From: Greg Kroah-Hartman Date: Mon, 8 Oct 2018 16:02:25 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.160~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80347ec839280a6e180f06c63babb4916f9390f3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arch-hexagon-fix-kernel-dma.c-build-warning.patch arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch cifs-read-overflow-in-is_valid_oplock_break.patch dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch fs-cifs-suppress-a-string-overflow-warning.patch hexagon-modify-ffs-and-fls-to-return-int.patch hid-add-support-for-apple-magic-keyboards.patch hid-hid-saitek-add-device-id-for-rat-7-contagion.patch net-ena-fix-driver-when-page_size-64kb.patch net-mlx5-consider-pci-domain-in-search-for-next-dev.patch nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch rdma-ucma-check-fd-type-in-ucma_migrate_id.patch s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch s390-qeth-use-vzalloc-for-query-oat-buffer.patch usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch usb-yurex-check-for-truncation-in-yurex_read.patch xen-avoid-crash-in-disable_hotplug_cpu.patch xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch --- diff --git a/queue-4.9/arch-hexagon-fix-kernel-dma.c-build-warning.patch b/queue-4.9/arch-hexagon-fix-kernel-dma.c-build-warning.patch new file mode 100644 index 00000000000..88ce89a4a8b --- /dev/null +++ b/queue-4.9/arch-hexagon-fix-kernel-dma.c-build-warning.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Randy Dunlap +Date: Fri, 20 Jul 2018 20:17:35 -0700 +Subject: arch/hexagon: fix kernel/dma.c build warning + +From: Randy Dunlap + +[ Upstream commit 200f351e27f014fcbf69b544b0b4b72aeaf45fd3 ] + +Fix build warning in arch/hexagon/kernel/dma.c by casting a void * +to unsigned long to match the function parameter type. + +../arch/hexagon/kernel/dma.c: In function 'arch_dma_alloc': +../arch/hexagon/kernel/dma.c:51:5: warning: passing argument 2 of 'gen_pool_add' makes integer from pointer without a cast [enabled by default] +../include/linux/genalloc.h:112:19: note: expected 'long unsigned int' but argument is of type 'void *' + +Signed-off-by: Randy Dunlap +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Patch-mainline: linux-kernel @ 07/20/2018, 20:17 +[rkuo@codeaurora.org: fixed architecture name] +Signed-off-by: Richard Kuo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/kernel/dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/hexagon/kernel/dma.c ++++ b/arch/hexagon/kernel/dma.c +@@ -68,7 +68,7 @@ static void *hexagon_dma_alloc_coherent( + panic("Can't create %s() memory pool!", __func__); + else + gen_pool_add(coherent_pool, +- pfn_to_virt(max_low_pfn), ++ (unsigned long)pfn_to_virt(max_low_pfn), + hexagon_coherent_pool_size, -1); + } + diff --git a/queue-4.9/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch b/queue-4.9/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch new file mode 100644 index 00000000000..87e5992bef8 --- /dev/null +++ b/queue-4.9/arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Miguel Ojeda +Date: Sun, 9 Sep 2018 17:47:31 +0200 +Subject: arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto" + +From: Miguel Ojeda + +[ Upstream commit 13aceef06adfaf93d52e01e28a8bc8a0ad471d83 ] + +All other uses of "asm goto" go through asm_volatile_goto, which avoids +a miscompile when using GCC < 4.8.2. Replace our open-coded "asm goto" +statements with the asm_volatile_goto macro to avoid issues with older +toolchains. + +Cc: Catalin Marinas +Reviewed-by: Nick Desaulniers +Signed-off-by: Miguel Ojeda +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/jump_label.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/jump_label.h ++++ b/arch/arm64/include/asm/jump_label.h +@@ -28,7 +28,7 @@ + + static __always_inline bool arch_static_branch(struct static_key *key, bool branch) + { +- asm goto("1: nop\n\t" ++ asm_volatile_goto("1: nop\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + ".align 3\n\t" + ".quad 1b, %l[l_yes], %c0\n\t" +@@ -42,7 +42,7 @@ l_yes: + + static __always_inline bool arch_static_branch_jump(struct static_key *key, bool branch) + { +- asm goto("1: b %l[l_yes]\n\t" ++ asm_volatile_goto("1: b %l[l_yes]\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + ".align 3\n\t" + ".quad 1b, %l[l_yes], %c0\n\t" diff --git a/queue-4.9/cifs-read-overflow-in-is_valid_oplock_break.patch b/queue-4.9/cifs-read-overflow-in-is_valid_oplock_break.patch new file mode 100644 index 00000000000..c69ad7526ef --- /dev/null +++ b/queue-4.9/cifs-read-overflow-in-is_valid_oplock_break.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Dan Carpenter +Date: Thu, 6 Sep 2018 12:47:01 +0300 +Subject: cifs: read overflow in is_valid_oplock_break() + +From: Dan Carpenter + +[ Upstream commit 097f5863b1a0c9901f180bbd56ae7d630655faaa ] + +We need to verify that the "data_offset" is within bounds. + +Reported-by: Dr Silvio Cesare of InfoSect +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/misc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -406,9 +406,17 @@ is_valid_oplock_break(char *buffer, stru + (struct smb_com_transaction_change_notify_rsp *)buf; + struct file_notify_information *pnotify; + __u32 data_offset = 0; ++ size_t len = srv->total_read - sizeof(pSMBr->hdr.smb_buf_length); ++ + if (get_bcc(buf) > sizeof(struct file_notify_information)) { + data_offset = le32_to_cpu(pSMBr->DataOffset); + ++ if (data_offset > ++ len - sizeof(struct file_notify_information)) { ++ cifs_dbg(FYI, "invalid data_offset %u\n", ++ data_offset); ++ return true; ++ } + pnotify = (struct file_notify_information *) + ((char *)&pSMBr->hdr.Protocol + data_offset); + cifs_dbg(FYI, "dnotify on %s Action: 0x%x\n", diff --git a/queue-4.9/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch b/queue-4.9/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch new file mode 100644 index 00000000000..8755bd3cb6e --- /dev/null +++ b/queue-4.9/dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Heinz Mauelshagen +Date: Thu, 6 Sep 2018 18:33:40 +0200 +Subject: dm raid: fix rebuild of specific devices by updating superblock + +From: Heinz Mauelshagen + +[ Upstream commit c44a5ee803d2b7ed8c2e6ce24a5c4dd60778886e ] + +Update superblock when particular devices are requested via rebuild +(e.g. lvconvert --replace ...) to avoid spurious failure with the "New +device injected into existing raid set without 'delta_disks' or +'rebuild' parameter specified" error message. + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-raid.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -2880,6 +2880,11 @@ static int raid_ctr(struct dm_target *ti + set_bit(RT_FLAG_UPDATE_SBS, &rs->runtime_flags); + rs_set_new(rs); + } else if (rs_is_recovering(rs)) { ++ /* Rebuild particular devices */ ++ if (test_bit(__CTR_FLAG_REBUILD, &rs->ctr_flags)) { ++ set_bit(RT_FLAG_UPDATE_SBS, &rs->runtime_flags); ++ rs_setup_recovery(rs, MaxSector); ++ } + /* A recovering raid set may be resized */ + ; /* skip setup rs */ + } else if (rs_is_reshaping(rs)) { diff --git a/queue-4.9/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch b/queue-4.9/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch new file mode 100644 index 00000000000..2fcd1993bd6 --- /dev/null +++ b/queue-4.9/dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch @@ -0,0 +1,260 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Joe Thornber +Date: Mon, 10 Sep 2018 16:50:09 +0100 +Subject: dm thin metadata: try to avoid ever aborting transactions + +From: Joe Thornber + +[ Upstream commit 3ab91828166895600efd9cdc3a0eb32001f7204a ] + +Committing a transaction can consume some metadata of it's own, we now +reserve a small amount of metadata to cover this. Free metadata +reported by the kernel will not include this reserve. + +If any of the reserve has been used after a commit we enter a new +internal state PM_OUT_OF_METADATA_SPACE. This is reported as +PM_READ_ONLY, so no userland changes are needed. If the metadata +device is resized the pool will move back to PM_WRITE. + +These changes mean we never need to abort and rollback a transaction due +to running out of metadata space. This is particularly important +because there have been a handful of reports of data corruption against +DM thin-provisioning that can all be attributed to the thin-pool having +ran out of metadata space. