio_unregister_driver+0x1a/0x20 +[] rsi_module_exit+0x15/0x30 [ven_rsi_sdio] +[] SyS_delete_module+0x1b8/0x210 +[] entry_SYSCALL_64_fastpath+0x1c/0xbb + +Signed-off-by: Siva Rebbagondla +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_common.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h +index d3fbe33d2324..a13f08fd8690 100644 +--- a/drivers/net/wireless/rsi/rsi_common.h ++++ b/drivers/net/wireless/rsi/rsi_common.h +@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle) + atomic_inc(&handle->thread_done); + rsi_set_event(&handle->event); + +- wait_for_completion(&handle->completion); + return kthread_stop(handle->task); + } + +-- +2.19.1 + diff --git a/queue-4.4/serial-uartps-console_setup-can-t-be-placed-to-init-.patch b/queue-4.4/serial-uartps-console_setup-can-t-be-placed-to-init-.patch new file mode 100644 index 00000000000..452ab1091a2 --- /dev/null +++ b/queue-4.4/serial-uartps-console_setup-can-t-be-placed-to-init-.patch @@ -0,0 +1,36 @@ +From 109fbaa4eec0511010654624c7f312a93c726ee2 Mon Sep 17 00:00:00 2001 +From: Michal Simek +Date: Mon, 3 Sep 2018 15:10:49 +0200 +Subject: serial: uartps: console_setup() can't be placed to init section + +[ Upstream commit 4bb1ce2350a598502b23088b169e16b43d4bc639 ] + +When console device is rebinded, console_setup() is called again. +But marking it as __init means that function will be clear after boot is +complete. If console device is binded again console_setup() is not found +and error "Unable to handle kernel paging request at virtual address" +is reported. + +Signed-off-by: Michal Simek +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 4f2f4aca8d2e..06efcef1b495 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1145,7 +1145,7 @@ static void cdns_uart_console_write(struct console *co, const char *s, + * + * Return: 0 on success, negative errno otherwise. + */ +-static int __init cdns_uart_console_setup(struct console *co, char *options) ++static int cdns_uart_console_setup(struct console *co, char *options) + { + struct uart_port *port = &cdns_uart_port[co->index]; + int baud = 9600; +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index ee6d2476aee..f6194ad50ff 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -95,3 +95,39 @@ xen-prevent-buffer-overflow-in-privcmd-ioctl.patch sched-fair-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch xtensa-fix-return_address.patch pci-add-function-1-dma-alias-quirk-for-marvell-9170-sata-controller.patch +perf-core-restore-mmap-record-type-correctly.patch +ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch +ext4-report-real-fs-size-after-failed-resize.patch +alsa-echoaudio-add-a-check-for-ioremap_nocache.patch +alsa-sb8-add-a-check-for-request_region.patch +ib-mlx4-fix-race-condition-between-catas-error-reset.patch +mmc-davinci-remove-extraneous-__init-annotation.patch +alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch +thermal-int340x_thermal-add-additional-uuids.patch +thermal-int340x_thermal-fix-mode-setting.patch +tools-power-turbostat-return-the-exit-status-of-a-co.patch +perf-top-fix-error-handling-in-cmd_top.patch +perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch +perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch +perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch +x86-hpet-prevent-potential-null-pointer-dereference.patch +x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch +iommu-vt-d-check-capability-before-disabling-protect.patch +x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch +fix-incorrect-error-code-mapping-for-objectid_not_fo.patch +ext4-prohibit-fstrim-in-norecovery-mode.patch +rsi-improve-kernel-thread-handling-to-fix-kernel-pan.patch +9p-do-not-trust-pdu-content-for-stat-item-size.patch +9p-locks-add-mount-option-for-lock-retry-interval.patch +f2fs-fix-to-do-sanity-check-with-current-segment-num.patch +serial-uartps-console_setup-can-t-be-placed-to-init-.patch +arm-samsung-limit-samsung_pm_check-config-option-to-.patch +acpi-sbs-fix-gpe-storm-on-recent-macbookpro-s.patch +cifs-fallback-to-older-infolevels-on-findfirst-query.patch +crypto-sha256-arm-fix-crash-bug-in-thumb2-build.patch +crypto-sha512-arm-fix-crash-bug-in-thumb2-build.patch +iommu-dmar-fix-buffer-overflow-during-pci-bus-notifi.patch +arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch +appletalk-fix-use-after-free-in-atalk_proc_exit.patch +lib-div64.c-off-by-one-in-shift.patch +include-linux-swap.h-use-offsetof-instead-of-custom-.patch diff --git a/queue-4.4/thermal-int340x_thermal-add-additional-uuids.patch b/queue-4.4/thermal-int340x_thermal-add-additional-uuids.patch new file mode 100644 index 00000000000..8bdaf4ca211 --- /dev/null +++ b/queue-4.4/thermal-int340x_thermal-add-additional-uuids.patch @@ -0,0 +1,52 @@ +From 1e1bd1b713041b76141929d90a16053fd715d5ea Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Wed, 10 Oct 2018 01:30:06 -0700 +Subject: thermal/int340x_thermal: Add additional UUIDs + +[ Upstream commit 16fc8eca1975358111dbd7ce65e4ce42d1a848fb ] + +Add more supported DPTF policies than the driver currently exposes. + +Signed-off-by: Matthew Garrett +Cc: Nisha Aram +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + drivers/thermal/int340x_thermal/int3400_thermal.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c +index 5836e5554433..0beed2899163 100644 +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -20,6 +20,13 @@ enum int3400_thermal_uuid { + INT3400_THERMAL_PASSIVE_1, + INT3400_THERMAL_ACTIVE, + INT3400_THERMAL_CRITICAL, ++ INT3400_THERMAL_ADAPTIVE_PERFORMANCE, ++ INT3400_THERMAL_EMERGENCY_CALL_MODE, ++ INT3400_THERMAL_PASSIVE_2, ++ INT3400_THERMAL_POWER_BOSS, ++ INT3400_THERMAL_VIRTUAL_SENSOR, ++ INT3400_THERMAL_COOLING_MODE, ++ INT3400_THERMAL_HARDWARE_DUTY_CYCLING, + INT3400_THERMAL_MAXIMUM_UUID, + }; + +@@ -27,6 +34,13 @@ static u8 *int3400_thermal_uuids[INT3400_THERMAL_MAXIMUM_UUID] = { + "42A441D6-AE6A-462b-A84B-4A8CE79027D3", + "3A95C389-E4B8-4629-A526-C52C88626BAE", + "97C68AE7-15FA-499c-B8C9-5DA81D606E0A", ++ "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D", ++ "5349962F-71E6-431D-9AE8-0A635B710AEE", ++ "9E04115A-AE87-4D1C-9500-0F3E340BFE75", ++ "F5A35014-C209-46A4-993A-EB56DE7530A1", ++ "6ED722A7-9240-48A5-B479-31EEF723D7CF", ++ "16CAF1B7-DD38-40ED-B1C1-1B8A1913D531", ++ "BE84BABF-C4D4-403D-B495-3128FD44dAC1", + }; + + struct int3400_thermal_priv { +-- +2.19.1 + diff --git a/queue-4.4/thermal-int340x_thermal-fix-mode-setting.patch b/queue-4.4/thermal-int340x_thermal-fix-mode-setting.patch new file mode 100644 index 00000000000..7bbbbfbe099 --- /dev/null +++ b/queue-4.4/thermal-int340x_thermal-fix-mode-setting.patch @@ -0,0 +1,40 @@ +From 23b468cd9e498d5f3045847fb1ddab671df2a02b Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Wed, 10 Oct 2018 01:30:07 -0700 +Subject: thermal/int340x_thermal: fix mode setting + +[ Upstream commit 396ee4d0cd52c13b3f6421b8d324d65da5e7e409 ] + +int3400 only pushes the UUID into the firmware when the mode is flipped +to "enable". The current code only exposes the mode flag if the firmware +supports the PASSIVE_1 UUID, which not all machines do. Remove the +restriction. + +Signed-off-by: Matthew Garrett +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + drivers/thermal/int340x_thermal/int3400_thermal.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c +index 0beed2899163..d4c374cc4f74 100644 +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -285,10 +285,9 @@ static int int3400_thermal_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, priv); + +- if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) { +- int3400_thermal_ops.get_mode = int3400_thermal_get_mode; +- int3400_thermal_ops.set_mode = int3400_thermal_set_mode; +- } ++ int3400_thermal_ops.get_mode = int3400_thermal_get_mode; ++ int3400_thermal_ops.set_mode = int3400_thermal_set_mode; ++ + priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0, + priv, &int3400_thermal_ops, + &int3400_thermal_params, 0, 0); +-- +2.19.1 + diff --git a/queue-4.4/tools-power-turbostat-return-the-exit-status-of-a-co.patch b/queue-4.4/tools-power-turbostat-return-the-exit-status-of-a-co.patch