From: Greg Kroah-Hartman Date: Tue, 17 Apr 2018 13:24:13 +0000 (+0200) Subject: 4.16-stable patches X-Git-Tag: v4.16.3~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=51a949478b3f1730795296cad395690f0fffa81b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.16-stable patches added patches: apparmor-fix-display-of-.ns_name-for-containers.patch apparmor-fix-logging-of-the-existence-test-for-signals.patch apparmor-fix-resource-audit-messages-when-auditing-peer.patch block-loop-fix-deadlock-after-loop_set_status.patch bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch bluetooth-hci_bcm-treat-interrupt-acpi-resources-as-always-being-active-low.patch get_user_pages_fast-return-efault-on-access_ok-failure.patch getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch mm-gup_benchmark-handle-gup-failures.patch nfit-fix-region-registration-vs-block-data-window-ranges.patch revert-scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch s390-compat-fix-setup_frame32.patch s390-ipl-ensure-loadparm-valid-flag-is-set.patch s390-qdio-don-t-merge-error-output-buffers.patch s390-qdio-don-t-retry-eqbs-after-ccq-96.patch scsi-qla2xxx-fix-small-memory-leak-in-qla2x00_probe_one-on-probe-failure.patch scsi-scsi_dh-don-t-look-for-null-devices-handlers-by-name.patch
---
diff --git a/queue-4.16/apparmor-fix-display-of-.ns_name-for-containers.patch b/queue-4.16/apparmor-fix-display-of-.ns_name-for-containers.patch
new file mode 100644
index 00000000000..c4fe520c660
--- /dev/null
+++ b/queue-4.16/apparmor-fix-display-of-.ns_name-for-containers.patch
@@ -0,0 +1,38 @@
+From 040d9e2bce0a5b321c402b79ee43a8e8d2fd3b06 Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Tue, 23 Jan 2018 01:47:42 -0800
+Subject: apparmor: fix display of .ns_name for containers
+
+From: John Johansen
+
+commit 040d9e2bce0a5b321c402b79ee43a8e8d2fd3b06 upstream.
+
+The .ns_name should not be virtualized by the current ns view. It
+needs to report the ns base name as that is being used during startup
+as part of determining apparmor policy namespace support.
+
+BugLink: http://bugs.launchpad.net/bugs/1746463
+Fixes: d9f02d9c237aa ("apparmor: fix display of ns name")
+Cc: Stable
+Reported-by: Serge Hallyn
+Tested-by: Serge Hallyn
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/apparmorfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -1189,9 +1189,7 @@ static int seq_ns_level_show(struct seq_
+ static int seq_ns_name_show(struct seq_file *seq, void *v)
+ {
+ struct aa_label *label = begin_current_label_crit_section();
+-
+- seq_printf(seq, "%s\n", aa_ns_name(labels_ns(label),
+- labels_ns(label), true));
++ seq_printf(seq, "%s\n", labels_ns(label)->base.name);
+ end_current_label_crit_section(label);
+
+ return 0;
diff --git a/queue-4.16/apparmor-fix-logging-of-the-existence-test-for-signals.patch b/queue-4.16/apparmor-fix-logging-of-the-existence-test-for-signals.patch
new file mode 100644
index 00000000000..df10cdbb111
--- /dev/null
+++ b/queue-4.16/apparmor-fix-logging-of-the-existence-test-for-signals.patch
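Review bot: `seq_ns_name_show()` now prints `labels_ns(label)->base.name` with no comment saying why this one file is deliberately not relative to the current namespace view, which invites a later cleanup back to `aa_ns_name()`. A one-line comment above the `seq_printf()` would cover it, e.g. `/* report the base ns name, not the view-relative one: userspace reads it at startup to detect policy namespace support */`. The patch also drops the blank line between the declaration of `label` and the first statement, which kernel style normally keeps.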
@@ -0,0 +1,60 @@ +From 98cf5bbff413eadf1b9cb195a7b80cc61c72a50e Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Thu, 1 Feb 2018 11:24:10 +0100 +Subject: apparmor: fix logging of the existence test for signals + +From: John Johansen + +commit 98cf5bbff413eadf1b9cb195a7b80cc61c72a50e upstream. + +The existence test is not being properly logged as the signal mapping +maps it to the last entry in the named signal table. This is done +to help catch bugs by making the 0 mapped signal value invalid so +that we can catch the signal value not being filled in. + +When fixing the off-by-one comparision logic the reporting of the +existence test was broken, because the logic behind the mapped named +table was hidden. Fix this by adding a define for the name lookup +and using it. + +Cc: Stable +Fixes: f7dc4c9a855a1 ("apparmor: fix off-by-one comparison on MAXMAPPED_SIG") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/include/sig_names.h | 4 +++- + security/apparmor/ipc.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/security/apparmor/include/sig_names.h ++++ b/security/apparmor/include/sig_names.h +@@ -2,6 +2,8 @@ + + #define SIGUNKNOWN 0 + #define MAXMAPPED_SIG 35 ++#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1) ++ + /* provide a mapping of arch signal to internal signal # for mediation + * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO + * map to the same entry those that may/or may not get a separate entry +@@ -56,7 +58,7 @@ static const int sig_map[MAXMAPPED_SIG] + }; + + /* this table is ordered post sig_map[sig] mapping */ +-static const char *const sig_names[MAXMAPPED_SIG + 1] = { ++static const char *const sig_names[MAXMAPPED_SIGNAME] = { + "unknown", + "hup", + "int", +--- a/security/apparmor/ipc.c ++++ b/security/apparmor/ipc.c +@@ -174,7 +174,7 @@ static void audit_signal_cb(struct audit + audit_signal_mask(ab, aad(sa)->denied); + } + } +- if (aad(sa)->signal < 
MAXMAPPED_SIG) ++ if (aad(sa)->signal < MAXMAPPED_SIGNAME) + audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]); + else + audit_log_format(ab, " signal=rtmin+%d", diff --git a/queue-4.16/apparmor-fix-resource-audit-messages-when-auditing-peer.patch b/queue-4.16/apparmor-fix-resource-audit-messages-when-auditing-peer.patch new file mode 100644 index 00000000000..25e5c4fe520 --- /dev/null +++ b/queue-4.16/apparmor-fix-resource-audit-messages-when-auditing-peer.patch @@ -0,0 +1,50 @@ +From b5beb07ad32ab533027aa988d96a44965ec116f7 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Fri, 9 Feb 2018 04:57:39 -0800 +Subject: apparmor: fix resource audit messages when auditing peer + +From: John Johansen + +commit b5beb07ad32ab533027aa988d96a44965ec116f7 upstream. + +Resource auditing is using the peer field which is not available +when the rlim data struct is used, because it is a different element +of the same union. Accessing peer during resource auditing could +cause garbage log entries or even oops the kernel. + +Move the rlim data block into the same struct as the peer field +so they can be used together. + +CC: +Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels") +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/include/audit.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -126,6 +126,10 @@ struct apparmor_audit_data { + const char *target; + kuid_t ouid; + } fs; ++ struct { ++ int rlim; ++ unsigned long max; ++ } rlim; + int signal; + }; + }; +@@ -135,10 +139,6 @@ struct apparmor_audit_data { + long pos; + } iface; + struct { +- int rlim; +- unsigned long max; +- } rlim; +- struct { + const char *src_name; + const char *type; + const char *trans; 
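Review bot: `MAXMAPPED_SIGNAME` is added to sig_names.h without a comment, so the reason `sig_names[]` is one entry longer than `sig_map[]` stays hidden, which is what the commit message says led to the broken comparison in `audit_signal_cb()`. Suggest `/* sig_names[] has one more entry than sig_map[]: the existence test is mapped to the last named slot */` next to the define. Separately, the guard in ipc.c is an upper bound only and `signal` is a plain `int` in `struct apparmor_audit_data`; if the mapping code can never yield a negative value that is fine, but it cannot be confirmed from this hunk. `audit_signal_cb()` starts and ends outside the hunk.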
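Review bot: Nothing in `struct apparmor_audit_data` records that the `rlim` block now has to sit in the same struct as `peer`, and the commit message describes the cost of getting this wrong as garbage audit records or an oops from reading the wrong union member. A short comment on the moved block, e.g. `/* kept beside peer: resource auditing reads both */`, would keep a later reshuffle of the union from reintroducing the bug. The struct definition starts and ends outside the hunks shown.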
diff --git a/queue-4.16/block-loop-fix-deadlock-after-loop_set_status.patch b/queue-4.16/block-loop-fix-deadlock-after-loop_set_status.patch
new file mode 100644
index 00000000000..e760163f553
--- /dev/null
+++ b/queue-4.16/block-loop-fix-deadlock-after-loop_set_status.patch
@@ -0,0 +1,132 @@ +From 1e047eaab3bb5564f25b41e9cd3a053009f4e789 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 6 Apr 2018 10:03:17 +0900 +Subject: block/loop: fix deadlock after loop_set_status + +From: Tetsuo Handa + +commit 1e047eaab3bb5564f25b41e9cd3a053009f4e789 upstream. + +syzbot is reporting deadlocks at __blkdev_get() [1]. + +---------------------------------------- +[ 92.493919] systemd-udevd D12696 525 1 0x00000000 +[ 92.495891] Call Trace: +[ 92.501560] schedule+0x23/0x80 +[ 92.502923] schedule_preempt_disabled+0x5/0x10 +[ 92.504645] __mutex_lock+0x416/0x9e0 +[ 92.510760] __blkdev_get+0x73/0x4f0 +[ 92.512220] blkdev_get+0x12e/0x390 +[ 92.518151] do_dentry_open+0x1c3/0x2f0 +[ 92.519815] path_openat+0x5d9/0xdc0 +[ 92.521437] do_filp_open+0x7d/0xf0 +[ 92.527365] do_sys_open+0x1b8/0x250 +[ 92.528831] do_syscall_64+0x6e/0x270 +[ 92.530341] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +[ 92.931922] 1 lock held by systemd-udevd/525: +[ 92.933642] #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x73/0x4f0 +---------------------------------------- + +The reason of deadlock turned out that wait_event_interruptible() in +blk_queue_enter() got stuck with bdev->bd_mutex held at __blkdev_put() +due to q->mq_freeze_depth == 1. 
+ +---------------------------------------- +[ 92.787172] a.out S12584 634 633 0x80000002 +[ 92.789120] Call Trace: +[ 92.796693] schedule+0x23/0x80 +[ 92.797994] blk_queue_enter+0x3cb/0x540 +[ 92.803272] generic_make_request+0xf0/0x3d0 +[ 92.807970] submit_bio+0x67/0x130 +[ 92.810928] submit_bh_wbc+0x15e/0x190 +[ 92.812461] __block_write_full_page+0x218/0x460 +[ 92.815792] __writepage+0x11/0x50 +[ 92.817209] write_cache_pages+0x1ae/0x3d0 +[ 92.825585] generic_writepages+0x5a/0x90 +[ 92.831865] do_writepages+0x43/0xd0 +[ 92.836972] __filemap_fdatawrite_range+0xc1/0x100 +[ 92.838788] filemap_write_and_wait+0x24/0x70 +[ 92.840491] __blkdev_put+0x69/0x1e0 +[ 92.841949] blkdev_close+0x16/0x20 +[ 92.843418] __fput+0xda/0x1f0 +[ 92.844740] task_work_run+0x87/0xb0 +[ 92.846215] do_exit+0x2f5/0xba0 +[ 92.850528] do_group_exit+0x34/0xb0 +[ 92.852018] SyS_exit_group+0xb/0x10 +[ 92.853449] do_syscall_64+0x6e/0x270 +[ 92.854944] entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +[ 92.943530] 1 lock held by a.out/634: +[ 92.945105] #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x3c/0x1e0 +---------------------------------------- + +The reason of q->mq_freeze_depth == 1 turned out that loop_set_status() +forgot to call blk_mq_unfreeze_queue() at error paths for +info->lo_encrypt_type != NULL case. + +---------------------------------------- +[ 37.509497] CPU: 2 PID: 634 Comm: a.out Tainted: G W 4.16.0+ #457 +[ 37.513608] Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 +[ 37.518832] RIP: 0010:blk_freeze_queue_start+0x17/0x40 +[ 37.521778] RSP: 0018:ffffb0c2013e7c60 EFLAGS: 00010246 +[ 37.524078] RAX: 0000000000000000 RBX: ffff8b07b1519798 RCX: 0000000000000000 +[ 37.527015] RDX: 0000000000000002 RSI: ffffb0c2013e7cc0 RDI: ffff8b07b1519798 +[ 37.529934] RBP: ffffb0c2013e7cc0 R08: 0000000000000008 R09: 47a189966239b898 +[ 37.532684] R10: dad78b99b278552f R11: 9332dca72259d5ef R12: ffff8b07acd73678 +[ 37.535452] R13: 0000000000004c04 R14: 0000000000000000 R15: ffff8b07b841e940 +[ 37.538186] FS: 00007fede33b9740(0000) GS:ffff8b07b8e80000(0000) knlGS:0000000000000000 +[ 37.541168] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 37.543590] CR2: 00000000206fdf18 CR3: 0000000130b30006 CR4: 00000000000606e0 +[ 37.546410] Call Trace: +[ 37.547902] blk_freeze_queue+0x9/0x30 +[ 37.549968] loop_set_status+0x67/0x3c0 [loop] +[ 37.549975] loop_set_status64+0x3b/0x70 [loop] +[ 37.549986] lo_ioctl+0x223/0x810 [loop] +[ 37.549995] blkdev_ioctl+0x572/0x980 +[ 37.550003] block_ioctl+0x34/0x40 +[ 37.550006] do_vfs_ioctl+0xa7/0x6d0 +[ 37.550017] ksys_ioctl+0x6b/0x80 +[ 37.573076] SyS_ioctl+0x5/0x10 +[ 37.574831] do_syscall_64+0x6e/0x270 +[ 37.576769] entry_SYSCALL_64_after_hwframe+0x42/0xb7 +---------------------------------------- + +[1] https://syzkaller.appspot.com/bug?id=cd662bc3f6022c0979d01a262c318fab2ee9b56f + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Fixes: ecdd09597a572513 ("block/loop: fix race between I/O and set_status") +Cc: Ming Lei +Cc: Dmitry Vyukov +Cc: stable +Cc: Jens Axboe +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1103,11 +1103,15 @@ loop_set_status(struct loop_device *lo, + if (info->lo_encrypt_type) { + unsigned int type = info->lo_encrypt_type; + +- if (type >= 
MAX_LO_CRYPT) +- return -EINVAL; ++ if (type >= MAX_LO_CRYPT) { ++ err = -EINVAL; ++ goto exit; ++ } + xfer = xfer_funcs[type]; +- if (xfer == NULL) +- return -EINVAL; ++ if (xfer == NULL) { ++ err = -EINVAL; ++ goto exit; ++ } + } else + xfer = NULL; + diff --git a/queue-4.16/bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch b/queue-4.16/bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch new file mode 100644 index 00000000000..180968c850b --- /dev/null +++ b/queue-4.16/bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch 
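Review bot: The two new error branches in `loop_set_status()` are identical, and the function still depends on every failure path after the queue freeze remembering to `goto exit` instead of `return`, which is exactly the mistake this patch repairs. The checks can be folded into one, `if (type >= MAX_LO_CRYPT || !xfer_funcs[type]) { err = -EINVAL; goto exit; }` followed by `xfer = xfer_funcs[type];`, and a comment at the freeze call such as `/* queue is frozen from here on: leave only via exit */` would state the rule. `lo_encrypt_type` arrives through the ioctl path shown in the trace, so a missed unfreeze is a denial-of-service condition for anyone allowed to issue that ioctl. The freeze call and the `exit` label are outside the hunk.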
@@ -0,0 +1,300 @@ +From 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 Mon Sep 17 00:00:00 2001 +From: Szymon Janc +Date: Tue, 3 Apr 2018 13:40:06 +0200 +Subject: Bluetooth: Fix connection if directed advertising and privacy is used + +From: Szymon Janc + +commit 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 upstream. + +Local random address needs to be updated before creating connection if +RPA from LE Direct Advertising Report was resolved in host. Otherwise +remote device might ignore connection request due to address mismatch. + +This was affecting following qualification test cases: +GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C + +Before patch: +< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #11350 [hci0] 84680.231216 + Address: 56:BC:E8:24:11:68 (Resolvable) + Identity type: Random (0x01) + Identity: F2:F1:06:3D:9C:42 (Static) +> HCI Event: Command Complete (0x0e) plen 4 #11351 [hci0] 84680.246022 + LE Set Random Address (0x08|0x0005) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #11352 [hci0] 84680.246417 + Type: Passive (0x00) + Interval: 60.000 msec (0x0060) + Window: 30.000 msec (0x0030) + Own address type: Random (0x01) + Filter policy: Accept all advertisement, inc. 
directed unresolved RPA (0x02) +> HCI Event: Command Complete (0x0e) plen 4 #11353 [hci0] 84680.248854 + LE Set Scan Parameters (0x08|0x000b) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11354 [hci0] 84680.249466 + Scanning: Enabled (0x01) + Filter duplicates: Enabled (0x01) +> HCI Event: Command Complete (0x0e) plen 4 #11355 [hci0] 84680.253222 + LE Set Scan Enable (0x08|0x000c) ncmd 1 + Status: Success (0x00) +> HCI Event: LE Meta Event (0x3e) plen 18 #11356 [hci0] 84680.458387 + LE Direct Advertising Report (0x0b) + Num reports: 1 + Event type: Connectable directed - ADV_DIRECT_IND (0x01) + Address type: Random (0x01) + Address: 53:38:DA:46:8C:45 (Resolvable) + Identity type: Public (0x00) + Identity: 11:22:33:44:55:66 (OUI 11-22-33) + Direct address type: Random (0x01) + Direct address: 7C:D6:76:8C:DF:82 (Resolvable) + Identity type: Random (0x01) + Identity: F2:F1:06:3D:9C:42 (Static) + RSSI: -74 dBm (0xb6) +< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11357 [hci0] 84680.458737 + Scanning: Disabled (0x00) + Filter duplicates: Disabled (0x00) +> HCI Event: Command Complete (0x0e) plen 4 #11358 [hci0] 84680.469982 + LE Set Scan Enable (0x08|0x000c) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #11359 [hci0] 84680.470444 + Scan interval: 60.000 msec (0x0060) + Scan window: 60.000 msec (0x0060) + Filter policy: White list is not used (0x00) + Peer address type: Random (0x01) + Peer address: 53:38:DA:46:8C:45 (Resolvable) + Identity type: Public (0x00) + Identity: 11:22:33:44:55:66 (OUI 11-22-33) + Own address type: Random (0x01) + Min connection interval: 30.00 msec (0x0018) + Max connection interval: 50.00 msec (0x0028) + Connection latency: 0 (0x0000) + Supervision timeout: 420 msec (0x002a) + Min connection length: 0.000 msec (0x0000) + Max connection length: 0.000 msec (0x0000) +> HCI Event: Command Status (0x0f) plen 4 #11360 [hci0] 84680.474971 + LE Create 
Connection (0x08|0x000d) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0 #11361 [hci0] 84682.545385 +> HCI Event: Command Complete (0x0e) plen 4 #11362 [hci0] 84682.551014 + LE Create Connection Cancel (0x08|0x000e) ncmd 1 + Status: Success (0x00) +> HCI Event: LE Meta Event (0x3e) plen 19 #11363 [hci0] 84682.551074 + LE Connection Complete (0x01) + Status: Unknown Connection Identifier (0x02) + Handle: 0 + Role: Master (0x00) + Peer address type: Public (0x00) + Peer address: 00:00:00:00:00:00 (OUI 00-00-00) + Connection interval: 0.00 msec (0x0000) + Connection latency: 0 (0x0000) + Supervision timeout: 0 msec (0x0000) + Master clock accuracy: 0x00 + +After patch: +< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #210 [hci0] 667.152459 + Type: Passive (0x00) + Interval: 60.000 msec (0x0060) + Window: 30.000 msec (0x0030) + Own address type: Random (0x01) + Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02) +> HCI Event: Command Complete (0x0e) plen 4 #211 [hci0] 667.153613 + LE Set Scan Parameters (0x08|0x000b) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #212 [hci0] 667.153704 + Scanning: Enabled (0x01) + Filter duplicates: Enabled (0x01) +> HCI Event: Command Complete (0x0e) plen 4 #213 [hci0] 667.154584 + LE Set Scan Enable (0x08|0x000c) ncmd 1 + Status: Success (0x00) +> HCI Event: LE Meta Event (0x3e) plen 18 #214 [hci0] 667.182619 + LE Direct Advertising Report (0x0b) + Num reports: 1 + Event type: Connectable directed - ADV_DIRECT_IND (0x01) + Address type: Random (0x01) + Address: 50:52:D9:A6:48:A0 (Resolvable) + Identity type: Public (0x00) + Identity: 11:22:33:44:55:66 (OUI 11-22-33) + Direct address type: Random (0x01) + Direct address: 7C:C1:57:A5:B7:A8 (Resolvable) + Identity type: Random (0x01) + Identity: F4:28:73:5D:38:B0 (Static) + RSSI: -70 dBm (0xba) +< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #215 [hci0] 
667.182704 + Scanning: Disabled (0x00) + Filter duplicates: Disabled (0x00) +> HCI Event: Command Complete (0x0e) plen 4 #216 [hci0] 667.183599 + LE Set Scan Enable (0x08|0x000c) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #217 [hci0] 667.183645 + Address: 7C:C1:57:A5:B7:A8 (Resolvable) + Identity type: Random (0x01) + Identity: F4:28:73:5D:38:B0 (Static) +> HCI Event: Command Complete (0x0e) plen 4 #218 [hci0] 667.184590 + LE Set Random Address (0x08|0x0005) ncmd 1 + Status: Success (0x00) +< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #219 [hci0] 667.184613 + Scan interval: 60.000 msec (0x0060) + Scan window: 60.000 msec (0x0060) + Filter policy: White list is not used (0x00) + Peer address type: Random (0x01) + Peer address: 50:52:D9:A6:48:A0 (Resolvable) + Identity type: Public (0x00) + Identity: 11:22:33:44:55:66 (OUI 11-22-33) + Own address type: Random (0x01) + Min connection interval: 30.00 msec (0x0018) + Max connection interval: 50.00 msec (0x0028) + Connection latency: 0 (0x0000) + Supervision timeout: 420 msec (0x002a) + Min connection length: 0.000 msec (0x0000) + Max connection length: 0.000 msec (0x0000) +> HCI Event: Command Status (0x0f) plen 4 #220 [hci0] 667.186558 + LE Create Connection (0x08|0x000d) ncmd 1 + Status: Success (0x00) +> HCI Event: LE Meta Event (0x3e) plen 19 #221 [hci0] 667.485824 + LE Connection Complete (0x01) + Status: Success (0x00) + Handle: 0 + Role: Master (0x00) + Peer address type: Random (0x01) + Peer address: 50:52:D9:A6:48:A0 (Resolvable) + Identity type: Public (0x00) + Identity: 11:22:33:44:55:66 (OUI 11-22-33) + Connection interval: 50.00 msec (0x0028) + Connection latency: 0 (0x0000) + Supervision timeout: 420 msec (0x002a) + Master clock accuracy: 0x07 +@ MGMT Event: Device Connected (0x000b) plen 13 {0x0002} [hci0] 667.485996 + LE Address: 11:22:33:44:55:66 (OUI 11-22-33) + Flags: 0x00000000 + Data length: 0 + +Signed-off-by: Szymon Janc +Signed-off-by: 
Marcel Holtmann +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/bluetooth/hci_core.h | 2 +- + net/bluetooth/hci_conn.c | 29 +++++++++++++++++++++-------- + net/bluetooth/hci_event.c | 15 +++++++++++---- + net/bluetooth/l2cap_core.c | 2 +- + 4 files changed, 34 insertions(+), 14 deletions(-) + +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -895,7 +895,7 @@ struct hci_conn *hci_connect_le_scan(str + u16 conn_timeout); + struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, + u8 dst_type, u8 sec_level, u16 conn_timeout, +- u8 role); ++ u8 role, bdaddr_t *direct_rpa); + struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, + u8 sec_level, u8 auth_type); + struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst, +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -749,18 +749,31 @@ static bool conn_use_rpa(struct hci_conn + } + + static void hci_req_add_le_create_conn(struct hci_request *req, +- struct hci_conn *conn) ++ struct hci_conn *conn, ++ bdaddr_t *direct_rpa) + { + struct hci_cp_le_create_conn cp; + struct hci_dev *hdev = conn->hdev; + u8 own_addr_type; + +- /* Update random address, but set require_privacy to false so +- * that we never connect with an non-resolvable address. ++ /* If direct address was provided we use it instead of current ++ * address. + */ +- if (hci_update_random_address(req, false, conn_use_rpa(conn), +- &own_addr_type)) +- return; ++ if (direct_rpa) { ++ if (bacmp(&req->hdev->random_addr, direct_rpa)) ++ hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6, ++ direct_rpa); ++ ++ /* direct address is always RPA */ ++ own_addr_type = ADDR_LE_DEV_RANDOM; ++ } else { ++ /* Update random address, but set require_privacy to false so ++ * that we never connect with an non-resolvable address. 
++ */ ++ if (hci_update_random_address(req, false, conn_use_rpa(conn), ++ &own_addr_type)) ++ return; ++ } + + memset(&cp, 0, sizeof(cp)); + +@@ -825,7 +838,7 @@ static void hci_req_directed_advertising + + struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst, + u8 dst_type, u8 sec_level, u16 conn_timeout, +- u8 role) ++ u8 role, bdaddr_t *direct_rpa) + { + struct hci_conn_params *params; + struct hci_conn *conn; +@@ -940,7 +953,7 @@ struct hci_conn *hci_connect_le(struct h + hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); + } + +- hci_req_add_le_create_conn(&req, conn); ++ hci_req_add_le_create_conn(&req, conn, direct_rpa); + + create_conn: + err = hci_req_run(&req, create_le_conn_complete); +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4648,7 +4648,8 @@ static void hci_le_conn_update_complete_ + /* This function requires the caller holds hdev->lock */ + static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, + bdaddr_t *addr, +- u8 addr_type, u8 adv_type) ++ u8 addr_type, u8 adv_type, ++ bdaddr_t *direct_rpa) + { + struct hci_conn *conn; + struct hci_conn_params *params; +@@ -4699,7 +4700,8 @@ static struct hci_conn *check_pending_le + } + + conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, +- HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER); ++ HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER, ++ direct_rpa); + if (!IS_ERR(conn)) { + /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned + * by higher layer that tried to connect, if no then +@@ -4808,8 +4810,13 @@ static void process_adv_report(struct hc + bdaddr_type = irk->addr_type; + } + +- /* Check if we have been requested to connect to this device */ +- conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type); ++ /* Check if we have been requested to connect to this device. ++ * ++ * direct_addr is set only for directed advertising reports (it is NULL ++ * for advertising reports) and is already verified to be RPA above. 
++ */ ++ conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, ++ direct_addr); + if (conn && type == LE_ADV_IND) { + /* Store report for later inclusion by + * mgmt_device_connected +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7156,7 +7156,7 @@ int l2cap_chan_connect(struct l2cap_chan + hcon = hci_connect_le(hdev, dst, dst_type, + chan->sec_level, + HCI_LE_CONN_TIMEOUT, +- HCI_ROLE_SLAVE); ++ HCI_ROLE_SLAVE, NULL); + else + hcon = hci_connect_le_scan(hdev, dst, dst_type, + chan->sec_level, diff --git a/queue-4.16/bluetooth-hci_bcm-treat-interrupt-acpi-resources-as-always-being-active-low.patch b/queue-4.16/bluetooth-hci_bcm-treat-interrupt-acpi-resources-as-always-being-active-low.patch new file mode 100644 index 00000000000..876182a6ef1 --- /dev/null +++ b/queue-4.16/bluetooth-hci_bcm-treat-interrupt-acpi-resources-as-always-being-active-low.patch 
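Review bot: In `hci_req_add_le_create_conn()` the new `direct_rpa` branch queues `HCI_OP_LE_SET_RANDOM_ADDR` itself and no longer goes through `hci_update_random_address()`, so whatever state checks that helper applies before changing the local random address are skipped on this path; it is worth confirming that changing the address here cannot collide with active advertising or another pending LE connection. The address originates in a remote advertising report, and the only validation is the one the new comment in `process_adv_report()` points to, which lies outside the hunk; that comment should say what is verified (RPA format only, or resolution against the local IRK as well). Smaller points: the length is a bare `6` where `sizeof(*direct_rpa)` would be self-describing, and the branch reads `req->hdev` although the local `hdev` is already in scope.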
@@ -0,0 +1,71 @@ +From bb5208b314c5127b716b2ee4f55803a8bb73b750 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 16 Mar 2018 21:28:08 +0100 +Subject: Bluetooth: hci_bcm: Treat Interrupt ACPI resources as always being active-low + +From: Hans de Goede + +commit bb5208b314c5127b716b2ee4f55803a8bb73b750 upstream. + +Older devices with a serdev attached bcm bt hci, use an Interrupt ACPI +resource to describe the IRQ (rather then a GpioInt resource). + +These device seem to all claim the IRQ is active-high and seem to all need +a DMI quirk to treat it as active-low. Instead simply always assume that +Interrupt resource specified IRQs are always active-low. + +This fixes the bt device not being able to wake the host from runtime- +suspend on the: Asus T100TAM, Asus T200TA, Lenovo Yoga2 and the Toshiba +Encore, without the need to add 4 new DMI quirks for these models. + +This also allows us to remove 2 DMI quirks for the Asus T100TA and Asus +T100CHI series. Likely the 2 remaining quirks can also be removed but I +could not find a DSDT of these devices to verify this. + +Cc: stable@vger.kernel.org +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=198953 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1554835 +Signed-off-by: Hans de Goede +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_bcm.c | 20 +++----------------- + 1 file changed, 3 insertions(+), 17 deletions(-) + +--- a/drivers/bluetooth/hci_bcm.c ++++ b/drivers/bluetooth/hci_bcm.c +@@ -795,22 +795,6 @@ static const struct acpi_gpio_mapping ac + #ifdef CONFIG_ACPI + /* IRQ polarity of some chipsets are not defined correctly in ACPI table. 
*/ + static const struct dmi_system_id bcm_active_low_irq_dmi_table[] = { +- { +- .ident = "Asus T100TA", +- .matches = { +- DMI_EXACT_MATCH(DMI_SYS_VENDOR, +- "ASUSTeK COMPUTER INC."), +- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TA"), +- }, +- }, +- { +- .ident = "Asus T100CHI", +- .matches = { +- DMI_EXACT_MATCH(DMI_SYS_VENDOR, +- "ASUSTeK COMPUTER INC."), +- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100CHI"), +- }, +- }, + { /* Handle ThinkPad 8 tablets with BCM2E55 chipset ACPI ID */ + .ident = "Lenovo ThinkPad 8", + .matches = { +@@ -838,7 +822,9 @@ static int bcm_resource(struct acpi_reso + switch (ares->type) { + case ACPI_RESOURCE_TYPE_EXTENDED_IRQ: + irq = &ares->data.extended_irq; +- dev->irq_active_low = irq->polarity == ACPI_ACTIVE_LOW; ++ if (irq->polarity != ACPI_ACTIVE_LOW) ++ dev_info(dev->dev, "ACPI Interrupt resource is active-high, this is usually wrong, treating the IRQ as active-low\n"); ++ dev->irq_active_low = true; + break; + + case ACPI_RESOURCE_TYPE_GPIO: diff --git a/queue-4.16/get_user_pages_fast-return-efault-on-access_ok-failure.patch b/queue-4.16/get_user_pages_fast-return-efault-on-access_ok-failure.patch new file mode 100644 index 00000000000..07fea20794e --- /dev/null +++ b/queue-4.16/get_user_pages_fast-return-efault-on-access_ok-failure.patch 
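Review bot: `bcm_resource()` now discards the firmware-reported polarity for every Interrupt resource, but the only explanation in the code is the `dev_info()` string; a comment above `dev->irq_active_low = true;` would record the reasoning, e.g. `/* Interrupt (non-GpioInt) resources have been active-low on every board seen so far, even when ACPI claims active-high */`. The comment on `bcm_active_low_irq_dmi_table` also no longer makes clear what the two remaining entries are still needed for, a question the commit message itself leaves open. The function and the table both continue outside the hunks.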
@@ -0,0 +1,70 @@ +From c61611f70958d86f659bca25c02ae69413747a8d Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 13 Apr 2018 15:35:20 -0700 +Subject: get_user_pages_fast(): return -EFAULT on access_ok failure + +From: Michael S. Tsirkin + +commit c61611f70958d86f659bca25c02ae69413747a8d upstream. + +get_user_pages_fast is supposed to be a faster drop-in equivalent of +get_user_pages. As such, callers expect it to return a negative return +code when passed an invalid address, and never expect it to return 0 +when passed a positive number of pages, since its documentation says: + + * Returns number of pages pinned. This may be fewer than the number + * requested. If nr_pages is 0 or negative, returns 0. If no pages + * were pinned, returns -errno. + +When get_user_pages_fast fall back on get_user_pages this is exactly +what happens. Unfortunately the implementation is inconsistent: it +returns 0 if passed a kernel address, confusing callers: for example, +the following is pretty common but does not appear to do the right thing +with a kernel address: + + ret = get_user_pages_fast(addr, 1, writeable, &page); + if (ret < 0) + return ret; + +Change get_user_pages_fast to return -EFAULT when supplied a kernel +address to make it match expectations. + +All callers have been audited for consistency with the documented +semantics. + +Link: http://lkml.kernel.org/r/1522962072-182137-4-git-send-email-mst@redhat.com +Fixes: 5b65c4677a57 ("mm, x86/mm: Fix performance regression in get_user_pages_fast()") +Signed-off-by: Michael S. Tsirkin +Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com +Reviewed-by: Andrew Morton +Cc: Kirill A. 
Shutemov +Cc: Huang Ying +Cc: Jonathan Corbet +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Thorsten Leemhuis +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/gup.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1806,9 +1806,12 @@ int get_user_pages_fast(unsigned long st + len = (unsigned long) nr_pages << PAGE_SHIFT; + end = start + len; + ++ if (nr_pages <= 0) ++ return 0; ++ + if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, + (void __user *)start, len))) +- return 0; ++ return -EFAULT; + + if (gup_fast_permitted(start, nr_pages, write)) { + local_irq_disable(); diff --git a/queue-4.16/getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch b/queue-4.16/getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch new file mode 100644 index 00000000000..c46ec2c7bf8 --- /dev/null +++ b/queue-4.16/getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch 
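Review bot: In `get_user_pages_fast()` the new `nr_pages <= 0` test sits after `len = (unsigned long) nr_pages << PAGE_SHIFT` and `end = start + len`, so both values are still computed from a zero or negative count before the early return; moving the test above them reads better and keeps a sign-extended `len` from ever existing. Nothing in the hunk rejects a `start + len` that wraps; that is presumably left to `access_ok()`, and if so a comment saying it (or an explicit `end < start` check) would make the assumption reviewable. The function body continues outside the hunk.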
@@ -0,0 +1,33 @@
+From 30ce4d1903e1d8a7ccd110860a5eef3c638ed8be Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 8 Apr 2018 11:57:10 -0400
+Subject: getname_kernel() needs to make sure that ->name != ->iname in long case
+
+From: Al Viro
+
+commit 30ce4d1903e1d8a7ccd110860a5eef3c638ed8be upstream.
+
+missed it in "kill struct filename.separate" several years ago.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -222,9 +222,10 @@ getname_kernel(const char * filename)
+ if (len <= EMBEDDED_NAME_MAX) {
+ result->name = (char *)result->iname;
+ } else if (len <= PATH_MAX) {
++ const size_t size = offsetof(struct filename, iname[1]);
+ struct filename *tmp;
+
+- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
++ tmp = kmalloc(size, GFP_KERNEL);
+ if (unlikely(!tmp)) {
+ __putname(result);
+ return ERR_PTR(-ENOMEM);
diff --git a/queue-4.16/mm-gup_benchmark-handle-gup-failures.patch b/queue-4.16/mm-gup_benchmark-handle-gup-failures.patch
new file mode 100644
index 00000000000..16589f12ff7
--- /dev/null
+++ b/queue-4.16/mm-gup_benchmark-handle-gup-failures.patch
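Review bot: The reason the allocation in `getname_kernel()` is sized with `offsetof(struct filename, iname[1])` rather than `sizeof(*tmp)` is not stated anywhere in the code; only the subject line says the goal is that `->name` can never equal `->iname` for long names. Suggest a comment on the declaration, e.g. `/* include one byte of iname[] so that ->iname lies inside this object and cannot alias ->name */`, with the wording confirmed against the struct definition, which is outside the hunk. Without it the line looks like an oddity that a later cleanup would turn back into `sizeof(*tmp)`.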
@@ -0,0 +1,70 @@ +From 09e35a4a1ca8b9988ca9b8557d17948cd6c0808b Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 13 Apr 2018 15:35:16 -0700 +Subject: mm/gup_benchmark: handle gup failures + +From: Michael S. Tsirkin + +commit 09e35a4a1ca8b9988ca9b8557d17948cd6c0808b upstream. + +Patch series "mm/get_user_pages_fast fixes, cleanups", v2. + +Turns out get_user_pages_fast and __get_user_pages_fast return different +values on error when given a single page: __get_user_pages_fast returns +0. get_user_pages_fast returns either 0 or an error. + +Callers of get_user_pages_fast expect an error so fix it up to return an +error consistently. + +Stress the difference between get_user_pages_fast and +__get_user_pages_fast to make sure callers aren't confused. + +This patch (of 3): + +__gup_benchmark_ioctl does not handle the case where get_user_pages_fast +fails: + + - a negative return code will cause a buffer overrun + + - returning with partial success will cause use of uninitialized + memory. + +[akpm@linux-foundation.org: simplification] +Link: http://lkml.kernel.org/r/1522962072-182137-3-git-send-email-mst@redhat.com +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Andrew Morton +Cc: Kirill A. 
Shutemov +Cc: Huang Ying +Cc: Jonathan Corbet +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Thorsten Leemhuis +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/gup_benchmark.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/gup_benchmark.c ++++ b/mm/gup_benchmark.c +@@ -23,7 +23,7 @@ static int __gup_benchmark_ioctl(unsigne + struct page **pages; + + nr_pages = gup->size / PAGE_SIZE; +- pages = kvmalloc(sizeof(void *) * nr_pages, GFP_KERNEL); ++ pages = kvzalloc(sizeof(void *) * nr_pages, GFP_KERNEL); + if (!pages) + return -ENOMEM; + +@@ -41,6 +41,8 @@ static int __gup_benchmark_ioctl(unsigne + } + + nr = get_user_pages_fast(addr, nr, gup->flags & 1, pages + i); ++ if (nr <= 0) ++ break; + i += nr; + } + end_time = ktime_get(); diff --git a/queue-4.16/nfit-fix-region-registration-vs-block-data-window-ranges.patch b/queue-4.16/nfit-fix-region-registration-vs-block-data-window-ranges.patch new file mode 100644 index 00000000000..46534a4dde4 --- /dev/null +++ b/queue-4.16/nfit-fix-region-registration-vs-block-data-window-ranges.patch 
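Review bot: The new `if (nr <= 0)` test after get_user_pages_fast() only catches an error return if `nr` is a signed type, and its declaration is above the first hunk. If `nr` is declared unsigned (to be confirmed against the declarations outside the hunk), a negative errno becomes a very large positive value, the test is true only for 0, and `i += nr` still moves the index past the `pages` array, which is the overrun the description sets out to fix. Declaring it as `int nr;`, or testing `if ((long)nr <= 0)`, makes the check do what it says. __gup_benchmark_ioctl() continues outside both hunks.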
@@ -0,0 +1,58 @@ +From 8d0d8ed3356aa9ed43b819aaedd39b08ca453007 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 2 Apr 2018 16:49:30 -0700 +Subject: nfit: fix region registration vs block-data-window ranges + +From: Dan Williams + +commit 8d0d8ed3356aa9ed43b819aaedd39b08ca453007 upstream. + +Commit 1cf03c00e7c1 "nfit: scrub and register regions in a workqueue" +mistakenly attempts to register a region per BLK aperture. There is +nothing to register for individual apertures as they belong as a set to +a BLK aperture group that are registered with a corresponding +DIMM-control-region. Filter them for registration to prevent some +needless devm_kzalloc() allocations. + +Cc: +Fixes: 1cf03c00e7c1 ("nfit: scrub and register regions in a workqueue") +Reviewed-by: Dave Jiang +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -3024,15 +3024,21 @@ static void acpi_nfit_scrub(struct work_ + static int acpi_nfit_register_regions(struct acpi_nfit_desc *acpi_desc) + { + struct nfit_spa *nfit_spa; +- int rc; + +- list_for_each_entry(nfit_spa, &acpi_desc->spas, list) +- if (nfit_spa_type(nfit_spa->spa) == NFIT_SPA_DCR) { +- /* BLK regions don't need to wait for ars results */ +- rc = acpi_nfit_register_region(acpi_desc, nfit_spa); +- if (rc) +- return rc; +- } ++ list_for_each_entry(nfit_spa, &acpi_desc->spas, list) { ++ int rc, type = nfit_spa_type(nfit_spa->spa); ++ ++ /* PMEM and VMEM will be registered by the ARS workqueue */ ++ if (type == NFIT_SPA_PM || type == NFIT_SPA_VOLATILE) ++ continue; ++ /* BLK apertures belong to BLK region registration below */ ++ if (type == NFIT_SPA_BDW) ++ continue; ++ /* BLK regions don't need to wait for ARS results */ ++ rc = acpi_nfit_register_region(acpi_desc, nfit_spa); ++ if (rc) ++ return rc; ++ } + + acpi_desc->ars_start_flags = 0; + if 
(!acpi_desc->cancel) diff --git a/queue-4.16/revert-scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch b/queue-4.16/revert-scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch new file mode 100644 index 00000000000..31065f6e723 --- /dev/null +++ b/queue-4.16/revert-scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch @@ -0,0 +1,45 @@ +From cbe095e2b584623b882ebaf6c18e0b9077baa3f7 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 5 Apr 2018 10:32:59 -0700 +Subject: Revert "scsi: core: return BLK_STS_OK for DID_OK in __scsi_error_from_host_byte()" + +From: Bart Van Assche + +commit cbe095e2b584623b882ebaf6c18e0b9077baa3f7 upstream. + +The description of commit e39a97353e53 is wrong: it mentions that commit +2a842acab109 introduced a bug in __scsi_error_from_host_byte() although that +commit did not change the behavior of that function. Additionally, commit +e39a97353e53 introduced a bug: it causes commands that fail with +hostbyte=DID_OK and driverbyte=DRIVER_SENSE to be completed with +BLK_STS_OK. Hence revert that commit. + +Fixes: e39a97353e53 ("scsi: core: return BLK_STS_OK for DID_OK in __scsi_error_from_host_byte()") +Reported-by: Damien Le Moal +Signed-off-by: Bart Van Assche +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Cc: Damien Le Moal +Cc: Christoph Hellwig +Cc: Lee Duncan +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_lib.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -721,8 +721,6 @@ static blk_status_t __scsi_error_from_ho + int result) + { + switch (host_byte(result)) { +- case DID_OK: +- return BLK_STS_OK; + case DID_TRANSPORT_FAILFAST: + return BLK_STS_TRANSPORT; + case DID_TARGET_FAILURE: 
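Review bot: The rewritten loop in acpi_nfit_register_regions() turns an allow-list into a deny-list: the removed code registered only `NFIT_SPA_DCR` entries, while the new code registers every type that is not PM, VOLATILE or BDW. Any other range type present in the table now reaches acpi_nfit_register_region(), yet the comment above the call still speaks only of BLK regions. If that is intended, the comment should say so, e.g. `/* BLK and any remaining range types don't need to wait for ARS results */`; if not, `if (type != NFIT_SPA_DCR) continue;` keeps the old scope. The function continues past the end of the hunk.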
diff --git a/queue-4.16/rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch b/queue-4.16/rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch new file mode 100644 index 00000000000..1f2229a1b90 --- /dev/null +++ b/queue-4.16/rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch 
@@ -0,0 +1,74 @@ +From 7972326a26b5bf8dc2adac575c4e03ee7e9d193a Mon Sep 17 00:00:00 2001 +From: Sudhir Sreedharan +Date: Thu, 15 Feb 2018 12:52:45 +0530 +Subject: rtl8187: Fix NULL pointer dereference in priv->conf_mutex + +From: Sudhir Sreedharan + +commit 7972326a26b5bf8dc2adac575c4e03ee7e9d193a upstream. + +This can be reproduced by bind/unbind the driver multiple times +in AM3517 board. + +Analysis revealed that rtl8187_start() was invoked before probe +finishes(ie. before the mutex is initialized). + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250 + Hardware name: Generic AM3517 (Flattened Device Tree) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (register_lock_class+0x4f4/0x55c) + [] (register_lock_class) from [] (__lock_acquire+0x74/0x1938) + [] (__lock_acquire) from [] (lock_acquire+0xfc/0x23c) + [] (lock_acquire) from [] (mutex_lock_nested+0x50/0x3b0) + [] (mutex_lock_nested) from [] (rtl8187_start+0x2c/0xd54) + [] (rtl8187_start) from [] (drv_start+0xa8/0x320) + [] (drv_start) from [] (ieee80211_do_open+0x2bc/0x8e4) + [] (ieee80211_do_open) from [] (__dev_open+0xb8/0x120) + [] (__dev_open) from [] (__dev_change_flags+0x88/0x14c) + [] (__dev_change_flags) from [] (dev_change_flags+0x18/0x48) + [] (dev_change_flags) from [] (devinet_ioctl+0x738/0x840) + [] (devinet_ioctl) from [] (sock_ioctl+0x164/0x2f4) + [] (sock_ioctl) from [] (do_vfs_ioctl+0x8c/0x9d0) + [] (do_vfs_ioctl) from [] (SyS_ioctl+0x6c/0x7c) + [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x1c) + Unable to handle kernel NULL pointer dereference at virtual address 00000000 + pgd = cd1ec000 + [00000000] *pgd=8d1de831, *pte=00000000, *ppte=00000000 + Internal error: Oops: 817 [#1] PREEMPT ARM + Modules linked in: + CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250 + Hardware name: 
Generic AM3517 (Flattened Device Tree) + task: ce73eec0 task.stack: cd1ea000 + PC is at mutex_lock_nested+0xe8/0x3b0 + LR is at mutex_lock_nested+0xd0/0x3b0 + +Cc: stable@vger.kernel.org +Signed-off-by: Sudhir Sreedharan +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +@@ -1450,6 +1450,7 @@ static int rtl8187_probe(struct usb_inte + goto err_free_dev; + } + mutex_init(&priv->io_mutex); ++ mutex_init(&priv->conf_mutex); + + SET_IEEE80211_DEV(dev, &intf->dev); + usb_set_intfdata(intf, dev); +@@ -1625,7 +1626,6 @@ static int rtl8187_probe(struct usb_inte + printk(KERN_ERR "rtl8187: Cannot register device\n"); + goto err_free_dmabuf; + } +- mutex_init(&priv->conf_mutex); + skb_queue_head_init(&priv->b_tx_status.queue); + + wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n", diff --git a/queue-4.16/s390-compat-fix-setup_frame32.patch b/queue-4.16/s390-compat-fix-setup_frame32.patch new file mode 100644 index 00000000000..964d0cce3d5 --- /dev/null +++ b/queue-4.16/s390-compat-fix-setup_frame32.patch 
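Review bot: `skb_queue_head_init(&priv->b_tx_status.queue)` is left after the registration error check in the second hunk, so it keeps the ordering that the commit fixes for `conf_mutex`. The description says rtl8187_start() can run before probe finishes; if any path reachable from there touches `b_tx_status.queue`, it would see an uninitialised list head. Unless that queue is known to be unused until probe returns, I would move the call up next to the two `mutex_init()` calls in the first hunk. rtl8187_probe() starts and ends outside both hunks.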
@@ -0,0 +1,36 @@ +From 8b09ca746a643ca452cd41a522046a96ee5a55fd Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Fri, 6 Apr 2018 18:10:04 +0200 +Subject: s390/compat: fix setup_frame32 + +From: Heiko Carstens + +commit 8b09ca746a643ca452cd41a522046a96ee5a55fd upstream. + +Git commit c60a03fee0e5 ("s390: switch to {get,put}_compat_sigset()") +contains a typo and now copies the wrong pointer to user space. +Use the correct pointer instead. + +Reported-and-tested-by: Stefan Liebler +Fixes: c60a03fee0e5 ("s390: switch to {get,put}_compat_sigset()") +Cc: # v4.15+ +Cc: Al Viro +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/compat_signal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/compat_signal.c ++++ b/arch/s390/kernel/compat_signal.c +@@ -279,7 +279,7 @@ static int setup_frame32(struct ksignal + if (put_compat_sigset((compat_sigset_t __user *)frame->sc.oldmask, + set, sizeof(compat_sigset_t))) + return -EFAULT; +- if (__put_user(ptr_to_compat(&frame->sc), &frame->sc.sregs)) ++ if (__put_user(ptr_to_compat(&frame->sregs), &frame->sc.sregs)) + return -EFAULT; + + /* Store registers needed to create the signal frame */ diff --git a/queue-4.16/s390-ipl-ensure-loadparm-valid-flag-is-set.patch b/queue-4.16/s390-ipl-ensure-loadparm-valid-flag-is-set.patch new file mode 100644 index 00000000000..4b931a5bb37 --- /dev/null +++ b/queue-4.16/s390-ipl-ensure-loadparm-valid-flag-is-set.patch 
@@ -0,0 +1,35 @@ +From 15deb080a6087b73089139569558965750e69d67 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 3 Apr 2018 16:02:15 +0200 +Subject: s390/ipl: ensure loadparm valid flag is set + +From: Vasily Gorbik + +commit 15deb080a6087b73089139569558965750e69d67 upstream. + +When loadparm is set in reipl parm block, the kernel should also set +DIAG308_FLAGS_LP_VALID flag. + +This fixes loadparm ignoring during z/VM fcp -> ccw reipl and kvm direct +boot -> ccw reipl. + +Cc: +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/ipl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -776,6 +776,7 @@ static ssize_t reipl_generic_loadparm_st + /* copy and convert to ebcdic */ + memcpy(ipb->hdr.loadparm, buf, lp_len); + ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN); ++ ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID; + return len; + } + diff --git a/queue-4.16/s390-qdio-don-t-merge-error-output-buffers.patch b/queue-4.16/s390-qdio-don-t-merge-error-output-buffers.patch new file mode 100644 index 00000000000..baca23a5541 --- /dev/null +++ b/queue-4.16/s390-qdio-don-t-merge-error-output-buffers.patch 
@@ -0,0 +1,93 @@ +From 0cf1e05157b9e5530dcc3ca9fec9bf617fc93375 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Wed, 7 Mar 2018 14:01:01 +0100 +Subject: s390/qdio: don't merge ERROR output buffers + +From: Julian Wiedmann + +commit 0cf1e05157b9e5530dcc3ca9fec9bf617fc93375 upstream. + +On an Output queue, both EMPTY and PENDING buffer states imply that the +buffer is ready for completion-processing by the upper-layer drivers. + +So for a non-QEBSM Output queue, get_buf_states() merges mixed +batches of PENDING and EMPTY buffers into one large batch of EMPTY +buffers. The upper-layer driver (ie. qeth) later distuingishes PENDING +from EMPTY by inspecting the slsb_state for +QDIO_OUTBUF_STATE_FLAG_PENDING. + +But the merge logic in get_buf_states() contains a bug that causes us to +erronously also merge ERROR buffers into such a batch of EMPTY buffers +(ERROR is 0xaf, EMPTY is 0xa1; so ERROR & EMPTY == EMPTY). +Effectively, most outbound ERROR buffers are currently discarded +silently and processed as if they had succeeded. + +Note that this affects _all_ non-QEBSM device types, not just IQD with CQ. + +Fix it by explicitly spelling out the exact conditions for merging. + +For extracting the "get initial state" part out of the loop, this relies +on the fact that get_buf_states() is never called with a count of 0. The +QEBSM path already strictly requires this, and the two callers with +variable 'count' make sure of it. 
+ +Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") +Cc: #v3.2+ +Signed-off-by: Julian Wiedmann +Reviewed-by: Ursula Braun +Reviewed-by: Benjamin Block +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_main.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -207,7 +207,10 @@ again: + return 0; + } + +-/* returns number of examined buffers and their common state in *state */ ++/* ++ * Returns number of examined buffers and their common state in *state. ++ * Requested number of buffers-to-examine must be > 0. ++ */ + static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr, + unsigned char *state, unsigned int count, + int auto_ack, int merge_pending) +@@ -218,17 +221,23 @@ static inline int get_buf_states(struct + if (is_qebsm(q)) + return qdio_do_eqbs(q, state, bufnr, count, auto_ack); + +- for (i = 0; i < count; i++) { +- if (!__state) { +- __state = q->slsb.val[bufnr]; +- if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) +- __state = SLSB_P_OUTPUT_EMPTY; +- } else if (merge_pending) { +- if ((q->slsb.val[bufnr] & __state) != __state) +- break; +- } else if (q->slsb.val[bufnr] != __state) +- break; ++ /* get initial state: */ ++ __state = q->slsb.val[bufnr]; ++ if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) ++ __state = SLSB_P_OUTPUT_EMPTY; ++ ++ for (i = 1; i < count; i++) { + bufnr = next_buf(bufnr); ++ ++ /* merge PENDING into EMPTY: */ ++ if (merge_pending && ++ q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING && ++ __state == SLSB_P_OUTPUT_EMPTY) ++ continue; ++ ++ /* stop if next state differs from initial state: */ ++ if (q->slsb.val[bufnr] != __state) ++ break; + } + *state = __state; + return i; 
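Review bot: get_buf_states() now depends on `count > 0`, but only the new comment says so. With `count == 0` the loop starting at `i = 1` does not run and the function returns 1 after reading `q->slsb.val[bufnr]`, so a caller would be told one buffer was examined, whereas the old loop returned 0. The description states that current callers never pass 0; a cheap guard at the top of the non-QEBSM path, `if (WARN_ON_ONCE(!count)) return 0;`, would keep a future caller from silently processing a buffer it did not ask about. The declarations of `i` and `__state` are not among the visible lines.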
diff --git a/queue-4.16/s390-qdio-don-t-retry-eqbs-after-ccq-96.patch b/queue-4.16/s390-qdio-don-t-retry-eqbs-after-ccq-96.patch new file mode 100644 index 00000000000..9acc8092538 --- /dev/null +++ b/queue-4.16/s390-qdio-don-t-retry-eqbs-after-ccq-96.patch 
@@ -0,0 +1,77 @@ +From dae55b6fef58530c13df074bcc182c096609339e Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 5 Mar 2018 09:39:38 +0100 +Subject: s390/qdio: don't retry EQBS after CCQ 96 + +From: Julian Wiedmann + +commit dae55b6fef58530c13df074bcc182c096609339e upstream. + +Immediate retry of EQBS after CCQ 96 means that we potentially misreport +the state of buffers inspected during the first EQBS call. + +This occurs when +1. the first EQBS finds all inspected buffers still in the initial state + set by the driver (ie INPUT EMPTY or OUTPUT PRIMED), +2. the EQBS terminates early with CCQ 96, and +3. by the time that the second EQBS comes around, the state of those + previously inspected buffers has changed. + +If the state reported by the second EQBS is 'driver-owned', all we know +is that the previous buffers are driver-owned now as well. But we can't +tell if they all have the same state. So for instance +- the second EQBS reports OUTPUT EMPTY, but any number of the previous + buffers could be OUTPUT ERROR by now, +- the second EQBS reports OUTPUT ERROR, but any number of the previous + buffers could be OUTPUT EMPTY by now. + +Effectively, this can result in both over- and underreporting of errors. + +If the state reported by the second EQBS is 'HW-owned', that doesn't +guarantee that the previous buffers have not been switched to +driver-owned in the mean time. So for instance +- the second EQBS reports INPUT EMPTY, but any number of the previous + buffers could be INPUT PRIMED (or INPUT ERROR) by now. + +This would result in failure to process pending work on the queue. If +it's the final check before yielding initiative, this can cause +a (temporary) queue stall due to IRQ avoidance. 
+ +Fixes: 25f269f17316 ("[S390] qdio: EQBS retry after CCQ 96") +Cc: #v3.2+ +Signed-off-by: Julian Wiedmann +Reviewed-by: Benjamin Block +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_main.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -128,7 +128,7 @@ static inline int qdio_check_ccq(struct + static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state, + int start, int count, int auto_ack) + { +- int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0; ++ int rc, tmp_count = count, tmp_start = start, nr = q->nr; + unsigned int ccq = 0; + + qperf_inc(q, eqbs); +@@ -151,14 +151,7 @@ again: + qperf_inc(q, eqbs_partial); + DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x", + tmp_count); +- /* +- * Retry once, if that fails bail out and process the +- * extracted buffers before trying again. +- */ +- if (!retried++) +- goto again; +- else +- return count - tmp_count; ++ return count - tmp_count; + } + + DBF_ERROR("%4x EQBS ERROR", SCH_NO(q)); diff --git a/queue-4.16/scsi-qla2xxx-fix-small-memory-leak-in-qla2x00_probe_one-on-probe-failure.patch b/queue-4.16/scsi-qla2xxx-fix-small-memory-leak-in-qla2x00_probe_one-on-probe-failure.patch new file mode 100644 index 00000000000..d06a8e2a793 --- /dev/null +++ b/queue-4.16/scsi-qla2xxx-fix-small-memory-leak-in-qla2x00_probe_one-on-probe-failure.patch 
@@ -0,0 +1,232 @@ +From 6d6340672ba3a99c4cf7af79c2edf7aa25595c84 Mon Sep 17 00:00:00 2001 +From: Bill Kuzeja +Date: Fri, 23 Mar 2018 10:37:25 -0400 +Subject: scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure + +From: Bill Kuzeja + +commit 6d6340672ba3a99c4cf7af79c2edf7aa25595c84 upstream. + +The code that fixes the crashes in the following commit introduced a small +memory leak: + +commit 6a2cf8d3663e ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure") + +Fixing this requires a bit of reworking, which I've explained. Also provide +some code cleanup. + +There is a small window in qla2x00_probe_one where if qla2x00_alloc_queues +fails, we end up never freeing req and rsp and leak 0xc0 and 0xc8 bytes +respectively (the sizes of req and rsp). + +I originally put in checks to test for this condition which were based on +the incorrect assumption that if ha->rsp_q_map and ha->req_q_map were +allocated, then rsp and req were allocated as well. This is incorrect. +There is a window between these allocations: + + ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp); + goto probe_hw_failed; + +[if successful, both rsp and req allocated] + + base_vha = qla2x00_create_host(sht, ha); + goto probe_hw_failed; + + ret = qla2x00_request_irqs(ha, rsp); + goto probe_failed; + + if (qla2x00_alloc_queues(ha, req, rsp)) { + goto probe_failed; + +[if successful, now ha->rsp_q_map and ha->req_q_map allocated] + +To simplify this, we should just set req and rsp to NULL after we free +them. Sounds simple enough? The problem is that req and rsp are pointers +defined in the qla2x00_probe_one and they are not always passed by reference +to the routines that free them. + +Here are paths which can free req and rsp: + +PATH 1: +qla2x00_probe_one + ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp); + [req and rsp are passed by reference, but if this fails, we currently + do not NULL out req and rsp. 
Easily fixed] + +PATH 2: +qla2x00_probe_one + failing in qla2x00_request_irqs or qla2x00_alloc_queues + probe_failed: + qla2x00_free_device(base_vha); + qla2x00_free_req_que(ha, req) + qla2x00_free_rsp_que(ha, rsp) + +PATH 3: +qla2x00_probe_one: + failing in qla2x00_mem_alloc or qla2x00_create_host + probe_hw_failed: + qla2x00_free_req_que(ha, req) + qla2x00_free_rsp_que(ha, rsp) + +PATH 1: This should currently work, but it doesn't because rsp and rsp are +not set to NULL in qla2x00_mem_alloc. Easily remedied. + +PATH 2: req and rsp aren't passed in at all to qla2x00_free_device but are +derived from ha->req_q_map[0] and ha->rsp_q_map[0]. These are only set up if +qla2x00_alloc_queues succeeds. + +In qla2x00_free_queues, we are protected from crashing if these don't exist +because req_qid_map and rsp_qid_map are only set on their allocation. We are +guarded in this way: + + for (cnt = 0; cnt < ha->max_req_queues; cnt++) { + if (!test_bit(cnt, ha->req_qid_map)) + continue; + +PATH 3: This works. We haven't freed req or rsp yet (or they were never +allocated if qla2x00_mem_alloc failed), so we'll attempt to free them here. + +To summarize, there are a few small changes to make this work correctly and +(and for some cleanup): + +1) (For PATH 1) Set *rsp and *req to NULL in case of failure in +qla2x00_mem_alloc so these are correctly set to NULL back in +qla2x00_probe_one + +2) After jumping to probe_failed: and calling qla2x00_free_device, +explicitly set rsp and req to NULL so further calls with these pointers do +not crash, i.e. the free queue calls in the probe_hw_failed section we fall +through to. + +3) Fix return code check in the call to qla2x00_alloc_queues. We currently +drop the return code on the floor. The probe fails but the caller of the +probe doesn't have an error code, so it attaches to pci. This can result in +a crash on module shutdown. 
+ +4) Remove unnecessary NULL checks in qla2x00_free_req_que, +qla2x00_free_rsp_que, and the egregious NULL checks before kfrees and vfrees +in qla2x00_mem_free. + +I tested this out running a scenario where the card breaks at various times +during initialization. I made sure I forced every error exit path in +qla2x00_probe_one. + +Cc: # v4.16 +Fixes: 6a2cf8d3663e ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure") +Signed-off-by: Bill Kuzeja +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 44 ++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -471,9 +471,6 @@ fail_req_map: + + static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) + { +- if (!ha->req_q_map) +- return; +- + if (IS_QLAFX00(ha)) { + if (req && req->ring_fx00) + dma_free_coherent(&ha->pdev->dev, +@@ -484,17 +481,14 @@ static void qla2x00_free_req_que(struct + (req->length + 1) * sizeof(request_t), + req->ring, req->dma); + +- if (req) { ++ if (req) + kfree(req->outstanding_cmds); +- kfree(req); +- } ++ ++ kfree(req); + } + + static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) + { +- if (!ha->rsp_q_map) +- return; +- + if (IS_QLAFX00(ha)) { + if (rsp && rsp->ring) + dma_free_coherent(&ha->pdev->dev, +@@ -505,8 +499,7 @@ static void qla2x00_free_rsp_que(struct + (rsp->length + 1) * sizeof(response_t), + rsp->ring, rsp->dma); + } +- if (rsp) +- kfree(rsp); ++ kfree(rsp); + } + + static void qla2x00_free_queues(struct qla_hw_data *ha) +@@ -3107,7 +3100,8 @@ qla2x00_probe_one(struct pci_dev *pdev, + goto probe_failed; + + /* Alloc arrays of request and response ring ptrs */ +- if (qla2x00_alloc_queues(ha, req, rsp)) { ++ ret = qla2x00_alloc_queues(ha, req, rsp); ++ if (ret) { + ql_log(ql_log_fatal, base_vha, 0x003d, + "Failed to 
allocate memory for queue pointers..." + "aborting.\n"); +@@ -3408,8 +3402,15 @@ probe_failed: + } + + qla2x00_free_device(base_vha); +- + scsi_host_put(base_vha->host); ++ /* ++ * Need to NULL out local req/rsp after ++ * qla2x00_free_device => qla2x00_free_queues frees ++ * what these are pointing to. Or else we'll ++ * fall over below in qla2x00_free_req/rsp_que. ++ */ ++ req = NULL; ++ rsp = NULL; + + probe_hw_failed: + qla2x00_mem_free(ha); +@@ -4115,6 +4116,7 @@ fail_npiv_info: + (*rsp)->dma = 0; + fail_rsp_ring: + kfree(*rsp); ++ *rsp = NULL; + fail_rsp: + dma_free_coherent(&ha->pdev->dev, ((*req)->length + 1) * + sizeof(request_t), (*req)->ring, (*req)->dma); +@@ -4122,6 +4124,7 @@ fail_rsp: + (*req)->dma = 0; + fail_req_ring: + kfree(*req); ++ *req = NULL; + fail_req: + dma_free_coherent(&ha->pdev->dev, sizeof(struct ct_sns_pkt), + ha->ct_sns, ha->ct_sns_dma); +@@ -4509,16 +4512,11 @@ qla2x00_mem_free(struct qla_hw_data *ha) + dma_free_coherent(&ha->pdev->dev, ha->init_cb_size, + ha->init_cb, ha->init_cb_dma); + +- if (ha->optrom_buffer) +- vfree(ha->optrom_buffer); +- if (ha->nvram) +- kfree(ha->nvram); +- if (ha->npiv_info) +- kfree(ha->npiv_info); +- if (ha->swl) +- kfree(ha->swl); +- if (ha->loop_id_map) +- kfree(ha->loop_id_map); ++ vfree(ha->optrom_buffer); ++ kfree(ha->nvram); ++ kfree(ha->npiv_info); ++ kfree(ha->swl); ++ kfree(ha->loop_id_map); + + ha->srb_mempool = NULL; + ha->ctx_mempool = NULL; diff --git a/queue-4.16/scsi-scsi_dh-don-t-look-for-null-devices-handlers-by-name.patch b/queue-4.16/scsi-scsi_dh-don-t-look-for-null-devices-handlers-by-name.patch new file mode 100644 index 00000000000..ade6710b2c1 --- /dev/null +++ b/queue-4.16/scsi-scsi_dh-don-t-look-for-null-devices-handlers-by-name.patch 
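Review bot: The unconditional `req = NULL; rsp = NULL;` added after qla2x00_free_device() at `probe_failed:` also runs when the jump came from a failure in qla2x00_request_irqs() or qla2x00_alloc_queues(). By the description's own account of PATH 2, qla2x00_free_device() frees the queues only through `ha->req_q_map[0]` and `ha->rsp_q_map[0]`, which are set up only once qla2x00_alloc_queues() succeeds, so in those two cases nothing has freed `req` and `rsp`, and clearing the locals drops the last reference before the frees under `probe_hw_failed:`. That looks like the leak the commit sets out to close. Clearing them only when the maps were populated, for instance `if (test_bit(0, ha->req_qid_map)) req = NULL;` and the same for `rsp` with `rsp_qid_map` (assuming bit 0 marks the base queues; confirm against qla2x00_alloc_queues()), would keep the double-free protection without losing the allocations. The bodies of qla2x00_probe_one() and qla2x00_free_device() are outside the hunks.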
@@ -0,0 +1,42 @@ +From 2ee5671e3ae35e53bb5a53a89ac8f033e4b1721f Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Fri, 23 Mar 2018 14:37:05 +0100 +Subject: scsi: scsi_dh: Don't look for NULL devices handlers by name + +From: Johannes Thumshirn + +commit 2ee5671e3ae35e53bb5a53a89ac8f033e4b1721f upstream. + +Currently scsi_dh_lookup() doesn't check for NULL as a device name. This +combined with nvme over dm-mpath results in the following messages +emitted by device-mapper: + + device-mapper: multipath: Could not failover device 259:67: Handler scsi_dh_(null) error 14. + +Let scsi_dh_lookup() fail fast on NULL names. + +[mkp: typo fix] + +Cc: # v4.16 +Signed-off-by: Johannes Thumshirn +Reviewed-by: Hannes Reinecke +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_dh.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/scsi_dh.c ++++ b/drivers/scsi/scsi_dh.c +@@ -112,6 +112,9 @@ static struct scsi_device_handler *scsi_ + { + struct scsi_device_handler *dh; + ++ if (!name || strlen(name) == 0) ++ return NULL; ++ + dh = __scsi_dh_lookup(name); + if (!dh) { + request_module("scsi_dh_%s", name); diff --git a/queue-4.16/series b/queue-4.16/series index 70d27148208..900a3559757 100644 --- a/queue-4.16/series +++ b/queue-4.16/series 
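Review bot: `strlen(name) == 0` in the new guard walks the whole string to answer a question the first byte already answers. `if (!name || !*name)` reads the same and is the usual kernel spelling for an empty-string test. The guard matters because `name` is formatted into `request_module("scsi_dh_%s", name)` a few lines down, so a short comment such as `/* never request "scsi_dh_" or "scsi_dh_(null)" */` would record why it is there. The function continues past the hunk.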
@@ -48,3 +48,21 @@ ovl-set-lower-layer-st_dev-only-if-setting-lower-st_ino.patch
 xen-xenbus_dev_frontend-fix-xs_transaction_end-handling.patch
 hugetlbfs-fix-bug-in-pgoff-overflow-checking.patch
 nfsd-fix-incorrect-umasks.patch
+scsi-scsi_dh-don-t-look-for-null-devices-handlers-by-name.patch
+scsi-qla2xxx-fix-small-memory-leak-in-qla2x00_probe_one-on-probe-failure.patch
+revert-scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch
+apparmor-fix-logging-of-the-existence-test-for-signals.patch
+apparmor-fix-display-of-.ns_name-for-containers.patch
+apparmor-fix-resource-audit-messages-when-auditing-peer.patch
+block-loop-fix-deadlock-after-loop_set_status.patch
+nfit-fix-region-registration-vs-block-data-window-ranges.patch
+s390-qdio-don-t-retry-eqbs-after-ccq-96.patch
+s390-qdio-don-t-merge-error-output-buffers.patch
+s390-ipl-ensure-loadparm-valid-flag-is-set.patch
+s390-compat-fix-setup_frame32.patch
+get_user_pages_fast-return-efault-on-access_ok-failure.patch
+mm-gup_benchmark-handle-gup-failures.patch
+getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch
+bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch
+bluetooth-hci_bcm-treat-interrupt-acpi-resources-as-always-being-active-low.patch
+rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch