From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 05:25:06 +0000 (+0100) Subject: drop some duplicated patches that somehow got merged. X-Git-Tag: v3.18.137~80 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a53135179305d885aa3f00b1313bb14ffd8e3aa;p=thirdparty%2Fkernel%2Fstable-queue.git drop some duplicated patches that somehow got merged. --- diff --git a/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 b/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 deleted file mode 100644 index 6bdac0cb342..00000000000 --- a/queue-3.18/mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 +++ /dev/null @@ -1,128 +0,0 @@ -From 7b3eef0f60b36cee8ff2b751044a142c7b27af14 Mon Sep 17 00:00:00 2001 -From: YueHaibing -Date: Thu, 21 Feb 2019 22:42:01 +0800 -Subject: mdio_bus: Fix use-after-free on device_register fails - -[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ] - -KASAN has found use-after-free in fixed_mdio_bus_init, -commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call -put_device on device_register() failure") call put_device() -while device_register() fails,give up the last reference -to the device and allow mdiobus_release to be executed -,kfreeing the bus. However in most drives, mdiobus_free -be called to free the bus while mdiobus_register fails. -use-after-free occurs when access bus again, this patch -revert it to let mdiobus_free free the bus. - -KASAN report details as below: - -BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482 -Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524 - -CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0xfa/0x1ce lib/dump_stack.c:113 - print_address_description+0x65/0x270 mm/kasan/report.c:187 - kasan_report+0x149/0x18d mm/kasan/report.c:317 - mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482 - fixed_mdio_bus_init+0x283/0x1000 [fixed_phy] - ? 0xffffffffc0e40000 - ? 0xffffffffc0e40000 - ? 0xffffffffc0e40000 - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x462e99 -Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 -RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 -RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 -RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc -R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 - -Allocated by task 3524: - set_track mm/kasan/common.c:85 [inline] - __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496 - kmalloc include/linux/slab.h:545 [inline] - kzalloc include/linux/slab.h:740 [inline] - mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143 - fixed_mdio_bus_init+0x163/0x1000 [fixed_phy] - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 3524: - set_track mm/kasan/common.c:85 [inline] - __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458 - slab_free_hook mm/slub.c:1409 [inline] - slab_free_freelist_hook mm/slub.c:1436 [inline] - slab_free mm/slub.c:2986 [inline] - kfree+0xe1/0x270 mm/slub.c:3938 - device_release+0x78/0x200 drivers/base/core.c:919 - kobject_cleanup lib/kobject.c:662 [inline] - kobject_release lib/kobject.c:691 [inline] - kref_put include/linux/kref.h:67 [inline] - kobject_put+0x146/0x240 lib/kobject.c:708 - put_device+0x1c/0x30 drivers/base/core.c:2060 - __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382 - fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy] - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -The buggy address belongs to the object at ffff8881dc824c80 - which belongs to the cache kmalloc-2k of size 2048 -The buggy address is located 248 bytes inside of - 2048-byte region [ffff8881dc824c80, ffff8881dc825480) -The buggy address belongs to the page: -page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0 -flags: 0x2fffc0000010200(slab|head) -raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800 -raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ->ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - -Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure") -Signed-off-by: YueHaibing -Reviewed-by: Andrew Lunn -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/phy/mdio_bus.