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin-metadata.c | 36 ++++++++++++++++++++ + drivers/md/dm-thin.c | 73 +++++++++++++++++++++++++++++++++++++----- + 2 files changed, 100 insertions(+), 9 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -190,6 +190,12 @@ struct dm_pool_metadata { + sector_t data_block_size; + + /* ++ * We reserve a section of the metadata for commit overhead. ++ * All reported space does *not* include this. ++ */ ++ dm_block_t metadata_reserve; ++ ++ /* + * Set if a transaction has to be aborted but the attempt to roll back + * to the previous (good) transaction failed. The only pool metadata + * operation possible in this state is the closing of the device. +@@ -827,6 +833,22 @@ static int __commit_transaction(struct d + return dm_tm_commit(pmd->tm, sblock); + } + ++static void __set_metadata_reserve(struct dm_pool_metadata *pmd) ++{ ++ int r; ++ dm_block_t total; ++ dm_block_t max_blocks = 4096; /* 16M */ ++ ++ r = dm_sm_get_nr_blocks(pmd->metadata_sm, &total); ++ if (r) { ++ DMERR("could not get size of metadata device"); ++ pmd->metadata_reserve = max_blocks; ++ } else { ++ sector_div(total, 10); ++ pmd->metadata_reserve = min(max_blocks, total); ++ } ++} ++ + struct dm_pool_metadata *dm_pool_metadata_open(struct block_device *bdev, + sector_t data_block_size, + bool format_device) +@@ -860,6 +882,8 @@ struct dm_pool_metadata *dm_pool_metadat + return ERR_PTR(r); + } + ++ __set_metadata_reserve(pmd); ++ + return pmd; + } + +@@ -1831,6 +1855,13 @@ int dm_pool_get_free_metadata_block_coun + down_read(&pmd->root_lock); + if (!pmd->fail_io) + r = dm_sm_get_nr_free(pmd->metadata_sm, result); ++ ++ if (!r) { ++ if (*result < pmd->metadata_reserve) ++ *result = 0; ++ else ++ *result -= pmd->metadata_reserve; ++ } + up_read(&pmd->root_lock); + + return r; +@@ -1943,8 +1974,11 @@ int dm_pool_resize_metadata_dev(struct d + int r = -EINVAL; + + down_write(&pmd->root_lock); +- if (!pmd->fail_io) ++ if (!pmd->fail_io) { + r = __resize_space_map(pmd->metadata_sm, new_count); ++ if (!r) ++ __set_metadata_reserve(pmd); ++ } + up_write(&pmd->root_lock); + + return r; +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -200,7 +200,13 @@ struct dm_thin_new_mapping; + enum pool_mode { + PM_WRITE, /* metadata may be changed */ + PM_OUT_OF_DATA_SPACE, /* metadata may be changed, though data may not be allocated */ ++ ++ /* ++ * Like READ_ONLY, except may switch back to WRITE on metadata resize. Reported as READ_ONLY. ++ */ ++ PM_OUT_OF_METADATA_SPACE, + PM_READ_ONLY, /* metadata may not be changed */ ++ + PM_FAIL, /* all I/O fails */ + }; + +@@ -1386,7 +1392,35 @@ static void set_pool_mode(struct pool *p + + static void requeue_bios(struct pool *pool); + +-static void check_for_space(struct pool *pool) ++static bool is_read_only_pool_mode(enum pool_mode mode) ++{ ++ return (mode == PM_OUT_OF_METADATA_SPACE || mode == PM_READ_ONLY); ++} ++ ++static bool is_read_only(struct pool *pool) ++{ ++ return is_read_only_pool_mode(get_pool_mode(pool)); ++} ++ ++static void check_for_metadata_space(struct pool *pool) ++{ ++ int r; ++ const char *ooms_reason = NULL; ++ dm_block_t nr_free; ++ ++ r = dm_pool_get_free_metadata_block_count(pool->pmd, &nr_free); ++ if (r) ++ ooms_reason = "Could not get free metadata blocks"; ++ else if (!nr_free) ++ ooms_reason = "No free metadata blocks"; ++ ++ if (ooms_reason && !is_read_only(pool)) { ++ DMERR("%s", ooms_reason); ++ set_pool_mode(pool, PM_OUT_OF_METADATA_SPACE); ++ } ++} ++ ++static void check_for_data_space(struct pool *pool) + { + int r; + dm_block_t nr_free; +@@ -1412,14 +1446,16 @@ static int commit(struct pool *pool) + { + int r; + +- if (get_pool_mode(pool) >= PM_READ_ONLY) ++ if (get_pool_mode(pool) >= PM_OUT_OF_METADATA_SPACE) + return -EINVAL; + + r = dm_pool_commit_metadata(pool->pmd); + if (r) + metadata_operation_failed(pool, "dm_pool_commit_metadata", r); +- else +- check_for_space(pool); ++ else { ++ check_for_metadata_space(pool); ++ check_for_data_space(pool); ++ } + + return r; + } +@@ -1485,6 +1521,19 @@ static int alloc_data_block(struct thin_ + return r; + } + ++ r = dm_pool_get_free_metadata_block_count(pool->pmd, &free_blocks); ++ if (r) { ++ metadata_operation_failed(pool, "dm_pool_get_free_metadata_block_count", r); ++ return r; ++ } ++ ++ if (!free_blocks) { ++ /* Let's commit before we use up the metadata reserve. */ ++ r = commit(pool); ++ if (r) ++ return r; ++ } ++ + return 0; + } + +@@ -1516,6 +1565,7 @@ static int should_error_unserviceable_bi + case PM_OUT_OF_DATA_SPACE: + return pool->pf.error_if_no_space ? -ENOSPC : 0; + ++ case PM_OUT_OF_METADATA_SPACE: + case PM_READ_ONLY: + case PM_FAIL: + return -EIO; +@@ -2479,8 +2529,9 @@ static void set_pool_mode(struct pool *p + error_retry_list(pool); + break; + ++ case PM_OUT_OF_METADATA_SPACE: + case PM_READ_ONLY: +- if (old_mode != new_mode) ++ if (!is_read_only_pool_mode(old_mode)) + notify_of_pool_mode_change(pool, "read-only"); + dm_pool_metadata_read_only(pool->pmd); + pool->process_bio = process_bio_read_only; +@@ -3418,6 +3469,10 @@ static int maybe_resize_metadata_dev(str + DMINFO("%s: growing the metadata device from %llu to %llu blocks", + dm_device_name(pool->pool_md), + sb_metadata_dev_size, metadata_dev_size); ++ ++ if (get_pool_mode(pool) == PM_OUT_OF_METADATA_SPACE) ++ set_pool_mode(pool, PM_WRITE); ++ + r = dm_pool_resize_metadata_dev(pool->pmd, metadata_dev_size); + if (r) { + metadata_operation_failed(pool, "dm_pool_resize_metadata_dev", r); +@@ -3721,7 +3776,7 @@ static int pool_message(struct dm_target + struct pool_c *pt = ti->private; + struct pool *pool = pt->pool; + +- if (get_pool_mode(pool) >= PM_READ_ONLY) { ++ if (get_pool_mode(pool) >= PM_OUT_OF_METADATA_SPACE) { + DMERR("%s: unable to service pool target messages in READ_ONLY or FAIL mode", + dm_device_name(pool->pool_md)); + return -EOPNOTSUPP; +@@ -3795,6 +3850,7 @@ static void pool_status(struct dm_target + dm_block_t nr_blocks_data; + dm_block_t nr_blocks_metadata; + dm_block_t held_root; ++ enum pool_mode mode; + char buf[BDEVNAME_SIZE]; + char buf2[BDEVNAME_SIZE]; + struct pool_c *pt = ti->private; +@@ -3865,9 +3921,10 @@ static void pool_status(struct dm_target + else + DMEMIT("- "); + +- if (pool->pf.mode == PM_OUT_OF_DATA_SPACE) ++ mode = get_pool_mode(pool); ++ if (mode == PM_OUT_OF_DATA_SPACE) + DMEMIT("out_of_data_space "); +- else if (pool->pf.mode == PM_READ_ONLY) ++ else if (is_read_only_pool_mode(mode)) + DMEMIT("ro "); + else + DMEMIT("rw "); diff --git a/queue-4.9/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch b/queue-4.9/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch new file mode 100644 index 00000000000..eb4e4fd35e4 --- /dev/null +++ b/queue-4.9/drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Ben Skeggs +Date: Tue, 4 Sep 2018 15:56:57 +1000 +Subject: drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS + +From: Ben Skeggs + +[ Upstream commit 0a6986c6595e9afd20ff7280dab36431c1e467f8 ] + +This Falcon application doesn't appear to be present on some newer +systems, so let's not fail init if we can't find it. + +TBD: is there a way to determine whether it *should* be there? + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/devinit/gm200.c +@@ -161,7 +161,8 @@ gm200_devinit_post(struct nvkm_devinit * + } + + /* load and execute some other ucode image (bios therm?) */ +- return pmu_load(init, 0x01, post, NULL, NULL); ++ pmu_load(init, 0x01, post, NULL, NULL); ++ return 0; + } + + static const struct nvkm_devinit_func diff --git a/queue-4.9/fs-cifs-suppress-a-string-overflow-warning.patch b/queue-4.9/fs-cifs-suppress-a-string-overflow-warning.patch new file mode 100644 index 00000000000..48b8a47d943 --- /dev/null +++ b/queue-4.9/fs-cifs-suppress-a-string-overflow-warning.