From: Sasha Levin Date: Sun, 5 May 2019 20:04:00 +0000 (-0400) Subject: fixes for 3.18 X-Git-Tag: v4.9.174~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92a94851d1720e5b899191403d49d411b35a6370;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 3.18 Signed-off-by: Sasha Levin --- diff --git a/queue-3.18/arm-iop-don-t-use-using-64-bit-dma-masks.patch b/queue-3.18/arm-iop-don-t-use-using-64-bit-dma-masks.patch new file mode 100644 index 00000000000..3649edf3529 --- /dev/null +++ b/queue-3.18/arm-iop-don-t-use-using-64-bit-dma-masks.patch @@ -0,0 +1,152 @@ +From 74ccb582ca876d86c62acbda3d549a90a113daf4 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Mar 2019 16:50:43 +0100 +Subject: ARM: iop: don't use using 64-bit DMA masks + +[ Upstream commit 2125801ccce19249708ca3245d48998e70569ab8 ] + +clang warns about statically defined DMA masks from the DMA_BIT_MASK +macro with length 64: + + arch/arm/mach-iop13xx/setup.c:303:35: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); + ^~~~~~~~~~~~~~~~ + include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK' + #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) + ^ ~~~ + +The ones in iop shouldn't really be 64 bit masks, so changing them +to what the driver can support avoids the warning. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-iop13xx/setup.c | 8 ++++---- + arch/arm/mach-iop13xx/tpmi.c | 10 +++++----- + arch/arm/plat-iop/adma.c | 6 +++--- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c +index 53c316f7301e..fe4932fda01d 100644 +--- a/arch/arm/mach-iop13xx/setup.c ++++ b/arch/arm/mach-iop13xx/setup.c +@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = { + } + }; + +-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); ++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32); + static struct iop_adma_platform_data iop13xx_adma_0_data = { + .hw_id = 0, + .pool_size = PAGE_SIZE, +@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = { + .resource = iop13xx_adma_0_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_0_data, + }, + }; +@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = { + .resource = iop13xx_adma_1_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_1_data, + }, + }; +@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = { + .resource = iop13xx_adma_2_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_2_data, + }, + }; +diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c +index db511ec2b1df..116feb6b261e 100644 +--- a/arch/arm/mach-iop13xx/tpmi.c ++++ b/arch/arm/mach-iop13xx/tpmi.c +@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = { + } + }; + +-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64); ++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32); + static struct platform_device iop13xx_tpmi_0_device = { + .name = "iop-tpmi", + .id = 0, +@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = { + .resource = iop13xx_tpmi_0_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = { + .resource = iop13xx_tpmi_1_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = { + .resource = iop13xx_tpmi_2_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = { + .resource = iop13xx_tpmi_3_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c +index a4d1f8de3b5b..d9612221e484 100644 +--- a/arch/arm/plat-iop/adma.c ++++ b/arch/arm/plat-iop/adma.c +@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = { + .resource = iop3xx_dma_0_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_0_data, + }, + }; +@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = { + .resource = iop3xx_dma_1_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_1_data, + }, + }; +@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = { + .resource = iop3xx_aau_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_aau_data, + }, + }; +-- +2.20.1 + diff --git a/queue-3.18/arm-orion-don-t-use-using-64-bit-dma-masks.patch b/queue-3.18/arm-orion-don-t-use-using-64-bit-dma-masks.patch new file mode 100644 index 00000000000..c852070a008 --- /dev/null +++ b/queue-3.18/arm-orion-don-t-use-using-64-bit-dma-masks.patch @@ -0,0 +1,51 @@ +From ea0651a4715f5fbdeafdf3bbd27168a6c67bd1ef Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Mar 2019 16:50:42 +0100 +Subject: ARM: orion: don't use using 64-bit DMA masks + +[ Upstream commit cd92d74d67c811dc22544430b9ac3029f5bd64c5 ] + +clang warns about statically defined DMA masks from the DMA_BIT_MASK +macro with length 64: + +arch/arm/plat-orion/common.c:625:29: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + .coherent_dma_mask = DMA_BIT_MASK(64), + ^~~~~~~~~~~~~~~~ +include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK' + #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) + +The ones in orion shouldn't really be 64 bit masks, so changing them +to what the driver can support avoids the warning. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/plat-orion/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c +index b8b6e22f9987..c774011131e2 100644 +--- a/arch/arm/plat-orion/common.c ++++ b/arch/arm/plat-orion/common.c +@@ -649,7 +649,7 @@ static struct platform_device orion_xor0_shared = { + .resource = orion_xor0_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor0_pdata, + }, + }; +@@ -710,7 +710,7 @@ static struct platform_device orion_xor1_shared = { + .resource = orion_xor1_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor1_pdata, + }, + }; +-- +2.20.1 + diff --git a/queue-3.18/bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch b/queue-3.18/bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch new file mode 100644 index 00000000000..73e74a23cb5 --- /dev/null +++ b/queue-3.18/bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch @@ -0,0 +1,43 @@ +From ea69dad3d928d20b692447dd39333920ec30cd0b Mon Sep 17 00:00:00 2001 +From: Konstantin Khorenko +Date: Thu, 28 Mar 2019 13:29:21 +0300 +Subject: bonding: show full hw address in sysfs for slave entries + +[ Upstream commit 18bebc6dd3281955240062655a4df35eef2c46b3 ] + +Bond expects ethernet hwaddr for its slave, but it can be longer than 6 +bytes - infiniband interface for example. + + # cat /sys/devices//net/ib0/address + 80:00:02:08:fe:80:00:00:00:00:00:00:7c:fe:90:03:00:be:5d:e1 + + # cat /sys/devices//net/ib0/bonding_slave/perm_hwaddr + 80:00:02:08:fe:80 + +So print full hwaddr in sysfs "bonding_slave/perm_hwaddr" as well. + +Signed-off-by: Konstantin Khorenko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_sysfs_slave.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index b01b0ce4d1be..cf9e9a3d4a48 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -55,7 +55,9 @@ static SLAVE_ATTR_RO(link_failure_count); + + static ssize_t perm_hwaddr_show(struct slave *slave, char *buf) + { +- return sprintf(buf, "%pM\n", slave->perm_hwaddr); ++ return sprintf(buf, "%*phC\n", ++ slave->dev->addr_len, ++ slave->perm_hwaddr); + } + static SLAVE_ATTR_RO(perm_hwaddr); + +-- +2.20.1 + diff --git a/queue-3.18/hid-debug-fix-race-condition-with-between-rdesc_show.patch b/queue-3.18/hid-debug-fix-race-condition-with-between-rdesc_show.patch new file mode 100644 index 00000000000..67949f5998e --- /dev/null +++ b/queue-3.18/hid-debug-fix-race-condition-with-between-rdesc_show.patch @@ -0,0 +1,61 @@ +From c636b0a42588e3f6578528dda6d93ab97d0c482f Mon Sep 17 00:00:00 2001 +From: "He, Bo" +Date: Thu, 14 Mar 2019 02:28:21 +0000 +Subject: HID: debug: fix race condition with between rdesc_show() and device + removal + +[ Upstream commit cef0d4948cb0a02db37ebfdc320e127c77ab1637 ] + +There is a race condition that could happen if hid_debug_rdesc_show() +is running while hdev is in the process of going away (device removal, +system suspend, etc) which could result in NULL pointer dereference: + + BUG: unable to handle kernel paging request at 0000000783316040 + CPU: 1 PID: 1512 Comm: getevent Tainted: G U O 4.19.20-quilt-2e5dc0ac-00029-gc455a447dd55 #1 + RIP: 0010:hid_dump_device+0x9b/0x160 + Call Trace: + hid_debug_rdesc_show+0x72/0x1d0 + seq_read+0xe0/0x410 + full_proxy_read+0x5f/0x90 + __vfs_read+0x3a/0x170 + vfs_read+0xa0/0x150 + ksys_read+0x58/0xc0 + __x64_sys_read+0x1a/0x20 + do_syscall_64+0x55/0x110 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Grab driver_input_lock to make sure the input device exists throughout the +whole process of dumping the rdesc. + +[jkosina@suse.cz: update changelog a bit] +Signed-off-by: he, bo +Signed-off-by: "Zhang, Jun" +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-debug.