From: Greg Kroah-Hartman Date: Fri, 4 May 2018 21:50:32 +0000 (-0700) Subject: drop a bunch of 4.4 patches X-Git-Tag: v4.9.99~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be5669c007359adf3d91261c8c699cdfa51a7dc7;p=thirdparty%2Fkernel%2Fstable-queue.git drop a bunch of 4.4 patches --- diff --git a/queue-4.4/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch b/queue-4.4/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch deleted file mode 100644 index c9e2a7e1750..00000000000 --- a/queue-4.4/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Lenny Szubowicz -Date: Tue, 27 Mar 2018 09:56:40 -0400 -Subject: ACPI: acpi_pad: Fix memory leak in power saving threads - -From: Lenny Szubowicz - -[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ] - -Fix once per second (round_robin_time) memory leak of about 1 KB in -each acpi_pad kernel idling thread that is activated. - -Found by testing with kmemleak. - -Signed-off-by: Lenny Szubowicz -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/acpi_pad.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/acpi/acpi_pad.c -+++ b/drivers/acpi/acpi_pad.c -@@ -108,6 +108,7 @@ static void round_robin_cpu(unsigned int - cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus); - if (cpumask_empty(tmp)) { - mutex_unlock(&round_robin_lock); -+ free_cpumask_var(tmp); - return; - } - for_each_cpu(cpu, tmp) { -@@ -125,6 +126,8 @@ static void round_robin_cpu(unsigned int - mutex_unlock(&round_robin_lock); - - set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu)); -+ -+ free_cpumask_var(tmp); - } - - static void exit_round_robin(unsigned int tsk_index) diff --git a/queue-4.4/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch b/queue-4.4/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch deleted file mode 100644 index 257fc10dff0..00000000000 --- a/queue-4.4/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch +++ /dev/null @@ -1,99 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Chen Yu -Date: Mon, 29 Jan 2018 10:26:46 +0800 -Subject: ACPI: processor_perflib: Do not send _PPC change notification if not ready - -From: Chen Yu - -[ Upstream commit ba1edb9a5125a617d612f98eead14b9b84e75c3a ] - -The following warning was triggered after resumed from S3 - -if all the nonboot CPUs were put offline before suspend: - -[ 1840.329515] unchecked MSR access error: RDMSR from 0x771 at rIP: 0xffffffff86061e3a (native_read_msr+0xa/0x30) -[ 1840.329516] Call Trace: -[ 1840.329521] __rdmsr_on_cpu+0x33/0x50 -[ 1840.329525] generic_exec_single+0x81/0xb0 -[ 1840.329527] smp_call_function_single+0xd2/0x100 -[ 1840.329530] ? acpi_ds_result_pop+0xdd/0xf2 -[ 1840.329532] ? acpi_ds_create_operand+0x215/0x23c -[ 1840.329534] rdmsrl_on_cpu+0x57/0x80 -[ 1840.329536] ? cpumask_next+0x1b/0x20 -[ 1840.329538] ? rdmsrl_on_cpu+0x57/0x80 -[ 1840.329541] intel_pstate_update_perf_limits+0xf3/0x220 -[ 1840.329544] ? notifier_call_chain+0x4a/0x70 -[ 1840.329546] intel_pstate_set_policy+0x4e/0x150 -[ 1840.329548] cpufreq_set_policy+0xcd/0x2f0 -[ 1840.329550] cpufreq_update_policy+0xb2/0x130 -[ 1840.329552] ? cpufreq_update_policy+0x130/0x130 -[ 1840.329556] acpi_processor_ppc_has_changed+0x65/0x80 -[ 1840.329558] acpi_processor_notify+0x80/0x100 -[ 1840.329561] acpi_ev_notify_dispatch+0x44/0x5c -[ 1840.329563] acpi_os_execute_deferred+0x14/0x20 -[ 1840.329565] process_one_work+0x193/0x3c0 -[ 1840.329567] worker_thread+0x35/0x3b0 -[ 1840.329569] kthread+0x125/0x140 -[ 1840.329571] ? process_one_work+0x3c0/0x3c0 -[ 1840.329572] ? kthread_park+0x60/0x60 -[ 1840.329575] ? do_syscall_64+0x67/0x180 -[ 1840.329577] ret_from_fork+0x25/0x30 -[ 1840.329585] unchecked MSR access error: WRMSR to 0x774 (tried to write 0x0000000000000000) at rIP: 0xffffffff86061f78 (native_write_msr+0x8/0x30) -[ 1840.329586] Call Trace: -[ 1840.329587] __wrmsr_on_cpu+0x37/0x40 -[ 1840.329589] generic_exec_single+0x81/0xb0 -[ 1840.329592] smp_call_function_single+0xd2/0x100 -[ 1840.329594] ? acpi_ds_create_operand+0x215/0x23c -[ 1840.329595] ? cpumask_next+0x1b/0x20 -[ 1840.329597] wrmsrl_on_cpu+0x57/0x70 -[ 1840.329598] ? rdmsrl_on_cpu+0x57/0x80 -[ 1840.329599] ? wrmsrl_on_cpu+0x57/0x70 -[ 1840.329602] intel_pstate_hwp_set+0xd3/0x150 -[ 1840.329604] intel_pstate_set_policy+0x119/0x150 -[ 1840.329606] cpufreq_set_policy+0xcd/0x2f0 -[ 1840.329607] cpufreq_update_policy+0xb2/0x130 -[ 1840.329610] ? cpufreq_update_policy+0x130/0x130 -[ 1840.329613] acpi_processor_ppc_has_changed+0x65/0x80 -[ 1840.329615] acpi_processor_notify+0x80/0x100 -[ 1840.329617] acpi_ev_notify_dispatch+0x44/0x5c -[ 1840.329619] acpi_os_execute_deferred+0x14/0x20 -[ 1840.329620] process_one_work+0x193/0x3c0 -[ 1840.329622] worker_thread+0x35/0x3b0 -[ 1840.329624] kthread+0x125/0x140 -[ 1840.329625] ? process_one_work+0x3c0/0x3c0 -[ 1840.329626] ? kthread_park+0x60/0x60 -[ 1840.329628] ? do_syscall_64+0x67/0x180 -[ 1840.329631] ret_from_fork+0x25/0x30 - -This is because if there's only one online CPU, the MSR_PM_ENABLE -(package wide)can not be enabled after resumed, due to -intel_pstate_hwp_enable() will only be invoked on AP's online -process after resumed - if there's no AP online, the HWP remains -disabled after resumed (BIOS has disabled it in S3). Then if -there comes a _PPC change notification which touches HWP register -during this stage, the warning is triggered. - -Since we don't call acpi_processor_register_performance() when -HWP is enabled, the pr->performance will be NULL. When this is -NULL we don't need to do _PPC change notification. - -Reported-by: Doug Smythies -Suggested-by: Srinivas Pandruvada -Signed-off-by: Yu Chen -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/processor_perflib.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/acpi/processor_perflib.c -+++ b/drivers/acpi/processor_perflib.c -@@ -161,7 +161,7 @@ int acpi_processor_ppc_has_changed(struc - { - int ret; - -- if (ignore_ppc) { -+ if (ignore_ppc || !pr->performance) { - /* - * Only when it is notification event, the _OST object - * will be evaluated. Otherwise it is skipped. diff --git a/queue-4.4/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch b/queue-4.4/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch deleted file mode 100644 index e3510ff7e1e..00000000000 --- a/queue-4.4/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch +++ /dev/null @@ -1,91 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Seunghun Han -Date: Wed, 14 Mar 2018 16:12:56 -0700 -Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c - -From: Seunghun Han - -[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ] - -I found an ACPI cache leak in ACPI early termination and boot continuing case. - -When early termination occurs due to malicious ACPI table, Linux kernel -terminates ACPI function and continues to boot process. While kernel terminates -ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. - -Boot log of ACPI operand cache leak is as follows: ->[ 0.464168] ACPI: Added _OSI(Module Device) ->[ 0.467022] ACPI: Added _OSI(Processor Device) ->[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions) ->[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device) ->[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) ->[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) ->[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) ->[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543) ->[ 0.497683] ACPI: Interpreter enabled ->[ 0.499385] ACPI: (supports S0) ->[ 0.501151] ACPI: Using IOAPIC for interrupt routing ->[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) ->[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) ->[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) ->[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543) ->[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991) ->[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects ->[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 ->[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 ->[ 0.529668] Call Trace: ->[ 0.530811] ? dump_stack+0x5c/0x81 ->[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0 ->[ 0.533905] ? acpi_os_delete_cache+0xa/0x10 ->[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b ->[ 0.537237] ? acpi_terminate+0xa/0x14 ->[ 0.538701] ? acpi_init+0x2af/0x34f ->[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27 ->[ 0.541593] ? do_one_initcall+0x4e/0x1a0 ->[ 0.543008] ? kernel_init_freeable+0x19e/0x21f ->[ 0.546202] ? rest_init+0x80/0x80 ->[ 0.547513] ? kernel_init+0xa/0x100 ->[ 0.548817] ? ret_from_fork+0x25/0x30 ->[ 0.550587] vgaarb: loaded ->[ 0.551716] EDAC MC: Ver: 3.0.0 ->[ 0.553744] PCI: Probing PCI hardware ->[ 0.555038] PCI host bridge to bus 0000:00 -> ... Continue to boot and log is omitted ... - -I analyzed this memory leak in detail and found acpi_ns_evaluate() function -only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors -occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is -also not null. Therefore, this causes acpi operand memory leak. - -This cache leak causes a security threat because an old kernel (<= 4.9) shows -memory locations of kernel functions in stack dump. Some malicious users -could use this information to neutralize kernel ASLR. - -I made a patch to fix ACPI operand cache leak. - -Signed-off-by: Seunghun Han -Signed-off-by: Erik Schmauss -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/acpica/nseval.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/acpi/acpica/nseval.c -+++ b/drivers/acpi/acpica/nseval.c -@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi - /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */ - - status = AE_OK; -+ } else if (ACPI_FAILURE(status)) { -+ -+ /* If return_object exists, delete it */ -+ -+ if (info->return_object) { -+ acpi_ut_remove_reference(info->return_object); -+ info->return_object = NULL; -+ } - } - - ACPI_DEBUG_PRINT((ACPI_DB_NAMES, diff --git a/queue-4.4/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch b/queue-4.4/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch deleted file mode 100644 index bf3ed9027a2..00000000000 --- a/queue-4.4/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch +++ /dev/null @@ -1,45 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Erik Schmauss -Date: Wed, 14 Mar 2018 16:13:08 -0700 -Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read - -From: Erik Schmauss - -[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ] - -This ensures that acpi_ev_fixed_event_detect() does not use fixed_status -and and fixed_enable as uninitialized variables. - -Signed-off-by: Erik Schmauss -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/acpica/evevent.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - ---- a/drivers/acpi/acpica/evevent.c -+++ b/drivers/acpi/acpica/evevent.c -@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void) - u32 fixed_status; - u32 fixed_enable; - u32 i; -+ acpi_status status; - - ACPI_FUNCTION_NAME(ev_fixed_event_detect); - -@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void) - * Read the fixed feature status and enable registers, as all the cases - * depend on their values. Ignore errors here. - */ -- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); -- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); -+ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); -+ status |= -+ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); -+ if (ACPI_FAILURE(status)) { -+ return (int_status); -+ } - - ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS, - "Fixed Event Block: Enable %08X Status %08X\n", diff --git a/queue-4.4/alsa-hda-use-is_reachable-for-dependency-on-input.patch b/queue-4.4/alsa-hda-use-is_reachable-for-dependency-on-input.patch deleted file mode 100644 index c619f26ffc1..00000000000 --- a/queue-4.4/alsa-hda-use-is_reachable-for-dependency-on-input.patch +++ /dev/null @@ -1,60 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Takashi Iwai -Date: Mon, 15 Jan 2018 10:44:35 +0100 -Subject: ALSA: hda - Use IS_REACHABLE() for dependency on input - -From: Takashi Iwai - -[ Upstream commit c469652bb5e8fb715db7d152f46d33b3740c9b87 ] - -The commit ffcd28d88e4f ("ALSA: hda - Select INPUT for Realtek -HD-audio codec") introduced the reverse-selection of CONFIG_INPUT for -Realtek codec in order to avoid the mess with dependency between -built-in and modules. Later on, we obtained IS_REACHABLE() macro -exactly for this kind of problems, and now we can remove th INPUT -selection in Kconfig and put IS_REACHABLE(INPUT) to the appropriate -places in the code, so that the driver doesn't need to select other -subsystem forcibly. - -Fixes: ffcd28d88e4f ("ALSA: hda - Select INPUT for Realtek HD-audio codec") -Reported-by: Randy Dunlap -Acked-by: Randy Dunlap # and build-tested -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/Kconfig | 1 - - sound/pci/hda/patch_realtek.c | 5 +++++ - 2 files changed, 5 insertions(+), 1 deletion(-) - ---- a/sound/pci/hda/Kconfig -+++ b/sound/pci/hda/Kconfig -@@ -84,7 +84,6 @@ config SND_HDA_PATCH_LOADER - config SND_HDA_CODEC_REALTEK - tristate "Build Realtek HD-audio codec support" - select SND_HDA_GENERIC -- select INPUT - help - Say Y or M here to include Realtek HD-audio codec support in - snd-hda-intel driver, such as ALC880. ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -3495,6 +3495,7 @@ static void alc280_fixup_hp_gpio4(struct - } - } - -+#if IS_REACHABLE(INPUT) - static void gpio2_mic_hotkey_event(struct hda_codec *codec, - struct hda_jack_callback *event) - { -@@ -3627,6 +3628,10 @@ static void alc233_fixup_lenovo_line2_mi - spec->kb_dev = NULL; - } - } -+#else /* INPUT */ -+#define alc280_fixup_hp_gpio2_mic_hotkey NULL -+#define alc233_fixup_lenovo_line2_mic_hotkey NULL -+#endif /* INPUT */ - - static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec, - const struct hda_fixup *fix, int action) diff --git a/queue-4.4/alsa-vmaster-propagate-slave-error.patch b/queue-4.4/alsa-vmaster-propagate-slave-error.patch deleted file mode 100644 index 4621e190683..00000000000 --- a/queue-4.4/alsa-vmaster-propagate-slave-error.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Takashi Iwai -Date: Thu, 8 Mar 2018 08:26:48 +0100 -Subject: ALSA: vmaster: Propagate slave error - -From: Takashi Iwai - -[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ] - -In slave_update() of vmaster code ignores the error from the slave -get() callback and copies the values. It's not only about the missing -error code but also that this may potentially lead to a leak of -uninitialized variables when the slave get() don't clear them. - -This patch fixes slave_update() not to copy the potentially -uninitialized values when an error is returned from the slave get() -callback, and to propagate the error value properly. - -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - sound/core/vmaster.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/sound/core/vmaster.c -+++ b/sound/core/vmaster.c -@@ -68,10 +68,13 @@ static int slave_update(struct link_slav - return -ENOMEM; - uctl->id = slave->slave.id; - err = slave->slave.get(&slave->slave, uctl); -+ if (err < 0) -+ goto error; - for (ch = 0; ch < slave->info.count; ch++) - slave->vals[ch] = uctl->value.integer.value[ch]; -+ error: - kfree(uctl); -- return 0; -+ return err < 0 ? err : 0; - } - - /* get the slave ctl info and save the initial values */ diff --git a/queue-4.4/arc-fix-malformed-arc_emul_unaligned-default.patch b/queue-4.4/arc-fix-malformed-arc_emul_unaligned-default.patch deleted file mode 100644 index 59558463fd5..00000000000 --- a/queue-4.4/arc-fix-malformed-arc_emul_unaligned-default.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ulf Magnusson -Date: Mon, 5 Feb 2018 02:21:31 +0100 -Subject: ARC: Fix malformed ARC_EMUL_UNALIGNED default - -From: Ulf Magnusson - -[ Upstream commit 827cc2fa024dd6517d62de7a44c7b42f32af371b ] - -'default N' should be 'default n', though they happen to have the same -effect here, due to undefined symbols (N in this case) evaluating to n -in a tristate sense. - -Remove the default from ARC_EMUL_UNALIGNED instead of changing it. bool -and tristate symbols implicitly default to n. - -Discovered with the -https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ulfalizer_Kconfiglib_blob_master_examples_list-5Fundefined.py&d=DwIBAg&c=DPL6_X_6JkXFx7AXWqB0tg&r=c14YS-cH-kdhTOW89KozFhBtBJgs1zXscZojEZQ0THs&m=WxxD8ozR7QQUVzNCBksiznaisBGO_crN7PBOvAoju8s&s=1LmxsNqxwT-7wcInVpZ6Z1J27duZKSoyKxHIJclXU_M&e= -script. - -Signed-off-by: Ulf Magnusson -Signed-off-by: Vineet Gupta -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arc/Kconfig | 1 - - 1 file changed, 1 deletion(-) - ---- a/arch/arc/Kconfig -+++ b/arch/arc/Kconfig -@@ -479,7 +479,6 @@ config ARC_CURR_IN_REG - - config ARC_EMUL_UNALIGNED - bool "Emulate unaligned memory access (userspace only)" -- default N - select SYSCTL_ARCH_UNALIGN_NO_WARN - select SYSCTL_ARCH_UNALIGN_ALLOW - depends on ISA_ARCOMPACT diff --git a/queue-4.4/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch b/queue-4.4/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch deleted file mode 100644 index 4268449aa01..00000000000 --- a/queue-4.4/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch +++ /dev/null @@ -1,89 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jinbum Park -Date: Tue, 6 Mar 2018 01:37:21 +0100 -Subject: ARM: 8748/1: mm: Define vdso_start, vdso_end as array - -From: Jinbum Park - -[ Upstream commit 73b9160d0dfe44dfdaffd6465dc1224c38a4a73c ] - -Define vdso_start, vdso_end as array to avoid compile-time analysis error -for the case of built with CONFIG_FORTIFY_SOURCE. - -and, since vdso_start, vdso_end are used in vdso.c only, -move extern-declaration from vdso.h to vdso.c. - -If kernel is built with CONFIG_FORTIFY_SOURCE, -compile-time error happens at this code. -- if (memcmp(&vdso_start, "177ELF", 4)) - -The size of "&vdso_start" is recognized as 1 byte, but n is 4, -So that compile-time error is reported. - -Acked-by: Kees Cook -Signed-off-by: Jinbum Park -Signed-off-by: Russell King -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/include/asm/vdso.h | 2 -- - arch/arm/kernel/vdso.c | 12 +++++++----- - 2 files changed, 7 insertions(+), 7 deletions(-) - ---- a/arch/arm/include/asm/vdso.h -+++ b/arch/arm/include/asm/vdso.h -@@ -11,8 +11,6 @@ struct mm_struct; - - void arm_install_vdso(struct mm_struct *mm, unsigned long addr); - --extern char vdso_start, vdso_end; -- - extern unsigned int vdso_total_pages; - - #else /* CONFIG_VDSO */ ---- a/arch/arm/kernel/vdso.c -+++ b/arch/arm/kernel/vdso.c -@@ -38,6 +38,8 @@ - - static struct page **vdso_text_pagelist; - -+extern char vdso_start[], vdso_end[]; -+ - /* Total number of pages needed for the data and text portions of the VDSO. */ - unsigned int vdso_total_pages __read_mostly; - -@@ -178,13 +180,13 @@ static int __init vdso_init(void) - unsigned int text_pages; - int i; - -- if (memcmp(&vdso_start, "\177ELF", 4)) { -+ if (memcmp(vdso_start, "\177ELF", 4)) { - pr_err("VDSO is not a valid ELF object!\n"); - return -ENOEXEC; - } - -- text_pages = (&vdso_end - &vdso_start) >> PAGE_SHIFT; -- pr_debug("vdso: %i text pages at base %p\n", text_pages, &vdso_start); -+ text_pages = (vdso_end - vdso_start) >> PAGE_SHIFT; -+ pr_debug("vdso: %i text pages at base %p\n", text_pages, vdso_start); - - /* Allocate the VDSO text pagelist */ - vdso_text_pagelist = kcalloc(text_pages, sizeof(struct page *), -@@ -199,7 +201,7 @@ static int __init vdso_init(void) - for (i = 0; i < text_pages; i++) { - struct page *page; - -- page = virt_to_page(&vdso_start + i * PAGE_SIZE); -+ page = virt_to_page(vdso_start + i * PAGE_SIZE); - vdso_text_pagelist[i] = page; - } - -@@ -210,7 +212,7 @@ static int __init vdso_init(void) - - cntvct_ok = cntvct_functional(); - -- patch_vdso(&vdso_start); -+ patch_vdso(vdso_start); - - return 0; - } diff --git a/queue-4.4/arm-dts-ls1021a-specify-tbipa-register-address.patch b/queue-4.4/arm-dts-ls1021a-specify-tbipa-register-address.patch deleted file mode 100644 index 27534540403..00000000000 --- a/queue-4.4/arm-dts-ls1021a-specify-tbipa-register-address.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Esben Haabendal -Date: Fri, 6 Apr 2018 14:46:35 +0200 -Subject: ARM: dts: ls1021a: Specify TBIPA register address - -From: Esben Haabendal - -[ Upstream commit 5571196135abb6d51e01592812997403c136067c ] - -The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of -the TBIPA register on LS1021A, which happens to be read-only. -Changing TBI PHY address therefore does not work on LS1021A. - -The real (and documented) address of the TBIPA registere lies in the eTSEC -block and not in MDIO/MII, which is read/write, so using that fixes -the problem. - -Signed-off-by: Esben Haabendal -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/boot/dts/ls1021a.dtsi | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/arch/arm/boot/dts/ls1021a.dtsi -+++ b/arch/arm/boot/dts/ls1021a.dtsi -@@ -433,7 +433,8 @@ - device_type = "mdio"; - #address-cells = <1>; - #size-cells = <0>; -- reg = <0x0 0x2d24000 0x0 0x4000>; -+ reg = <0x0 0x2d24000 0x0 0x4000>, -+ <0x0 0x2d10030 0x0 0x4>; - }; - - enet0: ethernet@2d10000 { diff --git a/queue-4.4/arm-dts-socfpga-fix-gic-ppi-warning.patch b/queue-4.4/arm-dts-socfpga-fix-gic-ppi-warning.patch deleted file mode 100644 index 8c70db11f9a..00000000000 --- a/queue-4.4/arm-dts-socfpga-fix-gic-ppi-warning.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Philipp Puschmann -Date: Fri, 23 Mar 2018 10:22:15 +0100 -Subject: arm: dts: socfpga: fix GIC PPI warning - -From: Philipp Puschmann - -[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ] - -Fixes the warning "GIC: PPI13 is secure or misconfigured" by -changing the interrupt type from level_low to edge_raising - -Signed-off-by: Philipp Puschmann -Signed-off-by: Dinh Nguyen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/boot/dts/socfpga.dtsi | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/arm/boot/dts/socfpga.dtsi -+++ b/arch/arm/boot/dts/socfpga.dtsi -@@ -738,7 +738,7 @@ - timer@fffec600 { - compatible = "arm,cortex-a9-twd-timer"; - reg = <0xfffec600 0x100>; -- interrupts = <1 13 0xf04>; -+ interrupts = <1 13 0xf01>; - clocks = <&mpu_periph_clk>; - }; - diff --git a/queue-4.4/arm-omap-fix-dmtimer-init-for-omap1.patch b/queue-4.4/arm-omap-fix-dmtimer-init-for-omap1.patch deleted file mode 100644 index 9fdee0b46d6..00000000000 --- a/queue-4.4/arm-omap-fix-dmtimer-init-for-omap1.patch +++ /dev/null @@ -1,45 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tony Lindgren -Date: Thu, 22 Feb 2018 10:02:49 -0800 -Subject: ARM: OMAP: Fix dmtimer init for omap1 - -From: Tony Lindgren - -[ Upstream commit ba6887836178d43b3665b9da075c2c5dfe1d207c ] - -We need to enable PM runtime on omap1 also as otherwise we -will get errors: - -omap_timer omap_timer.1: omap_dm_timer_probe: pm_runtime_get_sync failed! -omap_timer: probe of omap_timer.1 failed with error -13 -... - -We are checking for OMAP_TIMER_NEEDS_RESET flag elsewhere so this is -safe to do. - -Cc: Aaro Koskinen -Cc: Keerthy -Cc: Ladislav Michl -Signed-off-by: Tony Lindgren -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/plat-omap/dmtimer.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - ---- a/arch/arm/plat-omap/dmtimer.c -+++ b/arch/arm/plat-omap/dmtimer.c -@@ -854,11 +854,8 @@ static int omap_dm_timer_probe(struct pl - timer->irq = irq->start; - timer->pdev = pdev; - -- /* Skip pm_runtime_enable for OMAP1 */ -- if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) { -- pm_runtime_enable(dev); -- pm_runtime_irq_safe(dev); -- } -+ pm_runtime_enable(dev); -+ pm_runtime_irq_safe(dev); - - if (!timer->reserved) { - ret = pm_runtime_get_sync(dev); diff --git a/queue-4.4/arm-omap1-clock-fix-debugfs_create_-usage.patch b/queue-4.4/arm-omap1-clock-fix-debugfs_create_-usage.patch deleted file mode 100644 index 7af0c051fb9..00000000000 --- a/queue-4.4/arm-omap1-clock-fix-debugfs_create_-usage.patch +++ /dev/null @@ -1,52 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Tue, 2 Jan 2018 16:25:35 +0100 -Subject: ARM: OMAP1: clock: Fix debugfs_create_*() usage - -From: Geert Uytterhoeven - -[ Upstream commit 8cbbf1745dcde7ba7e423dc70619d223de90fd43 ] - -When exposing data access through debugfs, the correct -debugfs_create_*() functions must be used, depending on data type. - -Remove all casts from data pointers passed to debugfs_create_*() -functions, as such casts prevent the compiler from flagging bugs. - -Correct all wrong usage: - - clk.rate is unsigned long, not u32, - - clk.flags is u8, not u32, which exposed the successive - clk.rate_offset and clk.src_offset fields. - -Signed-off-by: Geert Uytterhoeven -Acked-by: Aaro Koskinen -Signed-off-by: Tony Lindgren -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/mach-omap1/clock.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/arch/arm/mach-omap1/clock.c -+++ b/arch/arm/mach-omap1/clock.c -@@ -1031,17 +1031,17 @@ static int clk_debugfs_register_one(stru - return -ENOMEM; - c->dent = d; - -- d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount); -+ d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount); - if (!d) { - err = -ENOMEM; - goto err_out; - } -- d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate); -+ d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate); - if (!d) { - err = -ENOMEM; - goto err_out; - } -- d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags); -+ d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags); - if (!d) { - err = -ENOMEM; - goto err_out; diff --git a/queue-4.4/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch b/queue-4.4/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch deleted file mode 100644 index dd8965f3588..00000000000 --- a/queue-4.4/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch +++ /dev/null @@ -1,69 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Qi Hou -Date: Thu, 11 Jan 2018 12:54:43 +0800 -Subject: ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt - -From: Qi Hou - -[ Upstream commit db35340c536f1af0108ec9a0b2126a05d358d14a ] - -When more than one GP timers are used as kernel system timers and the -corresponding nodes in device-tree are marked with the same "disabled" -property, then the "attr" field of the property will be initialized -more than once as the property being added to sys file system via -__of_add_property_sysfs(). - -In __of_add_property_sysfs(), the "name" field of pp->attr.attr is set -directly to the return value of safe_name(), without taking care of -whether it's already a valid pointer to a memory block. If it is, its -old value will always be overwritten by the new one and the memory block -allocated before will a "ghost", then a kmemleak happened. - -That the same "disabled" property being added to different nodes of device -tree would cause that kind of kmemleak overhead, at least once. - -To fix it, allocate the property dynamically, and delete static one. - -Signed-off-by: Qi Hou -Signed-off-by: Tony Lindgren -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/mach-omap2/timer.c | 19 +++++++++++-------- - 1 file changed, 11 insertions(+), 8 deletions(-) - ---- a/arch/arm/mach-omap2/timer.c -+++ b/arch/arm/mach-omap2/timer.c -@@ -136,12 +136,6 @@ static struct clock_event_device clockev - .tick_resume = omap2_gp_timer_shutdown, - }; - --static struct property device_disabled = { -- .name = "status", -- .length = sizeof("disabled"), -- .value = "disabled", --}; -- - static const struct of_device_id omap_timer_match[] __initconst = { - { .compatible = "ti,omap2420-timer", }, - { .compatible = "ti,omap3430-timer", }, -@@ -183,8 +177,17 @@ static struct device_node * __init omap_ - of_get_property(np, "ti,timer-secure", NULL))) - continue; - -- if (!of_device_is_compatible(np, "ti,omap-counter32k")) -- of_add_property(np, &device_disabled); -+ if (!of_device_is_compatible(np, "ti,omap-counter32k")) { -+ struct property *prop; -+ -+ prop = kzalloc(sizeof(*prop), GFP_KERNEL); -+ if (!prop) -+ return NULL; -+ prop->name = "status"; -+ prop->value = "disabled"; -+ prop->length = strlen(prop->value); -+ of_add_property(np, prop); -+ } - return np; - } - diff --git a/queue-4.4/arm-omap3-fix-prm-wake-interrupt-for-resume.patch b/queue-4.4/arm-omap3-fix-prm-wake-interrupt-for-resume.patch deleted file mode 100644 index fec2d688db0..00000000000 --- a/queue-4.4/arm-omap3-fix-prm-wake-interrupt-for-resume.patch +++ /dev/null @@ -1,64 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tony Lindgren -Date: Fri, 9 Feb 2018 08:15:53 -0800 -Subject: ARM: OMAP3: Fix prm wake interrupt for resume - -From: Tony Lindgren - -[ Upstream commit d3be6d2a08bd26580562d9714d3d97ea9ba22c73 ] - -For platform_suspend_ops, the finish call is too late to re-enable wake -irqs and we need re-enable wake irqs on wake call instead. - -Otherwise noirq resume for devices has already happened. And then -dev_pm_disarm_wake_irq() has already disabled the dedicated wake irqs -when the interrupt triggers and the wake irq is never handled. - -For devices that are already in PM runtime suspended state when we -enter suspend this means that a possible wake irq will never trigger. - -And this can lead into a situation where a device has a pending padconf -wake irq, and the device will stay unresponsive to any further wake -irqs. - -This issue can be easily reproduced by setting serial console log level -to zero, letting the serial console idle, and suspend the system from -an ssh terminal. Then try to wake up the system by typing to the serial -console. - -Note that this affects only omap3 PRM interrupt as that's currently -the only omap variant that does anything in omap_pm_wake(). - -In general, for the wake irqs to work, the interrupt must have either -IRQF_NO_SUSPEND or IRQF_EARLY_RESUME set for it to trigger before -dev_pm_disarm_wake_irq() disables the wake irqs. - -Reported-by: Grygorii Strashko -Cc: Tero Kristo -Signed-off-by: Tony Lindgren -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/mach-omap2/pm.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/arm/mach-omap2/pm.c -+++ b/arch/arm/mach-omap2/pm.c -@@ -231,7 +231,7 @@ static void omap_pm_end(void) - cpu_idle_poll_ctrl(false); - } - --static void omap_pm_finish(void) -+static void omap_pm_wake(void) - { - if (cpu_is_omap34xx()) - omap_prcm_irq_complete(); -@@ -241,7 +241,7 @@ static const struct platform_suspend_ops - .begin = omap_pm_begin, - .end = omap_pm_end, - .enter = omap_pm_enter, -- .finish = omap_pm_finish, -+ .wake = omap_pm_wake, - .valid = suspend_valid_only_mem, - }; - diff --git a/queue-4.4/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch b/queue-4.4/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch deleted file mode 100644 index 207aaa8f35d..00000000000 --- a/queue-4.4/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Will Deacon -Date: Wed, 31 Jan 2018 12:12:20 +0000 -Subject: arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics - -From: Will Deacon - -[ Upstream commit 202fb4ef81e3ec765c23bd1e6746a5c25b797d0e ] - -If the spinlock "next" ticket wraps around between the initial LDR -and the cmpxchg in the LSE version of spin_trylock, then we can erroneously -think that we have successfuly acquired the lock because we only check -whether the next ticket return by the cmpxchg is equal to the owner ticket -in our updated lock word. - -This patch fixes the issue by performing a full 32-bit check of the lock -word when trying to determine whether or not the CASA instruction updated -memory. - -Reported-by: Catalin Marinas -Signed-off-by: Will Deacon -Signed-off-by: Catalin Marinas -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/spinlock.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/arm64/include/asm/spinlock.h -+++ b/arch/arm64/include/asm/spinlock.h -@@ -94,8 +94,8 @@ static inline int arch_spin_trylock(arch - " cbnz %w1, 1f\n" - " add %w1, %w0, %3\n" - " casa %w0, %w1, %2\n" -- " and %w1, %w1, #0xffff\n" -- " eor %w1, %w1, %w0, lsr #16\n" -+ " sub %w1, %w1, %3\n" -+ " eor %w1, %w1, %w0\n" - "1:") - : "=&r" (lockval), "=&r" (tmp), "+Q" (*lock) - : "I" (1 << TICKET_SHIFT) diff --git a/queue-4.4/asm-generic-provide-generic_pmdp_establish.patch b/queue-4.4/asm-generic-provide-generic_pmdp_establish.patch deleted file mode 100644 index 3f85623a8ab..00000000000 --- a/queue-4.4/asm-generic-provide-generic_pmdp_establish.patch +++ /dev/null @@ -1,87 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Kirill A. Shutemov" -Date: Wed, 31 Jan 2018 16:17:43 -0800 -Subject: asm-generic: provide generic_pmdp_establish() - -From: "Kirill A. Shutemov" - -[ Upstream commit c58f0bb77ed8bf93dfdde762b01cb67eebbdfc29 ] - -Patch series "Do not lose dirty bit on THP pages", v4. - -Vlastimil noted that pmdp_invalidate() is not atomic and we can lose -dirty and access bits if CPU sets them after pmdp dereference, but -before set_pmd_at(). - -The bug can lead to data loss, but the race window is tiny and I haven't -seen any reports that suggested that it happens in reality. So I don't -think it worth sending it to stable. - -Unfortunately, there's no way to address the issue in a generic way. We -need to fix all architectures that support THP one-by-one. - -All architectures that have THP supported have to provide atomic -pmdp_invalidate() that returns previous value. - -If generic implementation of pmdp_invalidate() is used, architecture -needs to provide atomic pmdp_estabish(). - -pmdp_estabish() is not used out-side generic implementation of -pmdp_invalidate() so far, but I think this can change in the future. - -This patch (of 12): - -This is an implementation of pmdp_establish() that is only suitable for -an architecture that doesn't have hardware dirty/accessed bits. In this -case we can't race with CPU which sets these bits and non-atomic -approach is fine. - -Link: http://lkml.kernel.org/r/20171213105756.69879-2-kirill.shutemov@linux.intel.com -Signed-off-by: Kirill A. Shutemov -Cc: Vlastimil Babka -Cc: Andrea Arcangeli -Cc: Michal Hocko -Cc: Aneesh Kumar K.V -Cc: Catalin Marinas -Cc: David Daney -Cc: David Miller -Cc: H. Peter Anvin -Cc: Hugh Dickins -Cc: Ingo Molnar -Cc: Martin Schwidefsky -Cc: Nitin Gupta -Cc: Ralf Baechle -Cc: Thomas Gleixner -Cc: Vineet Gupta -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/asm-generic/pgtable.h | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - ---- a/include/asm-generic/pgtable.h -+++ b/include/asm-generic/pgtable.h -@@ -237,6 +237,21 @@ extern void pgtable_trans_huge_deposit(s - extern pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp); - #endif - -+#ifdef CONFIG_TRANSPARENT_HUGEPAGE -+/* -+ * This is an implementation of pmdp_establish() that is only suitable for an -+ * architecture that doesn't have hardware dirty/accessed bits. In this case we -+ * can't race with CPU which sets these bits and non-atomic aproach is fine. -+ */ -+static inline pmd_t generic_pmdp_establish(struct vm_area_struct *vma, -+ unsigned long address, pmd_t *pmdp, pmd_t pmd) -+{ -+ pmd_t old_pmd = *pmdp; -+ set_pmd_at(vma->vm_mm, address, pmdp, pmd); -+ return old_pmd; -+} -+#endif -+ - #ifndef __HAVE_ARCH_PMDP_INVALIDATE - extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, - pmd_t *pmdp); diff --git a/queue-4.4/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch b/queue-4.4/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch deleted file mode 100644 index f1099f12767..00000000000 --- a/queue-4.4/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch +++ /dev/null @@ -1,45 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dan Carpenter -Date: Mon, 15 Jan 2018 11:08:38 +0300 -Subject: ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read() - -From: Dan Carpenter - -[ Upstream commit 123af9043e93cb6f235207d260d50f832cdb5439 ] - -The loop timeout doesn't work because it's a post op and ends with "tmo" -set to -1. I changed it from a post-op to a pre-op and I changed the -initial the starting value from 5 to 6 so we still iterate 5 times. I -left the other as it was because it's a large number. - -Fixes: b3c70c9ea62a ("ASoC: Alchemy AC97C/I2SC audio support") -Signed-off-by: Dan Carpenter -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/au1x/ac97c.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/sound/soc/au1x/ac97c.c -+++ b/sound/soc/au1x/ac97c.c -@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_rea - do { - mutex_lock(&ctx->lock); - -- tmo = 5; -- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--) -+ tmo = 6; -+ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo) - udelay(21); /* wait an ac97 frame time */ - if (!tmo) { - pr_debug("ac97rd timeout #1\n"); -@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_rea - * poll, Forrest, poll... - */ - tmo = 0x10000; -- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--) -+ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo) - asm volatile ("nop"); - data = RD(ctx, AC97_CMDRESP); - diff --git a/queue-4.4/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch b/queue-4.4/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch deleted file mode 100644 index 9aca4f834ae..00000000000 --- a/queue-4.4/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch +++ /dev/null @@ -1,53 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Sylwester Nawrocki -Date: Mon, 5 Feb 2018 16:43:56 +0100 -Subject: ASoC: samsung: i2s: Ensure the RCLK rate is properly determined - -From: Sylwester Nawrocki - -[ Upstream commit 647d04f8e07afc7c3b7a42b3ee01a8b28db29631 ] - -If the RCLK mux clock configuration is specified in DT and no set_sysclk() -callback is used in the sound card driver the sclk_srcrate field will remain -set to 0, leading to an incorrect PSR divider setting. -To fix this the frequency value is retrieved from the CLK_I2S_RCLK_SRC clock, -so the actual RCLK mux selection is taken into account. - -Signed-off-by: Sylwester Nawrocki -Acked-by: Krzysztof Kozlowski -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/samsung/i2s.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - ---- a/sound/soc/samsung/i2s.c -+++ b/sound/soc/samsung/i2s.c -@@ -640,8 +640,12 @@ static int i2s_set_fmt(struct snd_soc_da - tmp |= mod_slave; - break; - case SND_SOC_DAIFMT_CBS_CFS: -- /* Set default source clock in Master mode */ -- if (i2s->rclk_srcrate == 0) -+ /* -+ * Set default source clock in Master mode, only when the -+ * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any -+ * clock configuration assigned in DT is not overwritten. -+ */ -+ if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL) - i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0, - 0, SND_SOC_CLOCK_IN); - break; -@@ -856,6 +860,11 @@ static int config_setup(struct i2s_dai * - return 0; - - if (!(i2s->quirks & QUIRK_NO_MUXPSR)) { -+ struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC]; -+ -+ if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc)) -+ i2s->rclk_srcrate = clk_get_rate(rclksrc); -+ - psr = i2s->rclk_srcrate / i2s->frmclk / rfs; - writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR); - dev_dbg(&i2s->pdev->dev, diff --git a/queue-4.4/asoc-topology-create-tlv-data-for-dapm-widgets.patch b/queue-4.4/asoc-topology-create-tlv-data-for-dapm-widgets.patch deleted file mode 100644 index 1e5acba4d20..00000000000 --- a/queue-4.4/asoc-topology-create-tlv-data-for-dapm-widgets.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ranjani Sridharan -Date: Fri, 9 Mar 2018 11:11:17 -0800 -Subject: ASoC: topology: create TLV data for dapm widgets - -From: Ranjani Sridharan - -[ Upstream commit bde8b3887add8368ecf0ca71117baf2fd56a6fc9 ] - -This patch adds the change required to create the TLV data -for dapm widget kcontrols from topology. This also fixes the following -TLV read error shown in amixer while showing the card control contents. -"amixer: Control hw:1 element TLV read error: No such device or address" - -Signed-off-by: Ranjani Sridharan -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/soc-topology.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/sound/soc/soc-topology.c -+++ b/sound/soc/soc-topology.c -@@ -1188,6 +1188,9 @@ static struct snd_kcontrol_new *soc_tplg - kfree(sm); - continue; - } -+ -+ /* create any TLV data */ -+ soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr); - } - return kc; - diff --git a/queue-4.4/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch b/queue-4.4/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch deleted file mode 100644 index 93a2deb0654..00000000000 --- a/queue-4.4/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch +++ /dev/null @@ -1,104 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Karthikeyan Periyasamy -Date: Mon, 12 Mar 2018 17:09:40 +0530 -Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) - -From: Karthikeyan Periyasamy - -[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ] - -When attempt to run worker (ath10k_sta_rc_update_wk) after the station object -(ieee80211_sta) delete will trigger the kernel panic. - -This problem arise in AP + Mesh configuration, Where the current node AP VAP -and neighbor node mesh VAP MAC address are same. When the current mesh node -try to establish the mesh link with neighbor node, driver peer creation for -the neighbor mesh node fails due to duplication MAC address. Already the AP -VAP created with same MAC address. - -It is caused by the following scenario steps. - -Steps: -1. In above condition, ath10k driver sta_state callback (ath10k_sta_state) - fails to do the state change for a station from IEEE80211_STA_NOTEXIST - to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is - called from ieee80211_add_station() to handle the new station - (neighbor mesh node) request from the wpa_supplicant. -2. Concurrently ath10k receive the sta_rc_update callback notification from - the mesh_neighbour_update() to handle the beacon frames of the above - neighbor mesh node. since its atomic callback, ath10k driver queue the - work (ath10k_sta_rc_update_wk) to handle rc update. -3. Due to driver sta_state callback fails (step 1), mac80211 free the station - object. -4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access - the station object which is already deleted. so it will trigger kernel - panic. - -Added the peer exist check in sta_rc_update callback before queue the work. - -Kernel Panic log: - -Unable to handle kernel NULL pointer dereference at virtual address 00000000 -pgd = c0204000 -[00000000] *pgd=00000000 -Internal error: Oops: 17 [#1] PREEMPT SMP ARM -CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1 -task: dcef0000 ti: d72b6000 task.ti: d72b6000 -PC is at pwq_activate_delayed_work+0x10/0x40 -LR is at pwq_activate_delayed_work+0xc/0x40 -pc : [] lr : [] psr: 40000193 -sp : d72b7f18 ip : 0000007a fp : d72b6000 -r10: 00000000 r9 : dd404414 r8 : d8c31998 -r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300 -r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000 -Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel -Control: 10c5787d Table: 595bc06a DAC: 00000015 -... -Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238) -Stack: (0xd72b7f18 to 0xd72b8000) -7f00: 00000001 dcee1300 -7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089 -7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000 -7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000 -7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340 -7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000 -7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 -7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 -[] (pwq_activate_delayed_work) from [] (pwq_dec_nr_in_flight+0x58/0xc4) -[] (pwq_dec_nr_in_flight) from [] (worker_thread+0x228/0x360) -[] (worker_thread) from [] (kthread+0xd8/0xec) -[] (kthread) from [] (ret_from_fork+0x14/0x34) -Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs -Rebooting in 3 seconds.. - -Signed-off-by: Karthikeyan Periyasamy -Signed-off-by: Kalle Valo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - ---- a/drivers/net/wireless/ath/ath10k/mac.c -+++ b/drivers/net/wireless/ath/ath10k/mac.c -@@ -6311,10 +6311,20 @@ static void ath10k_sta_rc_update(struct - { - struct ath10k *ar = hw->priv; - struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv; -+ struct ath10k_vif *arvif = (void *)vif->drv_priv; -+ struct ath10k_peer *peer; - u32 bw, smps; - - spin_lock_bh(&ar->data_lock); - -+ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr); -+ if (!peer) { -+ spin_unlock_bh(&ar->data_lock); -+ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n", -+ sta->addr, arvif->vdev_id); -+ return; -+ } -+ - ath10k_dbg(ar, ATH10K_DBG_MAC, - "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n", - sta->addr, changed, sta->bandwidth, sta->rx_nss, diff --git a/queue-4.4/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch b/queue-4.4/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch deleted file mode 100644 index 4d5c29b7f57..00000000000 --- a/queue-4.4/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Richard Guy Briggs -Date: Wed, 21 Feb 2018 04:30:07 -0500 -Subject: audit: return on memory error to avoid null pointer dereference - -From: Richard Guy Briggs - -[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ] - -If there is a memory allocation error when trying to change an audit -kernel feature value, the ignored allocation error will trigger a NULL -pointer dereference oops on subsequent use of that pointer. Return -instead. - -Passes audit-testsuite. -See: https://github.com/linux-audit/audit-kernel/issues/76 - -Signed-off-by: Richard Guy Briggs -[PM: not necessary (other funcs check for NULL), but a good practice] -Signed-off-by: Paul Moore -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/audit.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/kernel/audit.c -+++ b/kernel/audit.c -@@ -744,6 +744,8 @@ static void audit_log_feature_change(int - return; - - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); -+ if (!ab) -+ return; - audit_log_task_info(ab, current); - audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", - audit_feature_names[which], !!old_feature, !!new_feature, diff --git a/queue-4.4/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch b/queue-4.4/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch deleted file mode 100644 index 1d91523213c..00000000000 --- a/queue-4.4/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Matthias Schiffer -Date: Fri, 16 Mar 2018 11:29:10 +0100 -Subject: batman-adv: fix header size check in batadv_dbg_arp() - -From: Matthias Schiffer - -[ Upstream commit 6f27d2c2a8c236d296201c19abb8533ec20d212b ] - -Checking for 0 is insufficient: when an SKB without a batadv header, but -with a VLAN header is received, hdr_size will be 4, making the following -code interpret the Ethernet header as a batadv header. - -Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") -Signed-off-by: Matthias Schiffer -Signed-off-by: Sven Eckelmann -Signed-off-by: Simon Wunderlich -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/batman-adv/distributed-arp-table.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/batman-adv/distributed-arp-table.c -+++ b/net/batman-adv/distributed-arp-table.c -@@ -374,7 +374,7 @@ static void batadv_dbg_arp(struct batadv - batadv_arp_hw_src(skb, hdr_size), &ip_src, - batadv_arp_hw_dst(skb, hdr_size), &ip_dst); - -- if (hdr_size == 0) -+ if (hdr_size < sizeof(struct batadv_unicast_packet)) - return; - - unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data; diff --git a/queue-4.4/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch b/queue-4.4/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch deleted file mode 100644 index bb600b5b735..00000000000 --- a/queue-4.4/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Linus Lüssing" -Date: Tue, 20 Mar 2018 03:13:27 +0100 -Subject: batman-adv: fix multicast-via-unicast transmission with AP isolation - -From: "Linus Lüssing" - -[ Upstream commit f8fb3419ead44f9a3136995acd24e35da4525177 ] - -For multicast frames AP isolation is only supposed to be checked on -the receiving nodes and never on the originating one. - -Furthermore, the isolation or wifi flag bits should only be intepreted -as such for unicast and never multicast TT entries. - -By injecting flags to the multicast TT entry claimed by a single -target node it was verified in tests that this multicast address -becomes unreachable, leading to packet loss. - -Omitting the "src" parameter to the batadv_transtable_search() call -successfully skipped the AP isolation check and made the target -reachable again. - -Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets") -Signed-off-by: Linus LÃŒssing -Signed-off-by: Sven Eckelmann -Signed-off-by: Simon Wunderlich -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/batman-adv/multicast.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/batman-adv/multicast.c -+++ b/net/batman-adv/multicast.c -@@ -428,8 +428,8 @@ static struct batadv_orig_node * - batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv, - struct ethhdr *ethhdr) - { -- return batadv_transtable_search(bat_priv, ethhdr->h_source, -- ethhdr->h_dest, BATADV_NO_FLAGS); -+ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest, -+ BATADV_NO_FLAGS); - } - - /** diff --git a/queue-4.4/batman-adv-fix-packet-checksum-in-receive-path.patch b/queue-4.4/batman-adv-fix-packet-checksum-in-receive-path.patch deleted file mode 100644 index 40b35ae1536..00000000000 --- a/queue-4.4/batman-adv-fix-packet-checksum-in-receive-path.patch +++ /dev/null @@ -1,48 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Matthias Schiffer -Date: Tue, 23 Jan 2018 10:59:49 +0100 -Subject: batman-adv: fix packet checksum in receive path - -From: Matthias Schiffer - -[ Upstream commit abd6360591d3f8259f41c34e31ac4826dfe621b8 ] - -eth_type_trans() internally calls skb_pull(), which does not adjust the -skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the -form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are -received. - -Note that in usual setups, packets don't reach batman-adv with -CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see -batadv's ethtype?), which is why the log messages do not occur on every -system using batman-adv. I could reproduce this issue by stacking -batman-adv on top of a VXLAN interface. - -Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") -Tested-by: Maximilian Wilhelm -Signed-off-by: Matthias Schiffer -Signed-off-by: Sven Eckelmann -Signed-off-by: Simon Wunderlich -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/batman-adv/soft-interface.c | 8 +------- - 1 file changed, 1 insertion(+), 7 deletions(-) - ---- a/net/batman-adv/soft-interface.c -+++ b/net/batman-adv/soft-interface.c -@@ -430,13 +430,7 @@ void batadv_interface_rx(struct net_devi - - /* skb->dev & skb->pkt_type are set here */ - skb->protocol = eth_type_trans(skb, soft_iface); -- -- /* should not be necessary anymore as we use skb_pull_rcsum() -- * TODO: please verify this and remove this TODO -- * -- Dec 21st 2009, Simon Wunderlich -- */ -- -- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */ -+ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); - - batadv_inc_counter(bat_priv, BATADV_CNT_RX); - batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES, diff --git a/queue-4.4/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch b/queue-4.4/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch deleted file mode 100644 index fe01237d74c..00000000000 --- a/queue-4.4/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch +++ /dev/null @@ -1,77 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Linus Lüssing" -Date: Thu, 22 Mar 2018 00:21:32 +0100 -Subject: batman-adv: fix packet loss for broadcasted DHCP packets to a server - -From: "Linus Lüssing" - -[ Upstream commit a752c0a4524889cdc0765925258fd1fd72344100 ] - -DHCP connectivity issues can currently occur if the following conditions -are met: - -1) A DHCP packet from a client to a server -2) This packet has a multicast destination -3) This destination has a matching entry in the translation table - (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03 - for IPv6) -4) The orig-node determined by TT for the multicast destination - does not match the orig-node determined by best-gateway-selection - -In this case the DHCP packet will be dropped. - -The "gateway-out-of-range" check is supposed to only be applied to -unicasted DHCP packets to a specific DHCP server. - -In that case dropping the the unicasted frame forces the client to -retry via a broadcasted one, but now directed to the new best -gateway. - -A DHCP packet with broadcast/multicast destination is already ensured to -always be delivered to the best gateway. Dropping a multicasted -DHCP packet here will only prevent completing DHCP as there is no -other fallback. - -So far, it seems the unicast check was implicitly performed by -expecting the batadv_transtable_search() to return NULL for multicast -destinations. However, a multicast address could have always ended up in -the translation table and in fact is now common. - -To fix this potential loss of a DHCP client-to-server packet to a -multicast address this patch adds an explicit multicast destination -check to reliably bail out of the gateway-out-of-range check for such -destinations. - -The issue and fix were tested in the following three node setup: - -- Line topology, A-B-C -- A: gateway client, DHCP client -- B: gateway server, hop-penalty increased: 30->60, DHCP server -- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF - -Without this patch, A would never transmit its DHCP Discover packet -due to an always "out-of-range" condition. With this patch, -a full DHCP handshake between A and B was possible again. - -Fixes: be7af5cf9cae ("batman-adv: refactoring gateway handling code") -Signed-off-by: Linus LÃŒssing -Signed-off-by: Sven Eckelmann -Signed-off-by: Simon Wunderlich -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/batman-adv/gateway_client.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/batman-adv/gateway_client.c -+++ b/net/batman-adv/gateway_client.c -@@ -798,6 +798,9 @@ bool batadv_gw_out_of_range(struct batad - - vid = batadv_get_vid(skb, 0); - -+ if (is_multicast_ether_addr(ethhdr->h_dest)) -+ goto out; -+ - orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source, - ethhdr->h_dest, vid); - if (!orig_dst_node) diff --git a/queue-4.4/batman-adv-invalidate-checksum-on-fragment-reassembly.patch b/queue-4.4/batman-adv-invalidate-checksum-on-fragment-reassembly.patch deleted file mode 100644 index 3e23ce501e5..00000000000 --- a/queue-4.4/batman-adv-invalidate-checksum-on-fragment-reassembly.patch +++ /dev/null @@ -1,44 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Matthias Schiffer -Date: Tue, 23 Jan 2018 10:59:50 +0100 -Subject: batman-adv: invalidate checksum on fragment reassembly - -From: Matthias Schiffer - -[ Upstream commit 3bf2a09da956b43ecfaa630a2ef9a477f991a46a ] - -A more sophisticated implementation could try to combine fragment checksums -when all fragments have CHECKSUM_COMPLETE and are split at even offsets. -For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure" -warnings in the kernel log when fragmented frames are received. In -consequence, skb_pull_rcsum() can be replaced with skb_pull(). - -Note that in usual setups, packets don't reach batman-adv with -CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see -batadv's ethtype?), which is why the log messages do not occur on every -system using batman-adv. I could reproduce this issue by stacking -batman-adv on top of a VXLAN interface. - -Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") -Tested-by: Maximilian Wilhelm -Signed-off-by: Matthias Schiffer -Signed-off-by: Sven Eckelmann -Signed-off-by: Simon Wunderlich -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/batman-adv/fragmentation.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/batman-adv/fragmentation.c -+++ b/net/batman-adv/fragmentation.c -@@ -278,7 +278,8 @@ batadv_frag_merge_packets(struct hlist_h - /* Move the existing MAC header to just before the payload. (Override - * the fragment header.) - */ -- skb_pull_rcsum(skb_out, hdr_size); -+ skb_pull(skb_out, hdr_size); -+ skb_out->ip_summed = CHECKSUM_NONE; - memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN); - skb_set_mac_header(skb_out, -ETH_HLEN); - skb_reset_network_header(skb_out); diff --git a/queue-4.4/bcache-fix-for-allocator-and-register-thread-race.patch b/queue-4.4/bcache-fix-for-allocator-and-register-thread-race.patch deleted file mode 100644 index 1fb52bc31d6..00000000000 --- a/queue-4.4/bcache-fix-for-allocator-and-register-thread-race.patch +++ /dev/null @@ -1,166 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tang Junhui -Date: Wed, 7 Feb 2018 11:41:43 -0800 -Subject: bcache: fix for allocator and register thread race - -From: Tang Junhui - -[ Upstream commit 682811b3ce1a5a4e20d700939a9042f01dbc66c4 ] - -After long time running of random small IO writing, -I reboot the machine, and after the machine power on, -I found bcache got stuck, the stack is: -[root@ceph153 ~]# cat /proc/2510/task/*/stack -[] closure_sync+0x25/0x90 [bcache] -[] bch_journal+0x118/0x2b0 [bcache] -[] bch_journal_meta+0x47/0x70 [bcache] -[] bch_prio_write+0x237/0x340 [bcache] -[] bch_allocator_thread+0x3c8/0x3d0 [bcache] -[] kthread+0xcf/0xe0 -[] ret_from_fork+0x58/0x90 -[] 0xffffffffffffffff -[root@ceph153 ~]# cat /proc/2038/task/*/stack -[] __bch_btree_map_nodes+0x12d/0x150 [bcache] -[] bch_btree_insert+0xf1/0x170 [bcache] -[] bch_journal_replay+0x13f/0x230 [bcache] -[] run_cache_set+0x79a/0x7c2 [bcache] -[] register_bcache+0xd48/0x1310 [bcache] -[] kobj_attr_store+0xf/0x20 -[] sysfs_write_file+0xc6/0x140 -[] vfs_write+0xbd/0x1e0 -[] SyS_write+0x7f/0xe0 -[] system_call_fastpath+0x16/0x1 -The stack shows the register thread and allocator thread -were getting stuck when registering cache device. - -I reboot the machine several times, the issue always -exsit in this machine. - -I debug the code, and found the call trace as bellow: -register_bcache() - ==>run_cache_set() - ==>bch_journal_replay() - ==>bch_btree_insert() - ==>__bch_btree_map_nodes() - ==>btree_insert_fn() - ==>btree_split() //node need split - ==>btree_check_reserve() -In btree_check_reserve(), It will check if there is enough buckets -of RESERVE_BTREE type, since allocator thread did not work yet, so -no buckets of RESERVE_BTREE type allocated, so the register thread -waits on c->btree_cache_wait, and goes to sleep. - -Then the allocator thread initialized, the call trace is bellow: -bch_allocator_thread() -==>bch_prio_write() - ==>bch_journal_meta() - ==>bch_journal() - ==>journal_wait_for_write() -In journal_wait_for_write(), It will check if journal is full by -journal_full(), but the long time random small IO writing -causes the exhaustion of journal buckets(journal.blocks_free=0), -In order to release the journal buckets, -the allocator calls btree_flush_write() to flush keys to -btree nodes, and waits on c->journal.wait until btree nodes writing -over or there has already some journal buckets space, then the -allocator thread goes to sleep. but in btree_flush_write(), since -bch_journal_replay() is not finished, so no btree nodes have journal -(condition "if (btree_current_write(b)->journal)" never satisfied), -so we got no btree node to flush, no journal bucket released, -and allocator sleep all the times. - -Through the above analysis, we can see that: -1) Register thread wait for allocator thread to allocate buckets of - RESERVE_BTREE type; -2) Alloctor thread wait for register thread to replay journal, so it - can flush btree nodes and get journal bucket. - then they are all got stuck by waiting for each other. - -Hua Rui provided a patch for me, by allocating some buckets of -RESERVE_BTREE type in advance, so the register thread can get bucket -when btree node splitting and no need to waiting for the allocator -thread. I tested it, it has effect, and register thread run a step -forward, but finally are still got stuck, the reason is only 8 bucket -of RESERVE_BTREE type were allocated, and in bch_journal_replay(), -after 2 btree nodes splitting, only 4 bucket of RESERVE_BTREE type left, -then btree_check_reserve() is not satisfied anymore, so it goes to sleep -again, and in the same time, alloctor thread did not flush enough btree -nodes to release a journal bucket, so they all got stuck again. - -So we need to allocate more buckets of RESERVE_BTREE type in advance, -but how much is enough? By experience and test, I think it should be -as much as journal buckets. Then I modify the code as this patch, -and test in the machine, and it works. - -This patch modified base on Hua Rui’s patch, and allocate more buckets -of RESERVE_BTREE type in advance to avoid register thread and allocate -thread going to wait for each other. - -[patch v2] ca->sb.njournal_buckets would be 0 in the first time after -cache creation, and no journal exists, so just 8 btree buckets is OK. - -Signed-off-by: Hua Rui -Signed-off-by: Tang Junhui -Reviewed-by: Michael Lyle -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/btree.c | 9 ++++++--- - drivers/md/bcache/super.c | 13 ++++++++++++- - 2 files changed, 18 insertions(+), 4 deletions(-) - ---- a/drivers/md/bcache/btree.c -+++ b/drivers/md/bcache/btree.c -@@ -1869,14 +1869,17 @@ void bch_initial_gc_finish(struct cache_ - */ - for_each_cache(ca, c, i) { - for_each_bucket(b, ca) { -- if (fifo_full(&ca->free[RESERVE_PRIO])) -+ if (fifo_full(&ca->free[RESERVE_PRIO]) && -+ fifo_full(&ca->free[RESERVE_BTREE])) - break; - - if (bch_can_invalidate_bucket(ca, b) && - !GC_MARK(b)) { - __bch_invalidate_one_bucket(ca, b); -- fifo_push(&ca->free[RESERVE_PRIO], -- b - ca->buckets); -+ if (!fifo_push(&ca->free[RESERVE_PRIO], -+ b - ca->buckets)) -+ fifo_push(&ca->free[RESERVE_BTREE], -+ b - ca->buckets); - } - } - } ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1828,6 +1828,7 @@ void bch_cache_release(struct kobject *k - static int cache_alloc(struct cache_sb *sb, struct cache *ca) - { - size_t free; -+ size_t btree_buckets; - struct bucket *b; - - __module_get(THIS_MODULE); -@@ -1837,9 +1838,19 @@ static int cache_alloc(struct cache_sb * - ca->journal.bio.bi_max_vecs = 8; - ca->journal.bio.bi_io_vec = ca->journal.bio.bi_inline_vecs; - -+ /* -+ * when ca->sb.njournal_buckets is not zero, journal exists, -+ * and in bch_journal_replay(), tree node may split, -+ * so bucket of RESERVE_BTREE type is needed, -+ * the worst situation is all journal buckets are valid journal, -+ * and all the keys need to replay, -+ * so the number of RESERVE_BTREE type buckets should be as much -+ * as journal buckets -+ */ -+ btree_buckets = ca->sb.njournal_buckets ?: 8; - free = roundup_pow_of_two(ca->sb.nbuckets) >> 10; - -- if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) || -+ if (!init_fifo(&ca->free[RESERVE_BTREE], btree_buckets, GFP_KERNEL) || - !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) || - !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) || - !