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Stephen Rothwell +Date: Mon, 3 Sep 2018 13:15:58 +1000 +Subject: fs/cifs: suppress a string overflow warning + +From: Stephen Rothwell + +[ Upstream commit bcfb84a996f6fa90b5e6e2954b2accb7a4711097 ] + +A powerpc build of cifs with gcc v8.2.0 produces this warning: + +fs/cifs/cifssmb.c: In function ‘CIFSSMBNegotiate’: +fs/cifs/cifssmb.c:605:3: warning: ‘strncpy’ writing 16 bytes into a region of size 1 overflows the destination [-Wstringop-overflow=] + strncpy(pSMB->DialectsArray+count, protocols[i].name, 16); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Since we are already doing a strlen() on the source, change the strncpy +to a memcpy(). + +Signed-off-by: Stephen Rothwell +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifssmb.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -577,10 +577,15 @@ CIFSSMBNegotiate(const unsigned int xid, + } + + count = 0; ++ /* ++ * We know that all the name entries in the protocols array ++ * are short (< 16 bytes anyway) and are NUL terminated. ++ */ + for (i = 0; i < CIFS_NUM_PROT; i++) { +- strncpy(pSMB->DialectsArray+count, protocols[i].name, 16); +- count += strlen(protocols[i].name) + 1; +- /* null at end of source and target buffers anyway */ ++ size_t len = strlen(protocols[i].name) + 1; ++ ++ memcpy(pSMB->DialectsArray+count, protocols[i].name, len); ++ count += len; + } + inc_rfc1001_len(pSMB, count); + pSMB->ByteCount = cpu_to_le16(count); diff --git a/queue-4.9/hexagon-modify-ffs-and-fls-to-return-int.patch b/queue-4.9/hexagon-modify-ffs-and-fls-to-return-int.patch new file mode 100644 index 00000000000..f56a8e7ac05 --- /dev/null +++ b/queue-4.9/hexagon-modify-ffs-and-fls-to-return-int.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Randy Dunlap +Date: Sun, 22 Jul 2018 16:03:58 -0700 +Subject: hexagon: modify ffs() and fls() to return int + +From: Randy Dunlap + +[ Upstream commit 5c41aaad409c097cf1ef74f2c649fed994744ef5 ] + +Building drivers/mtd/nand/raw/nandsim.c on arch/hexagon/ produces a +printk format build warning. This is due to hexagon's ffs() being +coded as returning long instead of int. + +Fix the printk format warning by changing all of hexagon's ffs() and +fls() functions to return int instead of long. The variables that +they return are already int instead of long. This return type +matches the return type in . + +../drivers/mtd/nand/raw/nandsim.c: In function 'init_nandsim': +../drivers/mtd/nand/raw/nandsim.c:760:2: warning: format '%u' expects argument of type 'unsigned int', but argument 2 has type 'long int' [-Wformat] + +There are no ffs() or fls() allmodconfig build errors after making this +change. + +Signed-off-by: Randy Dunlap +Cc: Richard Kuo +Cc: linux-hexagon@vger.kernel.org +Cc: Geert Uytterhoeven +Patch-mainline: linux-kernel @ 07/22/2018, 16:03 +Signed-off-by: Richard Kuo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/include/asm/bitops.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/hexagon/include/asm/bitops.h ++++ b/arch/hexagon/include/asm/bitops.h +@@ -211,7 +211,7 @@ static inline long ffz(int x) + * This is defined the same way as ffs. + * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32. + */ +-static inline long fls(int x) ++static inline int fls(int x) + { + int r; + +@@ -232,7 +232,7 @@ static inline long fls(int x) + * the libc and compiler builtin ffs routines, therefore + * differs in spirit from the above ffz (man ffs). + */ +-static inline long ffs(int x) ++static inline int ffs(int x) + { + int r; + diff --git a/queue-4.9/hid-add-support-for-apple-magic-keyboards.patch b/queue-4.9/hid-add-support-for-apple-magic-keyboards.patch new file mode 100644 index 00000000000..ca9b9b00cdd --- /dev/null +++ b/queue-4.9/hid-add-support-for-apple-magic-keyboards.patch @@ -0,0 +1,76 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Sean O'Brien +Date: Mon, 27 Aug 2018 13:02:15 -0700 +Subject: HID: add support for Apple Magic Keyboards + +From: Sean O'Brien + +[ Upstream commit ee345492437043a79db058a3d4f029ebcb52089a ] + +USB device + Vendor 05ac (Apple) + Device 026c (Magic Keyboard with Numeric Keypad) + +Bluetooth devices + Vendor 004c (Apple) + Device 0267 (Magic Keyboard) + Device 026c (Magic Keyboard with Numeric Keypad) + +Support already exists for the Magic Keyboard over USB connection. +Add support for the Magic Keyboard over Bluetooth connection, and for +the Magic Keyboard with Numeric Keypad over Bluetooth and USB +connection. + +Signed-off-by: Sean O'Brien +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-apple.c | 9 ++++++++- + drivers/hid/hid-ids.h | 2 ++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -333,7 +333,8 @@ static int apple_input_mapping(struct hi + struct hid_field *field, struct hid_usage *usage, + unsigned long **bit, int *max) + { +- if (usage->hid == (HID_UP_CUSTOM | 0x0003)) { ++ if (usage->hid == (HID_UP_CUSTOM | 0x0003) || ++ usage->hid == (HID_UP_MSVENDOR | 0x0003)) { + /* The fn key on Apple USB keyboards */ + set_bit(EV_REP, hi->input->evbit); + hid_map_usage_clear(hi, usage, bit, max, EV_KEY, KEY_FN); +@@ -476,6 +477,12 @@ static const struct hid_device_id apple_ + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI), + .driver_data = APPLE_HAS_FN }, ++ { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI), ++ .driver_data = APPLE_HAS_FN }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI), ++ .driver_data = APPLE_HAS_FN }, ++ { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI), ++ .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ANSI), + .driver_data = APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING_ISO), +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -83,6 +83,7 @@ + #define USB_DEVICE_ID_ANTON_TOUCH_PAD 0x3101 + + #define USB_VENDOR_ID_APPLE 0x05ac ++#define BT_VENDOR_ID_APPLE 0x004c + #define USB_DEVICE_ID_APPLE_MIGHTYMOUSE 0x0304 + #define USB_DEVICE_ID_APPLE_MAGICMOUSE 0x030d + #define USB_DEVICE_ID_APPLE_MAGICTRACKPAD 0x030e +@@ -152,6 +153,7 @@ + #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO 0x0256 + #define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_JIS 0x0257 + #define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_ANSI 0x0267 ++#define USB_DEVICE_ID_APPLE_MAGIC_KEYBOARD_NUMPAD_ANSI 0x026c + #define USB_DEVICE_ID_APPLE_WELLSPRING8_ANSI 0x0290 + #define USB_DEVICE_ID_APPLE_WELLSPRING8_ISO 0x0291 + #define USB_DEVICE_ID_APPLE_WELLSPRING8_JIS 0x0292 diff --git a/queue-4.9/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch b/queue-4.9/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch new file mode 100644 index 00000000000..9bc80fa57e0 --- /dev/null +++ b/queue-4.9/hid-hid-saitek-add-device-id-for-rat-7-contagion.