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index e930627d0c76..71b069bd2a24 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1057,10 +1057,15 @@ static int hid_debug_rdesc_show(struct seq_file *f, void *p) + seq_printf(f, "\n\n"); + + /* dump parsed data and input mappings */ ++ if (down_interruptible(&hdev->driver_input_lock)) ++ return 0; ++ + hid_dump_device(hdev, f); + seq_printf(f, "\n"); + hid_dump_input_mapping(hdev, f); + ++ up(&hdev->driver_input_lock); ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-3.18/hugetlbfs-fix-memory-leak-for-resv_map.patch b/queue-3.18/hugetlbfs-fix-memory-leak-for-resv_map.patch new file mode 100644 index 00000000000..0d3db66d947 --- /dev/null +++ b/queue-3.18/hugetlbfs-fix-memory-leak-for-resv_map.patch @@ -0,0 +1,78 @@ +From a1cad585bef8428f75327f6168ea2b3c26c83fce Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 5 Apr 2019 18:39:06 -0700 +Subject: hugetlbfs: fix memory leak for resv_map + +[ Upstream commit 58b6e5e8f1addd44583d61b0a03c0f5519527e35 ] + +When mknod is used to create a block special file in hugetlbfs, it will +allocate an inode and kmalloc a 'struct resv_map' via resv_map_alloc(). +inode->i_mapping->private_data will point the newly allocated resv_map. +However, when the device special file is opened bd_acquire() will set +inode->i_mapping to bd_inode->i_mapping. Thus the pointer to the +allocated resv_map is lost and the structure is leaked. + +Programs to reproduce: + mount -t hugetlbfs nodev hugetlbfs + mknod hugetlbfs/dev b 0 0 + exec 30<> hugetlbfs/dev + umount hugetlbfs/ + +resv_map structures are only needed for inodes which can have associated +page allocations. To fix the leak, only allocate resv_map for those +inodes which could possibly be associated with page allocations. + +Link: http://lkml.kernel.org/r/20190401213101.16476-1-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Reviewed-by: Andrew Morton +Reported-by: Yufen Yu +Suggested-by: Yufen Yu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hugetlbfs/inode.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index ec1ed7e4b8f3..c3a03f5a1b49 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -484,11 +484,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + umode_t mode, dev_t dev) + { + struct inode *inode; +- struct resv_map *resv_map; ++ struct resv_map *resv_map = NULL; + +- resv_map = resv_map_alloc(); +- if (!resv_map) +- return NULL; ++ /* ++ * Reserve maps are only needed for inodes that can have associated ++ * page allocations. ++ */ ++ if (S_ISREG(mode) || S_ISLNK(mode)) { ++ resv_map = resv_map_alloc(); ++ if (!resv_map) ++ return NULL; ++ } + + inode = new_inode(sb); + if (inode) { +@@ -530,8 +536,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + break; + } + lockdep_annotate_inode_mutex_key(inode); +- } else +- kref_put(&resv_map->refs, resv_map_release); ++ } else { ++ if (resv_map) ++ kref_put(&resv_map->refs, resv_map_release); ++ } + + return inode; + } +-- +2.20.1 + diff --git a/queue-3.18/igb-fix-warn_once-on-runtime-suspend.patch b/queue-3.18/igb-fix-warn_once-on-runtime-suspend.patch new file mode 100644 index 00000000000..2c4d50eeb6b --- /dev/null +++ b/queue-3.18/igb-fix-warn_once-on-runtime-suspend.patch @@ -0,0 +1,155 @@ +From 66909c11050376a4a4285c41088f969b01d3554c Mon Sep 17 00:00:00 2001 +From: Arvind Sankar +Date: Sat, 2 Mar 2019 11:01:17 -0500 +Subject: igb: Fix WARN_ONCE on runtime suspend + +[ Upstream commit dabb8338be533c18f50255cf39ff4f66d4dabdbe ] + +The runtime_suspend device callbacks are not supposed to save +configuration state or change the power state. Commit fb29f76cc566 +("igb: Fix an issue that PME is not enabled during runtime suspend") +changed the driver to not save configuration state during runtime +suspend, however the driver callback still put the device into a +low-power state. This causes a warning in the pci pm core and results in +pci_pm_runtime_suspend not calling pci_save_state or pci_finish_runtime_suspend. + +Fix this by not changing the power state either, leaving that to pci pm +core, and make the same change for suspend callback as well. + +Also move a couple of defines into the appropriate header file instead +of inline in the .c file. + +Fixes: fb29f76cc566 ("igb: Fix an issue that PME is not enabled during runtime suspend") +Signed-off-by: Arvind Sankar +Reviewed-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/igb/e1000_defines.h | 2 + + drivers/net/ethernet/intel/igb/igb_main.c | 57 +++---------------- + 2 files changed, 10 insertions(+), 49 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h +index 217f8138851b..bd92291e531d 