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) || diff --git a/queue-4.4/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch b/queue-4.4/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch deleted file mode 100644 index 1937e1ea1d3..00000000000 --- a/queue-4.4/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch +++ /dev/null @@ -1,121 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tang Junhui -Date: Wed, 7 Feb 2018 11:41:46 -0800 -Subject: bcache: fix for data collapse after re-attaching an attached device - -From: Tang Junhui - -[ Upstream commit 73ac105be390c1de42a2f21643c9778a5e002930 ] - -back-end device sdm has already attached a cache_set with ID -f67ebe1f-f8bc-4d73-bfe5-9dc88607f119, then try to attach with -another cache set, and it returns with an error: -[root]# cd /sys/block/sdm/bcache -[root]# echo 5ccd0a63-148e-48b8-afa2-aca9cbd6279f > attach --bash: echo: write error: Invalid argument - -After that, execute a command to modify the label of bcache -device: -[root]# echo data_disk1 > label - -Then we reboot the system, when the system power on, the back-end -device can not attach to cache_set, a messages show in the log: -Feb 5 12:05:52 ceph152 kernel: [922385.508498] bcache: -bch_cached_dev_attach() couldn't find uuid for sdm in set - -In sysfs_attach(), dc->sb.set_uuid was assigned to the value -which input through sysfs, no matter whether it is success -or not in bch_cached_dev_attach(). For example, If the back-end -device has already attached to an cache set, bch_cached_dev_attach() -would fail, but dc->sb.set_uuid was changed. Then modify the -label of bcache device, it will call bch_write_bdev_super(), -which would write the dc->sb.set_uuid to the super block, so we -record a wrong cache set ID in the super block, after the system -reboot, the cache set couldn't find the uuid of the back-end -device, so the bcache device couldn't exist and use any more. - -In this patch, we don't assigned cache set ID to dc->sb.set_uuid -in sysfs_attach() directly, but input it into bch_cached_dev_attach(), -and assigned dc->sb.set_uuid to the cache set ID after the back-end -device attached to the cache set successful. - -Signed-off-by: Tang Junhui -Reviewed-by: Michael Lyle -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/bcache.h | 2 +- - drivers/md/bcache/super.c | 10 ++++++---- - drivers/md/bcache/sysfs.c | 6 ++++-- - 3 files changed, 11 insertions(+), 7 deletions(-) - ---- a/drivers/md/bcache/bcache.h -+++ b/drivers/md/bcache/bcache.h -@@ -904,7 +904,7 @@ void bcache_write_super(struct cache_set - - int bch_flash_dev_create(struct cache_set *c, uint64_t size); - --int bch_cached_dev_attach(struct cached_dev *, struct cache_set *); -+int bch_cached_dev_attach(struct cached_dev *, struct cache_set *, uint8_t *); - void bch_cached_dev_detach(struct cached_dev *); - void bch_cached_dev_run(struct cached_dev *); - void bcache_device_stop(struct bcache_device *); ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -936,7 +936,8 @@ void bch_cached_dev_detach(struct cached - cached_dev_put(dc); - } - --int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) -+int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c, -+ uint8_t *set_uuid) - { - uint32_t rtime = cpu_to_le32(get_seconds()); - struct uuid_entry *u; -@@ -945,7 +946,8 @@ int bch_cached_dev_attach(struct cached_ - - bdevname(dc->bdev, buf); - -- if (memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16)) -+ if ((set_uuid && memcmp(set_uuid, c->sb.set_uuid, 16)) || -+ (!set_uuid && memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16))) - return -ENOENT; - - if (dc->disk.c) { -@@ -1189,7 +1191,7 @@ static void register_bdev(struct cache_s - - list_add(&dc->list, &uncached_devices); - list_for_each_entry(c, &bch_cache_sets, list) -- bch_cached_dev_attach(dc, c); -+ bch_cached_dev_attach(dc, c, NULL); - - if (BDEV_STATE(&dc->sb) == BDEV_STATE_NONE || - BDEV_STATE(&dc->sb) == BDEV_STATE_STALE) -@@ -1711,7 +1713,7 @@ static void run_cache_set(struct cache_s - bcache_write_super(c); - - list_for_each_entry_safe(dc, t, &uncached_devices, list) -- bch_cached_dev_attach(dc, c); -+ bch_cached_dev_attach(dc, c, NULL); - - flash_devs_run(c); - ---- a/drivers/md/bcache/sysfs.c -+++ b/drivers/md/bcache/sysfs.c -@@ -263,11 +263,13 @@ STORE(__cached_dev) - } - - if (attr == &sysfs_attach) { -- if (bch_parse_uuid(buf, dc->sb.set_uuid) < 16) -+ uint8_t set_uuid[16]; -+ -+ if (bch_parse_uuid(buf, set_uuid) < 16) - return -EINVAL; - - list_for_each_entry(c, &bch_cache_sets, list) { -- v = bch_cached_dev_attach(dc, c); -+ v = bch_cached_dev_attach(dc, c, set_uuid); - if (!v) - return size; - } diff --git a/queue-4.4/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch b/queue-4.4/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch deleted file mode 100644 index 735f75c9b55..00000000000 --- a/queue-4.4/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch +++ /dev/null @@ -1,99 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tang Junhui -Date: Tue, 27 Feb 2018 09:49:30 -0800 -Subject: bcache: fix kcrashes with fio in RAID5 backend dev - -From: Tang Junhui - -[ Upstream commit 60eb34ec5526e264c2bbaea4f7512d714d791caf ] - -Kernel crashed when run fio in a RAID5 backend bcache device, the call -trace is bellow: -[ 440.012034] kernel BUG at block/blk-ioc.c:146! -[ 440.012696] invalid opcode: 0000 [#1] SMP NOPTI -[ 440.026537] CPU: 2 PID: 2205 Comm: md127_raid5 Not tainted 4.15.0 #8 -[ 440.027441] Hardware name: HP ProLiant MicroServer Gen8, BIOS J06 07/16 -/2015 -[ 440.028615] RIP: 0010:put_io_context+0x8b/0x90 -[ 440.029246] RSP: 0018:ffffa8c882b43af8 EFLAGS: 00010246 -[ 440.029990] RAX: 0000000000000000 RBX: ffffa8c88294fca0 RCX: 0000000000 -0f4240 -[ 440.031006] RDX: 0000000000000004 RSI: 0000000000000286 RDI: ffffa8c882 -94fca0 -[ 440.032030] RBP: ffffa8c882b43b10 R08: 0000000000000003 R09: ffff949cb8 -0c1700 -[ 440.033206] R10: 0000000000000104 R11: 000000000000b71c R12: 00000000000 -01000 -[ 440.034222] R13: 0000000000000000 R14: ffff949cad84db70 R15: ffff949cb11 -bd1e0 -[ 440.035239] FS: 0000000000000000(0000) GS:ffff949cba280000(0000) knlGS: -0000000000000000 -[ 440.060190] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 440.084967] CR2: 00007ff0493ef000 CR3: 00000002f1e0a002 CR4: 00000000001 -606e0 -[ 440.110498] Call Trace: -[ 440.135443] bio_disassociate_task+0x1b/0x60 -[ 440.160355] bio_free+0x1b/0x60 -[ 440.184666] bio_put+0x23/0x30 -[ 440.208272] search_free+0x23/0x40 [bcache] -[ 440.231448] cached_dev_write_complete+0x31/0x70 [bcache] -[ 440.254468] closure_put+0xb6/0xd0 [bcache] -[ 440.277087] request_endio+0x30/0x40 [bcache] -[ 440.298703] bio_endio+0xa1/0x120 -[ 440.319644] handle_stripe+0x418/0x2270 [raid456] -[ 440.340614] ? load_balance+0x17b/0x9c0 -[ 440.360506] handle_active_stripes.isra.58+0x387/0x5a0 [raid456] -[ 440.380675] ? __release_stripe+0x15/0x20 [raid456] -[ 440.400132] raid5d+0x3ed/0x5d0 [raid456] -[ 440.419193] ? schedule+0x36/0x80 -[ 440.437932] ? schedule_timeout+0x1d2/0x2f0 -[ 440.456136] md_thread+0x122/0x150 -[ 440.473687] ? wait_woken+0x80/0x80 -[ 440.491411] kthread+0x102/0x140 -[ 440.508636] ? find_pers+0x70/0x70 -[ 440.524927] ? kthread_associate_blkcg+0xa0/0xa0 -[ 440.541791] ret_from_fork+0x35/0x40 -[ 440.558020] Code: c2 48 00 5b 41 5c 41 5d 5d c3 48 89 c6 4c 89 e7 e8 bb c2 -48 00 48 8b 3d bc 36 4b 01 48 89 de e8 7c f7 e0 ff 5b 41 5c 41 5d 5d c3 <0f> 0b -0f 1f 00 0f 1f 44 00 00 55 48 8d 47 b8 48 89 e5 41 57 41 -[ 440.610020] RIP: put_io_context+0x8b/0x90 RSP: ffffa8c882b43af8 -[ 440.628575] ---[ end trace a1fd79d85643a73e ]-- - -All the crash issue happened when a bypass IO coming, in such scenario -s->iop.bio is pointed to the s->orig_bio. In search_free(), it finishes the -s->orig_bio by calling bio_complete(), and after that, s->iop.bio became -invalid, then kernel would crash when calling bio_put(). Maybe its upper -layer's faulty, since bio should not be freed before we calling bio_put(), -but we'd better calling bio_put() first before calling bio_complete() to -notify upper layer ending this bio. - -This patch moves bio_complete() under bio_put() to avoid kernel crash. - -[mlyle: fixed commit subject for character limits] - -Reported-by: Matthias Ferdinand -Tested-by: Matthias Ferdinand -Signed-off-by: Tang Junhui -Reviewed-by: Michael Lyle -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/request.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/md/bcache/request.c -+++ b/drivers/md/bcache/request.c -@@ -633,11 +633,11 @@ static void do_bio_hook(struct search *s - static void search_free(struct closure *cl) - { - struct search *s = container_of(cl, struct search, cl); -- bio_complete(s); - - if (s->iop.bio) - bio_put(s->iop.bio); - -+ bio_complete(s); - closure_debug_destroy(cl); - mempool_free(s, s->d->c->search); - } diff --git a/queue-4.4/bcache-properly-set-task-state-in-bch_writeback_thread.patch b/queue-4.4/bcache-properly-set-task-state-in-bch_writeback_thread.patch deleted file mode 100644 index bc4d1bc6623..00000000000 --- a/queue-4.4/bcache-properly-set-task-state-in-bch_writeback_thread.patch +++ /dev/null @@ -1,113 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Coly Li -Date: Wed, 7 Feb 2018 11:41:41 -0800 -Subject: bcache: properly set task state in bch_writeback_thread() - -From: Coly Li - -[ Upstream commit 99361bbf26337186f02561109c17a4c4b1a7536a ] - -Kernel thread routine bch_writeback_thread() has the following code block, - -447 down_write(&dc->writeback_lock); -448~450 if (check conditions) { -451 up_write(&dc->writeback_lock); -452 set_current_state(TASK_INTERRUPTIBLE); -453 -454 if (kthread_should_stop()) -455 return 0; -456 -457 schedule(); -458 continue; -459 } - -If condition check is true, its task state is set to TASK_INTERRUPTIBLE -and call schedule() to wait for others to wake up it. - -There are 2 issues in current code, -1, Task state is set to TASK_INTERRUPTIBLE after the condition checks, if - another process changes the condition and call wake_up_process(dc-> - writeback_thread), then at line 452 task state is set back to - TASK_INTERRUPTIBLE, the writeback kernel thread will lose a chance to be - waken up. -2, At line 454 if kthread_should_stop() is true, writeback kernel thread - will return to kernel/kthread.c:kthread() with TASK_INTERRUPTIBLE and - call do_exit(). It is not good to enter do_exit() with task state - TASK_INTERRUPTIBLE, in following code path might_sleep() is called and a - warning message is reported by __might_sleep(): "WARNING: do not call - blocking ops when !TASK_RUNNING; state=1 set at [xxxx]". - -For the first issue, task state should be set before condition checks. -Ineed because dc->writeback_lock is required when modifying all the -conditions, calling set_current_state() inside code block where dc-> -writeback_lock is hold is safe. But this is quite implicit, so I still move -set_current_state() before all the condition checks. - -For the second issue, frankley speaking it does not hurt when kernel thread -exits with TASK_INTERRUPTIBLE state, but this warning message scares users, -makes them feel there might be something risky with bcache and hurt their -data. Setting task state to TASK_RUNNING before returning fixes this -problem. - -In alloc.c:allocator_wait(), there is also a similar issue, and is also -fixed in this patch. - -Changelog: -v3: merge two similar fixes into one patch -v2: fix the race issue in v1 patch. -v1: initial buggy fix. - -Signed-off-by: Coly Li -Reviewed-by: Hannes Reinecke -Reviewed-by: Michael Lyle -Cc: Michael Lyle -Cc: Junhui Tang -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/alloc.c | 4 +++- - drivers/md/bcache/writeback.c | 7 +++++-- - 2 files changed, 8 insertions(+), 3 deletions(-) - ---- a/drivers/md/bcache/alloc.c -+++ b/drivers/md/bcache/alloc.c -@@ -285,8 +285,10 @@ do { \ - break; \ - \ - mutex_unlock(&(ca)->set->bucket_lock); \ -- if (kthread_should_stop()) \ -+ if (kthread_should_stop()) { \ -+ set_current_state(TASK_RUNNING); \ - return 0; \ -+ } \ - \ - try_to_freeze(); \ - schedule(); \ ---- a/drivers/md/bcache/writeback.c -+++ b/drivers/md/bcache/writeback.c -@@ -425,19 +425,22 @@ static int bch_writeback_thread(void *ar - - while (!kthread_should_stop()) { - down_write(&dc->writeback_lock); -+ set_current_state(TASK_INTERRUPTIBLE); - if (!atomic_read(&dc->has_dirty) || - (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && - !dc->writeback_running)) { - up_write(&dc->writeback_lock); -- set_current_state(TASK_INTERRUPTIBLE); - -- if (kthread_should_stop()) -+ if (kthread_should_stop()) { -+ set_current_state(TASK_RUNNING); - return 0; -+ } - - try_to_freeze(); - schedule(); - continue; - } -+ set_current_state(TASK_RUNNING); - - searched_full_index = refill_dirty(dc); - diff --git a/queue-4.4/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch b/queue-4.4/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch deleted file mode 100644 index 8b7b5870977..00000000000 --- a/queue-4.4/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch +++ /dev/null @@ -1,132 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Coly Li -Date: Sun, 18 Mar 2018 17:36:15 -0700 -Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set - -From: Coly Li - -[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ] - -In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()", -cached_dev_get() is called when creating dc->writeback_thread, and -cached_dev_put() is called when exiting dc->writeback_thread. This -modification works well unless people detach the bcache device manually by - 'echo 1 > /sys/block/bcache/bcache/detach' -Because this sysfs interface only calls bch_cached_dev_detach() which wakes -up dc->writeback_thread but does not stop it. The reason is, before patch -"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside -bch_writeback_thread(), if cache is not dirty after writeback, -cached_dev_put() will be called here. And in cached_dev_make_request() when -a new write request makes cache from clean to dirty, cached_dev_get() will -be called there. Since we don't operate dc->count in these locations, -refcount d->count cannot be dropped after cache becomes clean, and -cached_dev_detach_finish() won't be called to detach bcache device. - -This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is -set inside bch_writeback_thread(). If this bit is set and cache is clean -(no existing writeback_keys), break the while-loop, call cached_dev_put() -and quit the writeback thread. - -Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the -writeback thread should continue to perform writeback, this is the original -design of manually detach. - -It is safe to do the following check without locking, let me explain why, -+ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && -+ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { - -If the kenrel thread does not sleep and continue to run due to conditions -are not updated in time on the running CPU core, it just consumes more CPU -cycles and has no hurt. This should-sleep-but-run is safe here. We just -focus on the should-run-but-sleep condition, which means the writeback -thread goes to sleep in mistake while it should continue to run. -1, First of all, no matter the writeback thread is hung or not, - kthread_stop() from cached_dev_detach_finish() will wake up it and - terminate by making kthread_should_stop() return true. And in normal - run time, bit on index BCACHE_DEV_DETACHING is always cleared, the - condition - !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) - is always true and can be ignored as constant value. -2, If one of the following conditions is true, the writeback thread should - go to sleep, - "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)" - each of them independently controls the writeback thread should sleep or - not, let's analyse them one by one. -2.1 condition "!atomic_read(&dc->has_dirty)" - If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will - call bch_writeback_queue() immediately or call bch_writeback_add() which - indirectly calls bch_writeback_queue() too. In bch_writeback_queue(), - wake_up_process(dc->writeback_thread) is called. It sets writeback - thread's task state to TASK_RUNNING and following an implicit memory - barrier, then tries to wake up the writeback thread. - In writeback thread, its task state is set to TASK_INTERRUPTIBLE before - doing the condition check. If other CPU core sets the TASK_RUNNING state - after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread - will be scheduled to run very soon because its state is not - TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before - writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier - of wake_up_process() will make sure modification of dc->has_dirty on - other CPU core is updated and observed on the CPU core of writeback - thread. Therefore the condition check will correctly be false, and - continue writeback code without sleeping. -2.2 condition "!dc->writeback_running)" - dc->writeback_running can be changed via sysfs file, every time it is - modified, a following bch_writeback_queue() is alwasy called. So the - change is always observed on the CPU core of writeback thread. If - dc->writeback_running is changed from 0 to 1 on other CPU core, this - condition check will observe the modification and allow writeback - thread to continue to run without sleeping. -Now we can see, even without a locking protection, multiple conditions -check is safe here, no deadlock or process hang up will happen. - -I compose a separte patch because that patch "bcache: fix cached_dev->count -usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes -Reinecke. Also this fix is not trivial and good for a separate patch. - -Signed-off-by: Coly Li -Reviewed-by: Michael Lyle -Cc: Hannes Reinecke -Cc: Huijun Tang -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/writeback.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - ---- a/drivers/md/bcache/writeback.c -+++ b/drivers/md/bcache/writeback.c -@@ -426,9 +426,15 @@ static int bch_writeback_thread(void *ar - while (!kthread_should_stop()) { - down_write(&dc->writeback_lock); - set_current_state(TASK_INTERRUPTIBLE); -- if (!atomic_read(&dc->has_dirty) || -- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && -- !dc->writeback_running)) { -+ /* -+ * If the bache device is detaching, skip here and continue -+ * to perform writeback. Otherwise, if no dirty data on cache, -+ * or there is dirty data on cache but writeback is disabled, -+ * the writeback thread should sleep here and wait for others -+ * to wake up it. -+ */ -+ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && -+ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { - up_write(&dc->writeback_lock); - - if (kthread_should_stop()) { -@@ -450,6 +456,14 @@ static int bch_writeback_thread(void *ar - cached_dev_put(dc); - SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); - bch_write_bdev_super(dc, NULL); -+ /* -+ * If bcache device is detaching via sysfs interface, -+ * writeback thread should stop after there is no dirty -+ * data on cache. BCACHE_DEV_DETACHING flag is set in -+ * bch_cached_dev_detach(). -+ */ -+ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) -+ break; - } - - up_write(&dc->writeback_lock); diff --git a/queue-4.4/bcache-return-attach-error-when-no-cache-set-exist.patch b/queue-4.4/bcache-return-attach-error-when-no-cache-set-exist.patch deleted file mode 100644 index c5ec92d7c43..00000000000 --- a/queue-4.4/bcache-return-attach-error-when-no-cache-set-exist.patch +++ /dev/null @@ -1,60 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tang Junhui -Date: Wed, 7 Feb 2018 11:41:45 -0800 -Subject: bcache: return attach error when no cache set exist - -From: Tang Junhui - -[ Upstream commit 7f4fc93d4713394ee8f1cd44c238e046e11b4f15 ] - -I attach a back-end device to a cache set, and the cache set is not -registered yet, this back-end device did not attach successfully, and no -error returned: -[root]# echo 87859280-fec6-4bcc-20df7ca8f86b > /sys/block/sde/bcache/attach -[root]# - -In sysfs_attach(), the return value "v" is initialized to "size" in -the beginning, and if no cache set exist in bch_cache_sets, the "v" value -would not change any more, and return to sysfs, sysfs regard it as success -since the "size" is a positive number. - -This patch fixes this issue by assigning "v" with "-ENOENT" in the -initialization. - -Signed-off-by: Tang Junhui -Reviewed-by: Michael Lyle -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/sysfs.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/drivers/md/bcache/sysfs.c -+++ b/drivers/md/bcache/sysfs.c -@@ -191,7 +191,7 @@ STORE(__cached_dev) - { - struct cached_dev *dc = container_of(kobj, struct cached_dev, - disk.kobj); -- ssize_t v = size; -+ ssize_t v; - struct cache_set *c; - struct kobj_uevent_env *env; - -@@ -268,6 +268,7 @@ STORE(__cached_dev) - if (bch_parse_uuid(buf, set_uuid) < 16) - return -EINVAL; - -+ v = -ENOENT; - list_for_each_entry(c, &bch_cache_sets, list) { - v = bch_cached_dev_attach(dc, c, set_uuid); - if (!v) -@@ -275,7 +276,7 @@ STORE(__cached_dev) - } - - pr_err("Can't attach %s: cache set not found", buf); -- size = v; -+ return v; - } - - if (attr == &sysfs_detach && dc->disk.c) diff --git a/queue-4.4/bluetooth-btusb-add-device-id-for-rtl8822be.patch b/queue-4.4/bluetooth-btusb-add-device-id-for-rtl8822be.patch deleted file mode 100644 index 06502ca2c1d..00000000000 --- a/queue-4.4/bluetooth-btusb-add-device-id-for-rtl8822be.patch +++ /dev/null @@ -1,33 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Larry Finger -Date: Sun, 11 Feb 2018 12:24:32 -0600 -Subject: Bluetooth: btusb: Add device ID for RTL8822BE - -From: Larry Finger - -[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ] - -The Asus Z370-I contains a Realtek RTL8822BE device with an associated -BT chip using a USB ID of 0b05:185c. This device is added to the driver. - -Signed-off-by: Hon Weng Chong -Signed-off-by: Larry Finger -Signed-off-by: Marcel Holtmann -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/bluetooth/btusb.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -346,6 +346,9 @@ static const struct usb_device_id blackl - { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK }, - { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK }, - -+ /* Additional Realtek 8822BE Bluetooth devices */ -+ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK }, -+ - /* Silicon Wave based devices */ - { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE }, - diff --git a/queue-4.4/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch b/queue-4.4/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch deleted file mode 100644 index 963ef12250e..00000000000 --- a/queue-4.4/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch +++ /dev/null @@ -1,74 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Vicente Bergas -Date: Tue, 20 Mar 2018 19:41:10 +0100 -Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB - -From: Vicente Bergas - -[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ] - -This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it. - -Product information: -https://wikidevi.com/wiki/Edimax_EW-7611ULB - ->From /sys/kernel/debug/usb/devices -T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 -D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 -P: Vendor=7392 ProdID=a611 Rev= 2.00 -S: Manufacturer=Realtek -S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter -S: SerialNumber=00e04c000001 -C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA -A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 -I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms -E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms -I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms -I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms -I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms -I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms -I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms -I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms -E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms -I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu -E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us -E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms -E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - -Tested-by: Vicente Bergas -Signed-off-by: Vicente Bergas -Signed-off-by: Marcel Holtmann -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/bluetooth/btusb.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -336,6 +336,9 @@ static const struct usb_device_id blackl - { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK }, - { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK }, - -+ /* Additional Realtek 8723BU Bluetooth devices */ -+ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, -+ - /* Additional Realtek 8821AE Bluetooth devices */ - { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, - { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, diff --git a/queue-4.4/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch b/queue-4.4/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch deleted file mode 100644 index f9d1e486669..00000000000 --- a/queue-4.4/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Chan -Date: Fri, 9 Mar 2018 23:46:10 -0500 -Subject: bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa(). - -From: Michael Chan - -[ Upstream commit 3c4fe80b32c685bdc02b280814d0cfe80d441c72 ] - -During initialization, if we encounter errors, there is a code path that -calls bnxt_hwrm_vnic_set_tpa() with invalid VNIC ID. This may cause a -warning in firmware logs. - -Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") -Signed-off-by: Michael Chan -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c -+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c -@@ -2925,6 +2925,9 @@ static int bnxt_hwrm_vnic_set_tpa(struct - struct bnxt_vnic_info *vnic = &bp->vnic_info[vnic_id]; - struct hwrm_vnic_tpa_cfg_input req = {0}; - -+ if (vnic->fw_vnic_id == INVALID_HW_RING_ID) -+ return 0; -+ - bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_VNIC_TPA_CFG, -1, -1); - - if (tpa_flags) { diff --git a/queue-4.4/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch b/queue-4.4/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch deleted file mode 100644 index 7556e2249a7..00000000000 --- a/queue-4.4/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch +++ /dev/null @@ -1,172 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yonghong Song -Date: Fri, 2 Feb 2018 22:37:15 -0800 -Subject: bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y - -From: Yonghong Song - -[ Upstream commit 09584b406742413ac4c8d7e030374d4daa045b69 ] - -With CONFIG_BPF_JIT_ALWAYS_ON is defined in the config file, -tools/testing/selftests/bpf/test_kmod.sh failed like below: - [root@localhost bpf]# ./test_kmod.sh - sysctl: setting key "net.core.bpf_jit_enable": Invalid argument - [ JIT enabled:0 hardened:0 ] - [ 132.175681] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 - [ 132.458834] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] - [ JIT enabled:1 hardened:0 ] - [ 133.456025] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 - [ 133.730935] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] - [ JIT enabled:1 hardened:1 ] - [ 134.769730] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 - [ 135.050864] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] - [ JIT enabled:1 hardened:2 ] - [ 136.442882] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 - [ 136.821810] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] - [root@localhost bpf]# - -The test_kmod.sh load/remove test_bpf.ko multiple times with different -settings for sysctl net.core.bpf_jit_{enable,harden}. The failed test #297 -of test_bpf.ko is designed such that JIT always fails. - -Commit 290af86629b2 (bpf: introduce BPF_JIT_ALWAYS_ON config) -introduced the following tightening logic: - ... - if (!bpf_prog_is_dev_bound(fp->aux)) { - fp = bpf_int_jit_compile(fp); - #ifdef CONFIG_BPF_JIT_ALWAYS_ON - if (!fp->jited) { - *err = -ENOTSUPP; - return fp; - } - #endif - ... -With this logic, Test #297 always gets return value -ENOTSUPP -when CONFIG_BPF_JIT_ALWAYS_ON is defined, causing the test failure. - -This patch fixed the failure by marking Test #297 as expected failure -when CONFIG_BPF_JIT_ALWAYS_ON is defined. - -Fixes: 290af86629b2 (bpf: introduce BPF_JIT_ALWAYS_ON config) -Signed-off-by: Yonghong Song -Signed-off-by: Daniel Borkmann -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - lib/test_bpf.c | 31 ++++++++++++++++++++++++++----- - 1 file changed, 26 insertions(+), 5 deletions(-) - ---- a/lib/test_bpf.c -+++ b/lib/test_bpf.c -@@ -83,6 +83,7 @@ struct bpf_test { - __u32 result; - } test[MAX_SUBTESTS]; - int (*fill_helper)(struct bpf_test *self); -+ int expected_errcode; /* used when FLAG_EXPECTED_FAIL is set in the aux */ - __u8 frag_data[MAX_DATA]; - }; - -@@ -1780,7 +1781,9 @@ static struct bpf_test tests[] = { - }, - CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, - { }, -- { } -+ { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { - "check: div_k_0", -@@ -1790,7 +1793,9 @@ static struct bpf_test tests[] = { - }, - CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, - { }, -- { } -+ { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { - "check: unknown insn", -@@ -1801,7 +1806,9 @@ static struct bpf_test tests[] = { - }, - CLASSIC | FLAG_EXPECTED_FAIL, - { }, -- { } -+ { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { - "check: out of range spill/fill", -@@ -1811,7 +1818,9 @@ static struct bpf_test tests[] = { - }, - CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, - { }, -- { } -+ { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { - "JUMPS + HOLES", -@@ -1903,6 +1912,8 @@ static struct bpf_test tests[] = { - CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, - { }, - { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { - "check: LDX + RET X", -@@ -1913,6 +1924,8 @@ static struct bpf_test tests[] = { - CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, - { }, - { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { /* Mainly checking JIT here. */ - "M[]: alt STX + LDX", -@@ -2087,6 +2100,8 @@ static struct bpf_test tests[] = { - CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, - { }, - { }, -+ .fill_helper = NULL, -+ .expected_errcode = -EINVAL, - }, - { /* Passes checker but fails during runtime. */ - "LD [SKF_AD_OFF-1]", -@@ -4462,6 +4477,7 @@ static struct bpf_test tests[] = { - { }, - { }, - .fill_helper = bpf_fill_maxinsns4, -+ .expected_errcode = -EINVAL, - }, - { /* Mainly checking JIT here. */ - "BPF_MAXINSNS: Very long jump", -@@ -4517,10 +4533,15 @@ static struct bpf_test tests[] = { - { - "BPF_MAXINSNS: Jump, gap, jump, ...", - { }, -+#ifdef CONFIG_BPF_JIT_ALWAYS_ON -+ CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, -+#else - CLASSIC | FLAG_NO_DATA, -+#endif - { }, - { { 0, 0xababcbac } }, - .fill_helper = bpf_fill_maxinsns11, -+ .expected_errcode = -ENOTSUPP, - }, - { - "BPF_MAXINSNS: ld_abs+get_processor_id", -@@ -5290,7 +5311,7 @@ static struct bpf_prog *generate_filter( - - *err = bpf_prog_create(&fp, &fprog); - if (tests[which].aux & FLAG_EXPECTED_FAIL) { -- if (*err == -EINVAL) { -+ if (*err == tests[which].expected_errcode) { - pr_cont("PASS\n"); - /* Verifier rejected filter as expected. */ - *err = 0; diff --git a/queue-4.4/btrfs-bail-out-on-error-during-replay_dir_deletes.patch b/queue-4.4/btrfs-bail-out-on-error-during-replay_dir_deletes.patch deleted file mode 100644 index 4108d35c155..00000000000 --- a/queue-4.4/btrfs-bail-out-on-error-during-replay_dir_deletes.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Liu Bo -Date: Tue, 3 Apr 2018 01:59:48 +0800 -Subject: Btrfs: bail out on error during replay_dir_deletes - -From: Liu Bo - -[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ] - -If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs -to bail out, otherwise @ret would be forced to be 0 after 'break;' and -the caller won't be aware of it. - -Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") -Reviewed-by: Nikolay Borisov -Signed-off-by: Liu Bo -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/tree-log.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -2223,8 +2223,10 @@ again: - nritems = btrfs_header_nritems(path->nodes[0]); - if (path->slots[0] >= nritems) { - ret = btrfs_next_leaf(root, path); -- if (ret) -+ if (ret == 1) - break; -+ else if (ret < 0) -+ goto out; - } - btrfs_item_key_to_cpu(path->nodes[0], &found_key, - path->slots[0]); diff --git a/queue-4.4/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch b/queue-4.4/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch deleted file mode 100644 index 20a1bf2e036..00000000000 --- a/queue-4.4/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Filipe Manana -Date: Mon, 26 Mar 2018 23:59:12 +0100 -Subject: Btrfs: fix copy_items() return value when logging an inode - -From: Filipe Manana - -[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ] - -When logging an inode, at tree-log.c:copy_items(), if we call -btrfs_next_leaf() at the loop which checks for the need to log holes, we -need to make sure copy_items() returns the value 1 to its caller and -not 0 (on success). This is because the path the caller passed was -released and is now different from what is was before, and the caller -expects a return value of 0 to mean both success and that the path -has not changed, while a return value of 1 means both success and -signals the caller that it can not reuse the path, it has to perform -another tree search. - -Even though this is a case that should not be triggered on normal -circumstances or very rare at least, its consequences can be very -unpredictable (especially when replaying a log tree). - -Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents") -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/tree-log.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -3835,6 +3835,7 @@ fill_holes: - ASSERT(ret == 0); - src = src_path->nodes[0]; - i = 0; -+ need_find_last_extent = true; - } - - btrfs_item_key_to_cpu(src, &key, i); diff --git a/queue-4.4/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch b/queue-4.4/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch deleted file mode 100644 index 806c322c28f..00000000000 --- a/queue-4.4/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch +++ /dev/null @@ -1,436 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jeff Mahoney -Date: Fri, 16 Mar 2018 14:36:27 -0400 -Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers - -From: Jeff Mahoney - -[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ] - -While running btrfs/011, I hit the following lockdep splat. - -This is the important bit: - pcpu_alloc+0x1ac/0x5e0 - __percpu_counter_init+0x4e/0xb0 - btrfs_init_fs_root+0x99/0x1c0 [btrfs] - btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] - resolve_indirect_refs+0x130/0x830 [btrfs] - find_parent_nodes+0x69e/0xff0 [btrfs] - btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] - btrfs_find_all_roots+0x50/0x70 [btrfs] - btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] - btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] - -The percpu_counter_init call in btrfs_alloc_subvolume_writers -uses GFP_KERNEL, which we can't do during transaction commit. - -This switches it to GFP_NOFS. - -======================================================== -WARNING: possible irq lock inversion dependency detected -4.12.14-kvmsmall #8 Tainted: G W --------------------------------------------------------- -kswapd0/50 just changed the state of lock: - (&delayed_node->mutex){+.