From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 01:49:46 +0000 (-0800) Subject: 4.4-stable patches X-Git-Tag: v4.19.2~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=921f11cd0e9d6bae8f5544c068225700bc168965;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: asoc-sta32x-set-component-pointer-in-private-struct.patch crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch genirq-fix-race-on-spurious-interrupt-detection.patch gfs2_meta-mount-can-get-null-dev_name.patch hid-hiddev-fix-potential-spectre-v1.patch hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch ima-fix-showing-large-violations-or-runtime_measurements_count.patch jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch kbuild-fix-kernel-bounds.c-w-1-warning.patch libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch net-ipv4-defensive-cipso-option-parsing.patch pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch signal-genwqe-fix-sending-of-sigkill.patch smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch tpm-restore-functionality-to-xen-vtpm-driver.patch w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch xen-fix-race-in-xen_qlock_wait.patch xen-make-xen_qlock_wait-nestable.patch xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch --- diff --git a/queue-4.4/asoc-sta32x-set-component-pointer-in-private-struct.patch b/queue-4.4/asoc-sta32x-set-component-pointer-in-private-struct.patch new file mode 100644 index 00000000000..e22d4d86a64 --- /dev/null +++ b/queue-4.4/asoc-sta32x-set-component-pointer-in-private-struct.patch @@ -0,0 +1,38 @@ +From 747df19747bc9752cd40b9cce761e17a033aa5c2 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Thu, 11 Oct 2018 20:32:05 +0200 +Subject: ASoC: sta32x: set ->component pointer in private struct + +From: Daniel Mack + +commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream. + +The ESD watchdog code in sta32x_watchdog() dereferences the pointer +which is never assigned. + +This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct +regmap API usage.") which went unnoticed since nobody seems to use that ESD +workaround. + +Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.") +Signed-off-by: Daniel Mack +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/sta32x.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/codecs/sta32x.c ++++ b/sound/soc/codecs/sta32x.c +@@ -880,6 +880,9 @@ static int sta32x_probe(struct snd_soc_c + struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec); + struct sta32x_platform_data *pdata = sta32x->pdata; + int i, ret = 0, thermal = 0; ++ ++ sta32x->component = component; ++ + ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies), + sta32x->supplies); + if (ret != 0) { diff --git a/queue-4.4/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch b/queue-4.4/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch new file mode 100644 index 00000000000..1abba34f05f --- /dev/null +++ b/queue-4.4/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch @@ -0,0 +1,40 @@ +From fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 13 Sep 2018 10:51:31 +0200 +Subject: crypto: lrw - Fix out-of bounds access on counter overflow + +From: Ondrej Mosnacek + +commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream. + +When the LRW block counter overflows, the current implementation returns +128 as the index to the precomputed multiplication table, which has 128 +entries. This patch fixes it to return the correct value (127). + +Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode") +Cc: # 2.6.20+ +Reported-by: Eric Biggers +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/lrw.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl + return x + ffz(val); + } + +- return x; ++ /* ++ * If we get here, then x == 128 and we are incrementing the counter ++ * from all ones to all zeros. This means we must return index 127, i.e. ++ * the one corresponding to key2*{ 1,...,1 }. ++ */ ++ return 127; + } + + static int crypt(struct blkcipher_desc *d, diff --git a/queue-4.4/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch b/queue-4.4/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch new file mode 100644 index 00000000000..d1fb9c9c8f3 --- /dev/null +++ b/queue-4.4/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch @@ -0,0 +1,64 @@ +From fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Sun, 23 Sep 2018 21:10:43 +0000 +Subject: Drivers: hv: kvp: Fix two "this statement may fall through" warnings + +From: Dexuan Cui + +commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream. + +We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is +KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on +the op code from the host to the userspace; when the userspace returns +the info requested by the host, we pass the info on to the host in +kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code +actually doesn't cause any harm, because only message->kvp_hdr.operation +is used by the userspace, in the case of KVP_OP_GET_IP_INFO. + +The patch also adds a missing "break;" in kvp_send_key(). BTW, the current +buggy code actually doesn't cause any harm, because in the case of +KVP_OP_SET, the unexpected fall-through corrupts +message->body.kvp_set.data.key_size, but that is not really used: see +the definition of struct hv_kvp_exchg_msg_value. + +Signed-off-by: Dexuan Cui +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_kvp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/hv/hv_kvp.c ++++ b/drivers/hv/hv_kvp.c +@@ -336,7 +336,6 @@ static void process_ib_ipinfo(void *in_m + + out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled; + +- default: + utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id, + MAX_ADAPTER_ID_SIZE, + UTF16_LITTLE_ENDIAN, +@@ -389,7 +388,7 @@ kvp_send_key(struct work_struct *dummy) + process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO); + break; + case KVP_OP_GET_IP_INFO: +- process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO); ++ /* We only need to pass on message->kvp_hdr.operation. */ + break; + case KVP_OP_SET: + switch (in_msg->body.kvp_set.data.value_type) { +@@ -429,6 +428,9 @@ kvp_send_key(struct work_struct *dummy) + break; + + } ++ ++ break; ++ + case KVP_OP_GET: + message->body.kvp_set.data.key_size = + utf16s_to_utf8s( diff --git a/queue-4.4/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch b/queue-4.4/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch new file mode 100644 index 00000000000..431b6f13857 --- /dev/null +++ b/queue-4.4/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch @@ -0,0 +1,34 @@ +From 625ef8a3acd111d5f496d190baf99d1a815bd03e Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Tue, 2 Oct 2018 21:18:45 -0400 +Subject: ext4: initialize retries variable in ext4_da_write_inline_data_begin() + +From: Lukas Czerner + +commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream. + +Variable retries is not initialized in ext4_da_write_inline_data_begin() +which can lead to nondeterministic number of retries in case we hit +ENOSPC. Initialize retries to zero as we do everywhere else. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed") +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -859,7 +859,7 @@ int ext4_da_write_inline_data_begin(stru + handle_t *handle; + struct page *page; + struct ext4_iloc iloc; +- int retries; ++ int retries = 0; + + ret = ext4_get_inode_loc(inode, &iloc); + if (ret) diff --git a/queue-4.4/genirq-fix-race-on-spurious-interrupt-detection.patch b/queue-4.4/genirq-fix-race-on-spurious-interrupt-detection.patch new file mode 100644 index 00000000000..a97dbb3dcbf --- /dev/null +++ b/queue-4.4/genirq-fix-race-on-spurious-interrupt-detection.patch @@ -0,0 +1,96 @@ +From 746a923b863a1065ef77324e1e43f19b1a3eab5c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 18 Oct 2018 15:15:05 +0200 +Subject: genirq: Fix race on spurious interrupt detection + +From: Lukas Wunner + +commit 746a923b863a1065ef77324e1e43f19b1a3eab5c upstream. + +Commit 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of +threaded irqs") made detection of spurious interrupts work for threaded +handlers by: + +a) incrementing a counter every time the thread returns IRQ_HANDLED, and +b) checking whether that counter has increased every time the thread is + woken. + +However for oneshot interrupts, the commit unmasks the interrupt before +incrementing the counter. If another interrupt occurs right after +unmasking but before the counter is incremented, that interrupt is +incorrectly considered spurious: + +time + | irq_thread() + | irq_thread_fn() + | action->thread_fn() + | irq_finalize_oneshot() + | unmask_threaded_irq() /* interrupt is unmasked */ + | + | /* interrupt fires, incorrectly deemed spurious */ + | + | atomic_inc(&desc->threads_handled); /* counter is incremented */ + v + +This is observed with a hi3110 CAN controller receiving data at high volume +(from a separate machine sending with "cangen -g 0 -i -x"): The controller +signals a huge number of interrupts (hundreds of millions per day) and +every second there are about a dozen which are deemed spurious. + +In theory with high CPU load and the presence of higher priority tasks, the +number of incorrectly detected spurious interrupts might increase beyond +the 99,900 threshold and cause disablement of the interrupt. + +In practice it just increments the spurious interrupt count. But that can +cause people to waste time investigating it over and over. + +Fix it by moving the accounting before the invocation of +irq_finalize_oneshot(). + +[ tglx: Folded change log update ] + +Fixes: 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of threaded irqs") +Signed-off-by: Lukas Wunner +Signed-off-by: Thomas Gleixner +Cc: Mathias Duckeck +Cc: Akshay Bhat +Cc: Casey Fitzpatrick +Cc: stable@vger.kernel.org # v3.16+ +Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/manage.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -864,6 +864,9 @@ irq_forced_thread_fn(struct irq_desc *de + + local_bh_disable(); + ret = action->thread_fn(action->irq, action->dev_id); ++ if (ret == IRQ_HANDLED) ++ atomic_inc(&desc->threads_handled); ++ + irq_finalize_oneshot(desc, action); + local_bh_enable(); + return ret; +@@ -880,6 +883,9 @@ static irqreturn_t irq_thread_fn(struct + irqreturn_t ret; + + ret = action->thread_fn(action->irq, action->dev_id); ++ if (ret == IRQ_HANDLED) ++ atomic_inc(&desc->threads_handled); ++ + irq_finalize_oneshot(desc, action); + return ret; + } +@@ -957,8 +963,6 @@ static int irq_thread(void *data) + irq_thread_check_affinity(desc, action); + + action_ret = handler_fn(desc, action); +- if (action_ret == IRQ_HANDLED) +- atomic_inc(&desc->threads_handled); + if (action_ret == IRQ_WAKE_THREAD) + irq_wake_secondary(desc, action); + diff --git a/queue-4.4/gfs2_meta-mount-can-get-null-dev_name.patch b/queue-4.4/gfs2_meta-mount-can-get-null-dev_name.patch new file mode 100644 index 00000000000..c675137ecc8 --- /dev/null +++ b/queue-4.4/gfs2_meta-mount-can-get-null-dev_name.patch @@ -0,0 +1,32 @@ +From 3df629d873f8683af6f0d34dfc743f637966d483 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 13 Oct 2018 00:19:13 -0400 +Subject: gfs2_meta: ->mount() can get NULL dev_name + +From: Al Viro + +commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream. + +get in sync with mount_bdev() handling of the same + +Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/ops_fstype.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1353,6 +1353,9 @@ static struct dentry *gfs2_mount_meta(st + struct path path; + int error; + ++ if (!dev_name || !*dev_name) ++ return ERR_PTR(-EINVAL); ++ + error = kern_path(dev_name, LOOKUP_FOLLOW, &path); + if (error) { + pr_warn("path_lookup on %s returned error %d\n", diff --git a/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch b/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..5b06d14fc4c --- /dev/null +++ b/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch @@ -0,0 +1,76 @@ +From f11274396a538b31bc010f782e05c2ce3f804c13 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Fri, 19 Oct 2018 17:01:33 -0300 +Subject: HID: hiddev: fix potential Spectre v1 + +From: Breno Leitao + +commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream. + +uref->usage_index can be indirectly controlled by userspace, hence leading +to a potential exploitation of the Spectre variant 1 vulnerability. + +This field is used as an array index by the hiddev_ioctl_usage() function, +when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or +HIDIOCSUSAGES. + +For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to +field->maxusage and then used as an index to dereference field->usage +array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where +uref->usage_index is checked against an array maximum value and then it is +used as an index in an array. + +This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the +traditional Spectre V1 first load: + + copy_from_user(uref, user_arg, sizeof(*uref)) + if (uref->usage_index >= field->maxusage) + goto inval; + i = field->usage[uref->usage_index].collection_index; + return i; + +This patch fixes this by sanitizing field uref->usage_index before using it +to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in +HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load. + +Cc: +Signed-off-by: Breno Leitao +v2: Contemplate cmd == HIDIOC{G,S}USAGES case +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hiddev.