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_defines.h ++++ b/drivers/net/ethernet/intel/igb/e1000_defines.h +@@ -193,6 +193,8 @@ + /* enable link status from external LINK_0 and LINK_1 pins */ + #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */ + #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */ ++#define E1000_CTRL_ADVD3WUC 0x00100000 /* D3 WUC */ ++#define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 /* PHY PM enable */ + #define E1000_CTRL_SDP0_DIR 0x00400000 /* SDP0 Data direction */ + #define E1000_CTRL_SDP1_DIR 0x00800000 /* SDP1 Data direction */ + #define E1000_CTRL_RST 0x04000000 /* Global reset */ +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 390d96ae4147..9bd84498cbe7 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7337,9 +7337,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + struct e1000_hw *hw = &adapter->hw; + u32 ctrl, rctl, status; + u32 wufc = runtime ? E1000_WUFC_LNKC : adapter->wol; +-#ifdef CONFIG_PM +- int retval = 0; +-#endif ++ bool wake; + + rtnl_lock(); + netif_device_detach(netdev); +@@ -7350,14 +7348,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + igb_clear_interrupt_scheme(adapter); + rtnl_unlock(); + +-#ifdef CONFIG_PM +- if (!runtime) { +- retval = pci_save_state(pdev); +- if (retval) +- return retval; +- } +-#endif +- + status = rd32(E1000_STATUS); + if (status & E1000_STATUS_LU) + wufc &= ~E1000_WUFC_LNKC; +@@ -7374,10 +7364,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + } + + ctrl = rd32(E1000_CTRL); +- /* advertise wake from D3Cold */ +- #define E1000_CTRL_ADVD3WUC 0x00100000 +- /* phy power management enable */ +- #define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 + ctrl |= E1000_CTRL_ADVD3WUC; + wr32(E1000_CTRL, ctrl); + +@@ -7391,12 +7377,15 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + wr32(E1000_WUFC, 0); + } + +- *enable_wake = wufc || adapter->en_mng_pt; +- if (!*enable_wake) ++ wake = wufc || adapter->en_mng_pt; ++ if (!wake) + igb_power_down_link(adapter); + else + igb_power_up_link(adapter); + ++ if (enable_wake) ++ *enable_wake = wake; ++ + /* Release control of h/w to f/w. If f/w is AMT enabled, this + * would have already happened in close and is redundant. + */ +@@ -7411,22 +7400,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + #ifdef CONFIG_PM_SLEEP + static int igb_suspend(struct device *dev) + { +- int retval; +- bool wake; +- struct pci_dev *pdev = to_pci_dev(dev); +- +- retval = __igb_shutdown(pdev, &wake, 0); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + #endif /* CONFIG_PM_SLEEP */ + +@@ -7495,22 +7469,7 @@ static int igb_runtime_idle(struct device *dev) + + static int igb_runtime_suspend(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- int retval; +- bool wake; +- +- retval = __igb_shutdown(pdev, &wake, 1); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 1); + } + + static int igb_runtime_resume(struct device *dev) +-- +2.20.1 + diff --git a/queue-3.18/jffs2-fix-use-after-free-on-symlink-traversal.patch b/queue-3.18/jffs2-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..ac8c96c0896 --- /dev/null +++ b/queue-3.18/jffs2-fix-use-after-free-on-symlink-traversal.patch @@ -0,0 +1,53 @@ +From 9f2080effd03f16bb9d4811d92ced404604ee5c6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2019 01:39:50 +0000 +Subject: jffs2: fix use-after-free on symlink traversal + +[ Upstream commit 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca ] + +free the symlink body after the same RCU delay we have for freeing the +struct inode itself, so that traversal during RCU pathwalk wouldn't step +into freed memory. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/jffs2/readinode.c | 5 ----- + fs/jffs2/super.c | 5 ++++- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c +index 386303dca382..4f390be71723 100644 +--- a/fs/jffs2/readinode.c ++++ b/fs/jffs2/readinode.c +@@ -1429,11 +1429,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) + + jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); + +- if (f->target) { +- kfree(f->target); +- f->target = NULL; +- } +- + fds = f->dents; + while(fds) { + fd = fds; +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 0bbc31d10857..d1be5991bb66 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) + static void jffs2_i_callback(struct rcu_head *head) + { + struct inode *inode = container_of(head, struct inode, i_rcu); +- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode)); ++ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ ++ kfree(f->target); ++ kmem_cache_free(jffs2_inode_cachep, f); + } + + static void jffs2_destroy_inode(struct inode *inode) +-- +2.20.1 + diff --git a/queue-3.18/rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch b/queue-3.18/rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch new file mode 100644 index 00000000000..4f65d476d6f --- /dev/null +++ b/queue-3.18/rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch @@ -0,0 +1,46 @@ +From 8ff3cc4e201c3d9f6e866c54f41a607585a4ff11 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 20 Mar 2019 11:32:14 +0100 +Subject: rtc: sh: Fix invalid alarm warning for non-enabled alarm + +[ Upstream commit 15d82d22498784966df8e4696174a16b02cc1052 ] + +When no alarm has been programmed on RSK-RZA1, an error message is +printed during boot: + + rtc rtc0: invalid alarm value: 2019-03-14T255:255:255 + +sh_rtc_read_alarm_value() returns 0xff when querying a hardware alarm +field that is not enabled. __rtc_read_alarm() validates the received +alarm values, and fills in missing fields when needed. +While 0xff is handled fine for the year, month, and day fields, and +corrected as considered being out-of-range, this is not the case for the +hour, minute, and second fields, where -1 is expected for missing +fields. + +Fix this by returning -1 instead, as this value is handled fine for all +fields. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-sh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index d0d2b047658b..dcd5dcae7b3c 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -455,7 +455,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm) + static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off) + { + unsigned int byte; +- int value = 0xff; /* return 0xff for ignored values */ ++ int value = -1; /* return -1 for ignored values */ + + byte = readb(rtc->regbase + reg_off); + if (byte & AR_ENB) { +-- +2.20.1 + diff --git a/queue-3.18/scsi-storvsc-fix-calculation-of-sub-channel-count.patch b/queue-3.18/scsi-storvsc-fix-calculation-of-sub-channel-count.patch new file mode 100644 index 00000000000..eb9de108c0c --- /dev/null +++ b/queue-3.18/scsi-storvsc-fix-calculation-of-sub-channel-count.patch @@ -0,0 +1,58 @@ +From b3c0ffb00a59fc4e6ecd6137e7821d24be883bca Mon Sep 17 00:00:00 2001 +From: Michael Kelley +Date: Mon, 1 Apr 2019 16:10:52 +0000 +Subject: scsi: storvsc: Fix calculation of sub-channel count + +[ Upstream commit 382e06d11e075a40b4094b6ef809f8d4bcc7ab2a ] + +When the number of sub-channels offered by Hyper-V is >= the number of CPUs +in the VM, calculate the correct number of sub-channels. The current code +produces one too many. + +This scenario arises only when the number of CPUs is artificially +restricted (for example, with maxcpus= on the kernel boot line), because +Hyper-V normally offers a sub-channel count < number of CPUs. While the +current code doesn't break, the extra sub-channel is unbalanced across the +CPUs (for example, a total of 5 channels on a VM with 4 CPUs). + +Signed-off-by: Michael Kelley +Reviewed-by: Vitaly Kuznetsov +Reviewed-by: Long Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/storvsc_drv.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 96c6e75bbfe6..bc29b571e3fb 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -788,13 +788,22 @@ static void handle_sc_creation(struct vmbus_channel *new_sc) + static void handle_multichannel_storage(struct hv_device *device, int max_chns) + { + struct storvsc_device *stor_device; +- int num_cpus = num_online_cpus(); + int num_sc; + struct storvsc_cmd_request *request; + struct vstor_packet *vstor_packet; + int ret, t; + +- num_sc = ((max_chns > num_cpus) ? num_cpus : max_chns); ++ /* ++ * If the number of CPUs is artificially restricted, such as ++ * with maxcpus=1 on the kernel boot line, Hyper-V could offer ++ * sub-channels >= the number of CPUs. These sub-channels ++ * should not be created. The primary channel is already created ++ * and assigned to one CPU, so check against # CPUs - 1. ++ */ ++ num_sc = min((int)(num_online_cpus() - 1), max_chns); ++ if (!num_sc) ++ return; ++ + stor_device = get_out_stor_device(device); + if (!stor_device) + return; +-- +2.20.1 + diff --git a/queue-3.18/series