+.-.}, at: [] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] -but this lock took another, RECLAIM_FS-unsafe lock in the past: - (pcpu_alloc_mutex){+.+.+.} - -and interrupts could create inverse lock ordering between them. - -other info that might help us debug this: -Chain exists of: - &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex - - Possible interrupt unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(pcpu_alloc_mutex); - local_irq_disable(); - lock(&delayed_node->mutex); - lock(&found->groups_sem); - - lock(&delayed_node->mutex); - - *** DEADLOCK *** - -2 locks held by kswapd0/50: - #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x7f/0x5b0 - #1: (&type->s_umount_key#30){+++++.}, at: [] trylock_super+0x16/0x50 - -the shortest dependencies between 2nd lock and 1st lock: - -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 { - HARDIRQ-ON-W at: - __mutex_lock+0x4e/0x8c0 - pcpu_alloc+0x1ac/0x5e0 - alloc_kmem_cache_cpus.isra.70+0x25/0xa0 - __do_tune_cpucache+0x2c/0x220 - do_tune_cpucache+0x26/0xc0 - enable_cpucache+0x6d/0xf0 - kmem_cache_init_late+0x42/0x75 - start_kernel+0x343/0x4cb - x86_64_start_kernel+0x127/0x134 - secondary_startup_64+0xa5/0xb0 - SOFTIRQ-ON-W at: - __mutex_lock+0x4e/0x8c0 - pcpu_alloc+0x1ac/0x5e0 - alloc_kmem_cache_cpus.isra.70+0x25/0xa0 - __do_tune_cpucache+0x2c/0x220 - do_tune_cpucache+0x26/0xc0 - enable_cpucache+0x6d/0xf0 - kmem_cache_init_late+0x42/0x75 - start_kernel+0x343/0x4cb - x86_64_start_kernel+0x127/0x134 - secondary_startup_64+0xa5/0xb0 - RECLAIM_FS-ON-W at: - __kmalloc+0x47/0x310 - pcpu_extend_area_map+0x2b/0xc0 - pcpu_alloc+0x3ec/0x5e0 - alloc_kmem_cache_cpus.isra.70+0x25/0xa0 - __do_tune_cpucache+0x2c/0x220 - do_tune_cpucache+0x26/0xc0 - enable_cpucache+0x6d/0xf0 - __kmem_cache_create+0x1bf/0x390 - create_cache+0xba/0x1b0 - kmem_cache_create+0x1f8/0x2b0 - ksm_init+0x6f/0x19d - do_one_initcall+0x50/0x1b0 - kernel_init_freeable+0x201/0x289 - kernel_init+0xa/0x100 - ret_from_fork+0x3a/0x50 - INITIAL USE at: - __mutex_lock+0x4e/0x8c0 - pcpu_alloc+0x1ac/0x5e0 - alloc_kmem_cache_cpus.isra.70+0x25/0xa0 - setup_cpu_cache+0x2f/0x1f0 - __kmem_cache_create+0x1bf/0x390 - create_boot_cache+0x8b/0xb1 - kmem_cache_init+0xa1/0x19e - start_kernel+0x270/0x4cb - x86_64_start_kernel+0x127/0x134 - secondary_startup_64+0xa5/0xb0 - } - ... key at: [] pcpu_alloc_mutex+0x70/0xa0 - ... acquired at: - pcpu_alloc+0x1ac/0x5e0 - __percpu_counter_init+0x4e/0xb0 - btrfs_init_fs_root+0x99/0x1c0 [btrfs] - btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] - resolve_indirect_refs+0x130/0x830 [btrfs] - find_parent_nodes+0x69e/0xff0 [btrfs] - btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] - btrfs_find_all_roots+0x50/0x70 [btrfs] - btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] - btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] - transaction_kthread+0x176/0x1b0 [btrfs] - kthread+0x102/0x140 - ret_from_fork+0x3a/0x50 - - -> (&fs_info->commit_root_sem){++++..} ops: 1566382 { - HARDIRQ-ON-W at: - down_write+0x3e/0xa0 - cache_block_group+0x287/0x420 [btrfs] - find_free_extent+0x106c/0x12d0 [btrfs] - btrfs_reserve_extent+0xd8/0x170 [btrfs] - cow_file_range.isra.66+0x133/0x470 [btrfs] - run_delalloc_range+0x121/0x410 [btrfs] - writepage_delalloc.isra.50+0xfe/0x180 [btrfs] - __extent_writepage+0x19a/0x360 [btrfs] - extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] - extent_writepages+0x4d/0x60 [btrfs] - do_writepages+0x1a/0x70 - __filemap_fdatawrite_range+0xa7/0xe0 - btrfs_rename+0x5ee/0xdb0 [btrfs] - vfs_rename+0x52a/0x7e0 - SyS_rename+0x351/0x3b0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - HARDIRQ-ON-R at: - down_read+0x35/0x90 - caching_thread+0x57/0x560 [btrfs] - normal_work_helper+0x1c0/0x5e0 [btrfs] - process_one_work+0x1e0/0x5c0 - worker_thread+0x44/0x390 - kthread+0x102/0x140 - ret_from_fork+0x3a/0x50 - SOFTIRQ-ON-W at: - down_write+0x3e/0xa0 - cache_block_group+0x287/0x420 [btrfs] - find_free_extent+0x106c/0x12d0 [btrfs] - btrfs_reserve_extent+0xd8/0x170 [btrfs] - cow_file_range.isra.66+0x133/0x470 [btrfs] - run_delalloc_range+0x121/0x410 [btrfs] - writepage_delalloc.isra.50+0xfe/0x180 [btrfs] - __extent_writepage+0x19a/0x360 [btrfs] - extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] - extent_writepages+0x4d/0x60 [btrfs] - do_writepages+0x1a/0x70 - __filemap_fdatawrite_range+0xa7/0xe0 - btrfs_rename+0x5ee/0xdb0 [btrfs] - vfs_rename+0x52a/0x7e0 - SyS_rename+0x351/0x3b0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - SOFTIRQ-ON-R at: - down_read+0x35/0x90 - caching_thread+0x57/0x560 [btrfs] - normal_work_helper+0x1c0/0x5e0 [btrfs] - process_one_work+0x1e0/0x5c0 - worker_thread+0x44/0x390 - kthread+0x102/0x140 - ret_from_fork+0x3a/0x50 - INITIAL USE at: - down_write+0x3e/0xa0 - cache_block_group+0x287/0x420 [btrfs] - find_free_extent+0x106c/0x12d0 [btrfs] - btrfs_reserve_extent+0xd8/0x170 [btrfs] - cow_file_range.isra.66+0x133/0x470 [btrfs] - run_delalloc_range+0x121/0x410 [btrfs] - writepage_delalloc.isra.50+0xfe/0x180 [btrfs] - __extent_writepage+0x19a/0x360 [btrfs] - extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] - extent_writepages+0x4d/0x60 [btrfs] - do_writepages+0x1a/0x70 - __filemap_fdatawrite_range+0xa7/0xe0 - btrfs_rename+0x5ee/0xdb0 [btrfs] - vfs_rename+0x52a/0x7e0 - SyS_rename+0x351/0x3b0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - } - ... key at: [] __key.61970+0x0/0xfffffffffff9aa88 [btrfs] - ... acquired at: - cache_block_group+0x287/0x420 [btrfs] - find_free_extent+0x106c/0x12d0 [btrfs] - btrfs_reserve_extent+0xd8/0x170 [btrfs] - btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] - btrfs_create_tree+0xbb/0x2a0 [btrfs] - btrfs_create_uuid_tree+0x37/0x140 [btrfs] - open_ctree+0x23c0/0x2660 [btrfs] - btrfs_mount+0xd36/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - btrfs_mount+0x18c/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - do_mount+0x1c1/0xcc0 - SyS_mount+0x7e/0xd0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - - -> (&found->groups_sem){++++..} ops: 2134587 { - HARDIRQ-ON-W at: - down_write+0x3e/0xa0 - __link_block_group+0x34/0x130 [btrfs] - btrfs_read_block_groups+0x33d/0x7b0 [btrfs] - open_ctree+0x2054/0x2660 [btrfs] - btrfs_mount+0xd36/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - btrfs_mount+0x18c/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - do_mount+0x1c1/0xcc0 - SyS_mount+0x7e/0xd0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - HARDIRQ-ON-R at: - down_read+0x35/0x90 - btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] - open_ctree+0x207b/0x2660 [btrfs] - btrfs_mount+0xd36/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - btrfs_mount+0x18c/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - do_mount+0x1c1/0xcc0 - SyS_mount+0x7e/0xd0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - SOFTIRQ-ON-W at: - down_write+0x3e/0xa0 - __link_block_group+0x34/0x130 [btrfs] - btrfs_read_block_groups+0x33d/0x7b0 [btrfs] - open_ctree+0x2054/0x2660 [btrfs] - btrfs_mount+0xd36/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - btrfs_mount+0x18c/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - do_mount+0x1c1/0xcc0 - SyS_mount+0x7e/0xd0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - SOFTIRQ-ON-R at: - down_read+0x35/0x90 - btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] - open_ctree+0x207b/0x2660 [btrfs] - btrfs_mount+0xd36/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - btrfs_mount+0x18c/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - do_mount+0x1c1/0xcc0 - SyS_mount+0x7e/0xd0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - INITIAL USE at: - down_write+0x3e/0xa0 - __link_block_group+0x34/0x130 [btrfs] - btrfs_read_block_groups+0x33d/0x7b0 [btrfs] - open_ctree+0x2054/0x2660 [btrfs] - btrfs_mount+0xd36/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - btrfs_mount+0x18c/0xf90 [btrfs] - mount_fs+0x3a/0x160 - vfs_kern_mount+0x66/0x150 - do_mount+0x1c1/0xcc0 - SyS_mount+0x7e/0xd0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - } - ... key at: [] __key.59101+0x0/0xfffffffffff9ab78 [btrfs] - ... acquired at: - find_free_extent+0xcb4/0x12d0 [btrfs] - btrfs_reserve_extent+0xd8/0x170 [btrfs] - btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] - __btrfs_cow_block+0x110/0x5b0 [btrfs] - btrfs_cow_block+0xd7/0x290 [btrfs] - btrfs_search_slot+0x1f6/0x960 [btrfs] - btrfs_lookup_inode+0x2a/0x90 [btrfs] - __btrfs_update_delayed_inode+0x65/0x210 [btrfs] - btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs] - btrfs_evict_inode+0x3fe/0x6a0 [btrfs] - evict+0xc4/0x190 - __dentry_kill+0xbf/0x170 - dput+0x2ae/0x2f0 - SyS_rename+0x2a6/0x3b0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - --> (&delayed_node->mutex){+.+.-.} ops: 5580204 { - HARDIRQ-ON-W at: - __mutex_lock+0x4e/0x8c0 - btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] - btrfs_update_inode+0x83/0x110 [btrfs] - btrfs_dirty_inode+0x62/0xe0 [btrfs] - touch_atime+0x8c/0xb0 - do_generic_file_read+0x818/0xb10 - __vfs_read+0xdc/0x150 - vfs_read+0x8a/0x130 - SyS_read+0x45/0xa0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - SOFTIRQ-ON-W at: - __mutex_lock+0x4e/0x8c0 - btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] - btrfs_update_inode+0x83/0x110 [btrfs] - btrfs_dirty_inode+0x62/0xe0 [btrfs] - touch_atime+0x8c/0xb0 - do_generic_file_read+0x818/0xb10 - __vfs_read+0xdc/0x150 - vfs_read+0x8a/0x130 - SyS_read+0x45/0xa0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - IN-RECLAIM_FS-W at: - __mutex_lock+0x4e/0x8c0 - __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] - btrfs_evict_inode+0x22c/0x6a0 [btrfs] - evict+0xc4/0x190 - dispose_list+0x35/0x50 - prune_icache_sb+0x42/0x50 - super_cache_scan+0x139/0x190 - shrink_slab+0x262/0x5b0 - shrink_node+0x2eb/0x2f0 - kswapd+0x2eb/0x890 - kthread+0x102/0x140 - ret_from_fork+0x3a/0x50 - INITIAL USE at: - __mutex_lock+0x4e/0x8c0 - btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] - btrfs_update_inode+0x83/0x110 [btrfs] - btrfs_dirty_inode+0x62/0xe0 [btrfs] - touch_atime+0x8c/0xb0 - do_generic_file_read+0x818/0xb10 - __vfs_read+0xdc/0x150 - vfs_read+0x8a/0x130 - SyS_read+0x45/0xa0 - do_syscall_64+0x79/0x1e0 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - } - ... key at: [] __key.56935+0x0/0xfffffffffff96b78 [btrfs] - ... acquired at: - __lock_acquire+0x264/0x11c0 - lock_acquire+0xbd/0x1e0 - __mutex_lock+0x4e/0x8c0 - __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] - btrfs_evict_inode+0x22c/0x6a0 [btrfs] - evict+0xc4/0x190 - dispose_list+0x35/0x50 - prune_icache_sb+0x42/0x50 - super_cache_scan+0x139/0x190 - shrink_slab+0x262/0x5b0 - shrink_node+0x2eb/0x2f0 - kswapd+0x2eb/0x890 - kthread+0x102/0x140 - ret_from_fork+0x3a/0x50 - -stack backtrace: -CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased) -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 -Call Trace: - dump_stack+0x78/0xb7 - print_irq_inversion_bug.part.38+0x19f/0x1aa - check_usage_forwards+0x102/0x120 - ? ret_from_fork+0x3a/0x50 - ? check_usage_backwards+0x110/0x110 - mark_lock+0x16c/0x270 - __lock_acquire+0x264/0x11c0 - ? pagevec_lookup_entries+0x1a/0x30 - ? truncate_inode_pages_range+0x2b3/0x7f0 - lock_acquire+0xbd/0x1e0 - ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] - __mutex_lock+0x4e/0x8c0 - ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] - ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] - ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs] - __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] - btrfs_evict_inode+0x22c/0x6a0 [btrfs] - evict+0xc4/0x190 - dispose_list+0x35/0x50 - prune_icache_sb+0x42/0x50 - super_cache_scan+0x139/0x190 - shrink_slab+0x262/0x5b0 - shrink_node+0x2eb/0x2f0 - kswapd+0x2eb/0x890 - kthread+0x102/0x140 - ? mem_cgroup_shrink_node+0x2c0/0x2c0 - ? kthread_create_on_node+0x40/0x40 - ret_from_fork+0x3a/0x50 - -Signed-off-by: Jeff Mahoney -Reviewed-by: Liu Bo -Signed-off-by: David Sterba - -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/disk-io.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -1196,7 +1196,7 @@ static struct btrfs_subvolume_writers *b - if (!writers) - return ERR_PTR(-ENOMEM); - -- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL); -+ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS); - if (ret < 0) { - kfree(writers); - return ERR_PTR(ret); diff --git a/queue-4.4/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch b/queue-4.4/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch deleted file mode 100644 index 3759e710af4..00000000000 --- a/queue-4.4/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch +++ /dev/null @@ -1,39 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Liu Bo -Date: Tue, 3 Apr 2018 01:59:47 +0800 -Subject: Btrfs: fix NULL pointer dereference in log_dir_items - -From: Liu Bo - -[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ] - -0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is -returned, path->nodes[0] could be NULL, log_dir_items lacks such a -check for <0 and we may run into a null pointer dereference panic. - -Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") -Reviewed-by: Nikolay Borisov -Signed-off-by: Liu Bo -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/tree-log.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -3380,8 +3380,11 @@ static noinline int log_dir_items(struct - * from this directory and from this transaction - */ - ret = btrfs_next_leaf(root, path); -- if (ret == 1) { -- last_offset = (u64)-1; -+ if (ret) { -+ if (ret == 1) -+ last_offset = (u64)-1; -+ else -+ err = ret; - goto done; - } - btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]); diff --git a/queue-4.4/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch b/queue-4.4/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch deleted file mode 100644 index 66c82fc6459..00000000000 --- a/queue-4.4/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch +++ /dev/null @@ -1,64 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Nikolay Borisov -Date: Tue, 12 Dec 2017 11:14:49 +0200 -Subject: btrfs: Fix out of bounds access in btrfs_search_slot - -From: Nikolay Borisov - -[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ] - -When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then -the level variable is going to be 7 (this is the max height of the -tree). On the other hand btrfs_cow_block is always called with -"level + 1" as an index into the nodes and slots arrays. This leads to -an out of bounds access. Admittdely this will be benign since an OOB -access of the nodes array will likely read the 0th element from the -slots array, which in this case is going to be 0 (since we start CoW at -the top of the tree). The OOB access into the slots array in turn will -read the 0th and 1st values of the locks array, which would both be 0 -at the time. However, this benign behavior relies on the fact that the -path being passed hasn't been initialised, if it has already been used to -query a btree then it could potentially have populated the nodes/slots arrays. - -Fix it by explicitly checking if we are at level 7 (the maximum allowed -index in nodes/slots arrays) and explicitly call the CoW routine with -NULL for parent's node/slot. - -Signed-off-by: Nikolay Borisov -Fixes-coverity-id: 711515 -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/ctree.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - ---- a/fs/btrfs/ctree.c -+++ b/fs/btrfs/ctree.c -@@ -2769,6 +2769,8 @@ again: - * contention with the cow code - */ - if (cow) { -+ bool last_level = (level == (BTRFS_MAX_LEVEL - 1)); -+ - /* - * if we don't really need to cow this block - * then we don't want to set the path blocking, -@@ -2793,9 +2795,13 @@ again: - } - - btrfs_set_path_blocking(p); -- err = btrfs_cow_block(trans, root, b, -- p->nodes[level + 1], -- p->slots[level + 1], &b); -+ if (last_level) -+ err = btrfs_cow_block(trans, root, b, NULL, 0, -+ &b); -+ else -+ err = btrfs_cow_block(trans, root, b, -+ p->nodes[level + 1], -+ p->slots[level + 1], &b); - if (err) { - ret = err; - goto done; diff --git a/queue-4.4/btrfs-fix-possible-softlock-on-single-core-machines.patch b/queue-4.4/btrfs-fix-possible-softlock-on-single-core-machines.patch deleted file mode 100644 index f81cdd9e4bf..00000000000 --- a/queue-4.4/btrfs-fix-possible-softlock-on-single-core-machines.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Nikolay Borisov -Date: Thu, 5 Apr 2018 10:40:15 +0300 -Subject: btrfs: Fix possible softlock on single core machines - -From: Nikolay Borisov - -[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ] - -do_chunk_alloc implements a loop checking whether there is a pending -chunk allocation and if so causes the caller do loop. Generally this -loop is executed only once, however testing with btrfs/072 on a single -core vm machines uncovered an extreme case where the system could loop -indefinitely. This is due to a missing cond_resched when loop which -doesn't give a chance to the previous chunk allocator finish its job. - -The fix is to simply add the missing cond_resched. - -Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc") -Signed-off-by: Nikolay Borisov -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/extent-tree.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/btrfs/extent-tree.c -+++ b/fs/btrfs/extent-tree.c -@@ -4392,6 +4392,7 @@ again: - if (wait_for_alloc) { - mutex_unlock(&fs_info->chunk_mutex); - wait_for_alloc = 0; -+ cond_resched(); - goto again; - } - diff --git a/queue-4.4/btrfs-fix-scrub-to-repair-raid6-corruption.patch b/queue-4.4/btrfs-fix-scrub-to-repair-raid6-corruption.patch deleted file mode 100644 index d468d8980b0..00000000000 --- a/queue-4.4/btrfs-fix-scrub-to-repair-raid6-corruption.patch +++ /dev/null @@ -1,84 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Liu Bo -Date: Tue, 2 Jan 2018 13:36:41 -0700 -Subject: Btrfs: fix scrub to repair raid6 corruption - -From: Liu Bo - -[ Upstream commit 762221f095e3932669093466aaf4b85ed9ad2ac1 ] - -The raid6 corruption is that, -suppose that all disks can be read without problems and if the content -that was read out doesn't match its checksum, currently for raid6 -btrfs at most retries twice, - -- the 1st retry is to rebuild with all other stripes, it'll eventually - be a raid5 xor rebuild, -- if the 1st fails, the 2nd retry will deliberately fail parity p so - that it will do raid6 style rebuild, - -however, the chances are that another non-parity stripe content also -has something corrupted, so that the above retries are not able to -return correct content. - -We've fixed normal reads to rebuild raid6 correctly with more retries -in Patch "Btrfs: make raid6 rebuild retry more"[1], this is to fix -scrub to do the exactly same rebuild process. - -[1]: https://patchwork.kernel.org/patch/10091755/ - -Signed-off-by: Liu Bo -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/raid56.c | 18 ++++++++++++++---- - fs/btrfs/volumes.c | 9 ++++++++- - 2 files changed, 22 insertions(+), 5 deletions(-) - ---- a/fs/btrfs/raid56.c -+++ b/fs/btrfs/raid56.c -@@ -2160,11 +2160,21 @@ int raid56_parity_recover(struct btrfs_r - } - - /* -- * reconstruct from the q stripe if they are -- * asking for mirror 3 -+ * Loop retry: -+ * for 'mirror == 2', reconstruct from all other stripes. -+ * for 'mirror_num > 2', select a stripe to fail on every retry. - */ -- if (mirror_num == 3) -- rbio->failb = rbio->real_stripes - 2; -+ if (mirror_num > 2) { -+ /* -+ * 'mirror == 3' is to fail the p stripe and -+ * reconstruct from the q stripe. 'mirror > 3' is to -+ * fail a data stripe and reconstruct from p+q stripe. -+ */ -+ rbio->failb = rbio->real_stripes - (mirror_num - 1); -+ ASSERT(rbio->failb > 0); -+ if (rbio->failb <= rbio->faila) -+ rbio->failb--; -+ } - - ret = lock_stripe_add(rbio); - ---- a/fs/btrfs/volumes.c -+++ b/fs/btrfs/volumes.c -@@ -5047,7 +5047,14 @@ int btrfs_num_copies(struct btrfs_fs_inf - else if (map->type & BTRFS_BLOCK_GROUP_RAID5) - ret = 2; - else if (map->type & BTRFS_BLOCK_GROUP_RAID6) -- ret = 3; -+ /* -+ * There could be two corrupted data stripes, we need -+ * to loop retry in order to rebuild the correct data. -+ * -+ * Fail a stripe at a time on every retry except the -+ * stripe under reconstruction. -+ */ -+ ret = map->num_stripes; - else - ret = 1; - free_extent_map(em); diff --git a/queue-4.4/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch b/queue-4.4/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch deleted file mode 100644 index 80ae348b8d8..00000000000 --- a/queue-4.4/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch +++ /dev/null @@ -1,67 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Filipe Manana -Date: Tue, 6 Feb 2018 20:39:20 +0000 -Subject: Btrfs: send, fix issuing write op when processing hole in no data mode - -From: Filipe Manana - -[ Upstream commit d4dfc0f4d39475ccbbac947880b5464a74c30b99 ] - -When doing an incremental send of a filesystem with the no-holes feature -enabled, we end up issuing a write operation when using the no data mode -send flag, instead of issuing an update extent operation. Fix this by -issuing the update extent operation instead. - -Trivial reproducer: - - $ mkfs.btrfs -f -O no-holes /dev/sdc - $ mkfs.btrfs -f /dev/sdd - $ mount /dev/sdc /mnt/sdc - $ mount /dev/sdd /mnt/sdd - - $ xfs_io -f -c "pwrite -S 0xab 0 32K" /mnt/sdc/foobar - $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap1 - - $ xfs_io -c "fpunch 8K 8K" /mnt/sdc/foobar - $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap2 - - $ btrfs send /mnt/sdc/snap1 | btrfs receive /mnt/sdd - $ btrfs send --no-data -p /mnt/sdc/snap1 /mnt/sdc/snap2 \ - | btrfs receive -vv /mnt/sdd - -Before this change the output of the second receive command is: - - receiving snapshot snap2 uuid=f6922049-8c22-e544-9ff9-fc6755918447... - utimes - write foobar, offset 8192, len 8192 - utimes foobar - BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=f6922049-8c22-e544-9ff9-... - -After this change it is: - - receiving snapshot snap2 uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64... - utimes - update_extent foobar: offset=8192, len=8192 - utimes foobar - BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64... - -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/send.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/fs/btrfs/send.c -+++ b/fs/btrfs/send.c -@@ -4674,6 +4674,9 @@ static int send_hole(struct send_ctx *sc - u64 len; - int ret = 0; - -+ if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA) -+ return send_update_extent(sctx, offset, end - offset); -+ - p = fs_path_alloc(); - if (!p) - return -ENOMEM; diff --git a/queue-4.4/btrfs-set-plug-for-fsync.patch b/queue-4.4/btrfs-set-plug-for-fsync.patch deleted file mode 100644 index 57646b32b00..00000000000 --- a/queue-4.4/btrfs-set-plug-for-fsync.patch +++ /dev/null @@ -1,51 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Liu Bo -Date: Wed, 15 Nov 2017 16:10:28 -0700 -Subject: Btrfs: set plug for fsync - -From: Liu Bo - -[ Upstream commit 343e4fc1c60971b0734de26dbbd475d433950982 ] - -Setting plug can merge adjacent IOs before dispatching IOs to the disk -driver. - -Without plug, it'd not be a problem for single disk usecases, but for -multiple disks using raid profile, a large IO can be split to several -IOs of stripe length, and plug can be helpful to bring them together -for each disk so that we can save several disk access. - -Moreover, fsync issues synchronous writes, so plug can really take -effect. - -Signed-off-by: Liu Bo -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/file.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/fs/btrfs/file.c -+++ b/fs/btrfs/file.c -@@ -1861,10 +1861,19 @@ int btrfs_release_file(struct inode *ino - static int start_ordered_ops(struct inode *inode, loff_t start, loff_t end) - { - int ret; -+ struct blk_plug plug; - -+ /* -+ * This is only called in fsync, which would do synchronous writes, so -+ * a plug can merge adjacent IOs as much as possible. Esp. in case of -+ * multiple disks using raid profile, a large IO can be split to -+ * several segments of stripe length (currently 64K). -+ */ -+ blk_start_plug(&plug); - atomic_inc(&BTRFS_I(inode)->sync_writers); - ret = btrfs_fdatawrite_range(inode, start, end); - atomic_dec(&BTRFS_I(inode)->sync_writers); -+ blk_finish_plug(&plug); - - return ret; - } diff --git a/queue-4.4/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch b/queue-4.4/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch deleted file mode 100644 index 933abdf53d8..00000000000 --- a/queue-4.4/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch +++ /dev/null @@ -1,52 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Qu Wenruo -Date: Tue, 27 Mar 2018 20:44:18 +0800 -Subject: btrfs: tests/qgroup: Fix wrong tree backref level - -From: Qu Wenruo - -[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ] - -The extent tree of the test fs is like the following: - - BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919 - item 0 key (4096 168 4096) itemoff 3944 itemsize 51 - extent refs 1 gen 1 flags 2 - tree block key (68719476736 0 0) level 1 - ^^^^^^^ - ref#0: tree block backref root 5 - -And it's using an empty tree for fs tree, so there is no way that its -level can be 1. - -For REAL (created by mkfs) fs tree backref with no skinny metadata, the -result should look like: - - item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51 - refs 1 gen 4 flags TREE_BLOCK - tree block key (256 INODE_ITEM 0) level 0 - ^^^^^^^ - tree block backref root 5 - -Fix the level to 0, so it won't break later tree level checker. - -Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code") -Signed-off-by: Qu Wenruo -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/tests/qgroup-tests.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/btrfs/tests/qgroup-tests.c -+++ b/fs/btrfs/tests/qgroup-tests.c -@@ -70,7 +70,7 @@ static int insert_normal_tree_ref(struct - btrfs_set_extent_generation(leaf, item, 1); - btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK); - block_info = (struct btrfs_tree_block_info *)(item + 1); -- btrfs_set_tree_block_level(leaf, block_info, 1); -+ btrfs_set_tree_block_level(leaf, block_info, 0); - iref = (struct btrfs_extent_inline_ref *)(block_info + 1); - if (parent > 0) { - btrfs_set_extent_inline_ref_type(leaf, iref, diff --git a/queue-4.4/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch b/queue-4.4/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch deleted file mode 100644 index 2cf46c8fca8..00000000000 --- a/queue-4.4/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch +++ /dev/null @@ -1,155 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Maurizio Lombardi -Date: Fri, 9 Mar 2018 13:59:06 +0100 -Subject: cdrom: do not call check_disk_change() inside cdrom_open() - -From: Maurizio Lombardi - -[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ] - -when mounting an ISO filesystem sometimes (very rarely) -the system hangs because of a race condition between two tasks. - -PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount" - #0 [ffff880078447ae0] __schedule at ffffffff8168d605 - #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49 - #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995 - #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef - #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod] - #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50 - #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3 - #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs] - #8 [ffff880078447da8] mount_bdev at ffffffff81202570 - #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs] -#10 [ffff880078447e28] mount_fs at ffffffff81202d09 -#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f -#12 [ffff880078447ea8] do_mount at ffffffff81220fee -#13 [ffff880078447f28] sys_mount at ffffffff812218d6 -#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49 - RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246 - RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010 - RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30 - RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010 - R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040 - R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30 - ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b - -This task was trying to mount the cdrom. It allocated and configured a -super_block struct and owned the write-lock for the super_block->s_umount -rwsem. While exclusively owning the s_umount lock, it called -sr_block_ioctl and waited to acquire the global sr_mutex lock. - -PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd" - #0 [ffff880078417898] __schedule at ffffffff8168d605 - #1 [ffff880078417900] schedule at ffffffff8168dc59 - #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605 - #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838 - #4 [ffff8800784179d0] down_read at ffffffff8168cde0 - #5 [ffff8800784179e8] get_super at ffffffff81201cc7 - #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de - #7 [ffff880078417a40] flush_disk at ffffffff8123a94b - #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50 - #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom] -#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod] -#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86 -#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65 -#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b -#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7 -#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf -#16 [ffff880078417d00] do_last at ffffffff8120d53d -#17 [ffff880078417db0] path_openat at ffffffff8120e6b2 -#18 [ffff880078417e48] do_filp_open at ffffffff8121082b -#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33 -#20 [ffff880078417f70] sys_open at ffffffff811fde4e -#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49 - RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246 - RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000 - RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70 - RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020 - R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e - R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010 - ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b - -This task tried to open the cdrom device, the sr_block_open function -acquired the global sr_mutex lock. The call to check_disk_change() -then saw an event flag indicating a possible media change and tried -to flush any cached data for the device. -As part of the flush, it tried to acquire the super_block->s_umount -lock associated with the cdrom device. -This was the same super_block as created and locked by the previous task. - -The first task acquires the s_umount lock and then the sr_mutex_lock; -the second task acquires the sr_mutex_lock and then the s_umount lock. - -This patch fixes the issue by moving check_disk_change() out of -cdrom_open() and let the caller take care of it. - -Signed-off-by: Maurizio Lombardi -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/block/paride/pcd.c | 2 ++ - drivers/cdrom/cdrom.c | 3 --- - drivers/cdrom/gdrom.c | 3 +++ - drivers/ide/ide-cd.c | 2 ++ - drivers/scsi/sr.c | 2 ++ - 5 files changed, 9 insertions(+), 3 deletions(-) - ---- a/drivers/block/paride/pcd.c -+++ b/drivers/block/paride/pcd.c -@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d - struct pcd_unit *cd = bdev->bd_disk->private_data; - int ret; - -+ check_disk_change(bdev); -+ - mutex_lock(&pcd_mutex); - ret = cdrom_open(&cd->info, bdev, mode); - mutex_unlock(&pcd_mutex); ---- a/drivers/cdrom/cdrom.c -+++ b/drivers/cdrom/cdrom.c -@@ -1154,9 +1154,6 @@ int cdrom_open(struct cdrom_device_info - - cd_dbg(CD_OPEN, "entering cdrom_open\n"); - -- /* open is event synchronization point, check events first */ -- check_disk_change(bdev); -- - /* if this was a O_NONBLOCK open and we should honor the flags, - * do a quick open without drive/disc integrity checks. */ - cdi->use_count++; ---- a/drivers/cdrom/gdrom.c -+++ b/drivers/cdrom/gdrom.c -@@ -497,6 +497,9 @@ static struct cdrom_device_ops gdrom_ops - static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode) - { - int ret; -+ -+ check_disk_change(bdev); -+ - mutex_lock(&gdrom_mutex); - ret = cdrom_open(gd.cd_info, bdev, mode); - mutex_unlock(&gdrom_mutex); ---- a/drivers/ide/ide-cd.c -+++ b/drivers/ide/ide-cd.c -@@ -1593,6 +1593,8 @@ static int idecd_open(struct block_devic - struct cdrom_info *info; - int rc = -ENXIO; - -+ check_disk_change(bdev); -+ - mutex_lock(&ide_cd_mutex); - info = ide_cd_get(bdev->bd_disk); - if (!info) ---- a/drivers/scsi/sr.c -+++ b/drivers/scsi/sr.c -@@ -522,6 +522,8 @@ static int sr_block_open(struct block_de - struct scsi_cd *cd; - int ret = -ENXIO; - -+ check_disk_change(bdev); -+ - mutex_lock(&sr_mutex); - cd = scsi_cd_get(bdev->bd_disk); - if (cd) { diff --git a/queue-4.4/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch b/queue-4.4/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch deleted file mode 100644 index 3819c40661c..00000000000 --- a/queue-4.4/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arnd Bergmann -Date: Fri, 2 Feb 2018 16:48:47 +0100 -Subject: cifs: silence compiler warnings showing up with gcc-8.0.0 - -From: Arnd Bergmann - -[ Upstream commit ade7db991b47ab3016a414468164f4966bd08202 ] - -This bug was fixed before, but came up again with the latest -compiler in another function: - -fs/cifs/cifssmb.c: In function 'CIFSSMBSetEA': -fs/cifs/cifssmb.c:6362:3: error: 'strncpy' offset 8 is out of the bounds [0, 4] [-Werror=array-bounds] - strncpy(parm_data->list[0].name, ea_name, name_len); - -Let's apply the same fix that was used for the other instances. - -Fixes: b2a3ad9ca502 ("cifs: silence compiler warnings showing up with gcc-4.7.0") -Signed-off-by: Arnd Bergmann -Signed-off-by: Steve French -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/cifs/cifssmb.