From: Greg Kroah-Hartman Date: Tue, 1 Mar 2016 22:23:12 +0000 (-0800) Subject: 4.4-stable patches X-Git-Tag: v3.10.99~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45e93f02b151d4308d56f0dd9d65c438de0ff8d0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch bio-return-eintr-if-copying-to-user-space-got-interrupted.patch block-fix-use-after-free-in-dio_bio_complete.patch cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch hpfs-don-t-truncate-the-file-when-delete-fails.patch i2c-i801-adding-intel-lewisburg-support-for-itco.patch kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch kvm-async_pf-do-not-warn-on-page-allocation-failures.patch kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch kvm-x86-fix-missed-hardware-breakpoints.patch kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch nfs-fix-nfs_size_to_loff_t.patch nfsv4-fix-a-dentry-leak-on-alias-use.patch of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch phy-core-fix-wrong-err-handle-for-phy_power_on.patch powerpc-eeh-fix-partial-hotplug-criterion.patch should_follow_link-validate-d_seq-after-having-decided-to-follow.patch sunrpc-cache-fix-off-by-one-in-qword_get.patch tracing-fix-showing-function-event-in-available_events.patch writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch x86-entry-compat-add-missing-clac-to-entry_int80_32.patch x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch 
xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch xen-scsiback-correct-frontend-counting.patch --- diff --git a/queue-4.4/arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch b/queue-4.4/arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch new file mode 100644 index 00000000000..04ff4665630 --- /dev/null +++ b/queue-4.4/arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch @@ -0,0 +1,34 @@ +From 5e45a2589d24573c564630990c88ac93659f8fe4 Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Fri, 19 Feb 2016 20:21:17 +0100 +Subject: ARM: at91/dt: fix typo in sama5d2 pinmux descriptions + +From: Ludovic Desroches + +commit 5e45a2589d24573c564630990c88ac93659f8fe4 upstream. + +PIN_PA15 macro has the same value as PIN_PA14 so we were overriding PA14 +mux/configuration. + +Signed-off-by: Ludovic Desroches +Reported-by: Cyrille Pitchen +Fixes: 7f16cb676c00 ("ARM: at91/dt: add sama5d2 pinmux") +Signed-off-by: Alexandre Belloni +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sama5d2-pinfunc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/sama5d2-pinfunc.h ++++ b/arch/arm/boot/dts/sama5d2-pinfunc.h +@@ -90,7 +90,7 @@ + #define PIN_PA14__I2SC1_MCK PINMUX_PIN(PIN_PA14, 4, 2) + #define PIN_PA14__FLEXCOM3_IO2 PINMUX_PIN(PIN_PA14, 5, 1) + #define PIN_PA14__D9 PINMUX_PIN(PIN_PA14, 6, 2) +-#define PIN_PA15 14 ++#define PIN_PA15 15 + #define PIN_PA15__GPIO PINMUX_PIN(PIN_PA15, 0, 0) + #define PIN_PA15__SPI0_MOSI PINMUX_PIN(PIN_PA15, 1, 1) + #define PIN_PA15__TF1 PINMUX_PIN(PIN_PA15, 2, 1) diff --git a/queue-4.4/arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch b/queue-4.4/arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch new file mode 100644 index 00000000000..7f9a5499756 --- /dev/null 
+++ b/queue-4.4/arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch @@ -0,0 +1,55 @@ +From 3f315c5b850fa7aff73f50de8e316b98f611a32b Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Fri, 5 Feb 2016 16:37:08 +0200 +Subject: ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption + +From: Ivaylo Dimitrov + +commit 3f315c5b850fa7aff73f50de8e316b98f611a32b upstream. + +Commit e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid +filesystem corruption") partially fixed onenand configuration when GPMC +module is reset. Finish the job by also providing the correct values in +ONENAND_REG_SYS_CFG1 register. + +Fixes: e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid +filesystem corruption") +Signed-off-by: Ivaylo Dimitrov +Tested-by: Aaro Koskinen +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/gpmc-onenand.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-omap2/gpmc-onenand.c ++++ b/arch/arm/mach-omap2/gpmc-onenand.c +@@ -101,10 +101,8 @@ static void omap2_onenand_set_async_mode + + static void set_onenand_cfg(void __iomem *onenand_base) + { +- u32 reg; ++ u32 reg = ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT; + +- reg = readw(onenand_base + ONENAND_REG_SYS_CFG1); +- reg &= ~((0x7 << ONENAND_SYS_CFG1_BRL_SHIFT) | (0x7 << 9)); + reg |= (latency << ONENAND_SYS_CFG1_BRL_SHIFT) | + ONENAND_SYS_CFG1_BL_16; + if (onenand_flags & ONENAND_FLAG_SYNCREAD) +@@ -123,6 +121,7 @@ static void set_onenand_cfg(void __iomem + reg |= ONENAND_SYS_CFG1_VHF; + else + reg &= ~ONENAND_SYS_CFG1_VHF; ++ + writew(reg, onenand_base + ONENAND_REG_SYS_CFG1); + } + +@@ -289,6 +288,7 @@ static int omap2_onenand_setup_async(voi + } + } + ++ onenand_async.sync_write = true; + omap2_onenand_calc_async_timings(&t); + + ret = gpmc_cs_program_settings(gpmc_onenand_data->cs, &onenand_async); 
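Review bot: Once `reg` is built from the constant `ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT` instead of a readw() of SYS_CFG1, the `else reg &= ~ONENAND_SYS_CFG1_VHF;` branch still visible in the second hunk's context can never clear a set bit and is dead code, and the same presumably applies to any other `&= ~` clears in the lines between the two hunks, which are not visible here. Either drop those else-branches or put a one-line comment above the new initializer, `/* SYS_CFG1 is rebuilt from scratch; nothing read back from the chip survives */`, so the switch from read-modify-write to a pure write is deliberate to the next reader. The `onenand_async.sync_write = true;` line in omap2_onenand_setup_async has no comment and the changelog does not explain it; a short why-comment there would help since I cannot tell from the hunk why async mode needs write timings programmed. set_onenand_cfg ends in the second hunk, and omap2_onenand_setup_async starts and ends outside the third.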
diff --git a/queue-4.4/bio-return-eintr-if-copying-to-user-space-got-interrupted.patch b/queue-4.4/bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
new file mode 100644
index 00000000000..e4bce4cafa1
--- /dev/null
+++ b/queue-4.4/bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
@@ -0,0 +1,50 @@ +From 2d99b55d378c996b9692a0c93dd25f4ed5d58934 Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Fri, 12 Feb 2016 09:39:15 +0100 +Subject: bio: return EINTR if copying to user space got interrupted + +From: Hannes Reinecke + +commit 2d99b55d378c996b9692a0c93dd25f4ed5d58934 upstream. + +Commit 35dc248383bbab0a7203fca4d722875bc81ef091 introduced a check for +current->mm to see if we have a user space context and only copies data +if we do. Now if an IO gets interrupted by a signal data isn't copied +into user space any more (as we don't have a user space context) but +user space isn't notified about it. + +This patch modifies the behaviour to return -EINTR from bio_uncopy_user() +to notify userland that a signal has interrupted the syscall, otherwise +it could lead to a situation where the caller may get a buffer with +no data returned. + +This can be reproduced by issuing SG_IO ioctl()s in one thread while +constantly sending signals to it. + +Fixes: 35dc248 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal +Signed-off-by: Johannes Thumshirn +Signed-off-by: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/bio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1090,9 +1090,12 @@ int bio_uncopy_user(struct bio *bio) + if (!bio_flagged(bio, BIO_NULL_MAPPED)) { + /* + * if we're in a workqueue, the request is orphaned, so +- * don't copy into a random user address space, just free. ++ * don't copy into a random user address space, just free ++ * and return -EINTR so user space doesn't expect any data. + */ +- if (current->mm && bio_data_dir(bio) == READ) ++ if (!current->mm) ++ ret = -EINTR; ++ else if (bio_data_dir(bio) == READ) + ret = bio_copy_to_iter(bio, bmd->iter); + if (bmd->is_our_pages) + bio_free_pages(bio); 
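Review bot: The new `if (!current->mm) ret = -EINTR;` reports -EINTR for every completion that runs without a user mm, not only for the signal-interrupted SG_IO case the changelog describes, and it does so for the WRITE direction too, where this path never copied anything; that is harmless only if every caller of bio_uncopy_user() in the orphaned path ignores the return value, which is not visible here. The surrounding comment should spell out the proxy being used: `/* no mm: the request was orphaned (e.g. the SG_IO caller was interrupted by a signal) and is being completed from a kernel thread; return -EINTR rather than hand back an empty buffer */`. bio_uncopy_user starts before and ends after the hunk.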
diff --git a/queue-4.4/block-fix-use-after-free-in-dio_bio_complete.patch b/queue-4.4/block-fix-use-after-free-in-dio_bio_complete.patch
new file mode 100644
index 00000000000..d67c237a00c
--- /dev/null
+++ b/queue-4.4/block-fix-use-after-free-in-dio_bio_complete.patch
@@ -0,0 +1,95 @@ +From 7ddc971f86aa0a4cee9f6886c356a052461957ae Mon Sep 17 00:00:00 2001 +From: Mike Krinkin +Date: Sat, 30 Jan 2016 19:09:59 +0300 +Subject: block: fix use-after-free in dio_bio_complete + +From: Mike Krinkin + +commit 7ddc971f86aa0a4cee9f6886c356a052461957ae upstream. + +kasan reported the following error when i ran xfstest: + +[ 701.826854] ================================================================== +[ 701.826864] BUG: KASAN: use-after-free in dio_bio_complete+0x41a/0x600 at addr ffff880080b95f94 +[ 701.826870] Read of size 4 by task loop2/3874 +[ 701.826879] page:ffffea000202e540 count:0 mapcount:0 mapping: (null) index:0x0 +[ 701.826890] flags: 0x100000000000000() +[ 701.826895] page dumped because: kasan: bad access detected +[ 701.826904] CPU: 3 PID: 3874 Comm: loop2 Tainted: G B W L 4.5.0-rc1-next-20160129 #83 +[ 701.826910] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013 +[ 701.826917] ffff88008fadf800 ffff88008fadf758 ffffffff81ca67bb 0000000041b58ab3 +[ 701.826941] ffffffff830d1e74 ffffffff81ca6724 ffff88008fadf748 ffffffff8161c05c +[ 701.826963] 0000000000000282 ffff88008fadf800 ffffed0010172bf2 ffffea000202e540 +[ 701.826987] Call Trace: +[ 701.826997] [] dump_stack+0x97/0xdc +[ 701.827005] [] ? _atomic_dec_and_lock+0xc4/0xc4 +[ 701.827014] [] ? __dump_page+0x32c/0x490 +[ 701.827023] [] kasan_report_error+0x5f3/0x8b0 +[ 701.827033] [] ? dio_bio_complete+0x41a/0x600 +[ 701.827040] [] __asan_report_load4_noabort+0x59/0x80 +[ 701.827048] [] ? dio_bio_complete+0x41a/0x600 +[ 701.827053] [] dio_bio_complete+0x41a/0x600 +[ 701.827057] [] ? blk_queue_exit+0x108/0x270 +[ 701.827060] [] dio_bio_end_aio+0xa0/0x4d0 +[ 701.827063] [] ? dio_bio_complete+0x600/0x600 +[ 701.827067] [] ? 
blk_account_io_completion+0x316/0x5d0 +[ 701.827070] [] bio_endio+0x79/0x200 +[ 701.827074] [] blk_update_request+0x1df/0xc50 +[ 701.827078] [] blk_mq_end_request+0x57/0x120 +[ 701.827081] [] __blk_mq_complete_request+0x310/0x590 +[ 701.827084] [] ? set_next_entity+0x2f8/0x2ed0 +[ 701.827088] [] ? put_prev_entity+0x22d/0x2a70 +[ 701.827091] [] blk_mq_complete_request+0x5b/0x80 +[ 701.827094] [] loop_queue_work+0x273/0x19d0 +[ 701.827098] [] ? finish_task_switch+0x1c8/0x8e0 +[ 701.827101] [] ? trace_hardirqs_on_caller+0x18/0x6c0 +[ 701.827104] [] ? lo_read_simple+0x890/0x890 +[ 701.827108] [] ? debug_check_no_locks_freed+0x350/0x350 +[ 701.827111] [] ? __hrtick_start+0x130/0x130 +[ 701.827115] [] ? __schedule+0x936/0x20b0 +[ 701.827118] [] ? kthread_worker_fn+0x3ed/0x8d0 +[ 701.827121] [] ? kthread_worker_fn+0x21d/0x8d0 +[ 701.827125] [] ? trace_hardirqs_on_caller+0x18/0x6c0 +[ 701.827128] [] kthread_worker_fn+0x2af/0x8d0 +[ 701.827132] [] ? __init_kthread_worker+0x170/0x170 +[ 701.827135] [] ? _raw_spin_unlock_irqrestore+0x36/0x60 +[ 701.827138] [] ? __init_kthread_worker+0x170/0x170 +[ 701.827141] [] ? __init_kthread_worker+0x170/0x170 +[ 701.827144] [] kthread+0x24b/0x3a0 +[ 701.827148] [] ? kthread_create_on_node+0x4c0/0x4c0 +[ 701.827151] [] ? trace_hardirqs_on+0xd/0x10 +[ 701.827155] [] ? do_group_exit+0xdd/0x350 +[ 701.827158] [] ? kthread_create_on_node+0x4c0/0x4c0 +[ 701.827161] [] ret_from_fork+0x3f/0x70 +[ 701.827165] [] ? 
kthread_create_on_node+0x4c0/0x4c0 +[ 701.827167] Memory state around the buggy address: +[ 701.827170] ffff880080b95e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 701.827172] ffff880080b95f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 701.827175] >ffff880080b95f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 701.827177] ^ +[ 701.827179] ffff880080b96000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 701.827182] ffff880080b96080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 701.827183] ================================================================== + +The problem is that bio_check_pages_dirty calls bio_put, so we must +not access bio fields after bio_check_pages_dirty. + +Fixes: 9b81c842355ac96097ba ("block: don't access bio->bi_error after bio_put()"). +Signed-off-by: Mike Krinkin +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +diff --git a/fs/direct-io.c b/fs/direct-io.c +index 1b2f7ffc8b84..d6a9012d42ad 100644 +--- a/fs/direct-io.c ++++ b/fs/direct-io.c +@@ -472,8 +472,8 @@ static int dio_bio_complete(struct dio *dio, struct bio *bio) + dio->io_error = -EIO; + + if (dio->is_async && dio->rw == READ && dio->should_dirty) { +- bio_check_pages_dirty(bio); /* transfers ownership */ + err = bio->bi_error; ++ bio_check_pages_dirty(bio); /* transfers ownership */ + } else { + bio_for_each_segment_all(bvec, bio, i) { + struct page *page = bvec->bv_page; diff --git a/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch b/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch new file mode 100644 index 00000000000..03b69f4df82 --- /dev/null +++ b/queue-4.4/cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch 
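Review bot: The reorder fixes the use-after-free, but nothing at the call site marks that `bio` must not be touched after bio_check_pages_dirty(); the surviving `/* transfers ownership */` reads as ownership of the pages, and the next field read added below that call will reintroduce the bug. I'd extend it to `/* bio_check_pages_dirty() may bio_put() the bio: read bi_error first and do not touch bio afterwards */`. The else branch that walks the segments is cut off below the hunk, so I cannot see whether it ends in a bio_put() with the same constraint; dio_bio_complete's body continues outside the hunk.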
@@ -0,0 +1,106 @@ +From aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 21 Jan 2016 15:31:11 -0500 +Subject: cgroup: make sure a parent css isn't offlined before its children + +From: Tejun Heo + +commit aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 upstream. + +There are three subsystem callbacks in css shutdown path - +css_offline(), css_released() and css_free(). Except for +css_released(), cgroup core didn't guarantee the order of invocation. +css_offline() or css_free() could be called on a parent css before its +children. This behavior is unexpected and led to bugs in cpu and +memory controller. + +This patch updates offline path so that a parent css is never offlined +before its children. Each css keeps online_cnt which reaches zero iff +itself and all its children are offline and offline_css() is invoked +only after online_cnt reaches zero. + +This fixes the memory controller bug and allows the fix for cpu +controller. + +Signed-off-by: Tejun Heo +Reported-and-tested-by: Christian Borntraeger +Reported-by: Brian Christiansen +Link: http://lkml.kernel.org/g/5698A023.9070703@de.ibm.com +Link: http://lkml.kernel.org/g/CAKB58ikDkzc8REt31WBkD99+hxNzjK4+FBmhkgS+NVrC9vjMSg@mail.gmail.com +Cc: Heiko Carstens +Cc: Peter Zijlstra +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/cgroup-defs.h | 6 ++++++ + kernel/cgroup.c | 22 +++++++++++++++++----- + 2 files changed, 23 insertions(+), 5 deletions(-) + +--- a/include/linux/cgroup-defs.h ++++ b/include/linux/cgroup-defs.h +@@ -133,6 +133,12 @@ struct cgroup_subsys_state { + */ + u64 serial_nr; + ++ /* ++ * Incremented by online self and children. Used to guarantee that ++ * parents are not offlined before their children. 
++ */ ++ atomic_t online_cnt; ++ + /* percpu_ref killing and RCU release */ + struct rcu_head rcu_head; + struct work_struct destroy_work; +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -4784,6 +4784,7 @@ static void init_and_link_css(struct cgr + INIT_LIST_HEAD(&css->sibling); + INIT_LIST_HEAD(&css->children); + css->serial_nr = css_serial_nr_next++; ++ atomic_set(&css->online_cnt, 0); + + if (cgroup_parent(cgrp)) { + css->parent = cgroup_css(cgroup_parent(cgrp), ss); +@@ -4806,6 +4807,10 @@ static int online_css(struct cgroup_subs + if (!ret) { + css->flags |= CSS_ONLINE; + rcu_assign_pointer(css->cgroup->subsys[ss->id], css); ++ ++ atomic_inc(&css->online_cnt); ++ if (css->parent) ++ atomic_inc(&css->parent->online_cnt); + } + return ret; + } +@@ -5037,10 +5042,15 @@ static void css_killed_work_fn(struct wo + container_of(work, struct cgroup_subsys_state, destroy_work); + + mutex_lock(&cgroup_mutex); +- offline_css(css); +- mutex_unlock(&cgroup_mutex); + +- css_put(css); ++ do { ++ offline_css(css); ++ css_put(css); ++ /* @css can't go away while we're holding cgroup_mutex */ ++ css = css->parent; ++ } while (css && atomic_dec_and_test(&css->online_cnt)); ++ ++ mutex_unlock(&cgroup_mutex); + } + + /* css kill confirmation processing requires process context, bounce */ +@@ -5049,8 +5059,10 @@ static void css_killed_ref_fn(struct per + struct cgroup_subsys_state *css = + container_of(ref, struct cgroup_subsys_state, refcnt); + +- INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ if (atomic_dec_and_test(&css->online_cnt)) { ++ INIT_WORK(&css->destroy_work, css_killed_work_fn); ++ queue_work(cgroup_destroy_wq, &css->destroy_work); ++ } + } + + /** diff --git a/queue-4.4/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch b/queue-4.4/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch new file mode 100644 index 00000000000..aa67d8dc954 --- /dev/null 
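Review bot: In css_killed_work_fn the loop body reads `css->parent` after `css_put(css)`; the comment explains why that is safe under cgroup_mutex, but it is cheaper to make it obviously safe by reading the parent first: `struct cgroup_subsys_state *parent = css->parent; css_put(css); css = parent;`. The new `online_cnt` comment in cgroup-defs.h could also state the invariant the code relies on: one count for the css itself while online plus one per online child, with offline_css() running only when the count reaches zero, either from css_killed_ref_fn or from a child finishing in css_killed_work_fn. The increment in online_css only happens when `ret == 0`, so a css that never went online has a zero count; I assume kill_css() is never reached for such a css, but that path is outside the hunk.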
+++ b/queue-4.4/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch @@ -0,0 +1,35 @@ +From c80567c82ae4814a41287618e315a60ecf513be6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 27 Feb 2016 19:17:33 -0500 +Subject: do_last(): don't let a bogus return value from ->open() et.al. to confuse us + +From: Al Viro + +commit c80567c82ae4814a41287618e315a60ecf513be6 upstream. + +... into returning a positive to path_openat(), which would interpret that +as "symlink had been encountered" and proceed to corrupt memory, etc. +It can only happen due to a bug in some ->open() instance or in some LSM +hook, etc., so we report any such event *and* make sure it doesn't trick +us into further unpleasantness. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3210,6 +3210,10 @@ opened: + goto exit_fput; + } + out: ++ if (unlikely(error > 0)) { ++ WARN_ON(1); ++ error = -EINVAL; ++ } + if (got_write) + mnt_drop_write(nd->path.mnt); + path_put(&save_parent); diff --git a/queue-4.4/do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch b/queue-4.4/do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch new file mode 100644 index 00000000000..b5d000bd78d --- /dev/null +++ b/queue-4.4/do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch 
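Review bot: `WARN_ON(1)` carries no information about what was returned and fires on every open() that hits the misbehaving ->open() or LSM hook; since open() is reachable by unprivileged users, a single buggy module turns this into a dmesg flood, which with panic_on_warn set is a crash. `WARN_ONCE(1, "do_last: bogus positive return %d from ->open()\n", error);` records the value once and leaves the -EINVAL rewrite in place. do_last's body starts and ends outside the hunk.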
@@ -0,0 +1,43 @@ +From 5129fa482b16615fd4464d2f5d23acb1b7056c66 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 27 Feb 2016 19:37:37 -0500 +Subject: do_last(): ELOOP failure exit should be done after leaving RCU mode + +From: Al Viro + +commit 5129fa482b16615fd4464d2f5d23acb1b7056c66 upstream. + +... or we risk seeing a bogus value of d_is_symlink() there. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3149,11 +3149,6 @@ finish_lookup: + if (unlikely(error)) + return error; + +- if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) { +- path_to_nameidata(&path, nd); +- return -ELOOP; +- } +- + if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path.mnt) { + path_to_nameidata(&path, nd); + } else { +@@ -3172,6 +3167,10 @@ finish_open: + return error; + } + audit_inode(nd->name, nd->path.dentry, 0); ++ if (unlikely(d_is_symlink(nd->path.dentry)) && !(open_flag & O_PATH)) { ++ error = -ELOOP; ++ goto out; ++ } + error = -EISDIR; + if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) + goto out; diff --git a/queue-4.4/hpfs-don-t-truncate-the-file-when-delete-fails.patch b/queue-4.4/hpfs-don-t-truncate-the-file-when-delete-fails.patch new file mode 100644 index 00000000000..a9723580b9b --- /dev/null +++ b/queue-4.4/hpfs-don-t-truncate-the-file-when-delete-fails.patch 
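Review bot: The relocated ELOOP check carries no comment explaining why it must live after finish_open: rather than at finish_lookup, so the reason from the changelog (d_is_symlink() on path.dentry is not reliable while still in RCU mode) will be lost and someone may move it back. Add above the new `if`: `/* must run after leaving RCU mode: d_is_symlink() on an unlegitimized dentry is not reliable */`. The check now also runs after audit_inode(), so the inode is audited even when -ELOOP is returned; presumably intended, but worth a word in the changelog. do_last's body starts and ends outside the hunk.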
@@ -0,0 +1,86 @@ +From b6853f78e763d42c7a158d8de3549c9827c604ab Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 25 Feb 2016 18:17:38 +0100 +Subject: hpfs: don't truncate the file when delete fails + +From: Mikulas Patocka + +commit b6853f78e763d42c7a158d8de3549c9827c604ab upstream. + +The delete opration can allocate additional space on the HPFS filesystem +due to btree split. The HPFS driver checks in advance if there is +available space, so that it won't corrupt the btree if we run out of space +during splitting. + +If there is not enough available space, the HPFS driver attempted to +truncate the file, but this results in a deadlock since the commit +7dd29d8d865efdb00c0542a5d2c87af8c52ea6c7 ("HPFS: Introduce a global mutex +and lock it on every callback from VFS"). + +This patch removes the code that tries to truncate the file and -ENOSPC is +returned instead. If the user hits -ENOSPC on delete, he should try to +delete other files (that are stored in a leaf btree node), so that the +delete operation will make some space for deleting the file stored in +non-leaf btree node. 
+ +Reported-by: Al Viro +Signed-off-by: Mikulas Patocka +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hpfs/namei.c | 31 +++---------------------------- + 1 file changed, 3 insertions(+), 28 deletions(-) + +--- a/fs/hpfs/namei.c ++++ b/fs/hpfs/namei.c +@@ -375,12 +375,11 @@ static int hpfs_unlink(struct inode *dir + struct inode *inode = d_inode(dentry); + dnode_secno dno; + int r; +- int rep = 0; + int err; + + hpfs_lock(dir->i_sb); + hpfs_adjust_length(name, &len); +-again: ++ + err = -ENOENT; + de = map_dirent(dir, hpfs_i(dir)->i_dno, name, len, &dno, &qbh); + if (!de) +@@ -400,33 +399,9 @@ again: + hpfs_error(dir->i_sb, "there was error when removing dirent"); + err = -EFSERROR; + break; +- case 2: /* no space for deleting, try to truncate file */ +- ++ case 2: /* no space for deleting */ + err = -ENOSPC; +- if (rep++) +- break; +- +- dentry_unhash(dentry); +- if (!d_unhashed(dentry)) { +- hpfs_unlock(dir->i_sb); +- return -ENOSPC; +- } +- if (generic_permission(inode, MAY_WRITE) || +- !S_ISREG(inode->i_mode) || +- get_write_access(inode)) { +- d_rehash(dentry); +- } else { +- struct iattr newattrs; +- /*pr_info("truncating file before delete.\n");*/ +- newattrs.ia_size = 0; +- newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME; +- err = notify_change(dentry, &newattrs, NULL); +- put_write_access(inode); +- if (!err) +- goto again; +- } +- hpfs_unlock(dir->i_sb); +- return -ENOSPC; ++ break; + default: + drop_nlink(inode); + err = 0; diff --git a/queue-4.4/i2c-i801-adding-intel-lewisburg-support-for-itco.patch b/queue-4.4/i2c-i801-adding-intel-lewisburg-support-for-itco.patch new file mode 100644 index 00000000000..48478f742fc --- /dev/null +++ b/queue-4.4/i2c-i801-adding-intel-lewisburg-support-for-itco.patch 
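Review bot: The new `case 2: /* no space for deleting */` comment drops the one non-obvious fact, that truncating here deadlocks because notify_change() re-enters the filesystem under hpfs_lock; without it a future reader may reinstate the fallback. Suggest `case 2: /* no space for deleting (btree split); do not try to free space by truncating here, notify_change() re-takes hpfs_lock and deadlocks */`. The code after the switch (the common unlock and return) is outside the hunk, so I am assuming `break` with `err = -ENOSPC` now reaches the same exit as the other error cases.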
@@ -0,0 +1,38 @@ +From 1a1503c5396eb7f2edf4b8ef6067853014478c0c Mon Sep 17 00:00:00 2001 +From: Alexandra Yates +Date: Wed, 17 Feb 2016 18:21:21 -0800 +Subject: i2c: i801: Adding Intel Lewisburg support for iTCO + +From: Alexandra Yates + +commit 1a1503c5396eb7f2edf4b8ef6067853014478c0c upstream. + +Starting from Intel Sunrisepoint (Skylake PCH) the iTCO watchdog +resources have been moved to reside under the i801 SMBus host +controller whereas previously they were under the LPC device. + +This patch adds Intel lewisburg SMBus support for iTCO device. +It allows to load watchdog dynamically when the hardware is +present. + +Fixes: cdc5a3110e7c ("i2c: i801: add Intel Lewisburg device IDs") +Reviewed-by: Jean Delvare +Signed-off-by: Alexandra Yates +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-i801.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -1271,6 +1271,8 @@ static int i801_probe(struct pci_dev *de + switch (dev->device) { + case PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_SMBUS: + case PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_SMBUS: ++ case PCI_DEVICE_ID_INTEL_LEWISBURG_SMBUS: ++ case PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS: + case PCI_DEVICE_ID_INTEL_DNV_SMBUS: + priv->features |= FEATURE_I2C_BLOCK_READ; + priv->features |= FEATURE_IRQ; diff --git a/queue-4.4/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch b/queue-4.4/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch new file mode 100644 index 00000000000..776cb44fe08 --- /dev/null +++ b/queue-4.4/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch 
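Review bot: The two new case labels compile only if `PCI_DEVICE_ID_INTEL_LEWISBURG_SMBUS` and `PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS` are already defined in the 4.4 tree; the Fixes: tag names cdc5a3110e7c as the commit that added them, and if that commit is not in 4.4.y or this queue, the backport breaks the build. Worth confirming before release rather than after. i801_probe starts and ends outside the hunk.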
@@ -0,0 +1,53 @@ +From 59ceeaaf355fa0fb16558ef7c24413c804932ada Mon Sep 17 00:00:00 2001 +From: Simon Guinot +Date: Thu, 10 Sep 2015 00:15:18 +0200 +Subject: kernel/resource.c: fix muxed resource handling in __request_region() + +From: Simon Guinot + +commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream. + +In __request_region, if a conflict with a BUSY and MUXED resource is +detected, then the caller goes to sleep and waits for the resource to be +released. A pointer on the conflicting resource is kept. At wake-up +this pointer is used as a parent to retry to request the region. + +A first problem is that this pointer might well be invalid (if for +example the conflicting resource have already been freed). Another +problem is that the next call to __request_region() fails to detect a +remaining conflict. The previously conflicting resource is passed as a +parameter and __request_region() will look for a conflict among the +children of this resource and not at the resource itself. It is likely +to succeed anyway, even if there is still a conflict. + +Instead, the parent of the conflicting resource should be passed to +__request_region(). + +As a fix, this patch doesn't update the parent resource pointer in the +case we have to wait for a muxed region right after. + +Reported-and-tested-by: Vincent Pelletier +Signed-off-by: Simon Guinot +Tested-by: Vincent Donnefort +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/resource.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -1083,9 +1083,10 @@ struct resource * __request_region(struc + if (!conflict) + break; + if (conflict != parent) { +- parent = conflict; +- if (!(conflict->flags & IORESOURCE_BUSY)) ++ if (!(conflict->flags & IORESOURCE_BUSY)) { ++ parent = conflict; + continue; ++ } + } + if (conflict->flags & flags & IORESOURCE_MUXED) { + add_wait_queue(&muxed_resource_wait, &wait); 
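Review bot: The fix depends on an invariant that lives only in the changelog: `parent` must stay at the level where the busy conflict was found, because the conflicting resource may be freed while we sleep on the muxed wait queue and the retry has to re-check that level. A comment at the changed branch would keep that from being refactored away: `/* only descend into a non-busy conflict; a busy one may be muxed and freed while we sleep, so retry from the same parent after wake-up */`. The loop of __request_region starts and ends outside the hunk.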
diff --git a/queue-4.4/kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch b/queue-4.4/kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
new file mode 100644
index 00000000000..e418cf07b40
--- /dev/null
+++ b/queue-4.4/kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
@@ -0,0 +1,93 @@ +From 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Feb 2016 14:47:31 +0000 +Subject: KVM: arm/arm64: vgic: Ensure bitmaps are long enough + +From: Mark Rutland + +commit 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 upstream. + +When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of +bits we need by 8 to figure out how many bytes to allocate. However, +bitmap elements are always accessed as unsigned longs, and if we didn't +happen to allocate a size such that size % sizeof(unsigned long) == 0, +bitmap accesses may go past the end of the allocation. + +When using KASAN (which does byte-granular access checks), this results +in a continuous stream of BUGs whenever these bitmaps are accessed: + +============================================================================= +BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected +----------------------------------------------------------------------------- + +INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730 +INFO: Slab 0xffffffbde6d5da40 objects=16 used=15 fp=0xffffffc935769700 flags=0x4000000000000080 +INFO: Object 0xffffffc935769500 @offset=1280 fp=0x (null) + +Bytes b4 ffffffc9357694f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Object ffffffc935769560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+Object ffffffc935769570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Padding ffffffc9357695b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Padding ffffffc9357695c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Padding ffffffc9357695d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Padding ffffffc9357695e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +Padding ffffffc9357695f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: G B 4.4.0+ #17 +Hardware name: ARM Juno development board (r1) (DT) +Call trace: +[] dump_backtrace+0x0/0x280 +[] show_stack+0x14/0x20 +[] dump_stack+0x100/0x188 +[] print_trailer+0xfc/0x168 +[] object_err+0x3c/0x50 +[] kasan_report_error+0x244/0x558 +[] __asan_report_load8_noabort+0x48/0x50 +[] __bitmap_or+0xc0/0xc8 +[] kvm_vgic_flush_hwstate+0x1bc/0x650 +[] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60 +[] kvm_vcpu_ioctl+0x474/0xa68 +[] do_vfs_ioctl+0x5b8/0xcb0 +[] SyS_ioctl+0x8c/0xa0 +[] el0_svc_naked+0x24/0x28 +Memory state around the buggy address: + ffffffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffffffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fix the issue by always allocating a multiple of sizeof(unsigned long), +as we do elsewhere in the vgic code. 
+ +Fixes: c1bfb577a ("arm/arm64: KVM: vgic: switch to dynamic allocation") +Acked-by: Marc Zyngier +Acked-by: Christoffer Dall +Signed-off-by: Mark Rutland +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/virt/kvm/arm/vgic.c ++++ b/virt/kvm/arm/vgic.c +@@ -1875,8 +1875,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vc + static int vgic_vcpu_init_maps(struct kvm_vcpu *vcpu, int nr_irqs) + { + struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; +- +- int sz = (nr_irqs - VGIC_NR_PRIVATE_IRQS) / 8; ++ int nr_longs = BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS); ++ int sz = nr_longs * sizeof(unsigned long); + vgic_cpu->pending_shared = kzalloc(sz, GFP_KERNEL); + vgic_cpu->active_shared = kzalloc(sz, GFP_KERNEL); + vgic_cpu->pend_act_shared = kzalloc(sz, GFP_KERNEL); diff --git a/queue-4.4/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch b/queue-4.4/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch new file mode 100644 index 00000000000..e49c815d0e7 --- /dev/null +++ b/queue-4.4/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch 
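Review bot: `nr_irqs - VGIC_NR_PRIVATE_IRQS` is a signed int fed into BITS_TO_LONGS(), which rounds up with unsigned arithmetic, so a value of nr_irqs below VGIC_NR_PRIVATE_IRQS would wrap into a huge allocation request; presumably the attribute path that sets nr_irqs rejects such values, but that is not visible here. Using `size_t nr_longs = BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS);` with `vgic_cpu->pending_shared = kcalloc(nr_longs, sizeof(unsigned long), GFP_KERNEL);` (and likewise for the other two bitmaps) documents the element type the commit message relies on and gets the multiplication overflow check for free. The NULL checks for these allocations are below the hunk; vgic_vcpu_init_maps continues outside it.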
@@ -0,0 +1,52 @@ +From d7444794a02ff655eda87e3cc54e86b940e7736f Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Fri, 19 Feb 2016 13:11:46 +0100 +Subject: KVM: async_pf: do not warn on page allocation failures + +From: Christian Borntraeger + +commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream. + +In async_pf we try to allocate with NOWAIT to get an element quickly +or fail. This code also handle failures gracefully. Lets silence +potential page allocation failures under load. + +qemu-system-s39: page allocation failure: order:0,mode:0x2200000 +[...] +Call Trace: +([<00000000001146b8>] show_trace+0xf8/0x148) +[<000000000011476a>] show_stack+0x62/0xe8 +[<00000000004a36b8>] dump_stack+0x70/0x98 +[<0000000000272c3a>] warn_alloc_failed+0xd2/0x148 +[<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38 +[<00000000002cd36a>] new_slab+0x382/0x400 +[<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378 +[<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0 +[<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198 +[<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58 +[<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690 +[<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510 +[<00000000002f68ec>] SyS_ioctl+0xa4/0xb8 +[<0000000000781c5e>] system_call+0xd6/0x264 +[<000003ffa24fa06a>] 0x3ffa24fa06a + +Signed-off-by: Christian Borntraeger +Reviewed-by: Dominik Dingel +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/async_pf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/virt/kvm/async_pf.c ++++ b/virt/kvm/async_pf.c +@@ -173,7 +173,7 @@ int kvm_setup_async_pf(struct kvm_vcpu * + * do alloc nowait since if we are going to sleep anyway we + * may as well sleep faulting in page + */ +- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT); ++ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN); + if (!work) + return 0; + 
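Review bot: The comment block above the allocation still explains only GFP_NOWAIT; the new `__GFP_NOWARN` has no justification at the site, even though the `if (!work) return 0;` directly below is the reason a failed allocation is not worth a warning. Suggest extending the block comment with ` * __GFP_NOWARN: allocation failure under memory pressure is expected here and is handled by the caller taking the slow path instead.` — that the slow path is a synchronous fault is inferred from the existing "may as well sleep faulting in page" wording, so confirm it against the caller. kvm_setup_async_pf starts before the hunk and continues after it.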
diff --git a/queue-4.4/kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch b/queue-4.4/kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
new file mode 100644
index 00000000000..5e4178da606
--- /dev/null
+++ b/queue-4.4/kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
@@ -0,0 +1,57 @@ +From 0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 19 Feb 2016 18:07:21 +0100 +Subject: KVM: x86: fix conversion of addresses to linear in 32-bit protected mode + +From: Paolo Bonzini + +commit 0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70 upstream. + +Commit e8dd2d2d641c ("Silence compiler warning in arch/x86/kvm/emulate.c", +2015-09-06) broke boot of the Hurd. The bug is that the "default:" +case actually could modify "la", but after the patch this change is +not reflected in *linear. + +The bug is visible whenever a non-zero segment base causes the linear +address to wrap around the 4GB mark. + +Fixes: e8dd2d2d641cb2724ee10e76c0ad02e04289c017 +Reported-by: Aurelien Jarno +Tested-by: Aurelien Jarno +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -650,10 +650,10 @@ static __always_inline int __linearize(s + u16 sel; + + la = seg_base(ctxt, addr.seg) + addr.ea; +- *linear = la; + *max_size = 0; + switch (mode) { + case X86EMUL_MODE_PROT64: ++ *linear = la; + if (is_noncanonical_address(la)) + goto bad; + +@@ -662,6 +662,7 @@ static __always_inline int __linearize(s + goto bad; + break; + default: ++ *linear = la = (u32)la; + usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL, + addr.seg); + if (!usable) +@@ -689,7 +690,6 @@ static __always_inline int __linearize(s + if (size > *max_size) + goto bad; + } +- la &= (u32)-1; + break; + } + if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0)) diff --git a/queue-4.4/kvm-x86-fix-missed-hardware-breakpoints.patch b/queue-4.4/kvm-x86-fix-missed-hardware-breakpoints.patch new file mode 100644 index 00000000000..347e1a365d7 --- /dev/null +++ b/queue-4.4/kvm-x86-fix-missed-hardware-breakpoints.patch 
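Review bot: In the `default:` case `*linear = la = (u32)la;` is stored before the segment is validated (`usable = ctxt->ops->get_segment(...)` followed by `goto bad`), so a caller that ignores the return code sees a truncated linear address even when __linearize fails. The old unconditional `*linear = la;` had the same property, so this is not a regression, but now that the store is per-mode it looks deliberate; a comment above the switch such as `/* *linear is only meaningful when X86EMUL_CONTINUE is returned */` would pin the contract. The trailing `insn_aligned()` check now operates on the already-truncated `la`, which is consistent with the removed `la &= (u32)-1;`. __linearize starts before the hunk and continues after it.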
@@ -0,0 +1,130 @@ +From 172b2386ed16a9143d9a456aae5ec87275c61489 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 10 Feb 2016 17:50:23 +0100 +Subject: KVM: x86: fix missed hardware breakpoints + +From: Paolo Bonzini + +commit 172b2386ed16a9143d9a456aae5ec87275c61489 upstream. + +Sometimes when setting a breakpoint a process doesn't stop on it. +This is because the debug registers are not loaded correctly on +VCPU load. + +The following simple reproducer from Oleg Nesterov tries using debug +registers in two threads. To see the bug, run a 2-VCPU guest with +"taskset -c 0" and run "./bp 0 1" inside the guest. + + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER) + + unsigned long encode_dr7(int drnum, int enable, unsigned int type, unsigned int len) + { + unsigned long dr7; + + dr7 = ((len | type) & 0xf) + << (DR_CONTROL_SHIFT + drnum * DR_CONTROL_SIZE); + if (enable) + dr7 |= (DR_GLOBAL_ENABLE << (drnum * DR_ENABLE_SIZE)); + + return dr7; + } + + int write_dr(int pid, int dr, unsigned long val) + { + return ptrace(PTRACE_POKEUSER, pid, + offsetof (struct user, u_debugreg[dr]), + val); + } + + void set_bp(pid_t pid, void *addr) + { + unsigned long dr7; + assert(write_dr(pid, 0, (long)addr) == 0); + dr7 = encode_dr7(0, 1, DR_RW_EXECUTE, DR_LEN_1); + assert(write_dr(pid, 7, dr7) == 0); + } + + void *get_rip(int pid) + { + return (void*)ptrace(PTRACE_PEEKUSER, pid, + offsetof(struct user, regs.rip), 0); + } + + void test(int nr) + { + void *bp_addr = &&label + nr, *bp_hit; + int pid; + + printf("test bp %d\n", nr); + assert(nr < 16); // see 16 asm nops below + + pid = fork(); + if (!pid) { + assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0); + kill(getpid(), SIGSTOP); + for (;;) { + label: asm ( + "nop; nop; nop; nop;" + "nop; nop; nop; nop;" + "nop; nop; nop; nop;" + "nop; nop; nop; nop;" + ); + } + } + + assert(pid == wait(NULL)); + set_bp(pid, bp_addr); 
+ + for (;;) { + assert(ptrace(PTRACE_CONT, pid, 0, 0) == 0); + assert(pid == wait(NULL)); + + bp_hit = get_rip(pid); + if (bp_hit != bp_addr) + fprintf(stderr, "ERR!! hit wrong bp %ld != %d\n", + bp_hit - &&label, nr); + } + } + + int main(int argc, const char *argv[]) + { + while (--argc) { + int nr = atoi(*++argv); + if (!fork()) + test(nr); + } + + while (wait(NULL) > 0) + ; + return 0; + } + +Suggested-by: Nadav Amit +Reported-by: Andrey Wagin +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2736,6 +2736,7 @@ void kvm_arch_vcpu_load(struct kvm_vcpu + } + + kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu); ++ vcpu->arch.switch_db_regs |= KVM_DEBUGREG_RELOAD; + } + + void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu) diff --git a/queue-4.4/kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch b/queue-4.4/kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch new file mode 100644 index 00000000000..c8368dd919c --- /dev/null +++ b/queue-4.4/kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch 
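Review bot: The new `vcpu->arch.switch_db_regs |= KVM_DEBUGREG_RELOAD;` in kvm_arch_vcpu_load has no comment, and nothing in the visible body says why a reload is forced on every load. Suggest placing `/* the debug registers may have been changed while this vCPU was scheduled out; force a reload before the next guest entry */` above it — the "changed while scheduled out" part is inferred from the two-thread reproducer in the commit message, so confirm it against the code that consumes KVM_DEBUGREG_RELOAD. kvm_arch_vcpu_load starts before the hunk.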
@@ -0,0 +1,100 @@ +From 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 Mon Sep 17 00:00:00 2001 +From: Mike Krinkin +Date: Wed, 24 Feb 2016 21:02:31 +0300 +Subject: KVM: x86: MMU: fix ubsan index-out-of-range warning + +From: Mike Krinkin + +commit 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 upstream. + +Ubsan reports the following warning due to a typo in +update_accessed_dirty_bits template, the patch fixes +the typo: + +[ 168.791851] ================================================================================ +[ 168.791862] UBSAN: Undefined behaviour in arch/x86/kvm/paging_tmpl.h:252:15 +[ 168.791866] index 4 is out of range for type 'u64 [4]' +[ 168.791871] CPU: 0 PID: 2950 Comm: qemu-system-x86 Tainted: G O L 4.5.0-rc5-next-20160222 #7 +[ 168.791873] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013 +[ 168.791876] 0000000000000000 ffff8801cfcaf208 ffffffff81c9f780 0000000041b58ab3 +[ 168.791882] ffffffff82eb2cc1 ffffffff81c9f6b4 ffff8801cfcaf230 ffff8801cfcaf1e0 +[ 168.791886] 0000000000000004 0000000000000001 0000000000000000 ffffffffa1981600 +[ 168.791891] Call Trace: +[ 168.791899] [] dump_stack+0xcc/0x12c +[ 168.791904] [] ? _atomic_dec_and_lock+0xc4/0xc4 +[ 168.791910] [] ubsan_epilogue+0xd/0x8a +[ 168.791914] [] __ubsan_handle_out_of_bounds+0x15c/0x1a3 +[ 168.791918] [] ? __ubsan_handle_shift_out_of_bounds+0x2bd/0x2bd +[ 168.791922] [] ? get_user_pages_fast+0x2bf/0x360 +[ 168.791954] [] ? kvm_largepages_enabled+0x30/0x30 [kvm] +[ 168.791958] [] ? __get_user_pages_fast+0x360/0x360 +[ 168.791987] [] paging64_walk_addr_generic+0x1b28/0x2600 [kvm] +[ 168.792014] [] ? init_kvm_mmu+0x1100/0x1100 [kvm] +[ 168.792019] [] ? debug_check_no_locks_freed+0x350/0x350 +[ 168.792044] [] ? init_kvm_mmu+0x1100/0x1100 [kvm] +[ 168.792076] [] paging64_gva_to_gpa+0x7d/0x110 [kvm] +[ 168.792121] [] ? paging64_walk_addr_generic+0x2600/0x2600 [kvm] +[ 168.792130] [] ? 
debug_lockdep_rcu_enabled+0x7b/0x90 +[ 168.792178] [] emulator_read_write_onepage+0x27a/0x1150 [kvm] +[ 168.792208] [] ? __kvm_read_guest_page+0x54/0x70 [kvm] +[ 168.792234] [] ? kvm_task_switch+0x160/0x160 [kvm] +[ 168.792238] [] ? debug_lockdep_rcu_enabled+0x7b/0x90 +[ 168.792263] [] emulator_read_write+0xe7/0x6d0 [kvm] +[ 168.792290] [] ? em_cr_write+0x230/0x230 [kvm] +[ 168.792314] [] emulator_write_emulated+0x15/0x20 [kvm] +[ 168.792340] [] segmented_write+0xf8/0x130 [kvm] +[ 168.792367] [] ? em_lgdt+0x20/0x20 [kvm] +[ 168.792374] [] ? vmx_read_guest_seg_ar+0x42/0x1e0 [kvm_intel] +[ 168.792400] [] writeback+0x3f2/0x700 [kvm] +[ 168.792424] [] ? em_sidt+0xa0/0xa0 [kvm] +[ 168.792449] [] ? x86_decode_insn+0x1b3d/0x4f70 [kvm] +[ 168.792474] [] x86_emulate_insn+0x572/0x3010 [kvm] +[ 168.792499] [] x86_emulate_instruction+0x3bd/0x2110 [kvm] +[ 168.792524] [] ? reexecute_instruction.part.110+0x2e0/0x2e0 [kvm] +[ 168.792532] [] handle_ept_misconfig+0x61/0x460 [kvm_intel] +[ 168.792539] [] ? handle_pause+0x450/0x450 [kvm_intel] +[ 168.792546] [] vmx_handle_exit+0xd6a/0x1ad0 [kvm_intel] +[ 168.792572] [] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm] +[ 168.792597] [] kvm_arch_vcpu_ioctl_run+0xd3d/0x6090 [kvm] +[ 168.792621] [] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm] +[ 168.792627] [] ? __ww_mutex_lock_interruptible+0x1630/0x1630 +[ 168.792651] [] ? kvm_arch_vcpu_runnable+0x4f0/0x4f0 [kvm] +[ 168.792656] [] ? preempt_notifier_unregister+0x190/0x190 +[ 168.792681] [] ? kvm_arch_vcpu_load+0x127/0x650 [kvm] +[ 168.792704] [] kvm_vcpu_ioctl+0x553/0xda0 [kvm] +[ 168.792727] [] ? vcpu_put+0x40/0x40 [kvm] +[ 168.792732] [] ? debug_check_no_locks_freed+0x350/0x350 +[ 168.792735] [] ? _raw_spin_unlock+0x27/0x40 +[ 168.792740] [] ? handle_mm_fault+0x1673/0x2e40 +[ 168.792744] [] ? trace_hardirqs_on_caller+0x478/0x6c0 +[ 168.792747] [] ? trace_hardirqs_on+0xd/0x10 +[ 168.792751] [] ? 
debug_lockdep_rcu_enabled+0x7b/0x90 +[ 168.792756] [] do_vfs_ioctl+0x1b0/0x12b0 +[ 168.792759] [] ? ioctl_preallocate+0x210/0x210 +[ 168.792763] [] ? __fget+0x273/0x4a0 +[ 168.792766] [] ? __fget+0x50/0x4a0 +[ 168.792770] [] ? __fget_light+0x96/0x2b0 +[ 168.792773] [] SyS_ioctl+0x79/0x90 +[ 168.792777] [] entry_SYSCALL_64_fastpath+0x23/0xc1 +[ 168.792780] ================================================================================ + +Signed-off-by: Mike Krinkin +Reviewed-by: Xiao Guangrong +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/paging_tmpl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -249,7 +249,7 @@ static int FNAME(update_accessed_dirty_b + return ret; + + kvm_vcpu_mark_page_dirty(vcpu, table_gfn); +- walker->ptes[level] = pte; ++ walker->ptes[level - 1] = pte; + } + return 0; + } diff --git a/queue-4.4/nfs-fix-nfs_size_to_loff_t.patch b/queue-4.4/nfs-fix-nfs_size_to_loff_t.patch new file mode 100644 index 00000000000..63ee07d9bb7 --- /dev/null +++ b/queue-4.4/nfs-fix-nfs_size_to_loff_t.patch 
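Review bot: `walker->ptes[level - 1] = pte;` fixes the index but leaves the convention implicit; the UBSAN report in the description ("index 4 is out of range for type 'u64 [4]'") shows `level` is 1-based while `ptes[]` is 0-based. A short `/* ptes[] is indexed by level - 1 */` on the assignment, matching however the walker fills the array elsewhere in the file, makes the typo harder to reintroduce. FNAME(update_accessed_dirty_bits) starts before the hunk, and the loop that binds `level` is outside it, so whether `level` can be 0 at this point cannot be checked from the hunk.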
@@ -0,0 +1,39 @@ +From 50ab8ec74a153eb30db26529088bc57dd700b24c Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 8 Feb 2016 21:11:50 +0100 +Subject: nfs: fix nfs_size_to_loff_t + +From: Christoph Hellwig + +commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream. + +See http: //www.infradead.org/rpr.html +X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org +Content-Transfer-Encoding: 8bit +Mime-Version: 1.0 + +We support OFFSET_MAX just fine, so don't round down below it. Also +switch to using min_t to make the helper more readable. + +Signed-off-by: Christoph Hellwig +Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/nfs_fs.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/include/linux/nfs_fs.h ++++ b/include/linux/nfs_fs.h +@@ -544,9 +544,7 @@ extern int nfs_readpage_async(struct nf + + static inline loff_t nfs_size_to_loff_t(__u64 size) + { +- if (size > (__u64) OFFSET_MAX - 1) +- return OFFSET_MAX - 1; +- return (loff_t) size; ++ return min_t(u64, size, OFFSET_MAX); + } + + static inline ino_t diff --git a/queue-4.4/nfsv4-fix-a-dentry-leak-on-alias-use.patch b/queue-4.4/nfsv4-fix-a-dentry-leak-on-alias-use.patch new file mode 100644 index 00000000000..8c2e2d2aaf6 --- /dev/null +++ b/queue-4.4/nfsv4-fix-a-dentry-leak-on-alias-use.patch 
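Review bot: `return min_t(u64, size, OFFSET_MAX);` relies on an implicit u64-to-loff_t conversion at the return, which is safe only because the result is bounded by OFFSET_MAX; a one-line `/* bounded by OFFSET_MAX, so the u64 -> loff_t conversion cannot overflow */` would make that explicit. Separately, the queued patch's description carries stray mail-envelope headers (`X-Evolution-Source`, `Content-Transfer-Encoding`, `Mime-Version`) that do not belong in the commit log; they are harmless to `git am` but worth stripping before the patch is applied.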
@@ -0,0 +1,36 @@ +From d9dfd8d741683347ee159d25f5b50c346a0df557 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Wed, 17 Feb 2016 10:41:41 -0500 +Subject: NFSv4: Fix a dentry leak on alias use + +From: Benjamin Coddington + +commit d9dfd8d741683347ee159d25f5b50c346a0df557 upstream. + +In the case where d_add_unique() finds an appropriate alias to use it will +have already incremented the reference count. An additional dget() to swap +the open context's dentry is unnecessary and will leak a reference. + +Signed-off-by: Benjamin Coddington +Fixes: 275bb307865a3 ("NFSv4: Move dentry instantiation into the NFSv4-...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2461,9 +2461,9 @@ static int _nfs4_open_and_get_state(stru + dentry = d_add_unique(dentry, igrab(state->inode)); + if (dentry == NULL) { + dentry = opendata->dentry; +- } else if (dentry != ctx->dentry) { ++ } else { + dput(ctx->dentry); +- ctx->dentry = dget(dentry); ++ ctx->dentry = dentry; + } + nfs_set_verifier(dentry, + nfs_save_change_attribute(d_inode(opendata->dir))); diff --git a/queue-4.4/of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch b/queue-4.4/of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch new file mode 100644 index 00000000000..62eabf66629 --- /dev/null +++ b/queue-4.4/of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch 
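Review bot: The `else` branch now stores the alias returned by `d_add_unique()` into `ctx->dentry` without a `dget()`, which is correct only because `d_add_unique()` hands back an already-referenced alias; that ownership transfer is stated in the commit message but not at the code. Suggest `/* d_add_unique() returned a referenced alias; hand that reference to ctx */` above the `dput(ctx->dentry);` line. _nfs4_open_and_get_state starts before the hunk and continues after it.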
@@ -0,0 +1,54 @@ +From 5d589d81acf974d23af98044aac56c6339d659f8 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Tue, 9 Feb 2016 11:04:45 +0000 +Subject: of/irq: Fix msi-map calculation for nonzero rid-base + +From: Robin Murphy + +commit 5d589d81acf974d23af98044aac56c6339d659f8 upstream. + +The existing msi-map code is fine for shifting the entire RID space +upwards, but attempting finer-grained remapping reveals a bug. It turns +out that we are mistakenly treating the msi-base part as an offset, not +as a new base to remap onto, so things get squiffy when rid-base is +nonzero. Fix this, and at the same time add a sanity check against +having msi-map-mask clash with a nonzero rid-base, as that's another +thing one can easily get wrong. + +Signed-off-by: Robin Murphy +Reviewed-by: Marc Zyngier +Tested-by: Stuart Yoder +Acked-by: Mark Rutland +Acked-by: David Daney +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/irq.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -636,6 +636,13 @@ static u32 __of_msi_map_rid(struct devic + msi_base = be32_to_cpup(msi_map + 2); + rid_len = be32_to_cpup(msi_map + 3); + ++ if (rid_base & ~map_mask) { ++ dev_err(parent_dev, ++ "Invalid msi-map translation - msi-map-mask (0x%x) ignores rid-base (0x%x)\n", ++ map_mask, rid_base); ++ return rid_out; ++ } ++ + msi_controller_node = of_find_node_by_phandle(phandle); + + matched = (masked_rid >= rid_base && +@@ -655,7 +662,7 @@ static u32 __of_msi_map_rid(struct devic + if (!matched) + return rid_out; + +- rid_out = masked_rid + msi_base; ++ rid_out = masked_rid - rid_base + msi_base; + dev_dbg(dev, + "msi-map at: %s, using mask %08x, rid-base: %08x, msi-base: %08x, length: %08x, rid: %08x -> %08x\n", + dev_name(parent_dev), map_mask, rid_base, msi_base, 
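Review bot: The new `if (rid_base & ~map_mask)` guard logs and then returns `rid_out`, but nothing at the site says what the caller receives in that case; judging from the `if (!matched) return rid_out;` path below it is the untranslated RID, so a malformed msi-map silently degrades to identity mapping. Suggest `/* malformed entry: fall back to the untranslated RID, as for an unmatched map */` above the `return rid_out;` inside the guard, after confirming how rid_out is initialised earlier in the function. The guard sits before `of_find_node_by_phandle()`, so there is no node reference to drop on that path. __of_msi_map_rid starts before the hunk and continues after it.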
diff --git a/queue-4.4/phy-core-fix-wrong-err-handle-for-phy_power_on.patch b/queue-4.4/phy-core-fix-wrong-err-handle-for-phy_power_on.patch
new file mode 100644
index 00000000000..5bac63f904b
--- /dev/null
+++ b/queue-4.4/phy-core-fix-wrong-err-handle-for-phy_power_on.patch
@@ -0,0 +1,77 @@ +From b82fcabe212a11698fd4b3e604d2f81d929d22f6 Mon Sep 17 00:00:00 2001 +From: Shawn Lin +Date: Thu, 28 Jan 2016 16:14:18 +0800 +Subject: phy: core: fix wrong err handle for phy_power_on + +From: Shawn Lin + +commit b82fcabe212a11698fd4b3e604d2f81d929d22f6 upstream. + +If phy_pm_runtime_get_sync failed but we already +enable regulator, current code return directly without +doing regulator_disable. This patch fix this problem +and cleanup err handle of phy_power_on to be more readable. + +Fixes: 3be88125d85d ("phy: core: Support regulator ...") +Cc: Roger Quadros +Cc: Axel Lin +Signed-off-by: Shawn Lin +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/phy-core.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/phy/phy-core.c ++++ b/drivers/phy/phy-core.c +@@ -275,20 +275,21 @@ EXPORT_SYMBOL_GPL(phy_exit); + + int phy_power_on(struct phy *phy) + { +- int ret; ++ int ret = 0; + + if (!phy) +- return 0; ++ goto out; + + if (phy->pwr) { + ret = regulator_enable(phy->pwr); + if (ret) +- return ret; ++ goto out; + } + + ret = phy_pm_runtime_get_sync(phy); + if (ret < 0 && ret != -ENOTSUPP) +- return ret; ++ goto err_pm_sync; ++ + ret = 0; /* Override possible ret == -ENOTSUPP */ + + mutex_lock(&phy->mutex); +@@ -296,19 +297,20 @@ int phy_power_on(struct phy *phy) + ret = phy->ops->power_on(phy); + if (ret < 0) { + dev_err(&phy->dev, "phy poweron failed --> %d\n", ret); +- goto out; ++ goto err_pwr_on; + } + } + ++phy->power_count; + mutex_unlock(&phy->mutex); + return 0; + +-out: ++err_pwr_on: + mutex_unlock(&phy->mutex); + phy_pm_runtime_put_sync(phy); ++err_pm_sync: + if (phy->pwr) + regulator_disable(phy->pwr); +- ++out: + return ret; + } + EXPORT_SYMBOL_GPL(phy_power_on); diff --git a/queue-4.4/powerpc-eeh-fix-partial-hotplug-criterion.patch b/queue-4.4/powerpc-eeh-fix-partial-hotplug-criterion.patch new file mode 100644 index 00000000000..26c6938dbf9 --- /dev/null 
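Review bot: The `err_pm_sync` path skips `phy_pm_runtime_put_sync()` after a failed `phy_pm_runtime_get_sync()`; if that wrapper behaves like `pm_runtime_get_sync()`, which increments the usage count even when it returns an error, the count is left unbalanced on that path — worth confirming against the wrapper before treating this backport as complete. On style, replacing `return 0;` with `ret = 0` plus `goto out` for the `!phy` case adds a jump for a plain early return; `if (!phy) return 0;` reads more directly and the label chain still covers the real cleanup. The whole of phy_power_on is inside the hunk.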
+++ b/queue-4.4/powerpc-eeh-fix-partial-hotplug-criterion.patch
@@ -0,0 +1,44 @@
+From f6bf0fa14cf848ae770e0b7842c9b11ce2f01645 Mon Sep 17 00:00:00 2001
+From: Gavin Shan
+Date: Fri, 12 Feb 2016 16:03:05 +1100
+Subject: powerpc/eeh: Fix partial hotplug criterion
+
+From: Gavin Shan
+
+commit f6bf0fa14cf848ae770e0b7842c9b11ce2f01645 upstream.
+
+During error recovery, the device could be removed as part of the
+partial hotplug. The criterion used to come with partial hotplug
+is: if the device driver provides error_detected(), slot_reset()
+and resume() callbacks, it's immune from hotplug. Otherwise,
+it's going to experience partial hotplug during EEH recovery. But
+the criterion isn't correct enough: mlx4_core driver for Mellanox
+adapters provides error_detected(), slot_reset() callbacks, but
+resume() isn't there. Those Mellanox adapters won't be to involved
+in the partial hotplug.
+
+This fixes the criterion to a practical one: adpater with driver
+that provides error_detected(), slot_reset() will be immune from
+partial hotplug. resume() isn't mandatory.
+
+Fixes: f2da4ccf ("powerpc/eeh: More relaxed hotplug criterion")
+Signed-off-by: Gavin Shan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/eeh_driver.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -418,8 +418,7 @@ static void *eeh_rmv_device(void *data,
+ eeh_pcid_put(dev);
+ if (driver->err_handler &&
+ driver->err_handler->error_detected &&
+- driver->err_handler->slot_reset &&
+- driver->err_handler->resume)
++ driver->err_handler->slot_reset)
+ return NULL;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 11889c19809..dad0c3c90dc 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
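Review bot: The relaxed criterion in eeh_rmv_device is now encoded only in the `if` condition; the reason `resume` was dropped (drivers such as mlx4_core provide `error_detected` and `slot_reset` without it, per the commit message) should live at the code so the next reader does not "complete" the check again. Suggest a comment above the `if (driver->err_handler &&` line: `/* A driver providing error_detected() and slot_reset() handles recovery itself and is exempt from partial hotplug; resume() is optional. */`. eeh_rmv_device starts before the hunk and continues after it.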
@@ -288,3 +288,34 @@ arcv2-star-9000950267-handle-return-from-intr-to-delay-slot-2.patch
 arcv2-smp-emulate-ipi-to-self-using-software-triggered-interrupt.patch
 pci-aer-flush-workqueue-on-device-remove-to-avoid-use-after-free.patch
 cpuset-make-mm-migration-asynchronous.patch
+cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch
+writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch
+phy-core-fix-wrong-err-handle-for-phy_power_on.patch
+i2c-i801-adding-intel-lewisburg-support-for-itco.patch
+bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
+block-fix-use-after-free-in-dio_bio_complete.patch
+nfs-fix-nfs_size_to_loff_t.patch
+nfsv4-fix-a-dentry-leak-on-alias-use.patch
+of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch
+kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
+kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
+kvm-x86-fix-missed-hardware-breakpoints.patch
+kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
+kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch
+powerpc-eeh-fix-partial-hotplug-criterion.patch
+tracing-fix-showing-function-event-in-available_events.patch
+sunrpc-cache-fix-off-by-one-in-qword_get.patch
+kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
+do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
+arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch
+arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch
+xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
+xen-scsiback-correct-frontend-counting.patch
+xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
+xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
+xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
+should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
+do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch
+hpfs-don-t-truncate-the-file-when-delete-fails.patch
+x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch
+x86-entry-compat-add-missing-clac-to-entry_int80_32.patch
diff --git a/queue-4.4/should_follow_link-validate-d_seq-after-having-decided-to-follow.patch b/queue-4.4/should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
new file mode 100644
index 00000000000..a274f1fbb8b
--- /dev/null
+++ b/queue-4.4/should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
@@ -0,0 +1,33 @@
+From a7f775428b8f5808815c0e3004020cedb94cbe3b Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 27 Feb 2016 19:31:01 -0500
+Subject: should_follow_link(): validate ->d_seq after having decided to follow
+
+From: Al Viro
+
+commit a7f775428b8f5808815c0e3004020cedb94cbe3b upstream.
+
+... otherwise d_is_symlink() above might have nothing to do with
+the inode value we've got.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1711,6 +1711,11 @@ static inline int should_follow_link(str
+ return 0;
+ if (!follow)
+ return 0;
++ /* make sure that d_is_symlink above matches inode */
++ if (nd->flags & LOOKUP_RCU) {
++ if (read_seqcount_retry(&link->dentry->d_seq, seq))
++ return -ECHILD;
++ }
+ return pick_link(nd, link, inode, seq);
+ }
+
diff --git a/queue-4.4/sunrpc-cache-fix-off-by-one-in-qword_get.patch b/queue-4.4/sunrpc-cache-fix-off-by-one-in-qword_get.patch
new file mode 100644
index 00000000000..e2e99a24473
--- /dev/null
+++ b/queue-4.4/sunrpc-cache-fix-off-by-one-in-qword_get.patch
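Review bot: The added guard is written as a nested `if`, while the neighbouring lines (`if (!follow) return 0;`) use flat guard clauses; the same check reads more consistently as `if ((nd->flags & LOOKUP_RCU) && read_seqcount_retry(&link->dentry->d_seq, seq)) return -ECHILD;`. The comment `/* make sure that d_is_symlink above matches inode */` could also say what the retry guards against, e.g. `/* in RCU mode the dentry may have changed since d_is_symlink(); re-check d_seq so inode still belongs to a symlink */`. should_follow_link starts before the hunk.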
@@ -0,0 +1,48 @@ +From b7052cd7bcf3c1478796e93e3dff2b44c9e82943 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Thu, 18 Feb 2016 18:55:54 +0000 +Subject: sunrpc/cache: fix off-by-one in qword_get() + +From: Stefan Hajnoczi + +commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream. + +The qword_get() function NUL-terminates its output buffer. If the input +string is in hex format \xXXXX... and the same length as the output +buffer, there is an off-by-one: + + int qword_get(char **bpp, char *dest, int bufsize) + { + ... + while (len < bufsize) { + ... + *dest++ = (h << 4) | l; + len++; + } + ... + *dest = '\0'; + return len; + } + +This patch ensures the NUL terminator doesn't fall outside the output +buffer. + +Signed-off-by: Stefan Hajnoczi +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, in + if (bp[0] == '\\' && bp[1] == 'x') { + /* HEX STRING */ + bp += 2; +- while (len < bufsize) { ++ while (len < bufsize - 1) { + int h, l; + + h = hex_to_bin(bp[0]); diff --git a/queue-4.4/tracing-fix-showing-function-event-in-available_events.patch b/queue-4.4/tracing-fix-showing-function-event-in-available_events.patch new file mode 100644 index 00000000000..c181ff23889 --- /dev/null +++ b/queue-4.4/tracing-fix-showing-function-event-in-available_events.patch 
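Review bot: `while (len < bufsize - 1)` now reserves a byte for the terminator, but nothing at the loop says so; suggest `/* leave room for the NUL terminator written after the loop */` on the `while` line, since the `*dest = '\0'` that consumes that byte is outside the hunk (the commit message quotes it). With `bufsize` an `int`, a caller passing 0 makes `bufsize - 1` negative, so the loop is skipped but the later terminator write still lands outside the buffer; that is pre-existing rather than introduced here, but a `bufsize > 0` precondition in the function's comment, or an early check, would close it. qword_get starts before the hunk and continues after it.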
@@ -0,0 +1,54 @@ +From d045437a169f899dfb0f6f7ede24cc042543ced9 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Wed, 24 Feb 2016 09:04:24 -0500 +Subject: tracing: Fix showing function event in available_events + +From: Steven Rostedt (Red Hat) + +commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream. + +The ftrace:function event is only displayed for parsing the function tracer +data. It is not used to enable function tracing, and does not include an +"enable" file in its event directory. + +Originally, this event was kept separate from other events because it did +not have a ->reg parameter. But perf added a "reg" parameter for its use +which caused issues, because it made the event available to functions where +it was not compatible for. + +Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable" +added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event +from being enabled by normal trace events. But this commit missed keeping +the function event from being displayed by the "available_events" directory, +which is used to show what events can be enabled by set_event. + +One documented way to enable all events is to: + + cat available_events > set_event + +But because the function event is displayed in the available_events, this +now causes an INVALID error: + + cat: write error: Invalid argument + +Reported-by: Chunyu Hu +Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable" +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -869,7 +869,8 @@ t_next(struct seq_file *m, void *v, loff + * The ftrace subsystem is for showing formats only. + * They can not be enabled or disabled via the event files. 
+ */ +- if (call->class && call->class->reg) ++ if (call->class && call->class->reg && ++ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) + return file; + } + diff --git a/queue-4.4/writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch b/queue-4.4/writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch new file mode 100644 index 00000000000..88f7b0ed3f5 --- /dev/null +++ b/queue-4.4/writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch 
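Review bot: The comment block directly above the changed condition ("The ftrace subsystem is for showing formats only. They can not be enabled or disabled via the event files.") explains the `call->class->reg` test but not the new `TRACE_EVENT_FL_IGNORE_ENABLE` clause, so the two now read as if they cover the same case. Suggest appending ` * Events flagged TRACE_EVENT_FL_IGNORE_ENABLE (e.g. ftrace:function) cannot be enabled through set_event either, so keep them out of available_events.` to that comment. t_next starts before the hunk and continues after it.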
@@ -0,0 +1,95 @@ +From 5ff8eaac1636bf6deae86491f4818c4c69d1a9ac Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 16 Feb 2016 11:34:07 -0700 +Subject: writeback: keep superblock pinned during cgroup writeback association switches + +From: Tejun Heo + +commit 5ff8eaac1636bf6deae86491f4818c4c69d1a9ac upstream. + +If cgroup writeback is in use, an inode is associated with a cgroup +for writeback. If the inode's main dirtier changes to another cgroup, +the association gets updated asynchronously. Nothing was pinning the +superblock while such switches are in progress and superblock could go +away while async switching is pending or in progress leading to +crashes like the following. + + kernel BUG at fs/jbd2/transaction.c:319! + invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC + CPU: 1 PID: 29158 Comm: kworker/1:10 Not tainted 4.5.0-rc3 #51 + Hardware name: Google Google, BIOS Google 01/01/2011 + Workqueue: events inode_switch_wbs_work_fn + task: ffff880213dbbd40 ti: ffff880209264000 task.ti: ffff880209264000 + RIP: 0010:[] [] start_this_handle+0x382/0x3e0 + RSP: 0018:ffff880209267c30 EFLAGS: 00010202 + ... + Call Trace: + [] jbd2__journal_start+0xf4/0x190 + [] __ext4_journal_start_sb+0x4e/0x70 + [] ext4_evict_inode+0x12c/0x3d0 + [] evict+0xbb/0x190 + [] iput+0x130/0x190 + [] inode_switch_wbs_work_fn+0x343/0x4c0 + [] process_one_work+0x129/0x300 + [] worker_thread+0x126/0x480 + [] kthread+0xc4/0xe0 + [] ret_from_fork+0x3f/0x70 + +Fix it by bumping s_active while cgroup association switching is in +flight. 
+ +Signed-off-by: Tejun Heo +Reported-and-tested-by: Tahsin Erdogan +Link: http://lkml.kernel.org/g/CAAeU0aNCq7LGODvVGRU-oU_o-6enii5ey0p1c26D1ZzYwkDc5A@mail.gmail.com +Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 6915c950e6e8..1f76d8950a57 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -317,6 +317,7 @@ static void inode_switch_wbs_work_fn(struct work_struct *work) + struct inode_switch_wbs_context *isw = + container_of(work, struct inode_switch_wbs_context, work); + struct inode *inode = isw->inode; ++ struct super_block *sb = inode->i_sb; + struct address_space *mapping = inode->i_mapping; + struct bdi_writeback *old_wb = inode->i_wb; + struct bdi_writeback *new_wb = isw->new_wb; +@@ -423,6 +424,7 @@ skip_switch: + wb_put(new_wb); + + iput(inode); ++ deactivate_super(sb); + kfree(isw); + } + +@@ -469,11 +471,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + + /* while holding I_WB_SWITCH, no one else can update the association */ + spin_lock(&inode->i_lock); ++ + if (inode->i_state & (I_WB_SWITCH | I_FREEING) || +- inode_to_wb(inode) == isw->new_wb) { +- spin_unlock(&inode->i_lock); +- goto out_free; +- } ++ inode_to_wb(inode) == isw->new_wb) ++ goto out_unlock; ++ ++ if (!atomic_inc_not_zero(&inode->i_sb->s_active)) ++ goto out_unlock; ++ + inode->i_state |= I_WB_SWITCH; + spin_unlock(&inode->i_lock); + +@@ -489,6 +494,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); + return; + ++out_unlock: ++ spin_unlock(&inode->i_lock); + out_free: + if (isw->new_wb) + wb_put(isw->new_wb); diff --git a/queue-4.4/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch b/queue-4.4/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch new file mode 100644 index 00000000000..e0f5e4c3759 --- /dev/null 
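Review bot: The `atomic_inc_not_zero(&inode->i_sb->s_active)` in the second fs-writeback.c hunk pins the superblock, but the matching `deactivate_super(sb)` lives in a different function (inode_switch_wbs_work_fn, first hunk), and neither site names the other. Suggest `/* pin the superblock for the async switch; dropped by deactivate_super() in inode_switch_wbs_work_fn() */` above the `if (!atomic_inc_not_zero(...))`, and `/* balances the s_active reference taken in inode_switch_wbs() */` on the `deactivate_super(sb);` line. The silent `goto out_unlock` when s_active is already zero is correct — the superblock is being torn down, so no switch is needed — but that too deserves a word at the site. Both enclosing functions begin outside the shown hunk lines, and the body of inode_switch_wbs_work_fn between its hunks is not visible.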
+++ b/queue-4.4/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch @@ -0,0 +1,46 @@ +From 3d44d51bd339766f0178f0cf2e8d048b4a4872aa Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 24 Feb 2016 12:18:49 -0800 +Subject: x86/entry/compat: Add missing CLAC to entry_INT80_32 + +From: Andy Lutomirski + +commit 3d44d51bd339766f0178f0cf2e8d048b4a4872aa upstream. + +This doesn't seem to fix a regression -- I don't think the CLAC was +ever there. + +I double-checked in a debugger: entries through the int80 gate do +not automatically clear AC. + +Stable maintainers: I can provide a backport to 4.3 and earlier if +needed. This needs to be backported all the way to 3.10. + +Reported-by: Brian Gerst +Signed-off-by: Andy Lutomirski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user space access") +Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64_compat.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -267,6 +267,7 @@ ENTRY(entry_INT80_compat) + * Interrupts are off on entry. + */ + PARAVIRT_ADJUST_EXCEPTION_FRAME ++ ASM_CLAC /* Do this early to minimize exposure */ + SWAPGS + + /* diff --git a/queue-4.4/x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch b/queue-4.4/x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch new file mode 100644 index 00000000000..b7a6457c8e4 --- /dev/null +++ b/queue-4.4/x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch 
@@ -0,0 +1,37 @@
+From 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 26 Feb 2016 18:55:31 +0000
+Subject: x86/mpx: Fix off-by-one comparison with nr_registers
+
+From: Colin Ian King
+
+commit 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 upstream.
+
+In the unlikely event that regno == nr_registers then we get an array
+overrun on regoff because the invalid register check is currently
+off-by-one. Fix this with a check that regno is >= nr_registers instead.
+
+Detected with static analysis using CoverityScan.
+
+Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
+Signed-off-by: Colin Ian King
+Acked-by: Dave Hansen
+Cc: Borislav Petkov
+Cc: "Kirill A . Shutemov"
+Link: http://lkml.kernel.org/r/1456512931-3388-1-git-send-email-colin.king@canonical.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
+index b2fd67da1701..ef05755a1900 100644
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -123,7 +123,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
+ break;
+ }
+
+- if (regno > nr_registers) {
++ if (regno >= nr_registers) {
+ WARN_ONCE(1, "decoded an instruction with an invalid register");
+ return -EINVAL;
+ }
diff --git a/queue-4.4/xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch b/queue-4.4/xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
new file mode 100644
index 00000000000..93e386bb665
--- /dev/null
+++ b/queue-4.4/xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
@@ -0,0 +1,69 @@
+From 52ba0746b3b44c86aee121babf3b2fd9b8f84090 Mon Sep 17 00:00:00 2001
+From: Ian Campbell
+Date: Mon, 8 Feb 2016 16:02:06 +0000
+Subject: xen/arm: correctly handle DMA mapping of compound pages
+
+From: Ian Campbell
+
+commit 52ba0746b3b44c86aee121babf3b2fd9b8f84090 upstream.
+
+Currently xen_dma_map_page concludes that DMA to anything other than
+the head page of a compound page must be foreign, since the PFN of the
+page is that of the head.
+
+Fix the check to instead consider the whole of a compound page to be
+local if the PFN of the head passes the 1:1 check.
+
+We can never see a compound page which is a mixture of foreign and
+local sub-pages.
+
+The comment already correctly described the intention, but fixup the
+spelling and some grammar.
+
+This fixes the various SSH protocol errors which we have been seeing
+on the cubietrucks in our automated test infrastructure.
+
+This has been broken since commit 3567258d281b ("xen/arm: use
+hypercall to flush caches in map_page"), which was in v3.19-rc1.
+
+NB arch/arm64/.../xen/page-coherent.h also includes this file.
+
+Signed-off-by: Ian Campbell
+Reviewed-by: Stefano Stabellini
+Cc: xen-devel@lists.xenproject.org
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/arch/arm/include/asm/xen/page-coherent.h b/arch/arm/include/asm/xen/page-coherent.h
+index 0375c8caa061..9408a994cc91 100644
+--- a/arch/arm/include/asm/xen/page-coherent.h
++++ b/arch/arm/include/asm/xen/page-coherent.h
+@@ -35,14 +35,21 @@ static inline void xen_dma_map_page(struct device *hwdev, struct page *page,
+ dma_addr_t dev_addr, unsigned long offset, size_t size,
+ enum dma_data_direction dir, struct dma_attrs *attrs)
+ {
+- bool local = XEN_PFN_DOWN(dev_addr) == page_to_xen_pfn(page);
++ unsigned long page_pfn = page_to_xen_pfn(page);
++ unsigned long dev_pfn = XEN_PFN_DOWN(dev_addr);
++ unsigned long compound_pages =
++ (1<map_page(hwdev, page, offset, size, dir, attrs);
diff --git a/queue-4.4/xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch b/queue-4.4/xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
new file mode 100644
index 00000000000..8b171130b45
--- /dev/null
+++ b/queue-4.4/xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
@@ -0,0 +1,38 @@
+From 8d47065f7d1980dde52abb874b301054f3013602 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk
+Date: Thu, 11 Feb 2016 16:10:23 -0500
+Subject: xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
+
+From: Konrad Rzeszutek Wilk
+
+commit 8d47065f7d1980dde52abb874b301054f3013602 upstream.
+
+Commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 (xen/pciback: Don't
+allow MSI-X ops if PCI_COMMAND_MEMORY is not set) prevented enabling
+MSI-X on passed-through virtual functions, because it checked the VF
+for PCI_COMMAND_MEMORY but this is not a valid bit for VFs.
+
+Instead, check the physical function for PCI_COMMAND_MEMORY.
+
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Jan Beulich
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/xen-pciback/pciback_ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -227,8 +227,9 @@ int xen_pcibk_enable_msix(struct xen_pci
+ /*
+ * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
+ * to access the BARs where the MSI-X entries reside.
++ * But VF devices are unique in which the PF needs to be checked.
+ */
+- pci_read_config_word(dev, PCI_COMMAND, &cmd);
++ pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd);
+ if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
+ return -ENXIO;
+
diff --git a/queue-4.4/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch b/queue-4.4/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
new file mode 100644
index 00000000000..6fbd338daf0
--- /dev/null
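Review bot: For a VF the bit that actually gates memory decoding of its BARs is VF MSE in the PF's SR-IOV Control register, not the PF's own Command-register MSE that the new `pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd)` reads, so the check that commit 408fb0e5 introduced to keep MSI-X table accesses off a non-decoding BAR is now approximated by a bit that does not control VF decoding. In practice the Linux PF driver sets VF MSE when it enables SR-IOV and the VFs only exist while that is on, so this is a precision point rather than a known failure, but if the intent is to mirror the real hardware condition the `dev->is_virtfn` case should read `PCI_SRIOV_CTRL` from the PF's SR-IOV capability and test `PCI_SRIOV_CTRL_MSE`. The added comment "VF devices are unique in which the PF needs to be checked" should also say why: a VF's Command.MSE is hardwired to 0 and its decoding is controlled from the PF. xen_pcibk_enable_msix starts and ends outside the hunk.
```c
	/*
	 * The MSI-X table lives in a memory BAR, so memory decoding must be
	 * on. A VF's own Command.MSE is hardwired to 0; what enables VF BAR
	 * decoding is VF MSE in the PF's SR-IOV control register.
	 */
	if (dev->is_virtfn) {
		struct pci_dev *pf = pci_physfn(dev);
		int pos = pci_find_ext_capability(pf, PCI_EXT_CAP_ID_SRIOV);

		if (!pos || pci_read_config_word(pf, pos + PCI_SRIOV_CTRL, &cmd) ||
		    !(cmd & PCI_SRIOV_CTRL_MSE))
			return -ENXIO;
	} else {
		pci_read_config_word(dev, PCI_COMMAND, &cmd);
		if (!(cmd & PCI_COMMAND_MEMORY))
			return -ENXIO;
	}
	if (dev->msi_enabled)
		return -ENXIO;
	/* … unchanged: rest of xen_pcibk_enable_msix … */
```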
+++ b/queue-4.4/xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
@@ -0,0 +1,56 @@
+From d159457b84395927b5a52adb72f748dd089ad5e5 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk
+Date: Thu, 11 Feb 2016 16:10:24 -0500
+Subject: xen/pciback: Save the number of MSI-X entries to be copied later.
+
+From: Konrad Rzeszutek Wilk
+
+commit d159457b84395927b5a52adb72f748dd089ad5e5 upstream.
+
+Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save
+xen_pci_op commands before processing it) broke enabling MSI-X because
+it would never copy the resulting vectors into the response. The
+number of vectors requested was being overwritten by the return value
+(typically zero for success).
+
+Save the number of vectors before processing the op, so the correct
+number of vectors are copied afterwards.
+
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Jan Beulich
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/xen-pciback/pciback_ops.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -333,6 +333,9 @@ void xen_pcibk_do_op(struct work_struct
+ struct xen_pcibk_dev_data *dev_data = NULL;
+ struct xen_pci_op *op = &pdev->op;
+ int test_intx = 0;
++#ifdef CONFIG_PCI_MSI
++ unsigned int nr = 0;
++#endif
+
+ *op = pdev->sh_info->op;
+ barrier();
+@@ -361,6 +364,7 @@ void xen_pcibk_do_op(struct work_struct
+ op->err = xen_pcibk_disable_msi(pdev, dev, op);
+ break;
+ case XEN_PCI_OP_enable_msix:
++ nr = op->value;
+ op->err = xen_pcibk_enable_msix(pdev, dev, op);
+ break;
+ case XEN_PCI_OP_disable_msix:
+@@ -383,7 +387,7 @@ void xen_pcibk_do_op(struct work_struct
+ if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
+ unsigned int i;
+
+- for (i = 0; i < op->value; i++)
++ for (i = 0; i < nr; i++)
+ pdev->sh_info->op.msix_entries[i].vector =
+ op->msix_entries[i].vector;
+ }
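Review bot: The new loop bound `nr` is the guest-supplied `op->value` captured from the snapshot that `*op = pdev->sh_info->op; barrier();` took, and the copy into `pdev->sh_info->op.msix_entries[i]` is only in bounds because xen_pcibk_enable_msix rejects counts above the array size before it can return 0 — that dependency on a check in another function is not stated at the loop. Suggest a comment above `for (i = 0; i < nr; i++)`: `/* nr was validated against SH_INFO_MAX_VEC by xen_pcibk_enable_msix; we only get here when it returned 0 */`. As far as I recall enable_msix does `if (op->value > SH_INFO_MAX_VEC) return -EINVAL;`, which is what makes the bound safe; please confirm it is present in the backported tree, since reading the count from the snapshot rather than the live ring is the whole point of the earlier fix this builds on. xen_pcibk_do_op begins and ends outside the hunks, so I could not verify that the copy block sits under the same `#ifdef CONFIG_PCI_MSI` that guards the declaration of `nr`.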
diff --git a/queue-4.4/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch b/queue-4.4/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
new file mode 100644
index 00000000000..7dba38f504a
--- /dev/null
+++ b/queue-4.4/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
@@ -0,0 +1,111 @@
+From 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk
+Date: Thu, 11 Feb 2016 16:10:26 -0500
+Subject: xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
+
+From: Konrad Rzeszutek Wilk
+
+commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.
+
+Occasionaly PV guests would crash with:
+
+pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
+BUG: unable to handle kernel paging request at 0000000d1a8c0be0
+.. snip..
+ ] find_next_bit+0xb/0x10
+ [] cpumask_next_and+0x22/0x40
+ [] pci_device_probe+0xb8/0x120
+ [] ? driver_sysfs_add+0x77/0xa0
+ [] driver_probe_device+0x1a4/0x2d0
+ [] ? pci_match_device+0xdd/0x110
+ [] __device_attach_driver+0xa7/0xb0
+ [] ? __driver_attach+0xa0/0xa0
+ [] bus_for_each_drv+0x62/0x90
+ [] __device_attach+0xbd/0x110
+ [] device_attach+0xb/0x10
+ [] pci_bus_add_device+0x3c/0x70
+ [] pci_bus_add_devices+0x38/0x80
+ [] pcifront_scan_root+0x13e/0x1a0
+ [] pcifront_backend_changed+0x262/0x60b
+ [] ? xenbus_gather+0xd6/0x160
+ [] ? put_object+0x2f/0x50
+ [] xenbus_otherend_changed+0x9d/0xa0
+ [] backend_changed+0xe/0x10
+ [] xenwatch_thread+0xc8/0x190
+ [] ? woken_wake_function+0x10/0x10
+
+which was the result of two things:
+
+When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
+pointer which was an 'pcifront_sd' structure. However in the
+pci_device_add it expects that the 'sd' is 'struct sysdata' and
+sets the dev->node to what is in sd->node (offset 4):
+
+set_dev_node(&dev->dev, pcibus_to_node(bus));
+
+ __pcibus_to_node(const struct pci_bus *bus)
+{
+ const struct pci_sysdata *sd = bus->sysdata;
+
+ return sd->node;
+}
+
+However our structure was pcifront_sd which had nothing at that
+offset:
+
+struct pcifront_sd {
+ int domain; /* 0 4 */
+ /* XXX 4 bytes hole, try to pack */
+ struct pcifront_device * pdev; /* 8 8 */
+}
+
+That is an hole - filled with garbage as we used kmalloc instead of
+kzalloc (the second problem).
+
+This patch fixes the issue by:
+ 1) Use kzalloc to initialize to a well known state.
+ 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
+ way access to the 'node' will access the right offset.
+
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/xen-pcifront.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/xen-pcifront.c
++++ b/drivers/pci/xen-pcifront.c
+@@ -53,7 +53,7 @@ struct pcifront_device {
+ };
+
+ struct pcifront_sd {
+- int domain;
++ struct pci_sysdata sd;
+ struct pcifront_device *pdev;
+ };
+
+@@ -67,7 +67,9 @@ static inline void pcifront_init_sd(stru
+ unsigned int domain, unsigned int bus,
+ struct pcifront_device *pdev)
+ {
+- sd->domain = domain;
++ /* Because we do not expose that information via XenBus. */
++ sd->sd.node = first_online_node;
++ sd->sd.domain = domain;
+ sd->pdev = pdev;
+ }
+
+@@ -468,8 +470,8 @@ static int pcifront_scan_root(struct pci
+ dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n",
+ domain, bus);
+
+- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL);
+- sd = kmalloc(sizeof(*sd), GFP_KERNEL);
++ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL);
++ sd = kzalloc(sizeof(*sd), GFP_KERNEL);
+ if (!bus_entry || !sd) {
+ err = -ENOMEM;
+ goto err_out;
diff --git a/queue-4.4/xen-scsiback-correct-frontend-counting.patch b/queue-4.4/xen-scsiback-correct-frontend-counting.patch
new file mode 100644
index 00000000000..cb27e1f9ec5
--- /dev/null
+++ b/queue-4.4/xen-scsiback-correct-frontend-counting.patch
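Review bot: The fix only works while `struct pci_sysdata sd` remains the first member of `struct pcifront_sd`, because the PCI core casts `bus->sysdata` straight to `struct pci_sysdata *` (the `__pcibus_to_node` quoted in the message), yet nothing in the code records that constraint and a later field reorder would silently reintroduce the crash. Suggest `struct pci_sysdata sd;	/* must be first: the PCI core casts bus->sysdata to struct pci_sysdata * */`, or a `BUILD_BUG_ON(offsetof(struct pcifront_sd, sd) != 0)` at the top of pcifront_init_sd. The added `/* Because we do not expose that information via XenBus. */` reads out of context on its own; `/* XenBus carries no NUMA locality for a frontend bus, so place it on the first online node. */` says both what is chosen and why. pcifront_scan_root continues past the hunk, so whether the kzalloc'ed `sd` reaches pci_scan_root_bus unchanged is assumed from the commit message rather than seen.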
@@ -0,0 +1,43 @@
+From f285aa8db7cc4432c1a03f8b55ff34fe96317c11 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Mon, 8 Feb 2016 15:30:18 +0100
+Subject: xen/scsiback: correct frontend counting
+
+From: Juergen Gross
+
+commit f285aa8db7cc4432c1a03f8b55ff34fe96317c11 upstream.
+
+When adding a new frontend to xen-scsiback don't decrement the number
+of active frontends in case of no error. Doing so results in a failure
+when trying to remove the xen-pvscsi nexus even if no domain is using
+it.
+
+Signed-off-by: Juergen Gross
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/xen-scsiback.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-scsiback.c
++++ b/drivers/xen/xen-scsiback.c
+@@ -939,12 +939,12 @@ out:
+ spin_unlock_irqrestore(&info->v2p_lock, flags);
+
+ out_free:
+- mutex_lock(&tpg->tv_tpg_mutex);
+- tpg->tv_tpg_fe_count--;
+- mutex_unlock(&tpg->tv_tpg_mutex);
+-
+- if (err)
++ if (err) {
++ mutex_lock(&tpg->tv_tpg_mutex);
++ tpg->tv_tpg_fe_count--;
++ mutex_unlock(&tpg->tv_tpg_mutex);
+ kfree(new);
++ }
+
+ return err;
+ }
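Review bot: The `if (err)` block at `out_free:` now pairs the `tv_tpg_fe_count--` with an increment that lives outside the hunk, and a reader stopping at this label cannot tell that keeping the count on success is deliberate rather than a leak. Suggest a comment before the block: `/* Only undo the frontend count on failure; on success it is held until the frontend is removed. */`. The function starts outside the hunk, so where the matching increment happens and whether every failure path after it reaches `out_free` is inferred from the commit message, not verified here.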