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Harry Mallon +Date: Tue, 28 Aug 2018 22:51:29 +0100 +Subject: HID: hid-saitek: Add device ID for RAT 7 Contagion + +From: Harry Mallon + +[ Upstream commit 43822c98f2ebb2cbd5e467ab72bbcdae7f0caa22 ] + +Signed-off-by: Harry Mallon +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-saitek.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -890,6 +890,7 @@ + #define USB_DEVICE_ID_SAITEK_RUMBLEPAD 0xff17 + #define USB_DEVICE_ID_SAITEK_PS1000 0x0621 + #define USB_DEVICE_ID_SAITEK_RAT7_OLD 0x0ccb ++#define USB_DEVICE_ID_SAITEK_RAT7_CONTAGION 0x0ccd + #define USB_DEVICE_ID_SAITEK_RAT7 0x0cd7 + #define USB_DEVICE_ID_SAITEK_RAT9 0x0cfa + #define USB_DEVICE_ID_SAITEK_MMO7 0x0cd0 +--- a/drivers/hid/hid-saitek.c ++++ b/drivers/hid/hid-saitek.c +@@ -183,6 +183,8 @@ static const struct hid_device_id saitek + .driver_data = SAITEK_RELEASE_MODE_RAT7 }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT7), + .driver_data = SAITEK_RELEASE_MODE_RAT7 }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT7_CONTAGION), ++ .driver_data = SAITEK_RELEASE_MODE_RAT7 }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RAT9), + .driver_data = SAITEK_RELEASE_MODE_RAT7 }, + { HID_USB_DEVICE(USB_VENDOR_ID_MADCATZ, USB_DEVICE_ID_MADCATZ_RAT9), diff --git a/queue-4.9/net-ena-fix-driver-when-page_size-64kb.patch b/queue-4.9/net-ena-fix-driver-when-page_size-64kb.patch new file mode 100644 index 00000000000..72a1c7c26c7 --- /dev/null +++ b/queue-4.9/net-ena-fix-driver-when-page_size-64kb.patch @@ -0,0 +1,86 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Netanel Belgazal +Date: Sun, 9 Sep 2018 08:15:21 +0000 +Subject: net: ena: fix driver when PAGE_SIZE == 64kB + +From: Netanel Belgazal + +[ Upstream commit ef5b0771d247379c90c8bf1332ff32f7f74bff7f ] + +The buffer length field in the ena rx descriptor is 16 bit, and the +current driver passes a full page in each ena rx descriptor. +When PAGE_SIZE equals 64kB or more, the buffer length field becomes +zero. +To solve this issue, limit the ena Rx descriptor to use 16kB even +when allocating 64kB kernel pages. This change would not impact ena +device functionality, as 16kB is still larger than maximum MTU. + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 10 +++++----- + drivers/net/ethernet/amazon/ena/ena_netdev.h | 11 +++++++++++ + 2 files changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -422,7 +422,7 @@ static inline int ena_alloc_rx_page(stru + return -ENOMEM; + } + +- dma = dma_map_page(rx_ring->dev, page, 0, PAGE_SIZE, ++ dma = dma_map_page(rx_ring->dev, page, 0, ENA_PAGE_SIZE, + DMA_FROM_DEVICE); + if (unlikely(dma_mapping_error(rx_ring->dev, dma))) { + u64_stats_update_begin(&rx_ring->syncp); +@@ -439,7 +439,7 @@ static inline int ena_alloc_rx_page(stru + rx_info->page_offset = 0; + ena_buf = &rx_info->ena_buf; + ena_buf->paddr = dma; +- ena_buf->len = PAGE_SIZE; ++ ena_buf->len = ENA_PAGE_SIZE; + + return 0; + } +@@ -456,7 +456,7 @@ static void ena_free_rx_page(struct ena_ + return; + } + +- dma_unmap_page(rx_ring->dev, ena_buf->paddr, PAGE_SIZE, ++ dma_unmap_page(rx_ring->dev, ena_buf->paddr, ENA_PAGE_SIZE, + DMA_FROM_DEVICE); + + __free_page(page); +@@ -849,10 +849,10 @@ static struct sk_buff *ena_rx_skb(struct + do { + dma_unmap_page(rx_ring->dev, + dma_unmap_addr(&rx_info->ena_buf, paddr), +- PAGE_SIZE, DMA_FROM_DEVICE); ++ ENA_PAGE_SIZE, DMA_FROM_DEVICE); + + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, rx_info->page, +- rx_info->page_offset, len, PAGE_SIZE); ++ rx_info->page_offset, len, ENA_PAGE_SIZE); + + netif_dbg(rx_ring->adapter, rx_status, rx_ring->netdev, + "rx skb updated. len %d. data_len %d\n", +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.h ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.h +@@ -321,4 +321,15 @@ void ena_dump_stats_to_buf(struct ena_ad + + int ena_get_sset_count(struct net_device *netdev, int sset); + ++/* The ENA buffer length fields is 16 bit long. So when PAGE_SIZE == 64kB the ++ * driver passas 0. ++ * Since the max packet size the ENA handles is ~9kB limit the buffer length to ++ * 16kB. ++ */ ++#if PAGE_SIZE > SZ_16K ++#define ENA_PAGE_SIZE SZ_16K ++#else ++#define ENA_PAGE_SIZE PAGE_SIZE ++#endif ++ + #endif /* !(ENA_H) */ diff --git a/queue-4.9/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch b/queue-4.9/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch new file mode 100644 index 00000000000..b1655a09472 --- /dev/null +++ b/queue-4.9/net-mlx5-consider-pci-domain-in-search-for-next-dev.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Daniel Jurgens +Date: Mon, 27 Aug 2018 09:09:46 -0500 +Subject: net/mlx5: Consider PCI domain in search for next dev + +From: Daniel Jurgens + +[ Upstream commit df7ddb2396cd162e64aaff9401be05e31e438961 ] + +The PCI BDF is not unique. PCI domain must also be considered when +searching for the next physical device during lag setup. Example below: + +mlx5_core 0000:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) +mlx5_core 0000:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) +mlx5_core 0001:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) +mlx5_core 0001:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0) + +Signed-off-by: Daniel Jurgens +Reviewed-by: Aviv Heller +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/dev.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c +@@ -288,16 +288,17 @@ void mlx5_remove_dev_by_protocol(struct + } + } + +-static u16 mlx5_gen_pci_id(struct mlx5_core_dev *dev) ++static u32 mlx5_gen_pci_id(struct mlx5_core_dev *dev) + { +- return (u16)((dev->pdev->bus->number << 8) | ++ return (u32)((pci_domain_nr(dev->pdev->bus) << 16) | ++ (dev->pdev->bus->number << 8) | + PCI_SLOT(dev->pdev->devfn)); + } + + /* Must be called with intf_mutex held */ + struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev) + { +- u16 pci_id = mlx5_gen_pci_id(dev); ++ u32 pci_id = mlx5_gen_pci_id(dev); + struct mlx5_core_dev *res = NULL; + struct mlx5_core_dev *tmp_dev; + struct mlx5_priv *priv; diff --git a/queue-4.9/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch b/queue-4.9/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch new file mode 100644 index 00000000000..c6ae14c4b6d --- /dev/null +++ b/queue-4.9/nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch @@ -0,0 +1,94 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Sagi Grimberg +Date: Mon, 3 Sep 2018 03:47:07 -0700 +Subject: nvmet-rdma: fix possible bogus dereference under heavy load + +From: Sagi Grimberg + +[ Upstream commit 8407879c4e0d7731f6e7e905893cecf61a7762c7 ] + +Currently we always repost the recv buffer before we send a response +capsule back to the host. Since ordering is not guaranteed for send +and recv completions, it is posible that we will receive a new request +from the host before we got a send completion for the response capsule. + +Today, we pre-allocate 2x rsps the length of the queue, but in reality, +under heavy load there is nothing that is really preventing the gap to +expand until we exhaust all our rsps. + +To fix this, if we don't have any pre-allocated rsps left, we dynamically +allocate a rsp and make sure to free it when we are done. If under memory +pressure we fail to allocate a rsp, we silently drop the command and +wait for the host to retry. + +Reported-by: Steve Wise +Tested-by: Steve Wise +Signed-off-by: Sagi Grimberg +[hch: dropped a superflous assignment] +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/rdma.