From: Greg Kroah-Hartman Date: Fri, 14 Apr 2017 13:52:24 +0000 (+0200) Subject: more 3.18 patches X-Git-Tag: v4.10.11~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a2d81a374f3853991a7690d6ca5f2a7c52c52738;p=thirdparty%2Fkernel%2Fstable-queue.git more 3.18 patches --- diff --git a/queue-3.18/dccp-fix-memory-leak-during-tear-down-of-unsuccessful-connection-request.patch b/queue-3.18/dccp-fix-memory-leak-during-tear-down-of-unsuccessful-connection-request.patch new file mode 100644 index 00000000000..1ae207dba03 --- /dev/null +++ b/queue-3.18/dccp-fix-memory-leak-during-tear-down-of-unsuccessful-connection-request.patch @@ -0,0 +1,33 @@ +From 72ef9c4125c7b257e3a714d62d778ab46583d6a3 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Mon, 13 Mar 2017 00:01:30 +0100 +Subject: dccp: fix memory leak during tear-down of unsuccessful connection request + +From: Hannes Frederic Sowa + +commit 72ef9c4125c7b257e3a714d62d778ab46583d6a3 upstream. + +This patch fixes a memory leak, which happens if the connection request +is not fulfilled between parsing the DCCP options and handling the SYN +(because e.g. the backlog is full), because we forgot to free the +list of ack vectors. + +Reported-by: Jianwen Ji +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/dccp/ccids/ccid2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/dccp/ccids/ccid2.c ++++ b/net/dccp/ccids/ccid2.c +@@ -749,6 +749,7 @@ static void ccid2_hc_tx_exit(struct sock + for (i = 0; i < hc->tx_seqbufc; i++) + kfree(hc->tx_seqbuf[i]); + hc->tx_seqbufc = 0; ++ dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks); + } + + static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb) diff --git a/queue-3.18/dccp-tcp-fix-routing-redirect-race.patch b/queue-3.18/dccp-tcp-fix-routing-redirect-race.patch new file mode 100644 index 00000000000..647ee5b2c7b --- /dev/null +++ b/queue-3.18/dccp-tcp-fix-routing-redirect-race.patch 
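Review bot: the single added call dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks) in ccid2_hc_tx_exit() frees the parsed ack-vector list on every CCID2 TX teardown, not only in the backlog-full window the description names; that is the right place, since it covers all exit paths, but the description should say so. Because the patch carries only the upstream id and no 3.18 backport note, a build check that dccp_ackvec_parsed_cleanup() is declared for net/dccp/ccids/ccid2.c in 3.18 is worth doing before queuing. Placement inside the function is fine: the tx_seqbuf frees and tx_seqbufc = 0 above it are unrelated to the ack-vector chunks.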
@@ -0,0 +1,163 @@ +From 45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 Mon Sep 17 00:00:00 2001 +From: Jon Maxwell +Date: Fri, 10 Mar 2017 16:40:33 +1100 +Subject: dccp/tcp: fix routing redirect race +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jon Maxwell + +commit 45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 upstream. + +As Eric Dumazet pointed out this also needs to be fixed in IPv6. +v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. + +We have seen a few incidents lately where a dst_enty has been freed +with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that +dst_entry. If the conditions/timings are right a crash then ensues when the +freed dst_entry is referenced later on. A Common crashing back trace is: + + #8 [] page_fault at ffffffff8163e648 + [exception RIP: __tcp_ack_snd_check+74] +. +. + #9 [] tcp_rcv_established at ffffffff81580b64 +#10 [] tcp_v4_do_rcv at ffffffff8158b54a +#11 [] tcp_v4_rcv at ffffffff8158cd02 +#12 [] ip_local_deliver_finish at ffffffff815668f4 +#13 [] ip_local_deliver at ffffffff81566bd9 +#14 [] ip_rcv_finish at ffffffff8156656d +#15 [] ip_rcv at ffffffff81566f06 +#16 [] __netif_receive_skb_core at ffffffff8152b3a2 +#17 [] __netif_receive_skb at ffffffff8152b608 +#18 [] netif_receive_skb at ffffffff8152b690 +#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] +#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] +#21 [] net_rx_action at ffffffff8152bac2 +#22 [] __do_softirq at ffffffff81084b4f +#23 [] call_softirq at ffffffff8164845c +#24 [] do_softirq at ffffffff81016fc5 +#25 [] irq_exit at ffffffff81084ee5 +#26 [] do_IRQ at ffffffff81648ff8 + +Of course it may happen with other NIC drivers as well. 
+ +It's found the freed dst_entry here: + + 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ + 225 {↩ + 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ + 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ + 228 ↩ + 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ + 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ + 231 }↩ + +But there are other backtraces attributed to the same freed dst_entry in +netfilter code as well. + +All the vmcores showed 2 significant clues: + +- Remote hosts behind the default gateway had always been redirected to a +different gateway. A rtable/dst_entry will be added for that host. Making +more dst_entrys with lower reference counts. Making this more probable. + +- All vmcores showed a postitive LockDroppedIcmps value, e.g: + +LockDroppedIcmps 267 + +A closer look at the tcp_v4_err() handler revealed that do_redirect() will run +regardless of whether user space has the socket locked. This can result in a +race condition where the same dst_entry cached in sk->sk_dst_entry can be +decremented twice for the same socket via: + +do_redirect()->__sk_dst_check()-> dst_release(). + +Which leads to the dst_entry being prematurely freed with another socket +pointing to it via sk->sk_dst_cache and a subsequent crash. + +To fix this skip do_redirect() if usespace has the socket locked. Instead let +the redirect take place later when user space does not have the socket +locked. + +The dccp/IPv6 code is very similar in this respect, so fixing it there too. + +As Eric Garver pointed out the following commit now invalidates routes. Which +can set the dst->obsolete flag so that ipv4_dst_check() returns null and +triggers the dst_release(). + +Fixes: ceb3320610d6 ("ipv4: Kill routes during PMTU/redirect updates.") +Cc: Eric Garver +Cc: Hannes Sowa +Signed-off-by: Jon Maxwell +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/dccp/ipv4.c | 3 ++- + net/dccp/ipv6.c | 8 +++++--- + net/ipv4/tcp_ipv4.c | 3 ++- + net/ipv6/tcp_ipv6.c | 8 +++++--- + 4 files changed, 14 insertions(+), 8 deletions(-) + +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -262,7 +262,8 @@ static void dccp_v4_err(struct sk_buff * + + switch (type) { + case ICMP_REDIRECT: +- dccp_do_redirect(skb, sk); ++ if (!sock_owned_by_user(sk)) ++ dccp_do_redirect(skb, sk); + goto out; + case ICMP_SOURCE_QUENCH: + /* Just silently ignore these. */ +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -131,10 +131,12 @@ static void dccp_v6_err(struct sk_buff * + np = inet6_sk(sk); + + if (type == NDISC_REDIRECT) { +- struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); ++ if (!sock_owned_by_user(sk)) { ++ struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); + +- if (dst) +- dst->ops->redirect(dst, sk, skb); ++ if (dst) ++ dst->ops->redirect(dst, sk, skb); ++ } + goto out; + } + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -389,7 +389,8 @@ void tcp_v4_err(struct sk_buff *icmp_skb + + switch (type) { + case ICMP_REDIRECT: +- do_redirect(icmp_skb, sk); ++ if (!sock_owned_by_user(sk)) ++ do_redirect(icmp_skb, sk); + goto out; + case ICMP_SOURCE_QUENCH: + /* Just silently ignore these. */ +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -389,10 +389,12 @@ static void tcp_v6_err(struct sk_buff *s + np = inet6_sk(sk); + + if (type == NDISC_REDIRECT) { +- struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); ++ if (!sock_owned_by_user(sk)) { ++ struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); + +- if (dst) +- dst->ops->redirect(dst, sk, skb); ++ if (dst) ++ dst->ops->redirect(dst, sk, skb); ++ } + goto out; + } + diff --git a/queue-3.18/kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch b/queue-3.18/kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch new file mode 100644 index 00000000000..d93b049e424 
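Review bot: the four hunks only skip the redirect when sock_owned_by_user(sk) is true; nothing defers it, so the description's "let the redirect take place later" really means "rely on a subsequent ICMP_REDIRECT/NDISC_REDIRECT arriving while the socket is unlocked", and the text should say that so nobody looks for a deferred-work path that is not there. The IPv4 and IPv6 variants are consistent: the IPv6 ones wrap the __sk_dst_check()/dst->ops->redirect() pair and leave goto out outside the new block, so the locked-socket case still exits the handler the same way, just without the second dst_release() the description identifies as the double decrement. Style: the description has typos (dst_enty, postitive, usespace) that could be cleaned up in the backport.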
--- /dev/null +++ b/queue-3.18/kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch 
@@ -0,0 +1,61 @@ +From b0e85701a7766341618d5e924f29f359431f9c91 Mon Sep 17 00:00:00 2001 +From: Janosch Frank +Date: Thu, 2 Mar 2017 15:23:42 +0100 +Subject: KVM: s390: Fix guest migration for huge guests resulting in panic + +From: Janosch Frank + +commit 2e4d88009f57057df7672fa69a32b5224af54d37 upstream. + +While we can technically not run huge page guests right now, we can +setup a guest with huge pages. Trying to migrate it will trigger a +VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it +will happily try to work on non-existing page table entries. + +With this patch, we always return "dirty" if we encounter a large page +when migrating. This at least fixes the immediate problem until we +have proper handling for both kind of pages. + +Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.") +Signed-off-by: Janosch Frank +Acked-by: Christian Borntraeger +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/mm/pgtable.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -1358,11 +1358,28 @@ EXPORT_SYMBOL_GPL(s390_enable_skey); + */ + bool gmap_test_and_clear_dirty(unsigned long address, struct gmap *gmap) + { ++ pgd_t *pgd; ++ pud_t *pud; ++ pmd_t *pmd; + pte_t *pte; + spinlock_t *ptl; + bool dirty = false; + +- pte = get_locked_pte(gmap->mm, address, &ptl); ++ pgd = pgd_offset(gmap->mm, address); ++ pud = pud_alloc(gmap->mm, pgd, address); ++ if (!pud) ++ return false; ++ pmd = pmd_alloc(gmap->mm, pud, address); ++ if (!pmd) ++ return false; ++ /* We can't run guests backed by huge pages, but userspace can ++ * still set them up and then try to migrate them without any ++ * migration support. ++ */ ++ if (pmd_large(*pmd)) ++ return true; ++ ++ pte = pte_alloc_map_lock(gmap->mm, pmd, address, &ptl); + if (unlikely(!pte)) + return false; + 
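Review bot: the open-coded walk in gmap_test_and_clear_dirty() goes through pud_alloc()/pmd_alloc() (with the !pud / !pmd failure returns), so a dirty-bit query can now allocate missing pud/pmd levels under gmap->mm; that side effect deserves a line in the comment next to the pmd_large() check, since a reader of a "test and clear" helper will not expect allocation. Returning true for pmd_large(*pmd) is the conservative choice (over-reporting dirty never drops a page from migration), which the description states. Two style points: the Fixes: tag uses a 7-character hash (15f36eb) where 12 are customary, and Signed-off-by: Greg Kroah-Hartman appears twice.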
diff --git a/queue-3.18/libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch b/queue-3.18/libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch new file mode 100644 index 00000000000..834c350be67 --- /dev/null +++ b/queue-3.18/libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch @@ -0,0 +1,38 @@ +From b581a5854eee4b7851dedb0f8c2ceb54fb902c06 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 1 Mar 2017 17:33:27 +0100 +Subject: libceph: don't set weight to IN when OSD is destroyed + +From: Ilya Dryomov + +commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream. + +Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info, +osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted. +This changes the result of applying an incremental for clients, not +just OSDs. Because CRUSH computations are obviously affected, +pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on +object placement, resulting in misdirected requests. + +Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f. + +Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals") +Link: http://tracker.ceph.com/issues/19122 +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/osdmap.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -1240,7 +1240,6 @@ static int decode_new_up_state_weight(vo + if ((map->osd_state[osd] & CEPH_OSD_EXISTS) && + (xorstate & CEPH_OSD_EXISTS)) { + pr_info("osd%d does not exist\n", osd); +- map->osd_weight[osd] = CEPH_OSD_IN; + ret = set_primary_affinity(map, osd, + CEPH_OSD_DEFAULT_PRIMARY_AFFINITY); + if (ret) diff --git a/queue-3.18/mbox_todo b/queue-3.18/mbox_todo index 3488239b4fd..012628bc56c 100644 --- a/queue-3.18/mbox_todo +++ b/queue-3.18/mbox_todo 
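Review bot: the hunk removes only the map->osd_weight[osd] = CEPH_OSD_IN assignment and keeps the set_primary_affinity() reset, so when an incremental clears CEPH_OSD_EXISTS the weight now retains its previous value; the description explains why IN was wrong (placement disagreement with pre-4e28f9e63644 servers) but not what is expected to carry the weight afterwards, and one sentence on that (presumably the incremental's own weight entries) would help whoever reads this 3.18 backport. The tracker link (http://tracker.ceph.com/issues/19122) covers the misdirected-request symptom.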
@@ -1,246 +1,3 @@ -From ec50c80c780152d2058c23d9e246fc81f73742da Mon Sep 17 00:00:00 2001 -From: Julian Wiedmann -Date: Mon, 21 Nov 2016 13:37:48 +0100 -Subject: [PATCH 007/251] s390/qdio: clear DSCI prior to scanning multiple - input queues -Status: RO -Content-Length: 2241 -Lines: 56 - -commit 1e4a382fdc0ba8d1a85b758c0811de3a3631085e upstream. - -For devices with multiple input queues, tiqdio_call_inq_handlers() -iterates over all input queues and clears the device's DSCI -during each iteration. If the DSCI is re-armed during one -of the later iterations, we therefore do not scan the previous -queues again. -The re-arming also raises a new adapter interrupt. But its -handler does not trigger a rescan for the device, as the DSCI -has already been erroneously cleared. -This can result in queue stalls on devices with multiple -input queues. - -Fix it by clearing the DSCI just once, prior to scanning the queues. - -As the code is moved in front of the loop, we also need to access -the DSCI directly (ie irq->dsci) instead of going via each queue's -parent pointer to the same irq. This is not a functional change, -and a follow-up patch will clean up the other users. - -In practice, this bug only affects CQ-enabled HiperSockets devices, -ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is -needed for AF_IUCV socket applications that use HiperSockets -communication. 
- -Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") -Reviewed-by: Ursula Braun -Signed-off-by: Julian Wiedmann -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - drivers/s390/cio/qdio_thinint.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/s390/cio/qdio_thinint.c b/drivers/s390/cio/qdio_thinint.c -index 5d06253c2a7a..30e9fbbff051 100644 ---- a/drivers/s390/cio/qdio_thinint.c -+++ b/drivers/s390/cio/qdio_thinint.c -@@ -147,11 +147,11 @@ static inline void tiqdio_call_inq_handlers(struct qdio_irq *irq) - struct qdio_q *q; - int i; - -- for_each_input_queue(irq, q, i) { -- if (!references_shared_dsci(irq) && -- has_multiple_inq_on_dsci(irq)) -- xchg(q->irq_ptr->dsci, 0); -+ if (!references_shared_dsci(irq) && -+ has_multiple_inq_on_dsci(irq)) -+ xchg(irq->dsci, 0); - -+ for_each_input_queue(irq, q, i) { - if (q->u.in.queue_start_poll) { - /* skip if polling is enabled or already in work */ - if (test_and_set_bit(QDIO_QUEUE_IRQS_DISABLED, --- -2.12.2 - -From 792bd1fb5b0338232e47412bce2a9b6f0f1fbdaf Mon Sep 17 00:00:00 2001 -From: Gerald Schaefer -Date: Mon, 30 Jan 2017 15:52:14 +0100 -Subject: [PATCH 008/251] s390/dcssblk: fix device size calculation in - dcssblk_direct_access() -Status: RO -Content-Length: 1263 -Lines: 32 - -commit a63f53e34db8b49675448d03ae324f6c5bc04fe6 upstream. - -Since commit dd22f551 "block: Change direct_access calling convention", -the device size calculation in dcssblk_direct_access() is off-by-one. -This results in bdev_direct_access() always returning -ENXIO because the -returned value is not page aligned. - -Fix this by adding 1 to the dev_sz calculation. 
- -Fixes: dd22f551 ("block: Change direct_access calling convention") -Signed-off-by: Gerald Schaefer -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - drivers/s390/block/dcssblk.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/s390/block/dcssblk.c b/drivers/s390/block/dcssblk.c -index 94a8f4ab57bc..ae1dc37e4068 100644 ---- a/drivers/s390/block/dcssblk.c -+++ b/drivers/s390/block/dcssblk.c -@@ -892,7 +892,7 @@ dcssblk_direct_access (struct block_device *bdev, sector_t secnum, - dev_info = bdev->bd_disk->private_data; - if (!dev_info) - return -ENODEV; -- dev_sz = dev_info->end - dev_info->start; -+ dev_sz = dev_info->end - dev_info->start + 1; - offset = secnum * 512; - addr = (void *) (dev_info->start + offset); - *pfn = virt_to_phys(addr) >> PAGE_SHIFT; --- -2.12.2 - -From 9cf431dbd8f78d4e78d4aa3ef4fb453cd71e2978 Mon Sep 17 00:00:00 2001 -From: Martin Schwidefsky -Date: Fri, 24 Feb 2017 07:43:51 +0100 -Subject: [PATCH 009/251] s390: TASK_SIZE for kernel threads -Status: RO -Content-Length: 1158 -Lines: 30 - -commit fb94a687d96c570d46332a4a890f1dcb7310e643 upstream. - -Return a sensible value if TASK_SIZE if called from a kernel thread. - -This gets us around an issue with copy_mount_options that does a magic -size calculation "TASK_SIZE - (unsigned long)data" while in a kernel -thread and data pointing to kernel space. - -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/include/asm/processor.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h -index c1ea67db8404..c61ed7890cef 100644 ---- a/arch/s390/include/asm/processor.h -+++ b/arch/s390/include/asm/processor.h -@@ -74,7 +74,8 @@ extern void execve_tail(void); - * User space process size: 2GB for 31 bit, 4TB or 8PT for 64 bit. 
- */ - --#define TASK_SIZE_OF(tsk) ((tsk)->mm->context.asce_limit) -+#define TASK_SIZE_OF(tsk) ((tsk)->mm ? \ -+ (tsk)->mm->context.asce_limit : TASK_MAX_SIZE) - #define TASK_UNMAPPED_BASE (test_thread_flag(TIF_31BIT) ? \ - (1UL << 30) : (1UL << 41)) - #define TASK_SIZE TASK_SIZE_OF(current) --- -2.12.2 - -From 296f7bd7f1dbd2379489ea779779ef437d9e6c6f Mon Sep 17 00:00:00 2001 -From: Heiko Carstens -Date: Sat, 4 Feb 2017 11:40:36 +0100 -Subject: [PATCH 010/251] s390: make setup_randomness work -Status: RO -Content-Length: 1465 -Lines: 40 - -commit da8fd820f389a0e29080b14c61bf5cf1d8ef5ca1 upstream. - -Commit bcfcbb6bae64 ("s390: add system information as device -randomness") intended to add some virtual machine specific information -to the randomness pool. - -Unfortunately it uses the page allocator before it is ready to use. In -result the page allocator always returns NULL and the setup_randomness -function never adds anything to the randomness pool. - -To fix this use memblock_alloc and memblock_free instead. 
- -Fixes: bcfcbb6bae64 ("s390: add system information as device randomness") -Signed-off-by: Heiko Carstens -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/kernel/setup.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c -index 1f581eb61bc2..1cf4aae76780 100644 ---- a/arch/s390/kernel/setup.c -+++ b/arch/s390/kernel/setup.c -@@ -805,10 +805,10 @@ static void __init setup_randomness(void) - { - struct sysinfo_3_2_2 *vmms; - -- vmms = (struct sysinfo_3_2_2 *) alloc_page(GFP_KERNEL); -- if (vmms && stsi(vmms, 3, 2, 2) == 0 && vmms->count) -+ vmms = (struct sysinfo_3_2_2 *) memblock_alloc(PAGE_SIZE, PAGE_SIZE); -+ if (stsi(vmms, 3, 2, 2) == 0 && vmms->count) - add_device_randomness(&vmms, vmms->count); -- free_page((unsigned long) vmms); -+ memblock_free((unsigned long) vmms, PAGE_SIZE); - } - - /* --- -2.12.2 - -From 376a12eb7f608fad96b13fab3f151eb4c9b40c7c Mon Sep 17 00:00:00 2001 -From: Heiko Carstens -Date: Sun, 5 Feb 2017 23:03:18 +0100 -Subject: [PATCH 011/251] s390: use correct input data address for - setup_randomness -Status: RO -Content-Length: 1414 -Lines: 37 - -commit 4920e3cf77347d7d7373552d4839e8d832321313 upstream. - -The current implementation of setup_randomness uses the stack address -and therefore the pointer to the SYSIB 3.2.2 block as input data -address. Furthermore the length of the input data is the number of -virtual-machine description blocks which is typically one. - -This means that typically a single zero byte is fed to -add_device_randomness. - -Fix both of these and use the address of the first virtual machine -description block as input data address and also use the correct -length. 
- -Fixes: bcfcbb6bae64 ("s390: add system information as device randomness") -Signed-off-by: Heiko Carstens -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/kernel/setup.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c -index 1cf4aae76780..d097d71685df 100644 ---- a/arch/s390/kernel/setup.c -+++ b/arch/s390/kernel/setup.c -@@ -807,7 +807,7 @@ static void __init setup_randomness(void) - - vmms = (struct sysinfo_3_2_2 *) memblock_alloc(PAGE_SIZE, PAGE_SIZE); - if (stsi(vmms, 3, 2, 2) == 0 && vmms->count) -- add_device_randomness(&vmms, vmms->count); -+ add_device_randomness(&vmms->vm, sizeof(vmms->vm[0]) * vmms->count); - memblock_free((unsigned long) vmms, PAGE_SIZE); - } - --- -2.12.2 - From 839d42687dfce0ed0ea2c6bd8d707cc0e276fbe7 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Fri, 20 Jan 2017 18:28:35 +1300 
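Review bot: this hunk drops five s390 entries (007 qdio DSCI clearing, 008 dcssblk size, 009 TASK_SIZE for kernel threads, 010 and 011 setup_randomness) from mbox_todo, but none of them appears as a new queue-3.18 file in this commit, and the commit message "more 3.18 patches" does not say whether they were queued earlier or judged not applicable. Recording that per entry would help; 010 and 011 in particular fix setup_randomness feeding nothing (always-NULL alloc_page()) and then the wrong address and length into add_device_randomness(), so if they were skipped for 3.18 the reason (for example the Fixes: commit bcfcbb6bae64 not being in 3.18) is worth stating.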
@@ -701,2003 +458,120 @@ index 10aec937e9e4..7f54ac081cf3 100644 -- 2.12.2 -From adc48c710b7e3d0d169e013ca089f46347aaf064 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Wed, 11 Jan 2017 15:29:48 +0100 -Subject: [PATCH 041/251] MIPS: Update defconfigs for NF_CT_PROTO_DCCP/UDPLITE - change -Content-Length: 5304 -Lines: 136 - -commit 9ddc16ad8e0bc7742fc96d5aaabc5b8698512cd1 upstream. - -In linux-4.10-rc, NF_CT_PROTO_UDPLITE and NF_CT_PROTO_DCCP are bool -symbols instead of tristate, and kernelci.org reports a bunch of -warnings for this, like: - -arch/mips/configs/malta_kvm_guest_defconfig:63:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE -arch/mips/configs/malta_defconfig:62:warning: symbol value 'm' invalid for NF_CT_PROTO_DCCP -arch/mips/configs/malta_defconfig:63:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE -arch/mips/configs/ip22_defconfig:70:warning: symbol value 'm' invalid for NF_CT_PROTO_DCCP -arch/mips/configs/ip22_defconfig:71:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE - -This changes all the MIPS defconfigs with these symbols to have them -built-in. 
- -Fixes: 9b91c96c5d1f ("netfilter: conntrack: built-in support for UDPlite") -Fixes: c51d39010a1b ("netfilter: conntrack: built-in support for DCCP") -Signed-off-by: Arnd Bergmann -Cc: linux-mips@linux-mips.org -Cc: linux-kernel@vger.kernel.org -Patchwork: https://patchwork.linux-mips.org/patch/14999/ -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/configs/ip22_defconfig | 4 ++-- - arch/mips/configs/malta_defconfig | 4 ++-- - arch/mips/configs/malta_kvm_defconfig | 4 ++-- - arch/mips/configs/malta_kvm_guest_defconfig | 4 ++-- - arch/mips/configs/maltaup_xpa_defconfig | 4 ++-- - arch/mips/configs/nlm_xlp_defconfig | 2 +- - arch/mips/configs/nlm_xlr_defconfig | 2 +- - 7 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/arch/mips/configs/ip22_defconfig b/arch/mips/configs/ip22_defconfig -index 57ed466e00db..2f140d75d01c 100644 ---- a/arch/mips/configs/ip22_defconfig -+++ b/arch/mips/configs/ip22_defconfig -@@ -68,8 +68,8 @@ CONFIG_NETFILTER_NETLINK_QUEUE=m - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_DCCP=m --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_DCCP=y -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m -diff --git a/arch/mips/configs/malta_defconfig b/arch/mips/configs/malta_defconfig -index 5afb4840aec7..739ccd0dca64 100644 ---- a/arch/mips/configs/malta_defconfig -+++ b/arch/mips/configs/malta_defconfig -@@ -59,8 +59,8 @@ CONFIG_NETFILTER=y - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_DCCP=m --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_DCCP=y -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m -diff --git a/arch/mips/configs/malta_kvm_defconfig b/arch/mips/configs/malta_kvm_defconfig -index 98f13879bb8f..47f4ecf125ba 100644 ---- 
a/arch/mips/configs/malta_kvm_defconfig -+++ b/arch/mips/configs/malta_kvm_defconfig -@@ -60,8 +60,8 @@ CONFIG_NETFILTER=y - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_DCCP=m --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_DCCP=y -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m -diff --git a/arch/mips/configs/malta_kvm_guest_defconfig b/arch/mips/configs/malta_kvm_guest_defconfig -index 3b5d5913f548..e79d325aa085 100644 ---- a/arch/mips/configs/malta_kvm_guest_defconfig -+++ b/arch/mips/configs/malta_kvm_guest_defconfig -@@ -59,8 +59,8 @@ CONFIG_NETFILTER=y - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_DCCP=m --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_DCCP=y -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m -diff --git a/arch/mips/configs/maltaup_xpa_defconfig b/arch/mips/configs/maltaup_xpa_defconfig -index 732215732751..ae87ad86243b 100644 ---- a/arch/mips/configs/maltaup_xpa_defconfig -+++ b/arch/mips/configs/maltaup_xpa_defconfig -@@ -61,8 +61,8 @@ CONFIG_NETFILTER=y - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_DCCP=m --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_DCCP=y -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m -diff --git a/arch/mips/configs/nlm_xlp_defconfig b/arch/mips/configs/nlm_xlp_defconfig -index b3d1d37f85ea..47492fee2952 100644 ---- a/arch/mips/configs/nlm_xlp_defconfig -+++ b/arch/mips/configs/nlm_xlp_defconfig -@@ -111,7 +111,7 @@ CONFIG_NETFILTER=y - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - 
CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m -diff --git a/arch/mips/configs/nlm_xlr_defconfig b/arch/mips/configs/nlm_xlr_defconfig -index 3d8016d6cf3e..472a818f1eb8 100644 ---- a/arch/mips/configs/nlm_xlr_defconfig -+++ b/arch/mips/configs/nlm_xlr_defconfig -@@ -91,7 +91,7 @@ CONFIG_NETFILTER=y - CONFIG_NF_CONNTRACK=m - CONFIG_NF_CONNTRACK_SECMARK=y - CONFIG_NF_CONNTRACK_EVENTS=y --CONFIG_NF_CT_PROTO_UDPLITE=m -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m --- -2.12.2 - -From 8ed0fdcc0c1157f49795913ab9fd3de768fad8f6 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Fri, 3 Feb 2017 17:43:50 +0100 -Subject: [PATCH 042/251] MIPS: ip27: Disable qlge driver in defconfig -Content-Length: 1534 -Lines: 41 - -commit b617649468390713db1515ea79fc772d2eb897a8 upstream. - -One of the last remaining failures in kernelci.org is for a gcc bug: - -drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints: -drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190 - -This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot -reproduce the problem here. However, it is clear that ip27_defconfig -does not actually need this driver as the platform has only PCI-X but -not PCIe, and the qlge adapter in turn is PCIe-only. - -The driver was originally enabled in 2010 along with lots of other -drivers. 
- -Fixes: 59d302b342e5 ("MIPS: IP27: Make defconfig useful again.") -Signed-off-by: Arnd Bergmann -Cc: Ralf Baechle -Cc: linux-mips@linux-mips.org -Cc: linux-kernel@vger.kernel.org -Patchwork: https://patchwork.linux-mips.org/patch/15197/ -Signed-off-by: James Hogan -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/configs/ip27_defconfig | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/arch/mips/configs/ip27_defconfig b/arch/mips/configs/ip27_defconfig -index 48e16d98b2cc..6ecc67f3736b 100644 ---- a/arch/mips/configs/ip27_defconfig -+++ b/arch/mips/configs/ip27_defconfig -@@ -206,7 +206,6 @@ CONFIG_MLX4_EN=m - # CONFIG_MLX4_DEBUG is not set - CONFIG_TEHUTI=m - CONFIG_BNX2X=m --CONFIG_QLGE=m - CONFIG_SFC=m - CONFIG_BE2NET=m - CONFIG_LIBERTAS_THINFIRM=m --- -2.12.2 - -From 7a6a965f350ec47171184898368a17b8228cdaf9 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Wed, 11 Jan 2017 15:29:50 +0100 -Subject: [PATCH 043/251] MIPS: Update ip27_defconfig for SCSI_DH change -Content-Length: 1140 -Lines: 35 - -commit ea58fca1842a5dc410cae4167b01643db971a4e2 upstream. - -Since linux-4.3, SCSI_DH is a bool symbol, causing a warning in -kernelci.org: - -arch/mips/configs/ip27_defconfig:136:warning: symbol value 'm' invalid for SCSI_DH - -This updates the defconfig to have the feature built-in. 
- -Fixes: 086b91d052eb ("scsi_dh: integrate into the core SCSI code") -Signed-off-by: Arnd Bergmann -Cc: linux-mips@linux-mips.org -Cc: linux-kernel@vger.kernel.org -Patchwork: https://patchwork.linux-mips.org/patch/15001/ -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/configs/ip27_defconfig | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/mips/configs/ip27_defconfig b/arch/mips/configs/ip27_defconfig -index 6ecc67f3736b..b15508447366 100644 ---- a/arch/mips/configs/ip27_defconfig -+++ b/arch/mips/configs/ip27_defconfig -@@ -134,7 +134,7 @@ CONFIG_LIBFC=m - CONFIG_SCSI_QLOGIC_1280=y - CONFIG_SCSI_PMCRAID=m - CONFIG_SCSI_BFA_FC=m --CONFIG_SCSI_DH=m -+CONFIG_SCSI_DH=y - CONFIG_SCSI_DH_RDAC=m - CONFIG_SCSI_DH_HP_SW=m - CONFIG_SCSI_DH_EMC=m --- -2.12.2 - -From c018595d83a39dc4156f46ac21955778835e7781 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Tue, 17 Jan 2017 16:18:46 +0100 -Subject: [PATCH 044/251] MIPS: ip22: Fix ip28 build for modern gcc -Content-Length: 1395 -Lines: 37 - -commit 23ca9b522383d3b9b7991d8586db30118992af4a upstream. - -kernelci reports a failure of the ip28_defconfig build after upgrading its -gcc version: - -arch/mips/sgi-ip22/Platform:29: *** gcc doesn't support needed option -mr10k-cache-barrier=store. Stop. - -The problem apparently is that the -mr10k-cache-barrier=store option is now -rejected for CPUs other than r10k. Explicitly including the CPU in the -check fixes this and is safe because both options were introduced in -gcc-4.4. 
+From 28ec98bc2e4a175b60f45d505e715a33b93dd077 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sat, 18 Mar 2017 19:10:23 +0800 +Subject: [PATCH 073/251] Linux 4.4.55 +Status: RO +Content-Length: 301 +Lines: 18 -Signed-off-by: Arnd Bergmann -Cc: linux-mips@linux-mips.org -Cc: linux-kernel@vger.kernel.org -Patchwork: https://patchwork.linux-mips.org/patch/15049/ -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman --- - arch/mips/sgi-ip22/Platform | 2 +- + Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/arch/mips/sgi-ip22/Platform b/arch/mips/sgi-ip22/Platform -index b7a4b7e04c38..e8f6b3a42a48 100644 ---- a/arch/mips/sgi-ip22/Platform -+++ b/arch/mips/sgi-ip22/Platform -@@ -25,7 +25,7 @@ endif - # Simplified: what IP22 does at 128MB+ in ksegN, IP28 does at 512MB+ in xkphys - # - ifdef CONFIG_SGI_IP28 -- ifeq ($(call cc-option-yn,-mr10k-cache-barrier=store), n) -+ ifeq ($(call cc-option-yn,-march=r10000 -mr10k-cache-barrier=store), n) - $(error gcc doesn't support needed option -mr10k-cache-barrier=store) - endif - endif +diff --git a/Makefile b/Makefile +index 7f54ac081cf3..d9cc21df444d 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 54 ++SUBLEVEL = 55 + EXTRAVERSION = + NAME = Blurry Fish Butt + -- 2.12.2 -From d2a8d746ae9530aeea0a3b4b129c970ffc90d926 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Wed, 11 Jan 2017 15:29:49 +0100 -Subject: [PATCH 045/251] MIPS: Update lemote2f_defconfig for CPU_FREQ_STAT - change -Content-Length: 1241 -Lines: 35 - -commit b3f6046186ef45acfeebc5a59c9fb45cefc685e7 upstream. - -Since linux-4.8, CPU_FREQ_STAT is a bool symbol, causing a warning in -kernelci.org: - -arch/mips/configs/lemote2f_defconfig:42:warning: symbol value 'm' invalid for CPU_FREQ_STAT - -This updates the defconfig to have the feature built-in. 
+From 56f9b9502f2d15b9c7b83f9cfb32798e2e364f61 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 13 Mar 2017 17:38:17 +0100 +Subject: [PATCH 092/251] bridge: drop netfilter fake rtable unconditionally +Status: RO +Content-Length: 2943 +Lines: 81 -Fixes: 1aefc75b2449 ("cpufreq: stats: Make the stats code non-modular") -Signed-off-by: Arnd Bergmann -Cc: linux-mips@linux-mips.org -Cc: linux-kernel@vger.kernel.org -Patchwork: https://patchwork.linux-mips.org/patch/15000/ -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/configs/lemote2f_defconfig | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) +[ Upstream commit a13b2082ece95247779b9995c4e91b4246bed023 ] -diff --git a/arch/mips/configs/lemote2f_defconfig b/arch/mips/configs/lemote2f_defconfig -index 004cf52d1b7d..c24b87819ccb 100644 ---- a/arch/mips/configs/lemote2f_defconfig -+++ b/arch/mips/configs/lemote2f_defconfig -@@ -39,7 +39,7 @@ CONFIG_HIBERNATION=y - CONFIG_PM_STD_PARTITION="/dev/hda3" - CONFIG_CPU_FREQ=y - CONFIG_CPU_FREQ_DEBUG=y --CONFIG_CPU_FREQ_STAT=m -+CONFIG_CPU_FREQ_STAT=y - CONFIG_CPU_FREQ_STAT_DETAILS=y - CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y - CONFIG_CPU_FREQ_GOV_POWERSAVE=m --- -2.12.2 +Andreas reports kernel oops during rmmod of the br_netfilter module. +Hannes debugged the oops down to a NULL rt6info->rt6i_indev. -From 4b91e7a2a9a78b161caebfa5fcf6372a40161699 Mon Sep 17 00:00:00 2001 -From: John Crispin -Date: Tue, 20 Dec 2016 19:12:46 +0100 -Subject: [PATCH 047/251] MIPS: ralink: Cosmetic change to prom_init(). -Content-Length: 1412 -Lines: 49 +Problem is that br_netfilter has the nasty concept of adding a fake +rtable to skb->dst; this happens in a br_netfilter prerouting hook. -commit 9c48568b3692f1a56cbf1935e4eea835e6b185b1 upstream. +A second hook (in bridge LOCAL_IN) is supposed to remove these again +before the skb is handed up the stack. 
-Over the years the code has been changed various times leading to -argc/argv being defined in a different function to where we actually -use the variables. Clean this up by moving them to prom_init_cmdline(). +However, on module unload hooks get unregistered which means an +skb could traverse the prerouting hook that attaches the fake_rtable, +while the 'fake rtable remove' hook gets removed from the hooklist +immediately after. -Signed-off-by: John Crispin -Cc: linux-mips@linux-mips.org -Patchwork: https://patchwork.linux-mips.org/patch/14902/ -Signed-off-by: Ralf Baechle +Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core") +Reported-by: Andreas Karis +Debugged-by: Hannes Frederic Sowa +Signed-off-by: Florian Westphal +Acked-by: Pablo Neira Ayuso +Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman --- - arch/mips/ralink/prom.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) + net/bridge/br_input.c | 1 + + net/bridge/br_netfilter_hooks.c | 21 --------------------- + 2 files changed, 1 insertion(+), 21 deletions(-) -diff --git a/arch/mips/ralink/prom.c b/arch/mips/ralink/prom.c -index 39a9142f71be..7ecb4af79b7b 100644 ---- a/arch/mips/ralink/prom.c -+++ b/arch/mips/ralink/prom.c -@@ -30,8 +30,10 @@ const char *get_system_type(void) - return soc_info.sys_type; - } - --static __init void prom_init_cmdline(int argc, char **argv) -+static __init void prom_init_cmdline(void) - { -+ int argc; -+ char **argv; - int i; - - pr_debug("prom: fw_arg0=%08x fw_arg1=%08x fw_arg2=%08x fw_arg3=%08x\n", -@@ -60,14 +62,11 @@ static __init void prom_init_cmdline(int argc, char **argv) - - void __init prom_init(void) +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index f7fba74108a9..e24754a0e052 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook); + static int + br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb) { -- int argc; -- char **argv; -- - prom_soc_init(&soc_info); - - pr_info("SoC Type: %s\n", get_system_type()); - -- prom_init_cmdline(argc, argv); -+ prom_init_cmdline(); ++ br_drop_fake_rtable(skb); + return netif_receive_skb(skb); } - void __init prom_free_prom_memory(void) --- -2.12.2 - -From 32883383f5e0c95436c2affaad675245727c0493 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Tue, 17 Jan 2017 16:18:43 +0100 -Subject: [PATCH 048/251] MIPS: ralink: Remove unused rt*_wdt_reset functions -Content-Length: 2704 -Lines: 91 - -commit 886f9c69fc68f56ddea34d3de51ac1fc2ac8dfbc upstream. - -All pointers to these functions were removed, so now they produce -warnings: - -arch/mips/ralink/rt305x.c:92:13: error: 'rt305x_wdt_reset' defined but not used [-Werror=unused-function] - -This removes the functions. 
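Review bot: the prom.c hunk moves `int argc; char **argv;` into prom_init_cmdline() but shows no assignment to either before the loop counter `int i;`, so confirm that the function body outside the context sets them from the firmware arguments that the adjacent `pr_debug("prom: fw_arg0=...` line prints; the old code passed prom_init()'s never-initialized locals by value, which is the real defect this cleanup removes, and a short comment at the new declarations saying where they are populated would make that explicit.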
If we need them again, the patch can be -reverted later. - -Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data") -Signed-off-by: Arnd Bergmann -Cc: John Crispin -Cc: Colin Ian King -Cc: linux-mips@linux-mips.org -Cc: linux-kernel@vger.kernel.org -Patchwork: https://patchwork.linux-mips.org/patch/15044/ -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/ralink/rt288x.c | 10 ---------- - arch/mips/ralink/rt305x.c | 11 ----------- - arch/mips/ralink/rt3883.c | 10 ---------- - 3 files changed, 31 deletions(-) - -diff --git a/arch/mips/ralink/rt288x.c b/arch/mips/ralink/rt288x.c -index 844f5cd55c8f..15506a1ff22a 100644 ---- a/arch/mips/ralink/rt288x.c -+++ b/arch/mips/ralink/rt288x.c -@@ -40,16 +40,6 @@ static struct rt2880_pmx_group rt2880_pinmux_data_act[] = { - { 0 } - }; - --static void rt288x_wdt_reset(void) --{ -- u32 t; -- -- /* enable WDT reset output on pin SRAM_CS_N */ -- t = rt_sysc_r32(SYSC_REG_CLKCFG); -- t |= CLKCFG_SRAM_CS_N_WDT; -- rt_sysc_w32(t, SYSC_REG_CLKCFG); --} -- - void __init ralink_clk_init(void) - { - unsigned long cpu_rate, wmac_rate = 40000000; -diff --git a/arch/mips/ralink/rt305x.c b/arch/mips/ralink/rt305x.c -index 9e4572592065..15b32cd01906 100644 ---- a/arch/mips/ralink/rt305x.c -+++ b/arch/mips/ralink/rt305x.c -@@ -89,17 +89,6 @@ static struct rt2880_pmx_group rt5350_pinmux_data[] = { - { 0 } - }; +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 7ddbe7ec81d6..97fc19f001bf 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv, + } --static void rt305x_wdt_reset(void) --{ -- u32 t; -- -- /* enable WDT reset output on pin SRAM_CS_N */ -- t = rt_sysc_r32(SYSC_REG_SYSTEM_CONFIG); -- t |= RT305X_SYSCFG_SRAM_CS0_MODE_WDT << -- RT305X_SYSCFG_SRAM_CS0_MODE_SHIFT; -- rt_sysc_w32(t, SYSC_REG_SYSTEM_CONFIG); --} -- - static unsigned long 
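Review bot: the br_netfilter_hooks.c hunk (`@@ -516,21 +516,6 @@`) deletes 15 lines, the body of the static br_nf_local_in(), while the diffstat reports 21 deletions for that file, so a further hunk removing the hook's registration entry must exist but is not visible here; confirm it is present in the queued patch, since the registration would otherwise reference a function that no longer exists. The new `br_drop_fake_rtable(skb)` call in br_netif_receive_skb() also deserves a one-line comment: it now runs for every locally delivered bridge frame whether or not br_netfilter is loaded, which is exactly what closes the unload race the message describes (prerouting hook attaches the fake rtable while the LOCAL_IN hook that used to strip it is already unregistered).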
rt5350_get_mem_size(void) - { - void __iomem *sysc = (void __iomem *) KSEG1ADDR(RT305X_SYSC_BASE); -diff --git a/arch/mips/ralink/rt3883.c b/arch/mips/ralink/rt3883.c -index 582995aaaf4e..f42834c7f007 100644 ---- a/arch/mips/ralink/rt3883.c -+++ b/arch/mips/ralink/rt3883.c -@@ -63,16 +63,6 @@ static struct rt2880_pmx_group rt3883_pinmux_data[] = { - { 0 } - }; --static void rt3883_wdt_reset(void) +-/* PF_BRIDGE/LOCAL_IN ************************************************/ +-/* The packet is locally destined, which requires a real +- * dst_entry, so detach the fake one. On the way up, the +- * packet would pass through PRE_ROUTING again (which already +- * took place when the packet entered the bridge), but we +- * register an IPv4 PRE_ROUTING 'sabotage' hook that will +- * prevent this from happening. */ +-static unsigned int br_nf_local_in(void *priv, +- struct sk_buff *skb, +- const struct nf_hook_state *state) -{ -- u32 t; -- -- /* enable WDT reset output on GPIO 2 */ -- t = rt_sysc_r32(RT3883_SYSC_REG_SYSCFG1); -- t |= RT3883_SYSCFG1_GPIO2_AS_WDT_OUT; -- rt_sysc_w32(t, RT3883_SYSC_REG_SYSCFG1); +- br_drop_fake_rtable(skb); +- return NF_ACCEPT; -} - - void __init ralink_clk_init(void) + /* PF_BRIDGE/FORWARD *************************************************/ + static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) { - unsigned long cpu_rate, sys_rate; --- -2.12.2 - -From 2e4aff2405af6a4573299dee361a44903c9bb717 Mon Sep 17 00:00:00 2001 -From: Ralf Baechle -Date: Tue, 20 Sep 2016 14:33:01 +0200 -Subject: [PATCH 051/251] MIPS: DEC: Avoid la pseudo-instruction in delay slots -Content-Length: 2448 -Lines: 81 - -commit 3021773c7c3e75e20b693931a19362681e744ea9 upstream. 
- -When expanding the la or dla pseudo-instruction in a delay slot the GNU -assembler will complain should the pseudo-instruction expand to multiple -actual instructions, since only the first of them will be in the delay -slot leading to the pseudo-instruction being only partially executed if -the branch is taken. Use of PTR_LA in the dec int-handler.S leads to -such warnings: - - arch/mips/dec/int-handler.S: Assembler messages: - arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot - arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot - -Avoid this by open coding the PTR_LA macros. - -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 38 insertions(+), 2 deletions(-) - -diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S -index 8c6f508e59de..554d1da97743 100644 ---- a/arch/mips/dec/int-handler.S -+++ b/arch/mips/dec/int-handler.S -@@ -146,7 +146,25 @@ - /* - * Find irq with highest priority - */ -- PTR_LA t1,cpu_mask_nr_tbl -+ # open coded PTR_LA t1, cpu_mask_nr_tbl -+#if (_MIPS_SZPTR == 32) -+ # open coded la t1, cpu_mask_nr_tbl -+ lui t1, %hi(cpu_mask_nr_tbl) -+ addiu t1, %lo(cpu_mask_nr_tbl) -+ -+#endif -+#if (_MIPS_SZPTR == 64) -+ # open coded dla t1, cpu_mask_nr_tbl -+ .set push -+ .set noat -+ lui t1, %highest(cpu_mask_nr_tbl) -+ lui AT, %hi(cpu_mask_nr_tbl) -+ daddiu t1, t1, %higher(cpu_mask_nr_tbl) -+ daddiu AT, AT, %lo(cpu_mask_nr_tbl) -+ dsll t1, 32 -+ daddu t1, t1, AT -+ .set pop -+#endif - 1: lw t2,(t1) - nop - and t2,t0 -@@ -195,7 +213,25 @@ - /* - * Find irq with highest priority - */ -- PTR_LA t1,asic_mask_nr_tbl -+ # open coded PTR_LA t1,asic_mask_nr_tbl -+#if (_MIPS_SZPTR == 32) -+ # open coded la t1, asic_mask_nr_tbl -+ lui t1, %hi(asic_mask_nr_tbl) -+ addiu t1, %lo(asic_mask_nr_tbl) -+ 
-+#endif -+#if (_MIPS_SZPTR == 64) -+ # open coded dla t1, asic_mask_nr_tbl -+ .set push -+ .set noat -+ lui t1, %highest(asic_mask_nr_tbl) -+ lui AT, %hi(asic_mask_nr_tbl) -+ daddiu t1, t1, %higher(asic_mask_nr_tbl) -+ daddiu AT, AT, %lo(asic_mask_nr_tbl) -+ dsll t1, 32 -+ daddu t1, t1, AT -+ .set pop -+#endif - 2: lw t2,(t1) - nop - and t2,t0 --- -2.12.2 - -From 127651058594cafc624cf63bd266a42a62dfefcf Mon Sep 17 00:00:00 2001 -From: James Hogan -Date: Thu, 28 Apr 2016 17:06:16 +0100 -Subject: [PATCH 052/251] MIPS: Netlogic: Fix CP0_EBASE redefinition warnings -Content-Length: 3506 -Lines: 106 - -commit 32eb6e8bee147b45e5e59230630d59541ccbb6e5 upstream. - -A couple of netlogic assembly files define CP0_EBASE to $15, the same as -CP0_PRID in mipsregs.h, and use it for accessing both CP0_PRId and -CP0_EBase registers. However commit 609cf6f2291a ("MIPS: CPS: Early -debug using an ns16550-compatible UART") added a different definition of -CP0_EBASE to mipsregs.h, which included a register select of 1. This -causes harmless build warnings like the following: - - arch/mips/netlogic/common/reset.S:53:0: warning: "CP0_EBASE" redefined - #define CP0_EBASE $15 - ^ - In file included from arch/mips/netlogic/common/reset.S:41:0: - ./arch/mips/include/asm/mipsregs.h:63:0: note: this is the location of the previous definition - #define CP0_EBASE $15, 1 - ^ - -Update the code to use the definitions from mipsregs.h for accessing -both registers. 
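Review bot: the open-coded sequences still expand to more than one instruction (two for `_MIPS_SZPTR == 32`, seven for 64-bit), so the hunk silences the assembler warning without changing the delay-slot situation; if `PTR_LA t1,cpu_mask_nr_tbl` really sat in a branch delay slot, only its first instruction executes when that branch is taken, which is only correct if t1 is consumed solely on the fall-through path. The preceding branch is outside the hunk context, so state that invariant in a comment next to the sequence. In the 64-bit path the `.set noat` block uses `AT` as a scratch register, which is safe only while every instruction inside it (`lui`, `daddiu`, `dsll`, `daddu`) assembles as a single native instruction rather than a macro that would itself claim `AT`; a comment recording that assumption would help. The same applies to the second hunk for `asic_mask_nr_tbl`.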
- -Fixes: 609cf6f2291a ("MIPS: CPS: Early debug using an ns16550-compatible UART") -Signed-off-by: James Hogan -Acked-by: Jayachandran C -Cc: linux-mips@linux-mips.org -Patchwork: https://patchwork.linux-mips.org/patch/13183/ -Signed-off-by: Ralf Baechle -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/netlogic/common/reset.S | 11 +++++------ - arch/mips/netlogic/common/smpboot.S | 4 +--- - 2 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/arch/mips/netlogic/common/reset.S b/arch/mips/netlogic/common/reset.S -index edbab9b8691f..c474981a6c0d 100644 ---- a/arch/mips/netlogic/common/reset.S -+++ b/arch/mips/netlogic/common/reset.S -@@ -50,7 +50,6 @@ - #include - #include - --#define CP0_EBASE $15 - #define SYS_CPU_COHERENT_BASE CKSEG1ADDR(XLP_DEFAULT_IO_BASE) + \ - XLP_IO_SYS_OFFSET(0) + XLP_IO_PCI_HDRSZ + \ - SYS_CPU_NONCOHERENT_MODE * 4 -@@ -92,7 +91,7 @@ - * registers. On XLPII CPUs, usual cache instructions work. - */ - .macro xlp_flush_l1_dcache -- mfc0 t0, CP0_EBASE, 0 -+ mfc0 t0, CP0_PRID - andi t0, t0, PRID_IMP_MASK - slt t1, t0, 0x1200 - beqz t1, 15f -@@ -171,7 +170,7 @@ FEXPORT(nlm_reset_entry) - nop - - 1: /* Entry point on core wakeup */ -- mfc0 t0, CP0_EBASE, 0 /* processor ID */ -+ mfc0 t0, CP0_PRID /* processor ID */ - andi t0, PRID_IMP_MASK - li t1, 0x1500 /* XLP 9xx */ - beq t0, t1, 2f /* does not need to set coherent */ -@@ -182,8 +181,8 @@ FEXPORT(nlm_reset_entry) - nop - - /* set bit in SYS coherent register for the core */ -- mfc0 t0, CP0_EBASE, 1 -- mfc0 t1, CP0_EBASE, 1 -+ mfc0 t0, CP0_EBASE -+ mfc0 t1, CP0_EBASE - srl t1, 5 - andi t1, 0x3 /* t1 <- node */ - li t2, 0x40000 -@@ -232,7 +231,7 @@ EXPORT(nlm_boot_siblings) - - * NOTE: All GPR contents are lost after the mtcr above! 
- */ -- mfc0 v0, CP0_EBASE, 1 -+ mfc0 v0, CP0_EBASE - andi v0, 0x3ff /* v0 <- node/core */ - - /* -diff --git a/arch/mips/netlogic/common/smpboot.S b/arch/mips/netlogic/common/smpboot.S -index 805355b0bd05..f0cc4c9de2bb 100644 ---- a/arch/mips/netlogic/common/smpboot.S -+++ b/arch/mips/netlogic/common/smpboot.S -@@ -48,8 +48,6 @@ - #include - #include - --#define CP0_EBASE $15 -- - .set noreorder - .set noat - .set arch=xlr /* for mfcr/mtcr, XLR is sufficient */ -@@ -86,7 +84,7 @@ NESTED(nlm_boot_secondary_cpus, 16, sp) - PTR_L gp, 0(t1) - - /* a0 has the processor id */ -- mfc0 a0, CP0_EBASE, 1 -+ mfc0 a0, CP0_EBASE - andi a0, 0x3ff /* a0 <- node/core */ - PTR_LA t0, nlm_early_init_secondary - jalr t0 --- -2.12.2 - -From 2ca39d1300152e70977797c3e39c105adfcc0e0b Mon Sep 17 00:00:00 2001 -From: Ravi Bangoria -Date: Tue, 14 Feb 2017 14:46:42 +0530 -Subject: [PATCH 054/251] powerpc: Emulation support for load/store - instructions on LE -Status: RO -Content-Length: 3197 -Lines: 106 - -commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream. - -emulate_step() uses a number of underlying kernel functions that were -initially not enabled for LE. This has been rectified since. So, fix -emulate_step() for LE for the corresponding instructions. 
- -Reported-by: Anton Blanchard -Signed-off-by: Ravi Bangoria -Signed-off-by: Michael Ellerman -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/lib/sstep.c | 20 -------------------- - 1 file changed, 20 deletions(-) - -diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c -index dc885b30f7a6..4014881e9843 100644 ---- a/arch/powerpc/lib/sstep.c -+++ b/arch/powerpc/lib/sstep.c -@@ -1806,8 +1806,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto instr_done; - - case LARX: -- if (regs->msr & MSR_LE) -- return 0; - if (op.ea & (size - 1)) - break; /* can't handle misaligned */ - err = -EFAULT; -@@ -1829,8 +1827,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto ldst_done; - - case STCX: -- if (regs->msr & MSR_LE) -- return 0; - if (op.ea & (size - 1)) - break; /* can't handle misaligned */ - err = -EFAULT; -@@ -1854,8 +1850,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto ldst_done; - - case LOAD: -- if (regs->msr & MSR_LE) -- return 0; - err = read_mem(®s->gpr[op.reg], op.ea, size, regs); - if (!err) { - if (op.type & SIGNEXT) -@@ -1867,8 +1861,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - - #ifdef CONFIG_PPC_FPU - case LOAD_FP: -- if (regs->msr & MSR_LE) -- return 0; - if (size == 4) - err = do_fp_load(op.reg, do_lfs, op.ea, size, regs); - else -@@ -1877,15 +1869,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - #endif - #ifdef CONFIG_ALTIVEC - case LOAD_VMX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs); - goto ldst_done; - #endif - #ifdef CONFIG_VSX - case LOAD_VSX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs); - goto ldst_done; - #endif -@@ -1908,8 +1896,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto instr_done; - - case STORE: -- if (regs->msr & MSR_LE) -- return 0; - if 
((op.type & UPDATE) && size == sizeof(long) && - op.reg == 1 && op.update_reg == 1 && - !(regs->msr & MSR_PR) && -@@ -1922,8 +1908,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - - #ifdef CONFIG_PPC_FPU - case STORE_FP: -- if (regs->msr & MSR_LE) -- return 0; - if (size == 4) - err = do_fp_store(op.reg, do_stfs, op.ea, size, regs); - else -@@ -1932,15 +1916,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - #endif - #ifdef CONFIG_ALTIVEC - case STORE_VMX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs); - goto ldst_done; - #endif - #ifdef CONFIG_VSX - case STORE_VSX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs); - goto ldst_done; - #endif --- -2.12.2 - -From b0e85701a7766341618d5e924f29f359431f9c91 Mon Sep 17 00:00:00 2001 -From: Janosch Frank -Date: Thu, 2 Mar 2017 15:23:42 +0100 -Subject: [PATCH 068/251] KVM: s390: Fix guest migration for huge guests - resulting in panic -Status: RO -Content-Length: 1904 -Lines: 58 - -commit 2e4d88009f57057df7672fa69a32b5224af54d37 upstream. - -While we can technically not run huge page guests right now, we can -setup a guest with huge pages. Trying to migrate it will trigger a -VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it -will happily try to work on non-existing page table entries. - -With this patch, we always return "dirty" if we encounter a large page -when migrating. This at least fixes the immediate problem until we -have proper handling for both kind of pages. 
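Review bot: every sstep.c hunk deletes an `if (regs->msr & MSR_LE) return 0;` guard (LARX, STCX, LOAD, LOAD_FP, LOAD_VMX, LOAD_VSX, STORE, STORE_FP, STORE_VMX, STORE_VSX) on the strength of the message's statement that the underlying helpers "have been rectified since"; for a 4.4 stable backport that premise has to be checked against this tree's read_mem()/write_mem(), do_fp_load()/do_fp_store(), do_vec_load()/do_vec_store() and do_vsx_load()/do_vsx_store(), because once the guard is gone emulate_step() emulates rather than declining with `return 0`, and a helper that still assumes big-endian byte order would silently corrupt register or memory contents under a probe. Citing the upstream commits that made those helpers LE-safe in the message would document why the guards can be dropped on this branch.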
- -Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.") -Cc: # 3.16+ - -Signed-off-by: Janosch Frank -Acked-by: Christian Borntraeger -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/mm/pgtable.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c -index 8345ae1f117d..05ae254f84cf 100644 ---- a/arch/s390/mm/pgtable.c -+++ b/arch/s390/mm/pgtable.c -@@ -1237,11 +1237,28 @@ EXPORT_SYMBOL_GPL(s390_reset_cmma); - */ - bool gmap_test_and_clear_dirty(unsigned long address, struct gmap *gmap) - { -+ pgd_t *pgd; -+ pud_t *pud; -+ pmd_t *pmd; - pte_t *pte; - spinlock_t *ptl; - bool dirty = false; - -- pte = get_locked_pte(gmap->mm, address, &ptl); -+ pgd = pgd_offset(gmap->mm, address); -+ pud = pud_alloc(gmap->mm, pgd, address); -+ if (!pud) -+ return false; -+ pmd = pmd_alloc(gmap->mm, pud, address); -+ if (!pmd) -+ return false; -+ /* We can't run guests backed by huge pages, but userspace can -+ * still set them up and then try to migrate them without any -+ * migration support. 
-+ */ -+ if (pmd_large(*pmd)) -+ return true; -+ -+ pte = pte_alloc_map_lock(gmap->mm, pmd, address, &ptl); - if (unlikely(!pte)) - return false; - --- -2.12.2 - -From 28ec98bc2e4a175b60f45d505e715a33b93dd077 Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Sat, 18 Mar 2017 19:10:23 +0800 -Subject: [PATCH 073/251] Linux 4.4.55 -Content-Length: 301 -Lines: 18 - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 7f54ac081cf3..d9cc21df444d 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 4 --SUBLEVEL = 54 -+SUBLEVEL = 55 - EXTRAVERSION = - NAME = Blurry Fish Butt - --- -2.12.2 - -From 2681a7853ad73bfebc3a683765a496bb283c6648 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 3 Mar 2017 14:08:21 -0800 -Subject: [PATCH 082/251] tcp: fix various issues for sockets morphing to - listen state -Content-Length: 2289 -Lines: 72 - -[ Upstream commit 02b2faaf0af1d85585f6d6980e286d53612acfc2 ] - -Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting -tcp_disconnect() path that was never really considered and/or used -before syzkaller ;) - -I was not able to reproduce the bug, but it seems issues here are the -three possible actions that assumed they would never trigger on a -listener. - -1) tcp_write_timer_handler -2) tcp_delack_timer_handler -3) MTU reduction - -Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN - states from tcp_v6_mtu_reduced() - -Signed-off-by: Eric Dumazet -Reported-by: Dmitry Vyukov -Signed-off-by: David S. 
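Review bot: in gmap_test_and_clear_dirty() the new `if (pmd_large(*pmd)) return true;` reports a huge-page-backed address as dirty on every call and clears nothing, so a migration loop over such a guest keeps resending those pages and never converges; that is the intended stopgap per the message ("This at least fixes the immediate problem"), but the in-code comment should say the result is deliberately sticky. Two smaller points: the walk uses pud_alloc()/pmd_alloc(), so a dirty-bitmap query can allocate page-table levels for addresses that have none; and the `if (!pud) return false;` / `if (!pmd) return false;` branches turn an allocation failure into "clean", which is the unsafe direction for migration (a page reported clean is not resent), so returning true there, as the huge-page case does, would be the conservative choice.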
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv4/tcp_ipv4.c | 7 +++++-- - net/ipv4/tcp_timer.c | 6 ++++-- - 2 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index b58a38eea059..f66d4b5d47f9 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -271,10 +271,13 @@ EXPORT_SYMBOL(tcp_v4_connect); - */ - void tcp_v4_mtu_reduced(struct sock *sk) - { -- struct dst_entry *dst; - struct inet_sock *inet = inet_sk(sk); -- u32 mtu = tcp_sk(sk)->mtu_info; -+ struct dst_entry *dst; -+ u32 mtu; - -+ if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) -+ return; -+ mtu = tcp_sk(sk)->mtu_info; - dst = inet_csk_update_pmtu(sk, mtu); - if (!dst) - return; -diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c -index 193ba1fa8a9a..ebb34d0c5e80 100644 ---- a/net/ipv4/tcp_timer.c -+++ b/net/ipv4/tcp_timer.c -@@ -223,7 +223,8 @@ void tcp_delack_timer_handler(struct sock *sk) - - sk_mem_reclaim_partial(sk); - -- if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) -+ if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) || -+ !(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) - goto out; - - if (time_after(icsk->icsk_ack.timeout, jiffies)) { -@@ -504,7 +505,8 @@ void tcp_write_timer_handler(struct sock *sk) - struct inet_connection_sock *icsk = inet_csk(sk); - int event; - -- if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending) -+ if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) || -+ !icsk->icsk_pending) - goto out; - - if (time_after(icsk->icsk_timeout, jiffies)) { --- -2.12.2 - -From 9e7683301beef0cef8254eecb661e7eac3146717 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 3 Mar 2017 21:01:02 -0800 -Subject: [PATCH 083/251] net: fix socket refcounting in - skb_complete_wifi_ack() -Content-Length: 1864 -Lines: 58 - -[ Upstream commit dd4f10722aeb10f4f582948839f066bebe44e5fb ] - -TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt -By the time TX completion 
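Review bot: the three hunks each add TCP_LISTEN to an existing TCP_CLOSE bail-out (`(1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)`), but none carries a comment on why a listener must never proceed through tcp_v4_mtu_reduced(), tcp_delack_timer_handler() or tcp_write_timer_handler(); since the trigger is a socket morphing back to a listener through tcp_disconnect() while a timer or MTU event is still pending, a one-line comment citing that (and the syzkaller divide-by-zero from the message) would keep a future refactor from dropping the check. In tcp_v4_mtu_reduced() the guard correctly precedes the `mtu = tcp_sk(sk)->mtu_info;` read, and the diffstat touching only tcp_ipv4.c and tcp_timer.c is consistent with the message's note that tcp_v6_mtu_reduced() already tested both states.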
happens, sk_refcnt might be already 0. - -sock_hold()/sock_put() would then corrupt critical state, like -sk_wmem_alloc. - -Fixes: bf7fa551e0ce ("mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path") -Signed-off-by: Eric Dumazet -Cc: Alexander Duyck -Cc: Johannes Berg -Cc: Soheil Hassas Yeganeh -Cc: Willem de Bruijn -Acked-by: Soheil Hassas Yeganeh -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/core/skbuff.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 4968b5ddea69..370f4f86e2b5 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3735,7 +3735,7 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked) - { - struct sock *sk = skb->sk; - struct sock_exterr_skb *serr; -- int err; -+ int err = 1; - - skb->wifi_acked_valid = 1; - skb->wifi_acked = acked; -@@ -3745,14 +3745,15 @@ void skb_complete_wifi_ack(struct sk_buff *skb, bool acked) - serr->ee.ee_errno = ENOMSG; - serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS; - -- /* take a reference to prevent skb_orphan() from freeing the socket */ -- sock_hold(sk); -- -- err = sock_queue_err_skb(sk, skb); -+ /* Take a reference to prevent skb_orphan() from freeing the socket, -+ * but only if the socket refcount is not zero. 
-+ */ -+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { -+ err = sock_queue_err_skb(sk, skb); -+ sock_put(sk); -+ } - if (err) - kfree_skb(skb); -- -- sock_put(sk); - } - EXPORT_SYMBOL_GPL(skb_complete_wifi_ack); - --- -2.12.2 - -From ec4d8692b76e08a40221eb7c74775a390114f098 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 3 Mar 2017 21:01:03 -0800 -Subject: [PATCH 084/251] net: fix socket refcounting in - skb_complete_tx_timestamp() -Content-Length: 1731 -Lines: 49 - -[ Upstream commit 9ac25fc063751379cb77434fef9f3b088cd3e2f7 ] - -TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt -By the time TX completion happens, sk_refcnt might be already 0. - -sock_hold()/sock_put() would then corrupt critical state, like -sk_wmem_alloc and lead to leaks or use after free. - -Fixes: 62bccb8cdb69 ("net-timestamp: Make the clone operation stand-alone from phy timestamping") -Signed-off-by: Eric Dumazet -Cc: Alexander Duyck -Cc: Johannes Berg -Cc: Soheil Hassas Yeganeh -Cc: Willem de Bruijn -Acked-by: Soheil Hassas Yeganeh -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/core/skbuff.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 370f4f86e2b5..73dfd7729bc9 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3678,13 +3678,14 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, - if (!skb_may_tx_timestamp(sk, false)) - return; - -- /* take a reference to prevent skb_orphan() from freeing the socket */ -- sock_hold(sk); -- -- *skb_hwtstamps(skb) = *hwtstamps; -- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); -- -- sock_put(sk); -+ /* Take a reference to prevent skb_orphan() from freeing the socket, -+ * but only if the socket refcount is not zero. 
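Review bot: initializing `int err = 1;` is what makes the refcount-zero path free the skb (`if (err) kfree_skb(skb);` is reached with err still 1 when `atomic_inc_not_zero(&sk->sk_refcnt)` fails), which is subtle enough to deserve a comment at the declaration rather than only on the if-block. Otherwise the shape is right: `sock_hold()` on a socket whose sk_refcnt may already be 0 resurrects a dead object, while `atomic_inc_not_zero()` with `sock_put()` inside the successful branch keeps the hold strictly paired.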
-+ */ -+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { -+ *skb_hwtstamps(skb) = *hwtstamps; -+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); -+ sock_put(sk); -+ } - } - EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp); - --- -2.12.2 - -From d0ebde92fbeb98eedbfce15cef3c86b652846d25 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sun, 5 Mar 2017 10:52:16 -0800 -Subject: [PATCH 085/251] dccp: fix use-after-free in dccp_feat_activate_values -Content-Length: 9868 -Lines: 235 - -[ Upstream commit 62f8f4d9066c1c6f2474845d1ca7e2891f2ae3fd ] - -Dmitry reported crashes in DCCP stack [1] - -Problem here is that when I got rid of listener spinlock, I missed the -fact that DCCP stores a complex state in struct dccp_request_sock, -while TCP does not. - -Since multiple cpus could access it at the same time, we need to add -protection. - -[1] -BUG: KASAN: use-after-free in dccp_feat_activate_values+0x967/0xab0 -net/dccp/feat.c:1541 at addr ffff88003713be68 -Read of size 8 by task syz-executor2/8457 -CPU: 2 PID: 8457 Comm: syz-executor2 Not tainted 4.10.0-rc7+ #127 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -Call Trace: - - __dump_stack lib/dump_stack.c:15 [inline] - dump_stack+0x292/0x398 lib/dump_stack.c:51 - kasan_object_err+0x1c/0x70 mm/kasan/report.c:162 - print_address_description mm/kasan/report.c:200 [inline] - kasan_report_error mm/kasan/report.c:289 [inline] - kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311 - kasan_report mm/kasan/report.c:332 [inline] - __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332 - dccp_feat_activate_values+0x967/0xab0 net/dccp/feat.c:1541 - dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121 - dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457 - dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186 - dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711 - ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279 - NF_HOOK include/linux/netfilter.h:257 [inline] - 
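Review bot: when `atomic_inc_not_zero(&sk->sk_refcnt)` fails in skb_complete_tx_timestamp() the skb is neither queued nor freed, so unless every caller frees an skb this function does not consume, the zero-refcount path leaks it; compare the sibling skb_complete_wifi_ack() hunk in this series, which seeds `err = 1` so the same path ends in kfree_skb(). An `else kfree_skb(skb);` branch, or a comment stating that ownership stays with the caller, would settle the question. The preceding `if (!skb_may_tx_timestamp(sk, false)) return;` has the same ownership ambiguity and is worth checking at the same time.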
ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322 - dst_input include/net/dst.h:507 [inline] - ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69 - NF_HOOK include/linux/netfilter.h:257 [inline] - ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203 - __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190 - __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228 - process_backlog+0xe5/0x6c0 net/core/dev.c:4839 - napi_poll net/core/dev.c:5202 [inline] - net_rx_action+0xe70/0x1900 net/core/dev.c:5267 - __do_softirq+0x2fb/0xb7d kernel/softirq.c:284 - do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902 - - do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328 - do_softirq kernel/softirq.c:176 [inline] - __local_bh_enable_ip+0x1f2/0x200 kernel/softirq.c:181 - local_bh_enable include/linux/bottom_half.h:31 [inline] - rcu_read_unlock_bh include/linux/rcupdate.h:971 [inline] - ip6_finish_output2+0xbb0/0x23d0 net/ipv6/ip6_output.c:123 - ip6_finish_output+0x302/0x960 net/ipv6/ip6_output.c:148 - NF_HOOK_COND include/linux/netfilter.h:246 [inline] - ip6_output+0x1cb/0x8d0 net/ipv6/ip6_output.c:162 - ip6_xmit+0xcdf/0x20d0 include/net/dst.h:501 - inet6_csk_xmit+0x320/0x5f0 net/ipv6/inet6_connection_sock.c:179 - dccp_transmit_skb+0xb09/0x1120 net/dccp/output.c:141 - dccp_xmit_packet+0x215/0x760 net/dccp/output.c:280 - dccp_write_xmit+0x168/0x1d0 net/dccp/output.c:362 - dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796 - inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 - sock_sendmsg_nosec net/socket.c:635 [inline] - sock_sendmsg+0xca/0x110 net/socket.c:645 - SYSC_sendto+0x660/0x810 net/socket.c:1687 - SyS_sendto+0x40/0x50 net/socket.c:1655 - entry_SYSCALL_64_fastpath+0x1f/0xc2 -RIP: 0033:0x4458b9 -RSP: 002b:00007f8ceb77bb58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 00000000004458b9 -RDX: 0000000000000023 RSI: 0000000020e60000 RDI: 0000000000000017 -RBP: 00000000006e1b90 R08: 00000000200f9fe1 R09: 0000000000000020 -R10: 0000000000008010 
R11: 0000000000000282 R12: 00000000007080a8 -R13: 0000000000000000 R14: 00007f8ceb77c9c0 R15: 00007f8ceb77c700 -Object at ffff88003713be50, in cache kmalloc-64 size: 64 -Allocated: -PID = 8446 - save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 - save_stack+0x43/0xd0 mm/kasan/kasan.c:502 - set_track mm/kasan/kasan.c:514 [inline] - kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605 - kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2738 - kmalloc include/linux/slab.h:490 [inline] - dccp_feat_entry_new+0x214/0x410 net/dccp/feat.c:467 - dccp_feat_push_change+0x38/0x220 net/dccp/feat.c:487 - __feat_register_sp+0x223/0x2f0 net/dccp/feat.c:741 - dccp_feat_propagate_ccid+0x22b/0x2b0 net/dccp/feat.c:949 - dccp_feat_server_ccid_dependencies+0x1b3/0x250 net/dccp/feat.c:1012 - dccp_make_response+0x1f1/0xc90 net/dccp/output.c:423 - dccp_v6_send_response+0x4ec/0xc20 net/dccp/ipv6.c:217 - dccp_v6_conn_request+0xaba/0x11b0 net/dccp/ipv6.c:377 - dccp_rcv_state_process+0x51e/0x1650 net/dccp/input.c:606 - dccp_v6_do_rcv+0x213/0x350 net/dccp/ipv6.c:632 - sk_backlog_rcv include/net/sock.h:893 [inline] - __sk_receive_skb+0x36f/0xcc0 net/core/sock.c:479 - dccp_v6_rcv+0xba5/0x1d00 net/dccp/ipv6.c:742 - ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279 - NF_HOOK include/linux/netfilter.h:257 [inline] - ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322 - dst_input include/net/dst.h:507 [inline] - ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69 - NF_HOOK include/linux/netfilter.h:257 [inline] - ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203 - __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190 - __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228 - process_backlog+0xe5/0x6c0 net/core/dev.c:4839 - napi_poll net/core/dev.c:5202 [inline] - net_rx_action+0xe70/0x1900 net/core/dev.c:5267 - __do_softirq+0x2fb/0xb7d kernel/softirq.c:284 -Freed: -PID = 15 - save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 - save_stack+0x43/0xd0 mm/kasan/kasan.c:502 - set_track 
mm/kasan/kasan.c:514 [inline] - kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578 - slab_free_hook mm/slub.c:1355 [inline] - slab_free_freelist_hook mm/slub.c:1377 [inline] - slab_free mm/slub.c:2954 [inline] - kfree+0xe8/0x2b0 mm/slub.c:3874 - dccp_feat_entry_destructor.part.4+0x48/0x60 net/dccp/feat.c:418 - dccp_feat_entry_destructor net/dccp/feat.c:416 [inline] - dccp_feat_list_pop net/dccp/feat.c:541 [inline] - dccp_feat_activate_values+0x57f/0xab0 net/dccp/feat.c:1543 - dccp_create_openreq_child+0x464/0x610 net/dccp/minisocks.c:121 - dccp_v6_request_recv_sock+0x1f6/0x1960 net/dccp/ipv6.c:457 - dccp_check_req+0x335/0x5a0 net/dccp/minisocks.c:186 - dccp_v6_rcv+0x69e/0x1d00 net/dccp/ipv6.c:711 - ip6_input_finish+0x46d/0x17a0 net/ipv6/ip6_input.c:279 - NF_HOOK include/linux/netfilter.h:257 [inline] - ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322 - dst_input include/net/dst.h:507 [inline] - ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69 - NF_HOOK include/linux/netfilter.h:257 [inline] - ipv6_rcv+0x12ec/0x23d0 net/ipv6/ip6_input.c:203 - __netif_receive_skb_core+0x1ae5/0x3400 net/core/dev.c:4190 - __netif_receive_skb+0x2a/0x170 net/core/dev.c:4228 - process_backlog+0xe5/0x6c0 net/core/dev.c:4839 - napi_poll net/core/dev.c:5202 [inline] - net_rx_action+0xe70/0x1900 net/core/dev.c:5267 - __do_softirq+0x2fb/0xb7d kernel/softirq.c:284 -Memory state around the buggy address: - ffff88003713bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff88003713bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ->ffff88003713be00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb - ^ - -Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") -Signed-off-by: Eric Dumazet -Reported-by: Dmitry Vyukov -Tested-by: Dmitry Vyukov -Signed-off-by: David S. 
Miller -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/dccp.h | 1 + - net/dccp/minisocks.c | 24 ++++++++++++++++-------- - 2 files changed, 17 insertions(+), 8 deletions(-) - -diff --git a/include/linux/dccp.h b/include/linux/dccp.h -index 61d042bbbf60..68449293c4b6 100644 ---- a/include/linux/dccp.h -+++ b/include/linux/dccp.h -@@ -163,6 +163,7 @@ struct dccp_request_sock { - __u64 dreq_isr; - __u64 dreq_gsr; - __be32 dreq_service; -+ spinlock_t dreq_lock; - struct list_head dreq_featneg; - __u32 dreq_timestamp_echo; - __u32 dreq_timestamp_time; -diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c -index e314caa39176..68eed344b471 100644 ---- a/net/dccp/minisocks.c -+++ b/net/dccp/minisocks.c -@@ -146,6 +146,13 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb, - struct dccp_request_sock *dreq = dccp_rsk(req); - bool own_req; - -+ /* TCP/DCCP listeners became lockless. -+ * DCCP stores complex state in its request_sock, so we need -+ * a protection for them, now this code runs without being protected -+ * by the parent (listener) lock. 
-+ */ -+ spin_lock_bh(&dreq->dreq_lock); -+ - /* Check for retransmitted REQUEST */ - if (dccp_hdr(skb)->dccph_type == DCCP_PKT_REQUEST) { - -@@ -160,7 +167,7 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb, - inet_rtx_syn_ack(sk, req); - } - /* Network Duplicate, discard packet */ -- return NULL; -+ goto out; - } - - DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_PACKET_ERROR; -@@ -186,20 +193,20 @@ struct sock *dccp_check_req(struct sock *sk, struct sk_buff *skb, - - child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL, - req, &own_req); -- if (!child) -- goto listen_overflow; -- -- return inet_csk_complete_hashdance(sk, child, req, own_req); -+ if (child) { -+ child = inet_csk_complete_hashdance(sk, child, req, own_req); -+ goto out; -+ } - --listen_overflow: -- dccp_pr_debug("listen_overflow!\n"); - DCCP_SKB_CB(skb)->dccpd_reset_code = DCCP_RESET_CODE_TOO_BUSY; - drop: - if (dccp_hdr(skb)->dccph_type != DCCP_PKT_RESET) - req->rsk_ops->send_reset(sk, skb); - - inet_csk_reqsk_queue_drop(sk, req); -- return NULL; -+out: -+ spin_unlock_bh(&dreq->dreq_lock); -+ return child; - } - - EXPORT_SYMBOL_GPL(dccp_check_req); -@@ -250,6 +257,7 @@ int dccp_reqsk_init(struct request_sock *req, - { - struct dccp_request_sock *dreq = dccp_rsk(req); - -+ spin_lock_init(&dreq->dreq_lock); - inet_rsk(req)->ir_rmt_port = dccp_hdr(skb)->dccph_sport; - inet_rsk(req)->ir_num = ntohs(dccp_hdr(skb)->dccph_dport); - inet_rsk(req)->acked = 0; --- -2.12.2 - -From e671f1cc588f380b17e1c0ce38c7c712d13dfe93 Mon Sep 17 00:00:00 2001 -From: David Ahern -Date: Mon, 6 Mar 2017 08:53:04 -0800 -Subject: [PATCH 086/251] vrf: Fix use-after-free in vrf_xmit -Content-Length: 1945 -Lines: 52 - -[ Upstream commit f7887d40e541f74402df0684a1463c0a0bb68c68 ] - -KASAN detected a use-after-free: - -[ 269.467067] BUG: KASAN: use-after-free in vrf_xmit+0x7f1/0x827 [vrf] at addr ffff8800350a21c0 -[ 269.467067] Read of size 4 by task ssh/1879 -[ 269.467067] CPU: 1 PID: 1879 
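Review bot: the `goto out` that replaces `return NULL` on the retransmitted-REQUEST path (hunk `@@ -160,7 +167,7 @@` of net/dccp/minisocks.c) now returns `child` through the `out:` label, and the `drop:` path falls through to the same `return child`, but `child`'s declaration and initialisation are outside the visible context. Confirm `child` is initialised to NULL at its declaration (`struct sock *child = NULL;`), since both paths can be taken before `syn_recv_sock()` ever assigns it; a short comment at `out:` saying that `child` is NULL on every non-success path would make the locking rewrite easier to audit.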
Comm: ssh Not tainted 4.10.0+ #249 -[ 269.467067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 -[ 269.467067] Call Trace: -[ 269.467067] dump_stack+0x81/0xb6 -[ 269.467067] kasan_object_err+0x21/0x78 -[ 269.467067] kasan_report+0x2f7/0x450 -[ 269.467067] ? vrf_xmit+0x7f1/0x827 [vrf] -[ 269.467067] ? ip_output+0xa4/0xdb -[ 269.467067] __asan_load4+0x6b/0x6d -[ 269.467067] vrf_xmit+0x7f1/0x827 [vrf] -... - -Which corresponds to the skb access after xmit handling. Fix by saving -skb->len and using the saved value to update stats. - -Fixes: 193125dbd8eb2 ("net: Introduce VRF device driver") -Signed-off-by: David Ahern -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/vrf.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index d6b619667f1a..349aecbc210a 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -345,6 +345,7 @@ static netdev_tx_t is_ip_tx_frame(struct sk_buff *skb, struct net_device *dev) - - static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev) - { -+ int len = skb->len; - netdev_tx_t ret = is_ip_tx_frame(skb, dev); - - if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) { -@@ -352,7 +353,7 @@ static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev) - - u64_stats_update_begin(&dstats->syncp); - dstats->tx_pkts++; -- dstats->tx_bytes += skb->len; -+ dstats->tx_bytes += len; - u64_stats_update_end(&dstats->syncp); - } else { - this_cpu_inc(dev->dstats->tx_drps); --- -2.12.2 - -From 6c72458ab428ce659261fa060295e580503a5b12 Mon Sep 17 00:00:00 2001 -From: "Dmitry V. 
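Review bot: in the drivers/net/vrf.c hunk, `int len = skb->len;` stores an `unsigned int` field in a signed `int`; use `unsigned int len` so the saved value matches the type of `skb->len` and of the `tx_bytes` accumulation. Snapshotting the length before `is_ip_tx_frame()` is the right fix, since the skb may be consumed (and freed) by the time the stats are updated; a one-line comment stating that `skb` must not be touched after the call would keep the next edit from reintroducing the use-after-free.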
Levin" -Date: Tue, 7 Mar 2017 23:50:50 +0300 -Subject: [PATCH 087/251] uapi: fix linux/packet_diag.h userspace compilation - error -Content-Length: 1344 -Lines: 40 - -[ Upstream commit 745cb7f8a5de0805cade3de3991b7a95317c7c73 ] - -Replace MAX_ADDR_LEN with its numeric value to fix the following -linux/packet_diag.h userspace compilation error: - -/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function) - __u8 pdmc_addr[MAX_ADDR_LEN]; - -This is not the first case in the UAPI where the numeric value -of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h -already does the same: - -$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h - __u8 mac[32]; /* MAX_ADDR_LEN */ - -There are no UAPI headers besides these two that use MAX_ADDR_LEN. - -Signed-off-by: Dmitry V. Levin -Acked-by: Pavel Emelyanov -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - include/uapi/linux/packet_diag.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h -index d08c63f3dd6f..0c5d5dd61b6a 100644 ---- a/include/uapi/linux/packet_diag.h -+++ b/include/uapi/linux/packet_diag.h -@@ -64,7 +64,7 @@ struct packet_diag_mclist { - __u32 pdmc_count; - __u16 pdmc_type; - __u16 pdmc_alen; -- __u8 pdmc_addr[MAX_ADDR_LEN]; -+ __u8 pdmc_addr[32]; /* MAX_ADDR_LEN */ - }; - - struct packet_diag_ring { --- -2.12.2 - -From 710fbeb3f5c5441fbe002b2c1566ceaad0725c01 Mon Sep 17 00:00:00 2001 -From: Etienne Noss -Date: Fri, 10 Mar 2017 16:55:32 +0100 -Subject: [PATCH 088/251] act_connmark: avoid crashing on malformed nlattrs - with null parms -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 2433 -Lines: 53 - -[ Upstream commit 52491c7607c5527138095edf44c53169dc1ddb82 ] - -tcf_connmark_init does not check in its configuration if TCA_CONNMARK_PARMS -is set, resulting in a null pointer dereference 
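Review bot: replacing `MAX_ADDR_LEN` with the literal `32` in include/uapi/linux/packet_diag.h fixes the userspace build, but the `/* MAX_ADDR_LEN */` comment is the only thing tying the two together. Add a compile-time check such as `BUILD_BUG_ON(sizeof(((struct packet_diag_mclist *)0)->pdmc_addr) != MAX_ADDR_LEN)` in the kernel code that fills this struct, so that a future change to `MAX_ADDR_LEN` cannot silently desynchronise the exported ABI from the in-kernel copy.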
when trying to access it. - -[501099.043007] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 -[501099.043039] IP: [] tcf_connmark_init+0x8b/0x180 [act_connmark] -... -[501099.044334] Call Trace: -[501099.044345] [] ? tcf_action_init_1+0x198/0x1b0 -[501099.044363] [] ? tcf_action_init+0xb0/0x120 -[501099.044380] [] ? tcf_exts_validate+0xc4/0x110 -[501099.044398] [] ? u32_set_parms+0xa7/0x270 [cls_u32] -[501099.044417] [] ? u32_change+0x680/0x87b [cls_u32] -[501099.044436] [] ? tc_ctl_tfilter+0x4dd/0x8a0 -[501099.044454] [] ? security_capable+0x41/0x60 -[501099.044471] [] ? rtnetlink_rcv_msg+0xe1/0x220 -[501099.044490] [] ? rtnl_newlink+0x870/0x870 -[501099.044507] [] ? netlink_rcv_skb+0xa1/0xc0 -[501099.044524] [] ? rtnetlink_rcv+0x24/0x30 -[501099.044541] [] ? netlink_unicast+0x184/0x230 -[501099.044558] [] ? netlink_sendmsg+0x2f8/0x3b0 -[501099.044576] [] ? sock_sendmsg+0x30/0x40 -[501099.044592] [] ? SYSC_sendto+0xd3/0x150 -[501099.044608] [] ? __do_page_fault+0x2d1/0x510 -[501099.044626] [] ? system_call_fast_compare_end+0xc/0x9b - -Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action") -Signed-off-by: Étienne Noss -Signed-off-by: Victorien Molle -Acked-by: Cong Wang -Signed-off-by: David S. 
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/sched/act_connmark.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c -index bb41699c6c49..7ecb14f3db54 100644 ---- a/net/sched/act_connmark.c -+++ b/net/sched/act_connmark.c -@@ -109,6 +109,9 @@ static int tcf_connmark_init(struct net *net, struct nlattr *nla, - if (ret < 0) - return ret; - -+ if (!tb[TCA_CONNMARK_PARMS]) -+ return -EINVAL; -+ - parm = nla_data(tb[TCA_CONNMARK_PARMS]); - - if (!tcf_hash_check(parm->index, a, bind)) { --- -2.12.2 - -From b57955ea30e13aa37e5955bf20617f839f32c560 Mon Sep 17 00:00:00 2001 -From: David Ahern -Date: Fri, 10 Mar 2017 09:46:15 -0800 -Subject: [PATCH 089/251] mpls: Send route delete notifications when router - module is unloaded -Content-Length: 1050 -Lines: 29 - -[ Upstream commit e37791ec1ad785b59022ae211f63a16189bacebf ] - -When the mpls_router module is unloaded, mpls routes are deleted but -notifications are not sent to userspace leaving userspace caches -out of sync. Add the call to mpls_notify_route in mpls_net_exit as -routes are freed. - -Fixes: 0189197f44160 ("mpls: Basic routing support") -Signed-off-by: David Ahern -Signed-off-by: David S. 
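Review bot: the new `if (!tb[TCA_CONNMARK_PARMS]) return -EINVAL;` in net/sched/act_connmark.c closes the NULL dereference from an unprivileged-reachable netlink path, but presence alone is not enough: confirm that the policy passed to the parse call just above (`ret < 0` check, policy not in the visible context) pins `TCA_CONNMARK_PARMS` to `sizeof(struct tc_connmark)`, otherwise `nla_data()` on a short attribute yields an out-of-bounds read of `parm->index`. The same pattern (attribute optional in the policy, mandatory in the handler) is worth grepping for in the other `tcf_*_init` functions.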
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/mpls/af_mpls.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c -index 881bc2072809..52cfc4478511 100644 ---- a/net/mpls/af_mpls.c -+++ b/net/mpls/af_mpls.c -@@ -1567,6 +1567,7 @@ static void mpls_net_exit(struct net *net) - for (index = 0; index < platform_labels; index++) { - struct mpls_route *rt = rtnl_dereference(platform_label[index]); - RCU_INIT_POINTER(platform_label[index], NULL); -+ mpls_notify_route(net, index, rt, NULL, NULL); - mpls_rt_free(rt); - } - rtnl_unlock(); --- -2.12.2 - -From 5f8bc3856e285cc12597879039c17f7397f4b37d Mon Sep 17 00:00:00 2001 -From: Sabrina Dubroca -Date: Mon, 13 Mar 2017 13:28:09 +0100 -Subject: [PATCH 090/251] ipv6: make ECMP route replacement less greedy -Content-Length: 2282 -Lines: 67 - -[ Upstream commit 67e194007be08d071294456274dd53e0a04fdf90 ] - -Commit 27596472473a ("ipv6: fix ECMP route replacement") introduced a -loop that removes all siblings of an ECMP route that is being -replaced. However, this loop doesn't stop when it has replaced -siblings, and keeps removing other routes with a higher metric. -We also end up triggering the WARN_ON after the loop, because after -this nsiblings < 0. - -Instead, stop the loop when we have taken care of all routes with the -same metric as the route being replaced. 
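Review bot: the net/mpls/af_mpls.c hunk calls `mpls_notify_route(net, index, rt, NULL, NULL)` for every index in `platform_labels`, including labels that were never configured, so `rt` is NULL for most iterations; confirm `mpls_notify_route()` tolerates a NULL old route the way `mpls_rt_free()` evidently does, or guard the call with `if (rt)`. The notification is issued after `RCU_INIT_POINTER(platform_label[index], NULL)` and while rtnl is still held (see the `rtnl_unlock()` in the trailing context), which is the right ordering for userspace caches to see a consistent delete.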
- - Reproducer: - =========== - #!/bin/sh - - ip netns add ns1 - ip netns add ns2 - ip -net ns1 link set lo up - - for x in 0 1 2 ; do - ip link add veth$x netns ns2 type veth peer name eth$x netns ns1 - ip -net ns1 link set eth$x up - ip -net ns2 link set veth$x up - done - - ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \ - nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2 - ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256 - ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048 - - echo "before replace, 3 routes" - ip -net ns1 -6 r | grep -v '^fe80\|^ff00' - echo - - ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \ - nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2 - - echo "after replace, only 2 routes, metric 2048 is gone" - ip -net ns1 -6 r | grep -v '^fe80\|^ff00' - -Fixes: 27596472473a ("ipv6: fix ECMP route replacement") -Signed-off-by: Sabrina Dubroca -Acked-by: Nicolas Dichtel -Reviewed-by: Xin Long -Reviewed-by: Michal Kubecek -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv6/ip6_fib.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c -index 34cf46d74554..85bf86458706 100644 ---- a/net/ipv6/ip6_fib.c -+++ b/net/ipv6/ip6_fib.c -@@ -903,6 +903,8 @@ add: - ins = &rt->dst.rt6_next; - iter = *ins; - while (iter) { -+ if (iter->rt6i_metric > rt->rt6i_metric) -+ break; - if (rt6_qualify_for_ecmp(iter)) { - *ins = iter->dst.rt6_next; - fib6_purge_rt(iter, fn, info->nl_net); --- -2.12.2 - -From aed728c38c483650885dfd975dd9f4903e5505bf Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Mon, 13 Mar 2017 16:24:28 +0100 -Subject: [PATCH 091/251] ipv6: avoid write to a possibly cloned skb -Content-Length: 1969 -Lines: 61 - -[ Upstream commit 79e49503efe53a8c51d8b695bedc8a346c5e4a87 ] - -ip6_fragment, in case skb has a fraglist, checks if the -skb is cloned. 
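Review bot: the `if (iter->rt6i_metric > rt->rt6i_metric) break;` added in net/ipv6/ip6_fib.c relies on the sibling list at `ins` being kept sorted by ascending metric by the insertion code above the hunk; that invariant is what makes an early `break` equivalent to "all routes with the same metric have been handled", and it deserves a one-line comment at the `break`, since the loop otherwise reads as a plain scan. The reproducer in the commit message would make a good selftest under tools/testing/selftests/net, so the regression is caught automatically rather than by a WARN_ON at runtime.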
If it is, it will move to the 'slow path' and allocates -new skbs for each fragment. - -However, right before entering the slowpath loop, it updates the -nexthdr value of the last ipv6 extension header to NEXTHDR_FRAGMENT, -to account for the fragment header that will be inserted in the new -ipv6-fragment skbs. - -In case original skb is cloned this munges nexthdr value of another -skb. Avoid this by doing the nexthdr update for each of the new fragment -skbs separately. - -This was observed with tcpdump on a bridge device where netfilter ipv6 -reassembly is active: tcpdump shows malformed fragment headers as -the l4 header (icmpv6, tcp, etc). is decoded as a fragment header. - -Cc: Hannes Frederic Sowa -Reported-by: Andreas Karis -Signed-off-by: Florian Westphal -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv6/ip6_output.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 58900c21e4e4..8004532fa882 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -742,13 +742,14 @@ slow_path: - * Fragment the datagram. - */ - -- *prevhdr = NEXTHDR_FRAGMENT; - troom = rt->dst.dev->needed_tailroom; - - /* - * Keep copying data until we run out. - */ - while (left > 0) { -+ u8 *fragnexthdr_offset; -+ - len = left; - /* IF: it doesn't fit, use 'mtu' - the data space left */ - if (len > mtu) -@@ -793,6 +794,10 @@ slow_path: - */ - skb_copy_from_linear_data(skb, skb_network_header(frag), hlen); - -+ fragnexthdr_offset = skb_network_header(frag); -+ fragnexthdr_offset += prevhdr - skb_network_header(skb); -+ *fragnexthdr_offset = NEXTHDR_FRAGMENT; -+ - /* - * Build fragment header. 
- */ --- -2.12.2 - -From 56f9b9502f2d15b9c7b83f9cfb32798e2e364f61 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Mon, 13 Mar 2017 17:38:17 +0100 -Subject: [PATCH 092/251] bridge: drop netfilter fake rtable unconditionally -Content-Length: 2943 -Lines: 81 - -[ Upstream commit a13b2082ece95247779b9995c4e91b4246bed023 ] - -Andreas reports kernel oops during rmmod of the br_netfilter module. -Hannes debugged the oops down to a NULL rt6info->rt6i_indev. - -Problem is that br_netfilter has the nasty concept of adding a fake -rtable to skb->dst; this happens in a br_netfilter prerouting hook. - -A second hook (in bridge LOCAL_IN) is supposed to remove these again -before the skb is handed up the stack. - -However, on module unload hooks get unregistered which means an -skb could traverse the prerouting hook that attaches the fake_rtable, -while the 'fake rtable remove' hook gets removed from the hooklist -immediately after. - -Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core") -Reported-by: Andreas Karis -Debugged-by: Hannes Frederic Sowa -Signed-off-by: Florian Westphal -Acked-by: Pablo Neira Ayuso -Signed-off-by: David S. 
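Review bot: in the net/ipv6/ip6_output.c `@@ -793,6 +794,10 @@` hunk, `fragnexthdr_offset` is a `u8 *` pointer into the new fragment's network header, not an offset; name it `fragnexthdr` (or compute an integer offset and index `skb_network_header(frag)` with it) so the pointer arithmetic `prevhdr - skb_network_header(skb)` reads as what it is, the byte offset of the last extension header's nexthdr field, and a comment should say that `prevhdr` is guaranteed to point inside the original skb's headers. Moving the write from the shared (possibly cloned) skb to each fresh fragment is the correct fix; the earlier `*prevhdr = NEXTHDR_FRAGMENT;` removal in the same file should leave the fast path's own handling untouched, which is worth stating in the commit message.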
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/bridge/br_input.c | 1 + - net/bridge/br_netfilter_hooks.c | 21 --------------------- - 2 files changed, 1 insertion(+), 21 deletions(-) - -diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c -index f7fba74108a9..e24754a0e052 100644 ---- a/net/bridge/br_input.c -+++ b/net/bridge/br_input.c -@@ -29,6 +29,7 @@ EXPORT_SYMBOL(br_should_route_hook); - static int - br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb) - { -+ br_drop_fake_rtable(skb); - return netif_receive_skb(skb); - } - -diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c -index 7ddbe7ec81d6..97fc19f001bf 100644 ---- a/net/bridge/br_netfilter_hooks.c -+++ b/net/bridge/br_netfilter_hooks.c -@@ -516,21 +516,6 @@ static unsigned int br_nf_pre_routing(void *priv, - } - - --/* PF_BRIDGE/LOCAL_IN ************************************************/ --/* The packet is locally destined, which requires a real -- * dst_entry, so detach the fake one. On the way up, the -- * packet would pass through PRE_ROUTING again (which already -- * took place when the packet entered the bridge), but we -- * register an IPv4 PRE_ROUTING 'sabotage' hook that will -- * prevent this from happening. 
*/ --static unsigned int br_nf_local_in(void *priv, -- struct sk_buff *skb, -- const struct nf_hook_state *state) --{ -- br_drop_fake_rtable(skb); -- return NF_ACCEPT; --} -- - /* PF_BRIDGE/FORWARD *************************************************/ - static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb) - { -@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = { - .priority = NF_BR_PRI_BRNF, - }, - { -- .hook = br_nf_local_in, -- .pf = NFPROTO_BRIDGE, -- .hooknum = NF_BR_LOCAL_IN, -- .priority = NF_BR_PRI_BRNF, -- }, -- { - .hook = br_nf_forward_ip, - .pf = NFPROTO_BRIDGE, - .hooknum = NF_BR_FORWARD, --- -2.12.2 - -From 4ab956b561334866dfe1b17d9c7567313e07cfa2 Mon Sep 17 00:00:00 2001 -From: Jon Maxwell -Date: Fri, 10 Mar 2017 16:40:33 +1100 -Subject: [PATCH 093/251] dccp/tcp: fix routing redirect race -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 5663 -Lines: 162 - -[ Upstream commit 45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 ] - -As Eric Dumazet pointed out this also needs to be fixed in IPv6. -v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. - -We have seen a few incidents lately where a dst_enty has been freed -with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that -dst_entry. If the conditions/timings are right a crash then ensues when the -freed dst_entry is referenced later on. A Common crashing back trace is: - - #8 [] page_fault at ffffffff8163e648 - [exception RIP: __tcp_ack_snd_check+74] -. -. 
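Review bot: the net/bridge/br_input.c hunk makes `br_drop_fake_rtable(skb)` unconditional in `br_netif_receive_skb()`, which is bridge core code, so the helper must be available whether or not the br_netfilter module is loaded; confirm it lives in the core (not the module) and is a cheap no-op when `skb->dst` is not the fake rtable, since this now runs for every locally delivered bridged frame. The deleted block comment in br_netfilter_hooks.c (why a fake dst is attached in PRE_ROUTING and why it must be detached before the skb goes up the stack) was the only documentation of the mechanism; carry a condensed version of it to the new call site rather than dropping it with the hook.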
- #9 [] tcp_rcv_established at ffffffff81580b64 -#10 [] tcp_v4_do_rcv at ffffffff8158b54a -#11 [] tcp_v4_rcv at ffffffff8158cd02 -#12 [] ip_local_deliver_finish at ffffffff815668f4 -#13 [] ip_local_deliver at ffffffff81566bd9 -#14 [] ip_rcv_finish at ffffffff8156656d -#15 [] ip_rcv at ffffffff81566f06 -#16 [] __netif_receive_skb_core at ffffffff8152b3a2 -#17 [] __netif_receive_skb at ffffffff8152b608 -#18 [] netif_receive_skb at ffffffff8152b690 -#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] -#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] -#21 [] net_rx_action at ffffffff8152bac2 -#22 [] __do_softirq at ffffffff81084b4f -#23 [] call_softirq at ffffffff8164845c -#24 [] do_softirq at ffffffff81016fc5 -#25 [] irq_exit at ffffffff81084ee5 -#26 [] do_IRQ at ffffffff81648ff8 - -Of course it may happen with other NIC drivers as well. - -It's found the freed dst_entry here: - - 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ - 225 {↩ - 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ - 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ - 228 ↩ - 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ - 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ - 231 }↩ - -But there are other backtraces attributed to the same freed dst_entry in -netfilter code as well. - -All the vmcores showed 2 significant clues: - -- Remote hosts behind the default gateway had always been redirected to a -different gateway. A rtable/dst_entry will be added for that host. Making -more dst_entrys with lower reference counts. Making this more probable. - -- All vmcores showed a postitive LockDroppedIcmps value, e.g: - -LockDroppedIcmps 267 - -A closer look at the tcp_v4_err() handler revealed that do_redirect() will run -regardless of whether user space has the socket locked. 
This can result in a -race condition where the same dst_entry cached in sk->sk_dst_entry can be -decremented twice for the same socket via: - -do_redirect()->__sk_dst_check()-> dst_release(). - -Which leads to the dst_entry being prematurely freed with another socket -pointing to it via sk->sk_dst_cache and a subsequent crash. - -To fix this skip do_redirect() if usespace has the socket locked. Instead let -the redirect take place later when user space does not have the socket -locked. - -The dccp/IPv6 code is very similar in this respect, so fixing it there too. - -As Eric Garver pointed out the following commit now invalidates routes. Which -can set the dst->obsolete flag so that ipv4_dst_check() returns null and -triggers the dst_release(). - -Fixes: ceb3320610d6 ("ipv4: Kill routes during PMTU/redirect updates.") -Cc: Eric Garver -Cc: Hannes Sowa -Signed-off-by: Jon Maxwell -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/dccp/ipv4.c | 3 ++- - net/dccp/ipv6.c | 8 +++++--- - net/ipv4/tcp_ipv4.c | 3 ++- - net/ipv6/tcp_ipv6.c | 8 +++++--- - 4 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c -index 0759f5b9180e..6467bf392e1b 100644 ---- a/net/dccp/ipv4.c -+++ b/net/dccp/ipv4.c -@@ -289,7 +289,8 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info) - - switch (type) { - case ICMP_REDIRECT: -- dccp_do_redirect(skb, sk); -+ if (!sock_owned_by_user(sk)) -+ dccp_do_redirect(skb, sk); - goto out; - case ICMP_SOURCE_QUENCH: - /* Just silently ignore these. 
*/ -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index 27c4e81efa24..8113ad58fcb4 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -122,10 +122,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, - np = inet6_sk(sk); - - if (type == NDISC_REDIRECT) { -- struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); -+ if (!sock_owned_by_user(sk)) { -+ struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); - -- if (dst) -- dst->ops->redirect(dst, sk, skb); -+ if (dst) -+ dst->ops->redirect(dst, sk, skb); -+ } - goto out; - } - -diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c -index f66d4b5d47f9..198fc2314c82 100644 ---- a/net/ipv4/tcp_ipv4.c -+++ b/net/ipv4/tcp_ipv4.c -@@ -423,7 +423,8 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info) - - switch (type) { - case ICMP_REDIRECT: -- do_redirect(icmp_skb, sk); -+ if (!sock_owned_by_user(sk)) -+ do_redirect(icmp_skb, sk); - goto out; - case ICMP_SOURCE_QUENCH: - /* Just silently ignore these. 
*/ -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 76a8c8057a23..1a63c4deef26 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -376,10 +376,12 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, - np = inet6_sk(sk); - - if (type == NDISC_REDIRECT) { -- struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); -+ if (!sock_owned_by_user(sk)) { -+ struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie); - -- if (dst) -- dst->ops->redirect(dst, sk, skb); -+ if (dst) -+ dst->ops->redirect(dst, sk, skb); -+ } - goto out; - } - --- -2.12.2 - -From 676fe978525d3d3f583e1f6463f3b25623e81afd Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Mon, 13 Mar 2017 00:01:30 +0100 -Subject: [PATCH 094/251] dccp: fix memory leak during tear-down of - unsuccessful connection request -Content-Length: 1037 -Lines: 29 - -[ Upstream commit 72ef9c4125c7b257e3a714d62d778ab46583d6a3 ] - -This patch fixes a memory leak, which happens if the connection request -is not fulfilled between parsing the DCCP options and handling the SYN -(because e.g. the backlog is full), because we forgot to free the -list of ack vectors. - -Reported-by: Jianwen Ji -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. 
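Review bot: the `if (!sock_owned_by_user(sk))` guards added to the `ICMP_REDIRECT` cases in net/ipv4/tcp_ipv4.c and net/dccp/ipv4.c (and the `NDISC_REDIRECT` blocks in the IPv6 files) discard the redirect outright when userspace holds the socket lock, while the commit message says the redirect will "take place later"; nothing in the hunks defers it, so the later redirect only happens if the peer resends the ICMP or the route is invalidated through the dst cache. A comment at the guard stating that the redirect is intentionally dropped, not queued, would prevent a reader from assuming deferred handling, and the rationale (avoiding a second `dst_release()` on `sk->sk_dst_cache` while the owner may be using it) belongs beside the check rather than only in the changelog.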
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/dccp/ccids/ccid2.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c -index f053198e730c..5e3a7302f774 100644 ---- a/net/dccp/ccids/ccid2.c -+++ b/net/dccp/ccids/ccid2.c -@@ -749,6 +749,7 @@ static void ccid2_hc_tx_exit(struct sock *sk) - for (i = 0; i < hc->tx_seqbufc; i++) - kfree(hc->tx_seqbuf[i]); - hc->tx_seqbufc = 0; -+ dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks); - } - - static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb) +@@ -901,12 +886,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = { + .priority = NF_BR_PRI_BRNF, + }, + { +- .hook = br_nf_local_in, +- .pf = NFPROTO_BRIDGE, +- .hooknum = NF_BR_LOCAL_IN, +- .priority = NF_BR_PRI_BRNF, +- }, +- { + .hook = br_nf_forward_ip, + .pf = NFPROTO_BRIDGE, + .hooknum = NF_BR_FORWARD, -- 2.12.2 @@ -2804,6 +678,7 @@ From fd74e8d258da9f9678da6bf88a0b02b2c1b71d0c Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 19 Dec 2016 14:20:13 -0800 Subject: [PATCH 096/251] fscrypt: fix renaming and linking special files +Status: RO Content-Length: 2187 Lines: 59 
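Review bot: the net/dccp/ccids/ccid2.c hunk adds `dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks)` to `ccid2_hc_tx_exit()`, which runs on every CCID2 sender teardown, so it must be safe on a list that never received a parsed ack vector; confirm `tx_av_chunks` is initialised with `INIT_LIST_HEAD()` in the matching init path (outside the visible context), otherwise the cleanup walks an uninitialised list head on sockets torn down before any options were parsed.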
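Review bot: the `+Status: RO` line added to the fscrypt "fix renaming and linking special files" patch header is a mailbox read-status header, not part of the patch; drop it from the queued file so it does not end up in the applied commit's message and so the patch header stays limited to the mail fields `git am` expects.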
@@ -2973,390 +848,35 @@ index 1a8256dd6729..5b2f2306fbcc 100644 - load_mm_cr4(current->mm); + if (current->active_mm) + load_mm_cr4(current->active_mm); - } - - static void x86_pmu_event_mapped(struct perf_event *event) --- -2.12.2 - -From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Wed, 22 Mar 2017 12:17:51 +0100 -Subject: [PATCH 102/251] Linux 4.4.56 -Content-Length: 301 -Lines: 18 - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index d9cc21df444d..cf9303a5d621 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 4 - PATCHLEVEL = 4 --SUBLEVEL = 55 -+SUBLEVEL = 56 - EXTRAVERSION = - NAME = Blurry Fish Butt - --- -2.12.2 - -From ac1a97d8a562161e42edd23e5d0f1740a3d93c85 Mon Sep 17 00:00:00 2001 -From: Chris Bainbridge -Date: Mon, 25 Apr 2016 13:48:38 +0100 -Subject: [PATCH 103/251] usb: core: hub: hub_port_init lock controller instead - of bus -Content-Length: 8176 -Lines: 219 - -commit feb26ac31a2a5cb88d86680d9a94916a6343e9e6 upstream. - -The XHCI controller presents two USB buses to the system - one for USB2 -and one for USB3. The hub init code (hub_port_init) is reentrant but -only locks one bus per thread, leading to a race condition failure when -two threads attempt to simultaneously initialise a USB2 and USB3 device: - -[ 8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command -[ 13.183701] usb 3-3: device descriptor read/all, error -110 - -On a test system this failure occurred on 6% of all boots. - -The call traces at the point of failure are: - -Call Trace: - [] schedule+0x37/0x90 - [] usb_kill_urb+0x8d/0xd0 - [] ? wake_up_atomic_t+0x30/0x30 - [] usb_start_wait_urb+0xbe/0x150 - [] usb_control_msg+0xbc/0xf0 - [] hub_port_init+0x51e/0xb70 - [] hub_event+0x817/0x1570 - [] process_one_work+0x1ff/0x620 - [] ? process_one_work+0x15f/0x620 - [] worker_thread+0x64/0x4b0 - [] ? 
rescuer_thread+0x390/0x390 - [] kthread+0x105/0x120 - [] ? kthread_create_on_node+0x200/0x200 - [] ret_from_fork+0x3f/0x70 - [] ? kthread_create_on_node+0x200/0x200 - -Call Trace: - [] xhci_setup_device+0x53d/0xa40 - [] xhci_address_device+0xe/0x10 - [] hub_port_init+0x1bf/0xb70 - [] ? trace_hardirqs_on+0xd/0x10 - [] hub_event+0x817/0x1570 - [] process_one_work+0x1ff/0x620 - [] ? process_one_work+0x15f/0x620 - [] worker_thread+0x64/0x4b0 - [] ? rescuer_thread+0x390/0x390 - [] kthread+0x105/0x120 - [] ? kthread_create_on_node+0x200/0x200 - [] ret_from_fork+0x3f/0x70 - [] ? kthread_create_on_node+0x200/0x200 - -Which results from the two call chains: - -hub_port_init - usb_get_device_descriptor - usb_get_descriptor - usb_control_msg - usb_internal_control_msg - usb_start_wait_urb - usb_submit_urb / wait_for_completion_timeout / usb_kill_urb - -hub_port_init - hub_set_address - xhci_address_device - xhci_setup_device - -Mathias Nyman explains the current behaviour violates the XHCI spec: - - hub_port_reset() will end up moving the corresponding xhci device slot - to default state. - - As hub_port_reset() is called several times in hub_port_init() it - sounds reasonable that we could end up with two threads having their - xhci device slots in default state at the same time, which according to - xhci 4.5.3 specs still is a big no no: - - "Note: Software shall not transition more than one Device Slot to the - Default State at a time" - - So both threads fail at their next task after this. - One fails to read the descriptor, and the other fails addressing the - device. - -Fix this in hub_port_init by locking the USB controller (instead of an -individual bus) to prevent simultaneous initialisation of both buses. 
- -Fixes: 638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel") -Link: https://lkml.org/lkml/2016/2/8/312 -Link: https://lkml.org/lkml/2016/2/4/748 -Signed-off-by: Chris Bainbridge -Cc: stable -Acked-by: Mathias Nyman -Signed-off-by: Sumit Semwal - [sumits: minor merge conflict resolution for linux-4.4.y] -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/core/hcd.c | 15 +++++++++++++-- - drivers/usb/core/hub.c | 8 ++++---- - include/linux/usb.h | 3 +-- - include/linux/usb/hcd.h | 1 + - 4 files changed, 19 insertions(+), 8 deletions(-) - -diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index f44ce09367bc..9a5303c17de7 100644 ---- a/drivers/usb/core/hcd.c -+++ b/drivers/usb/core/hcd.c -@@ -966,7 +966,7 @@ static void usb_bus_init (struct usb_bus *bus) - bus->bandwidth_allocated = 0; - bus->bandwidth_int_reqs = 0; - bus->bandwidth_isoc_reqs = 0; -- mutex_init(&bus->usb_address0_mutex); -+ mutex_init(&bus->devnum_next_mutex); - - INIT_LIST_HEAD (&bus->bus_list); - } -@@ -2497,6 +2497,14 @@ struct usb_hcd *usb_create_shared_hcd(const struct hc_driver *driver, - return NULL; - } - if (primary_hcd == NULL) { -+ hcd->address0_mutex = kmalloc(sizeof(*hcd->address0_mutex), -+ GFP_KERNEL); -+ if (!hcd->address0_mutex) { -+ kfree(hcd); -+ dev_dbg(dev, "hcd address0 mutex alloc failed\n"); -+ return NULL; -+ } -+ mutex_init(hcd->address0_mutex); - hcd->bandwidth_mutex = kmalloc(sizeof(*hcd->bandwidth_mutex), - GFP_KERNEL); - if (!hcd->bandwidth_mutex) { -@@ -2508,6 +2516,7 @@ struct usb_hcd *usb_create_shared_hcd(const struct hc_driver *driver, - dev_set_drvdata(dev, hcd); - } else { - mutex_lock(&usb_port_peer_mutex); -+ hcd->address0_mutex = primary_hcd->address0_mutex; - hcd->bandwidth_mutex = primary_hcd->bandwidth_mutex; - hcd->primary_hcd = primary_hcd; - primary_hcd->primary_hcd = primary_hcd; -@@ -2574,8 +2583,10 @@ static void hcd_release(struct kref *kref) - struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref); - - 
mutex_lock(&usb_port_peer_mutex); -- if (usb_hcd_is_primary_hcd(hcd)) -+ if (usb_hcd_is_primary_hcd(hcd)) { -+ kfree(hcd->address0_mutex); - kfree(hcd->bandwidth_mutex); -+ } - if (hcd->shared_hcd) { - struct usb_hcd *peer = hcd->shared_hcd; - -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 780db8bb2262..f52d8abf6979 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -1980,7 +1980,7 @@ static void choose_devnum(struct usb_device *udev) - struct usb_bus *bus = udev->bus; - - /* be safe when more hub events are proceed in parallel */ -- mutex_lock(&bus->usb_address0_mutex); -+ mutex_lock(&bus->devnum_next_mutex); - if (udev->wusb) { - devnum = udev->portnum + 1; - BUG_ON(test_bit(devnum, bus->devmap.devicemap)); -@@ -1998,7 +1998,7 @@ static void choose_devnum(struct usb_device *udev) - set_bit(devnum, bus->devmap.devicemap); - udev->devnum = devnum; - } -- mutex_unlock(&bus->usb_address0_mutex); -+ mutex_unlock(&bus->devnum_next_mutex); - } - - static void release_devnum(struct usb_device *udev) -@@ -4262,7 +4262,7 @@ hub_port_init(struct usb_hub *hub, struct usb_device *udev, int port1, - if (oldspeed == USB_SPEED_LOW) - delay = HUB_LONG_RESET_TIME; - -- mutex_lock(&hdev->bus->usb_address0_mutex); -+ mutex_lock(hcd->address0_mutex); - - /* Reset the device; full speed may morph to high speed */ - /* FIXME a USB 2.0 device may morph into SuperSpeed on reset. 
*/ -@@ -4548,7 +4548,7 @@ fail: - hub_port_disable(hub, port1, 0); - update_devnum(udev, devnum); /* for disconnect processing */ - } -- mutex_unlock(&hdev->bus->usb_address0_mutex); -+ mutex_unlock(hcd->address0_mutex); - return retval; - } - -diff --git a/include/linux/usb.h b/include/linux/usb.h -index 12891ffd4bf0..8c75af6b7d5b 100644 ---- a/include/linux/usb.h -+++ b/include/linux/usb.h -@@ -371,14 +371,13 @@ struct usb_bus { - - int devnum_next; /* Next open device number in - * round-robin allocation */ -+ struct mutex devnum_next_mutex; /* devnum_next mutex */ - - struct usb_devmap devmap; /* device address allocation map */ - struct usb_device *root_hub; /* Root hub */ - struct usb_bus *hs_companion; /* Companion EHCI bus, if any */ - struct list_head bus_list; /* list of busses */ - -- struct mutex usb_address0_mutex; /* unaddressed device mutex */ -- - int bandwidth_allocated; /* on this bus: how much of the time - * reserved for periodic (intr/iso) - * requests is used, on average? -diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h -index f89c24bd53a4..3993b21f3d11 100644 ---- a/include/linux/usb/hcd.h -+++ b/include/linux/usb/hcd.h -@@ -180,6 +180,7 @@ struct usb_hcd { - * bandwidth_mutex should be dropped after a successful control message - * to the device, or resetting the bandwidth after a failed attempt. - */ -+ struct mutex *address0_mutex; - struct mutex *bandwidth_mutex; - struct usb_hcd *shared_hcd; - struct usb_hcd *primary_hcd; --- -2.12.2 - -From 45d9558837d4d79e6d241f1c45cabea8d20dca22 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Mon, 27 Jun 2016 10:23:10 -0400 -Subject: [PATCH 104/251] USB: don't free bandwidth_mutex too early -Content-Length: 4635 -Lines: 119 - -commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1 upstream. - -The USB core contains a bug that can show up when a USB-3 host -controller is removed. 
If the primary (USB-2) hcd structure is -released before the shared (USB-3) hcd, the core will try to do a -double-free of the common bandwidth_mutex. - -The problem was described in graphical form by Chung-Geol Kim, who -first reported it: - -================================================= - At *remove USB(3.0) Storage - sequence <1> --> <5> ((Problem Case)) -================================================= - VOLD -------------------------------------|------------ - (uevent) - ________|_________ - |<1> | - |dwc3_otg_sm_work | - |usb_put_hcd | - |peer_hcd(kref=2)| - |__________________| - ________|_________ - |<2> | - |New USB BUS #2 | - | | - |peer_hcd(kref=1) | - | | - --(Link)-bandXX_mutex| - | |__________________| - | - ___________________ | - |<3> | | - |dwc3_otg_sm_work | | - |usb_put_hcd | | - |primary_hcd(kref=1)| | - |___________________| | - _________|_________ | - |<4> | | - |New USB BUS #1 | | - |hcd_release | | - |primary_hcd(kref=0)| | - | | | - |bandXX_mutex(free) |<- - |___________________| - (( VOLD )) - ______|___________ - |<5> | - | SCSI | - |usb_put_hcd | - |peer_hcd(kref=0) | - |*hcd_release | - |bandXX_mutex(free*)|<- double free - |__________________| - -================================================= - -This happens because hcd_release() frees the bandwidth_mutex whenever -it sees a primary hcd being released (which is not a very good idea -in any case), but in the course of releasing the primary hcd, it -changes the pointers in the shared hcd in such a way that the shared -hcd will appear to be primary when it gets released. - -This patch fixes the problem by changing hcd_release() so that it -deallocates the bandwidth_mutex only when the _last_ hcd structure -referencing it is released. The patch also removes an unnecessary -test, so that when an hcd is released, both the shared_hcd and -primary_hcd pointers in the hcd's peer will be cleared. 
- -Signed-off-by: Alan Stern -Reported-by: Chung-Geol Kim -Tested-by: Chung-Geol Kim -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman + } + + static void x86_pmu_event_mapped(struct perf_event *event) +-- +2.12.2 + +From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 22 Mar 2017 12:17:51 +0100 +Subject: [PATCH 102/251] Linux 4.4.56 +Content-Length: 301 +Lines: 18 + --- - drivers/usb/core/hcd.c | 17 +++++++---------- - 1 file changed, 7 insertions(+), 10 deletions(-) + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index 9a5303c17de7..5724d7c41e29 100644 ---- a/drivers/usb/core/hcd.c -+++ b/drivers/usb/core/hcd.c -@@ -2573,26 +2573,23 @@ EXPORT_SYMBOL_GPL(usb_create_hcd); - * Don't deallocate the bandwidth_mutex until the last shared usb_hcd is - * deallocated. - * -- * Make sure to only deallocate the bandwidth_mutex when the primary HCD is -- * freed. When hcd_release() is called for either hcd in a peer set -- * invalidate the peer's ->shared_hcd and ->primary_hcd pointers to -- * block new peering attempts -+ * Make sure to deallocate the bandwidth_mutex only when the last HCD is -+ * freed. When hcd_release() is called for either hcd in a peer set, -+ * invalidate the peer's ->shared_hcd and ->primary_hcd pointers. 
- */ - static void hcd_release(struct kref *kref) - { - struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref); - - mutex_lock(&usb_port_peer_mutex); -- if (usb_hcd_is_primary_hcd(hcd)) { -- kfree(hcd->address0_mutex); -- kfree(hcd->bandwidth_mutex); -- } - if (hcd->shared_hcd) { - struct usb_hcd *peer = hcd->shared_hcd; +diff --git a/Makefile b/Makefile +index d9cc21df444d..cf9303a5d621 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 55 ++SUBLEVEL = 56 + EXTRAVERSION = + NAME = Blurry Fish Butt - peer->shared_hcd = NULL; -- if (peer->primary_hcd == hcd) -- peer->primary_hcd = NULL; -+ peer->primary_hcd = NULL; -+ } else { -+ kfree(hcd->address0_mutex); -+ kfree(hcd->bandwidth_mutex); - } - mutex_unlock(&usb_port_peer_mutex); - kfree(hcd); -- 2.12.2 
@@ -3849,78 +1369,6 @@ index 5cc2e7af3a7b..b379146de55b 100644 -- 2.12.2 -From 68ea3948ed3d48dd1e0897b121f37da6f14ffbcc Mon Sep 17 00:00:00 2001 -From: Sebastian Ott -Date: Fri, 15 Apr 2016 09:41:35 +0200 -Subject: [PATCH 115/251] s390/pci: fix use after free in dma_init -Content-Length: 1833 -Lines: 64 - -commit dba599091c191d209b1499511a524ad9657c0e5a upstream. - -After a failure during registration of the dma_table (because of the -function being in error state) we free its memory but don't reset the -associated pointer to zero. - -When we then receive a notification from firmware (about the function -being in error state) we'll try to walk and free the dma_table again. - -Fix this by resetting the dma_table pointer. In addition to that make -sure that we free the iommu_bitmap when appropriate. - -Signed-off-by: Sebastian Ott -Reviewed-by: Gerald Schaefer -Signed-off-by: Martin Schwidefsky -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/pci/pci_dma.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c -index 3a40f718baef..4004e03267cd 100644 ---- a/arch/s390/pci/pci_dma.c -+++ b/arch/s390/pci/pci_dma.c -@@ -455,7 +455,7 @@ int zpci_dma_init_device(struct zpci_dev *zdev) - zdev->dma_table = dma_alloc_cpu_table(); - if (!zdev->dma_table) { - rc = -ENOMEM; -- goto out_clean; -+ goto out; - } - - /* -@@ -475,18 +475,22 @@ int zpci_dma_init_device(struct zpci_dev *zdev) - zdev->iommu_bitmap = vzalloc(zdev->iommu_pages / 8); - if (!zdev->iommu_bitmap) { - rc = -ENOMEM; -- goto out_reg; -+ goto free_dma_table; - } - - rc = zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma, - (u64) zdev->dma_table); - if (rc) -- goto out_reg; -- return 0; -+ goto free_bitmap; - --out_reg: -+ return 0; -+free_bitmap: -+ vfree(zdev->iommu_bitmap); -+ zdev->iommu_bitmap = NULL; -+free_dma_table: - dma_free_cpu_table(zdev->dma_table); --out_clean: -+ zdev->dma_table = NULL; 
-+out: - return rc; - } - --- -2.12.2 - From 13a26889cbc1eb8a7b9a7712c05538c55659fe40 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Thu, 14 Jan 2016 08:07:55 +1000 @@ -6679,6 +4127,7 @@ From: Dan Williams Date: Thu, 9 Mar 2017 11:32:28 -0600 Subject: [PATCH 157/251] USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems +Status: RO Content-Length: 2146 Lines: 50 @@ -6733,43 +4182,6 @@ index 42cc72e54c05..af67a0de6b5d 100644 -- 2.12.2 -From 9218793a39def5ee7555d990ef6034260024a379 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= -Date: Fri, 17 Mar 2017 17:21:28 +0100 -Subject: [PATCH 158/251] USB: serial: qcserial: add Dell DW5811e -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 1135 -Lines: 26 - -commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream. - -This is a Dell branded Sierra Wireless EM7455. - -Signed-off-by: Bjørn Mork -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/qcserial.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c -index 696458db7e3c..38b3f0d8cd58 100644 ---- a/drivers/usb/serial/qcserial.c -+++ b/drivers/usb/serial/qcserial.c -@@ -169,6 +169,8 @@ static const struct usb_device_id id_table[] = { - {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ - {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ - {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ -+ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ -+ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ - - /* Huawei devices */ - {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */ --- -2.12.2 - From 19f0fe67b9d04580c377efc568cc8630a5af06b4 Mon Sep 17 00:00:00 2001 
From: Oliver Neukum Date: Tue, 14 Mar 2017 12:09:56 +0100 
@@ -6817,447 +4229,6 @@ index 2fa1e80a3ce7..67e474b13fca 100644 -- 2.12.2 -From 8a8a8007871acae231ca5dba49f648d64326e919 Mon Sep 17 00:00:00 2001 -From: Roger Quadros -Date: Wed, 8 Mar 2017 16:05:43 +0200 -Subject: [PATCH 160/251] usb: gadget: f_uvc: Fix SuperSpeed companion - descriptor's wBytesPerInterval -Content-Length: 1446 -Lines: 35 - -commit 09424c50b7dff40cb30011c09114404a4656e023 upstream. - -The streaming_maxburst module parameter is 0 offset (0..15) -so we must add 1 while using it for wBytesPerInterval -calculation for the SuperSpeed companion descriptor. - -Without this host uvcvideo driver will always see the wrong -wBytesPerInterval for SuperSpeed uvc gadget and may not find -a suitable video interface endpoint. -e.g. for streaming_maxburst = 0 case it will always -fail as wBytePerInterval was evaluating to 0. - -Reviewed-by: Laurent Pinchart -Signed-off-by: Roger Quadros -Signed-off-by: Felipe Balbi -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/function/f_uvc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c -index 29b41b5dee04..c7689d05356c 100644 ---- a/drivers/usb/gadget/function/f_uvc.c -+++ b/drivers/usb/gadget/function/f_uvc.c -@@ -625,7 +625,7 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) - uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst; - uvc_ss_streaming_comp.wBytesPerInterval = - cpu_to_le16(max_packet_size * max_packet_mult * -- opts->streaming_maxburst); -+ (opts->streaming_maxburst + 1)); - - /* Allocate endpoints. 
*/ - ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep); --- -2.12.2 - -From 2c929ea720f968da2f1ad90db995cc49a937955f Mon Sep 17 00:00:00 2001 -From: Samuel Thibault -Date: Mon, 13 Mar 2017 20:50:08 +0100 -Subject: [PATCH 161/251] usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk -Content-Length: 3060 -Lines: 83 - -commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream. - -Some USB 2.0 devices erroneously report millisecond values in -bInterval. The generic config code manages to catch most of them, -but in some cases it's not completely enough. - -The case at stake here is a USB 2.0 braille device, which wants to -announce 10ms and thus sets bInterval to 10, but with the USB 2.0 -computation that yields to 64ms. It happens that one can type fast -enough to reach this interval and get the device buffers overflown, -leading to problematic latencies. The generic config code does not -catch this case because the 64ms is considered a sane enough value. - -This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk -to mark devices which actually report milliseconds in bInterval, -and marks Vario Ultra devices as needing it. - -Signed-off-by: Samuel Thibault -Acked-by: Alan Stern -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/core/config.c | 10 ++++++++++ - drivers/usb/core/quirks.c | 8 ++++++++ - include/linux/usb/quirks.h | 6 ++++++ - 3 files changed, 24 insertions(+) - -diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c -index ac30a051ad71..325cbc9c35d8 100644 ---- a/drivers/usb/core/config.c -+++ b/drivers/usb/core/config.c -@@ -246,6 +246,16 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, - - /* - * Adjust bInterval for quirked devices. -+ */ -+ /* -+ * This quirk fixes bIntervals reported in ms. 
-+ */ -+ if (to_usb_device(ddev)->quirks & -+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) { -+ n = clamp(fls(d->bInterval) + 3, i, j); -+ i = j = n; -+ } -+ /* - * This quirk fixes bIntervals reported in - * linear microframes. - */ -diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c -index 24f9f98968a5..96b21b0dac1e 100644 ---- a/drivers/usb/core/quirks.c -+++ b/drivers/usb/core/quirks.c -@@ -170,6 +170,14 @@ static const struct usb_device_id usb_quirk_list[] = { - /* M-Systems Flash Disk Pioneers */ - { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, - -+ /* Baum Vario Ultra */ -+ { USB_DEVICE(0x0904, 0x6101), .driver_info = -+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, -+ { USB_DEVICE(0x0904, 0x6102), .driver_info = -+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, -+ { USB_DEVICE(0x0904, 0x6103), .driver_info = -+ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, -+ - /* Keytouch QWERTY Panel keyboard */ - { USB_DEVICE(0x0926, 0x3333), .driver_info = - USB_QUIRK_CONFIG_INTF_STRINGS }, -diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h -index 1d0043dc34e4..de2a722fe3cf 100644 ---- a/include/linux/usb/quirks.h -+++ b/include/linux/usb/quirks.h -@@ -50,4 +50,10 @@ - /* device can't handle Link Power Management */ - #define USB_QUIRK_NO_LPM BIT(10) - -+/* -+ * Device reports its bInterval as linear frames instead of the -+ * USB 2.0 calculation. -+ */ -+#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) -+ - #endif /* __LINUX_USB_QUIRKS_H */ --- -2.12.2 - -From 73490abe249c238e2141f62995e2cc2d4ae392db Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:47:50 +0100 -Subject: [PATCH 162/251] USB: uss720: fix NULL-deref at probe -Content-Length: 1198 -Lines: 37 - -commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer or accessing memory beyond the endpoint array should a -malicious device lack the expected endpoints. 
- -Note that the endpoint access that causes the NULL-deref is currently -only used for debugging purposes during probe so the oops only happens -when dynamic debugging is enabled. This means the driver could be -rewritten to continue to accept device with only two endpoints, should -such devices exist. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/misc/uss720.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c -index bbd029c9c725..442b6631162e 100644 ---- a/drivers/usb/misc/uss720.c -+++ b/drivers/usb/misc/uss720.c -@@ -711,6 +711,11 @@ static int uss720_probe(struct usb_interface *intf, - - interface = intf->cur_altsetting; - -+ if (interface->desc.bNumEndpoints < 3) { -+ usb_put_dev(usbdev); -+ return -ENODEV; -+ } -+ - /* - * Allocate parport interface - */ --- -2.12.2 - -From a7712869e2e7cb1a5add2a8613f04e6c3647ef38 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:47:49 +0100 -Subject: [PATCH 163/251] USB: lvtest: fix NULL-deref at probe -Content-Length: 995 -Lines: 32 - -commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should the probed device lack endpoints. - -Note that this driver does not bind to any devices by default. 
- -Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver") -Cc: Pratyush Anand -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/misc/lvstest.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/usb/misc/lvstest.c b/drivers/usb/misc/lvstest.c -index 86b4e4b2ab9a..383fa007348f 100644 ---- a/drivers/usb/misc/lvstest.c -+++ b/drivers/usb/misc/lvstest.c -@@ -370,6 +370,10 @@ static int lvs_rh_probe(struct usb_interface *intf, - - hdev = interface_to_usbdev(intf); - desc = intf->cur_altsetting; -+ -+ if (desc->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - endpoint = &desc->endpoint[0].desc; - - /* valid only for SS root hub */ --- -2.12.2 - -From d6389d6abb8aff1d67ea64ef5b295ab3f4967d2d Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:47:48 +0100 -Subject: [PATCH 164/251] USB: idmouse: fix NULL-deref at probe -Content-Length: 929 -Lines: 28 - -commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer should a malicious device lack endpoints. 
- -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/misc/idmouse.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c -index 4e38683c653c..6d4e75785710 100644 ---- a/drivers/usb/misc/idmouse.c -+++ b/drivers/usb/misc/idmouse.c -@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_interface *interface, - if (iface_desc->desc.bInterfaceClass != 0x0A) - return -ENODEV; - -+ if (iface_desc->desc.bNumEndpoints < 1) -+ return -ENODEV; -+ - /* allocate memory for our device state and initialize it */ - dev = kzalloc(sizeof(*dev), GFP_KERNEL); - if (dev == NULL) --- -2.12.2 - -From a7cb1fafe429ebd9ecf7768edc577662cbb6011e Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 13 Mar 2017 13:47:51 +0100 -Subject: [PATCH 165/251] USB: wusbcore: fix NULL-deref at probe -Content-Length: 1148 -Lines: 34 - -commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream. - -Make sure to check the number of endpoints to avoid dereferencing a -NULL-pointer or accessing memory beyond the endpoint array should a -malicious device lack the expected endpoints. - -This specifically fixes the NULL-pointer dereference when probing HWA HC -devices. 
- -Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core") -Cc: Inaky Perez-Gonzalez -Cc: David Vrabel -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/wusbcore/wa-hc.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/usb/wusbcore/wa-hc.c b/drivers/usb/wusbcore/wa-hc.c -index 252c7bd9218a..d01496fd27fe 100644 ---- a/drivers/usb/wusbcore/wa-hc.c -+++ b/drivers/usb/wusbcore/wa-hc.c -@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct usb_interface *iface, - int result; - struct device *dev = &iface->dev; - -+ if (iface->cur_altsetting->desc.bNumEndpoints < 3) -+ return -ENODEV; -+ - result = wa_rpipes_create(wa); - if (result < 0) - goto error_rpipes_create; --- -2.12.2 - -From 47285be050ca3e9ca45f22966b0b655b5b83c250 Mon Sep 17 00:00:00 2001 -From: Bin Liu -Date: Fri, 10 Mar 2017 14:43:35 -0600 -Subject: [PATCH 166/251] usb: musb: cppi41: don't check early-TX-interrupt for - Isoch transfer -Content-Length: 1899 -Lines: 56 - -commit 0090114d336a9604aa2d90bc83f20f7cd121b76c upstream. - -The CPPI 4.1 driver polls register to workaround the premature TX -interrupt issue, but it causes audio playback underrun when triggered in -Isoch transfers. - -Isoch doesn't do back-to-back transfers, the TX should be done by the -time the next transfer is scheduled. So skip this polling workaround for -Isoch transfer. 
- -Fixes: a655f481d83d6 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt") -Reported-by: Alexandre Bailon -Acked-by: Sebastian Andrzej Siewior -Tested-by: Alexandre Bailon -Signed-off-by: Bin Liu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/musb/musb_cppi41.c | 23 +++++++++++++++++++++-- - 1 file changed, 21 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/musb/musb_cppi41.c b/drivers/usb/musb/musb_cppi41.c -index e499b862a946..88f26ac2a185 100644 ---- a/drivers/usb/musb/musb_cppi41.c -+++ b/drivers/usb/musb/musb_cppi41.c -@@ -250,8 +250,27 @@ static void cppi41_dma_callback(void *private_data) - transferred < cppi41_channel->packet_sz) - cppi41_channel->prog_len = 0; - -- if (cppi41_channel->is_tx) -- empty = musb_is_tx_fifo_empty(hw_ep); -+ if (cppi41_channel->is_tx) { -+ u8 type; -+ -+ if (is_host_active(musb)) -+ type = hw_ep->out_qh->type; -+ else -+ type = hw_ep->ep_in.type; -+ -+ if (type == USB_ENDPOINT_XFER_ISOC) -+ /* -+ * Don't use the early-TX-interrupt workaround below -+ * for Isoch transfter. Since Isoch are periodic -+ * transfer, by the time the next transfer is -+ * scheduled, the current one should be done already. -+ * -+ * This avoids audio playback underrun issue. -+ */ -+ empty = true; -+ else -+ empty = musb_is_tx_fifo_empty(hw_ep); -+ } - - if (!cppi41_channel->is_tx || empty) { - cppi41_trans_done(cppi41_channel); --- -2.12.2 - -From 14a2032287d43bbffadf22752e40830000aad503 Mon Sep 17 00:00:00 2001 -From: Guenter Roeck -Date: Wed, 8 Mar 2017 10:19:36 -0800 -Subject: [PATCH 167/251] usb: hub: Fix crash after failure to read BOS - descriptor -Content-Length: 2813 -Lines: 69 - -commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream. - -If usb_get_bos_descriptor() returns an error, usb->bos will be NULL. -Nevertheless, it is dereferenced unconditionally in -hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set. -This results in a crash. - -usb 5-1: unable to get BOS descriptor -... 
-Unable to handle kernel NULL pointer dereference at virtual address 00000008 -pgd = ffffffc00165f000 -[00000008] *pgd=000000000174f003, *pud=000000000174f003, - *pmd=0000000001750003, *pte=00e8000001751713 -Internal error: Oops: 96000005 [#1] PREEMPT SMP -Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ] -CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480 -Hardware name: Google Kevin (DT) -Workqueue: events driver_set_config_work -task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000 -PC is at hub_port_init+0xc3c/0xd10 -LR is at hub_port_init+0xc3c/0xd10 -... -Call trace: -[] hub_port_init+0xc3c/0xd10 -[] usb_reset_and_verify_device+0x15c/0x82c -[] usb_reset_device+0xe4/0x298 -[] rtl8152_probe+0x84/0x9b0 [r8152] -[] usb_probe_interface+0x244/0x2f8 -[] driver_probe_device+0x180/0x3b4 -[] __device_attach_driver+0xb4/0xe0 -[] bus_for_each_drv+0xb4/0xe4 -[] __device_attach+0xd0/0x158 -[] device_initial_probe+0x24/0x30 -[] bus_probe_device+0x50/0xe4 -[] device_add+0x414/0x738 -[] usb_set_configuration+0x89c/0x914 -[] driver_set_config_work+0xc0/0xf0 -[] process_one_work+0x390/0x6b8 -[] worker_thread+0x480/0x610 -[] kthread+0x164/0x178 -[] ret_from_fork+0x10/0x40 - -Since we don't know anything about LPM capabilities without BOS descriptor, -don't attempt to enable LPM if it is not available. 
- -Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...") -Cc: Mathias Nyman -Signed-off-by: Guenter Roeck -Acked-by: Mathias Nyman -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/core/hub.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index f52d8abf6979..9e62c93af96e 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -4199,7 +4199,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev) - struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); - int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN; - -- if (!udev->usb2_hw_lpm_capable) -+ if (!udev->usb2_hw_lpm_capable || !udev->bos) - return; - - if (hub) --- -2.12.2 - From 815321da2e267c5c44a2900b39ac92632a9d6e80 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 13 Mar 2017 13:47:53 +0100 
@@ -8108,48 +5079,6 @@ index 122af340a531..a92979e704e3 100644 -- 2.12.2 -From 48da8f817b9db7909e5758257bdc84a6c611d99a Mon Sep 17 00:00:00 2001 -From: Ilya Dryomov -Date: Wed, 1 Mar 2017 17:33:27 +0100 -Subject: [PATCH 182/251] libceph: don't set weight to IN when OSD is destroyed -Content-Length: 1361 -Lines: 34 - -commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream. - -Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info, -osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted. -This changes the result of applying an incremental for clients, not -just OSDs. Because CRUSH computations are obviously affected, -pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on -object placement, resulting in misdirected requests. - -Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f. - -Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals") -Link: http://tracker.ceph.com/issues/19122 -Signed-off-by: Ilya Dryomov -Reviewed-by: Sage Weil -Signed-off-by: Greg Kroah-Hartman ---- - net/ceph/osdmap.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c -index ddc3573894b0..bc95e48d5cfb 100644 ---- a/net/ceph/osdmap.c -+++ b/net/ceph/osdmap.c -@@ -1265,7 +1265,6 @@ static int decode_new_up_state_weight(void **p, void *end, - if ((map->osd_state[osd] & CEPH_OSD_EXISTS) && - (xorstate & CEPH_OSD_EXISTS)) { - pr_info("osd%d does not exist\n", osd); -- map->osd_weight[osd] = CEPH_OSD_IN; - ret = set_primary_affinity(map, osd, - CEPH_OSD_DEFAULT_PRIMARY_AFFINITY); - if (ret) --- -2.12.2 - From c4cf86f69597d4547a736e3edd5b88ae61b68fa2 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" Date: Mon, 5 Dec 2016 12:38:38 +1100 @@ -8640,6 +5569,7 @@ From f154de03f4167664808b002495a877dbe91dd798 Mon Sep 17 00:00:00 2001 
From: Johan Hovold Date: Tue, 14 Mar 2017 17:55:45 +0100 Subject: [PATCH 186/251] USB: usbtmc: add missing endpoint sanity check +Status: RO Content-Length: 2168 Lines: 61 @@ -9936,57 +6866,6 @@ index 0774799942e0..c6fee7437be4 100644 -- 2.12.2 -From ce5494107946450f79ffce4538c243c37b08d85f Mon Sep 17 00:00:00 2001 -From: Sumit Semwal -Date: Sat, 25 Mar 2017 21:48:15 +0530 -Subject: [PATCH 202/251] s390/zcrypt: Introduce CEX6 toleration -Content-Length: 1646 -Lines: 43 - -From: Harald Freudenberger - -[ Upstream commit b3e8652bcbfa04807e44708d4d0c8cdad39c9215 ] - -Signed-off-by: Harald Freudenberger -Signed-off-by: Martin Schwidefsky -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/s390/crypto/ap_bus.c | 3 +++ - drivers/s390/crypto/ap_bus.h | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c -index 24ec282e15d8..7c3b8d3516e3 100644 ---- a/drivers/s390/crypto/ap_bus.c -+++ b/drivers/s390/crypto/ap_bus.c -@@ -1651,6 +1651,9 @@ static void ap_scan_bus(struct work_struct *unused) - ap_dev->queue_depth = queue_depth; - ap_dev->raw_hwtype = device_type; - ap_dev->device_type = device_type; -+ /* CEX6 toleration: map to CEX5 */ -+ if (device_type == AP_DEVICE_TYPE_CEX6) -+ ap_dev->device_type = AP_DEVICE_TYPE_CEX5; - ap_dev->functions = device_functions; - spin_lock_init(&ap_dev->lock); - INIT_LIST_HEAD(&ap_dev->pendingq); -diff --git a/drivers/s390/crypto/ap_bus.h b/drivers/s390/crypto/ap_bus.h -index 6adcbdf225d1..cc741e948170 100644 ---- a/drivers/s390/crypto/ap_bus.h -+++ b/drivers/s390/crypto/ap_bus.h -@@ -105,6 +105,7 @@ static inline int ap_test_bit(unsigned int *ptr, unsigned int nr) - #define AP_DEVICE_TYPE_CEX3C 9 - #define AP_DEVICE_TYPE_CEX4 10 - #define AP_DEVICE_TYPE_CEX5 11 -+#define AP_DEVICE_TYPE_CEX6 12 - - /* - * Known function facilities --- -2.12.2 - 
From 4e2c66bb6658f6f4583c8920adeecb7bcc90bd9f Mon Sep 17 00:00:00 2001 From: Sumit Semwal Date: Sat, 25 Mar 2017 21:48:16 +0530 @@ -11621,6 +8500,7 @@ From ba46d8fab00a8e1538df241681d9161c8ec85778 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Tue, 21 Mar 2017 13:44:28 +0100 Subject: [PATCH 225/251] libceph: force GFP_NOIO for socket allocations +Status: RO Content-Length: 4579 Lines: 104 @@ -12356,58 +9236,6 @@ index 156a262b6b65..a15070a7fcd6 100644 -- 2.12.2 -From eac3ab3e69151c21a0a71ec8711600022cc12fa3 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Fri, 24 Mar 2017 13:38:28 -0400 -Subject: [PATCH 237/251] USB: fix linked-list corruption in rh_call_control() -Content-Length: 1325 -Lines: 44 - -commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream. - -Using KASAN, Dmitry found a bug in the rh_call_control() routine: If -buffer allocation fails, the routine returns immediately without -unlinking its URB from the control endpoint, eventually leading to -linked-list corruption. - -This patch fixes the problem by jumping to the end of the routine -(where the URB is unlinked) when an allocation failure occurs. - -Signed-off-by: Alan Stern -Reported-and-tested-by: Dmitry Vyukov -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/core/hcd.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index 5724d7c41e29..ca2cbdb3aa67 100644 ---- a/drivers/usb/core/hcd.c -+++ b/drivers/usb/core/hcd.c -@@ -499,8 +499,10 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb) - */ - tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength); - tbuf = kzalloc(tbuf_size, GFP_KERNEL); -- if (!tbuf) -- return -ENOMEM; -+ if (!tbuf) { -+ status = -ENOMEM; -+ goto err_alloc; -+ } - - bufp = tbuf; - -@@ -705,6 +707,7 @@ error: - } - - kfree(tbuf); -+ err_alloc: - - /* any errors get returned through the urb completion */ - spin_lock_irq(&hcd_root_hub_lock); --- -2.12.2 - 
From 3eb392056aeb4a0beca5fcead9ad3d6b6ff0816e Mon Sep 17 00:00:00 2001 From: Peter Xu Date: Wed, 15 Mar 2017 16:01:17 +0800 diff --git a/queue-3.18/mips-dec-avoid-la-pseudo-instruction-in-delay-slots.patch b/queue-3.18/mips-dec-avoid-la-pseudo-instruction-in-delay-slots.patch new file mode 100644 index 00000000000..1ccab5280bb --- /dev/null +++ b/queue-3.18/mips-dec-avoid-la-pseudo-instruction-in-delay-slots.patch 
@@ -0,0 +1,85 @@ +From 3021773c7c3e75e20b693931a19362681e744ea9 Mon Sep 17 00:00:00 2001 +From: Ralf Baechle +Date: Tue, 20 Sep 2016 14:33:01 +0200 +Subject: MIPS: DEC: Avoid la pseudo-instruction in delay slots + +From: Ralf Baechle + +commit 3021773c7c3e75e20b693931a19362681e744ea9 upstream. + +When expanding the la or dla pseudo-instruction in a delay slot the GNU +assembler will complain should the pseudo-instruction expand to multiple +actual instructions, since only the first of them will be in the delay +slot leading to the pseudo-instruction being only partially executed if +the branch is taken. Use of PTR_LA in the dec int-handler.S leads to +such warnings: + + arch/mips/dec/int-handler.S: Assembler messages: + arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot + arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot + +Avoid this by open coding the PTR_LA macros. 
+ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +--- a/arch/mips/dec/int-handler.S ++++ b/arch/mips/dec/int-handler.S +@@ -146,7 +146,25 @@ + /* + * Find irq with highest priority + */ +- PTR_LA t1,cpu_mask_nr_tbl ++ # open coded PTR_LA t1, cpu_mask_nr_tbl ++#if (_MIPS_SZPTR == 32) ++ # open coded la t1, cpu_mask_nr_tbl ++ lui t1, %hi(cpu_mask_nr_tbl) ++ addiu t1, %lo(cpu_mask_nr_tbl) ++ ++#endif ++#if (_MIPS_SZPTR == 64) ++ # open coded dla t1, cpu_mask_nr_tbl ++ .set push ++ .set noat ++ lui t1, %highest(cpu_mask_nr_tbl) ++ lui AT, %hi(cpu_mask_nr_tbl) ++ daddiu t1, t1, %higher(cpu_mask_nr_tbl) ++ daddiu AT, AT, %lo(cpu_mask_nr_tbl) ++ dsll t1, 32 ++ daddu t1, t1, AT ++ .set pop ++#endif + 1: lw t2,(t1) + nop + and t2,t0 +@@ -195,7 +213,25 @@ + /* + * Find irq with highest priority + */ +- PTR_LA t1,asic_mask_nr_tbl ++ # open coded PTR_LA t1,asic_mask_nr_tbl ++#if (_MIPS_SZPTR == 32) ++ # open coded la t1, asic_mask_nr_tbl ++ lui t1, %hi(asic_mask_nr_tbl) ++ addiu t1, %lo(asic_mask_nr_tbl) ++ ++#endif ++#if (_MIPS_SZPTR == 64) ++ # open coded dla t1, asic_mask_nr_tbl ++ .set push ++ .set noat ++ lui t1, %highest(asic_mask_nr_tbl) ++ lui AT, %hi(asic_mask_nr_tbl) ++ daddiu t1, t1, %higher(asic_mask_nr_tbl) ++ daddiu AT, AT, %lo(asic_mask_nr_tbl) ++ dsll t1, 32 ++ daddu t1, t1, AT ++ .set pop ++#endif + 2: lw t2,(t1) + nop + and t2,t0 diff --git a/queue-3.18/mips-ip22-fix-ip28-build-for-modern-gcc.patch b/queue-3.18/mips-ip22-fix-ip28-build-for-modern-gcc.patch new file mode 100644 index 00000000000..1f5602fc290 --- /dev/null +++ b/queue-3.18/mips-ip22-fix-ip28-build-for-modern-gcc.patch 
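Review bot: the two open-coded sequences (for cpu_mask_nr_tbl and for asic_mask_nr_tbl) are identical apart from the symbol name, and the 32-bit branch of each carries a stray blank line before its `#endif`; a small local assembler macro taking the symbol as a parameter, or at least dropping the blank lines, would keep the two copies from drifting apart. Open-coding only silences the assembler's macro-in-delay-slot warning, it does not change how many instructions follow the branch that owns the slot, so the commit message should state why executing only the first `lui` in the delay slot is acceptable here (for example because that branch, when taken, never uses t1); from the hunk alone that justification is not visible.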
@@ -0,0 +1,41 @@ +From 23ca9b522383d3b9b7991d8586db30118992af4a Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 17 Jan 2017 16:18:46 +0100 +Subject: MIPS: ip22: Fix ip28 build for modern gcc + +From: Arnd Bergmann + +commit 23ca9b522383d3b9b7991d8586db30118992af4a upstream. + +kernelci reports a failure of the ip28_defconfig build after upgrading its +gcc version: + +arch/mips/sgi-ip22/Platform:29: *** gcc doesn't support needed option -mr10k-cache-barrier=store. Stop. + +The problem apparently is that the -mr10k-cache-barrier=store option is now +rejected for CPUs other than r10k. Explicitly including the CPU in the +check fixes this and is safe because both options were introduced in +gcc-4.4. + +Signed-off-by: Arnd Bergmann +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/15049/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/sgi-ip22/Platform | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/sgi-ip22/Platform ++++ b/arch/mips/sgi-ip22/Platform +@@ -25,7 +25,7 @@ endif + # Simplified: what IP22 does at 128MB+ in ksegN, IP28 does at 512MB+ in xkphys + # + ifdef CONFIG_SGI_IP28 +- ifeq ($(call cc-option-yn,-mr10k-cache-barrier=store), n) ++ ifeq ($(call cc-option-yn,-march=r10000 -mr10k-cache-barrier=store), n) + $(error gcc doesn't support needed option -mr10k-cache-barrier=store) + endif + endif diff --git a/queue-3.18/mips-ip27-disable-qlge-driver-in-defconfig.patch b/queue-3.18/mips-ip27-disable-qlge-driver-in-defconfig.patch new file mode 100644 index 00000000000..3464cfe5b87 --- /dev/null +++ b/queue-3.18/mips-ip27-disable-qlge-driver-in-defconfig.patch 
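Review bot: the cc-option-yn check now requires `-march=r10000 -mr10k-cache-barrier=store` to be accepted together, but the unchanged `$(error gcc doesn't support needed option -mr10k-cache-barrier=store)` line still names only the second flag; update the message to mention the -march=r10000 combination so a toolchain that lacks r10000 support produces a diagnosable failure instead of pointing at the wrong option.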
@@ -0,0 +1,45 @@ +From b617649468390713db1515ea79fc772d2eb897a8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 3 Feb 2017 17:43:50 +0100 +Subject: MIPS: ip27: Disable qlge driver in defconfig + +From: Arnd Bergmann + +commit b617649468390713db1515ea79fc772d2eb897a8 upstream. + +One of the last remaining failures in kernelci.org is for a gcc bug: + +drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints: +drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190 + +This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot +reproduce the problem here. However, it is clear that ip27_defconfig +does not actually need this driver as the platform has only PCI-X but +not PCIe, and the qlge adapter in turn is PCIe-only. + +The driver was originally enabled in 2010 along with lots of other +drivers. + +Fixes: 59d302b342e5 ("MIPS: IP27: Make defconfig useful again.") +Signed-off-by: Arnd Bergmann +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/15197/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/configs/ip27_defconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/mips/configs/ip27_defconfig ++++ b/arch/mips/configs/ip27_defconfig +@@ -206,7 +206,6 @@ CONFIG_MLX4_EN=m + # CONFIG_MLX4_DEBUG is not set + CONFIG_TEHUTI=m + CONFIG_BNX2X=m +-CONFIG_QLGE=m + CONFIG_SFC=m + CONFIG_BE2NET=m + CONFIG_LIBERTAS_THINFIRM=m diff --git a/queue-3.18/net-fix-socket-refcounting-in-skb_complete_tx_timestamp.patch b/queue-3.18/net-fix-socket-refcounting-in-skb_complete_tx_timestamp.patch new file mode 100644 index 00000000000..94bb13114c0 --- /dev/null +++ b/queue-3.18/net-fix-socket-refcounting-in-skb_complete_tx_timestamp.patch 
@@ -0,0 +1,53 @@ +From 9ac25fc063751379cb77434fef9f3b088cd3e2f7 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 3 Mar 2017 21:01:03 -0800 +Subject: net: fix socket refcounting in skb_complete_tx_timestamp() + +From: Eric Dumazet + +commit 9ac25fc063751379cb77434fef9f3b088cd3e2f7 upstream. + +TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt +By the time TX completion happens, sk_refcnt might be already 0. + +sock_hold()/sock_put() would then corrupt critical state, like +sk_wmem_alloc and lead to leaks or use after free. + +Fixes: 62bccb8cdb69 ("net-timestamp: Make the clone operation stand-alone from phy timestamping") +Signed-off-by: Eric Dumazet +Cc: Alexander Duyck +Cc: Johannes Berg +Cc: Soheil Hassas Yeganeh +Cc: Willem de Bruijn +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3617,13 +3617,14 @@ void skb_complete_tx_timestamp(struct sk + { + struct sock *sk = skb->sk; + +- /* take a reference to prevent skb_orphan() from freeing the socket */ +- sock_hold(sk); +- +- *skb_hwtstamps(skb) = *hwtstamps; +- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); +- +- sock_put(sk); ++ /* Take a reference to prevent skb_orphan() from freeing the socket, ++ * but only if the socket refcount is not zero. ++ */ ++ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { ++ *skb_hwtstamps(skb) = *hwtstamps; ++ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); ++ sock_put(sk); ++ } + } + EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp); + diff --git a/queue-3.18/net-fix-socket-refcounting-in-skb_complete_wifi_ack.patch b/queue-3.18/net-fix-socket-refcounting-in-skb_complete_wifi_ack.patch new file mode 100644 index 00000000000..137acecf457 --- /dev/null +++ b/queue-3.18/net-fix-socket-refcounting-in-skb_complete_wifi_ack.patch 
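Review bot: the new failure path in skb_complete_tx_timestamp() leaks the skb: when `atomic_inc_not_zero(&sk->sk_refcnt)` fails the function returns without either __skb_complete_tx_timestamp() or kfree_skb() having consumed `skb`. The sibling skb_complete_wifi_ack() change in this same queue initialises `err = 1` precisely so that the refcount-zero case still reaches `kfree_skb(skb)`; this hunk should do the equivalent with an `else kfree_skb(skb);` so that a TX completion arriving after the socket is gone drops the clone instead of leaking it.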
@@ -0,0 +1,62 @@ +From dd4f10722aeb10f4f582948839f066bebe44e5fb Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 3 Mar 2017 21:01:02 -0800 +Subject: net: fix socket refcounting in skb_complete_wifi_ack() + +From: Eric Dumazet + +commit dd4f10722aeb10f4f582948839f066bebe44e5fb upstream. + +TX skbs do not necessarily hold a reference on skb->sk->sk_refcnt +By the time TX completion happens, sk_refcnt might be already 0. + +sock_hold()/sock_put() would then corrupt critical state, like +sk_wmem_alloc. + +Fixes: bf7fa551e0ce ("mac80211: Resolve sk_refcnt/sk_wmem_alloc issue in wifi ack path") +Signed-off-by: Eric Dumazet +Cc: Alexander Duyck +Cc: Johannes Berg +Cc: Soheil Hassas Yeganeh +Cc: Willem de Bruijn +Acked-by: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/skbuff.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3661,7 +3661,7 @@ void skb_complete_wifi_ack(struct sk_buf + { + struct sock *sk = skb->sk; + struct sock_exterr_skb *serr; +- int err; ++ int err = 1; + + skb->wifi_acked_valid = 1; + skb->wifi_acked = acked; +@@ -3671,14 +3671,15 @@ void skb_complete_wifi_ack(struct sk_buf + serr->ee.ee_errno = ENOMSG; + serr->ee.ee_origin = SO_EE_ORIGIN_TXSTATUS; + +- /* take a reference to prevent skb_orphan() from freeing the socket */ +- sock_hold(sk); +- +- err = sock_queue_err_skb(sk, skb); ++ /* Take a reference to prevent skb_orphan() from freeing the socket, ++ * but only if the socket refcount is not zero. ++ */ ++ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { ++ err = sock_queue_err_skb(sk, skb); ++ sock_put(sk); ++ } + if (err) + kfree_skb(skb); +- +- sock_put(sk); + } + EXPORT_SYMBOL_GPL(skb_complete_wifi_ack); + 
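Review bot: `int err = 1;` is a non-errno sentinel whose only purpose is to make the refcount-zero case fall through to `kfree_skb(skb)`, but nothing says so; every other assignment to `err` in this function is a return value from sock_queue_err_skb(), so a one-line comment on the initialiser (or an explicit `else kfree_skb(skb);` branch with the initialiser left as plain `int err;`) would make the intent obvious to the next reader.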
diff --git a/queue-3.18/powerpc-emulation-support-for-load-store-instructions-on-le.patch b/queue-3.18/powerpc-emulation-support-for-load-store-instructions-on-le.patch new file mode 100644 index 00000000000..cce4f51d2e0 --- /dev/null +++ b/queue-3.18/powerpc-emulation-support-for-load-store-instructions-on-le.patch 
@@ -0,0 +1,110 @@ +From e148bd17f48bd17fca2f4f089ec879fa6e47e34c Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 14 Feb 2017 14:46:42 +0530 +Subject: powerpc: Emulation support for load/store instructions on LE + +From: Ravi Bangoria + +commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream. + +emulate_step() uses a number of underlying kernel functions that were +initially not enabled for LE. This has been rectified since. So, fix +emulate_step() for LE for the corresponding instructions. + +Reported-by: Anton Blanchard +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/sstep.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -1806,8 +1806,6 @@ int __kprobes emulate_step(struct pt_reg + goto instr_done; + + case LARX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1829,8 +1827,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case STCX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1854,8 +1850,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case LOAD: +- if (regs->msr & MSR_LE) +- return 0; + err = read_mem(®s->gpr[op.reg], op.ea, size, regs); + if (!err) { + if (op.type & SIGNEXT) +@@ -1866,8 +1860,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case LOAD_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_load(op.reg, do_lfs, op.ea, size, regs); + else +@@ -1876,15 +1868,11 @@ int __kprobes emulate_step(struct pt_reg + + #ifdef CONFIG_ALTIVEC + case LOAD_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case LOAD_VSX: +- if (regs->msr & MSR_LE) +- return 0; + 
err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs); + goto ldst_done; + #endif +@@ -1907,8 +1895,6 @@ int __kprobes emulate_step(struct pt_reg + goto instr_done; + + case STORE: +- if (regs->msr & MSR_LE) +- return 0; + if ((op.type & UPDATE) && size == sizeof(long) && + op.reg == 1 && op.update_reg == 1 && + !(regs->msr & MSR_PR) && +@@ -1920,8 +1906,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case STORE_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_store(op.reg, do_stfs, op.ea, size, regs); + else +@@ -1930,15 +1914,11 @@ int __kprobes emulate_step(struct pt_reg + + #ifdef CONFIG_ALTIVEC + case STORE_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case STORE_VSX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs); + goto ldst_done; + #endif diff --git a/queue-3.18/s390-make-setup_randomness-work.patch b/queue-3.18/s390-make-setup_randomness-work.patch new file mode 100644 index 00000000000..7c959c5f499 --- /dev/null +++ b/queue-3.18/s390-make-setup_randomness-work.patch 
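Review bot: every hunk removes an `if (regs->msr & MSR_LE) return 0;` guard and relies on the commit message's claim that the helpers "have been rectified since", but whether read_mem()/write_mem(), do_fp_load()/do_fp_store(), do_vec_load()/do_vec_store() and do_vsx_load()/do_vsx_store() actually handle MSR_LE in the 3.18 tree is not visible here. Before this goes into 3.18 the backport should name the upstream commits that made those helpers LE-safe and confirm they are present, since removing the guards turns a safe refusal to emulate into a silently wrong emulation if they are not.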
@@ -0,0 +1,44 @@ +From da8fd820f389a0e29080b14c61bf5cf1d8ef5ca1 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Sat, 4 Feb 2017 11:40:36 +0100 +Subject: s390: make setup_randomness work + +From: Heiko Carstens + +commit da8fd820f389a0e29080b14c61bf5cf1d8ef5ca1 upstream. + +Commit bcfcbb6bae64 ("s390: add system information as device +randomness") intended to add some virtual machine specific information +to the randomness pool. + +Unfortunately it uses the page allocator before it is ready to use. In +result the page allocator always returns NULL and the setup_randomness +function never adds anything to the randomness pool. + +To fix this use memblock_alloc and memblock_free instead. + +Fixes: bcfcbb6bae64 ("s390: add system information as device randomness") +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -822,10 +822,10 @@ static void __init setup_randomness(void + { + struct sysinfo_3_2_2 *vmms; + +- vmms = (struct sysinfo_3_2_2 *) alloc_page(GFP_KERNEL); +- if (vmms && stsi(vmms, 3, 2, 2) == 0 && vmms->count) ++ vmms = (struct sysinfo_3_2_2 *) memblock_alloc(PAGE_SIZE, PAGE_SIZE); ++ if (stsi(vmms, 3, 2, 2) == 0 && vmms->count) + add_device_randomness(&vmms, vmms->count); +- free_page((unsigned long) vmms); ++ memblock_free((unsigned long) vmms, PAGE_SIZE); + } + + /* diff --git a/queue-3.18/s390-qdio-clear-dsci-prior-to-scanning-multiple-input-queues.patch b/queue-3.18/s390-qdio-clear-dsci-prior-to-scanning-multiple-input-queues.patch new file mode 100644 index 00000000000..1111d96c25a --- /dev/null +++ b/queue-3.18/s390-qdio-clear-dsci-prior-to-scanning-multiple-input-queues.patch 
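Review bot: the `vmms &&` NULL check is dropped together with the allocator change, so the new code relies on memblock_alloc() panicking rather than returning NULL on failure; either keep the check or say in the commit message that memblock_alloc() cannot return NULL in this tree. Separately, the unchanged context line `add_device_randomness(&vmms, vmms->count);` still passes the address of the local pointer variable, not the SYSIB buffer, so the pool is fed a few bytes of stack rather than the VM description blocks; that is corrected by the next patch in this queue (s390-use-correct-input-data-address-for-setup_randomness.patch), and the two should be applied together.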
@@ -0,0 +1,60 @@ +From 1e4a382fdc0ba8d1a85b758c0811de3a3631085e Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 21 Nov 2016 13:37:48 +0100 +Subject: s390/qdio: clear DSCI prior to scanning multiple input queues + +From: Julian Wiedmann + +commit 1e4a382fdc0ba8d1a85b758c0811de3a3631085e upstream. + +For devices with multiple input queues, tiqdio_call_inq_handlers() +iterates over all input queues and clears the device's DSCI +during each iteration. If the DSCI is re-armed during one +of the later iterations, we therefore do not scan the previous +queues again. +The re-arming also raises a new adapter interrupt. But its +handler does not trigger a rescan for the device, as the DSCI +has already been erroneously cleared. +This can result in queue stalls on devices with multiple +input queues. + +Fix it by clearing the DSCI just once, prior to scanning the queues. + +As the code is moved in front of the loop, we also need to access +the DSCI directly (ie irq->dsci) instead of going via each queue's +parent pointer to the same irq. This is not a functional change, +and a follow-up patch will clean up the other users. + +In practice, this bug only affects CQ-enabled HiperSockets devices, +ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is +needed for AF_IUCV socket applications that use HiperSockets +communication. 
+ +Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") +Reviewed-by: Ursula Braun +Signed-off-by: Julian Wiedmann +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_thinint.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/s390/cio/qdio_thinint.c ++++ b/drivers/s390/cio/qdio_thinint.c +@@ -147,11 +147,11 @@ static inline void tiqdio_call_inq_handl + struct qdio_q *q; + int i; + +- for_each_input_queue(irq, q, i) { +- if (!references_shared_dsci(irq) && +- has_multiple_inq_on_dsci(irq)) +- xchg(q->irq_ptr->dsci, 0); ++ if (!references_shared_dsci(irq) && ++ has_multiple_inq_on_dsci(irq)) ++ xchg(irq->dsci, 0); + ++ for_each_input_queue(irq, q, i) { + if (q->u.in.queue_start_poll) { + /* skip if polling is enabled or already in work */ + if (test_and_set_bit(QDIO_QUEUE_IRQS_DISABLED, diff --git a/queue-3.18/s390-task_size-for-kernel-threads.patch b/queue-3.18/s390-task_size-for-kernel-threads.patch new file mode 100644 index 00000000000..20e57f61eb7 --- /dev/null +++ b/queue-3.18/s390-task_size-for-kernel-threads.patch 
@@ -0,0 +1,34 @@ +From fb94a687d96c570d46332a4a890f1dcb7310e643 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Fri, 24 Feb 2017 07:43:51 +0100 +Subject: s390: TASK_SIZE for kernel threads + +From: Martin Schwidefsky + +commit fb94a687d96c570d46332a4a890f1dcb7310e643 upstream. + +Return a sensible value if TASK_SIZE if called from a kernel thread. + +This gets us around an issue with copy_mount_options that does a magic +size calculation "TASK_SIZE - (unsigned long)data" while in a kernel +thread and data pointing to kernel space. + +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/processor.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/s390/include/asm/processor.h ++++ b/arch/s390/include/asm/processor.h +@@ -74,7 +74,8 @@ extern void execve_tail(void); + + #else /* CONFIG_64BIT */ + +-#define TASK_SIZE_OF(tsk) ((tsk)->mm->context.asce_limit) ++#define TASK_SIZE_OF(tsk) ((tsk)->mm ? \ ++ (tsk)->mm->context.asce_limit : TASK_MAX_SIZE) + #define TASK_UNMAPPED_BASE (test_thread_flag(TIF_31BIT) ? \ + (1UL << 30) : (1UL << 41)) + #define TASK_SIZE TASK_SIZE_OF(current) diff --git a/queue-3.18/s390-use-correct-input-data-address-for-setup_randomness.patch b/queue-3.18/s390-use-correct-input-data-address-for-setup_randomness.patch new file mode 100644 index 00000000000..5a8ffcd8a7e --- /dev/null +++ b/queue-3.18/s390-use-correct-input-data-address-for-setup_randomness.patch 
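Review bot: the hunk changes only the 64-bit definition of TASK_SIZE_OF (the branch after `#else /* CONFIG_64BIT */`); if the 31-bit definition above it also dereferences `(tsk)->mm`, a kernel thread on a 31-bit kernel still hits the same NULL dereference in copy_mount_options(), so either patch that branch as well or note in the commit message why it is unaffected. The macro also now evaluates `(tsk)` twice, which is fine for `current` but worth a comment for callers passing an expression with side effects.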
@@ -0,0 +1,41 @@ +From 4920e3cf77347d7d7373552d4839e8d832321313 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Sun, 5 Feb 2017 23:03:18 +0100 +Subject: s390: use correct input data address for setup_randomness + +From: Heiko Carstens + +commit 4920e3cf77347d7d7373552d4839e8d832321313 upstream. + +The current implementation of setup_randomness uses the stack address +and therefore the pointer to the SYSIB 3.2.2 block as input data +address. Furthermore the length of the input data is the number of +virtual-machine description blocks which is typically one. + +This means that typically a single zero byte is fed to +add_device_randomness. + +Fix both of these and use the address of the first virtual machine +description block as input data address and also use the correct +length. + +Fixes: bcfcbb6bae64 ("s390: add system information as device randomness") +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -824,7 +824,7 @@ static void __init setup_randomness(void + + vmms = (struct sysinfo_3_2_2 *) memblock_alloc(PAGE_SIZE, PAGE_SIZE); + if (stsi(vmms, 3, 2, 2) == 0 && vmms->count) +- add_device_randomness(&vmms, vmms->count); ++ add_device_randomness(&vmms->vm, sizeof(vmms->vm[0]) * vmms->count); + memblock_free((unsigned long) vmms, PAGE_SIZE); + } + diff --git a/queue-3.18/series b/queue-3.18/series index d22f6e0ff83..585a6b2a890 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
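Review bot: `sizeof(vmms->vm[0]) * vmms->count` trusts the hardware-supplied count without bounding it against the number of entries in `vmms->vm`; if `vm` is a fixed-size array, a count larger than that array would feed bytes beyond the description blocks (the rest of the PAGE_SIZE allocation) into add_device_randomness(). Clamping `vmms->count` to ARRAY_SIZE(vmms->vm) costs nothing and makes the length obviously safe.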
@@ -118,3 +118,28 @@ crypto-cryptd-assign-statesize-properly.patch crypto-mcryptd-fix-load-failure.patch crypto-algif_hash-avoid-zero-sized-array.patch crypto-ghash-clmulni-fix-load-failure.patch +s390-qdio-clear-dsci-prior-to-scanning-multiple-input-queues.patch +s390-task_size-for-kernel-threads.patch +s390-make-setup_randomness-work.patch +s390-use-correct-input-data-address-for-setup_randomness.patch +kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch +usb-serial-qcserial-add-dell-dw5811e.patch +usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch +usb-core-add-linear_frame_intr_binterval-usb-quirk.patch +usb-uss720-fix-null-deref-at-probe.patch +usb-lvtest-fix-null-deref-at-probe.patch +usb-idmouse-fix-null-deref-at-probe.patch +usb-wusbcore-fix-null-deref-at-probe.patch +usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch +usb-fix-linked-list-corruption-in-rh_call_control.patch +mips-ip27-disable-qlge-driver-in-defconfig.patch +mips-ip22-fix-ip28-build-for-modern-gcc.patch +mips-dec-avoid-la-pseudo-instruction-in-delay-slots.patch +powerpc-emulation-support-for-load-store-instructions-on-le.patch +libceph-don-t-set-weight-to-in-when-osd-is-destroyed.patch +tcp-fix-various-issues-for-sockets-morphing-to-listen-state.patch +net-fix-socket-refcounting-in-skb_complete_wifi_ack.patch +net-fix-socket-refcounting-in-skb_complete_tx_timestamp.patch +uapi-fix-linux-packet_diag.h-userspace-compilation-error.patch +dccp-tcp-fix-routing-redirect-race.patch +dccp-fix-memory-leak-during-tear-down-of-unsuccessful-connection-request.patch diff --git a/queue-3.18/tcp-fix-various-issues-for-sockets-morphing-to-listen-state.patch b/queue-3.18/tcp-fix-various-issues-for-sockets-morphing-to-listen-state.patch new file mode 100644 index 00000000000..fc73d6f3c2c --- /dev/null +++ b/queue-3.18/tcp-fix-various-issues-for-sockets-morphing-to-listen-state.patch 
@@ -0,0 +1,74 @@ +From 02b2faaf0af1d85585f6d6980e286d53612acfc2 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 3 Mar 2017 14:08:21 -0800 +Subject: tcp: fix various issues for sockets morphing to listen state + +From: Eric Dumazet + +commit 02b2faaf0af1d85585f6d6980e286d53612acfc2 upstream. + +Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting +tcp_disconnect() path that was never really considered and/or used +before syzkaller ;) + +I was not able to reproduce the bug, but it seems issues here are the +three possible actions that assumed they would never trigger on a +listener. + +1) tcp_write_timer_handler +2) tcp_delack_timer_handler +3) MTU reduction + +Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN + states from tcp_v6_mtu_reduced() + +Signed-off-by: Eric Dumazet +Reported-by: Dmitry Vyukov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_ipv4.c | 7 +++++-- + net/ipv4/tcp_timer.c | 6 ++++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -271,10 +271,13 @@ EXPORT_SYMBOL(tcp_v4_connect); + */ + void tcp_v4_mtu_reduced(struct sock *sk) + { +- struct dst_entry *dst; + struct inet_sock *inet = inet_sk(sk); +- u32 mtu = tcp_sk(sk)->mtu_info; ++ struct dst_entry *dst; ++ u32 mtu; + ++ if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) ++ return; ++ mtu = tcp_sk(sk)->mtu_info; + dst = inet_csk_update_pmtu(sk, mtu); + if (!dst) + return; +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -207,7 +207,8 @@ void tcp_delack_timer_handler(struct soc + + sk_mem_reclaim_partial(sk); + +- if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) ++ if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) || ++ !(icsk->icsk_ack.pending & ICSK_ACK_TIMER)) + goto out; + + if (time_after(icsk->icsk_ack.timeout, jiffies)) { +@@ -486,7 +487,8 @@ void tcp_write_timer_handler(struct sock + struct 
inet_connection_sock *icsk = inet_csk(sk); + int event; + +- if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending) ++ if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) || ++ !icsk->icsk_pending) + goto out; + + if (time_after(icsk->icsk_timeout, jiffies)) { diff --git a/queue-3.18/uapi-fix-linux-packet_diag.h-userspace-compilation-error.patch b/queue-3.18/uapi-fix-linux-packet_diag.h-userspace-compilation-error.patch new file mode 100644 index 00000000000..a79eac59add --- /dev/null +++ b/queue-3.18/uapi-fix-linux-packet_diag.h-userspace-compilation-error.patch @@ -0,0 +1,44 @@ +From 745cb7f8a5de0805cade3de3991b7a95317c7c73 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Tue, 7 Mar 2017 23:50:50 +0300 +Subject: uapi: fix linux/packet_diag.h userspace compilation error + +From: Dmitry V. Levin + +commit 745cb7f8a5de0805cade3de3991b7a95317c7c73 upstream. + +Replace MAX_ADDR_LEN with its numeric value to fix the following +linux/packet_diag.h userspace compilation error: + +/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function) + __u8 pdmc_addr[MAX_ADDR_LEN]; + +This is not the first case in the UAPI where the numeric value +of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h +already does the same: + +$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h + __u8 mac[32]; /* MAX_ADDR_LEN */ + +There are no UAPI headers besides these two that use MAX_ADDR_LEN. + +Signed-off-by: Dmitry V. Levin +Acked-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/packet_diag.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/linux/packet_diag.h ++++ b/include/uapi/linux/packet_diag.h +@@ -64,7 +64,7 @@ struct packet_diag_mclist { + __u32 pdmc_count; + __u16 pdmc_type; + __u16 pdmc_alen; +- __u8 pdmc_addr[MAX_ADDR_LEN]; ++ __u8 pdmc_addr[32]; /* MAX_ADDR_LEN */ + }; + + struct packet_diag_ring { 
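Review bot: hard-coding `pdmc_addr[32]` decouples the UAPI layout from MAX_ADDR_LEN, so a future change to MAX_ADDR_LEN would silently break the kernel/user ABI for packet_diag; add a `BUILD_BUG_ON(MAX_ADDR_LEN != 32)` next to the kernel-side code that fills pdmc_addr so the mismatch is caught at build time, mirroring the `__u8 mac[32]; /* MAX_ADDR_LEN */` convention in if_link.h that the commit message cites.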
diff --git a/queue-3.18/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch b/queue-3.18/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch new file mode 100644 index 00000000000..cccae810676 --- /dev/null +++ b/queue-3.18/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch 
@@ -0,0 +1,83 @@ +From 3243367b209faed5c320a4e5f9a565ee2a2ba958 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Mon, 13 Mar 2017 20:50:08 +0100 +Subject: usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk + +From: Samuel Thibault + +commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream. + +Some USB 2.0 devices erroneously report millisecond values in +bInterval. The generic config code manages to catch most of them, +but in some cases it's not completely enough. + +The case at stake here is a USB 2.0 braille device, which wants to +announce 10ms and thus sets bInterval to 10, but with the USB 2.0 +computation that yields to 64ms. It happens that one can type fast +enough to reach this interval and get the device buffers overflown, +leading to problematic latencies. The generic config code does not +catch this case because the 64ms is considered a sane enough value. + +This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk +to mark devices which actually report milliseconds in bInterval, +and marks Vario Ultra devices as needing it. + +Signed-off-by: Samuel Thibault +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 10 ++++++++++ + drivers/usb/core/quirks.c | 8 ++++++++ + include/linux/usb/quirks.h | 6 ++++++ + 3 files changed, 24 insertions(+) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -208,6 +208,16 @@ static int usb_parse_endpoint(struct dev + + /* + * Adjust bInterval for quirked devices. ++ */ ++ /* ++ * This quirk fixes bIntervals reported in ms. ++ */ ++ if (to_usb_device(ddev)->quirks & ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) { ++ n = clamp(fls(d->bInterval) + 3, i, j); ++ i = j = n; ++ } ++ /* + * This quirk fixes bIntervals reported in + * linear microframes. 
+ */ +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -163,6 +163,14 @@ static const struct usb_device_id usb_qu + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Baum Vario Ultra */ ++ { USB_DEVICE(0x0904, 0x6101), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ { USB_DEVICE(0x0904, 0x6102), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ { USB_DEVICE(0x0904, 0x6103), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ + /* Keytouch QWERTY Panel keyboard */ + { USB_DEVICE(0x0926, 0x3333), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -50,4 +50,10 @@ + /* device can't handle Link Power Management */ + #define USB_QUIRK_NO_LPM BIT(10) + ++/* ++ * Device reports its bInterval as linear frames instead of the ++ * USB 2.0 calculation. ++ */ ++#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) ++ + #endif /* __LINUX_USB_QUIRKS_H */ diff --git a/queue-3.18/usb-fix-linked-list-corruption-in-rh_call_control.patch b/queue-3.18/usb-fix-linked-list-corruption-in-rh_call_control.patch new file mode 100644 index 00000000000..556449f5e47 --- /dev/null +++ b/queue-3.18/usb-fix-linked-list-corruption-in-rh_call_control.patch 
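Review bot: the conversion `n = clamp(fls(d->bInterval) + 3, i, j); i = j = n;` in usb_parse_endpoint() needs a comment explaining the arithmetic: bInterval is here taken as 1 ms frames, the USB 2.0 interval is 2^(n-1) microframes of 125 µs, so +3 is the ×8 frames-to-microframes factor and fls() rounds the millisecond value down to a power of two. For the Vario Ultra's bInterval of 10 that gives fls(10) + 3 = 7, i.e. 2^6 = 64 microframes = 8 ms, which is the intended result but not obvious from the expression. The comment should also say that this quirk must stay ahead of the linear-microframes quirk that follows it, since it overwrites both i and j.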
@@ -0,0 +1,48 @@ +From 1633682053a7ee8058e10c76722b9b28e97fb73f Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 24 Mar 2017 13:38:28 -0400 +Subject: USB: fix linked-list corruption in rh_call_control() + +From: Alan Stern + +commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream. + +Using KASAN, Dmitry found a bug in the rh_call_control() routine: If +buffer allocation fails, the routine returns immediately without +unlinking its URB from the control endpoint, eventually leading to +linked-list corruption. + +This patch fixes the problem by jumping to the end of the routine +(where the URB is unlinked) when an allocation failure occurs. + +Signed-off-by: Alan Stern +Reported-and-tested-by: Dmitry Vyukov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hcd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -498,8 +498,10 @@ static int rh_call_control (struct usb_h + */ + tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength); + tbuf = kzalloc(tbuf_size, GFP_KERNEL); +- if (!tbuf) +- return -ENOMEM; ++ if (!tbuf) { ++ status = -ENOMEM; ++ goto err_alloc; ++ } + + bufp = tbuf; + +@@ -702,6 +704,7 @@ error: + } + + kfree(tbuf); ++ err_alloc: + + /* any errors get returned through the urb completion */ + spin_lock_irq(&hcd_root_hub_lock); diff --git a/queue-3.18/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch b/queue-3.18/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch new file mode 100644 index 00000000000..77f21b44874 --- /dev/null +++ b/queue-3.18/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch 
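Review bot: placing `err_alloc:` after `kfree(tbuf)` is right, since tbuf is NULL on that path and the URB unlink below it is what the fix needs, but the new label is indented while the existing `error:` label in the same function sits at column 0, so checkpatch will flag it; a short comment at the label noting that it is reached with tbuf == NULL would also stop a later cleanup from hoisting kfree(tbuf) below it.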
@@ -0,0 +1,39 @@ +From 09424c50b7dff40cb30011c09114404a4656e023 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 8 Mar 2017 16:05:43 +0200 +Subject: usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval + +From: Roger Quadros + +commit 09424c50b7dff40cb30011c09114404a4656e023 upstream. + +The streaming_maxburst module parameter is 0 offset (0..15) +so we must add 1 while using it for wBytesPerInterval +calculation for the SuperSpeed companion descriptor. + +Without this host uvcvideo driver will always see the wrong +wBytesPerInterval for SuperSpeed uvc gadget and may not find +a suitable video interface endpoint. +e.g. for streaming_maxburst = 0 case it will always +fail as wBytePerInterval was evaluating to 0. + +Reviewed-by: Laurent Pinchart +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_uvc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -643,7 +643,7 @@ uvc_function_bind(struct usb_configurati + uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst; + uvc_ss_streaming_comp.wBytesPerInterval = + cpu_to_le16(max_packet_size * max_packet_mult * +- opts->streaming_maxburst); ++ (opts->streaming_maxburst + 1)); + + /* Allocate endpoints. */ + ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep); diff --git a/queue-3.18/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch b/queue-3.18/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch new file mode 100644 index 00000000000..c233d1975db --- /dev/null +++ b/queue-3.18/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch 
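Review bot: the `+ 1` is correct (bMaxBurst is zero-based in the SuperSpeed endpoint companion descriptor, so bytes per interval is packet size × mult × (burst + 1)), but the adjacent unchanged line keeps `bMaxBurst = opts->streaming_maxburst` zero-based, and a reader will wonder why one use is adjusted and the other is not; a comment on the wBytesPerInterval line saying the module parameter is 0..15 like the descriptor field would prevent someone later "fixing" the bMaxBurst assignment. The worst case 1024 × 3 × 16 = 49152 still fits the 16-bit field.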
@@ -0,0 +1,73 @@ +From 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 8 Mar 2017 10:19:36 -0800 +Subject: usb: hub: Fix crash after failure to read BOS descriptor + +From: Guenter Roeck + +commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream. + +If usb_get_bos_descriptor() returns an error, usb->bos will be NULL. +Nevertheless, it is dereferenced unconditionally in +hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set. +This results in a crash. + +usb 5-1: unable to get BOS descriptor +... +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = ffffffc00165f000 +[00000008] *pgd=000000000174f003, *pud=000000000174f003, + *pmd=0000000001750003, *pte=00e8000001751713 +Internal error: Oops: 96000005 [#1] PREEMPT SMP +Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ] +CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480 +Hardware name: Google Kevin (DT) +Workqueue: events driver_set_config_work +task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000 +PC is at hub_port_init+0xc3c/0xd10 +LR is at hub_port_init+0xc3c/0xd10 +... +Call trace: +[] hub_port_init+0xc3c/0xd10 +[] usb_reset_and_verify_device+0x15c/0x82c +[] usb_reset_device+0xe4/0x298 +[] rtl8152_probe+0x84/0x9b0 [r8152] +[] usb_probe_interface+0x244/0x2f8 +[] driver_probe_device+0x180/0x3b4 +[] __device_attach_driver+0xb4/0xe0 +[] bus_for_each_drv+0xb4/0xe4 +[] __device_attach+0xd0/0x158 +[] device_initial_probe+0x24/0x30 +[] bus_probe_device+0x50/0xe4 +[] device_add+0x414/0x738 +[] usb_set_configuration+0x89c/0x914 +[] driver_set_config_work+0xc0/0xf0 +[] process_one_work+0x390/0x6b8 +[] worker_thread+0x480/0x610 +[] kthread+0x164/0x178 +[] ret_from_fork+0x10/0x40 + +Since we don't know anything about LPM capabilities without BOS descriptor, +don't attempt to enable LPM if it is not available. 
+ +Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...") +Cc: Mathias Nyman +Signed-off-by: Guenter Roeck +Acked-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4175,7 +4175,7 @@ static void hub_set_initial_usb2_lpm_pol + struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); + int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN; + +- if (!udev->usb2_hw_lpm_capable) ++ if (!udev->usb2_hw_lpm_capable || !udev->bos) + return; + + if (hub) diff --git a/queue-3.18/usb-idmouse-fix-null-deref-at-probe.patch b/queue-3.18/usb-idmouse-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..93dc6ec9323 --- /dev/null +++ b/queue-3.18/usb-idmouse-fix-null-deref-at-probe.patch @@ -0,0 +1,32 @@ +From b0addd3fa6bcd119be9428996d5d4522479ab240 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:48 +0100 +Subject: USB: idmouse: fix NULL-deref at probe + +From: Johan Hovold + +commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/idmouse.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_inte + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; + ++ if (iface_desc->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + /* allocate memory for our device state and initialize it */ + dev = kzalloc(sizeof(*dev), GFP_KERNEL); + if (dev == NULL) 
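Review bot: the added `|| !udev->bos` test in the hub.c hunk matches the failure described in the message, but the outcome (LPM silently left disabled for a device that advertised `usb2_hw_lpm_capable`) leaves nothing in the log; a debug-level message on that early return would make it easier to correlate with the "unable to get BOS descriptor" line during triage of devices that unexpectedly run without LPM.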
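Review bot: the `bNumEndpoints < 1` check in the idmouse hunk sits after the `bInterfaceClass` test and before `kzalloc`, so the new early return leaks nothing; the bound should equal the highest endpoint index the rest of probe dereferences, which this hunk does not show, so confirm the driver only indexes `endpoint[0]` (the lvstest fix in this series uses the same bound for exactly that case) or raise the bound to match.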
diff --git a/queue-3.18/usb-lvtest-fix-null-deref-at-probe.patch b/queue-3.18/usb-lvtest-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..49987c93e32 --- /dev/null +++ b/queue-3.18/usb-lvtest-fix-null-deref-at-probe.patch @@ -0,0 +1,36 @@ +From 1dc56c52d2484be09c7398a5207d6b11a4256be9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:49 +0100 +Subject: USB: lvtest: fix NULL-deref at probe + +From: Johan Hovold + +commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should the probed device lack endpoints. + +Note that this driver does not bind to any devices by default. + +Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver") +Cc: Pratyush Anand +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/lvstest.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/misc/lvstest.c ++++ b/drivers/usb/misc/lvstest.c +@@ -370,6 +370,10 @@ static int lvs_rh_probe(struct usb_inter + + hdev = interface_to_usbdev(intf); + desc = intf->cur_altsetting; ++ ++ if (desc->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &desc->endpoint[0].desc; + + /* valid only for SS root hub */ diff --git a/queue-3.18/usb-serial-qcserial-add-dell-dw5811e.patch b/queue-3.18/usb-serial-qcserial-add-dell-dw5811e.patch new file mode 100644 index 00000000000..5a7adfb7d2a --- /dev/null +++ b/queue-3.18/usb-serial-qcserial-add-dell-dw5811e.patch 
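Review bot: the `< 1` bound in the lvstest hunk lines up with the single `desc->endpoint[0].desc` read that follows it, and nothing in the preceding context lines acquires a resource that would need releasing on the new `return -ENODEV`, so unlike the uss720 patch in this series no put is required; a brief comment at the check naming endpoint 0 as the one the driver needs would make that correspondence explicit.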
@@ -0,0 +1,33 @@ +From 436ecf5519d892397af133a79ccd38a17c25fa51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 17 Mar 2017 17:21:28 +0100 +Subject: USB: serial: qcserial: add Dell DW5811e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream. + +This is a Dell branded Sierra Wireless EM7455. + +Signed-off-by: Bjørn Mork +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/qcserial.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -163,6 +163,8 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ ++ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ ++ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ + + /* Huawei devices */ + {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */ diff --git a/queue-3.18/usb-uss720-fix-null-deref-at-probe.patch b/queue-3.18/usb-uss720-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..fa195df9daf --- /dev/null +++ b/queue-3.18/usb-uss720-fix-null-deref-at-probe.patch 
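Review bot: the two new qcserial entries carry the identical comment `/* Dell Wireless 5811e QDL */` for two different product IDs (0x81b5 and 0x81b6); if only one of them is the QDL (firmware download) composition and the other the normal modem composition, label them accordingly, and the commit message ("This is a Dell branded Sierra Wireless EM7455") should say which interfaces each ID exposes so the choice of `DEVICE_SWI` for both can be checked against the device.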
@@ -0,0 +1,41 @@ +From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:50 +0100 +Subject: USB: uss720: fix NULL-deref at probe + +From: Johan Hovold + +commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Note that the endpoint access that causes the NULL-deref is currently +only used for debugging purposes during probe so the oops only happens +when dynamic debugging is enabled. This means the driver could be +rewritten to continue to accept device with only two endpoints, should +such devices exist. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/uss720.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/misc/uss720.c ++++ b/drivers/usb/misc/uss720.c +@@ -715,6 +715,11 @@ static int uss720_probe(struct usb_inter + + interface = intf->cur_altsetting; + ++ if (interface->desc.bNumEndpoints < 3) { ++ usb_put_dev(usbdev); ++ return -ENODEV; ++ } ++ + /* + * Allocate parport interface + */ diff --git a/queue-3.18/usb-wusbcore-fix-null-deref-at-probe.patch b/queue-3.18/usb-wusbcore-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..76a4c8df156 --- /dev/null +++ b/queue-3.18/usb-wusbcore-fix-null-deref-at-probe.patch 
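Review bot: the early return in the uss720 hunk correctly pairs `usb_put_dev(usbdev)` with the rejection, dropping the device reference the rest of probe evidently holds, but the bound `3` is a bare constant; since the commit message says the third endpoint is only read under dynamic debugging, a comment at the check listing the endpoints probe indexes (and marking the third as debug-only) would document why two-endpoint devices are now refused and make the relaxation the message contemplates straightforward later.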
@@ -0,0 +1,38 @@ +From 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:51 +0100 +Subject: USB: wusbcore: fix NULL-deref at probe + +From: Johan Hovold + +commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +This specifically fixes the NULL-pointer dereference when probing HWA HC +devices. + +Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/wusbcore/wa-hc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/wusbcore/wa-hc.c ++++ b/drivers/usb/wusbcore/wa-hc.c +@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct us + int result; + struct device *dev = &iface->dev; + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 3) ++ return -ENODEV; ++ + result = wa_rpipes_create(wa); + if (result < 0) + goto error_rpipes_create;
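Review bot: the check in the wa-hc.c hunk is placed before `wa_rpipes_create(wa)`, so the new `return -ENODEV` has nothing to unwind, which is the right spot; the literal `3`, as in the uss720 fix, deserves a comment naming the endpoints HWA HC probing expects so the bound is not loosened by accident when the endpoint layout is next touched.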