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -521,14 +521,24 @@ static noinline int hiddev_ioctl_usage(s + if (cmd == HIDIOCGCOLLECTIONINDEX) { + if (uref->usage_index >= field->maxusage) + goto inval; ++ uref->usage_index = ++ array_index_nospec(uref->usage_index, ++ field->maxusage); + } else if (uref->usage_index >= field->report_count) + goto inval; + } + +- if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; ++ if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) { ++ if (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > ++ field->report_count) ++ goto inval; ++ ++ uref->usage_index = ++ array_index_nospec(uref->usage_index, ++ field->report_count - ++ uref_multi->num_values); ++ } + + switch (cmd) { + case HIDIOCGUSAGE: diff --git a/queue-4.4/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch b/queue-4.4/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch new file mode 100644 index 00000000000..084cb6b38c7 --- /dev/null +++ b/queue-4.4/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch @@ -0,0 +1,73 @@ +From 22146c3ce98962436e401f7b7016a6f664c9ffb5 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 26 Oct 2018 15:10:58 -0700 +Subject: hugetlbfs: dirty pages as they are added to pagecache + +From: Mike Kravetz + +commit 22146c3ce98962436e401f7b7016a6f664c9ffb5 upstream. + +Some test systems were experiencing negative huge page reserve counts and +incorrect file block counts. This was traced to /proc/sys/vm/drop_caches +removing clean pages from hugetlbfs file pagecaches. When non-hugetlbfs +explicit code removes the pages, the appropriate accounting is not +performed. + +This can be recreated as follows: + fallocate -l 2M /dev/hugepages/foo + echo 1 > /proc/sys/vm/drop_caches + fallocate -l 2M /dev/hugepages/foo + grep -i huge /proc/meminfo + AnonHugePages: 0 kB + ShmemHugePages: 0 kB + HugePages_Total: 2048 + HugePages_Free: 2047 + HugePages_Rsvd: 18446744073709551615 + HugePages_Surp: 0 + Hugepagesize: 2048 kB + Hugetlb: 4194304 kB + ls -lsh /dev/hugepages/foo + 4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo + +To address this issue, dirty pages as they are added to pagecache. This +can easily be reproduced with fallocate as shown above. Read faulted +pages will eventually end up being marked dirty. But there is a window +where they are clean and could be impacted by code such as drop_caches. +So, just dirty them all as they are added to the pagecache. + +Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com +Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()") +Signed-off-by: Mike Kravetz +Acked-by: Mihcla Hocko +Reviewed-by: Khalid Aziz +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: "Aneesh Kumar K . V" +Cc: Andrea Arcangeli +Cc: "Kirill A . Shutemov" +Cc: Davidlohr Bueso +Cc: Alexander Viro +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3537,6 +3537,12 @@ int huge_add_to_page_cache(struct page * + return err; + ClearPagePrivate(page); + ++ /* ++ * set page dirty so that it will not be removed from cache/file ++ * by non-hugetlbfs specific code paths. ++ */ ++ set_page_dirty(page); ++ + spin_lock(&inode->i_lock); + inode->i_blocks += blocks_per_huge_page(h); + spin_unlock(&inode->i_lock); diff --git a/queue-4.4/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch b/queue-4.4/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch new file mode 100644 index 00000000000..8ee215fc64a --- /dev/null +++ b/queue-4.4/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch @@ -0,0 +1,39 @@ +From bc1b45326223e7e890053cf6266357adfa61942d Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Mon, 24 Sep 2018 10:51:43 +0300 +Subject: iio: adc: at91: fix acking DRDY irq on simple conversions + +From: Eugen Hristev + +commit bc1b45326223e7e890053cf6266357adfa61942d upstream. + +When doing simple conversions, the driver did not acknowledge the DRDY irq. +If this irq status is not acked, it will be left pending, and as soon as a +trigger is enabled, the irq handler will be called, it doesn't know why +this status has occurred because no channel is pending, and then it will go +int a irq loop and board will hang. +To avoid this situation, read the LCDR after a raw conversion is done. + +Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.") +Cc: Maxime Ripard +Signed-off-by: Eugen Hristev +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -276,6 +276,8 @@ static void handle_adc_eoc_trigger(int i + iio_trigger_poll(idev->trig); + } else { + st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb)); ++ /* Needed to ACK the DRDY interruption */ ++ at91_adc_readl(st, AT91_ADC_LCDR); + st->done = true; + wake_up_interruptible(&st->wq_data_avail); + } diff --git a/queue-4.4/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch b/queue-4.4/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch new file mode 100644 index 00000000000..f91d5f2f595 --- /dev/null +++ b/queue-4.4/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch @@ -0,0 +1,49 @@ +From aea835f2dc8a682942b859179c49ad1841a6c8b9 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Mon, 24 Sep 2018 10:51:44 +0300 +Subject: iio: adc: at91: fix wrong channel number in triggered buffer mode + +From: Eugen Hristev + +commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream. + +When channels are registered, the hardware channel number is not the +actual iio channel number. +This is because the driver is probed with a certain number of accessible +channels. Some pins are routed and some not, depending on the description of +the board in the DT. +Because of that, channels 0,1,2,3 can correspond to hardware channels +2,3,4,5 for example. +In the buffered triggered case, we need to do the translation accordingly. +Fixed the channel number to stop reading the wrong channel. + +Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.") +Cc: Maxime Ripard +Signed-off-by: Eugen Hristev +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_hand + struct iio_poll_func *pf = p; + struct iio_dev *idev = pf->indio_dev; + struct at91_adc_state *st = iio_priv(idev); ++ struct iio_chan_spec const *chan; + int i, j = 0; + + for (i = 0; i < idev->masklength; i++) { + if (!test_bit(i, idev->active_scan_mask)) + continue; +- st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i)); ++ chan = idev->channels + i; ++ st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel)); + j++; + } + diff --git a/queue-4.4/ima-fix-showing-large-violations-or-runtime_measurements_count.patch b/queue-4.4/ima-fix-showing-large-violations-or-runtime_measurements_count.patch new file mode 100644 index 00000000000..b802cba7d9d --- /dev/null +++ b/queue-4.4/ima-fix-showing-large-violations-or-runtime_measurements_count.patch @@ -0,0 +1,41 @@ +From 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 7 Sep 2018 14:33:24 -0700 +Subject: ima: fix showing large 'violations' or 'runtime_measurements_count' + +From: Eric Biggers + +commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream. + +The 12 character temporary buffer is not necessarily long enough to hold +a 'long' value. Increase it. + +Signed-off-by: Eric Biggers +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_fs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/security/integrity/ima/ima_fs.c ++++ b/security/integrity/ima/ima_fs.c +@@ -26,14 +26,14 @@ + #include "ima.h" + + static int valid_policy = 1; +-#define TMPBUFLEN 12 ++ + static ssize_t ima_show_htable_value(char __user *buf, size_t count, + loff_t *ppos, atomic_long_t *val) + { +- char tmpbuf[TMPBUFLEN]; ++ char tmpbuf[32]; /* greater than largest 'long' string value */ + ssize_t len; + +- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val)); ++ len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val)); + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); + } + diff --git a/queue-4.4/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch b/queue-4.4/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch new file mode 100644 index 00000000000..4ea9a3881a2 --- /dev/null +++ b/queue-4.4/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch @@ -0,0 +1,69 @@ +From ccd3c4373eacb044eb3832966299d13d2631f66f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 5 Oct 2018 18:44:40 -0400 +Subject: jbd2: fix use after free in jbd2_log_do_checkpoint() + +From: Jan Kara + +commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream. + +The code cleaning transaction's lists of checkpoint buffers has a bug +where it increases bh refcount only after releasing +journal->j_list_lock. Thus the following race is possible: + +CPU0 CPU1 +jbd2_log_do_checkpoint() + jbd2_journal_try_to_free_buffers() + __journal_try_to_free_buffer(bh) + ... + while (transaction->t_checkpoint_io_list) + ... + if (buffer_locked(bh)) { + +<-- IO completes now, buffer gets unlocked --> + + spin_unlock(&journal->j_list_lock); + spin_lock(&journal->j_list_lock); + __jbd2_journal_remove_checkpoint(jh); + spin_unlock(&journal->j_list_lock); + try_to_free_buffers(page); + get_bh(bh) <-- accesses freed bh + +Fix the problem by grabbing bh reference before unlocking +journal->j_list_lock. + +Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()") +Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()") +Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -254,8 +254,8 @@ restart: + bh = jh2bh(jh); + + if (buffer_locked(bh)) { +- spin_unlock(&journal->j_list_lock); + get_bh(bh); ++ spin_unlock(&journal->j_list_lock); + wait_on_buffer(bh); + /* the journal_head may have gone by now */ + BUFFER_TRACE(bh, "brelse"); +@@ -336,8 +336,8 @@ restart2: + jh = transaction->t_checkpoint_io_list; + bh = jh2bh(jh); + if (buffer_locked(bh)) { +- spin_unlock(&journal->j_list_lock); + get_bh(bh); ++ spin_unlock(&journal->j_list_lock); + wait_on_buffer(bh); + /* the journal_head may have gone by now */ + BUFFER_TRACE(bh, "brelse"); diff --git a/queue-4.4/kbuild-fix-kernel-bounds.c-w-1-warning.patch b/queue-4.4/kbuild-fix-kernel-bounds.c-w-1-warning.patch new file mode 100644 index 00000000000..e14d87f50fb --- /dev/null +++ b/queue-4.4/kbuild-fix-kernel-bounds.c-w-1-warning.patch @@ -0,0 +1,54 @@ +From 6a32c2469c3fbfee8f25bcd20af647326650a6cf Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 30 Oct 2018 15:07:32 -0700 +Subject: kbuild: fix kernel/bounds.c 'W=1' warning + +From: Arnd Bergmann + +commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream. + +Building any configuration with 'make W=1' produces a warning: + +kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes] + +When also passing -Werror, this prevents us from building any other files. +Nobody ever calls the function, but we can't make it 'static' either +since we want the compiler output. + +Calling it 'main' instead however avoids the warning, because gcc +does not insist on having a declaration for main. + +Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann +Reported-by: Kieran Bingham +Reviewed-by: Kieran Bingham +Cc: David Laight +Cc: Masahiro Yamada +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bounds.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/bounds.c ++++ b/kernel/bounds.c +@@ -12,7 +12,7 @@ + #include + #include + +-void foo(void) ++int main(void) + { + /* The enum constants to put into include/generated/bounds.h */ + DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS); +@@ -22,4 +22,6 @@ void foo(void) + #endif + DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t)); + /* End of constants */ ++ ++ return 0; + } diff --git a/queue-4.4/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch b/queue-4.4/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch new file mode 100644 index 00000000000..df8fe057489 --- /dev/null +++ b/queue-4.4/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch @@ -0,0 +1,46 @@ +From b6eae0f61db27748606cc00dafcfd1e2c032f0a5 Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Tue, 25 Sep 2018 13:53:02 -0700 +Subject: libnvdimm: Hold reference on parent while scheduling async init + +From: Alexander Duyck + +commit b6eae0f61db27748606cc00dafcfd1e2c032f0a5 upstream. + +Unlike asynchronous initialization in the core we have not yet associated +the device with the parent, and as such the device doesn't hold a reference +to the parent. + +In order to resolve that we should be holding a reference on the parent +until the asynchronous initialization has completed. + +Cc: +Fixes: 4d88a97aa9e8 ("libnvdimm: ...base ... infrastructure") +Signed-off-by: Alexander Duyck +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/bus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -158,6 +158,8 @@ static void nd_async_device_register(voi + put_device(dev); + } + put_device(dev); ++ if (dev->parent) ++ put_device(dev->parent); + } + + static void nd_async_device_unregister(void *d, async_cookie_t cookie) +@@ -175,6 +177,8 @@ static void nd_async_device_unregister(v + void __nd_device_register(struct device *dev) + { + dev->bus = &nvdimm_bus_type; ++ if (dev->parent) ++ get_device(dev->parent); + get_device(dev); + async_schedule_domain(nd_async_device_register, dev, + &nd_async_domain); diff --git a/queue-4.4/net-ipv4-defensive-cipso-option-parsing.patch b/queue-4.4/net-ipv4-defensive-cipso-option-parsing.patch new file mode 100644 index 00000000000..33bc56bb2f5 --- /dev/null +++ b/queue-4.4/net-ipv4-defensive-cipso-option-parsing.patch @@ -0,0 +1,66 @@ +From 076ed3da0c9b2f88d9157dbe7044a45641ae369e Mon Sep 17 00:00:00 2001 +From: Stefan Nuernberger +Date: Mon, 17 Sep 2018 19:46:53 +0200 +Subject: net/ipv4: defensive cipso option parsing + +From: Stefan Nuernberger + +commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream. + +commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed +a possible infinite loop in the IP option parsing of CIPSO. The fix +assumes that ip_options_compile filtered out all zero length options and +that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist. +While this assumption currently holds true, add explicit checks for zero +length and invalid length options to be safe for the future. Even though +ip_options_compile should have validated the options, the introduction of +new one-byte options can still confuse this code without the additional +checks. + +Signed-off-by: Stefan Nuernberger +Cc: David Woodhouse +Cc: Simon Veith +Cc: stable@vger.kernel.org +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/cipso_ipv4.