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -65,6 +65,7 @@ struct nvmet_rdma_rsp { + + struct nvmet_req req; + ++ bool allocated; + u8 n_rdma; + u32 flags; + u32 invalidate_rkey; +@@ -167,11 +168,19 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_que + unsigned long flags; + + spin_lock_irqsave(&queue->rsps_lock, flags); +- rsp = list_first_entry(&queue->free_rsps, ++ rsp = list_first_entry_or_null(&queue->free_rsps, + struct nvmet_rdma_rsp, free_list); +- list_del(&rsp->free_list); ++ if (likely(rsp)) ++ list_del(&rsp->free_list); + spin_unlock_irqrestore(&queue->rsps_lock, flags); + ++ if (unlikely(!rsp)) { ++ rsp = kmalloc(sizeof(*rsp), GFP_KERNEL); ++ if (unlikely(!rsp)) ++ return NULL; ++ rsp->allocated = true; ++ } ++ + return rsp; + } + +@@ -180,6 +189,11 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp + { + unsigned long flags; + ++ if (rsp->allocated) { ++ kfree(rsp); ++ return; ++ } ++ + spin_lock_irqsave(&rsp->queue->rsps_lock, flags); + list_add_tail(&rsp->free_list, &rsp->queue->free_rsps); + spin_unlock_irqrestore(&rsp->queue->rsps_lock, flags); +@@ -755,6 +769,15 @@ static void nvmet_rdma_recv_done(struct + + cmd->queue = queue; + rsp = nvmet_rdma_get_rsp(queue); ++ if (unlikely(!rsp)) { ++ /* ++ * we get here only under memory pressure, ++ * silently drop and have the host retry ++ * as we can't even fail it. ++ */ ++ nvmet_rdma_post_recv(queue->dev, cmd); ++ return; ++ } + rsp->queue = queue; + rsp->cmd = cmd; + rsp->flags = 0; diff --git a/queue-4.9/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch b/queue-4.9/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch new file mode 100644 index 00000000000..403f2fed673 --- /dev/null +++ b/queue-4.9/perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Hisao Tanabe +Date: Sat, 25 Aug 2018 00:45:56 +0900 +Subject: perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx() + +From: Hisao Tanabe + +[ Upstream commit fd8d2702791a970c751f8b526a17d8e725a05b46 ] + +If evsel is NULL, we should return NULL to avoid a NULL pointer +dereference a bit later in the code. + +Signed-off-by: Hisao Tanabe +Acked-by: Namhyung Kim +Cc: Jiri Olsa +Cc: Wang Nan +Fixes: 03e0a7df3efd ("perf tools: Introduce bpf-output event") +LPU-Reference: 20180824154556.23428-1-xtanabe@gmail.com +Link: https://lkml.kernel.org/n/tip-e5plzjhx6595a5yjaf22jss3@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/evsel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -241,8 +241,9 @@ struct perf_evsel *perf_evsel__new_idx(s + { + struct perf_evsel *evsel = zalloc(perf_evsel__object.size); + +- if (evsel != NULL) +- perf_evsel__init(evsel, attr, idx); ++ if (!evsel) ++ return NULL; ++ perf_evsel__init(evsel, attr, idx); + + if (perf_evsel__is_bpf_output(evsel)) { + evsel->attr.sample_type |= (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | diff --git a/queue-4.9/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch b/queue-4.9/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch new file mode 100644 index 00000000000..253545cfe2a --- /dev/null +++ b/queue-4.9/perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Sandipan Das +Date: Tue, 28 Aug 2018 14:38:48 +0530 +Subject: perf probe powerpc: Ignore SyS symbols irrespective of endianness + +From: Sandipan Das + +[ Upstream commit fa694160cca6dbba17c57dc7efec5f93feaf8795 ] + +This makes sure that the SyS symbols are ignored for any powerpc system, +not just the big endian ones. + +Reported-by: Naveen N. Rao +Signed-off-by: Sandipan Das +Reviewed-by: Kamalesh Babulal +Acked-by: Naveen N. Rao +Cc: Jiri Olsa +Cc: Ravi Bangoria +Fixes: fb6d59423115 ("perf probe ppc: Use the right prefix when ignoring SyS symbols on ppc") +Link: http://lkml.kernel.org/r/20180828090848.1914-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/sym-handling.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/perf/arch/powerpc/util/sym-handling.c ++++ b/tools/perf/arch/powerpc/util/sym-handling.c +@@ -21,15 +21,16 @@ bool elf__needs_adjust_symbols(GElf_Ehdr + + #endif + +-#if !defined(_CALL_ELF) || _CALL_ELF != 2 + int arch__choose_best_symbol(struct symbol *syma, + struct symbol *symb __maybe_unused) + { + char *sym = syma->name; + ++#if !defined(_CALL_ELF) || _CALL_ELF != 2 + /* Skip over any initial dot */ + if (*sym == '.') + sym++; ++#endif + + /* Avoid "SyS" kernel syscall aliases */ + if (strlen(sym) >= 3 && !strncmp(sym, "SyS", 3)) +@@ -40,6 +41,7 @@ int arch__choose_best_symbol(struct symb + return SYMBOL_A; + } + ++#if !defined(_CALL_ELF) || _CALL_ELF != 2 + /* Allow matching against dot variants */ + int arch__compare_symbol_names(const char *namea, const char *nameb) + { diff --git a/queue-4.9/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch b/queue-4.9/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch new file mode 100644 index 00000000000..06930e09e45 --- /dev/null +++ b/queue-4.9/perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch @@ -0,0 +1,72 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Jacek Tomaka +Date: Thu, 2 Aug 2018 09:38:30 +0800 +Subject: perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing CPUs + +From: Jacek Tomaka + +[ Upstream commit 16160c1946b702dcfa95ef63389a56deb2f1c7cb ] + +Problem: perf did not show branch predicted/mispredicted bit in brstack. + +Output of perf -F brstack for profile collected + +Before: + + 0x4fdbcd/0x4fdc03/-/-/-/0 + 0x45f4c1/0x4fdba0/-/-/-/0 + 0x45f544/0x45f4bb/-/-/-/0 + 0x45f555/0x45f53c/-/-/-/0 + 0x7f66901cc24b/0x45f555/-/-/-/0 + 0x7f66901cc22e/0x7f66901cc23d/-/-/-/0 + 0x7f66901cc1ff/0x7f66901cc20f/-/-/-/0 + 0x7f66901cc1e8/0x7f66901cc1fc/-/-/-/0 + +After: + + 0x4fdbcd/0x4fdc03/P/-/-/0 + 0x45f4c1/0x4fdba0/P/-/-/0 + 0x45f544/0x45f4bb/P/-/-/0 + 0x45f555/0x45f53c/P/-/-/0 + 0x7f66901cc24b/0x45f555/P/-/-/0 + 0x7f66901cc22e/0x7f66901cc23d/P/-/-/0 + 0x7f66901cc1ff/0x7f66901cc20f/P/-/-/0 + 0x7f66901cc1e8/0x7f66901cc1fc/P/-/-/0 + +Cause: + +As mentioned in Software Development Manual vol 3, 17.4.8.1, +IA32_PERF_CAPABILITIES[5:0] indicates the format of the address that is +stored in the LBR stack. Knights Landing reports 1 (LBR_FORMAT_LIP) as +its format. Despite that, registers containing FROM address of the branch, +do have MISPREDICT bit but because of the format indicated in +IA32_PERF_CAPABILITIES[5:0], LBR did not read MISPREDICT bit. + +Solution: + +Teach LBR about above Knights Landing quirk and make it read MISPREDICT bit. + +Signed-off-by: Jacek Tomaka +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180802013830.10600-1-jacekt@dugeo.