b/queue-3.18/series index 393693f795b..4b43bea251e 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -34,3 +34,14 @@ usb-w1-ds2490-fix-bug-caused-by-improper-use-of-altsetting-array.patch usb-core-fix-unterminated-string-returned-by-usb_string.patch usb-disable-tlg2300.patch usb-core-fix-bug-caused-by-duplicate-interface-pm-usage-counter.patch +hid-debug-fix-race-condition-with-between-rdesc_show.patch +rtc-sh-fix-invalid-alarm-warning-for-non-enabled-ala.patch +igb-fix-warn_once-on-runtime-suspend.patch +bonding-show-full-hw-address-in-sysfs-for-slave-entr.patch +jffs2-fix-use-after-free-on-symlink-traversal.patch +scsi-storvsc-fix-calculation-of-sub-channel-count.patch +hugetlbfs-fix-memory-leak-for-resv_map.patch +xsysace-fix-error-handling-in-ace_setup.patch +arm-orion-don-t-use-using-64-bit-dma-masks.patch +arm-iop-don-t-use-using-64-bit-dma-masks.patch +usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch diff --git a/queue-3.18/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch b/queue-3.18/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch new file mode 100644 index 00000000000..ef4feec394f --- /dev/null +++ b/queue-3.18/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch @@ -0,0 +1,93 @@ +From 1967c981d55926886130939a63bfa0f774fa2baf Mon Sep 17 00:00:00 2001 +From: Malte Leip +Date: Sun, 5 May 2019 20:01:30 +0200 +Subject: usb: usbip: fix isoc packet num validation in get_pipe + +commit c409ca3be3c6ff3a1eeb303b191184e80d412862 upstream. + +Backport of the upstream commit, which fixed c6688ef9f297. +c6688ef9f297 got backported as commit eebf31529012, as the unavailable +function usb_endpoint_maxp_mult had to be replaced. The upstream commit +removed the call to this function, so the backport is straightforward. + +Original commit message: + +Change the validation of number_of_packets in get_pipe to compare the +number of packets to a fixed maximum number of packets allowed, set to +be 1024. This number was chosen due to it being used by other drivers as +well, for example drivers/usb/host/uhci-q.c + +Background/reason: +The get_pipe function in stub_rx.c validates the number of packets in +isochronous mode and aborts with an error if that number is too large, +in order to prevent malicious input from possibly triggering large +memory allocations. This was previously done by checking whether +pdu->u.cmd_submit.number_of_packets is bigger than the number of packets +that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes +if all except possibly the last packet had maximum length, given by +usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd). This leads to an +error if URBs with packets shorter than the maximum possible length are +submitted, which is allowed according to +Documentation/driver-api/usb/URB.rst and occurs for example with the +snd-usb-audio driver. + +Fixes: eebf31529012 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") +Signed-off-by: Malte Leip +Cc: stable # 3.18.x +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/stub_rx.c | 18 +++--------------- + drivers/usb/usbip/usbip_common.h | 7 +++++++ + 2 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 56cacb68040c..808e3a317954 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -380,22 +380,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) + } + + if (usb_endpoint_xfer_isoc(epd)) { +- /* validate packet size and number of packets */ +- unsigned int maxp, packets, bytes; +- +-#define USB_EP_MAXP_MULT_SHIFT 11 +-#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) +-#define USB_EP_MAXP_MULT(m) \ +- (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) +- +- maxp = usb_endpoint_maxp(epd); +- maxp *= (USB_EP_MAXP_MULT( +- __le16_to_cpu(epd->wMaxPacketSize)) + 1); +- bytes = pdu->u.cmd_submit.transfer_buffer_length; +- packets = DIV_ROUND_UP(bytes, maxp); +- ++ /* validate number of packets */ + if (pdu->u.cmd_submit.number_of_packets < 0 || +- pdu->u.cmd_submit.number_of_packets > packets) { ++ pdu->u.cmd_submit.number_of_packets > ++ USBIP_MAX_ISO_PACKETS) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index 0fc5ace57c0e..af903aa4ad90 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug; + #define USBIP_DIR_OUT 0x00 + #define USBIP_DIR_IN 0x01 + ++/* ++ * Arbitrary limit for the maximum number of isochronous packets in an URB, ++ * compare for example the uhci_submit_isochronous