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c -index 50051f271b10..8dfd1aeb8fab 100644 ---- a/drivers/net/phy/mdio_bus.c -+++ b/drivers/net/phy/mdio_bus.c -@@ -261,7 +261,6 @@ int mdiobus_register(struct mii_bus *bus) - err = device_register(&bus->dev); - if (err) { - pr_err("mii_bus %s failed to register\n", bus->id); -- put_device(&bus->dev); - return -EINVAL; - } - --- -2.19.1 - diff --git a/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch b/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch deleted file mode 100644 index 1661865c92b..00000000000 --- a/queue-3.18/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 28fce9c67b5f32cd28e88d55a3c78bc02688cf00 Mon Sep 17 00:00:00 2001 -From: John Garry -Date: Fri, 15 Feb 2019 00:37:57 +0800 -Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices - attached - -[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ] - -The sysfs phy_identifier attribute for a sas_end_device comes from the rphy -phy_identifier value. - -Currently this is not being set for rphys with an end device attached, so -we see incorrect symlinks from systemd disk/by-path: - -root@localhost:~# ls -l /dev/disk/by-path/ -total 0 -lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb -lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1 -lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2 -lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3 - -Indeed, each sas_end_device phy_identifier value is 0: - -root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier -0 -root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier -0 - -This patch fixes the discovery code to set the phy_identifier. With this, -we now get proper symlinks: - -root@localhost:~# ls -l /dev/disk/by-path/ -total 0 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3 - -Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") -Reported-by: dann frazier -Signed-off-by: John Garry -Reviewed-by: Jason Yan -Tested-by: dann frazier -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/libsas/sas_expander.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c -index e2630aea4e9f..22450abf0a03 100644 ---- a/drivers/scsi/libsas/sas_expander.c -+++ b/drivers/scsi/libsas/sas_expander.c -@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev( - rphy = sas_end_device_alloc(phy->port); - if (!rphy) - goto out_free; -+ rphy->identify.phy_identifier = phy_id; - - child->rphy = rphy; - get_device(&rphy->dev); -@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev( - - child->rphy = rphy; - get_device(&rphy->dev); -+ rphy->identify.phy_identifier = phy_id; - sas_fill_in_rphy(child, rphy); - - list_add_tail(&child->disco_list_node, &parent->port->disco_list); --- -2.19.1 - diff --git a/queue-3.18/series b/queue-3.18/series index a946fe38512..c127cb35eed 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -97,17 +97,14 @@ asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch crypto-ahash-fix-another-early-termination-in-hash-walk.patch s390-dasd-fix-using-offset-into-zero-size-array-erro.patch input-matrix_keypad-use-flush_delayed_work.patch -team-avoid-complex-list-operations-in-team_nl_cmd_op.patch mm-gup-fix-gup_pmd_range-for-dax.patch i2c-cadence-fix-the-hold-bit-setting.patch input-st-keyscan-fix-potential-zalloc-null-dereferen.patch assoc_array-fix-shortcut-creation.patch scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch -scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch net-systemport-fix-reception-of-bpdus.patch net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch arm64-relax-gic-version-check-during-early-boot.patch net-marvell-mvneta-fix-dma-debug-warning.patch tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch -mdio_bus-fix-use-after-free-on-device_register-fails.patch-13169 net-set-static-variable-an-initial-value-in-atl2_pro.patch diff --git a/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch b/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch deleted file mode 100644 index 8128e23a8cf..00000000000 --- a/queue-3.18/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch +++ /dev/null @@ -1,116 +0,0 @@ -From c677ba18b2cc94ea2e13bf60709085582121d36c Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Mon, 11 Feb 2019 21:59:51 -0800 -Subject: team: avoid complex list operations in team_nl_cmd_options_set() - -[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ] - -The current opt_inst_list operations inside team_nl_cmd_options_set() -is too complex to track: - - LIST_HEAD(opt_inst_list); - nla_for_each_nested(...) { - list_for_each_entry(opt_inst, &team->option_inst_list, list) { - if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) - continue; - list_add(&opt_inst->tmp_list, &opt_inst_list); - } - } - team_nl_send_event_options_get(team, &opt_inst_list); - -as while we retrieve 'opt_inst' from team->option_inst_list, it could -be added to the local 'opt_inst_list' for multiple