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/lbr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -1195,4 +1195,8 @@ void intel_pmu_lbr_init_knl(void) + + x86_pmu.lbr_sel_mask = LBR_SEL_MASK; + x86_pmu.lbr_sel_map = snb_lbr_sel_map; ++ ++ /* Knights Landing does have MISPREDICT bit */ ++ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_LIP) ++ x86_pmu.intel_cap.lbr_format = LBR_FORMAT_EIP_FLAGS; + } diff --git a/queue-4.9/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch b/queue-4.9/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch new file mode 100644 index 00000000000..060e01fe052 --- /dev/null +++ b/queue-4.9/pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch @@ -0,0 +1,93 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Stephen Boyd +Date: Thu, 16 Aug 2018 13:06:46 -0700 +Subject: pinctrl: msm: Really mask level interrupts to prevent latching + +From: Stephen Boyd + +[ Upstream commit b55326dc969ea2d704a008d9a97583b128f54f4f ] + +The interrupt controller hardware in this pin controller has two status +enable bits. The first "normal" status enable bit enables or disables +the summary interrupt line being raised when a gpio interrupt triggers +and the "raw" status enable bit allows or prevents the hardware from +latching an interrupt into the status register for a gpio interrupt. +Currently we just toggle the "normal" status enable bit in the mask and +unmask ops so that the summary irq interrupt going to the CPU's +interrupt controller doesn't trigger for the masked gpio interrupt. + +For a level triggered interrupt, the flow would be as follows: the pin +controller sees the interrupt, latches the status into the status +register, raises the summary irq to the CPU, summary irq handler runs +and calls handle_level_irq(), handle_level_irq() masks and acks the gpio +interrupt, the interrupt handler runs, and finally unmask the interrupt. +When the interrupt handler completes, we expect that the interrupt line +level will go back to the deasserted state so the genirq code can unmask +the interrupt without it triggering again. + +If we only mask the interrupt by clearing the "normal" status enable bit +then we'll ack the interrupt but it will continue to show up as pending +in the status register because the raw status bit is enabled, the +hardware hasn't deasserted the line, and thus the asserted state latches +into the status register again. When the hardware deasserts the +interrupt the pin controller still thinks there is a pending unserviced +level interrupt because it latched it earlier. This behavior causes +software to see an extra interrupt for level type interrupts each time +the interrupt is handled. + +Let's fix this by clearing the raw status enable bit for level type +interrupts so that the hardware stops latching the status of the +interrupt after we ack it. We don't do this for edge type interrupts +because it seems that toggling the raw status enable bit for edge type +interrupts causes spurious edge interrupts. + +Signed-off-by: Stephen Boyd +Reviewed-by: Douglas Anderson +Reviewed-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -574,6 +574,29 @@ static void msm_gpio_irq_mask(struct irq + spin_lock_irqsave(&pctrl->lock, flags); + + val = readl(pctrl->regs + g->intr_cfg_reg); ++ /* ++ * There are two bits that control interrupt forwarding to the CPU. The ++ * RAW_STATUS_EN bit causes the level or edge sensed on the line to be ++ * latched into the interrupt status register when the hardware detects ++ * an irq that it's configured for (either edge for edge type or level ++ * for level type irq). The 'non-raw' status enable bit causes the ++ * hardware to assert the summary interrupt to the CPU if the latched ++ * status bit is set. There's a bug though, the edge detection logic ++ * seems to have a problem where toggling the RAW_STATUS_EN bit may ++ * cause the status bit to latch spuriously when there isn't any edge ++ * so we can't touch that bit for edge type irqs and we have to keep ++ * the bit set anyway so that edges are latched while the line is masked. ++ * ++ * To make matters more complicated, leaving the RAW_STATUS_EN bit ++ * enabled all the time causes level interrupts to re-latch into the ++ * status register because the level is still present on the line after ++ * we ack it. We clear the raw status enable bit during mask here and ++ * set the bit on unmask so the interrupt can't latch into the hardware ++ * while it's masked. ++ */ ++ if (irqd_get_trigger_type(d) & IRQ_TYPE_LEVEL_MASK) ++ val &= ~BIT(g->intr_raw_status_bit); ++ + val &= ~BIT(g->intr_enable_bit); + writel(val, pctrl->regs + g->intr_cfg_reg); + +@@ -595,6 +618,7 @@ static void msm_gpio_irq_unmask(struct i + spin_lock_irqsave(&pctrl->lock, flags); + + val = readl(pctrl->regs + g->intr_cfg_reg); ++ val |= BIT(g->intr_raw_status_bit); + val |= BIT(g->intr_enable_bit); + writel(val, pctrl->regs + g->intr_cfg_reg); + diff --git a/queue-4.9/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch b/queue-4.9/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch new file mode 100644 index 00000000000..b77a33ed476 --- /dev/null +++ b/queue-4.9/r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Kai-Heng Feng +Date: Tue, 11 Sep 2018 01:51:43 +0800 +Subject: r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED + +From: Kai-Heng Feng + +[ Upstream commit 6ad569019999300afd8e614d296fdc356550b77f ] + +After system suspend, sometimes the r8169 doesn't work when ethernet +cable gets pluggued. + +This issue happens because rtl_reset_work() doesn't get called from +rtl8169_runtime_resume(), after system suspend. + +In rtl_task(), RTL_FLAG_TASK_* only gets cleared if this condition is +met: +if (!netif_running(dev) || + !test_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags)) + ... + +If RTL_FLAG_TASK_ENABLED was cleared during system suspend while +RTL_FLAG_TASK_RESET_PENDING was set, the next rtl_schedule_task() won't +schedule task as the flag is still there. + +So in addition to clearing RTL_FLAG_TASK_ENABLED, also clears other +flags. + +Cc: Heiner Kallweit +Signed-off-by: Kai-Heng Feng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -760,7 +760,7 @@ struct rtl8169_tc_offsets { + }; + + enum rtl_flag { +- RTL_FLAG_TASK_ENABLED, ++ RTL_FLAG_TASK_ENABLED = 0, + RTL_FLAG_TASK_SLOW_PENDING, + RTL_FLAG_TASK_RESET_PENDING, + RTL_FLAG_TASK_PHY_PENDING, +@@ -7637,7 +7637,8 @@ static int rtl8169_close(struct net_devi + rtl8169_update_counters(dev); + + rtl_lock_work(tp); +- clear_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags); ++ /* Clear all task flags */ ++ bitmap_zero(tp->wk.flags, RTL_FLAG_MAX); + + rtl8169_down(dev); + rtl_unlock_work(tp); +@@ -7820,7 +7821,9 @@ static void rtl8169_net_suspend(struct n + + rtl_lock_work(tp); + napi_disable(&tp->napi); +- clear_bit(RTL_FLAG_TASK_ENABLED, tp->wk.flags); ++ /* Clear all task flags */ ++ bitmap_zero(tp->wk.flags, RTL_FLAG_MAX); ++ + rtl_unlock_work(tp); + + rtl_pll_power_down(tp); diff --git a/queue-4.9/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch b/queue-4.9/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch new file mode 100644 index 00000000000..05693246ac3 --- /dev/null +++ b/queue-4.9/rdma-ucma-check-fd-type-in-ucma_migrate_id.