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1582,7 +1582,7 @@ static int cipso_v4_parsetag_loc(const s + * + * Description: + * Parse the packet's IP header looking for a CIPSO option. Returns a pointer +- * to the start of the CIPSO option on success, NULL if one if not found. ++ * to the start of the CIPSO option on success, NULL if one is not found. + * + */ + unsigned char *cipso_v4_optptr(const struct sk_buff *skb) +@@ -1592,10 +1592,8 @@ unsigned char *cipso_v4_optptr(const str + int optlen; + int taglen; + +- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { ++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) { + switch (optptr[0]) { +- case IPOPT_CIPSO: +- return optptr; + case IPOPT_END: + return NULL; + case IPOPT_NOOP: +@@ -1604,6 +1602,11 @@ unsigned char *cipso_v4_optptr(const str + default: + taglen = optptr[1]; + } ++ if (!taglen || taglen > optlen) ++ return NULL; ++ if (optptr[0] == IPOPT_CIPSO) ++ return optptr; ++ + optlen -= taglen; + optptr += taglen; + } diff --git a/queue-4.4/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch b/queue-4.4/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch new file mode 100644 index 00000000000..4adfe65ad52 --- /dev/null +++ b/queue-4.4/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch @@ -0,0 +1,51 @@ +From d0c9606b31a21028fb5b753c8ad79626292accfd Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 26 Sep 2018 08:14:01 -0700 +Subject: PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk + +From: Bin Meng + +commit d0c9606b31a21028fb5b753c8ad79626292accfd upstream. + +Add Device IDs to the Intel GPU "spurious interrupt" quirk table. + +For these devices, unplugging the VGA cable and plugging it in again causes +spurious interrupts from the IGD. Linux eventually disables the interrupt, +but of course that disables any other devices sharing the interrupt. + +The theory is that this is a VGA BIOS defect: it should have disabled the +IGD interrupt but failed to do so. + +See f67fd55fa96f ("PCI: Add quirk for still enabled interrupts on Intel +Sandy Bridge GPUs") and 7c82126a94e6 ("PCI: Add new ID for Intel GPU +"spurious interrupt" quirk") for some history. + +[bhelgaas: See link below for discussion about how to fix this more +generically instead of adding device IDs for every new Intel GPU. I hope +this is the last patch to add device IDs.] + +Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.com +Signed-off-by: Bin Meng +[bhelgaas: changelog] +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3061,7 +3061,11 @@ static void disable_igfx_irq(struct pci_ + + pci_iounmap(dev, regs); + } ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq); + diff --git a/queue-4.4/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch b/queue-4.4/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch new file mode 100644 index 00000000000..8c53f8d67a4 --- /dev/null +++ b/queue-4.4/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch @@ -0,0 +1,65 @@ +From 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Sun, 30 Sep 2018 00:45:50 +0800 +Subject: printk: Fix panic caused by passing log_buf_len to command line + +From: He Zhe + +commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream. + +log_buf_len_setup does not check input argument before passing it to +simple_strtoull. The argument would be a NULL pointer if "log_buf_len", +without its value, is set in command line and thus causes the following +panic. + +PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0 +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1 +[ 0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70 +... +[ 0.000000] Call Trace: +[ 0.000000] simple_strtoull+0x29/0x70 +[ 0.000000] memparse+0x26/0x90 +[ 0.000000] log_buf_len_setup+0x17/0x22 +[ 0.000000] do_early_param+0x57/0x8e +[ 0.000000] parse_args+0x208/0x320 +[ 0.000000] ? rdinit_setup+0x30/0x30 +[ 0.000000] parse_early_options+0x29/0x2d +[ 0.000000] ? rdinit_setup+0x30/0x30 +[ 0.000000] parse_early_param+0x36/0x4d +[ 0.000000] setup_arch+0x336/0x99e +[ 0.000000] start_kernel+0x6f/0x4ee +[ 0.000000] x86_64_start_reservations+0x24/0x26 +[ 0.000000] x86_64_start_kernel+0x6f/0x72 +[ 0.000000] secondary_startup_64+0xa4/0xb0 + +This patch adds a check to prevent the panic. + +Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com +Cc: stable@vger.kernel.org +Cc: rostedt@goodmis.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: He Zhe +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -881,7 +881,12 @@ static void __init log_buf_len_update(un + /* save requested log_buf_len since it's too early to process it */ + static int __init log_buf_len_setup(char *str) + { +- unsigned size = memparse(str, &str); ++ unsigned int size; ++ ++ if (!str) ++ return -EINVAL; ++ ++ size = memparse(str, &str); + + log_buf_len_update(size); + diff --git a/queue-4.4/series b/queue-4.4/series index 71b2338efa1..d14bdd15914 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -45,3 +45,29 @@ scsi-lpfc-correct-soft-lockup-when-running-mds-diagnostics.patch signal-always-deliver-the-kernel-s-sigkill-and-sigstop-to-a-pid-namespace-init.patch dmaengine-dma-jz4780-return-error-if-not-probed-from-dt.patch alsa-hda-check-the-non-cached-stream-buffers-more-explicitly.patch +xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch +tpm-restore-functionality-to-xen-vtpm-driver.patch +xen-fix-race-in-xen_qlock_wait.patch +xen-make-xen_qlock_wait-nestable.patch +net-ipv4-defensive-cipso-option-parsing.patch +libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch +asoc-sta32x-set-component-pointer-in-private-struct.patch +jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch +gfs2_meta-mount-can-get-null-dev_name.patch +ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch +hid-hiddev-fix-potential-spectre-v1.patch +pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch +signal-genwqe-fix-sending-of-sigkill.patch +crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch +ima-fix-showing-large-violations-or-runtime_measurements_count.patch +hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch +kbuild-fix-kernel-bounds.c-w-1-warning.patch +iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch +iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch +drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch +w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch +smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch +smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch +smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch +printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch +genirq-fix-race-on-spurious-interrupt-detection.patch diff --git a/queue-4.4/signal-genwqe-fix-sending-of-sigkill.patch b/queue-4.4/signal-genwqe-fix-sending-of-sigkill.patch new file mode 100644 index 00000000000..e1485aa4fb3 --- /dev/null +++ b/queue-4.4/signal-genwqe-fix-sending-of-sigkill.patch @@ -0,0 +1,112 @@ +From 0ab93e9c99f8208c0a1a7b7170c827936268c996 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 13 Sep 2018 11:28:01 +0200 +Subject: signal/GenWQE: Fix sending of SIGKILL + +From: Eric W. Biederman + +commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream. + +The genweq_add_file and genwqe_del_file by caching current without +using reference counting embed the assumption that a file descriptor +will never be passed from one process to another. It even embeds the +assumption that the the thread that opened the file will be in +existence when the process terminates. Neither of which are +guaranteed to be true. + +Therefore replace caching the task_struct of the opener with +pid of the openers thread group id. All the knowledge of the +opener is used for is as the target of SIGKILL and a SIGKILL +will kill the entire process group. + +Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary +signal argument, update it's ownly caller, and use kill_pid +instead of force_sig. + +The work force_sig does in changing signal handling state is not +relevant to SIGKILL sent as SEND_SIG_PRIV. The exact same processess +will be killed just with less work, and less confusion. The work done +by force_sig is really only needed for handling syncrhonous +exceptions. + +It will still be possible to cause genwqe_device_remove to wait +8 seconds by passing a file descriptor to another process but +the possible user after free is fixed. + +Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue") +Cc: stable@vger.kernel.org +Cc: Greg Kroah-Hartman +Cc: Frank Haverkamp +Cc: Joerg-Stephan Vogt +Cc: Michael Jung +Cc: Michael Ruettger +Cc: Kleber Sacilotto de Souza +Cc: Sebastian Ott +Cc: Eberhard S. Amann +Cc: Gabriel Krisman Bertazi +Cc: Guilherme G. Piccoli +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/genwqe/card_base.h | 2 +- + drivers/misc/genwqe/card_dev.c | 9 +++++---- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/misc/genwqe/card_base.h ++++ b/drivers/misc/genwqe/card_base.h +@@ -404,7 +404,7 @@ struct genwqe_file { + struct file *filp; + + struct fasync_struct *async_queue; +- struct task_struct *owner; ++ struct pid *opener; + struct list_head list; /* entry in list of open files */ + + spinlock_t map_lock; /* lock for dma_mappings */ +--- a/drivers/misc/genwqe/card_dev.c ++++ b/drivers/misc/genwqe/card_dev.c +@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq + { + unsigned long flags; + +- cfile->owner = current; ++ cfile->opener = get_pid(task_tgid(current)); + spin_lock_irqsave(&cd->file_lock, flags); + list_add(&cfile->list, &cd->file_list); + spin_unlock_irqrestore(&cd->file_lock, flags); +@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe + spin_lock_irqsave(&cd->file_lock, flags); + list_del(&cfile->list); + spin_unlock_irqrestore(&cd->file_lock, flags); ++ put_pid(cfile->opener); + + return 0; + } +@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen + return files; + } + +-static int genwqe_force_sig(struct genwqe_dev *cd, int sig) ++static int genwqe_terminate(struct genwqe_dev *cd) + { + unsigned int files = 0; + unsigned long flags; +@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq + + spin_lock_irqsave(&cd->file_lock, flags); + list_for_each_entry(cfile, &cd->file_list, list) { +- force_sig(sig, cfile->owner); ++ kill_pid(cfile->opener, SIGKILL, 1); + files++; + } + spin_unlock_irqrestore(&cd->file_lock, flags); +@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces + dev_warn(&pci_dev->dev, + "[%s] send SIGKILL and wait ...\n", __func__); + +- rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */ ++ rc = genwqe_terminate(cd); + if (rc) { + /* Give kill_timout more seconds to end processes */ + for (i = 0; (i < genwqe_kill_timeout) && diff --git a/queue-4.4/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch b/queue-4.4/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch new file mode 100644 index 00000000000..ea316df097e --- /dev/null +++ b/queue-4.4/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch @@ -0,0 +1,34 @@ +From 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sat, 15 Sep 2018 23:04:41 -0500 +Subject: smb3: allow stats which track session and share reconnects to be reset + +From: Steve French + +commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream. + +Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats +except the session and share reconnect counts. Fix it to +reset those as well. + +CC: Stable +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifs_debug.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -285,6 +285,9 @@ static ssize_t cifs_stats_proc_write(str + atomic_set(&totBufAllocCount, 0); + atomic_set(&totSmBufAllocCount, 0); + #endif /* CONFIG_CIFS_STATS2 */ ++ atomic_set(&tcpSesReconnectCount, 0); ++ atomic_set(&tconInfoReconnectCount, 0); ++ + spin_lock(&GlobalMid_Lock); + GlobalMaxActiveXid = 0; + GlobalCurrentXid = 0; diff --git a/queue-4.4/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch b/queue-4.4/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch new file mode 100644 index 00000000000..550be0f59da --- /dev/null +++ b/queue-4.4/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch @@ -0,0 +1,45 @@ +From 1e77a8c204c9d1b655c61751b8ad0fde22421dbb Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 19 Oct 2018 00:45:21 -0500 +Subject: smb3: do not attempt cifs operation in smb3 query info error path + +From: Steve French + +commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream. + +If backupuid mount option is sent, we can incorrectly retry +(on access denied on query info) with a cifs (FindFirst) operation +on an smb3 mount which causes the server to force the session close. + +We set backup intent on open so no need for this fallback. + +See kernel bugzilla 201435 + +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -756,7 +756,15 @@ cifs_get_inode_info(struct inode **inode + } else if (rc == -EREMOTE) { + cifs_create_dfs_fattr(&fattr, sb); + rc = 0; +- } else if (rc == -EACCES && backup_cred(cifs_sb)) { ++ } else if ((rc == -EACCES) && backup_cred(cifs_sb) && ++ (strcmp(server->vals->version_string, SMB1_VERSION_STRING) ++ == 0)) { ++ /* ++ * For SMB2 and later the backup intent flag is already ++ * sent if needed on open and there is no path based ++ * FindFirst operation to use to retry with ++ */ ++ + srchinf = kzalloc(sizeof(struct cifs_search_info), + GFP_KERNEL); + if (srchinf == NULL) { diff --git a/queue-4.4/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch b/queue-4.4/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch new file mode 100644 index 00000000000..8786652d94b --- /dev/null +++ b/queue-4.4/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch @@ -0,0 +1,40 @@ +From 926674de6705f0f1dbf29a62fd758d0977f535d6 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sun, 28 Oct 2018 13:13:23 -0500 +Subject: smb3: on kerberos mount if server doesn't specify auth type use krb5 + +From: Steve French + +commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream. + +Some servers (e.g. Azure) do not include a spnego blob in the SMB3 +negotiate protocol response, so on kerberos mounts ("sec=krb5") +we can fail, as we expected the server to list its supported +auth types (OIDs in the spnego blob in the negprot response). +Change this so that on krb5 mounts we default to trying krb5 if the +server doesn't list its supported protocol mechanisms. + +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifs_spnego.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifs_spnego.c ++++ b/fs/cifs/cifs_spnego.c +@@ -143,8 +143,10 @@ cifs_get_spnego_key(struct cifs_ses *ses + sprintf(dp, ";sec=krb5"); + else if (server->sec_mskerberos) + sprintf(dp, ";sec=mskrb5"); +- else +- goto out; ++ else { ++ cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n"); ++ sprintf(dp, ";sec=krb5"); ++ } + + dp = description + strlen(description); + sprintf(dp, ";uid=0x%x", diff --git a/queue-4.4/tpm-restore-functionality-to-xen-vtpm-driver.patch b/queue-4.4/tpm-restore-functionality-to-xen-vtpm-driver.patch new file mode 100644 index 00000000000..5293b1f0af3 --- /dev/null +++ b/queue-4.4/tpm-restore-functionality-to-xen-vtpm-driver.patch @@ -0,0 +1,59 @@ +From e487a0f52301293152a6f8c4e217f2a11dd808e3 Mon Sep 17 00:00:00 2001 +From: "Dr. Greg Wettstein" +Date: Mon, 17 Sep 2018 18:53:33 -0400 +Subject: tpm: Restore functionality to xen vtpm driver. + +From: Dr. Greg Wettstein + +commit e487a0f52301293152a6f8c4e217f2a11dd808e3 upstream. + +Functionality of the xen-tpmfront driver was lost secondary to +the introduction of xenbus multi-page support in commit ccc9d90a9a8b +("xenbus_client: Extend interface to support multi-page ring"). + +In this commit pointer to location of where the shared page address +is stored was being passed to the xenbus_grant_ring() function rather +then the address of the shared page itself. This resulted in a situation +where the driver would attach to the vtpm-stubdom but any attempt +to send a command to the stub domain would timeout. + +A diagnostic finding for this regression is the following error +message being generated when the xen-tpmfront driver probes for a +device: + +<3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62 + +<3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine +the timeouts + +This fix is relevant to all kernels from 4.1 forward which is the +release in which multi-page xenbus support was introduced. + +Daniel De Graaf formulated the fix by code inspection after the +regression point was located. + +Fixes: ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring") +Signed-off-by: Dr. Greg Wettstein +Signed-off-by: Greg Kroah-Hartman + +[boris: Updated commit message, added Fixes tag] +Signed-off-by: Boris Ostrovsky +Cc: stable@vger.kernel.org # v4.1+ +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen + +--- + drivers/char/tpm/xen-tpmfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/xen-tpmfront.c ++++ b/drivers/char/tpm/xen-tpmfront.c +@@ -201,7 +201,7 @@ static int setup_ring(struct xenbus_devi + return -ENOMEM; + } + +- rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref); ++ rv = xenbus_grant_ring(dev, priv->shr, 1, &gref); + if (rv < 0) + return rv; + diff --git a/queue-4.4/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch b/queue-4.4/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch new file mode 100644 index 00000000000..0c09f5a13d7 --- /dev/null +++ b/queue-4.4/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch @@ -0,0 +1,65 @@ +From a007734618fee1bf35556c04fa498d41d42c7301 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Sat, 22 Sep 2018 21:20:54 +0200 +Subject: w1: omap-hdq: fix missing bus unregister at removal + +From: Andreas Kemnade + +commit a007734618fee1bf35556c04fa498d41d42c7301 upstream. + +The bus master was not removed after unloading the module +or unbinding the driver. That lead to oopses like this + +[ 127.842987] Unable to handle kernel paging request at virtual address bf01d04c +[ 127.850646] pgd = 70e3cd9a +[ 127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000 +[ 127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM +[ 127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq] +[ 127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12 +[ 127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree) +[ 127.890441] PC is at 0xbf01d04c +[ 127.893798] LR is at w1_search_process_cb+0x4c/0xfc +[ 127.898956] pc : [] lr : [] psr: a0070013 +[ 127.905609] sp : cf885f48 ip : bf01d04c fp : ddf1e11c +[ 127.911132] r10: cf8fe040 r9 : c05f8d00 r8 : cf8fe040 +[ 127.916656] r7 : 000000f0 r6 : cf8fe02c r5 : cf8fe000 r4 : cf8fe01c +[ 127.923553] r3 : c05f8d00 r2 : 000000f0 r1 : cf8fe000 r0 : dde1ef10 +[ 127.930450] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 127.938018] Control: 10c5387d Table: 8f8f0019 DAC: 00000051 +[ 127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f) +[ 127.951171] Stack: (0xcf885f48 to 0xcf886000) +[ 127.955810] 5f40: cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00 +[ 127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000 +[ 127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000 +[ 127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 +[ 127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[ 128.007781] [] (w1_search_process_cb) from [] (w1_process+0x6c/0x118) +[ 128.016479] [] (w1_process) from [] (kthread+0x130/0x148) +[ 128.024047] [] (kthread) from [] (ret_from_fork+0x14/0x2c) +[ 128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8) +[ 128.037017] 5fa0: 00000000 00000000 00000000 00000000 +[ 128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 128.061340] Code: bad PC value +[ 128.064697] ---[ end trace af066e33c0e14119 ]--- + +Cc: +Signed-off-by: Andreas Kemnade +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/masters/omap_hdq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/w1/masters/omap_hdq.c ++++ b/drivers/w1/masters/omap_hdq.c +@@ -785,6 +785,8 @@ static int omap_hdq_remove(struct platfo + /* remove module dependency */ + pm_runtime_disable(&pdev->dev); + ++ w1_remove_master_device(&omap_w1_master); ++ + return 0; + } + diff --git a/queue-4.4/xen-fix-race-in-xen_qlock_wait.patch b/queue-4.4/xen-fix-race-in-xen_qlock_wait.patch new file mode 100644 index 00000000000..01d1da4d70e --- /dev/null +++ b/queue-4.4/xen-fix-race-in-xen_qlock_wait.patch @@ -0,0 +1,71 @@ +From 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Mon, 1 Oct 2018 07:57:42 +0200 +Subject: xen: fix race in xen_qlock_wait() + +From: Juergen Gross + +commit 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 upstream. + +In the following situation a vcpu waiting for a lock might not be +woken up from xen_poll_irq(): + +CPU 1: CPU 2: CPU 3: +takes a spinlock + tries to get lock + -> xen_qlock_wait() +frees the lock +-> xen_qlock_kick(cpu2) + -> xen_clear_irq_pending() + +takes lock again + tries to get lock + -> *lock = _Q_SLOW_VAL + -> *lock == _Q_SLOW_VAL ? + -> xen_poll_irq() +frees the lock +-> xen_qlock_kick(cpu3) + +And cpu 2 will sleep forever. + +This can be avoided easily by modifying xen_qlock_wait() to call +xen_poll_irq() only if the related irq was not pending and to call +xen_clear_irq_pending() only if it was pending. + +Cc: stable@vger.kernel.org +Cc: Waiman.Long@hp.com +Cc: peterz@infradead.org +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/spinlock.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/arch/x86/xen/spinlock.c ++++ b/arch/x86/xen/spinlock.c +@@ -47,17 +47,12 @@ static void xen_qlock_wait(u8 *byte, u8 + if (irq == -1) + return; + +- /* clear pending */ +- xen_clear_irq_pending(irq); +- barrier(); ++ /* If irq pending already clear it and return. */ ++ if (xen_test_irq_pending(irq)) { ++ xen_clear_irq_pending(irq); ++ return; ++ } + +- /* +- * We check the byte value after clearing pending IRQ to make sure +- * that we won't miss a wakeup event because of the clearing. +- * +- * The sync_clear_bit() call in xen_clear_irq_pending() is atomic. +- * So it is effectively a memory barrier for x86. +- */ + if (READ_ONCE(*byte) != val) + return; + diff --git a/queue-4.4/xen-make-xen_qlock_wait-nestable.patch b/queue-4.4/xen-make-xen_qlock_wait-nestable.patch new file mode 100644 index 00000000000..dffd62feffa --- /dev/null +++ b/queue-4.4/xen-make-xen_qlock_wait-nestable.patch @@ -0,0 +1,93 @@ +From a856531951dc8094359dfdac21d59cee5969c18e Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Mon, 1 Oct 2018 07:57:42 +0200 +Subject: xen: make xen_qlock_wait() nestable + +From: Juergen Gross + +commit a856531951dc8094359dfdac21d59cee5969c18e upstream. + +xen_qlock_wait() isn't safe for nested calls due to interrupts. A call +of xen_qlock_kick() might be ignored in case a deeper nesting level +was active right before the call of xen_poll_irq(): + +CPU 1: CPU 2: +spin_lock(lock1) + spin_lock(lock1) + -> xen_qlock_wait() + -> xen_clear_irq_pending() + Interrupt happens +spin_unlock(lock1) +-> xen_qlock_kick(CPU 2) +spin_lock_irqsave(lock2) + spin_lock_irqsave(lock2) + -> xen_qlock_wait() + -> xen_clear_irq_pending() + clears kick for lock1 + -> xen_poll_irq() +spin_unlock_irq_restore(lock2) +-> xen_qlock_kick(CPU 2) + wakes up + spin_unlock_irq_restore(lock2) + IRET + resumes in xen_qlock_wait() + -> xen_poll_irq() + never wakes up + +The solution is to disable interrupts in xen_qlock_wait() and not to +poll for the irq in case xen_qlock_wait() is called in nmi context. + +Cc: stable@vger.kernel.org +Cc: Waiman.Long@hp.com +Cc: peterz@infradead.org +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/spinlock.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +--- a/arch/x86/xen/spinlock.c ++++ b/arch/x86/xen/spinlock.c +@@ -41,29 +41,25 @@ static void xen_qlock_kick(int cpu) + */ + static void xen_qlock_wait(u8 *byte, u8 val) + { ++ unsigned long flags; + int irq = __this_cpu_read(lock_kicker_irq); + + /* If kicker interrupts not initialized yet, just spin */ +- if (irq == -1) ++ if (irq == -1 || in_nmi()) + return; + +- /* If irq pending already clear it and return. */ ++ /* Guard against reentry. */ ++ local_irq_save(flags); ++ ++ /* If irq pending already clear it. */ + if (xen_test_irq_pending(irq)) { + xen_clear_irq_pending(irq); +- return; ++ } else if (READ_ONCE(*byte) == val) { ++ /* Block until irq becomes pending (or a spurious wakeup) */ ++ xen_poll_irq(irq); + } + +- if (READ_ONCE(*byte) != val) +- return; +- +- /* +- * If an interrupt happens here, it will leave the wakeup irq +- * pending, which will cause xen_poll_irq() to return +- * immediately. +- */ +- +- /* Block until irq becomes pending (or perhaps a spurious wakeup) */ +- xen_poll_irq(irq); ++ local_irq_restore(flags); + } + + #else /* CONFIG_QUEUED_SPINLOCKS */ diff --git a/queue-4.4/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch b/queue-4.4/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch new file mode 100644 index 00000000000..544a786e453 --- /dev/null +++ b/queue-4.4/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch @@ -0,0 +1,56 @@ +From 7250f422da0480d8512b756640f131b9b893ccda Mon Sep 17 00:00:00 2001 +From: Joe Jin +Date: Tue, 16 Oct 2018 15:21:16 -0700 +Subject: xen-swiotlb: use actually allocated size on check physical continuous + +From: Joe Jin + +commit 7250f422da0480d8512b756640f131b9b893ccda upstream. + +xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the +order of the pages and not size argument (bytes). This is inconsistent with +range_straddles_page_boundary and memset which use the 'size' value, +which may lead to not exchanging memory with Xen (range_straddles_page_boundary() +returned true). And then the call to xen_swiotlb_free_coherent() would +actually try to exchange the memory with Xen, leading to the kernel +hitting an BUG (as the hypercall returned an error). + +This patch fixes it by making the 'size' variable be of the same size +as the amount of memory allocated. + +CC: stable@vger.kernel.org +Signed-off-by: Joe Jin +Cc: Konrad Rzeszutek Wilk +Cc: Boris Ostrovsky +Cc: Christoph Helwig +Cc: Dongli Zhang +Cc: John Sobecki +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/swiotlb-xen.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -310,6 +310,9 @@ xen_swiotlb_alloc_coherent(struct device + */ + flags &= ~(__GFP_DMA | __GFP_HIGHMEM); + ++ /* Convert the size to actually allocated. */ ++ size = 1UL << (order + XEN_PAGE_SHIFT); ++ + /* On ARM this function returns an ioremap'ped virtual address for + * which virt_to_phys doesn't return the corresponding physical + * address. In fact on ARM virt_to_phys only works for kernel direct +@@ -359,6 +362,9 @@ xen_swiotlb_free_coherent(struct device + * physical address */ + phys = xen_bus_to_phys(dev_addr); + ++ /* Convert the size to actually allocated. */ ++ size = 1UL << (order + XEN_PAGE_SHIFT); ++ + if (((dev_addr + size - 1 <= dma_mask)) || + range_straddles_page_boundary(phys, size)) + xen_destroy_contiguous_region(phys, order);