times. The -__team_option_inst_tmp_find() doesn't work, as the setter -team_mode_option_set() still calls team->ops.exit() which uses -->tmp_list too in __team_options_change_check(). - -Simplify the list operations by moving the 'opt_inst_list' and -team_nl_send_event_options_get() into the nla_for_each_nested() loop so -that it can be guranteed that we won't insert a same list entry for -multiple times. Therefore, __team_option_inst_tmp_find() can be removed -too. - -Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") -Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") -Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com -Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com -Cc: Jiri Pirko -Cc: Paolo Abeni -Signed-off-by: Cong Wang -Acked-by: Jiri Pirko -Reviewed-by: Paolo Abeni -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/team/team.c | 27 +++++---------------------- - 1 file changed, 5 insertions(+), 22 deletions(-) - -diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 3e0f7116380d..eb04b348edf3 100644 ---- a/drivers/net/team/team.c -+++ b/drivers/net/team/team.c -@@ -253,17 +253,6 @@ static void __team_option_inst_mark_removed_port(struct team *team, - } - } - --static bool __team_option_inst_tmp_find(const struct list_head *opts, -- const struct team_option_inst *needle) --{ -- struct team_option_inst *opt_inst; -- -- list_for_each_entry(opt_inst, opts, tmp_list) -- if (opt_inst == needle) -- return true; -- return false; --} -- - static int __team_options_register(struct team *team, - const struct team_option *option, - size_t option_count) -@@ -2435,7 +2424,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) - int err = 0; - int i; - struct nlattr *nl_option; -- LIST_HEAD(opt_inst_list); - - team = team_nl_team_get(info); - if (!team) -@@ -2451,6 +2439,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) - struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; - struct nlattr *attr; - struct nlattr *attr_data; -+ LIST_HEAD(opt_inst_list); - enum team_option_type opt_type; - int opt_port_ifindex = 0; /* != 0 for per-port options */ - u32 opt_array_index = 0; -@@ -2554,23 +2543,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) - if (err) - goto team_put; - opt_inst->changed = true; -- -- /* dumb/evil user-space can send us duplicate opt, -- * keep only the last one -- */ -- if (__team_option_inst_tmp_find(&opt_inst_list, -- opt_inst)) -- continue; -- - list_add(&opt_inst->tmp_list, &opt_inst_list); - } - if (!opt_found) { - err = -ENOENT; - goto team_put; - } -- } - -- err = team_nl_send_event_options_get(team, &opt_inst_list); -+ err = team_nl_send_event_options_get(team, &opt_inst_list); -+ if (err) -+ break; -+ } - - team_put: - team_nl_team_put(team); --- -2.19.1 - diff --git a/queue-4.14/media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch b/queue-4.14/media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch index 98eb54a6908..f435e1a7f03 100644 --- a/queue-4.14/media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch +++ b/queue-4.14/media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch @@ -20,11 +20,13 @@ Signed-off-by: Mauro Carvalho Chehab Cc: Matthias Maennich Signed-off-by: Greg Kroah-Hartman -diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c -index f02d452ceeb9..1244c246d0c4 100644 ---- a/drivers/media/common/videobuf2/videobuf2-v4l2.c -+++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c -@@ -158,7 +158,6 @@ static void vb2_warn_zero_bytesused(struct vb2_buffer *vb) +--- + drivers/media/v4l2-core/videobuf2-v4l2.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/v4l2-core/videobuf2-v4l2.c ++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c +@@ -145,7 +145,6 @@ static void vb2_warn_zero_bytesused(stru return; check_once = true; diff --git a/queue-4.14/series b/queue-4.14/series index 45b54a751bf..7ec421873ba 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -7,7 +7,6 @@ crypto-caam-fixed-handling-of-sg-list.patch crypto-ahash-fix-another-early-termination-in-hash-walk.patch crypto-rockchip-fix-scatterlist-nents-error.patch crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch -media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch drm-imx-ignore-plane-updates-on-disabled-crtcs.patch gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch drm-imx-imx-ldb-add-missing-of_node_puts.patch @@ -66,3 +65,4 @@ nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch nfp-bpf-fix-alu32-high-bits-clearance-bug.patch