function in ++ * drivers/usb/host/uhci-q.c ++ */ ++#define USBIP_MAX_ISO_PACKETS 1024 ++ + /** + * struct usbip_header_basic - data pertinent to every request + * @command: the usbip request type +-- +2.20.1 + diff --git a/queue-3.18/xsysace-fix-error-handling-in-ace_setup.patch b/queue-3.18/xsysace-fix-error-handling-in-ace_setup.patch new file mode 100644 index 00000000000..7486fee30d4 --- /dev/null +++ b/queue-3.18/xsysace-fix-error-handling-in-ace_setup.patch @@ -0,0 +1,85 @@ +From f92f84a357271cd3ca148415ea24003d630c5da9 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 19 Feb 2019 08:49:56 -0800 +Subject: xsysace: Fix error handling in ace_setup + +[ Upstream commit 47b16820c490149c2923e8474048f2c6e7557cab ] + +If xace hardware reports a bad version number, the error handling code +in ace_setup() calls put_disk(), followed by queue cleanup. However, since +the disk data structure has the queue pointer set, put_disk() also +cleans and releases the queue. This results in blk_cleanup_queue() +accessing an already released data structure, which in turn may result +in a crash such as the following. + +[ 10.681671] BUG: Kernel NULL pointer dereference at 0x00000040 +[ 10.681826] Faulting instruction address: 0xc0431480 +[ 10.682072] Oops: Kernel access of bad area, sig: 11 [#1] +[ 10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440 +[ 10.682387] Modules linked in: +[ 10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G W 5.0.0-rc6-next-20190218+ #2 +[ 10.682733] NIP: c0431480 LR: c043147c CTR: c0422ad8 +[ 10.682863] REGS: cf82fbe0 TRAP: 0300 Tainted: G W (5.0.0-rc6-next-20190218+) +[ 10.683065] MSR: 00029000 CR: 22000222 XER: 00000000 +[ 10.683236] DEAR: 00000040 ESR: 00000000 +[ 10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000 +[ 10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000 +[ 10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000 +[ 10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800 +[ 10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114 +[ 10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114 +[ 10.684602] Call Trace: +[ 10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable) +[ 10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c +[ 10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68 +[ 10.685154] [cf82fcf0] [c0423ec0] blk_cleanup_queue+0x34/0x14c +[ 10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508 +[ 10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8 +[ 10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c +[ 10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464 +[ 10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4 +[ 10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc +[ 10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0 +[ 10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234 +[ 10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c +[ 10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac +[ 10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330 +[ 10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478 +[ 10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114 +[ 10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c +[ 10.687349] Instruction dump: +[ 10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008 +[ 10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008 +[ 10.688056] ---[ end trace 13c9ff51d41b9d40 ]--- + +Fix the problem by setting the disk queue pointer to NULL before calling +put_disk(). A more comprehensive fix might be to rearrange the code +to check the hardware version before initializing data structures, +but I don't know if this would have undesirable side effects, and +it would increase the complexity of backporting the fix to older kernels. + +Fixes: 74489a91dd43a ("Add support for Xilinx SystemACE CompactFlash interface") +Acked-by: Michal Simek +Signed-off-by: Guenter Roeck +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/xsysace.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c +index c4328d9d9981..f838119d12b2 100644 +--- a/drivers/block/xsysace.c ++++ b/drivers/block/xsysace.c +@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace) + return 0; + + err_read: ++ /* prevent double queue cleanup */ ++ ace->gd->queue = NULL; + put_disk(ace->gd); + err_alloc_disk: + blk_cleanup_queue(ace->queue); +-- +2.20.1 +