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Jann Horn +Date: Mon, 3 Sep 2018 18:54:14 +0200 +Subject: RDMA/ucma: check fd type in ucma_migrate_id() + +From: Jann Horn + +[ Upstream commit 0d23ba6034b9cf48b8918404367506da3e4b3ee5 ] + +The current code grabs the private_data of whatever file descriptor +userspace has supplied and implicitly casts it to a `struct ucma_file *`, +potentially causing a type confusion. + +This is probably fine in practice because the pointer is only used for +comparisons, it is never actually dereferenced; and even in the +comparisons, it is unlikely that a file from another filesystem would have +a ->private_data pointer that happens to also be valid in this context. +But ->private_data is not always guaranteed to be a valid pointer to an +object owned by the file's filesystem; for example, some filesystems just +cram numbers in there. + +Check the type of the supplied file descriptor to be safe, analogous to how +other places in the kernel do it. + +Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()") +Signed-off-by: Jann Horn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -124,6 +124,8 @@ static DEFINE_MUTEX(mut); + static DEFINE_IDR(ctx_idr); + static DEFINE_IDR(multicast_idr); + ++static const struct file_operations ucma_fops; ++ + static inline struct ucma_context *_ucma_find_context(int id, + struct ucma_file *file) + { +@@ -1545,6 +1547,10 @@ static ssize_t ucma_migrate_id(struct uc + f = fdget(cmd.fd); + if (!f.file) + return -ENOENT; ++ if (f.file->f_op != &ucma_fops) { ++ ret = -EINVAL; ++ goto file_put; ++ } + + /* Validate current fd and prevent destruction of id. */ + ctx = ucma_get_ctx(f.file->private_data, cmd.id); diff --git a/queue-4.9/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch b/queue-4.9/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch new file mode 100644 index 00000000000..6311d4a2f05 --- /dev/null +++ b/queue-4.9/s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Julian Wiedmann +Date: Wed, 12 Sep 2018 15:31:35 +0200 +Subject: s390/qeth: don't dump past end of unknown HW header + +From: Julian Wiedmann + +[ Upstream commit 0ac1487c4b2de383b91ecad1be561b8f7a2c15f4 ] + +For inbound data with an unsupported HW header format, only dump the +actual HW header. We have no idea how much payload follows it, and what +it contains. Worst case, we dump past the end of the Inbound Buffer and +access whatever is located next in memory. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_l2_main.c | 2 +- + drivers/s390/net/qeth_l3_main.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -491,7 +491,7 @@ static int qeth_l2_process_inbound_buffe + default: + dev_kfree_skb_any(skb); + QETH_CARD_TEXT(card, 3, "inbunkno"); +- QETH_DBF_HEX(CTRL, 3, hdr, QETH_DBF_CTRL_LEN); ++ QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr)); + continue; + } + work_done++; +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -1836,7 +1836,7 @@ static int qeth_l3_process_inbound_buffe + default: + dev_kfree_skb_any(skb); + QETH_CARD_TEXT(card, 3, "inbunkno"); +- QETH_DBF_HEX(CTRL, 3, hdr, QETH_DBF_CTRL_LEN); ++ QETH_DBF_HEX(CTRL, 3, hdr, sizeof(*hdr)); + continue; + } + work_done++; diff --git a/queue-4.9/s390-qeth-use-vzalloc-for-query-oat-buffer.patch b/queue-4.9/s390-qeth-use-vzalloc-for-query-oat-buffer.patch new file mode 100644 index 00000000000..c7b70f3b51c --- /dev/null +++ b/queue-4.9/s390-qeth-use-vzalloc-for-query-oat-buffer.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Wenjia Zhang +Date: Wed, 12 Sep 2018 15:31:34 +0200 +Subject: s390/qeth: use vzalloc for QUERY OAT buffer + +From: Wenjia Zhang + +[ Upstream commit aec45e857c5538664edb76a60dd452e3265f37d1 ] + +qeth_query_oat_command() currently allocates the kernel buffer for +the SIOC_QETH_QUERY_OAT ioctl with kzalloc. So on systems with +fragmented memory, large allocations may fail (eg. the qethqoat tool by +default uses 132KB). + +Solve this issue by using vzalloc, backing the allocation with +non-contiguous memory. + +Signed-off-by: Wenjia Zhang +Reviewed-by: Julian Wiedmann +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -4715,7 +4716,7 @@ int qeth_query_oat_command(struct qeth_c + + priv.buffer_len = oat_data.buffer_len; + priv.response_len = 0; +- priv.buffer = kzalloc(oat_data.buffer_len, GFP_KERNEL); ++ priv.buffer = vzalloc(oat_data.buffer_len); + if (!priv.buffer) { + rc = -ENOMEM; + goto out; +@@ -4756,7 +4757,7 @@ int qeth_query_oat_command(struct qeth_c + rc = -EFAULT; + + out_free: +- kfree(priv.buffer); ++ vfree(priv.buffer); + out: + return rc; + } diff --git a/queue-4.9/series b/queue-4.9/series index 433c41b0f93..b304f011053 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -23,3 +23,29 @@ mac80211-shorten-the-ibss-debug-messages.patch tools-vm-slabinfo.c-fix-sign-compare-warning.patch tools-vm-page-types.c-fix-defined-but-not-used-warning.patch mm-madvise-madv_dodump-allow-hugetlbfs-pages.patch +hid-add-support-for-apple-magic-keyboards.patch +usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch +pinctrl-msm-really-mask-level-interrupts-to-prevent-latching.patch +hid-hid-saitek-add-device-id-for-rat-7-contagion.patch +perf-evsel-fix-potential-null-pointer-dereference-in-perf_evsel__new_idx.patch +perf-probe-powerpc-ignore-sys-symbols-irrespective-of-endianness.patch +rdma-ucma-check-fd-type-in-ucma_migrate_id.patch +usb-yurex-check-for-truncation-in-yurex_read.patch +nvmet-rdma-fix-possible-bogus-dereference-under-heavy-load.patch +net-mlx5-consider-pci-domain-in-search-for-next-dev.patch +drm-nouveau-tbddevinit-don-t-fail-when-pmu-pre_os-is-missing-from-vbios.patch +dm-raid-fix-rebuild-of-specific-devices-by-updating-superblock.patch +fs-cifs-suppress-a-string-overflow-warning.patch +net-ena-fix-driver-when-page_size-64kb.patch +perf-x86-intel-add-support-quirk-for-the-mispredict-bit-on-knights-landing-cpus.patch +dm-thin-metadata-try-to-avoid-ever-aborting-transactions.patch +arch-hexagon-fix-kernel-dma.c-build-warning.patch +hexagon-modify-ffs-and-fls-to-return-int.patch +arm64-jump_label.h-use-asm_volatile_goto-macro-instead-of-asm-goto.patch +r8169-clear-rtl_flag_task_-_pending-when-clearing-rtl_flag_task_enabled.patch +s390-qeth-use-vzalloc-for-query-oat-buffer.patch +s390-qeth-don-t-dump-past-end-of-unknown-hw-header.patch +cifs-read-overflow-in-is_valid_oplock_break.patch +xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch +xen-avoid-crash-in-disable_hotplug_cpu.patch +xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch diff --git a/queue-4.9/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch b/queue-4.9/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch new file mode 100644 index 00000000000..ff33aea140e --- /dev/null +++ b/queue-4.9/usb-gadget-fotg210-udc-fix-memory-leak-of-fotg210-ep.patch @@ -0,0 +1,87 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Anton Vasilyev +Date: Tue, 7 Aug 2018 14:44:48 +0300 +Subject: usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i] + +From: Anton Vasilyev + +[ Upstream commit c37bd52836296ecc9a0fc8060b819089aebdbcde ] + +There is no deallocation of fotg210->ep[i] elements, allocated at +fotg210_udc_probe. + +The patch adds deallocation of fotg210->ep array elements and simplifies +error path of fotg210_udc_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/fotg210-udc.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -1066,12 +1066,15 @@ static struct usb_gadget_ops fotg210_gad + static int fotg210_udc_remove(struct platform_device *pdev) + { + struct fotg210_udc *fotg210 = platform_get_drvdata(pdev); ++ int i; + + usb_del_gadget_udc(&fotg210->gadget); + iounmap(fotg210->reg); + free_irq(platform_get_irq(pdev, 0), fotg210); + + fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req); ++ for (i = 0; i < FOTG210_MAX_NUM_EP; i++) ++ kfree(fotg210->ep[i]); + kfree(fotg210); + + return 0; +@@ -1102,7 +1105,7 @@ static int fotg210_udc_probe(struct plat + /* initialize udc */ + fotg210 = kzalloc(sizeof(struct fotg210_udc), GFP_KERNEL); + if (fotg210 == NULL) +- goto err_alloc; ++ goto err; + + for (i = 0; i < FOTG210_MAX_NUM_EP; i++) { + _ep[i] = kzalloc(sizeof(struct fotg210_ep), GFP_KERNEL); +@@ -1114,7 +1117,7 @@ static int fotg210_udc_probe(struct plat + fotg210->reg = ioremap(res->start, resource_size(res)); + if (fotg210->reg == NULL) { + pr_err("ioremap error.