net-set-static-variable-an-initial-value-in-atl2_pro.patch tmpfs-fix-uninitialized-return-value-in-shmem_link.patch +media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch diff --git a/queue-4.4/mdio_bus-fix-use-after-free-on-device_register-fails.patch-26729 b/queue-4.4/mdio_bus-fix-use-after-free-on-device_register-fails.patch-26729 deleted file mode 100644 index d978e39065c..00000000000 --- a/queue-4.4/mdio_bus-fix-use-after-free-on-device_register-fails.patch-26729 +++ /dev/null @@ -1,128 +0,0 @@ -From 511c96a278c67054621e55aa6ca74fbb701cf41f Mon Sep 17 00:00:00 2001 -From: YueHaibing -Date: Thu, 21 Feb 2019 22:42:01 +0800 -Subject: mdio_bus: Fix use-after-free on device_register fails - -[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ] - -KASAN has found use-after-free in fixed_mdio_bus_init, -commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call -put_device on device_register() failure") call put_device() -while device_register() fails,give up the last reference -to the device and allow mdiobus_release to be executed -,kfreeing the bus. However in most drives, mdiobus_free -be called to free the bus while mdiobus_register fails. -use-after-free occurs when access bus again, this patch -revert it to let mdiobus_free free the bus. - -KASAN report details as below: - -BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482 -Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524 - -CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0xfa/0x1ce lib/dump_stack.c:113 - print_address_description+0x65/0x270 mm/kasan/report.c:187 - kasan_report+0x149/0x18d mm/kasan/report.c:317 - mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482 - fixed_mdio_bus_init+0x283/0x1000 [fixed_phy] - ? 0xffffffffc0e40000 - ? 0xffffffffc0e40000 - ? 0xffffffffc0e40000 - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x462e99 -Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 -RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 -RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 -RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc -R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004 - -Allocated by task 3524: - set_track mm/kasan/common.c:85 [inline] - __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496 - kmalloc include/linux/slab.h:545 [inline] - kzalloc include/linux/slab.h:740 [inline] - mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143 - fixed_mdio_bus_init+0x163/0x1000 [fixed_phy] - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 3524: - set_track mm/kasan/common.c:85 [inline] - __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458 - slab_free_hook mm/slub.c:1409 [inline] - slab_free_freelist_hook mm/slub.c:1436 [inline] - slab_free mm/slub.c:2986 [inline] - kfree+0xe1/0x270 mm/slub.c:3938 - device_release+0x78/0x200 drivers/base/core.c:919 - kobject_cleanup lib/kobject.c:662 [inline] - kobject_release lib/kobject.c:691 [inline] - kref_put include/linux/kref.h:67 [inline] - kobject_put+0x146/0x240 lib/kobject.c:708 - put_device+0x1c/0x30 drivers/base/core.c:2060 - __mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382 - fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy] - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -The buggy address belongs to the object at ffff8881dc824c80 - which belongs to the cache kmalloc-2k of size 2048 -The buggy address is located 248 bytes inside of - 2048-byte region [ffff8881dc824c80, ffff8881dc825480) -The buggy address belongs to the page: -page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0 -flags: 0x2fffc0000010200(slab|head) -raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800 -raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ->ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - -Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure") -Signed-off-by: YueHaibing -Reviewed-by: Andrew Lunn -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/phy/mdio_bus.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c -index 88cb4592b6fb..ccefba7af960 100644 ---- a/drivers/net/phy/mdio_bus.c -+++ b/drivers/net/phy/mdio_bus.c -@@ -267,7 +267,6 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) - err = device_register(&bus->dev); - if (err) { - pr_err("mii_bus %s failed to register\n", bus->id); -- put_device(&bus->dev); - return -EINVAL; - } - --- -2.19.1 - diff --git a/queue-4.4/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch b/queue-4.4/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch deleted file mode 100644 index 4c312dc38da..00000000000 --- a/queue-4.4/scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 5ee06cd33773481fbce4c8db4c553aacc9d2894e Mon Sep 17 00:00:00 2001 -From: John Garry -Date: Fri, 15 Feb 2019 00:37:57 +0800 -Subject: scsi: libsas: Fix rphy phy_identifier for PHYs with end devices - attached - -[ Upstream commit ffeafdd2bf0b280d67ec1a47ea6287910d271f3f ] - -The sysfs phy_identifier attribute for a sas_end_device comes from the rphy -phy_identifier value. - -Currently this is not being set for rphys with an end device attached, so -we see incorrect symlinks from systemd disk/by-path: - -root@localhost:~# ls -l /dev/disk/by-path/ -total 0 -lrwxrwxrwx 1 root root 9 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0 -> ../../sdb -lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part1 -> ../../sdb1 -lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part2 -> ../../sdb2 -lrwxrwxrwx 1 root root 10 Feb 13 12:26 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy0-lun-0-part3 -> ../../sdc3 - -Indeed, each sas_end_device phy_identifier value is 0: - -root@localhost:/# more sys/class/sas_device/end_device-0\:0\:2/phy_identifier -0 -root@localhost:/# more sys/class/sas_device/end_device-0\:0\:10/phy_identifier -0 - -This patch fixes the discovery code to set the phy_identifier. With this, -we now get proper symlinks: - -root@localhost:~# ls -l /dev/disk/by-path/ -total 0 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy10-lun-0 -> ../../sdg -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy11-lun-0 -> ../../sdh -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0 -> ../../sda -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy2-lun-0-part1 -> ../../sda1 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0 -> ../../sdb -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part1 -> ../../sdb1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy3-lun-0-part2 -> ../../sdb2 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0 -> ../../sdc -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part1 -> ../../sdc1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part2 -> ../../sdc2 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy4-lun-0-part3 -> ../../sdc3 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy5-lun-0 -> ../../sdd -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0 -> ../../sde -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part1 -> ../../sde1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part2 -> ../../sde2 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy7-lun-0-part3 -> ../../sde3 -lrwxrwxrwx 1 root root 9 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0 -> ../../sdf -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part1 -> ../../sdf1 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part2 -> ../../sdf2 -lrwxrwxrwx 1 root root 10 Feb 13 11:53 platform-HISI0162:01-sas-exp0x500e004aaaaaaa1f-phy8-lun-0-part3 -> ../../sdf3 - -Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") -Reported-by: dann frazier -Signed-off-by: John Garry -Reviewed-by: Jason Yan -Tested-by: dann frazier -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/libsas/sas_expander.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c -index 12886f96b286..7be581f7c35d 100644 ---- a/drivers/scsi/libsas/sas_expander.c -+++ b/drivers/scsi/libsas/sas_expander.c -@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev( - rphy = sas_end_device_alloc(phy->port); - if (!rphy) - goto out_free; -+ rphy->identify.phy_identifier = phy_id; - - child->rphy = rphy; - get_device(&rphy->dev); -@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev( - - child->rphy = rphy; - get_device(&rphy->dev); -+ rphy->identify.phy_identifier = phy_id; - sas_fill_in_rphy(child, rphy); - - list_add_tail(&child->disco_list_node, &parent->port->disco_list); --- -2.19.1 - diff --git a/queue-4.4/series b/queue-4.4/series index 5475b6368b0..ec2c9b898e5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -158,13 +158,11 @@ gpu-ipu-v3-fix-csi-offsets-for-imx53.patch s390-dasd-fix-using-offset-into-zero-size-array-erro.patch arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch input-matrix_keypad-use-flush_delayed_work.patch -team-avoid-complex-list-operations-in-team_nl_cmd_op.patch i2c-cadence-fix-the-hold-bit-setting.patch input-st-keyscan-fix-potential-zalloc-null-dereferen.patch arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch assoc_array-fix-shortcut-creation.patch scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch -scsi-libsas-fix-rphy-phy_identifier-for-phys-with-en.patch net-systemport-fix-reception-of-bpdus.patch pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch @@ -174,6 +172,5 @@ tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch phonet-fix-building-with-clang.patch mac80211_hwsim-propagate-genlmsg_reply-return-code.patch -mdio_bus-fix-use-after-free-on-device_register-fails.patch-26729 net-set-static-variable-an-initial-value-in-atl2_pro.patch tmpfs-fix-uninitialized-return-value-in-shmem_link.patch diff --git a/queue-4.4/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch b/queue-4.4/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch deleted file mode 100644 index be08c3d813e..00000000000 --- a/queue-4.4/team-avoid-complex-list-operations-in-team_nl_cmd_op.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 42133293dc97f30e37d814582583b780662cfca3 Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Mon, 11 Feb 2019 21:59:51 -0800 -Subject: team: avoid complex list operations in team_nl_cmd_options_set() - -[ Upstream commit 2fdeee2549231b1f989f011bb18191f5660d3745 ] - -The current opt_inst_list operations inside team_nl_cmd_options_set() -is too complex to track: - - LIST_HEAD(opt_inst_list); - nla_for_each_nested(...) { - list_for_each_entry(opt_inst, &team->option_inst_list, list) { - if (__team_option_inst_tmp_find(&opt_inst_list, opt_inst)) - continue; - list_add(&opt_inst->tmp_list, &opt_inst_list); - } - } - team_nl_send_event_options_get(team, &opt_inst_list); - -as while we retrieve 'opt_inst' from team->option_inst_list, it could -be added to the local 'opt_inst_list' for multiple times. The -__team_option_inst_tmp_find() doesn't work, as the setter -team_mode_option_set() still calls team->ops.exit() which uses -->tmp_list too in __team_options_change_check(). - -Simplify the list operations by moving the 'opt_inst_list' and -team_nl_send_event_options_get() into the nla_for_each_nested() loop so -that it can be guranteed that we won't insert a same list entry for -multiple times. Therefore, __team_option_inst_tmp_find() can be removed -too. - -Fixes: 4fb0534fb7bb ("team: avoid adding twice the same option to the event list") -Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message") -Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com -Reported-by: syzbot+68ee510075cf64260cc4@syzkaller.appspotmail.com -Cc: Jiri Pirko -Cc: Paolo Abeni -Signed-off-by: Cong Wang -Acked-by: Jiri Pirko -Reviewed-by: Paolo Abeni -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/team/team.c | 27 +++++---------------------- - 1 file changed, 5 insertions(+), 22 deletions(-) - -diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 33ffb573fd67..267a90423154 100644 ---- a/drivers/net/team/team.c -+++ b/drivers/net/team/team.c -@@ -247,17 +247,6 @@ static void __team_option_inst_mark_removed_port(struct team *team, - } - } - --static bool __team_option_inst_tmp_find(const struct list_head *opts, -- const struct team_option_inst *needle) --{ -- struct team_option_inst *opt_inst; -- -- list_for_each_entry(opt_inst, opts, tmp_list) -- if (opt_inst == needle) -- return true; -- return false; --} -- - static int __team_options_register(struct team *team, - const struct team_option *option, - size_t option_count) -@@ -2447,7 +2436,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) - int err = 0; - int i; - struct nlattr *nl_option; -- LIST_HEAD(opt_inst_list); - - team = team_nl_team_get(info); - if (!team) -@@ -2463,6 +2451,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) - struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; - struct nlattr *attr; - struct nlattr *attr_data; -+ LIST_HEAD(opt_inst_list); - enum team_option_type opt_type; - int opt_port_ifindex = 0; /* != 0 for per-port options */ - u32 opt_array_index = 0; -@@ -2566,23 +2555,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) - if (err) - goto team_put; - opt_inst->changed = true; -- -- /* dumb/evil user-space can send us duplicate opt, -- * keep only the last one -- */ -- if (__team_option_inst_tmp_find(&opt_inst_list, -- opt_inst)) -- continue; -- - list_add(&opt_inst->tmp_list, &opt_inst_list); - } - if (!opt_found) { - err = -ENOENT; - goto team_put; - } -- } - -- err = team_nl_send_event_options_get(team, &opt_inst_list); -+ err = team_nl_send_event_options_get(team, &opt_inst_list); -+ if (err) -+ break; -+ } - - team_put: - team_nl_team_put(team); --- -2.19.1 -