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - ---- a/fs/cifs/cifssmb.c -+++ b/fs/cifs/cifssmb.c -@@ -6421,9 +6421,7 @@ SetEARetry: - pSMB->InformationLevel = - cpu_to_le16(SMB_SET_FILE_EA); - -- parm_data = -- (struct fealist *) (((char *) &pSMB->hdr.Protocol) + -- offset); -+ parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset; - pSMB->ParameterOffset = cpu_to_le16(param_offset); - pSMB->DataOffset = cpu_to_le16(offset); - pSMB->SetupCount = 1; diff --git a/queue-4.4/clk-don-t-show-the-incorrect-clock-phase.patch b/queue-4.4/clk-don-t-show-the-incorrect-clock-phase.patch deleted file mode 100644 index 2ee0591f664..00000000000 --- a/queue-4.4/clk-don-t-show-the-incorrect-clock-phase.patch +++ /dev/null @@ -1,54 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Shawn Lin -Date: Wed, 14 Mar 2018 08:28:31 +0800 -Subject: clk: Don't show the incorrect clock phase - -From: Shawn Lin - -[ Upstream commit 1f9c63e8de3d7b377c9d74e4a17524cfb60e6384 ] - -It's found that the clock phase output from clk_summary is -wrong compared to the actual phase reading from the register. - -cat /sys/kernel/debug/clk/clk_summary | grep sdio_sample -sdio_sample 0 1 0 50000000 0 -22 - -It exposes an issue that clk core, clk_core_get_phase, always -returns the cached core->phase which should be either updated -by calling clk_set_phase or directly from the first place the -clk was registered. - -When registering the clk, the core->phase geting from ->get_phase() -may return negative value indicating error. This is quite common -since the clk's phase may be highly related to its parent chain, -but it was temporarily orphan when registered, since its parent -chains hadn't be ready at that time, so the clk drivers decide to -return error in this case. However, if no clk_set_phase is called or -maybe the ->set_phase() isn't even implemented, the core->phase would -never be updated. This is wrong, and we should try to update it when -all its parent chains are settled down, like the way of updating clock -rate for that. But it's not deserved to complicate the code now and -just update it anyway when calling clk_core_get_phase, which would be -much simple and enough. - -Signed-off-by: Shawn Lin -Acked-by: Jerome Brunet -Signed-off-by: Stephen Boyd -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/clk.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/clk/clk.c -+++ b/drivers/clk/clk.c -@@ -1905,6 +1905,9 @@ static int clk_core_get_phase(struct clk - int ret; - - clk_prepare_lock(); -+ /* Always try to update cached phase if possible */ -+ if (core->ops->get_phase) -+ core->phase = core->ops->get_phase(core->hw); - ret = core->phase; - clk_prepare_unlock(); - diff --git a/queue-4.4/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch b/queue-4.4/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch deleted file mode 100644 index 938a9b32897..00000000000 --- a/queue-4.4/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch +++ /dev/null @@ -1,64 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Shawn Lin -Date: Mon, 5 Mar 2018 11:25:58 +0800 -Subject: clk: rockchip: Prevent calculating mmc phase if clock rate is zero - -From: Shawn Lin - -[ Upstream commit 4bf59902b50012b1dddeeaa23b217d9c4956cdda ] - -The MMC sample and drv clock for rockchip platforms are derived from -the bus clock output to the MMC/SDIO card. So it should never happens -that the clk rate is zero given it should inherits the clock rate from -its parent. If something goes wrong and makes the clock rate to be zero, -the calculation would be wrong but may still make the mmc tuning process -work luckily. However it makes people harder to debug when the following -data transfer is unstable. - -Signed-off-by: Shawn Lin -Signed-off-by: Heiko Stuebner -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/rockchip/clk-mmc-phase.c | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - ---- a/drivers/clk/rockchip/clk-mmc-phase.c -+++ b/drivers/clk/rockchip/clk-mmc-phase.c -@@ -60,6 +60,12 @@ static int rockchip_mmc_get_phase(struct - u16 degrees; - u32 delay_num = 0; - -+ /* See the comment for rockchip_mmc_set_phase below */ -+ if (!rate) { -+ pr_err("%s: invalid clk rate\n", __func__); -+ return -EINVAL; -+ } -+ - raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); - - degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90; -@@ -86,6 +92,23 @@ static int rockchip_mmc_set_phase(struct - u32 raw_value; - u32 delay; - -+ /* -+ * The below calculation is based on the output clock from -+ * MMC host to the card, which expects the phase clock inherits -+ * the clock rate from its parent, namely the output clock -+ * provider of MMC host. However, things may go wrong if -+ * (1) It is orphan. -+ * (2) It is assigned to the wrong parent. -+ * -+ * This check help debug the case (1), which seems to be the -+ * most likely problem we often face and which makes it difficult -+ * for people to debug unstable mmc tuning results. -+ */ -+ if (!rate) { -+ pr_err("%s: invalid clk rate\n", __func__); -+ return -EINVAL; -+ } -+ - nineties = degrees / 90; - remainder = (degrees % 90); - diff --git a/queue-4.4/clk-samsung-exynos3250-fix-pll-rates.patch b/queue-4.4/clk-samsung-exynos3250-fix-pll-rates.patch deleted file mode 100644 index a904e65e3c4..00000000000 --- a/queue-4.4/clk-samsung-exynos3250-fix-pll-rates.patch +++ /dev/null @@ -1,55 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrzej Hajda -Date: Fri, 16 Feb 2018 15:57:48 +0100 -Subject: clk: samsung: exynos3250: Fix PLL rates - -From: Andrzej Hajda - -[ Upstream commit a8321e7887410a2b2e80ab89d1ef7b30562658ea ] - -Rates declared in PLL rate tables should match exactly rates calculated -from PLL coefficients. If that is not the case, rate of the PLL's child clock -might be set not as expected. For instance, if in the PLL rates table we have -a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate -callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate -will return 393216003. If we now attempt to set rate of a PLL's child divider -clock to 393216000/2 its rate will be 131072001, rather than 196608000. -That is, the divider will be set to 3 instead of 2, because 393216003/2 is -greater than 196608000. - -To fix this issue declared rates are changed to exactly match rates generated -by the PLL, as calculated from the P, M, S, K coefficients. - -In this patch an erroneous P value for 74176002 output frequency is also -corrected. - -Signed-off-by: Andrzej Hajda -Acked-by: Chanwoo Choi -Acked-by: Tomasz Figa -Signed-off-by: Sylwester Nawrocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/samsung/clk-exynos3250.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/clk/samsung/clk-exynos3250.c -+++ b/drivers/clk/samsung/clk-exynos3250.c -@@ -683,7 +683,7 @@ static struct samsung_pll_rate_table exy - PLL_36XX_RATE(144000000, 96, 2, 3, 0), - PLL_36XX_RATE( 96000000, 128, 2, 4, 0), - PLL_36XX_RATE( 84000000, 112, 2, 4, 0), -- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691), -+ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691), - PLL_36XX_RATE( 73728000, 98, 2, 4, 19923), - PLL_36XX_RATE( 67737598, 270, 3, 5, 62285), - PLL_36XX_RATE( 65535999, 174, 2, 5, 49982), -@@ -719,7 +719,7 @@ static struct samsung_pll_rate_table exy - PLL_36XX_RATE(148352005, 98, 2, 3, 59070), - PLL_36XX_RATE(108000000, 144, 2, 4, 0), - PLL_36XX_RATE( 74250000, 99, 2, 4, 0), -- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070), -+ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070), - PLL_36XX_RATE( 54054000, 216, 3, 5, 14156), - PLL_36XX_RATE( 54000000, 144, 2, 5, 0), - { /* sentinel */ } diff --git a/queue-4.4/clk-samsung-exynos5250-fix-pll-rates.patch b/queue-4.4/clk-samsung-exynos5250-fix-pll-rates.patch deleted file mode 100644 index 2c911a8034f..00000000000 --- a/queue-4.4/clk-samsung-exynos5250-fix-pll-rates.patch +++ /dev/null @@ -1,52 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrzej Hajda -Date: Fri, 16 Feb 2018 15:57:49 +0100 -Subject: clk: samsung: exynos5250: Fix PLL rates - -From: Andrzej Hajda - -[ Upstream commit 2ac051eeabaa411ef89ae7cd5bb8e60cb41ad780 ] - -Rates declared in PLL rate tables should match exactly rates calculated -from PLL coefficients. If that is not the case, rate of the PLL's child clock -might be set not as expected. For instance, if in the PLL rates table we have -a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate -callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate -will return 393216003. If we now attempt to set rate of a PLL's child divider -clock to 393216000/2 its rate will be 131072001, rather than 196608000. -That is, the divider will be set to 3 instead of 2, because 393216003/2 is -greater than 196608000. - -To fix this issue declared rates are changed to exactly match rates generated -by the PLL, as calculated from the P, M, S, K coefficients. - -Signed-off-by: Andrzej Hajda -Acked-by: Chanwoo Choi -Acked-by: Tomasz Figa -Signed-off-by: Sylwester Nawrocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/samsung/clk-exynos5250.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/drivers/clk/samsung/clk-exynos5250.c -+++ b/drivers/clk/samsung/clk-exynos5250.c -@@ -711,13 +711,13 @@ static struct samsung_pll_rate_table epl - /* sorted in descending order */ - /* PLL_36XX_RATE(rate, m, p, s, k) */ - PLL_36XX_RATE(192000000, 64, 2, 2, 0), -- PLL_36XX_RATE(180633600, 90, 3, 2, 20762), -+ PLL_36XX_RATE(180633605, 90, 3, 2, 20762), - PLL_36XX_RATE(180000000, 90, 3, 2, 0), - PLL_36XX_RATE(73728000, 98, 2, 4, 19923), -- PLL_36XX_RATE(67737600, 90, 2, 4, 20762), -+ PLL_36XX_RATE(67737602, 90, 2, 4, 20762), - PLL_36XX_RATE(49152000, 98, 3, 4, 19923), -- PLL_36XX_RATE(45158400, 90, 3, 4, 20762), -- PLL_36XX_RATE(32768000, 131, 3, 5, 4719), -+ PLL_36XX_RATE(45158401, 90, 3, 4, 20762), -+ PLL_36XX_RATE(32768001, 131, 3, 5, 4719), - { }, - }; - diff --git a/queue-4.4/clk-samsung-exynos5260-fix-pll-rates.patch b/queue-4.4/clk-samsung-exynos5260-fix-pll-rates.patch deleted file mode 100644 index 0f2ef0ccea5..00000000000 --- a/queue-4.4/clk-samsung-exynos5260-fix-pll-rates.patch +++ /dev/null @@ -1,43 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrzej Hajda -Date: Fri, 16 Feb 2018 15:57:50 +0100 -Subject: clk: samsung: exynos5260: Fix PLL rates - -From: Andrzej Hajda - -[ Upstream commit cdb68fbd4e7962be742c4f29475220c5bf28d8a5 ] - -Rates declared in PLL rate tables should match exactly rates calculated from -the PLL coefficients. If that is not the case, rate of the PLL's child clock -might be set not as expected. For instance, if in the PLL rates table we have -a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate -callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate -will return 393216003. If we now attempt to set rate of a PLL's child divider -clock to 393216000/2 its rate will be 131072001, rather than 196608000. -That is, the divider will be set to 3 instead of 2, because 393216003/2 is -greater than 196608000. - -To fix this issue declared rates are changed to exactly match rates generated -by the PLL, as calculated from the P, M, S, K coefficients. - -Signed-off-by: Andrzej Hajda -Acked-by: Tomasz Figa -Acked-by: Chanwoo Choi -Signed-off-by: Sylwester Nawrocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/samsung/clk-exynos5260.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/clk/samsung/clk-exynos5260.c -+++ b/drivers/clk/samsung/clk-exynos5260.c -@@ -65,7 +65,7 @@ static struct samsung_pll_rate_table pll - PLL_36XX_RATE(480000000, 160, 2, 2, 0), - PLL_36XX_RATE(432000000, 144, 2, 2, 0), - PLL_36XX_RATE(400000000, 200, 3, 2, 0), -- PLL_36XX_RATE(394073130, 459, 7, 2, 49282), -+ PLL_36XX_RATE(394073128, 459, 7, 2, 49282), - PLL_36XX_RATE(333000000, 111, 2, 2, 0), - PLL_36XX_RATE(300000000, 100, 2, 2, 0), - PLL_36XX_RATE(266000000, 266, 3, 3, 0), diff --git a/queue-4.4/clk-samsung-exynos5433-fix-pll-rates.patch b/queue-4.4/clk-samsung-exynos5433-fix-pll-rates.patch deleted file mode 100644 index 5082fc43285..00000000000 --- a/queue-4.4/clk-samsung-exynos5433-fix-pll-rates.patch +++ /dev/null @@ -1,61 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrzej Hajda -Date: Fri, 16 Feb 2018 15:57:51 +0100 -Subject: clk: samsung: exynos5433: Fix PLL rates - -From: Andrzej Hajda - -[ Upstream commit ab0447845cffc0fd752df2ccd6b4e34006000ce4 ] - -Rates declared in PLL rate tables should match exactly rates calculated from -the PLL coefficients. If that is not the case, rate of the PLL's child clock -might be set not as expected. For instance, if in the PLL rates table we have -a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate -callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate -will return 393216003. If we now attempt to set rate of a PLL's child divider -clock to 393216000/2 its rate will be 131072001, rather than 196608000. -That is, the divider will be set to 3 instead of 2, because 393216003/2 is -greater than 196608000. - -To fix this issue declared rates are changed to exactly match rates generated -by the PLL, as calculated from the P, M, S, K coefficients. - -Signed-off-by: Andrzej Hajda -Acked-by: Tomasz Figa -Acked-by: Chanwoo Choi -Signed-off-by: Sylwester Nawrocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/samsung/clk-exynos5433.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/drivers/clk/samsung/clk-exynos5433.c -+++ b/drivers/clk/samsung/clk-exynos5433.c -@@ -747,7 +747,7 @@ static struct samsung_pll_rate_table exy - PLL_35XX_RATE(800000000U, 400, 6, 1), - PLL_35XX_RATE(733000000U, 733, 12, 1), - PLL_35XX_RATE(700000000U, 175, 3, 1), -- PLL_35XX_RATE(667000000U, 222, 4, 1), -+ PLL_35XX_RATE(666000000U, 222, 4, 1), - PLL_35XX_RATE(633000000U, 211, 4, 1), - PLL_35XX_RATE(600000000U, 500, 5, 2), - PLL_35XX_RATE(552000000U, 460, 5, 2), -@@ -773,12 +773,12 @@ static struct samsung_pll_rate_table exy - /* AUD_PLL */ - static struct samsung_pll_rate_table exynos5443_aud_pll_rates[] = { - PLL_36XX_RATE(400000000U, 200, 3, 2, 0), -- PLL_36XX_RATE(393216000U, 197, 3, 2, -25690), -+ PLL_36XX_RATE(393216003U, 197, 3, 2, -25690), - PLL_36XX_RATE(384000000U, 128, 2, 2, 0), -- PLL_36XX_RATE(368640000U, 246, 4, 2, -15729), -- PLL_36XX_RATE(361507200U, 181, 3, 2, -16148), -- PLL_36XX_RATE(338688000U, 113, 2, 2, -6816), -- PLL_36XX_RATE(294912000U, 98, 1, 3, 19923), -+ PLL_36XX_RATE(368639991U, 246, 4, 2, -15729), -+ PLL_36XX_RATE(361507202U, 181, 3, 2, -16148), -+ PLL_36XX_RATE(338687988U, 113, 2, 2, -6816), -+ PLL_36XX_RATE(294912002U, 98, 1, 3, 19923), - PLL_36XX_RATE(288000000U, 96, 1, 3, 0), - PLL_36XX_RATE(252000000U, 84, 1, 3, 0), - { /* sentinel */ } diff --git a/queue-4.4/clk-samsung-s3c2410-fix-pll-rates.patch b/queue-4.4/clk-samsung-s3c2410-fix-pll-rates.patch deleted file mode 100644 index 59564b8e523..00000000000 --- a/queue-4.4/clk-samsung-s3c2410-fix-pll-rates.patch +++ /dev/null @@ -1,69 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrzej Hajda -Date: Fri, 16 Feb 2018 15:57:53 +0100 -Subject: clk: samsung: s3c2410: Fix PLL rates - -From: Andrzej Hajda - -[ Upstream commit 179db533c08431f509a3823077549773d519358b ] - -Rates declared in PLL rate tables should match exactly rates calculated from -the PLL coefficients. If that is not the case, rate of the PLL's child clock -might be set not as expected. For instance, if in the PLL rates table we have -a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate -callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate -will return 393216003. If we now attempt to set rate of a PLL's child divider -clock to 393216000/2 its rate will be 131072001, rather than 196608000. -That is, the divider will be set to 3 instead of 2, because 393216003/2 is -greater than 196608000. - -To fix this issue declared rates are changed to exactly match rates generated -by the PLL, as calculated from the P, M, S, K coefficients. - -Signed-off-by: Andrzej Hajda -Acked-by: Tomasz Figa -Acked-by: Chanwoo Choi -Signed-off-by: Sylwester Nawrocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clk/samsung/clk-s3c2410.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - ---- a/drivers/clk/samsung/clk-s3c2410.c -+++ b/drivers/clk/samsung/clk-s3c2410.c -@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll - PLL_35XX_RATE(226000000, 105, 1, 1), - PLL_35XX_RATE(210000000, 132, 2, 1), - /* 2410 common */ -- PLL_35XX_RATE(203000000, 161, 3, 1), -+ PLL_35XX_RATE(202800000, 161, 3, 1), - PLL_35XX_RATE(192000000, 88, 1, 1), - PLL_35XX_RATE(186000000, 85, 1, 1), - PLL_35XX_RATE(180000000, 82, 1, 1), -@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll - PLL_35XX_RATE(147000000, 90, 2, 1), - PLL_35XX_RATE(135000000, 82, 2, 1), - PLL_35XX_RATE(124000000, 116, 1, 2), -- PLL_35XX_RATE(118000000, 150, 2, 2), -+ PLL_35XX_RATE(118500000, 150, 2, 2), - PLL_35XX_RATE(113000000, 105, 1, 2), -- PLL_35XX_RATE(101000000, 127, 2, 2), -+ PLL_35XX_RATE(101250000, 127, 2, 2), - PLL_35XX_RATE(90000000, 112, 2, 2), -- PLL_35XX_RATE(85000000, 105, 2, 2), -+ PLL_35XX_RATE(84750000, 105, 2, 2), - PLL_35XX_RATE(79000000, 71, 1, 2), -- PLL_35XX_RATE(68000000, 82, 2, 2), -- PLL_35XX_RATE(56000000, 142, 2, 3), -+ PLL_35XX_RATE(67500000, 82, 2, 2), -+ PLL_35XX_RATE(56250000, 142, 2, 3), - PLL_35XX_RATE(48000000, 120, 2, 3), -- PLL_35XX_RATE(51000000, 161, 3, 3), -+ PLL_35XX_RATE(50700000, 161, 3, 3), - PLL_35XX_RATE(45000000, 82, 1, 3), -- PLL_35XX_RATE(34000000, 82, 2, 3), -+ PLL_35XX_RATE(33750000, 82, 2, 3), - { /* sentinel */ }, - }; - diff --git a/queue-4.4/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch b/queue-4.4/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch deleted file mode 100644 index b3a0d3c1e5c..00000000000 --- a/queue-4.4/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Colin Ian King -Date: Mon, 26 Feb 2018 11:36:14 +0000 -Subject: clocksource/drivers/fsl_ftm_timer: Fix error return checking - -From: Colin Ian King - -[ Upstream commit f287eb9013ccf199cbfa4eabd80c36fedfc15a73 ] - -The error checks on freq for a negative error return always fails because -freq is unsigned and can never be negative. Fix this by making freq a -signed long. - -Detected with Coccinelle: -drivers/clocksource/fsl_ftm_timer.c:287:5-9: WARNING: Unsigned expression -compared with zero: freq <= 0 -drivers/clocksource/fsl_ftm_timer.c:291:5-9: WARNING: Unsigned expression -compared with zero: freq <= 0 - -Fixes: 2529c3a33079 ("clocksource: Add Freescale FlexTimer Module (FTM) timer support") -Signed-off-by: Colin Ian King -Signed-off-by: Thomas Gleixner -Cc: Daniel Lezcano -Cc: kernel-janitors@vger.kernel.org -Link: https://lkml.kernel.org/r/20180226113614.3092-1-colin.king@canonical.com -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/clocksource/fsl_ftm_timer.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/clocksource/fsl_ftm_timer.c -+++ b/drivers/clocksource/fsl_ftm_timer.c -@@ -281,7 +281,7 @@ static int __init __ftm_clk_init(struct - - static unsigned long __init ftm_clk_init(struct device_node *np) - { -- unsigned long freq; -+ long freq; - - freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt"); - if (freq <= 0) diff --git a/queue-4.4/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch b/queue-4.4/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch deleted file mode 100644 index 7ab89c65360..00000000000 --- a/queue-4.4/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch +++ /dev/null @@ -1,53 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Shunyong Yang -Date: Fri, 6 Apr 2018 10:43:49 +0800 -Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs - -From: Shunyong Yang - -[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ] - -When multiple CPUs are related in one cpufreq policy, the first online -CPU will be chosen by default to handle cpufreq operations. Let's take -cpu0 and cpu1 as an example. - -When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf -capabilities should be initialized. Otherwise, perf capabilities are 0s -and speed change can not take effect. - -This patch copies perf capabilities of the first online CPU to other -shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY. - -Acked-by: Viresh Kumar -Signed-off-by: Shunyong Yang -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - ---- a/drivers/cpufreq/cppc_cpufreq.c -+++ b/drivers/cpufreq/cppc_cpufreq.c -@@ -100,9 +100,19 @@ static int cppc_cpufreq_cpu_init(struct - policy->cpuinfo.max_freq = policy->max; - policy->shared_type = cpu->shared_type; - -- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) -+ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) { -+ int i; -+ - cpumask_copy(policy->cpus, cpu->shared_cpu_map); -- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { -+ -+ for_each_cpu(i, policy->cpus) { -+ if (unlikely(i == policy->cpu)) -+ continue; -+ -+ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps, -+ sizeof(cpu->perf_caps)); -+ } -+ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { - /* Support only SW_ANY for now. */ - pr_debug("Unsupported CPU co-ord type\n"); - return -EFAULT; diff --git a/queue-4.4/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch b/queue-4.4/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch deleted file mode 100644 index 62615cd43a8..00000000000 --- a/queue-4.4/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch +++ /dev/null @@ -1,57 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Chunyu Hu -Date: Mon, 5 Mar 2018 13:40:38 +0800 -Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path - -From: Chunyu Hu - -[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ] - -Kmemleak reported the below leak. When cppc_cpufreq_init went into -failure path, the cpu mask is not freed. After fix, this report is -gone. And to avaoid potential NULL pointer reference, check the cpu -value first. - -unreferenced object 0xffff800fd5ea4880 (size 128): - comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s) - hex dump (first 32 bytes): - 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ........... - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - backtrace: - [] __kmalloc_node+0x278/0x634 - [] alloc_cpumask_var_node+0x28/0x60 - [] zalloc_cpumask_var+0x14/0x1c - [] cppc_cpufreq_init+0xd0/0x19c - [] do_one_initcall+0xec/0x15c - [] kernel_init_freeable+0x1f4/0x2a4 - [] kernel_init+0x18/0x10c - [] ret_from_fork+0x10/0x18 - [] 0xffffffffffffffff - -Signed-off-by: Chunyu Hu -Acked-by: Viresh Kumar -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/cpufreq/cppc_cpufreq.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - ---- a/drivers/cpufreq/cppc_cpufreq.c -+++ b/drivers/cpufreq/cppc_cpufreq.c -@@ -176,8 +176,13 @@ static int __init cppc_cpufreq_init(void - return ret; - - out: -- for_each_possible_cpu(i) -- kfree(all_cpu_data[i]); -+ for_each_possible_cpu(i) { -+ cpu = all_cpu_data[i]; -+ if (!cpu) -+ break; -+ free_cpumask_var(cpu->shared_cpu_map); -+ kfree(cpu); -+ } - - kfree(all_cpu_data); - return -ENODEV; diff --git a/queue-4.4/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch b/queue-4.4/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch deleted file mode 100644 index 26f2ea21196..00000000000 --- a/queue-4.4/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch +++ /dev/null @@ -1,50 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Eric Dumazet -Date: Sat, 7 Apr 2018 13:42:36 -0700 -Subject: crypto: af_alg - fix possible uninit-value in alg_bind() - -From: Eric Dumazet - -[ Upstream commit a466856e0b7ab269cdf9461886d007e88ff575b0 ] - -syzbot reported : - -BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162 - -We need to check addr_len before dereferencing sa (or uaddr) - -Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Cc: Stephan Mueller -Cc: Herbert Xu -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - crypto/af_alg.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, - void *private; - int err; - -- /* If caller uses non-allowed flag, return error. */ -- if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) -- return -EINVAL; -- - if (sock->state == SS_CONNECTED) - return -EINVAL; - - if (addr_len != sizeof(*sa)) - return -EINVAL; - -+ /* If caller uses non-allowed flag, return error. */ -+ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) -+ return -EINVAL; -+ - sa->salg_type[sizeof(sa->salg_type) - 1] = 0; - sa->salg_name[sizeof(sa->salg_name) - 1] = 0; - diff --git a/queue-4.4/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch b/queue-4.4/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch deleted file mode 100644 index c308683f7e2..00000000000 --- a/queue-4.4/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Peter Robinson -Date: Sun, 11 Feb 2018 23:15:37 +0000 -Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss - -From: Peter Robinson - -[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ] - -The MODULE_ALIAS is required to enable the sun4i-ss driver to load -automatically when built at a module. Tested on a Cubietruck. - -Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") -Signed-off-by: Peter Robinson -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c -+++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c -@@ -422,6 +422,7 @@ static struct platform_driver sun4i_ss_d - - module_platform_driver(sun4i_ss_driver); - -+MODULE_ALIAS("platform:sun4i-ss"); - MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator"); - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Corentin LABBE "); diff --git a/queue-4.4/dccp-initialize-ireq-ir_mark.patch b/queue-4.4/dccp-initialize-ireq-ir_mark.patch deleted file mode 100644 index f288af97d57..00000000000 --- a/queue-4.4/dccp-initialize-ireq-ir_mark.patch +++ /dev/null @@ -1,154 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Eric Dumazet -Date: Sat, 7 Apr 2018 13:42:41 -0700 -Subject: dccp: initialize ireq->ir_mark - -From: Eric Dumazet - -[ Upstream commit b855ff827476adbdc2259e9895681d82b7b26065 ] - -syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook() - -Thanks to the nice report, I tracked the problem to dccp not caring -of ireq->ir_mark for passive sessions. - -BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline] -BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84 -CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:17 [inline] - dump_stack+0x185/0x1d0 lib/dump_stack.c:53 - kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 - __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 - ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline] - iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84 - nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] - nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483 - nf_hook include/linux/netfilter.h:243 [inline] - __ip_local_out net/ipv4/ip_output.c:113 [inline] - ip_local_out net/ipv4/ip_output.c:122 [inline] - ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504 - dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142 - dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281 - dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363 - dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818 - inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 - sock_sendmsg_nosec net/socket.c:630 [inline] - sock_sendmsg net/socket.c:640 [inline] - ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 - __sys_sendmsg net/socket.c:2080 [inline] - SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 - SyS_sendmsg+0x54/0x80 net/socket.c:2087 - do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 -RIP: 0033:0x455259 -RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e -RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259 -RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015 -RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff -R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000 - -Uninit was stored to memory at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] - kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] - kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 - __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 - ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502 - dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142 - dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281 - dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363 - dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818 - inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 - sock_sendmsg_nosec net/socket.c:630 [inline] - sock_sendmsg net/socket.c:640 [inline] - ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 - __sys_sendmsg net/socket.c:2080 [inline] - SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 - SyS_sendmsg+0x54/0x80 net/socket.c:2087 - do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 -Uninit was stored to memory at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] - kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] - kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 - __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 - inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797 - dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92 - dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408 - dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414 - dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197 - dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840 - ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216 - NF_HOOK include/linux/netfilter.h:288 [inline] - ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257 - dst_input include/net/dst.h:449 [inline] - ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397 - NF_HOOK include/linux/netfilter.h:288 [inline] - ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 - __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 - __netif_receive_skb net/core/dev.c:4627 [inline] - process_backlog+0x62d/0xe20 net/core/dev.c:5307 - napi_poll net/core/dev.c:5705 [inline] - net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771 - __do_softirq+0x56d/0x93d kernel/softirq.c:285 -Uninit was created at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] - kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 - kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 - kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 - reqsk_alloc include/net/request_sock.h:88 [inline] - inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145 - dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600 - dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317 - dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612 - dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682 - dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578 - sk_backlog_rcv include/net/sock.h:908 [inline] - __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513 - dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874 - ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216 - NF_HOOK include/linux/netfilter.h:288 [inline] - ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257 - dst_input include/net/dst.h:449 [inline] - ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397 - NF_HOOK include/linux/netfilter.h:288 [inline] - ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 - __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 - __netif_receive_skb net/core/dev.c:4627 [inline] - process_backlog+0x62d/0xe20 net/core/dev.c:5307 - napi_poll net/core/dev.c:5705 [inline] - net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771 - __do_softirq+0x56d/0x93d kernel/softirq.c:285 - -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/dccp/ipv4.c | 1 + - net/dccp/ipv6.c | 1 + - 2 files changed, 2 insertions(+) - ---- a/net/dccp/ipv4.c -+++ b/net/dccp/ipv4.c -@@ -618,6 +618,7 @@ int dccp_v4_conn_request(struct sock *sk - ireq = inet_rsk(req); - sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); - sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); -+ ireq->ir_mark = inet_request_mark(sk, skb); - ireq->ireq_family = AF_INET; - ireq->ir_iif = sk->sk_bound_dev_if; - ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -345,6 +345,7 @@ static int dccp_v6_conn_request(struct s - ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; - ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; - ireq->ireq_family = AF_INET6; -+ ireq->ir_mark = inet_request_mark(sk, skb); - - if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || - np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || diff --git a/queue-4.4/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch b/queue-4.4/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch deleted file mode 100644 index b3aa8190670..00000000000 --- a/queue-4.4/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch +++ /dev/null @@ -1,44 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: mulhern -Date: Mon, 27 Nov 2017 10:02:39 -0500 -Subject: dm thin: fix documentation relative to low water mark threshold - -From: mulhern - -[ Upstream commit 9b28a1102efc75d81298198166ead87d643a29ce ] - -Fixes: -1. The use of "exceeds" when the opposite of exceeds, falls below, -was meant. -2. Properly speaking, a table can not exceed a threshold. - -It emphasizes the important point, which is that it is the userspace -daemon's responsibility to check for low free space when a device -is resumed, since it won't get a special event indicating low free -space in that situation. - -Signed-off-by: mulhern -Signed-off-by: Mike Snitzer -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/device-mapper/thin-provisioning.txt | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/Documentation/device-mapper/thin-provisioning.txt -+++ b/Documentation/device-mapper/thin-provisioning.txt -@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks o - free space on the data device drops below this level then a dm event - will be triggered which a userspace daemon should catch allowing it to - extend the pool device. Only one such event will be sent. --Resuming a device with a new table itself triggers an event so the --userspace daemon can use this to detect a situation where a new table --already exceeds the threshold. -+ -+No special event is triggered if a just resumed device's free space is below -+the low water mark. However, resuming a device always triggers an -+event; a userspace daemon should verify that free space exceeds the low -+water mark when handling this event. - - A low water mark for the metadata device is maintained in the kernel and - will trigger a dm event if free space on the metadata device drops below diff --git a/queue-4.4/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch b/queue-4.4/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch deleted file mode 100644 index cf54d7327b2..00000000000 --- a/queue-4.4/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch +++ /dev/null @@ -1,162 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Qi Hou -Date: Tue, 6 Mar 2018 09:13:37 +0800 -Subject: dmaengine: pl330: fix a race condition in case of threaded irqs - -From: Qi Hou - -[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ] - -When booting up with "threadirqs" in command line, all irq handlers of the DMA -controller pl330 will be threaded forcedly. These threads will race for the same -list, pl330->req_done. - -Before the callback, the spinlock was released. And after it, the spinlock was -taken. This opened an race window where another threaded irq handler could steal -the spinlock and be permitted to delete entries of the list, pl330->req_done. - -If the later deleted an entry that was still referred to by the former, there would -be a kernel panic when the former was scheduled and tried to get the next sibling -of the deleted entry. - -The scenario could be depicted as below: - - Thread: T1 pl330->req_done Thread: T2 - | | | - | -A-B-C-D- | - Locked | | - | | Waiting - Del A | | - | -B-C-D- | - Unlocked | | - | | Locked - Waiting | | - | | Del B - | | | - | -C-D- Unlocked - Waiting | | - | - Locked - | - get C via B - \ - - Kernel panic - -The kernel panic looked like as below: - -Unable to handle kernel paging request at virtual address dead000000000108 -pgd = ffffff8008c9e000 -[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000 -Internal error: Oops: 96000044 [#1] PREEMPT SMP -Modules linked in: -CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2 -Hardware name: Broadcom NS2 SVK (DT) -task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000 -PC is at pl330_irq_handler+0x27c/0x390 -LR is at pl330_irq_handler+0x2a8/0x390 -pc : [] lr : [] pstate: 800001c5 -sp : ffffffc1f5ce3d00 -x29: ffffffc1f5ce3d00 x28: 0000000000000140 -x27: ffffffc1f5c530b0 x26: dead000000000100 -x25: dead000000000200 x24: 0000000000418958 -x23: 0000000000000001 x22: ffffffc1f5ccd668 -x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418 -x19: dead000000000060 x18: 0000000000000001 -x17: 0000000000000007 x16: 0000000000000001 -x15: ffffffffffffffff x14: ffffffffffffffff -x13: ffffffffffffffff x12: 0000000000000000 -x11: 0000000000000001 x10: 0000000000000840 -x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338 -x7 : ffffff8008ce2020 x6 : 0000000000000000 -x5 : 0000000000000000 x4 : 0000000000000001 -x3 : dead000000000200 x2 : dead000000000100 -x1 : 0000000000000140 x0 : ffffffc1f5ccd590 - -Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020) -Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000) -3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600 -3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998 -3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000 -3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0 -3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001 -3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8 -3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00 -3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000 -3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68 -3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80 -3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648 -3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00 -3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90 -3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0 -3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 -3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000 -3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8 -Call trace: -Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60) -3b20: dead000000000060 0000008000000000 -3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88 -3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4 -3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc -3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000 -3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140 -3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000 -3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000 -3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff -3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007 -[] pl330_irq_handler+0x27c/0x390 -[] irq_forced_thread_fn+0x38/0x88 -[] irq_thread+0x140/0x200 -[] kthread+0xd8/0xf0 -[] ret_from_fork+0x10/0x40 -Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443) ----[ end trace f50005726d31199c ]--- -Kernel panic - not syncing: Fatal exception in interrupt -SMP: stopping secondary CPUs -SMP: failed to stop secondary CPUs 0-1 -Kernel Offset: disabled -Memory Limit: none ----[ end Kernel panic - not syncing: Fatal exception in interrupt - -To fix this, re-start with the list-head after dropping the lock then -re-takeing it. - -Reviewed-by: Frank Mori Hess -Tested-by: Frank Mori Hess -Signed-off-by: Qi Hou -Signed-off-by: Vinod Koul - -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/dma/pl330.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/dma/pl330.c -+++ b/drivers/dma/pl330.c -@@ -1533,7 +1533,7 @@ static void pl330_dotask(unsigned long d - /* Returns 1 if state was updated, 0 otherwise */ - static int pl330_update(struct pl330_dmac *pl330) - { -- struct dma_pl330_desc *descdone, *tmp; -+ struct dma_pl330_desc *descdone; - unsigned long flags; - void __iomem *regs; - u32 val; -@@ -1611,7 +1611,9 @@ static int pl330_update(struct pl330_dma - } - - /* Now that we are in no hurry, do the callbacks */ -- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) { -+ while (!list_empty(&pl330->req_done)) { -+ descdone = list_first_entry(&pl330->req_done, -+ struct dma_pl330_desc, rqd); - list_del(&descdone->rqd); - spin_unlock_irqrestore(&pl330->lock, flags); - dma_pl330_rqcb(descdone, PL330_ERR_NONE); diff --git a/queue-4.4/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch b/queue-4.4/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch deleted file mode 100644 index 75117d98335..00000000000 --- a/queue-4.4/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yoshihiro Shimoda -Date: Wed, 14 Feb 2018 18:40:12 +0900 -Subject: dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3 - -From: Yoshihiro Shimoda - -[ Upstream commit d716d9b702bb759dd6fb50804f10a174bd156d71 ] - -According to R-Car Gen3 Rev.0.80 manual, the DMATCR can be set to -16,777,215 as maximum. So, this patch fixes the max_chunk_size for -safety on all of SoCs. Otherwise, a system may hang if the DMATCR -is set to 0 on R-Car Gen3. - -Signed-off-by: Yoshihiro Shimoda -Reviewed-by: Simon Horman -Signed-off-by: Vinod Koul -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/dma/sh/rcar-dmac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/dma/sh/rcar-dmac.c -+++ b/drivers/dma/sh/rcar-dmac.c -@@ -851,7 +851,7 @@ rcar_dmac_chan_prep_sg(struct rcar_dmac_ - - rcar_dmac_chan_configure_desc(chan, desc); - -- max_chunk_size = (RCAR_DMATCR_MASK + 1) << desc->xfer_shift; -+ max_chunk_size = RCAR_DMATCR_MASK << desc->xfer_shift; - - /* - * Allocate and fill the transfer chunk descriptors. We own the only diff --git a/queue-4.4/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch b/queue-4.4/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch deleted file mode 100644 index 788523fd0d0..00000000000 --- a/queue-4.4/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch +++ /dev/null @@ -1,56 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Esben Haabendal -Date: Sun, 8 Apr 2018 22:17:01 +0200 -Subject: dp83640: Ensure against premature access to PHY registers after reset - -From: Esben Haabendal - -[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ] - -The datasheet specifies a 3uS pause after performing a software -reset. The default implementation of genphy_soft_reset() does not -provide this, so implement soft_reset with the needed pause. - -Signed-off-by: Esben Haabendal -Reviewed-by: Andrew Lunn -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/phy/dp83640.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - ---- a/drivers/net/phy/dp83640.c -+++ b/drivers/net/phy/dp83640.c -@@ -1203,6 +1203,23 @@ static void dp83640_remove(struct phy_de - kfree(dp83640); - } - -+static int dp83640_soft_reset(struct phy_device *phydev) -+{ -+ int ret; -+ -+ ret = genphy_soft_reset(phydev); -+ if (ret < 0) -+ return ret; -+ -+ /* From DP83640 datasheet: "Software driver code must wait 3 us -+ * following a software reset before allowing further serial MII -+ * operations with the DP83640." -+ */ -+ udelay(10); /* Taking udelay inaccuracy into account */ -+ -+ return 0; -+} -+ - static int dp83640_config_init(struct phy_device *phydev) - { - struct dp83640_private *dp83640 = phydev->priv; -@@ -1496,6 +1513,7 @@ static struct phy_driver dp83640_driver - .flags = PHY_HAS_INTERRUPT, - .probe = dp83640_probe, - .remove = dp83640_remove, -+ .soft_reset = dp83640_soft_reset, - .config_init = dp83640_config_init, - .config_aneg = genphy_config_aneg, - .read_status = genphy_read_status, diff --git a/queue-4.4/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.4/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch deleted file mode 100644 index 5de2ae1dc73..00000000000 --- a/queue-4.4/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Wolfram Sang -Date: Mon, 5 Feb 2018 21:09:59 +0100 -Subject: drm/exynos: fix comparison to bitshift when dealing with a mask - -From: Wolfram Sang - -[ Upstream commit 1293b6191010672c0c9dacae8f71c6f3e4d70cbe ] - -Due to a typo, the mask was destroyed by a comparison instead of a bit -shift. - -Signed-off-by: Wolfram Sang -Signed-off-by: Inki Dae -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/exynos/regs-fimc.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/gpu/drm/exynos/regs-fimc.h -+++ b/drivers/gpu/drm/exynos/regs-fimc.h -@@ -569,7 +569,7 @@ - #define EXYNOS_CIIMGEFF_FIN_EMBOSSING (4 << 26) - #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE (5 << 26) - #define EXYNOS_CIIMGEFF_FIN_MASK (7 << 26) --#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff < 13) | (0xff < 0)) -+#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff << 13) | (0xff << 0)) - - /* Real input DMA size register */ - #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE (1 << 31) diff --git a/queue-4.4/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch b/queue-4.4/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch deleted file mode 100644 index 8edf84ab68e..00000000000 --- a/queue-4.4/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch +++ /dev/null @@ -1,44 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Markus Elfring -Date: Thu, 8 Feb 2018 18:42:51 +0100 -Subject: drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions - -From: Markus Elfring - -[ Upstream commit 6f0a60298bbbea43ab5e3955913ab19c153076f3 ] - -Omit an extra message for a memory allocation failure in these functions. - -This issue was detected by using the Coccinelle software. - -Signed-off-by: Markus Elfring -Signed-off-by: Inki Dae -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - ---- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c -+++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c -@@ -270,7 +270,6 @@ static int g2d_init_cmdlist(struct g2d_d - - node = kcalloc(G2D_CMDLIST_NUM, sizeof(*node), GFP_KERNEL); - if (!node) { -- dev_err(dev, "failed to allocate memory\n"); - ret = -ENOMEM; - goto err; - } -@@ -1254,10 +1253,9 @@ int exynos_g2d_exec_ioctl(struct drm_dev - return -EFAULT; - - runqueue_node = kmem_cache_alloc(g2d->runqueue_slab, GFP_KERNEL); -- if (!runqueue_node) { -- dev_err(dev, "failed to allocate memory\n"); -+ if (!runqueue_node) - return -ENOMEM; -- } -+ - run_cmdlist = &runqueue_node->run_cmdlist; - event_list = &runqueue_node->event_list; - INIT_LIST_HEAD(run_cmdlist); diff --git a/queue-4.4/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch b/queue-4.4/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch deleted file mode 100644 index 55366e2a8a1..00000000000 --- a/queue-4.4/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch +++ /dev/null @@ -1,56 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Ørjan Eide" -Date: Tue, 30 Jan 2018 21:28:33 +0100 -Subject: drm/rockchip: Respect page offset for PRIME mmap calls - -From: "Ørjan Eide" - -[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ] - -When mapping external DMA-bufs through the PRIME mmap call, we might be -given an offset which has to be respected. However for the internal DRM -GEM mmap path, we have to ignore the fake mmap offset used to identify -the buffer only. Currently the code always zeroes out vma->vm_pgoff, -which breaks the former. - -This patch fixes the problem by moving the vm_pgoff assignment to a -function that is used only for GEM mmap path, so that the PRIME path -retains the original offset. - -Cc: Daniel Kurtz -Signed-off-by: Ørjan Eide -Signed-off-by: Tomasz Figa -Signed-off-by: Sean Paul -Signed-off-by: Thierry Escande -Tested-by: Heiko Stuebner -Signed-off-by: Heiko Stuebner -Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c -+++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c -@@ -67,7 +67,6 @@ static int rockchip_drm_gem_object_mmap( - * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap(). - */ - vma->vm_flags &= ~VM_PFNMAP; -- vma->vm_pgoff = 0; - - ret = dma_mmap_attrs(drm->dev, vma, rk_obj->kvaddr, rk_obj->dma_addr, - obj->size, &rk_obj->dma_attrs); -@@ -99,6 +98,12 @@ int rockchip_gem_mmap(struct file *filp, - if (ret) - return ret; - -+ /* -+ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the -+ * whole buffer from the start. -+ */ -+ vma->vm_pgoff = 0; -+ - obj = vma->vm_private_data; - - return rockchip_drm_gem_object_mmap(obj, vma); diff --git a/queue-4.4/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch b/queue-4.4/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch deleted file mode 100644 index 9e8b6d66b94..00000000000 --- a/queue-4.4/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch +++ /dev/null @@ -1,85 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Pierre-Yves Kerbrat -Date: Fri, 26 Jan 2018 11:24:12 +0100 -Subject: e1000e: allocate ring descriptors with dma_zalloc_coherent - -From: Pierre-Yves Kerbrat - -[ Upstream commit aea3fca005fb45f80869f2e8d56fd4e64c1d1fdb ] - -Descriptor rings were not initialized at zero when allocated -When area contained garbage data, it caused skb_over_panic in -e1000_clean_rx_irq (if data had E1000_RXD_STAT_DD bit set) - -This patch makes use of dma_zalloc_coherent to make sure the -ring is memset at 0 to prevent the area from containing garbage. - -Following is the signature of the panic: -IODDR0@0.0: skbuff: skb_over_panic: text:80407b20 len:64010 put:64010 head:ab46d800 data:ab46d842 tail:0xab47d24c end:0xab46df40 dev:eth0 -IODDR0@0.0: BUG: failure at net/core/skbuff.c:105/skb_panic()! -IODDR0@0.0: Kernel panic - not syncing: BUG! -IODDR0@0.0: -IODDR0@0.0: Process swapper/0 (pid: 0, threadinfo=81728000, task=8173cc00 ,cpu: 0) -IODDR0@0.0: SP = <815a1c0c> -IODDR0@0.0: Stack: 00000001 -IODDR0@0.0: b2d89800 815e33ac -IODDR0@0.0: ea73c040 00000001 -IODDR0@0.0: 60040003 0000fa0a -IODDR0@0.0: 00000002 -IODDR0@0.0: -IODDR0@0.0: 804540c0 815a1c70 -IODDR0@0.0: b2744000 602ac070 -IODDR0@0.0: 815a1c44 b2d89800 -IODDR0@0.0: 8173cc00 815a1c08 -IODDR0@0.0: -IODDR0@0.0: 00000006 -IODDR0@0.0: 815a1b50 00000000 -IODDR0@0.0: 80079434 00000001 -IODDR0@0.0: ab46df40 b2744000 -IODDR0@0.0: b2d89800 -IODDR0@0.0: -IODDR0@0.0: 0000fa0a 8045745c -IODDR0@0.0: 815a1c88 0000fa0a -IODDR0@0.0: 80407b20 b2789f80 -IODDR0@0.0: 00000005 80407b20 -IODDR0@0.0: -IODDR0@0.0: -IODDR0@0.0: Call Trace: -IODDR0@0.0: [<804540bc>] skb_panic+0xa4/0xa8 -IODDR0@0.0: [<80079430>] console_unlock+0x2f8/0x6d0 -IODDR0@0.0: [<80457458>] skb_put+0xa0/0xc0 -IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8 -IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8 -IODDR0@0.0: [<804079c8>] e1000_clean_rx_irq+0x188/0x3e8 -IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8 -IODDR0@0.0: [<80468b48>] __dev_kfree_skb_any+0x88/0xa8 -IODDR0@0.0: [<804101ac>] e1000e_poll+0x94/0x288 -IODDR0@0.0: [<8046e9d4>] net_rx_action+0x19c/0x4e8 -IODDR0@0.0: ... -IODDR0@0.0: Maximum depth to print reached. Use kstack= To specify a custom value (where 0 means to display the full backtrace) -IODDR0@0.0: ---[ end Kernel panic - not syncing: BUG! - -Signed-off-by: Pierre-Yves Kerbrat -Signed-off-by: Marius Gligor -Tested-by: Aaron Brown -Reviewed-by: Alexander Duyck -Signed-off-by: Jeff Kirsher -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/net/ethernet/intel/e1000e/netdev.c -+++ b/drivers/net/ethernet/intel/e1000e/netdev.c -@@ -2330,8 +2330,8 @@ static int e1000_alloc_ring_dma(struct e - { - struct pci_dev *pdev = adapter->pdev; - -- ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma, -- GFP_KERNEL); -+ ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma, -+ GFP_KERNEL); - if (!ring->desc) - return -ENOMEM; - diff --git a/queue-4.4/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch b/queue-4.4/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch deleted file mode 100644 index 702e07ff4e7..00000000000 --- a/queue-4.4/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch +++ /dev/null @@ -1,48 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Benjamin Poirier -Date: Tue, 20 Feb 2018 15:12:00 +0900 -Subject: e1000e: Fix check_for_link return value with autoneg off - -From: Benjamin Poirier - -[ Upstream commit 4e7dc08e57c95673d2edaba8983c3de4dd1f65f5 ] - -When autoneg is off, the .check_for_link callback functions clear the -get_link_status flag and systematically return a "pseudo-error". This means -that the link is not detected as up until the next execution of the -e1000_watchdog_task() 2 seconds later. - -Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up") -Signed-off-by: Benjamin Poirier -Acked-by: Sasha Neftin -Tested-by: Aaron Brown -Signed-off-by: Jeff Kirsher -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +- - drivers/net/ethernet/intel/e1000e/mac.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c -+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c -@@ -1574,7 +1574,7 @@ static s32 e1000_check_for_copper_link_i - * we have already determined whether we have link or not. - */ - if (!mac->autoneg) -- return -E1000_ERR_CONFIG; -+ return 1; - - /* Auto-Neg is enabled. Auto Speed Detection takes care - * of MAC speed/duplex configuration. So we only need to ---- a/drivers/net/ethernet/intel/e1000e/mac.c -+++ b/drivers/net/ethernet/intel/e1000e/mac.c -@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct - * we have already determined whether we have link or not. - */ - if (!mac->autoneg) -- return -E1000_ERR_CONFIG; -+ return 1; - - /* Auto-Neg is enabled. Auto Speed Detection takes care - * of MAC speed/duplex configuration. So we only need to diff --git a/queue-4.4/enic-enable-rq-before-updating-rq-descriptors.patch b/queue-4.4/enic-enable-rq-before-updating-rq-descriptors.patch deleted file mode 100644 index 1571ef35005..00000000000 --- a/queue-4.4/enic-enable-rq-before-updating-rq-descriptors.patch +++ /dev/null @@ -1,54 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Govindarajulu Varadarajan -Date: Thu, 1 Mar 2018 11:07:23 -0800 -Subject: enic: enable rq before updating rq descriptors - -From: Govindarajulu Varadarajan - -[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ] - -rq should be enabled before posting the buffers to rq desc. If not hw sees -stale value and casuses DMAR errors. - -Signed-off-by: Govindarajulu Varadarajan -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/drivers/net/ethernet/cisco/enic/enic_main.c -+++ b/drivers/net/ethernet/cisco/enic/enic_main.c -@@ -1726,6 +1726,8 @@ static int enic_open(struct net_device * - } - - for (i = 0; i < enic->rq_count; i++) { -+ /* enable rq before updating rq desc */ -+ vnic_rq_enable(&enic->rq[i]); - vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf); - /* Need at least one buffer on ring to get going */ - if (vnic_rq_desc_used(&enic->rq[i]) == 0) { -@@ -1737,8 +1739,6 @@ static int enic_open(struct net_device * - - for (i = 0; i < enic->wq_count; i++) - vnic_wq_enable(&enic->wq[i]); -- for (i = 0; i < enic->rq_count; i++) -- vnic_rq_enable(&enic->rq[i]); - - if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic)) - enic_dev_add_station_addr(enic); -@@ -1765,8 +1765,12 @@ static int enic_open(struct net_device * - return 0; - - err_out_free_rq: -- for (i = 0; i < enic->rq_count; i++) -+ for (i = 0; i < enic->rq_count; i++) { -+ err = vnic_rq_disable(&enic->rq[i]); -+ if (err) -+ return err; - vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); -+ } - enic_dev_notify_unset(enic); - err_out_free_intr: - enic_unset_affinity_hint(enic); diff --git a/queue-4.4/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch b/queue-4.4/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch deleted file mode 100644 index e8bbf0dfa9f..00000000000 --- a/queue-4.4/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch +++ /dev/null @@ -1,63 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Peter Malone -Date: Wed, 7 Mar 2018 14:00:34 +0100 -Subject: fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). - -From: Peter Malone - -[ Upstream commit 250c6c49e3b68756b14983c076183568636e2bde ] - -Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in -sbusfb_ioctl_helper(). - -'index' is defined as an int in sbusfb_ioctl_helper(). -We retrieve this from the user: -if (get_user(index, &c->index) || - __get_user(count, &c->count) || - __get_user(ured, &c->red) || - __get_user(ugreen, &c->green) || - __get_user(ublue, &c->blue)) - return -EFAULT; - -and then we use 'index' in the following way: -red = cmap->red[index + i] >> 8; -green = cmap->green[index + i] >> 8; -blue = cmap->blue[index + i] >> 8; - -This is a classic information leak vulnerability. 'index' should be -an unsigned int, given its usage above. - -This patch is straight-forward; it changes 'index' to unsigned int -in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC. - -This patch fixes CVE-2018-6412. - -Signed-off-by: Peter Malone -Acked-by: Mathieu Malaterre -Signed-off-by: Bartlomiej Zolnierkiewicz -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/video/fbdev/sbuslib.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/video/fbdev/sbuslib.c -+++ b/drivers/video/fbdev/sbuslib.c -@@ -121,7 +121,7 @@ int sbusfb_ioctl_helper(unsigned long cm - unsigned char __user *ured; - unsigned char __user *ugreen; - unsigned char __user *ublue; -- int index, count, i; -+ unsigned int index, count, i; - - if (get_user(index, &c->index) || - __get_user(count, &c->count) || -@@ -160,7 +160,7 @@ int sbusfb_ioctl_helper(unsigned long cm - unsigned char __user *ugreen; - unsigned char __user *ublue; - struct fb_cmap *cmap = &info->cmap; -- int index, count, i; -+ unsigned int index, count, i; - u8 red, green, blue; - - if (get_user(index, &c->index) || diff --git a/queue-4.4/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch b/queue-4.4/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch deleted file mode 100644 index e42d74cc11f..00000000000 --- a/queue-4.4/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch +++ /dev/null @@ -1,47 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Hector Martin -Date: Fri, 3 Nov 2017 20:28:57 +0900 -Subject: firewire-ohci: work around oversized DMA reads on JMicron controllers - -From: Hector Martin - -[ Upstream commit 188775181bc05f29372b305ef96485840e351fde ] - -At least some JMicron controllers issue buggy oversized DMA reads when -fetching context descriptors, always fetching 0x20 bytes at once for -descriptors which are only 0x10 bytes long. This is often harmless, but -can cause page faults on modern systems with IOMMUs: - -DMAR: [DMA Read] Request device [05:00.0] fault addr fff56000 [fault reason 06] PTE Read access is not set -firewire_ohci 0000:05:00.0: DMA context IT0 has stopped, error code: evt_descriptor_read - -This works around the problem by always leaving 0x10 padding bytes at -the end of descriptor buffer pages, which should be harmless to do -unconditionally for controllers in case others have the same behavior. - -Signed-off-by: Hector Martin -Reviewed-by: Clemens Ladisch -Signed-off-by: Stefan Richter -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/firewire/ohci.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/drivers/firewire/ohci.c -+++ b/drivers/firewire/ohci.c -@@ -1130,7 +1130,13 @@ static int context_add_buffer(struct con - return -ENOMEM; - - offset = (void *)&desc->buffer - (void *)desc; -- desc->buffer_size = PAGE_SIZE - offset; -+ /* -+ * Some controllers, like JMicron ones, always issue 0x20-byte DMA reads -+ * for descriptors, even 0x10-byte ones. This can cause page faults when -+ * an IOMMU is in use and the oversized read crosses a page boundary. -+ * Work around this by always leaving at least 0x10 bytes of padding. -+ */ -+ desc->buffer_size = PAGE_SIZE - offset - 0x10; - desc->buffer_bus = bus_addr + offset; - desc->used = 0; - diff --git a/queue-4.4/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch b/queue-4.4/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch deleted file mode 100644 index 3a222e62b26..00000000000 --- a/queue-4.4/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch +++ /dev/null @@ -1,85 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jean Delvare -Date: Sat, 3 Feb 2018 11:25:20 +0100 -Subject: firmware: dmi_scan: Fix handling of empty DMI strings - -From: Jean Delvare - -[ Upstream commit a7770ae194569e96a93c48aceb304edded9cc648 ] - -The handling of empty DMI strings looks quite broken to me: -* Strings from 1 to 7 spaces are not considered empty. -* True empty DMI strings (string index set to 0) are not considered - empty, and result in allocating a 0-char string. -* Strings with invalid index also result in allocating a 0-char - string. -* Strings starting with 8 spaces are all considered empty, even if - non-space characters follow (sounds like a weird thing to do, but - I have actually seen occurrences of this in DMI tables before.) -* Strings which are considered empty are reported as 8 spaces, - instead of being actually empty. - -Some of these issues are the result of an off-by-one error in memcmp, -the rest is incorrect by design. - -So let's get it square: missing strings and strings made of only -spaces, regardless of their length, should be treated as empty and -no memory should be allocated for them. All other strings are -non-empty and should be allocated. - -Signed-off-by: Jean Delvare -Fixes: 79da4721117f ("x86: fix DMI out of memory problems") -Cc: Parag Warudkar -Cc: Ingo Molnar -Cc: Thomas Gleixner -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/firmware/dmi_scan.c | 22 +++++++++------------- - 1 file changed, 9 insertions(+), 13 deletions(-) - ---- a/drivers/firmware/dmi_scan.c -+++ b/drivers/firmware/dmi_scan.c -@@ -18,7 +18,7 @@ EXPORT_SYMBOL_GPL(dmi_kobj); - * of and an antecedent to, SMBIOS, which stands for System - * Management BIOS. See further: http://www.dmtf.org/standards - */ --static const char dmi_empty_string[] = " "; -+static const char dmi_empty_string[] = ""; - - static u32 dmi_ver __initdata; - static u32 dmi_len; -@@ -44,25 +44,21 @@ static int dmi_memdev_nr; - static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s) - { - const u8 *bp = ((u8 *) dm) + dm->length; -+ const u8 *nsp; - - if (s) { -- s--; -- while (s > 0 && *bp) { -+ while (--s > 0 && *bp) - bp += strlen(bp) + 1; -- s--; -- } - -- if (*bp != 0) { -- size_t len = strlen(bp)+1; -- size_t cmp_len = len > 8 ? 8 : len; -- -- if (!memcmp(bp, dmi_empty_string, cmp_len)) -- return dmi_empty_string; -+ /* Strings containing only spaces are considered empty */ -+ nsp = bp; -+ while (*nsp == ' ') -+ nsp++; -+ if (*nsp != '\0') - return bp; -- } - } - -- return ""; -+ return dmi_empty_string; - } - - static const char * __init dmi_string(const struct dmi_header *dm, u8 s) diff --git a/queue-4.4/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch b/queue-4.4/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch deleted file mode 100644 index 2fadb95dacd..00000000000 --- a/queue-4.4/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch +++ /dev/null @@ -1,69 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Carlos Maiolino -Date: Tue, 10 Apr 2018 22:39:04 -0700 -Subject: Force log to disk before reading the AGF during a fstrim - -From: Carlos Maiolino - -[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ] - -Forcing the log to disk after reading the agf is wrong, we might be -calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held. - -This can cause a deadlock when racing a fstrim with a filesystem -shutdown. - -The deadlock has been identified due a miscalculation bug in device-mapper -dm-thin, which returns lack of space to its users earlier than the device itself -really runs out of space, changing the device-mapper volume into an error state. - -The problem happened while filling the filesystem with a single file, -triggering the bug in device-mapper, consequently causing an IO error -and shutting down the filesystem. - -If such file is removed, and fstrim executed before the XFS finishes the -shut down process, the fstrim process will end up holding the buffer -lock, and going to sleep on the cil wait queue. - -At this point, the shut down process will try to wake up all the threads -waiting on the cil wait queue, but for this, it will try to hold the -same buffer log already held my the fstrim, locking up the filesystem. - -Signed-off-by: Carlos Maiolino -Reviewed-by: Darrick J. Wong -Signed-off-by: Darrick J. Wong -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/xfs/xfs_discard.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - ---- a/fs/xfs/xfs_discard.c -+++ b/fs/xfs/xfs_discard.c -@@ -50,19 +50,19 @@ xfs_trim_extents( - - pag = xfs_perag_get(mp, agno); - -- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); -- if (error || !agbp) -- goto out_put_perag; -- -- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); -- - /* - * Force out the log. This means any transactions that might have freed -- * space before we took the AGF buffer lock are now on disk, and the -+ * space before we take the AGF buffer lock are now on disk, and the - * volatile disk cache is flushed. - */ - xfs_log_force(mp, XFS_LOG_SYNC); - -+ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); -+ if (error || !agbp) -+ goto out_put_perag; -+ -+ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); -+ - /* - * Look up the longest btree in the AGF and start with it. - */ diff --git a/queue-4.4/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch b/queue-4.4/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch deleted file mode 100644 index 69d7c8667e4..00000000000 --- a/queue-4.4/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch +++ /dev/null @@ -1,44 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Danilo Krummrich -Date: Tue, 10 Apr 2018 16:31:38 -0700 -Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table - -From: Danilo Krummrich - -[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ] - -proc_sys_link_fill_cache() does not take currently unregistering sysctl -tables into account, which might result into a page fault in -sysctl_follow_link() - add a check to fix it. - -This bug has been present since v3.4. - -Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de -Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") -Signed-off-by: Danilo Krummrich -Acked-by: Kees Cook -Reviewed-by: Andrew Morton -Cc: "Luis R . Rodriguez" -Cc: "Eric W. Biederman" -Cc: Alexey Dobriyan -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/proc/proc_sysctl.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/fs/proc/proc_sysctl.c -+++ b/fs/proc/proc_sysctl.c -@@ -654,7 +654,10 @@ static bool proc_sys_link_fill_cache(str - struct ctl_table *table) - { - bool ret = true; -+ - head = sysctl_head_grab(head); -+ if (IS_ERR(head)) -+ return false; - - if (S_ISLNK(table->mode)) { - /* It is not an error if we can not follow the link ignore it */ diff --git a/queue-4.4/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch b/queue-4.4/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch deleted file mode 100644 index f27af3baa4e..00000000000 --- a/queue-4.4/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch +++ /dev/null @@ -1,71 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: David Howells -Date: Wed, 4 Apr 2018 13:41:26 +0100 -Subject: fscache: Fix hanging wait on page discarded by writeback - -From: David Howells - -[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ] - -If the fscache asynchronous write operation elects to discard a page that's -pending storage to the cache because the page would be over the store limit -then it needs to wake the page as someone may be waiting on completion of -the write. - -The problem is that the store limit may be updated by a different -asynchronous operation - and so may miss the write - and that the store -limit may not even get updated until later by the netfs. - -Fix the kernel hang by making fscache_write_op() mark as written any pages -that are over the limit. - -Signed-off-by: David Howells -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/fscache/page.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - ---- a/fs/fscache/page.c -+++ b/fs/fscache/page.c -@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca - - _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage)); - -+again: - spin_lock(&object->lock); - cookie = object->cookie; - -@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca - goto superseded; - page = results[0]; - _debug("gang %d [%lx]", n, page->index); -- if (page->index >= op->store_limit) { -- fscache_stat(&fscache_n_store_pages_over_limit); -- goto superseded; -- } - - radix_tree_tag_set(&cookie->stores, page->index, - FSCACHE_COOKIE_STORING_TAG); -@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca - spin_unlock(&cookie->stores_lock); - spin_unlock(&object->lock); - -+ if (page->index >= op->store_limit) -+ goto discard_page; -+ - fscache_stat(&fscache_n_store_pages); - fscache_stat(&fscache_n_cop_write_page); - ret = object->cache->ops->write_page(op, page); -@@ -844,6 +844,11 @@ static void fscache_write_op(struct fsca - _leave(""); - return; - -+discard_page: -+ fscache_stat(&fscache_n_store_pages_over_limit); -+ fscache_end_page_write(object, page); -+ goto again; -+ - superseded: - /* this writer is going away and there aren't any more things to - * write */ diff --git a/queue-4.4/gfs2-fix-fallocate-chunk-size.patch b/queue-4.4/gfs2-fix-fallocate-chunk-size.patch deleted file mode 100644 index 29957670a32..00000000000 --- a/queue-4.4/gfs2-fix-fallocate-chunk-size.patch +++ /dev/null @@ -1,63 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andreas Gruenbacher -Date: Tue, 20 Feb 2018 08:03:24 -0700 -Subject: gfs2: Fix fallocate chunk size - -From: Andreas Gruenbacher - -[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ] - -The chunk size of allocations in __gfs2_fallocate is calculated -incorrectly. The size can collapse, causing __gfs2_fallocate to -allocate one block at a time, which is very inefficient. This needs -fixing in two places: - -In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate -that there is no quota limit. This fixes callers that rely on -ap->allowed to be set even when quotas are off. - -In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the -loop to make sure that allocation limits from one resource group won't -spill over into another resource group. - -Signed-off-by: Andreas Gruenbacher -Signed-off-by: Bob Peterson -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/gfs2/file.c | 5 +++-- - fs/gfs2/quota.h | 2 ++ - 2 files changed, 5 insertions(+), 2 deletions(-) - ---- a/fs/gfs2/file.c -+++ b/fs/gfs2/file.c -@@ -806,7 +806,7 @@ static long __gfs2_fallocate(struct file - struct gfs2_inode *ip = GFS2_I(inode); - struct gfs2_alloc_parms ap = { .aflags = 0, }; - unsigned int data_blocks = 0, ind_blocks = 0, rblocks; -- loff_t bytes, max_bytes, max_blks = UINT_MAX; -+ loff_t bytes, max_bytes, max_blks; - int error; - const loff_t pos = offset; - const loff_t count = len; -@@ -858,7 +858,8 @@ static long __gfs2_fallocate(struct file - return error; - /* ap.allowed tells us how many blocks quota will allow - * us to write. Check if this reduces max_blks */ -- if (ap.allowed && ap.allowed < max_blks) -+ max_blks = UINT_MAX; -+ if (ap.allowed) - max_blks = ap.allowed; - - error = gfs2_inplace_reserve(ip, &ap); ---- a/fs/gfs2/quota.h -+++ b/fs/gfs2/quota.h -@@ -43,6 +43,8 @@ static inline int gfs2_quota_lock_check( - { - struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); - int ret; -+ -+ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */ - if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) - return 0; - ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE); diff --git a/queue-4.4/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch b/queue-4.4/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch deleted file mode 100644 index 6ae17014732..00000000000 --- a/queue-4.4/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch +++ /dev/null @@ -1,56 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Claudiu Manoil -Date: Tue, 27 Feb 2018 17:33:10 +0200 -Subject: gianfar: Fix Rx byte accounting for ndev stats - -From: Claudiu Manoil - -[ Upstream commit 590399ddf9561f2ed0839311c8ae1be21597ba68 ] - -Don't include in the Rx bytecount of the packet sent up the stack: -the FCB (frame control block), and the padding bytes inserted by -the controller into the frame payload, nor the FCS. All these are -being pulled out of the skb by gfar_process_frame(). -This issue is old, likely from the driver's beginnings, however -it was amplified by recent: -commit d903ec77118c ("gianfar: simplify FCS handling and fix memory leak") -which basically added the FCS to the Rx bytecount, and so brought -this to my attention. - -Signed-off-by: Claudiu Manoil -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/freescale/gianfar.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/drivers/net/ethernet/freescale/gianfar.c -+++ b/drivers/net/ethernet/freescale/gianfar.c -@@ -3053,9 +3053,6 @@ static void gfar_process_frame(struct ne - if (ndev->features & NETIF_F_RXCSUM) - gfar_rx_checksum(skb, fcb); - -- /* Tell the skb what kind of packet this is */ -- skb->protocol = eth_type_trans(skb, ndev); -- - /* There's need to check for NETIF_F_HW_VLAN_CTAG_RX here. - * Even if vlan rx accel is disabled, on some chips - * RXFCB_VLN is pseudo randomly set. -@@ -3126,13 +3123,15 @@ int gfar_clean_rx_ring(struct gfar_priv_ - continue; - } - -+ gfar_process_frame(ndev, skb); -+ - /* Increment the number of packets */ - total_pkts++; - total_bytes += skb->len; - - skb_record_rx_queue(skb, rx_queue->qindex); - -- gfar_process_frame(ndev, skb); -+ skb->protocol = eth_type_trans(skb, ndev); - - /* Send the packet up the stack */ - napi_gro_receive(&rx_queue->grp->napi_rx, skb); diff --git a/queue-4.4/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch b/queue-4.4/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch deleted file mode 100644 index 01a4ec7650b..00000000000 --- a/queue-4.4/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dan Carpenter -Date: Wed, 10 Jan 2018 12:39:03 +0300 -Subject: HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() - -From: Dan Carpenter - -[ Upstream commit 7ad81482cad67cbe1ec808490d1ddfc420c42008 ] - -We get the "new_profile_index" value from the mouse device when we're -handling raw events. Smatch taints it as untrusted data and complains -that we need a bounds check. This seems like a reasonable warning -otherwise there is a small read beyond the end of the array. - -Fixes: 0e70f97f257e ("HID: roccat: Add support for Kova[+] mouse") -Signed-off-by: Dan Carpenter -Acked-by: Silvan Jegen -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hid/hid-roccat-kovaplus.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/hid/hid-roccat-kovaplus.c -+++ b/drivers/hid/hid-roccat-kovaplus.c -@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(u - static void kovaplus_profile_activated(struct kovaplus_device *kovaplus, - uint new_profile_index) - { -+ if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings)) -+ return; - kovaplus->actual_profile = new_profile_index; - kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level; - kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x; diff --git a/queue-4.4/hwmon-nct6775-fix-writing-pwmx_mode.patch b/queue-4.4/hwmon-nct6775-fix-writing-pwmx_mode.patch deleted file mode 100644 index 83f57eca9ca..00000000000 --- a/queue-4.4/hwmon-nct6775-fix-writing-pwmx_mode.patch +++ /dev/null @@ -1,63 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Guenter Roeck -Date: Mon, 26 Mar 2018 19:50:31 -0700 -Subject: hwmon: (nct6775) Fix writing pwmX_mode - -From: Guenter Roeck - -[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ] - -pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip -register bit is set to 1 for DC mode. This got mixed up, and writing -1 into pwmX_mode resulted in DC mode enabled. Fix it up by using -the ABI definition throughout the driver for consistency. - -Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ") -Signed-off-by: Guenter Roeck -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hwmon/nct6775.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/drivers/hwmon/nct6775.c -+++ b/drivers/hwmon/nct6775.c -@@ -1390,7 +1390,7 @@ static void nct6775_update_pwm(struct de - duty_is_dc = data->REG_PWM_MODE[i] && - (nct6775_read_value(data, data->REG_PWM_MODE[i]) - & data->PWM_MODE_MASK[i]); -- data->pwm_mode[i] = duty_is_dc; -+ data->pwm_mode[i] = !duty_is_dc; - - fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]); - for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) { -@@ -2267,7 +2267,7 @@ show_pwm_mode(struct device *dev, struct - struct nct6775_data *data = nct6775_update_device(dev); - struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr); - -- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]); -+ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]); - } - - static ssize_t -@@ -2288,9 +2288,9 @@ store_pwm_mode(struct device *dev, struc - if (val > 1) - return -EINVAL; - -- /* Setting DC mode is not supported for all chips/channels */ -+ /* Setting DC mode (0) is not supported for all chips/channels */ - if (data->REG_PWM_MODE[nr] == 0) { -- if (val) -+ if (!val) - return -EINVAL; - return count; - } -@@ -2299,7 +2299,7 @@ store_pwm_mode(struct device *dev, struc - data->pwm_mode[nr] = val; - reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]); - reg &= ~data->PWM_MODE_MASK[nr]; -- if (val) -+ if (!val) - reg |= data->PWM_MODE_MASK[nr]; - nct6775_write_value(data, data->REG_PWM_MODE[nr], reg); - mutex_unlock(&data->update_lock); diff --git a/queue-4.4/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch b/queue-4.4/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch deleted file mode 100644 index 826c56aaa37..00000000000 --- a/queue-4.4/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Guenter Roeck -Date: Sat, 10 Mar 2018 17:55:47 -0800 -Subject: hwmon: (pmbus/adm1275) Accept negative page register values - -From: Guenter Roeck - -[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ] - -A negative page register value means that no page needs to be -selected. This is used by status register read operations and needs -to be accepted. The failure to do so so results in missed status -and limit registers. - -Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") -Signed-off-by: Guenter Roeck -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hwmon/pmbus/adm1275.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/hwmon/pmbus/adm1275.c -+++ b/drivers/hwmon/pmbus/adm1275.c -@@ -141,7 +141,7 @@ static int adm1275_read_word_data(struct - const struct adm1275_data *data = to_adm1275_data(info); - int ret = 0; - -- if (page) -+ if (page > 0) - return -ENXIO; - - switch (reg) { -@@ -218,7 +218,7 @@ static int adm1275_write_word_data(struc - const struct adm1275_data *data = to_adm1275_data(info); - int ret; - -- if (page) -+ if (page > 0) - return -ENXIO; - - switch (reg) { diff --git a/queue-4.4/hwmon-pmbus-max8688-accept-negative-page-register-values.patch b/queue-4.4/hwmon-pmbus-max8688-accept-negative-page-register-values.patch deleted file mode 100644 index 6944dd2d08f..00000000000 --- a/queue-4.4/hwmon-pmbus-max8688-accept-negative-page-register-values.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Guenter Roeck -Date: Sat, 10 Mar 2018 17:49:47 -0800 -Subject: hwmon: (pmbus/max8688) Accept negative page register values - -From: Guenter Roeck - -[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ] - -A negative page register value means that no page needs to be -selected. This is used by status register evaluations and needs -to be accepted. - -Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") -Signed-off-by: Guenter Roeck -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hwmon/pmbus/max8688.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/hwmon/pmbus/max8688.c -+++ b/drivers/hwmon/pmbus/max8688.c -@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct - { - int ret; - -- if (page) -+ if (page > 0) - return -ENXIO; - - switch (reg) { diff --git a/queue-4.4/hwrng-stm32-add-reset-during-probe.patch b/queue-4.4/hwrng-stm32-add-reset-during-probe.patch deleted file mode 100644 index 1b9580dc7e7..00000000000 --- a/queue-4.4/hwrng-stm32-add-reset-during-probe.patch +++ /dev/null @@ -1,52 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "lionel.debieve@st.com" -Date: Thu, 15 Feb 2018 14:03:08 +0100 -Subject: hwrng: stm32 - add reset during probe - -From: "lionel.debieve@st.com" - -[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ] - -Avoid issue when probing the RNG without -reset if bad status has been detected previously - -Signed-off-by: Lionel Debieve -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/hw_random/stm32-rng.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/drivers/char/hw_random/stm32-rng.c -+++ b/drivers/char/hw_random/stm32-rng.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - #include - - #define RNG_CR 0x00 -@@ -46,6 +47,7 @@ struct stm32_rng_private { - struct hwrng rng; - void __iomem *base; - struct clk *clk; -+ struct reset_control *rst; - }; - - static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) -@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo - if (IS_ERR(priv->clk)) - return PTR_ERR(priv->clk); - -+ priv->rst = devm_reset_control_get(&ofdev->dev, NULL); -+ if (!IS_ERR(priv->rst)) { -+ reset_control_assert(priv->rst); -+ udelay(2); -+ reset_control_deassert(priv->rst); -+ } -+ - dev_set_drvdata(dev, priv); - - priv->rng.name = dev_driver_string(dev), diff --git a/queue-4.4/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch b/queue-4.4/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch deleted file mode 100644 index c64181dd6fc..00000000000 --- a/queue-4.4/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch +++ /dev/null @@ -1,47 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Gregory CLEMENT -Date: Wed, 14 Mar 2018 18:03:40 +0100 -Subject: i2c: mv64xxx: Apply errata delay only in standard mode - -From: Gregory CLEMENT - -[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ] - -The errata FE-8471889 description has been updated. There is still a -timing violation for repeated start. But the errata now states that it -was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz) -there is no issue. - -This patch limit the errata fix to the Standard mode. - -It has been tesed successfully on the clearfog (Aramda 388 based board). - -Signed-off-by: Gregory CLEMENT -Signed-off-by: Wolfram Sang -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/i2c/busses/i2c-mv64xxx.c -+++ b/drivers/i2c/busses/i2c-mv64xxx.c -@@ -856,12 +856,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat - */ - if (of_device_is_compatible(np, "marvell,mv78230-i2c")) { - drv_data->offload_enabled = true; -- drv_data->errata_delay = true; -+ /* The delay is only needed in standard mode (100kHz) */ -+ if (bus_freq <= 100000) -+ drv_data->errata_delay = true; - } - - if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) { - drv_data->offload_enabled = false; -- drv_data->errata_delay = true; -+ /* The delay is only needed in standard mode (100kHz) */ -+ if (bus_freq <= 100000) -+ drv_data->errata_delay = true; - } - - if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c")) diff --git a/queue-4.4/ib-ipoib-fix-for-potential-no-carrier-state.patch b/queue-4.4/ib-ipoib-fix-for-potential-no-carrier-state.patch deleted file mode 100644 index a3509298c83..00000000000 --- a/queue-4.4/ib-ipoib-fix-for-potential-no-carrier-state.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Alex Estrin -Date: Thu, 1 Feb 2018 10:55:41 -0800 -Subject: IB/ipoib: Fix for potential no-carrier state - -From: Alex Estrin - -[ Upstream commit 1029361084d18cc270f64dfd39529fafa10cfe01 ] - -On reboot SM can program port pkey table before ipoib registered its -event handler, which could result in missing pkey event and leave root -interface with initial pkey value from index 0. - -Since OPA port starts with invalid pkey in index 0, root interface will -fail to initialize and stay down with no-carrier flag. - -For IB ipoib interface may end up with pkey different from value -opensm put in pkey table idx 0, resulting in connectivity issues -(different mcast groups, for example). - -Close the window by calling event handler after registration -to make sure ipoib pkey is in sync with port pkey table. - -Reviewed-by: Mike Marciniszyn -Reviewed-by: Ira Weiny -Signed-off-by: Alex Estrin -Signed-off-by: Dennis Dalessandro -Signed-off-by: Jason Gunthorpe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/infiniband/ulp/ipoib/ipoib_main.c -+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c -@@ -1953,6 +1953,9 @@ static struct net_device *ipoib_add_port - goto event_failed; - } - -+ /* call event handler to ensure pkey in sync */ -+ queue_work(ipoib_workqueue, &priv->flush_heavy); -+ - result = register_netdev(priv->dev); - if (result) { - printk(KERN_WARNING "%s: couldn't register ipoib port %d; error %d\n", diff --git a/queue-4.4/ima-fallback-to-the-builtin-hash-algorithm.patch b/queue-4.4/ima-fallback-to-the-builtin-hash-algorithm.patch deleted file mode 100644 index 1ea2ff0ac81..00000000000 --- a/queue-4.4/ima-fallback-to-the-builtin-hash-algorithm.patch +++ /dev/null @@ -1,119 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Petr Vorel -Date: Fri, 23 Mar 2018 14:41:08 +0100 -Subject: ima: Fallback to the builtin hash algorithm - -From: Petr Vorel - -[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ] - -IMA requires having it's hash algorithm be compiled-in due to it's -early use. The default IMA algorithm is protected by Kconfig to be -compiled-in. - -The ima_hash kernel parameter allows to choose the hash algorithm. When -the specified algorithm is not available or available as a module, IMA -initialization fails, which leads to a kernel panic (mknodat syscall calls -ima_post_path_mknod()). Therefore as fallback we force IMA to use -the default builtin Kconfig hash algorithm. - -Fixed crash: - -$ grep CONFIG_CRYPTO_MD4 .config -CONFIG_CRYPTO_MD4=m - -[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4 -... -[ 1.545190] ima: Can not allocate md4 (reason: -2) -... -[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null) -[ 2.611903] IP: ima_match_policy+0x23/0x390 -[ 2.612967] PGD 0 P4D 0 -[ 2.613080] Oops: 0000 [#1] SMP -[ 2.613080] Modules linked in: autofs4 -[ 2.613080] Supported: Yes -[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1 -[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 -[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000 -[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390 -[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296 -[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004 -[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728 -[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000 -[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f -[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000 -[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 -[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0 -[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 2.613080] Call Trace: -[ 2.613080] ? shmem_mknod+0xbf/0xd0 -[ 2.613080] ima_post_path_mknod+0x1c/0x40 -[ 2.613080] SyS_mknod+0x210/0x220 -[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5 -[ 2.613080] RIP: 0033:0x7f5c1bfde570 -[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 -[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570 -[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f -[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000 -[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660 -[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002 -[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20 -[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88 -[ 2.613080] CR2: 0000000000000000 -[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]--- -[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 -[ 2.673052] -[ 2.675337] Kernel Offset: disabled -[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 - -Signed-off-by: Petr Vorel -Signed-off-by: Mimi Zohar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - security/integrity/ima/ima_crypto.c | 2 ++ - security/integrity/ima/ima_main.c | 13 +++++++++++++ - 2 files changed, 15 insertions(+) - ---- a/security/integrity/ima/ima_crypto.c -+++ b/security/integrity/ima/ima_crypto.c -@@ -78,6 +78,8 @@ int __init ima_init_crypto(void) - hash_algo_name[ima_hash_algo], rc); - return rc; - } -+ pr_info("Allocated hash algorithm: %s\n", -+ hash_algo_name[ima_hash_algo]); - return 0; - } - ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -16,6 +16,9 @@ - * implements the IMA hooks: ima_bprm_check, ima_file_mmap, - * and ima_file_check. - */ -+ -+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -+ - #include - #include - #include -@@ -353,6 +356,16 @@ static int __init init_ima(void) - - hash_setup(CONFIG_IMA_DEFAULT_HASH); - error = ima_init(); -+ -+ if (error && strcmp(hash_algo_name[ima_hash_algo], -+ CONFIG_IMA_DEFAULT_HASH) != 0) { -+ pr_info("Allocating %s failed, going to use default hash algorithm %s\n", -+ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); -+ hash_setup_done = 0; -+ hash_setup(CONFIG_IMA_DEFAULT_HASH); -+ error = ima_init(); -+ } -+ - if (!error) { - ima_initialized = 1; - ima_update_policy_flag(); diff --git a/queue-4.4/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch b/queue-4.4/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch deleted file mode 100644 index 258718b5412..00000000000 --- a/queue-4.4/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jiandi An -Date: Tue, 6 Mar 2018 23:26:26 -0600 -Subject: ima: Fix Kconfig to select TPM 2.0 CRB interface - -From: Jiandi An - -[ Upstream commit fac37c628fd5d68fd7298d9b57ae8601ee1b4723 ] - -TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a -module, the TPM chip is registered after IMA init. tpm_pcr_read() in -IMA fails and displays the following message even though eventually -there is a TPM chip on the system. - -ima: No TPM chip found, activating TPM-bypass! (rc=-19) - -Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel -and initializes before IMA. - -Signed-off-by: Jiandi An -Signed-off-by: Mimi Zohar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - security/integrity/ima/Kconfig | 1 + - 1 file changed, 1 insertion(+) - ---- a/security/integrity/ima/Kconfig -+++ b/security/integrity/ima/Kconfig -@@ -10,6 +10,7 @@ config IMA - select CRYPTO_HASH_INFO - select TCG_TPM if HAS_IOMEM && !UML - select TCG_TIS if TCG_TPM && X86 -+ select TCG_CRB if TCG_TPM && ACPI - select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES - help - The Trusted Computing Group(TCG) runtime Integrity diff --git a/queue-4.4/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch b/queue-4.4/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch deleted file mode 100644 index 8138c0f851d..00000000000 --- a/queue-4.4/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Wei Yongjun -Date: Thu, 18 Jan 2018 01:43:19 +0000 -Subject: ipmi/powernv: Fix error return code in ipmi_powernv_probe() - -From: Wei Yongjun - -[ Upstream commit e749d328b0b450aa78d562fa26a0cd8872325dd9 ] - -Fix to return a negative error code from the request_irq() error -handling case instead of 0, as done elsewhere in this function. - -Fixes: dce143c3381c ("ipmi/powernv: Convert to irq event interface") -Signed-off-by: Wei Yongjun -Reviewed-by: Alexey Kardashevskiy -Signed-off-by: Corey Minyard -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/ipmi/ipmi_powernv.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/drivers/char/ipmi/ipmi_powernv.c -+++ b/drivers/char/ipmi/ipmi_powernv.c -@@ -251,8 +251,9 @@ static int ipmi_powernv_probe(struct pla - ipmi->irq = opal_event_request(prop); - } - -- if (request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH, -- "opal-ipmi", ipmi)) { -+ rc = request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH, -+ "opal-ipmi", ipmi); -+ if (rc) { - dev_warn(dev, "Unable to request irq\n"); - goto err_dispose; - } diff --git a/queue-4.4/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch b/queue-4.4/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch deleted file mode 100644 index 743c16acc9b..00000000000 --- a/queue-4.4/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch +++ /dev/null @@ -1,56 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Kamlakant Patel -Date: Tue, 13 Mar 2018 16:32:27 +0530 -Subject: ipmi_ssif: Fix kernel panic at msg_done_handler - -From: Kamlakant Patel - -[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ] - -This happens when BMC doesn't return any data and the code is trying -to print the value of data[2]. - -Getting following crash: -[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002 -[ 484.736496] pgd = ffff0000094a2000 -[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000 -[ 484.748158] Internal error: Oops: 96000005 [#1] SMP -[...] -[ 485.101451] Call trace: -[...] -[ 485.188473] [] msg_done_handler+0x668/0x700 [ipmi_ssif] -[ 485.195249] [] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif] -[ 485.202038] [] kthread+0x108/0x138 -[ 485.206994] [] ret_from_fork+0x10/0x30 -[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3) - -Adding a check to validate the data len before printing data[2] to fix this issue. - -Signed-off-by: Kamlakant Patel -Signed-off-by: Corey Minyard -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/ipmi/ipmi_ssif.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/char/ipmi/ipmi_ssif.c -+++ b/drivers/char/ipmi/ipmi_ssif.c -@@ -757,7 +757,7 @@ static void msg_done_handler(struct ssif - ssif_info->ssif_state = SSIF_NORMAL; - ipmi_ssif_unlock_cond(ssif_info, flags); - pr_warn(PFX "Error getting flags: %d %d, %x\n", -- result, len, data[2]); -+ result, len, (len >= 3) ? data[2] : 0); - } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 - || data[1] != IPMI_GET_MSG_FLAGS_CMD) { - /* -@@ -779,7 +779,7 @@ static void msg_done_handler(struct ssif - if ((result < 0) || (len < 3) || (data[2] != 0)) { - /* Error clearing flags */ - pr_warn(PFX "Error clearing flags: %d %d, %x\n", -- result, len, data[2]); -+ result, len, (len >= 3) ? data[2] : 0); - } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 - || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) { - pr_warn(PFX "Invalid response clearing flags: %x %x\n", diff --git a/queue-4.4/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch b/queue-4.4/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch deleted file mode 100644 index 6acb685a01d..00000000000 --- a/queue-4.4/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch +++ /dev/null @@ -1,221 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Sabrina Dubroca -Date: Wed, 14 Mar 2018 10:21:14 +0100 -Subject: ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu - -From: Sabrina Dubroca - -[ Upstream commit d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 ] - -Prior to the rework of PMTU information storage in commit -2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer."), -when a PMTU event advertising a PMTU smaller than -net.ipv4.route.min_pmtu was received, we would disable setting the DF -flag on packets by locking the MTU metric, and set the PMTU to -net.ipv4.route.min_pmtu. - -Since then, we don't disable DF, and set PMTU to -net.ipv4.route.min_pmtu, so the intermediate router that has this link -with a small MTU will have to drop the packets. - -This patch reestablishes pre-2.6.39 behavior by splitting -rtable->rt_pmtu into a bitfield with rt_mtu_locked and rt_pmtu. -rt_mtu_locked indicates that we shouldn't set the DF bit on that path, -and is checked in ip_dont_fragment(). - -One possible workaround is to set net.ipv4.route.min_pmtu to a value low -enough to accommodate the lowest MTU encountered. - -Fixes: 2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer.") -Signed-off-by: Sabrina Dubroca -Reviewed-by: Stefano Brivio -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/net/ip.h | 11 +++++++++-- - include/net/ip_fib.h | 1 + - include/net/route.h | 3 ++- - net/ipv4/route.c | 26 +++++++++++++++++++------- - net/ipv4/xfrm4_policy.c | 1 + - 5 files changed, 32 insertions(+), 10 deletions(-) - ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -279,6 +279,13 @@ int ip_decrease_ttl(struct iphdr *iph) - return --iph->ttl; - } - -+static inline int ip_mtu_locked(const struct dst_entry *dst) -+{ -+ const struct rtable *rt = (const struct rtable *)dst; -+ -+ return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU); -+} -+ - static inline - int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst) - { -@@ -286,7 +293,7 @@ int ip_dont_fragment(const struct sock * - - return pmtudisc == IP_PMTUDISC_DO || - (pmtudisc == IP_PMTUDISC_WANT && -- !