\n"); +- goto err_map; ++ goto err_alloc; + } + + spin_lock_init(&fotg210->lock); +@@ -1162,7 +1165,7 @@ static int fotg210_udc_probe(struct plat + fotg210->ep0_req = fotg210_ep_alloc_request(&fotg210->ep[0]->ep, + GFP_KERNEL); + if (fotg210->ep0_req == NULL) +- goto err_req; ++ goto err_map; + + fotg210_init(fotg210); + +@@ -1190,12 +1193,14 @@ err_req: + fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req); + + err_map: +- if (fotg210->reg) +- iounmap(fotg210->reg); ++ iounmap(fotg210->reg); + + err_alloc: ++ for (i = 0; i < FOTG210_MAX_NUM_EP; i++) ++ kfree(fotg210->ep[i]); + kfree(fotg210); + ++err: + return ret; + } + diff --git a/queue-4.9/usb-yurex-check-for-truncation-in-yurex_read.patch b/queue-4.9/usb-yurex-check-for-truncation-in-yurex_read.patch new file mode 100644 index 00000000000..b65c81713a1 --- /dev/null +++ b/queue-4.9/usb-yurex-check-for-truncation-in-yurex_read.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Ben Hutchings +Date: Wed, 15 Aug 2018 21:45:37 +0100 +Subject: USB: yurex: Check for truncation in yurex_read() + +From: Ben Hutchings + +[ Upstream commit 14427b86837a4baf1c121934c6599bdb67dfa9fc ] + +snprintf() always returns the full length of the string it could have +printed, even if it was truncated because the buffer was too small. +So in case the counter value is truncated, we will over-read from +in_buffer and over-write to the caller's buffer. + +I don't think it's actually possible for this to happen, but in case +truncation occurs, WARN and return -EIO. + +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/yurex.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -423,6 +423,9 @@ static ssize_t yurex_read(struct file *f + spin_unlock_irqrestore(&dev->lock, flags); + mutex_unlock(&dev->io_mutex); + ++ if (WARN_ON_ONCE(len >= sizeof(in_buffer))) ++ return -EIO; ++ + return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); + } + diff --git a/queue-4.9/xen-avoid-crash-in-disable_hotplug_cpu.patch b/queue-4.9/xen-avoid-crash-in-disable_hotplug_cpu.patch new file mode 100644 index 00000000000..8cf44ffb1ff --- /dev/null +++ b/queue-4.9/xen-avoid-crash-in-disable_hotplug_cpu.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Olaf Hering +Date: Fri, 7 Sep 2018 16:31:35 +0200 +Subject: xen: avoid crash in disable_hotplug_cpu + +From: Olaf Hering + +[ Upstream commit 3366cdb6d350d95466ee430ac50f3c8415ca8f46 ] + +The command 'xl vcpu-set 0 0', issued in dom0, will crash dom0: + +BUG: unable to handle kernel NULL pointer dereference at 00000000000002d8 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 7 PID: 65 Comm: xenwatch Not tainted 4.19.0-rc2-1.ga9462db-default #1 openSUSE Tumbleweed (unreleased) +Hardware name: Intel Corporation S5520UR/S5520UR, BIOS S5500.86B.01.00.0050.050620101605 05/06/2010 +RIP: e030:device_offline+0x9/0xb0 +Code: 77 24 00 e9 ce fe ff ff 48 8b 13 e9 68 ff ff ff 48 8b 13 e9 29 ff ff ff 48 8b 13 e9 ea fe ff ff 90 66 66 66 66 90 41 54 55 53 87 d8 02 00 00 01 0f 85 88 00 00 00 48 c7 c2 20 09 60 81 31 f6 +RSP: e02b:ffffc90040f27e80 EFLAGS: 00010203 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ffff8801f3800000 RSI: ffffc90040f27e70 RDI: 0000000000000000 +RBP: 0000000000000000 R08: ffffffff820e47b3 R09: 0000000000000000 +R10: 0000000000007ff0 R11: 0000000000000000 R12: ffffffff822e6d30 +R13: dead000000000200 R14: dead000000000100 R15: ffffffff8158b4e0 +FS: 00007ffa595158c0(0000) GS:ffff8801f39c0000(0000) knlGS:0000000000000000 +CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000000002d8 CR3: 00000001d9602000 CR4: 0000000000002660 +Call Trace: + handle_vcpu_hotplug_event+0xb5/0xc0 + xenwatch_thread+0x80/0x140 + ? wait_woken+0x80/0x80 + kthread+0x112/0x130 + ? kthread_create_worker_on_cpu+0x40/0x40 + ret_from_fork+0x3a/0x50 + +This happens because handle_vcpu_hotplug_event is called twice. In the +first iteration cpu_present is still true, in the second iteration +cpu_present is false which causes get_cpu_device to return NULL. +In case of cpu#0, cpu_online is apparently always true. + +Fix this crash by checking if the cpu can be hotplugged, which is false +for a cpu that was just removed. + +Also check if the cpu was actually offlined by device_remove, otherwise +leave the cpu_present state as it is. + +Rearrange to code to do all work with device_hotplug_lock held. + +Signed-off-by: Olaf Hering +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/cpu_hotplug.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/xen/cpu_hotplug.c ++++ b/drivers/xen/cpu_hotplug.c +@@ -18,15 +18,16 @@ static void enable_hotplug_cpu(int cpu) + + static void disable_hotplug_cpu(int cpu) + { +- if (cpu_online(cpu)) { +- lock_device_hotplug(); ++ if (!cpu_is_hotpluggable(cpu)) ++ return; ++ lock_device_hotplug(); ++ if (cpu_online(cpu)) + device_offline(get_cpu_device(cpu)); +- unlock_device_hotplug(); +- } +- if (cpu_present(cpu)) ++ if (!cpu_online(cpu) && cpu_present(cpu)) { + xen_arch_unregister_cpu(cpu); +- +- set_cpu_present(cpu, false); ++ set_cpu_present(cpu, false); ++ } ++ unlock_device_hotplug(); + } + + static int vcpu_online(unsigned int cpu) diff --git a/queue-4.9/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch b/queue-4.9/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch new file mode 100644 index 00000000000..455d59a2215 --- /dev/null +++ b/queue-4.9/xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Josh Abraham +Date: Wed, 12 Sep 2018 15:13:54 -1000 +Subject: xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage + +From: Josh Abraham + +[ Upstream commit 4dca864b59dd150a221730775e2f21f49779c135 ] + +This patch removes duplicate macro useage in events_base.c. + +It also fixes gcc warning: +variable ‘col’ set but not used [-Wunused-but-set-variable] + +Signed-off-by: Joshua Abraham +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -139,7 +139,7 @@ static int set_evtchn_to_irq(unsigned ev + clear_evtchn_to_irq_row(row); + } + +- evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)] = irq; ++ evtchn_to_irq[row][col] = irq; + return 0; + } + diff --git a/queue-4.9/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch b/queue-4.9/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch new file mode 100644 index 00000000000..4f9f59fdb5e --- /dev/null +++ b/queue-4.9/xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Oct 8 18:01:43 CEST 2018 +From: Vitaly Kuznetsov +Date: Thu, 6 Sep 2018 13:26:08 +0200 +Subject: xen/manage: don't complain about an empty value in control/sysrq node + +From: Vitaly Kuznetsov + +[ Upstream commit 87dffe86d406bee8782cac2db035acb9a28620a7 ] + +When guest receives a sysrq request from the host it acknowledges it by +writing '\0' to control/sysrq xenstore node. This, however, make xenstore +watch fire again but xenbus_scanf() fails to parse empty value with "%c" +format string: + + sysrq: SysRq : Emergency Sync + Emergency Sync complete + xen:manage: Error -34 reading sysrq code in control/sysrq + +Ignore -ERANGE the same way we already ignore -ENOENT, empty value in +control/sysrq is totally legal. + +Signed-off-by: Vitaly Kuznetsov +Reviewed-by: Wei Liu +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/manage.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -282,9 +282,11 @@ static void sysrq_handler(struct xenbus_ + /* + * The Xenstore watch fires directly after registering it and + * after a suspend/resume cycle. So ENOENT is no error but +- * might happen in those cases. ++ * might happen in those cases. ERANGE is observed when we get ++ * an empty value (''), this happens when we acknowledge the ++ * request by writing '\0' below. + */ +- if (err != -ENOENT) ++ if (err != -ENOENT && err != -ERANGE) + pr_err("Error %d reading sysrq code in control/sysrq\n", + err); + xenbus_transaction_end(xbt, 1);