From: Greg Kroah-Hartman Date: Tue, 11 Sep 2018 10:15:22 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.156~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=64fb76cb2279463b77014b1ce66561e300d54f35;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch dm-kcopyd-avoid-softlockup-in-run_complete_job.patch fat-validate-i_start-before-using.patch fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch hfs-prevent-crash-on-exit-from-failed-search.patch hfsplus-don-t-return-0-when-fill_super-failed.patch hfsplus-fix-null-dereference-in-hfsplus_lookup.patch ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch net-9p-fix-error-path-of-p9_virtio_probe.patch pci-mvebu-fix-i-o-space-end-address-calculation.patch platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch powerpc-fix-size-calculation-using-resource_size.patch powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch reiserfs-change-j_timestamp-type-to-time64_t.patch s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch scripts-modpost-check-memory-allocation-results.patch scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch selftests-powerpc-kill-child-processes-on-sigint.patch smb3-fix-reset-of-bytes-read-and-written-stats.patch smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch 
staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch tracing-handle-cc_flags_ftrace-more-accurately.patch
---
diff --git a/queue-4.4/btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch b/queue-4.4/btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch
new file mode 100644
index 00000000000..969f8983e38
--- /dev/null
+++ b/queue-4.4/btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch
@@ -0,0 +1,111 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Qu Wenruo +Date: Fri, 22 Jun 2018 12:35:00 +0800 +Subject: btrfs: Don't remove block group that still has pinned down bytes + +From: Qu Wenruo + +[ Upstream commit 43794446548730ac8461be30bbe47d5d027d1d16 ] + +[BUG] +Under certain KVM load and LTP tests, it is possible to hit the +following calltrace if quota is enabled: + +BTRFS critical (device vda2): unable to find logical 8820195328 length 4096 +BTRFS critical (device vda2): unable to find logical 8820195328 length 4096 + +WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30 +CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs] +task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000 +RIP: 0010:blk_status_to_errno+0x1a/0x30 +Call Trace: + submit_extent_page+0x191/0x270 [btrfs] + ? btrfs_create_repair_bio+0x130/0x130 [btrfs] + __do_readpage+0x2d2/0x810 [btrfs] + ? btrfs_create_repair_bio+0x130/0x130 [btrfs] + ? run_one_async_done+0xc0/0xc0 [btrfs] + __extent_read_full_page+0xe7/0x100 [btrfs] + ? run_one_async_done+0xc0/0xc0 [btrfs] + read_extent_buffer_pages+0x1ab/0x2d0 [btrfs] + ? run_one_async_done+0xc0/0xc0 [btrfs] + btree_read_extent_buffer_pages+0x94/0xf0 [btrfs] + read_tree_block+0x31/0x60 [btrfs] + read_block_for_search.isra.35+0xf0/0x2e0 [btrfs] + btrfs_search_slot+0x46b/0xa00 [btrfs] + ? kmem_cache_alloc+0x1a8/0x510 + ? btrfs_get_token_32+0x5b/0x120 [btrfs] + find_parent_nodes+0x11d/0xeb0 [btrfs] + ? leaf_space_used+0xb8/0xd0 [btrfs] + ? btrfs_leaf_free_space+0x49/0x90 [btrfs] + ? 
btrfs_find_all_roots_safe+0x93/0x100 [btrfs] + btrfs_find_all_roots_safe+0x93/0x100 [btrfs] + btrfs_find_all_roots+0x45/0x60 [btrfs] + btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs] + btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs] + btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs] + insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs] + btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs] + ? pick_next_task_fair+0x2cd/0x530 + ? __switch_to+0x92/0x4b0 + btrfs_worker_helper+0x81/0x300 [btrfs] + process_one_work+0x1da/0x3f0 + worker_thread+0x2b/0x3f0 + ? process_one_work+0x3f0/0x3f0 + kthread+0x11a/0x130 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x35/0x40 + +BTRFS critical (device vda2): unable to find logical 8820195328 length 16384 +BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure +BTRFS info (device vda2): forced readonly +BTRFS error (device vda2): pending csums is 2887680 + +[CAUSE] +It's caused by race with block group auto removal: + +- There is a meta block group X, which has only one tree block + The tree block belongs to fs tree 257. +- In current transaction, some operation modified fs tree 257 + The tree block gets COWed, so the block group X is empty, and marked + as unused, queued to be deleted. +- Some workload (like fsync) wakes up cleaner_kthread() + Which will call btrfs_delete_unused_bgs() to remove unused block + groups. + So block group X along its chunk map get removed. +- Some delalloc work finished for fs tree 257 + Quota needs to get the original reference of the extent, which will + read tree blocks of commit root of 257. + Then since the chunk map gets removed, the above warning gets + triggered. + +[FIX] +Just let btrfs_delete_unused_bgs() skip block group which still has +pinned bytes. 
+ +However there is a minor side effect: currently we only queue empty +blocks at update_block_group(), and such empty block group with pinned +bytes won't go through update_block_group() again, such block group +won't be removed, until it gets new extent allocated and removed. + +Signed-off-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -10410,7 +10410,7 @@ void btrfs_delete_unused_bgs(struct btrf + /* Don't want to race with allocators so take the groups_sem */ + down_write(&space_info->groups_sem); + spin_lock(&block_group->lock); +- if (block_group->reserved || ++ if (block_group->reserved || block_group->pinned || + btrfs_block_group_used(&block_group->item) || + block_group->ro || + list_is_singular(&block_group->list)) { diff --git a/queue-4.4/btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch b/queue-4.4/btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch new file mode 100644 index 00000000000..ebaa4f5298c --- /dev/null +++ b/queue-4.4/btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch 
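Review bot: The `block_group->pinned` test added to the skip condition in btrfs_delete_unused_bgs() has a side effect that only the commit message records. A block group that is empty but still has pinned bytes is not queued again, so it stays allocated until a later extent allocation and removal. A short comment at the condition would keep that visible, for example `/* pinned bytes can still be read through the commit root; a skipped group is only retried once update_block_group() queues it again */`. The function body starts and ends outside the hunk.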
@@ -0,0 +1,63 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Qu Wenruo +Date: Tue, 3 Jul 2018 17:10:07 +0800 +Subject: btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized + +From: Qu Wenruo + +[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ] + +Invalid reloc tree can cause kernel NULL pointer dereference when btrfs +does some cleanup of the reloc roots. + +It turns out that fs_info::reloc_ctl can be NULL in +btrfs_recover_relocation() as we allocate relocation control after all +reloc roots have been verified. +So when we hit: note, we haven't called set_reloc_control() thus +fs_info::reloc_ctl is still NULL. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Tested-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/relocation.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1318,18 +1318,19 @@ static void __del_reloc_root(struct btrf + struct mapping_node *node = NULL; + struct reloc_control *rc = root->fs_info->reloc_ctl; + +- spin_lock(&rc->reloc_root_tree.lock); +- rb_node = tree_search(&rc->reloc_root_tree.rb_root, +- root->node->start); +- if (rb_node) { +- node = rb_entry(rb_node, struct mapping_node, rb_node); +- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); ++ if (rc) { ++ spin_lock(&rc->reloc_root_tree.lock); ++ rb_node = tree_search(&rc->reloc_root_tree.rb_root, ++ root->node->start); ++ if (rb_node) { ++ node = rb_entry(rb_node, struct mapping_node, rb_node); ++ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); ++ } ++ spin_unlock(&rc->reloc_root_tree.lock); ++ if (!node) ++ return; ++ BUG_ON((struct btrfs_root *)node->data != root); + } +- spin_unlock(&rc->reloc_root_tree.lock); +- +- if (!node) +- return; +- BUG_ON((struct btrfs_root 
*)node->data != root); + + spin_lock(&root->fs_info->trans_lock); + list_del_init(&root->root_list); diff --git a/queue-4.4/btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch b/queue-4.4/btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch new file mode 100644 index 00000000000..ef004454970 --- /dev/null +++ b/queue-4.4/btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch 
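Review bot: The new `if (rc)` guard in __del_reloc_root() has no comment saying when `fs_info->reloc_ctl` can be NULL, and the commit-message sentence that explains it is truncated ("So when we hit: note, ..."). I would add `/* rc is NULL when btrfs_recover_relocation() cleans up before set_reloc_control() has run */` above the guard. Separately, the `BUG_ON((struct btrfs_root *)node->data != root)` that moved inside the guard still halts the kernel on a mismatch, in a path the commit describes as reachable with an invalid reloc tree. Whether such a mismatch can come from on-disk data is not visible here, so that is worth confirming. The function continues past the hunk.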
@@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Misono Tomohiro +Date: Tue, 31 Jul 2018 16:20:21 +0900 +Subject: btrfs: replace: Reset on-disk dev stats value after replace + +From: Misono Tomohiro + +[ Upstream commit 1e7e1f9e3aba00c9b9c323bfeeddafe69ff21ff6 ] + +on-disk devs stats value is updated in btrfs_run_dev_stats(), +which is called during commit transaction, if device->dev_stats_ccnt +is not zero. + +Since current replace operation does not touch dev_stats_ccnt, +on-disk dev stats value is not updated. Therefore "btrfs device stats" +may return old device's value after umount/mount +(Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish). + +Fix this by just incrementing dev_stats_ccnt in +btrfs_dev_replace_finishing() when replace is succeeded and this will +update the values. + +Signed-off-by: Misono Tomohiro +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/dev-replace.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -574,6 +574,12 @@ static int btrfs_dev_replace_finishing(s + btrfs_rm_dev_replace_unblocked(fs_info); + + /* ++ * Increment dev_stats_ccnt so that btrfs_run_dev_stats() will ++ * update on-disk dev stats value during commit transaction ++ */ ++ atomic_inc(&tgt_device->dev_stats_ccnt); ++ ++ /* + * this is again a consistent state where no dev_replace procedure + * is running, the target device is part of the filesystem, the + * source device is not part of the filesystem anymore and its 1st diff --git a/queue-4.4/cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch b/queue-4.4/cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch new file mode 100644 index 00000000000..f500560374b --- /dev/null +++ b/queue-4.4/cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch 
@@ -0,0 +1,42 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Ronnie Sahlberg +Date: Wed, 22 Aug 2018 12:19:24 +1000 +Subject: cifs: check if SMB2 PDU size has been padded and suppress the warning + +From: Ronnie Sahlberg + +[ Upstream commit e6c47dd0da1e3a484e778046fc10da0b20606a86 ] + +Some SMB2/3 servers, Win2016 but possibly others too, adds padding +not only between PDUs in a compound but also to the final PDU. +This padding extends the PDU to a multiple of 8 bytes. + +Check if the unexpected length looks like this might be the case +and avoid triggering the log messages for : + + "SMB2 server sent bad RFC1001 len %d not %d\n" + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2misc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -185,6 +185,13 @@ smb2_check_message(char *buf, unsigned i + return 0; + + /* ++ * Some windows servers (win2016) will pad also the final ++ * PDU in a compound to 8 bytes. ++ */ ++ if (((clc_len + 7) & ~7) == len) ++ return 0; ++ ++ /* + * MacOS server pads after SMB2.1 write response with 3 bytes + * of junk. Other servers match RFC1001 len to actual + * SMB2/SMB3 frame length (header + smb2 response specific data) diff --git a/queue-4.4/dm-kcopyd-avoid-softlockup-in-run_complete_job.patch b/queue-4.4/dm-kcopyd-avoid-softlockup-in-run_complete_job.patch new file mode 100644 index 00000000000..7f3f64da706 --- /dev/null +++ b/queue-4.4/dm-kcopyd-avoid-softlockup-in-run_complete_job.patch 
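Review bot: The added `if (((clc_len + 7) & ~7) == len) return 0;` in smb2_check_message() accepts a frame up to seven bytes longer than the calculated length, and the extra bytes are server-supplied and never inspected. The comment above it should say so, e.g. `/* the pad bytes are neither validated nor parsed */`, so that later code does not start treating `len` as the extent of valid response data. The declarations of `clc_len` and `len` are outside the hunk; if their types differ in signedness or width, the `& ~7` rounding and the wrap of `clc_len + 7` near the type's maximum deserve a second look.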
@@ -0,0 +1,54 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: John Pittman +Date: Mon, 6 Aug 2018 15:53:12 -0400 +Subject: dm kcopyd: avoid softlockup in run_complete_job + +From: John Pittman + +[ Upstream commit 784c9a29e99eb40b842c29ecf1cc3a79e00fb629 ] + +It was reported that softlockups occur when using dm-snapshot ontop of +slow (rbd) storage. E.g.: + +[ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177] +... +[ 4048.034151] Workqueue: kcopyd do_work [dm_mod] +[ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot] +... +[ 4048.034190] Call Trace: +[ 4048.034196] ? __chunk_is_tracked+0x70/0x70 [dm_snapshot] +[ 4048.034200] run_complete_job+0x5f/0xb0 [dm_mod] +[ 4048.034205] process_jobs+0x91/0x220 [dm_mod] +[ 4048.034210] ? kcopyd_put_pages+0x40/0x40 [dm_mod] +[ 4048.034214] do_work+0x46/0xa0 [dm_mod] +[ 4048.034219] process_one_work+0x171/0x370 +[ 4048.034221] worker_thread+0x1fc/0x3f0 +[ 4048.034224] kthread+0xf8/0x130 +[ 4048.034226] ? max_active_store+0x80/0x80 +[ 4048.034227] ? kthread_bind+0x10/0x10 +[ 4048.034231] ret_from_fork+0x35/0x40 +[ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks + +Fix this by calling cond_resched() after run_complete_job()'s callout to +the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above +trace). + +Signed-off-by: John Pittman +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-kcopyd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-kcopyd.c ++++ b/drivers/md/dm-kcopyd.c +@@ -454,6 +454,8 @@ static int run_complete_job(struct kcopy + if (atomic_dec_and_test(&kc->nr_jobs)) + wake_up(&kc->destroyq); + ++ cond_resched(); ++ + return 0; + } + diff --git a/queue-4.4/fat-validate-i_start-before-using.patch b/queue-4.4/fat-validate-i_start-before-using.patch new file mode 100644 index 00000000000..f96df3bfa16 --- /dev/null 
+++ b/queue-4.4/fat-validate-i_start-before-using.patch 
@@ -0,0 +1,120 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: OGAWA Hirofumi +Date: Tue, 21 Aug 2018 21:59:44 -0700 +Subject: fat: validate ->i_start before using + +From: OGAWA Hirofumi + +[ Upstream commit 0afa9626667c3659ef8bd82d42a11e39fedf235c ] + +On corrupted FATfs may have invalid ->i_start. To handle it, this checks +->i_start before using, and return proper error code. + +Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp +Signed-off-by: OGAWA Hirofumi +Reported-by: Anatoly Trosinenko +Tested-by: Anatoly Trosinenko +Cc: Alan Cox +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fat/cache.c | 19 ++++++++++++------- + fs/fat/fat.h | 5 +++++ + fs/fat/fatent.c | 6 +++--- + 3 files changed, 20 insertions(+), 10 deletions(-) + +--- a/fs/fat/cache.c ++++ b/fs/fat/cache.c +@@ -224,7 +224,8 @@ static inline void cache_init(struct fat + int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus) + { + struct super_block *sb = inode->i_sb; +- const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits; ++ struct msdos_sb_info *sbi = MSDOS_SB(sb); ++ const int limit = sb->s_maxbytes >> sbi->cluster_bits; + struct fat_entry fatent; + struct fat_cache_id cid; + int nr; +@@ -233,6 +234,12 @@ int fat_get_cluster(struct inode *inode, + + *fclus = 0; + *dclus = MSDOS_I(inode)->i_start; ++ if (!fat_valid_entry(sbi, *dclus)) { ++ fat_fs_error_ratelimit(sb, ++ "%s: invalid start cluster (i_pos %lld, start %08x)", ++ __func__, MSDOS_I(inode)->i_pos, *dclus); ++ return -EIO; ++ } + if (cluster == 0) + return 0; + +@@ -249,9 +256,8 @@ int fat_get_cluster(struct inode *inode, + /* prevent the infinite loop of cluster chain */ + if (*fclus > limit) { + fat_fs_error_ratelimit(sb, +- "%s: detected the cluster chain loop" +- " (i_pos %lld)", __func__, +- MSDOS_I(inode)->i_pos); ++ "%s: detected the cluster chain loop (i_pos %lld)", ++ __func__, 
MSDOS_I(inode)->i_pos); + nr = -EIO; + goto out; + } +@@ -261,9 +267,8 @@ int fat_get_cluster(struct inode *inode, + goto out; + else if (nr == FAT_ENT_FREE) { + fat_fs_error_ratelimit(sb, +- "%s: invalid cluster chain (i_pos %lld)", +- __func__, +- MSDOS_I(inode)->i_pos); ++ "%s: invalid cluster chain (i_pos %lld)", ++ __func__, MSDOS_I(inode)->i_pos); + nr = -EIO; + goto out; + } else if (nr == FAT_ENT_EOF) { +--- a/fs/fat/fat.h ++++ b/fs/fat/fat.h +@@ -344,6 +344,11 @@ static inline void fatent_brelse(struct + fatent->fat_inode = NULL; + } + ++static inline bool fat_valid_entry(struct msdos_sb_info *sbi, int entry) ++{ ++ return FAT_START_ENT <= entry && entry < sbi->max_cluster; ++} ++ + extern void fat_ent_access_init(struct super_block *sb); + extern int fat_ent_read(struct inode *inode, struct fat_entry *fatent, + int entry); +--- a/fs/fat/fatent.c ++++ b/fs/fat/fatent.c +@@ -23,7 +23,7 @@ static void fat12_ent_blocknr(struct sup + { + struct msdos_sb_info *sbi = MSDOS_SB(sb); + int bytes = entry + (entry >> 1); +- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry); ++ WARN_ON(!fat_valid_entry(sbi, entry)); + *offset = bytes & (sb->s_blocksize - 1); + *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits); + } +@@ -33,7 +33,7 @@ static void fat_ent_blocknr(struct super + { + struct msdos_sb_info *sbi = MSDOS_SB(sb); + int bytes = (entry << sbi->fatent_shift); +- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry); ++ WARN_ON(!fat_valid_entry(sbi, entry)); + *offset = bytes & (sb->s_blocksize - 1); + *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits); + } +@@ -353,7 +353,7 @@ int fat_ent_read(struct inode *inode, st + int err, offset; + sector_t blocknr; + +- if (entry < FAT_START_ENT || sbi->max_cluster <= entry) { ++ if (!fat_valid_entry(sbi, entry)) { + fatent_brelse(fatent); + fat_fs_error(sb, "invalid access to FAT (entry 0x%08x)", entry); + return -EIO; 
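Review bot: The new helper fat_valid_entry() in fs/fat/fat.h becomes the shared range check for cluster numbers that originate on disk, but it has no comment stating the accepted range or that `max_cluster` is exclusive. I would add `/* true if entry is a usable cluster number: FAT_START_ENT <= entry < sbi->max_cluster */` above it. In fat12_ent_blocknr() and fat_ent_blocknr() the check remains a `WARN_ON()` and the block number is still computed from the entry afterwards. Their callers are outside these hunks, so it is worth confirming that every path rejects an invalid entry first, as fat_ent_read() does, since a warning reachable from a corrupted image is a problem on systems that panic on warnings.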
diff --git a/queue-4.4/fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch b/queue-4.4/fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch new file mode 100644 index 00000000000..3dba6e1327c --- /dev/null +++ b/queue-4.4/fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Jann Horn +Date: Tue, 21 Aug 2018 22:00:58 -0700 +Subject: fork: don't copy inconsistent signal handler state to child + +From: Jann Horn + +[ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ] + +Before this change, if a multithreaded process forks while one of its +threads is changing a signal handler using sigaction(), the memcpy() in +copy_sighand() can race with the struct assignment in do_sigaction(). It +isn't clear whether this can cause corruption of the userspace signal +handler pointer, but it definitely can cause inconsistency between +different fields of struct sigaction. + +Take the appropriate spinlock to avoid this. + +I have tested that this patch prevents inconsistency between sa_sigaction +and sa_flags, which is possible before this patch. + +Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com +Signed-off-by: Jann Horn +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Rik van Riel +Cc: "Peter Zijlstra (Intel)" +Cc: Kees Cook +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/fork.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1109,7 +1109,9 @@ static int copy_sighand(unsigned long cl + return -ENOMEM; + + atomic_set(&sig->count, 1); ++ spin_lock_irq(¤t->sighand->siglock); + memcpy(sig->action, current->sighand->action, sizeof(sig->action)); ++ spin_unlock_irq(¤t->sighand->siglock); + return 0; + } + 
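Review bot: The siglock taken around the memcpy() in copy_sighand() has no comment, and without the commit message a lock around a plain copy looks unnecessary and is easy to remove in a cleanup. I suggest `/* hold siglock so a concurrent do_sigaction() cannot change action[] mid-copy */` above the spin_lock_irq() line. The page shows the lock argument as `¤t->sighand->siglock`, which looks like an HTML-entity rendering of `&current`. The patch should be taken from the repository rather than from this copy.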
diff --git a/queue-4.4/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch b/queue-4.4/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch
new file mode 100644
index 00000000000..8b3d559cf64
--- /dev/null
+++ b/queue-4.4/fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch
@@ -0,0 +1,57 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Tetsuo Handa +Date: Fri, 17 Aug 2018 15:44:34 -0700 +Subject: fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() + +From: Tetsuo Handa + +[ Upstream commit 6cd00a01f0c1ae6a852b09c59b8dd55cc6c35d1d ] + +Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes +are initialized at __d_alloc(), we can't copy the whole size +unconditionally. + + WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50) + 636f6e66696766732e746d70000000000010000000000000020000000188ffff + i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u + ^ + RIP: 0010:take_dentry_name_snapshot+0x28/0x50 + RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246 + RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002 + RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60 + RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001 + R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00 + R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0 + take_dentry_name_snapshot+0x28/0x50 + vfs_rename+0x128/0x870 + SyS_rename+0x3b2/0x3d0 + entry_SYSCALL_64_fastpath+0x1a/0xa4 + 0xffffffffffffffff + +Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Cc: Vegard Nossum +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -278,7 +278,8 @@ void take_dentry_name_snapshot(struct na + spin_unlock(&dentry->d_lock); + name->name = p->name; + } else { +- memcpy(name->inline_name, 
dentry->d_iname, DNAME_INLINE_LEN); ++ memcpy(name->inline_name, dentry->d_iname, ++ dentry->d_name.len + 1); + spin_unlock(&dentry->d_lock); + name->name = name->inline_name; + } diff --git a/queue-4.4/hfs-prevent-crash-on-exit-from-failed-search.patch b/queue-4.4/hfs-prevent-crash-on-exit-from-failed-search.patch new file mode 100644 index 00000000000..212a577eec8 --- /dev/null +++ b/queue-4.4/hfs-prevent-crash-on-exit-from-failed-search.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: "Ernesto A. Fernández" +Date: Thu, 23 Aug 2018 17:00:31 -0700 +Subject: hfs: prevent crash on exit from failed search + +From: "Ernesto A. Fernández" + +[ Upstream commit dc2572791d3a41bab94400af2b6bca9d71ccd303 ] + +hfs_find_exit() expects fd->bnode to be NULL after a search has failed. +hfs_brec_insert() may instead set it to an error-valued pointer. Fix +this to prevent a crash. + +Link: http://lkml.kernel.org/r/53d9749a029c41b4016c495fc5838c9dba3afc52.1530294815.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Cc: Anatoly Trosinenko +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfs/brec.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -74,9 +74,10 @@ int hfs_brec_insert(struct hfs_find_data + if (!fd->bnode) { + if (!tree->root) + hfs_btree_inc_height(tree); +- fd->bnode = hfs_bnode_find(tree, tree->leaf_head); +- if (IS_ERR(fd->bnode)) +- return PTR_ERR(fd->bnode); ++ node = hfs_bnode_find(tree, tree->leaf_head); ++ if (IS_ERR(node)) ++ return PTR_ERR(node); ++ fd->bnode = node; + fd->record = -1; + } + new_node = NULL; diff --git a/queue-4.4/hfsplus-don-t-return-0-when-fill_super-failed.patch b/queue-4.4/hfsplus-don-t-return-0-when-fill_super-failed.patch new file mode 100644 index 00000000000..12d246dd5eb --- /dev/null 
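Review bot: The memcpy() length in take_dentry_name_snapshot() changes from the constant DNAME_INLINE_LEN to `dentry->d_name.len + 1`, so the copy into `name->inline_name` is now bounded only by the invariant that an inline name fits the inline buffer. That invariant is established by the branch condition, which is outside the hunk, so I would state it at the copy: `/* inline name: d_name.len + 1 <= DNAME_INLINE_LEN */`. The tail of `inline_name` is also left unwritten after this change. Any consumer that copies or compares the whole array rather than the NUL-terminated string would read uninitialized bytes, which is worth checking in the users of the snapshot structure.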
+++ b/queue-4.4/hfsplus-don-t-return-0-when-fill_super-failed.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Tetsuo Handa +Date: Tue, 21 Aug 2018 21:59:12 -0700 +Subject: hfsplus: don't return 0 when fill_super() failed + +From: Tetsuo Handa + +[ Upstream commit 7464726cb5998846306ed0a7d6714afb2e37b25d ] + +syzbot is reporting NULL pointer dereference at mount_fs() [1]. This is +because hfsplus_fill_super() is by error returning 0 when +hfsplus_fill_super() detected invalid filesystem image, and mount_bdev() +is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL, +and mount_fs() is accessing root->d_sb because IS_ERR(root) == false if +root == NULL. Fix this by returning -EINVAL when hfsplus_fill_super() +detected invalid filesystem image. + +[1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0 + +Link: http://lkml.kernel.org/r/d83ce31a-874c-dd5b-f790-41405983a5be@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Ernesto A. Fernández +Reviewed-by: Andrew Morton +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -521,8 +521,10 @@ static int hfsplus_fill_super(struct sup + goto out_put_root; + if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { + hfs_find_exit(&fd); +- if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) ++ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) { ++ err = -EINVAL; + goto out_put_root; ++ } + inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id)); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); diff --git a/queue-4.4/hfsplus-fix-null-dereference-in-hfsplus_lookup.patch b/queue-4.4/hfsplus-fix-null-dereference-in-hfsplus_lookup.patch new file mode 100644 index 00000000000..98b9de866c4 --- /dev/null 
+++ b/queue-4.4/hfsplus-fix-null-dereference-in-hfsplus_lookup.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: "Ernesto A. Fernández" +Date: Thu, 23 Aug 2018 17:00:25 -0700 +Subject: hfsplus: fix NULL dereference in hfsplus_lookup() + +From: "Ernesto A. Fernández" + +[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ] + +An HFS+ filesystem can be mounted read-only without having a metadata +directory, which is needed to support hardlinks. But if the catalog +data is corrupted, a directory lookup may still find dentries claiming +to be hardlinks. + +hfsplus_lookup() does check that ->hidden_dir is not NULL in such a +situation, but mistakenly does so after dereferencing it for the first +time. Reorder this check to prevent a crash. + +This happens when looking up corrupted catalog data (dentry) on a +filesystem with no metadata directory (this could only ever happen on a +read-only mount). Wen Xu sent the replication steps in detail to the +fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297 + +Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf +Signed-off-by: Ernesto A. Fernández +Reported-by: Wen Xu +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -77,13 +77,13 @@ again: + cpu_to_be32(HFSP_HARDLINK_TYPE) && + entry.file.user_info.fdCreator == + cpu_to_be32(HFSP_HFSPLUS_CREATOR) && ++ HFSPLUS_SB(sb)->hidden_dir && + (entry.file.create_date == + HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)-> + create_date || + entry.file.create_date == + HFSPLUS_I(d_inode(sb->s_root))-> +- create_date) && +- HFSPLUS_SB(sb)->hidden_dir) { ++ create_date)) { + struct qstr str; + char name[32]; + 
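Review bot: The fix in hfsplus_lookup() depends on `HFSPLUS_SB(sb)->hidden_dir` being tested before the `HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->create_date` comparison in the same `&&` chain, and nothing in the code says that the order matters. A comment on the moved operand, e.g. `/* may be NULL on a read-only mount without a metadata directory; must precede the dereference below */`, would stop a later tidy-up from reintroducing the NULL dereference on corrupted catalog data. The condition starts above the hunk and its body continues below it.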
diff --git a/queue-4.4/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch b/queue-4.4/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch
new file mode 100644
index 00000000000..c0e36e9e78f
--- /dev/null
+++ b/queue-4.4/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch
@@ -0,0 +1,83 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Tan Hu +Date: Wed, 25 Jul 2018 15:23:07 +0800 +Subject: ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() + +From: Tan Hu + +[ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ] + +We came across infinite loop in ipvs when using ipvs in docker +env. + +When ipvs receives new packets and cannot find an ipvs connection, +it will create a new connection, then if the dest is unavailable +(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently. + +But if the dropped packet is the first packet of this connection, +the connection control timer never has a chance to start and the +ipvs connection cannot be released. This will lead to memory leak, or +infinite loop in cleanup_net() when net namespace is released like +this: + + ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs] + __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs] + ops_exit_list at ffffffff81567a49 + cleanup_net at ffffffff81568b40 + process_one_work at ffffffff810a851b + worker_thread at ffffffff810a9356 + kthread at ffffffff810b0b6f + ret_from_fork at ffffffff81697a18 + +race condition: + CPU1 CPU2 + ip_vs_in() + ip_vs_conn_new() + ip_vs_del_dest() + __ip_vs_unlink_dest() + ~IP_VS_DEST_F_AVAILABLE + cp->dest && !IP_VS_DEST_F_AVAILABLE + __ip_vs_conn_put + ... + cleanup_net ---> infinite looping + +Fix this by checking whether the timer already started. 
+ +Signed-off-by: Tan Hu +Reviewed-by: Jiang Biao +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1809,13 +1809,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsign + if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { + /* the destination server is not available */ + +- if (sysctl_expire_nodest_conn(ipvs)) { ++ __u32 flags = cp->flags; ++ ++ /* when timer already started, silently drop the packet.*/ ++ if (timer_pending(&cp->timer)) ++ __ip_vs_conn_put(cp); ++ else ++ ip_vs_conn_put(cp); ++ ++ if (sysctl_expire_nodest_conn(ipvs) && ++ !(flags & IP_VS_CONN_F_ONE_PACKET)) { + /* try to expire the connection immediately */ + ip_vs_conn_expire_now(cp); + } +- /* don't restart its timer, and silently +- drop the packet. */ +- __ip_vs_conn_put(cp); ++ + return NF_DROP; + } + diff --git a/queue-4.4/irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch b/queue-4.4/irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch new file mode 100644 index 00000000000..61f4bf5ac20 --- /dev/null +++ b/queue-4.4/irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch 
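Review bot: In the unavailable-destination branch of ip_vs_in(), `ip_vs_conn_expire_now(cp)` now runs after the reference has been dropped by `__ip_vs_conn_put(cp)` or `ip_vs_conn_put(cp)`, so `cp` is used without a reference held. The cached `flags` value suggests that a one-packet connection may already be gone after the put. For other connections the access presumably relies on the caller's RCU read-side section, which is not visible in the hunk. That should be written down at the call, e.g. `/* no reference held: cp is only safe to touch here inside the RCU read-side section; one-packet conns are released by ip_vs_conn_put() */`. The `timer_pending()` test followed by the put is also check-then-act, so it is worth confirming that the timer firing between the two cannot leave a connection without a running timer.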
@@ -0,0 +1,56 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Jonas Gorski +Date: Thu, 9 Aug 2018 10:59:01 +0200 +Subject: irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP + +From: Jonas Gorski + +[ Upstream commit 0702bc4d2fe793018ad9aa0eb14bff7f526c4095 ] + +When compiling bmips with SMP disabled, the build fails with: + +drivers/irqchip/irq-bcm7038-l1.o: In function `bcm7038_l1_cpu_offline': +drivers/irqchip/irq-bcm7038-l1.c:242: undefined reference to `irq_set_affinity_locked' +make[5]: *** [vmlinux] Error 1 + +Fix this by adding and setting bcm7038_l1_cpu_offline only when actually +compiling for SMP. It wouldn't have been used anyway, as it requires +CPU_HOTPLUG, which in turn requires SMP. + +Fixes: 34c535793bcb ("irqchip/bcm7038-l1: Implement irq_cpu_offline() callback") +Signed-off-by: Jonas Gorski +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-bcm7038-l1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/irqchip/irq-bcm7038-l1.c ++++ b/drivers/irqchip/irq-bcm7038-l1.c +@@ -216,6 +216,7 @@ static int bcm7038_l1_set_affinity(struc + return 0; + } + ++#ifdef CONFIG_SMP + static void bcm7038_l1_cpu_offline(struct irq_data *d) + { + struct cpumask *mask = irq_data_get_affinity_mask(d); +@@ -240,6 +241,7 @@ static void bcm7038_l1_cpu_offline(struc + } + irq_set_affinity_locked(d, &new_affinity, false); + } ++#endif + + static int __init bcm7038_l1_init_one(struct device_node *dn, + unsigned int idx, +@@ -292,7 +294,9 @@ static struct irq_chip bcm7038_l1_irq_ch + .irq_mask = bcm7038_l1_mask, + .irq_unmask = bcm7038_l1_unmask, + .irq_set_affinity = bcm7038_l1_set_affinity, ++#ifdef CONFIG_SMP + .irq_cpu_offline = bcm7038_l1_cpu_offline, ++#endif + }; + + static int bcm7038_l1_map(struct irq_domain *d, unsigned int virq, 
diff --git a/queue-4.4/mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch b/queue-4.4/mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch
new file mode 100644
index 00000000000..1f24363c205
--- /dev/null
+++ b/queue-4.4/mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch
@@ -0,0 +1,59 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Guenter Roeck +Date: Fri, 3 Aug 2018 20:59:51 -0700 +Subject: mfd: sm501: Set coherent_dma_mask when creating subdevices + +From: Guenter Roeck + +[ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ] + +Instantiating the sm501 OHCI subdevice results in a kernel warning. + +sm501-usb sm501-usb: SM501 OHCI +sm501-usb sm501-usb: new USB bus registered, assigned bus number 1 +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 +ohci_init+0x194/0x2d8 +Modules linked in: + +CPU: 0 PID: 1 Comm: swapper Tainted: G W +4.18.0-rc7-00178-g0b5b1f9a78b5 #1 +PC is at ohci_init+0x194/0x2d8 +PR is at ohci_init+0x168/0x2d8 +PC : 8c27844c SP : 8f81dd94 SR : 40008001 +TEA : 29613060 +R0 : 00000000 R1 : 00000000 R2 : 00000000 R3 : 00000202 +R4 : 8fa98b88 R5 : 8c277e68 R6 : 00000000 R7 : 00000000 +R8 : 8f965814 R9 : 8c388100 R10 : 8fa98800 R11 : 8fa98928 +R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c +MACH: 00000096 MACL: 0000017c GBR : 00000000 PR : 8c278420 + +Call trace: + [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec + [<(ptrval)>] _dev_info+0x0/0x54 + [<(ptrval)>] arch_local_save_flags+0x0/0x8 + [<(ptrval)>] arch_local_irq_restore+0x0/0x24 + [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8 +... + +Initialize coherent_dma_mask when creating SM501 subdevices to fix +the problem. + +Fixes: b6d6454fdb66f ("mfd: SM501 core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/sm501.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -714,6 +714,7 @@ sm501_create_subdev(struct sm501_devdata + smdev->pdev.name = name; + smdev->pdev.id = sm->pdev_id; + smdev->pdev.dev.parent = sm->dev; ++ smdev->pdev.dev.coherent_dma_mask = 0xffffffff; + + if (res_count) { + smdev->pdev.resource = (struct resource *)(smdev+1); 
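Review bot: The added assignment in sm501_create_subdev() spells the mask as the bare constant `0xffffffff`, which hides the intent and is easy to miscount. The kernel's `DMA_BIT_MASK(32)` macro says directly that this is a 32-bit coherent DMA mask: `smdev->pdev.dev.coherent_dma_mask = DMA_BIT_MASK(32);`. The macro comes from `<linux/dma-mapping.h>`, and whether sm501.c already includes that header cannot be seen from the hunk. sm501_create_subdev() continues outside the hunk.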
diff --git a/queue-4.4/mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch b/queue-4.4/mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch new file mode 100644 index 00000000000..8e978cb3504 --- /dev/null +++ b/queue-4.4/mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Andrey Ryabinin +Date: Fri, 17 Aug 2018 15:46:57 -0700 +Subject: mm/fadvise.c: fix signed overflow UBSAN complaint + +From: Andrey Ryabinin + +[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ] + +Signed integer overflow is undefined according to the C standard. The +overflow in ksys_fadvise64_64() is deliberate, but since it is signed +overflow, UBSAN complains: + + UBSAN: Undefined behaviour in mm/fadvise.c:76:10 + signed integer overflow: + 4 + 9223372036854775805 cannot be represented in type 'long long int' + +Use unsigned types to do math. Unsigned overflow is defined so UBSAN +will not complain about it. This patch doesn't change generated code. + +[akpm@linux-foundation.org: add comment explaining the casts] +Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com +Signed-off-by: Andrey Ryabinin +Reported-by: +Reviewed-by: Andrew Morton +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/fadvise.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/fadvise.c ++++ b/mm/fadvise.c +@@ -68,8 +68,12 @@ SYSCALL_DEFINE4(fadvise64_64, int, fd, l + goto out; + } + +- /* Careful about overflows. Len == 0 means "as much as possible" */ +- endbyte = offset + len; ++ /* ++ * Careful about overflows. Len == 0 means "as much as possible". Use ++ * unsigned math because signed overflows are undefined and UBSan ++ * complains. ++ */ ++ endbyte = (u64)offset + (u64)len; + if (!len || endbyte < len) + endbyte = -1; + else 
diff --git a/queue-4.4/net-9p-fix-error-path-of-p9_virtio_probe.patch b/queue-4.4/net-9p-fix-error-path-of-p9_virtio_probe.patch new file mode 100644 index 00000000000..aedceec02ea --- /dev/null +++ b/queue-4.4/net-9p-fix-error-path-of-p9_virtio_probe.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Jean-Philippe Brucker +Date: Tue, 17 Jul 2018 19:14:45 -0700 +Subject: net/9p: fix error path of p9_virtio_probe + +From: Jean-Philippe Brucker + +[ Upstream commit 92aef4675d5b1b55404e1532379e343bed0e5cf2 ] + +Currently when virtio_find_single_vq fails, we go through del_vqs which +throws a warning (Trying to free already-free IRQ). Skip del_vqs if vq +allocation failed. + +Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Greg Kurz +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Signed-off-by: Andrew Morton +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -574,7 +574,7 @@ static int p9_virtio_probe(struct virtio + chan->vq = virtio_find_single_vq(vdev, req_done, "requests"); + if (IS_ERR(chan->vq)) { + err = PTR_ERR(chan->vq); +- goto out_free_vq; ++ goto out_free_chan; + } + chan->vq->vdev->priv = chan; + spin_lock_init(&chan->lock); +@@ -627,6 +627,7 @@ out_free_tag: + kfree(tag); + out_free_vq: + vdev->config->del_vqs(vdev); ++out_free_chan: + kfree(chan); + fail: + return err; diff --git a/queue-4.4/pci-mvebu-fix-i-o-space-end-address-calculation.patch b/queue-4.4/pci-mvebu-fix-i-o-space-end-address-calculation.patch new file mode 100644 index 00000000000..2eb473f8757 --- /dev/null +++ b/queue-4.4/pci-mvebu-fix-i-o-space-end-address-calculation.patch 
@@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Thomas Petazzoni +Date: Fri, 3 Aug 2018 16:38:44 +0200 +Subject: PCI: mvebu: Fix I/O space end address calculation + +From: Thomas Petazzoni + +[ Upstream commit dfd0309fd7b30a5baffaf47b2fccb88b46d64d69 ] + +pcie->realio.end should be the address of last byte of the area, +therefore using resource_size() of another resource is not correct, we +must substract 1 to get the address of the last byte. + +Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout") +Signed-off-by: Thomas Petazzoni +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/host/pci-mvebu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/host/pci-mvebu.c ++++ b/drivers/pci/host/pci-mvebu.c +@@ -1235,7 +1235,7 @@ static int mvebu_pcie_probe(struct platf + pcie->realio.start = PCIBIOS_MIN_IO; + pcie->realio.end = min_t(resource_size_t, + IO_SPACE_LIMIT, +- resource_size(&pcie->io)); ++ resource_size(&pcie->io) - 1); + } else + pcie->realio = pcie->io; + diff --git a/queue-4.4/platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch b/queue-4.4/platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch new file mode 100644 index 00000000000..29ce43d9155 --- /dev/null +++ b/queue-4.4/platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch 
@@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Aleh Filipovich +Date: Fri, 10 Aug 2018 22:07:25 +0200 +Subject: platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 + +From: Aleh Filipovich + +[ Upstream commit 880b29ac107d15644bf4da228376ba3cd6af6d71 ] + +Add entry to WMI keymap for lid flip event on Asus UX360. + +On Asus Zenbook ux360 flipping lid from/to tablet mode triggers +keyscan code 0xfa which cannot be handled and results in kernel +log message "Unknown key fa pressed". + +Signed-off-by: Aleh Filipovich +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-nb-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -392,6 +392,7 @@ static const struct key_entry asus_nb_wm + { KE_KEY, 0xC4, { KEY_KBDILLUMUP } }, + { KE_KEY, 0xC5, { KEY_KBDILLUMDOWN } }, + { KE_IGNORE, 0xC6, }, /* Ambient Light Sensor notification */ ++ { KE_KEY, 0xFA, { KEY_PROG2 } }, /* Lid flip action */ + { KE_END, 0}, + }; + diff --git a/queue-4.4/powerpc-fix-size-calculation-using-resource_size.patch b/queue-4.4/powerpc-fix-size-calculation-using-resource_size.patch new file mode 100644 index 00000000000..c0eca233b93 --- /dev/null +++ b/queue-4.4/powerpc-fix-size-calculation-using-resource_size.patch 
@@ -0,0 +1,33 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Dan Carpenter +Date: Wed, 8 Aug 2018 14:57:24 +0300 +Subject: powerpc: Fix size calculation using resource_size() + +From: Dan Carpenter + +[ Upstream commit c42d3be0c06f0c1c416054022aa535c08a1f9b39 ] + +The problem is the the calculation should be "end - start + 1" but the +plus one is missing in this calculation. + +Fixes: 8626816e905e ("powerpc: add support for MPIC message register API") +Signed-off-by: Dan Carpenter +Reviewed-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/sysdev/mpic_msgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/mpic_msgr.c ++++ b/arch/powerpc/sysdev/mpic_msgr.c +@@ -196,7 +196,7 @@ static int mpic_msgr_probe(struct platfo + + /* IO map the message register block. */ + of_address_to_resource(np, 0, &rsrc); +- msgr_block_addr = ioremap(rsrc.start, rsrc.end - rsrc.start); ++ msgr_block_addr = ioremap(rsrc.start, resource_size(&rsrc)); + if (!msgr_block_addr) { + dev_err(&dev->dev, "Failed to iomap MPIC message registers"); + return -EFAULT; diff --git a/queue-4.4/powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch b/queue-4.4/powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch new file mode 100644 index 00000000000..2b09763e0ea --- /dev/null +++ b/queue-4.4/powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch 
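Review bot: The new `ioremap(rsrc.start, resource_size(&rsrc))` in mpic_msgr_probe() consumes `rsrc` even though the return value of `of_address_to_resource(np, 0, &rsrc)` on the line above is discarded. A failed lookup would then map whatever the structure happens to contain. Checking the call first closes that: `if (of_address_to_resource(np, 0, &rsrc)) return -EFAULT;`, reusing the error code the function already returns for a failed mapping. The function starts and ends outside the hunk, so the declaration of `rsrc` and any cleanup needed at that point should be confirmed.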
@@ -0,0 +1,38 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Mahesh Salgaonkar +Date: Wed, 4 Jul 2018 23:27:02 +0530 +Subject: powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX. + +From: Mahesh Salgaonkar + +[ Upstream commit 74e96bf44f430cf7a01de19ba6cf49b361cdfd6e ] + +The global mce data buffer that used to copy rtas error log is of 2048 +(RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read +extended_log_length from rtas error log header, then use max of +extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied. +Ideally the platform (phyp) will never send extended error log with +size > 2048. But if that happens, then we have a risk of buffer overrun +and corruption. Fix this by using min_t instead. + +Fixes: d368514c3097 ("powerpc: Fix corruption when grabbing FWNMI data") +Reported-by: Michal Suchanek +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/ras.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -311,7 +311,7 @@ static struct rtas_error_log *fwnmi_get_ + int len, error_log_length; + + error_log_length = 8 + rtas_error_extended_log_length(h); +- len = max_t(int, error_log_length, RTAS_ERROR_LOG_MAX); ++ len = min_t(int, error_log_length, RTAS_ERROR_LOG_MAX); + memset(global_mce_data_buf, 0, RTAS_ERROR_LOG_MAX); + memcpy(global_mce_data_buf, h, len); + errhdr = (struct rtas_error_log *)global_mce_data_buf; diff --git a/queue-4.4/reiserfs-change-j_timestamp-type-to-time64_t.patch b/queue-4.4/reiserfs-change-j_timestamp-type-to-time64_t.patch new file mode 100644 index 00000000000..8a3d832c79d --- /dev/null +++ b/queue-4.4/reiserfs-change-j_timestamp-type-to-time64_t.patch 
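Review bot: The clamp on `len` is done in signed arithmetic, so `min_t(int, error_log_length, RTAS_ERROR_LOG_MAX)` bounds only the upper side. If `8 + rtas_error_extended_log_length(h)` ever comes out negative as an `int`, `len` stays negative and `memcpy()` receives it as a very large size. The helper's return type is not visible here, but the length is read from the firmware-supplied header. Comparing unsigned keeps the copy within the `RTAS_ERROR_LOG_MAX`-sized buffer for every header value: `len = min_t(u32, error_log_length, RTAS_ERROR_LOG_MAX);`. The enclosing function (its name is truncated in the hunk header) continues outside the hunk.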
@@ -0,0 +1,39 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Arnd Bergmann +Date: Tue, 21 Aug 2018 21:59:34 -0700 +Subject: reiserfs: change j_timestamp type to time64_t + +From: Arnd Bergmann + +[ Upstream commit 8b73ce6a4bae4fe12bcb2c361c0da4183c2e1b6f ] + +This uses the deprecated time_t type but is write-only, and could be +removed, but as Jeff explains, having a timestamp can be usefule for +post-mortem analysis in crash dumps. + +In order to remove one of the last instances of time_t, this changes the +type to time64_t, same as j_trans_start_time. + +Link: http://lkml.kernel.org/r/20180622133315.221210-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann +Cc: Jan Kara +Cc: Jeff Mahoney +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/reiserfs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/reiserfs/reiserfs.h ++++ b/fs/reiserfs/reiserfs.h +@@ -270,7 +270,7 @@ struct reiserfs_journal_list { + + struct mutex j_commit_mutex; + unsigned int j_trans_id; +- time_t j_timestamp; ++ time64_t j_timestamp; /* write-only but useful for crash dump analysis */ + struct reiserfs_list_bitmap *j_list_bitmap; + struct buffer_head *j_commit_bh; /* commit buffer head */ + struct reiserfs_journal_cnode *j_realblock; diff --git a/queue-4.4/s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch b/queue-4.4/s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch new file mode 100644 index 00000000000..19af0e673c1 --- /dev/null +++ b/queue-4.4/s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch 
@@ -0,0 +1,37 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Stefan Haberland +Date: Wed, 25 Jul 2018 14:00:47 +0200 +Subject: s390/dasd: fix hanging offline processing due to canceled worker + +From: Stefan Haberland + +[ Upstream commit 669f3765b755fd8739ab46ce3a9c6292ce8b3d2a ] + +During offline processing two worker threads are canceled without +freeing the device reference which leads to a hanging offline process. + +Reviewed-by: Jan Hoeppner +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -2101,8 +2101,11 @@ static int dasd_eckd_basic_to_ready(stru + + static int dasd_eckd_online_to_ready(struct dasd_device *device) + { +- cancel_work_sync(&device->reload_device); +- cancel_work_sync(&device->kick_validate); ++ if (cancel_work_sync(&device->reload_device)) ++ dasd_put_device(device); ++ if (cancel_work_sync(&device->kick_validate)) ++ dasd_put_device(device); ++ + return 0; + }; + diff --git a/queue-4.4/scripts-modpost-check-memory-allocation-results.patch b/queue-4.4/scripts-modpost-check-memory-allocation-results.patch new file mode 100644 index 00000000000..e9d3ab0a50b --- /dev/null +++ b/queue-4.4/scripts-modpost-check-memory-allocation-results.patch 
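Review bot: The two `if (cancel_work_sync(...)) dasd_put_device(device);` pairs in dasd_eckd_online_to_ready() depend on an invariant the code does not state. Whoever queues `reload_device` or `kick_validate` must take a device reference that the worker releases when it runs. The commit message implies this, but the queuing side is outside the hunk. A comment above the first check, such as `/* a cancelled worker never runs, so drop the reference taken when it was queued */`, would stop a later cleanup from removing the puts as redundant.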
@@ -0,0 +1,62 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Randy Dunlap +Date: Wed, 15 Aug 2018 12:30:38 -0700 +Subject: scripts: modpost: check memory allocation results + +From: Randy Dunlap + +[ Upstream commit 1f3aa9002dc6a0d59a4b599b4fc8f01cf43ef014 ] + +Fix missing error check for memory allocation functions in +scripts/mod/modpost.c. + +Fixes kernel bugzilla #200319: +https://bugzilla.kernel.org/show_bug.cgi?id=200319 + +Signed-off-by: Randy Dunlap +Cc: Yuexing Wang +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/mod/modpost.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -649,7 +649,7 @@ static void handle_modversions(struct mo + if (ELF_ST_TYPE(sym->st_info) == STT_SPARC_REGISTER) + break; + if (symname[0] == '.') { +- char *munged = strdup(symname); ++ char *munged = NOFAIL(strdup(symname)); + munged[0] = '_'; + munged[1] = toupper(munged[1]); + symname = munged; +@@ -1311,7 +1311,7 @@ static Elf_Sym *find_elf_symbol2(struct + static char *sec2annotation(const char *s) + { + if (match(s, init_exit_sections)) { +- char *p = malloc(20); ++ char *p = NOFAIL(malloc(20)); + char *r = p; + + *p++ = '_'; +@@ -1331,7 +1331,7 @@ static char *sec2annotation(const char * + strcat(p, " "); + return r; + } else { +- return strdup(""); ++ return NOFAIL(strdup("")); + } + } + +@@ -2032,7 +2032,7 @@ void buf_write(struct buffer *buf, const + { + if (buf->size - buf->pos < len) { + buf->size += len + SZ; +- buf->p = realloc(buf->p, buf->size); ++ buf->p = NOFAIL(realloc(buf->p, buf->size)); + } + strncpy(buf->p + buf->pos, s, len); + buf->pos += len; diff --git a/queue-4.4/scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch b/queue-4.4/scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch new file mode 100644 index 00000000000..9f75f6d0853 --- /dev/null +++ b/queue-4.4/scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch 
@@ -0,0 +1,36 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Dan Carpenter +Date: Wed, 8 Aug 2018 17:29:09 +0300 +Subject: scsi: aic94xx: fix an error code in aic94xx_init() + +From: Dan Carpenter + +[ Upstream commit 0756c57bce3d26da2592d834d8910b6887021701 ] + +We accidentally return success instead of -ENOMEM on this error path. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Johannes Thumshirn +Reviewed-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aic94xx/aic94xx_init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/aic94xx/aic94xx_init.c ++++ b/drivers/scsi/aic94xx/aic94xx_init.c +@@ -1031,8 +1031,10 @@ static int __init aic94xx_init(void) + + aic94xx_transport_template = + sas_domain_attach_transport(&aic94xx_transport_functions); +- if (!aic94xx_transport_template) ++ if (!aic94xx_transport_template) { ++ err = -ENOMEM; + goto out_destroy_caches; ++ } + + err = pci_register_driver(&aic94xx_pci_driver); + if (err) diff --git a/queue-4.4/selftests-powerpc-kill-child-processes-on-sigint.patch b/queue-4.4/selftests-powerpc-kill-child-processes-on-sigint.patch new file mode 100644 index 00000000000..5e3f9c12559 --- /dev/null +++ b/queue-4.4/selftests-powerpc-kill-child-processes-on-sigint.patch 
@@ -0,0 +1,72 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Breno Leitao +Date: Tue, 7 Aug 2018 11:15:39 -0300 +Subject: selftests/powerpc: Kill child processes on SIGINT + +From: Breno Leitao + +[ Upstream commit 7c27a26e1ed5a7dd709aa19685d2c98f64e1cf0c ] + +There are some powerpc selftests, as tm/tm-unavailable, that run for a long +period (>120 seconds), and if it is interrupted, as pressing CRTL-C +(SIGINT), the foreground process (harness) dies but the child process and +threads continue to execute (with PPID = 1 now) in background. + +In this case, you'd think the whole test exited, but there are remaining +threads and processes being executed in background. Sometimes these +zombies processes are doing annoying things, as consuming the whole CPU or +dumping things to STDOUT. + +This patch fixes this problem by attaching an empty signal handler to +SIGINT in the harness process. This handler will interrupt (EINTR) the +parent process waitpid() call, letting the code to follow through the +normal flow, which will kill all the processes in the child process group. + +This patch also fixes a typo. 
+ +Signed-off-by: Breno Leitao +Signed-off-by: Gustavo Romero +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/powerpc/harness.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/powerpc/harness.c ++++ b/tools/testing/selftests/powerpc/harness.c +@@ -85,13 +85,13 @@ wait: + return status; + } + +-static void alarm_handler(int signum) ++static void sig_handler(int signum) + { +- /* Jut wake us up from waitpid */ ++ /* Just wake us up from waitpid */ + } + +-static struct sigaction alarm_action = { +- .sa_handler = alarm_handler, ++static struct sigaction sig_action = { ++ .sa_handler = sig_handler, + }; + + int test_harness(int (test_function)(void), char *name) +@@ -101,8 +101,14 @@ int test_harness(int (test_function)(voi + test_start(name); + test_set_git_version(GIT_VERSION); + +- if (sigaction(SIGALRM, &alarm_action, NULL)) { +- perror("sigaction"); ++ if (sigaction(SIGINT, &sig_action, NULL)) { ++ perror("sigaction (sigint)"); ++ test_error(name); ++ return 1; ++ } ++ ++ if (sigaction(SIGALRM, &sig_action, NULL)) { ++ perror("sigaction (sigalrm)"); + test_error(name); + return 1; + } diff --git a/queue-4.4/series b/queue-4.4/series index 7a534ad67d9..77685335424 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
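Review bot: `sig_handler()` only works as a wake-up because `sig_action` leaves `sa_flags` at zero, and neither the handler comment nor the initialiser says so. With `SA_RESTART` set, the interrupted waitpid() would be restarted instead of returning EINTR, and the child-group cleanup described in the commit message would not run. I would add a comment on the initialiser, e.g. `/* no SA_RESTART: waitpid() must fail with EINTR so the harness can kill the child group */`.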
@@ -4,3 +4,32 @@ net-bcmgenet-use-mac-link-status-for-fixed-phy.patch qlge-fix-netdev-features-configuration.patch tcp-do-not-restart-timewait-timer-on-rst-reception.patch vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch +cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch +hfsplus-don-t-return-0-when-fill_super-failed.patch +hfs-prevent-crash-on-exit-from-failed-search.patch +fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch +reiserfs-change-j_timestamp-type-to-time64_t.patch +hfsplus-fix-null-dereference-in-hfsplus_lookup.patch +fat-validate-i_start-before-using.patch +scripts-modpost-check-memory-allocation-results.patch +mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch +fs-dcache.c-fix-kmemcheck-splat-at-take_dentry_name_snapshot.patch +ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch +mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch +tracing-handle-cc_flags_ftrace-more-accurately.patch +platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch +irqchip-bcm7038-l1-hide-cpu-offline-callback-when-building-for-smp.patch +net-9p-fix-error-path-of-p9_virtio_probe.patch +powerpc-fix-size-calculation-using-resource_size.patch +s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch +scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch +pci-mvebu-fix-i-o-space-end-address-calculation.patch +dm-kcopyd-avoid-softlockup-in-run_complete_job.patch +staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch +selftests-powerpc-kill-child-processes-on-sigint.patch +smb3-fix-reset-of-bytes-read-and-written-stats.patch +smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch +powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch +btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch +btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch 
+btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch diff --git a/queue-4.4/smb3-fix-reset-of-bytes-read-and-written-stats.patch b/queue-4.4/smb3-fix-reset-of-bytes-read-and-written-stats.patch new file mode 100644 index 00000000000..b575dd006c3 --- /dev/null +++ b/queue-4.4/smb3-fix-reset-of-bytes-read-and-written-stats.patch 
@@ -0,0 +1,60 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Steve French +Date: Wed, 1 Aug 2018 00:56:12 -0500 +Subject: smb3: fix reset of bytes read and written stats + +From: Steve French + +[ Upstream commit c281bc0c7412308c7ec0888904f7c99353da4796 ] + +echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats +but there were four (see example below) that were not reset +(bytes read and witten, total vfs ops and max ops +at one time). + +... +0 session 0 share reconnects +Total vfs operations: 100 maximum at one time: 2 + +1) \\localhost\test +SMBs: 0 +Bytes read: 502092 Bytes written: 31457286 +TreeConnects: 0 total 0 failed +TreeDisconnects: 0 total 0 failed +... + +This patch fixes cifs_stats_proc_write to properly reset +those four. + +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifs_debug.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -285,6 +285,10 @@ static ssize_t cifs_stats_proc_write(str + atomic_set(&totBufAllocCount, 0); + atomic_set(&totSmBufAllocCount, 0); + #endif /* CONFIG_CIFS_STATS2 */ ++ spin_lock(&GlobalMid_Lock); ++ GlobalMaxActiveXid = 0; ++ GlobalCurrentXid = 0; ++ spin_unlock(&GlobalMid_Lock); + spin_lock(&cifs_tcp_ses_lock); + list_for_each(tmp1, &cifs_tcp_ses_list) { + server = list_entry(tmp1, struct TCP_Server_Info, +@@ -297,6 +301,10 @@ static ssize_t cifs_stats_proc_write(str + struct cifs_tcon, + tcon_list); + atomic_set(&tcon->num_smbs_sent, 0); ++ spin_lock(&tcon->stat_lock); ++ tcon->bytes_read = 0; ++ tcon->bytes_written = 0; ++ spin_unlock(&tcon->stat_lock); + if (server->ops->clear_stats) + server->ops->clear_stats(tcon); + } 
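Review bot: The second sub-hunk of cifs_stats_proc_write() takes `tcon->stat_lock` inside the list walk, and the nesting is not documented. Going by the first sub-hunk's context, that walk runs with `cifs_tcp_ses_lock` held. If any other path acquires the two locks in the opposite order this can deadlock, which cannot be checked from the hunk. A one-line comment above the inner `spin_lock()`, such as `/* lock order: cifs_tcp_ses_lock, then tcon->stat_lock */`, would record the rule for later changes. The function starts and ends outside the hunk.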
diff --git a/queue-4.4/smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch b/queue-4.4/smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch
new file mode 100644
index 00000000000..049e7bdc8c9
--- /dev/null
+++ b/queue-4.4/smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch
@@ -0,0 +1,65 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Steve French +Date: Mon, 23 Jul 2018 09:15:18 -0500 +Subject: SMB3: Number of requests sent should be displayed for SMB3 not just CIFS + +From: Steve French + +[ Upstream commit 289131e1f1e6ad8c661ec05e176b8f0915672059 ] + +For SMB2/SMB3 the number of requests sent was not displayed +in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was +enabled (only number of failed requests displayed). As +with earlier dialects, we should be displaying these +counters if CONFIG_CIFS_STATS is enabled. They +are important for debugging. + +e.g. when you cat /proc/fs/cifs/Stats (before the patch) +Resources in use +CIFS Session: 1 +Share (unique mount targets): 2 +SMB Request/Response Buffer: 1 Pool size: 5 +SMB Small Req/Resp Buffer: 1 Pool size: 30 +Operations (MIDs): 0 + +0 session 0 share reconnects +Total vfs operations: 690 maximum at one time: 2 + +1) \\localhost\test +SMBs: 975 +Negotiates: 0 sent 0 failed +SessionSetups: 0 sent 0 failed +Logoffs: 0 sent 0 failed +TreeConnects: 0 sent 0 failed +TreeDisconnects: 0 sent 0 failed +Creates: 0 sent 2 failed +Closes: 0 sent 0 failed +Flushes: 0 sent 0 failed +Reads: 0 sent 0 failed +Writes: 0 sent 0 failed +Locks: 0 sent 0 failed +IOCTLs: 0 sent 1 failed +Cancels: 0 sent 0 failed +Echos: 0 sent 0 failed +QueryDirectories: 0 sent 63 failed + +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Reviewed-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -315,7 +315,7 @@ small_smb2_init(__le16 smb2_command, str + smb2_hdr_assemble((struct smb2_hdr *) *request_buf, smb2_command, tcon); + + if (tcon != NULL) { +-#ifdef CONFIG_CIFS_STATS2 ++#ifdef CONFIG_CIFS_STATS + uint16_t com_code = le16_to_cpu(smb2_command); + cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_sent[com_code]); + #endif 
diff --git a/queue-4.4/staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch b/queue-4.4/staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch new file mode 100644 index 00000000000..5a679b60d76 --- /dev/null +++ b/queue-4.4/staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Ian Abbott +Date: Mon, 6 Aug 2018 11:05:13 +0100 +Subject: staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice + +From: Ian Abbott + +[ Upstream commit e083926b3e269d4064825dcf2ad50c636fddf8cf ] + +The PFI subdevice flags indicate that the subdevice is readable and +writeable, but that is only true for the supported "M-series" boards, +not the older "E-series" boards. Only set the SDF_READABLE and +SDF_WRITABLE subdevice flags for the M-series boards. These two flags +are mainly for informational purposes. + +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/drivers/ni_mio_common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -5275,11 +5275,11 @@ static int ni_E_init(struct comedi_devic + /* Digital I/O (PFI) subdevice */ + s = &dev->subdevices[NI_PFI_DIO_SUBDEV]; + s->type = COMEDI_SUBD_DIO; +- s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL; + s->maxdata = 1; + if (devpriv->is_m_series) { + s->n_chan = 16; + s->insn_bits = ni_pfi_insn_bits; ++ s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL; + + ni_writew(dev, s->state, NI_M_PFI_DO_REG); + for (i = 0; i < NUM_PFI_OUTPUT_SELECT_REGS; ++i) { +@@ -5288,6 +5288,7 @@ static int ni_E_init(struct comedi_devic + } + } else { + s->n_chan = 10; ++ s->subdev_flags = SDF_INTERNAL; + } + s->insn_config = ni_pfi_insn_config; + 
diff --git a/queue-4.4/tracing-handle-cc_flags_ftrace-more-accurately.patch b/queue-4.4/tracing-handle-cc_flags_ftrace-more-accurately.patch
new file mode 100644
index 00000000000..e66d7b45d8a
--- /dev/null
+++ b/queue-4.4/tracing-handle-cc_flags_ftrace-more-accurately.patch
@@ -0,0 +1,54 @@ +From foo@baz Tue Sep 11 12:11:08 CEST 2018 +From: Vasily Gorbik +Date: Mon, 6 Aug 2018 15:17:42 +0200 +Subject: tracing: Handle CC_FLAGS_FTRACE more accurately + +From: Vasily Gorbik + +[ Upstream commit f28bc3c32c059ab4d13f52155fabd3e20f477f65 ] + +CC_FLAGS_FTRACE is exported and later used to remove ftrace relevant +build flags from files which should be built without ftrace support. +For that reason add -mfentry to CC_FLAGS_FTRACE as well. That fixes +a problem with vdso32 build on s390, where -mfentry could not be used +together with -m31 flag. + +At the same time flags like -pg and -mfentry are not relevant for asm +files, so avoid adding them to KBUILD_AFLAGS. + +Introduce CC_FLAGS_USING instead of CC_USING_FENTRY to collect +-DCC_USING_FENTRY (and future alike) which are relevant for both +KBUILD_CFLAGS and KBUILD_AFLAGS. + +Link: http://lkml.kernel.org/r/patch-1.thread-aa7b8d.git-42971afe87de.your-ad-here.call-01533557518-ext-9465@work.hours + +Signed-off-by: Vasily Gorbik +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -754,12 +754,15 @@ ifdef CONFIG_FUNCTION_TRACER + ifndef CC_FLAGS_FTRACE + CC_FLAGS_FTRACE := -pg + endif +-export CC_FLAGS_FTRACE + ifdef CONFIG_HAVE_FENTRY +-CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY) ++ ifeq ($(call cc-option-yn, -mfentry),y) ++ CC_FLAGS_FTRACE += -mfentry ++ CC_FLAGS_USING += -DCC_USING_FENTRY ++ endif + endif +-KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_USING_FENTRY) +-KBUILD_AFLAGS += $(CC_USING_FENTRY) ++export CC_FLAGS_FTRACE ++KBUILD_CFLAGS += $(CC_FLAGS_FTRACE) $(CC_FLAGS_USING) ++KBUILD_AFLAGS += $(CC_FLAGS_USING) + ifdef CONFIG_DYNAMIC_FTRACE + ifdef CONFIG_HAVE_C_RECORDMCOUNT + BUILD_C_RECORDMCOUNT := y
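Review bot: `CC_FLAGS_USING` is only ever appended to with `+=` in this hunk, so a value inherited from the environment would flow into both `KBUILD_CFLAGS` and `KBUILD_AFLAGS`. That holds unless the variable is initialised elsewhere in the Makefile, which is not visible here. Starting it from a known empty value before the `ifdef CONFIG_HAVE_FENTRY` block avoids that: `CC_FLAGS_USING :=`. `CC_FLAGS_FTRACE`, by contrast, is deliberately overridable through its `ifndef` guard, and a short comment noting the difference would help. The `ifdef CONFIG_FUNCTION_TRACER` block starts and ends outside the hunk.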