new file mode 100644 index 00000000000..5b3862a49cf --- /dev/null +++ b/queue-4.4/tools-power-turbostat-return-the-exit-status-of-a-co.patch @@ -0,0 +1,37 @@ +From 296bcd6f92fa2c01d94c85b99f6456669c3fe7fc Mon Sep 17 00:00:00 2001 +From: David Arcari +Date: Tue, 12 Feb 2019 09:34:39 -0500 +Subject: tools/power turbostat: return the exit status of a command + +[ Upstream commit 2a95496634a017c19641f26f00907af75b962f01 ] + +turbostat failed to return a non-zero exit status even though the +supplied command (turbostat ) failed. Currently when turbostat +forks a command it returns zero instead of the actual exit status of the +command. Modify the code to return the exit status. + +Signed-off-by: David Arcari +Acked-by: Len Brown +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 33c79e415075..532e7bf06868 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -3089,6 +3089,9 @@ int fork_it(char **argv) + signal(SIGQUIT, SIG_IGN); + if (waitpid(child_pid, &status, 0) == -1) + err(status, "waitpid"); ++ ++ if (WIFEXITED(status)) ++ status = WEXITSTATUS(status); + } + /* + * n.b. fork_it() does not check for errors from for_all_cpus() +-- +2.19.1 + diff --git a/queue-4.4/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch b/queue-4.4/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch new file mode 100644 index 00000000000..9259a78d684 --- /dev/null +++ b/queue-4.4/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch @@ -0,0 +1,108 @@ +From 699102a05e6dbc22dd38d9f7c71f600fae09d094 Mon Sep 17 00:00:00 2001 +From: Matthew Whitehead +Date: Thu, 14 Mar 2019 16:46:00 -0400 +Subject: x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors + +[ Upstream commit 18fb053f9b827bd98cfc64f2a35df8ab19745a1d ] + +There are comments in processor-cyrix.h advising you to _not_ make calls +using the deprecated macros in this style: + + setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80); + +This is because it expands the macro into a non-functioning calling +sequence. The calling order must be: + + outb(CX86_CCR2, 0x22); + inb(0x23); + +From the comments: + + * When using the old macros a line like + * setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); + * gets expanded to: + * do { + * outb((CX86_CCR2), 0x22); + * outb((({ + * outb((CX86_CCR2), 0x22); + * inb(0x23); + * }) | 0x88), 0x23); + * } while (0); + +The new macros fix this problem, so use them instead. Tested on an +actual Geode processor. + +Signed-off-by: Matthew Whitehead +Signed-off-by: Thomas Gleixner +Cc: luto@kernel.org +Link: https://lkml.kernel.org/r/1552596361-8967-2-git-send-email-tedheadster@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/cyrix.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c +index 15e47c1cd412..6e4e4191abb5 100644 +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -121,7 +121,7 @@ static void set_cx86_reorder(void) + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + /* Load/Store Serialize to mem access disable (=reorder it) */ +- setCx86_old(CX86_PCR0, getCx86_old(CX86_PCR0) & ~0x80); ++ setCx86(CX86_PCR0, getCx86(CX86_PCR0) & ~0x80); + /* set load/store serialize from 1GB to 4GB */ + ccr3 |= 0xe0; + setCx86(CX86_CCR3, ccr3); +@@ -132,11 +132,11 @@ static void set_cx86_memwb(void) + printk(KERN_INFO "Enable Memory-Write-back mode on Cyrix/NSC processor.\n"); + + /* CCR2 bit 2: unlock NW bit */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) & ~0x04); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) & ~0x04); + /* set 'Not Write-through' */ + write_cr0(read_cr0() | X86_CR0_NW); + /* CCR2 bit 2: lock NW bit and set WT1 */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x14); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x14); + } + + /* +@@ -150,14 +150,14 @@ static void geode_configure(void) + local_irq_save(flags); + + /* Suspend on halt power saving and enable #SUSP pin */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x88); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); + + ccr3 = getCx86(CX86_CCR3); + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + + /* FPU fast, DTE cache, Mem bypass */ +- setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x38); ++ setCx86(CX86_CCR4, getCx86(CX86_CCR4) | 0x38); + setCx86(CX86_CCR3, ccr3); /* disable MAPEN */ + + set_cx86_memwb(); +@@ -292,7 +292,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + /* GXm supports extended cpuid levels 'ala' AMD */ + if (c->cpuid_level == 2) { + /* Enable cxMMX extensions (GX1 Datasheet 54) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7) | 1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1); + + /* + * GXm : 0x30 ... 0x5f GXm datasheet 51 +@@ -315,7 +315,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + if (dir1 > 7) { + dir0_msn++; /* M II */ + /* Enable MMX extensions (App note 108) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7)|1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1); + } else { + /* A 6x86MX - it has the bug. */ + set_cpu_bug(c, X86_BUG_COMA); +-- +2.19.1 + diff --git a/queue-4.4/x86-hpet-prevent-potential-null-pointer-dereference.patch b/queue-4.4/x86-hpet-prevent-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..59dbc336603 --- /dev/null +++ b/queue-4.4/x86-hpet-prevent-potential-null-pointer-dereference.patch @@ -0,0 +1,43 @@ +From 2b3a0828e3e55b7ef2f89210e492e465257b6c7e Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Mon, 18 Mar 2019 21:19:56 -0500 +Subject: x86/hpet: Prevent potential NULL pointer dereference + +[ Upstream commit 2e84f116afca3719c9d0a1a78b47b48f75fd5724 ] + +hpet_virt_address may be NULL when ioremap_nocache fail, but the code lacks +a check. + +Add a check to prevent NULL pointer dereference. + +Signed-off-by: Aditya Pakki +Signed-off-by: Thomas Gleixner +Cc: kjlu@umn.edu +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Kees Cook +Cc: Joe Perches +Cc: Nicolai Stange +Cc: Roland Dreier +Link: https://lkml.kernel.org/r/20190319021958.17275-1-pakki001@umn.edu +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/hpet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c +index 3fdc1e53aaac..9cce5504a5c7 100644 +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -825,6 +825,8 @@ int __init hpet_enable(void) + return 0; + + hpet_set_mapping(); ++ if (!hpet_virt_address) ++ return 0; + + /* + * Read the period and check for a sane value: +-- +2.19.1 + diff --git a/queue-4.4/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch b/queue-4.4/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch new file mode 100644 index 00000000000..36b800e9ca5 --- /dev/null +++ b/queue-4.4/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch @@ -0,0 +1,48 @@ +From fe08eaf763ced50fe133747dc36364dfa085620a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 7 Mar 2019 14:27:56 -0700 +Subject: x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() + return an error + +[ Upstream commit e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 ] + +When building with -Wsometimes-uninitialized, Clang warns: + +arch/x86/kernel/hw_breakpoint.c:355:2: warning: variable 'align' is used +uninitialized whenever switch default is taken +[-Wsometimes-uninitialized] + +The default cannot be reached because arch_build_bp_info() initializes +hw->len to one of the specified cases. Nevertheless the warning is valid +and returning -EINVAL makes sure that this cannot be broken by future +modifications. + +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Gleixner +Reviewed-by: Nick Desaulniers +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: clang-built-linux@googlegroups.com +Link: https://github.com/ClangBuiltLinux/linux/issues/392 +Link: https://lkml.kernel.org/r/20190307212756.4648-1-natechancellor@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/hw_breakpoint.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c +index 2bcfb5f2bc44..433f17d154e2 100644 +--- a/arch/x86/kernel/hw_breakpoint.c ++++ b/arch/x86/kernel/hw_breakpoint.c +@@ -351,6 +351,7 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp) + #endif + default: + WARN_ON_ONCE(1); ++ return -EINVAL; + } + + /* +-- +2.19.1 +