(dst_metric_locked(dst, RTAX_MTU))); -+ !ip_mtu_locked(dst)); - } - - static inline bool ip_sk_accept_pmtu(const struct sock *sk) -@@ -312,7 +319,7 @@ static inline unsigned int ip_dst_mtu_ma - struct net *net = dev_net(dst->dev); - - if (net->ipv4.sysctl_ip_fwd_use_pmtu || -- dst_metric_locked(dst, RTAX_MTU) || -+ ip_mtu_locked(dst) || - !forwarding) - return dst_mtu(dst); - ---- a/include/net/ip_fib.h -+++ b/include/net/ip_fib.h -@@ -56,6 +56,7 @@ struct fib_nh_exception { - int fnhe_genid; - __be32 fnhe_daddr; - u32 fnhe_pmtu; -+ bool fnhe_mtu_locked; - __be32 fnhe_gw; - unsigned long fnhe_expires; - struct rtable __rcu *fnhe_rth_input; ---- a/include/net/route.h -+++ b/include/net/route.h -@@ -64,7 +64,8 @@ struct rtable { - __be32 rt_gateway; - - /* Miscellaneous cached information */ -- u32 rt_pmtu; -+ u32 rt_mtu_locked:1, -+ rt_pmtu:31; - - u32 rt_table_id; - ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -612,6 +612,7 @@ static inline u32 fnhe_hashfun(__be32 da - static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe) - { - rt->rt_pmtu = fnhe->fnhe_pmtu; -+ rt->rt_mtu_locked = fnhe->fnhe_mtu_locked; - rt->dst.expires = fnhe->fnhe_expires; - - if (fnhe->fnhe_gw) { -@@ -622,7 +623,7 @@ static void fill_route_from_fnhe(struct - } - - static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, -- u32 pmtu, unsigned long expires) -+ u32 pmtu, bool lock, unsigned long expires) - { - struct fnhe_hash_bucket *hash; - struct fib_nh_exception *fnhe; -@@ -659,8 +660,10 @@ static void update_or_create_fnhe(struct - fnhe->fnhe_genid = genid; - if (gw) - fnhe->fnhe_gw = gw; -- if (pmtu) -+ if (pmtu) { - fnhe->fnhe_pmtu = pmtu; -+ fnhe->fnhe_mtu_locked = lock; -+ } - fnhe->fnhe_expires = max(1UL, expires); - /* Update all cached dsts too */ - rt = rcu_dereference(fnhe->fnhe_rth_input); -@@ -684,6 +687,7 @@ static void update_or_create_fnhe(struct - fnhe->fnhe_daddr = daddr; - fnhe->fnhe_gw = gw; - fnhe->fnhe_pmtu = pmtu; -+ fnhe->fnhe_mtu_locked = lock; - fnhe->fnhe_expires = expires; - - /* Exception created; mark the cached routes for the nexthop -@@ -765,7 +769,8 @@ static void __ip_do_redirect(struct rtab - struct fib_nh *nh = &FIB_RES_NH(res); - - update_or_create_fnhe(nh, fl4->daddr, new_gw, -- 0, jiffies + ip_rt_gc_timeout); -+ 0, false, -+ jiffies + ip_rt_gc_timeout); - } - if (kill_route) - rt->dst.obsolete = DST_OBSOLETE_KILL; -@@ -977,15 +982,18 @@ static void __ip_rt_update_pmtu(struct r - { - struct dst_entry *dst = &rt->dst; - struct fib_result res; -+ bool lock = false; - -- if (dst_metric_locked(dst, RTAX_MTU)) -+ if (ip_mtu_locked(dst)) - return; - - if (ipv4_mtu(dst) < mtu) - return; - -- if (mtu < ip_rt_min_pmtu) -+ if (mtu < ip_rt_min_pmtu) { -+ lock = true; - mtu = ip_rt_min_pmtu; -+ } - - if (rt->rt_pmtu == mtu && - time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2)) -@@ -995,7 +1003,7 @@ static void __ip_rt_update_pmtu(struct r - if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { - struct fib_nh *nh = &FIB_RES_NH(res); - -- update_or_create_fnhe(nh, fl4->daddr, 0, mtu, -+ update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock, - jiffies + ip_rt_mtu_expires); - } - rcu_read_unlock(); -@@ -1250,7 +1258,7 @@ static unsigned int ipv4_mtu(const struc - - mtu = READ_ONCE(dst->dev->mtu); - -- if (unlikely(dst_metric_locked(dst, RTAX_MTU))) { -+ if (unlikely(ip_mtu_locked(dst))) { - if (rt->rt_uses_gateway && mtu > 576) - mtu = 576; - } -@@ -1473,6 +1481,7 @@ static struct rtable *rt_dst_alloc(struc - rt->rt_is_input = 0; - rt->rt_iif = 0; - rt->rt_pmtu = 0; -+ rt->rt_mtu_locked = 0; - rt->rt_gateway = 0; - rt->rt_uses_gateway = 0; - rt->rt_table_id = 0; -@@ -2393,6 +2402,7 @@ struct dst_entry *ipv4_blackhole_route(s - rt->rt_is_input = ort->rt_is_input; - rt->rt_iif = ort->rt_iif; - rt->rt_pmtu = ort->rt_pmtu; -+ rt->rt_mtu_locked = ort->rt_mtu_locked; - - rt->rt_genid = rt_genid_ipv4(net); - rt->rt_flags = ort->rt_flags; -@@ -2495,6 +2505,8 @@ static int rt_fill_info(struct net *net, - memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics)); - if (rt->rt_pmtu && expires) - metrics[RTAX_MTU - 1] = rt->rt_pmtu; -+ if (rt->rt_mtu_locked && expires) -+ metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU); - if (rtnetlink_put_metrics(skb, metrics) < 0) - goto nla_put_failure; - ---- a/net/ipv4/xfrm4_policy.c -+++ b/net/ipv4/xfrm4_policy.c -@@ -97,6 +97,7 @@ static int xfrm4_fill_dst(struct xfrm_ds - xdst->u.rt.rt_gateway = rt->rt_gateway; - xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway; - xdst->u.rt.rt_pmtu = rt->rt_pmtu; -+ xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked; - xdst->u.rt.rt_table_id = rt->rt_table_id; - INIT_LIST_HEAD(&xdst->u.rt.rt_uncached); - diff --git a/queue-4.4/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch b/queue-4.4/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch deleted file mode 100644 index 44ed198dcd0..00000000000 --- a/queue-4.4/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch +++ /dev/null @@ -1,161 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mark Salter -Date: Fri, 2 Feb 2018 09:20:29 -0500 -Subject: irqchip/gic-v3: Change pr_debug message to pr_devel - -From: Mark Salter - -[ Upstream commit b6dd4d83dc2f78cebc9a7e6e7e4bc2be4d29b94d ] - -The pr_debug() in gic-v3 gic_send_sgi() can trigger a circular locking -warning: - - GICv3: CPU10: ICC_SGI1R_EL1 5000400 - ====================================================== - WARNING: possible circular locking dependency detected - 4.15.0+ #1 Tainted: G W - ------------------------------------------------------ - dynamic_debug01/1873 is trying to acquire lock: - ((console_sem).lock){-...}, at: [<0000000099c891ec>] down_trylock+0x20/0x4c - - but task is already holding lock: - (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc - - which lock already depends on the new lock. - - the existing dependency chain (in reverse order) is: - - -> #2 (&rq->lock){-.-.}: - __lock_acquire+0x3b4/0x6e0 - lock_acquire+0xf4/0x2a8 - _raw_spin_lock+0x4c/0x60 - task_fork_fair+0x3c/0x148 - sched_fork+0x10c/0x214 - copy_process.isra.32.part.33+0x4e8/0x14f0 - _do_fork+0xe8/0x78c - kernel_thread+0x48/0x54 - rest_init+0x34/0x2a4 - start_kernel+0x45c/0x488 - - -> #1 (&p->pi_lock){-.-.}: - __lock_acquire+0x3b4/0x6e0 - lock_acquire+0xf4/0x2a8 - _raw_spin_lock_irqsave+0x58/0x70 - try_to_wake_up+0x48/0x600 - wake_up_process+0x28/0x34 - __up.isra.0+0x60/0x6c - up+0x60/0x68 - __up_console_sem+0x4c/0x7c - console_unlock+0x328/0x634 - vprintk_emit+0x25c/0x390 - dev_vprintk_emit+0xc4/0x1fc - dev_printk_emit+0x88/0xa8 - __dev_printk+0x58/0x9c - _dev_info+0x84/0xa8 - usb_new_device+0x100/0x474 - hub_port_connect+0x280/0x92c - hub_event+0x740/0xa84 - process_one_work+0x240/0x70c - worker_thread+0x60/0x400 - kthread+0x110/0x13c - ret_from_fork+0x10/0x18 - - -> #0 ((console_sem).lock){-...}: - validate_chain.isra.34+0x6e4/0xa20 - __lock_acquire+0x3b4/0x6e0 - lock_acquire+0xf4/0x2a8 - _raw_spin_lock_irqsave+0x58/0x70 - down_trylock+0x20/0x4c - __down_trylock_console_sem+0x3c/0x9c - console_trylock+0x20/0xb0 - vprintk_emit+0x254/0x390 - vprintk_default+0x58/0x90 - vprintk_func+0xbc/0x164 - printk+0x80/0xa0 - __dynamic_pr_debug+0x84/0xac - gic_raise_softirq+0x184/0x18c - smp_cross_call+0xac/0x218 - smp_send_reschedule+0x3c/0x48 - resched_curr+0x60/0x9c - check_preempt_curr+0x70/0xdc - wake_up_new_task+0x310/0x470 - _do_fork+0x188/0x78c - SyS_clone+0x44/0x50 - __sys_trace_return+0x0/0x4 - - other info that might help us debug this: - - Chain exists of: - (console_sem).lock --> &p->pi_lock --> &rq->lock - - Possible unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(&rq->lock); - lock(&p->pi_lock); - lock(&rq->lock); - lock((console_sem).lock); - - *** DEADLOCK *** - - 2 locks held by dynamic_debug01/1873: - #0: (&p->pi_lock){-.-.}, at: [<000000001366df53>] wake_up_new_task+0x40/0x470 - #1: (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc - - stack backtrace: - CPU: 10 PID: 1873 Comm: dynamic_debug01 Tainted: G W 4.15.0+ #1 - Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS T48 10/02/2017 - Call trace: - dump_backtrace+0x0/0x188 - show_stack+0x24/0x2c - dump_stack+0xa4/0xe0 - print_circular_bug.isra.31+0x29c/0x2b8 - check_prev_add.constprop.39+0x6c8/0x6dc - validate_chain.isra.34+0x6e4/0xa20 - __lock_acquire+0x3b4/0x6e0 - lock_acquire+0xf4/0x2a8 - _raw_spin_lock_irqsave+0x58/0x70 - down_trylock+0x20/0x4c - __down_trylock_console_sem+0x3c/0x9c - console_trylock+0x20/0xb0 - vprintk_emit+0x254/0x390 - vprintk_default+0x58/0x90 - vprintk_func+0xbc/0x164 - printk+0x80/0xa0 - __dynamic_pr_debug+0x84/0xac - gic_raise_softirq+0x184/0x18c - smp_cross_call+0xac/0x218 - smp_send_reschedule+0x3c/0x48 - resched_curr+0x60/0x9c - check_preempt_curr+0x70/0xdc - wake_up_new_task+0x310/0x470 - _do_fork+0x188/0x78c - SyS_clone+0x44/0x50 - __sys_trace_return+0x0/0x4 - GICv3: CPU0: ICC_SGI1R_EL1 12000 - -This could be fixed with printk_deferred() but that might lessen its -usefulness for debugging. So change it to pr_devel to keep it out of -production kernels. Developers working on gic-v3 can enable it as -needed in their kernels. - -Signed-off-by: Mark Salter -Signed-off-by: Marc Zyngier -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/irqchip/irq-gic-v3.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/irqchip/irq-gic-v3.c -+++ b/drivers/irqchip/irq-gic-v3.c -@@ -589,7 +589,7 @@ static void gic_send_sgi(u64 cluster_id, - MPIDR_TO_SGI_AFFINITY(cluster_id, 1) | - tlist << ICC_SGI1R_TARGET_LIST_SHIFT); - -- pr_debug("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); -+ pr_devel("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); - gic_write_sgi1r(val); - } - diff --git a/queue-4.4/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch b/queue-4.4/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch deleted file mode 100644 index 3cd25bc64b2..00000000000 --- a/queue-4.4/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch +++ /dev/null @@ -1,85 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jake Daryll Obina -Date: Fri, 22 Sep 2017 00:00:14 +0800 -Subject: jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path - -From: Jake Daryll Obina - -[ Upstream commit 5bdd0c6f89fba430e18d636493398389dadc3b17 ] - -If jffs2_iget() fails for a newly-allocated inode, jffs2_do_clear_inode() -can get called twice in the error handling path, the first call in -jffs2_iget() itself and the second through iget_failed(). This can result -to a use-after-free error in the second jffs2_do_clear_inode() call, such -as shown by the oops below wherein the second jffs2_do_clear_inode() call -was trying to free node fragments that were already freed in the first -jffs2_do_clear_inode() call. - -[ 78.178860] jffs2: error: (1904) jffs2_do_read_inode_internal: CRC failed for read_inode of inode 24 at physical location 0x1fc00c -[ 78.178914] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b7b -[ 78.185871] pgd = ffffffc03a567000 -[ 78.188794] [6b6b6b6b6b6b6b7b] *pgd=0000000000000000, *pud=0000000000000000 -[ 78.194968] Internal error: Oops: 96000004 [#1] PREEMPT SMP -... -[ 78.513147] PC is at rb_first_postorder+0xc/0x28 -[ 78.516503] LR is at jffs2_kill_fragtree+0x28/0x90 [jffs2] -[ 78.520672] pc : [] lr : [] pstate: 60000105 -[ 78.526757] sp : ffffff800cea38f0 -[ 78.528753] x29: ffffff800cea38f0 x28: ffffffc01f3f8e80 -[ 78.532754] x27: 0000000000000000 x26: ffffff800cea3c70 -[ 78.536756] x25: 00000000dc67c8ae x24: ffffffc033d6945d -[ 78.540759] x23: ffffffc036811740 x22: ffffff800891a5b8 -[ 78.544760] x21: 0000000000000000 x20: 0000000000000000 -[ 78.548762] x19: ffffffc037d48910 x18: ffffff800891a588 -[ 78.552764] x17: 0000000000000800 x16: 0000000000000c00 -[ 78.556766] x15: 0000000000000010 x14: 6f2065646f6e695f -[ 78.560767] x13: 6461657220726f66 x12: 2064656c69616620 -[ 78.564769] x11: 435243203a6c616e x10: 7265746e695f6564 -[ 78.568771] x9 : 6f6e695f64616572 x8 : ffffffc037974038 -[ 78.572774] x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008 -[ 78.576775] x5 : 002f91d85bd44a2f x4 : 0000000000000000 -[ 78.580777] x3 : 0000000000000000 x2 : 000000403755e000 -[ 78.584779] x1 : 6b6b6b6b6b6b6b6b x0 : 6b6b6b6b6b6b6b6b -... -[ 79.038551] [] rb_first_postorder+0xc/0x28 -[ 79.042962] [] jffs2_do_clear_inode+0x88/0x100 [jffs2] -[ 79.048395] [] jffs2_evict_inode+0x3c/0x48 [jffs2] -[ 79.053443] [] evict+0xb0/0x168 -[ 79.056835] [] iput+0x1c0/0x200 -[ 79.060228] [] iget_failed+0x30/0x3c -[ 79.064097] [] jffs2_iget+0x2d8/0x360 [jffs2] -[ 79.068740] [] jffs2_lookup+0xe8/0x130 [jffs2] -[ 79.073434] [] lookup_slow+0x118/0x190 -[ 79.077435] [] walk_component+0xfc/0x28c -[ 79.081610] [] path_lookupat+0x84/0x108 -[ 79.085699] [] filename_lookup+0x88/0x100 -[ 79.089960] [] user_path_at_empty+0x58/0x6c -[ 79.094396] [] vfs_statx+0xa4/0x114 -[ 79.098138] [] SyS_newfstatat+0x58/0x98 -[ 79.102227] [] __sys_trace_return+0x0/0x4 -[ 79.106489] Code: d65f03c0 f9400001 b40000e1 aa0103e0 (f9400821) - -The jffs2_do_clear_inode() call in jffs2_iget() is unnecessary since -iget_failed() will eventually call jffs2_do_clear_inode() if needed, so -just remove it. - -Fixes: 5451f79f5f81 ("iget: stop JFFS2 from using iget() and read_inode()") -Reviewed-by: Richard Weinberger -Signed-off-by: Jake Daryll Obina -Signed-off-by: Al Viro -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/jffs2/fs.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/fs/jffs2/fs.c -+++ b/fs/jffs2/fs.c -@@ -361,7 +361,6 @@ error_io: - ret = -EIO; - error: - mutex_unlock(&f->sem); -- jffs2_do_clear_inode(c, f); - iget_failed(inode); - return ERR_PTR(ret); - } diff --git a/queue-4.4/kconfig-don-t-leak-main-menus-during-parsing.patch b/queue-4.4/kconfig-don-t-leak-main-menus-during-parsing.patch deleted file mode 100644 index 424b0cd873b..00000000000 --- a/queue-4.4/kconfig-don-t-leak-main-menus-during-parsing.patch +++ /dev/null @@ -1,115 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ulf Magnusson -Date: Sun, 8 Oct 2017 19:11:21 +0200 -Subject: kconfig: Don't leak main menus during parsing - -From: Ulf Magnusson - -[ Upstream commit 0724a7c32a54e3e50d28e19e30c59014f61d4e2c ] - -If a 'mainmenu' entry appeared in the Kconfig files, two things would -leak: - - - The 'struct property' allocated for the default "Linux Kernel - Configuration" prompt. - - - The string for the T_WORD/T_WORD_QUOTE prompt after the - T_MAINMENU token, allocated on the heap in zconf.l. - -To fix it, introduce a new 'no_mainmenu_stmt' nonterminal that matches -if there's no 'mainmenu' and adds the default prompt. That means the -prompt only gets allocated once regardless of whether there's a -'mainmenu' statement or not, and managing it becomes simple. - -Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: - - LEAK SUMMARY: - definitely lost: 344,568 bytes in 14,352 blocks - ... - -Summary after the fix: - - LEAK SUMMARY: - definitely lost: 344,440 bytes in 14,350 blocks - ... - -Signed-off-by: Ulf Magnusson -Signed-off-by: Masahiro Yamada -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - scripts/kconfig/zconf.y | 33 ++++++++++++++++++++++++--------- - 1 file changed, 24 insertions(+), 9 deletions(-) - ---- a/scripts/kconfig/zconf.y -+++ b/scripts/kconfig/zconf.y -@@ -107,7 +107,27 @@ static struct menu *current_menu, *curre - %% - input: nl start | start; - --start: mainmenu_stmt stmt_list | stmt_list; -+start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list; -+ -+/* mainmenu entry */ -+ -+mainmenu_stmt: T_MAINMENU prompt nl -+{ -+ menu_add_prompt(P_MENU, $2, NULL); -+}; -+ -+/* Default main menu, if there's no mainmenu entry */ -+ -+no_mainmenu_stmt: /* empty */ -+{ -+ /* -+ * Hack: Keep the main menu title on the heap so we can safely free it -+ * later regardless of whether it comes from the 'prompt' in -+ * mainmenu_stmt or here -+ */ -+ menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL); -+}; -+ - - stmt_list: - /* empty */ -@@ -344,13 +364,6 @@ if_block: - | if_block choice_stmt - ; - --/* mainmenu entry */ -- --mainmenu_stmt: T_MAINMENU prompt nl --{ -- menu_add_prompt(P_MENU, $2, NULL); --}; -- - /* menu entry */ - - menu: T_MENU prompt T_EOL -@@ -495,6 +508,7 @@ word_opt: /* empty */ { $$ = NULL; } - - void conf_parse(const char *name) - { -+ const char *tmp; - struct symbol *sym; - int i; - -@@ -502,7 +516,6 @@ void conf_parse(const char *name) - - sym_init(); - _menu_init(); -- rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL); - - if (getenv("ZCONF_DEBUG")) - zconfdebug = 1; -@@ -512,8 +525,10 @@ void conf_parse(const char *name) - if (!modules_sym) - modules_sym = sym_find( "n" ); - -+ tmp = rootmenu.prompt->text; - rootmenu.prompt->text = _(rootmenu.prompt->text); - rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text); -+ free((char*)tmp); - - menu_finalize(&rootmenu); - for_all_symbols(i, sym) { diff --git a/queue-4.4/kconfig-fix-automatic-menu-creation-mem-leak.patch b/queue-4.4/kconfig-fix-automatic-menu-creation-mem-leak.patch deleted file mode 100644 index 9b9ccfb4296..00000000000 --- a/queue-4.4/kconfig-fix-automatic-menu-creation-mem-leak.patch +++ /dev/null @@ -1,58 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ulf Magnusson -Date: Sun, 8 Oct 2017 19:35:44 +0200 -Subject: kconfig: Fix automatic menu creation mem leak - -From: Ulf Magnusson - -[ Upstream commit ae7440ef0c8013d68c00dad6900e7cce5311bb1c ] - -expr_trans_compare() always allocates and returns a new expression, -giving the following leak outline: - - ... - *Allocate* - basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no); - ... - for (menu = parent->next; menu; menu = menu->next) { - ... - *Copy* - dep2 = expr_copy(basedep); - ... - *Free copy* - expr_free(dep2); - } - *basedep lost!* - -Fix by freeing 'basedep' after the loop. - -Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: - - LEAK SUMMARY: - definitely lost: 344,376 bytes in 14,349 blocks - ... - -Summary after the fix: - - LEAK SUMMARY: - definitely lost: 44,448 bytes in 1,852 blocks - ... - -Signed-off-by: Ulf Magnusson -Signed-off-by: Masahiro Yamada -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - scripts/kconfig/menu.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/scripts/kconfig/menu.c -+++ b/scripts/kconfig/menu.c -@@ -364,6 +364,7 @@ void menu_finalize(struct menu *parent) - menu->parent = parent; - last_menu = menu; - } -+ expr_free(basedep); - if (last_menu) { - parent->list = parent->next; - parent->next = last_menu->next; diff --git a/queue-4.4/kconfig-fix-expr_free-e_not-leak.patch b/queue-4.4/kconfig-fix-expr_free-e_not-leak.patch deleted file mode 100644 index 68445cf4ede..00000000000 --- a/queue-4.4/kconfig-fix-expr_free-e_not-leak.patch +++ /dev/null @@ -1,55 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ulf Magnusson -Date: Sun, 8 Oct 2017 19:35:45 +0200 -Subject: kconfig: Fix expr_free() E_NOT leak - -From: Ulf Magnusson - -[ Upstream commit 5b1374b3b3c2fc4f63a398adfa446fb8eff791a4 ] - -Only the E_NOT operand and not the E_NOT node itself was freed, due to -accidentally returning too early in expr_free(). Outline of leak: - - switch (e->type) { - ... - case E_NOT: - expr_free(e->left.expr); - return; - ... - } - *Never reached, 'e' leaked* - free(e); - -Fix by changing the 'return' to a 'break'. - -Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: - - LEAK SUMMARY: - definitely lost: 44,448 bytes in 1,852 blocks - ... - -Summary after the fix: - - LEAK SUMMARY: - definitely lost: 1,608 bytes in 67 blocks - ... - -Signed-off-by: Ulf Magnusson -Signed-off-by: Masahiro Yamada -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - scripts/kconfig/expr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/scripts/kconfig/expr.c -+++ b/scripts/kconfig/expr.c -@@ -113,7 +113,7 @@ void expr_free(struct expr *e) - break; - case E_NOT: - expr_free(e->left.expr); -- return; -+ break; - case E_EQUAL: - case E_GEQ: - case E_GTH: diff --git a/queue-4.4/kdb-make-mdr-command-repeat.patch b/queue-4.4/kdb-make-mdr-command-repeat.patch deleted file mode 100644 index 21ec480f0ec..00000000000 --- a/queue-4.4/kdb-make-mdr-command-repeat.patch +++ /dev/null @@ -1,88 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Randy Dunlap -Date: Fri, 8 Dec 2017 10:19:19 -0800 -Subject: kdb: make "mdr" command repeat - -From: Randy Dunlap - -[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ] - -The "mdr" command should repeat (continue) when only Enter/Return -is pressed, so make it do so. - -Signed-off-by: Randy Dunlap -Cc: Daniel Thompson -Cc: Jason Wessel -Cc: kgdb-bugreport@lists.sourceforge.net -Signed-off-by: Jason Wessel -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------ - 1 file changed, 21 insertions(+), 6 deletions(-) - ---- a/kernel/debug/kdb/kdb_main.c -+++ b/kernel/debug/kdb/kdb_main.c -@@ -1564,6 +1564,7 @@ static int kdb_md(int argc, const char * - int symbolic = 0; - int valid = 0; - int phys = 0; -+ int raw = 0; - - kdbgetintenv("MDCOUNT", &mdcount); - kdbgetintenv("RADIX", &radix); -@@ -1573,9 +1574,10 @@ static int kdb_md(int argc, const char * - repeat = mdcount * 16 / bytesperword; - - if (strcmp(argv[0], "mdr") == 0) { -- if (argc != 2) -+ if (argc == 2 || (argc == 0 && last_addr != 0)) -+ valid = raw = 1; -+ else - return KDB_ARGCOUNT; -- valid = 1; - } else if (isdigit(argv[0][2])) { - bytesperword = (int)(argv[0][2] - '0'); - if (bytesperword == 0) { -@@ -1611,7 +1613,10 @@ static int kdb_md(int argc, const char * - radix = last_radix; - bytesperword = last_bytesperword; - repeat = last_repeat; -- mdcount = ((repeat * bytesperword) + 15) / 16; -+ if (raw) -+ mdcount = repeat; -+ else -+ mdcount = ((repeat * bytesperword) + 15) / 16; - } - - if (argc) { -@@ -1628,7 +1633,10 @@ static int kdb_md(int argc, const char * - diag = kdbgetularg(argv[nextarg], &val); - if (!diag) { - mdcount = (int) val; -- repeat = mdcount * 16 / bytesperword; -+ if (raw) -+ repeat = mdcount; -+ else -+ repeat = mdcount * 16 / bytesperword; - } - } - if (argc >= nextarg+1) { -@@ -1638,8 +1646,15 @@ static int kdb_md(int argc, const char * - } - } - -- if (strcmp(argv[0], "mdr") == 0) -- return kdb_mdr(addr, mdcount); -+ if (strcmp(argv[0], "mdr") == 0) { -+ int ret; -+ last_addr = addr; -+ ret = kdb_mdr(addr, mdcount); -+ last_addr += mdcount; -+ last_repeat = mdcount; -+ last_bytesperword = bytesperword; // to make REPEAT happy -+ return ret; -+ } - - switch (radix) { - case 10: diff --git a/queue-4.4/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch b/queue-4.4/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch deleted file mode 100644 index e97f339e8f8..00000000000 --- a/queue-4.4/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch +++ /dev/null @@ -1,44 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: David Rientjes -Date: Wed, 21 Feb 2018 14:45:32 -0800 -Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE - -From: David Rientjes - -[ Upstream commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e ] - -chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc() -of chan->n_subbufs * sizeof(size_t *). - -kmalloc_slab() will generate a warning when this fails if -chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE. - -Limit chan->n_subbufs to the maximum allowed kmalloc() size. - -Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com -Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()") -Signed-off-by: David Rientjes -Reviewed-by: Andrew Morton -Cc: Jens Axboe -Cc: Dave Jiang -Cc: Al Viro -Cc: Dan Carpenter -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/relay.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/kernel/relay.c -+++ b/kernel/relay.c -@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu - { - struct rchan_buf *buf; - -- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) -+ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) - return NULL; - - buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); diff --git a/queue-4.4/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch b/queue-4.4/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch deleted file mode 100644 index fc476811ff4..00000000000 --- a/queue-4.4/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch +++ /dev/null @@ -1,49 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Vitaly Kuznetsov -Date: Fri, 9 Feb 2018 14:01:33 +0100 -Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use - -From: Vitaly Kuznetsov - -[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ] - -Devices which use level-triggered interrupts under Windows 2016 with -Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV -unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC -version which has no EOI register so EOI never happens. - -The issue was discovered and discussed a while ago: -https://www.spinics.net/lists/kvm/msg148098.html - -While this is a guest OS bug (it should check that IOAPIC has the required -capabilities before disabling EOI broadcast) we can workaround it in KVM: -advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. - -Signed-off-by: Vitaly Kuznetsov -Signed-off-by: Radim Krčmář -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/lapic.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - ---- a/arch/x86/kvm/lapic.c -+++ b/arch/x86/kvm/lapic.c -@@ -288,8 +288,16 @@ void kvm_apic_set_version(struct kvm_vcp - if (!kvm_vcpu_has_lapic(vcpu)) - return; - -+ /* -+ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) -+ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with -+ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC -+ * version first and level-triggered interrupts never get EOIed in -+ * IOAPIC. -+ */ - feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); -- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31)))) -+ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && -+ !ioapic_in_kernel(vcpu->kvm)) - v |= APIC_LVR_DIRECTED_EOI; - apic_set_reg(apic, APIC_LVR, v); - } diff --git a/queue-4.4/kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch b/queue-4.4/kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch deleted file mode 100644 index 2d2c4e03cc2..00000000000 --- a/queue-4.4/kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch +++ /dev/null @@ -1,54 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Paul Mackerras -Date: Fri, 2 Mar 2018 15:38:04 +1100 -Subject: KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing - -From: Paul Mackerras - -[ Upstream commit debd574f4195e205ba505b25e19b2b797f4bcd94 ] - -The current code for initializing the VRMA (virtual real memory area) -for HPT guests requires the page size of the backing memory to be one -of 4kB, 64kB or 16MB. With a radix host we have the possibility that -the backing memory page size can be 2MB or 1GB. In these cases, if the -guest switches to HPT mode, KVM will not initialize the VRMA and the -guest will fail to run. - -In fact it is not necessary that the VRMA page size is the same as the -backing memory page size; any VRMA page size less than or equal to the -backing memory page size is acceptable. Therefore we now choose the -largest page size out of the set {4k, 64k, 16M} which is not larger -than the backing memory page size. - -Signed-off-by: Paul Mackerras -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/kvm/book3s_hv.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/arch/powerpc/kvm/book3s_hv.c -+++ b/arch/powerpc/kvm/book3s_hv.c -@@ -3002,15 +3002,17 @@ static int kvmppc_hv_setup_htab_rma(stru - goto up_out; - - psize = vma_kernel_pagesize(vma); -- porder = __ilog2(psize); - - up_read(¤t->mm->mmap_sem); - - /* We can handle 4k, 64k or 16M pages in the VRMA */ -- err = -EINVAL; -- if (!(psize == 0x1000 || psize == 0x10000 || -- psize == 0x1000000)) -- goto out_srcu; -+ if (psize >= 0x1000000) -+ psize = 0x1000000; -+ else if (psize >= 0x10000) -+ psize = 0x10000; -+ else -+ psize = 0x1000; -+ porder = __ilog2(psize); - - /* Update VRMASD field in the LPCR */ - senc = slb_pgsize_encoding(psize); diff --git a/queue-4.4/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch b/queue-4.4/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch deleted file mode 100644 index dd15b885537..00000000000 --- a/queue-4.4/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch +++ /dev/null @@ -1,83 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Sean Christopherson -Date: Fri, 23 Mar 2018 09:34:00 -0700 -Subject: KVM: VMX: raise internal error for exception during invalid protected mode state - -From: Sean Christopherson - -[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ] - -Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter -an exception in Protected Mode while emulating guest due to invalid -guest state. Unlike Big RM, KVM doesn't support emulating exceptions -in PM, i.e. PM exceptions are always injected via the VMCS. Because -we will never do VMRESUME due to emulation_required, the exception is -never realized and we'll keep emulating the faulting instruction over -and over until we receive a signal. - -Exit to userspace iff there is a pending exception, i.e. don't exit -simply on a requested event. The purpose of this check and exit is to -aid in debugging a guest that is in all likelihood already doomed. -Invalid guest state in PM is extremely limited in normal operation, -e.g. it generally only occurs for a few instructions early in BIOS, -and any exception at this time is all but guaranteed to be fatal. -Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly -handled/emulated, while checking for vectored interrupts, e.g. INTR -and NMI, without hitting false positives would add a fair amount of -complexity for almost no benefit (getting hit by lightning seems -more likely than encountering this specific scenario). - -Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an -exception via the VMCS and emulation_required is true. - -Signed-off-by: Sean Christopherson -Signed-off-by: Radim Krčmář -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/vmx.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -2319,6 +2319,8 @@ static void vmx_queue_exception(struct k - return; - } - -+ WARN_ON_ONCE(vmx->emulation_required); -+ - if (kvm_exception_is_soft(nr)) { - vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, - vmx->vcpu.arch.event_exit_inst_len); -@@ -6037,12 +6039,12 @@ static int handle_invalid_guest_state(st - goto out; - } - -- if (err != EMULATE_DONE) { -- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; -- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; -- vcpu->run->internal.ndata = 0; -- return 0; -- } -+ if (err != EMULATE_DONE) -+ goto emulation_error; -+ -+ if (vmx->emulation_required && !vmx->rmode.vm86_active && -+ vcpu->arch.exception.pending) -+ goto emulation_error; - - if (vcpu->arch.halt_request) { - vcpu->arch.halt_request = 0; -@@ -6058,6 +6060,12 @@ static int handle_invalid_guest_state(st - - out: - return ret; -+ -+emulation_error: -+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; -+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; -+ vcpu->run->internal.ndata = 0; -+ return 0; - } - - static int __grow_ple_window(int val) diff --git a/queue-4.4/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch b/queue-4.4/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch deleted file mode 100644 index 856f3f18483..00000000000 --- a/queue-4.4/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch +++ /dev/null @@ -1,51 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Paolo Bonzini -Date: Thu, 26 Oct 2017 15:45:47 +0200 -Subject: kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl - -From: Paolo Bonzini - -[ Upstream commit 51776043afa415435c7e4636204fbe4f7edc4501 ] - -This ioctl is obsolete (it was used by Xenner as far as I know) but -still let's not break it gratuitously... Its handler is copying -directly into struct kvm. Go through a bounce buffer instead, with -the added benefit that we can actually do something useful with the -flags argument---the previous code was exiting with -EINVAL but still -doing the copy. - -This technically is a userspace ABI breakage, but since no one should be -using the ioctl, it's a good occasion to see if someone actually -complains. - -Cc: kernel-hardening@lists.openwall.com -Cc: Kees Cook -Cc: Radim Krčmář -Signed-off-by: Paolo Bonzini -Signed-off-by: Kees Cook -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/x86.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -3973,13 +3973,14 @@ long kvm_arch_vm_ioctl(struct file *filp - mutex_unlock(&kvm->lock); - break; - case KVM_XEN_HVM_CONFIG: { -+ struct kvm_xen_hvm_config xhc; - r = -EFAULT; -- if (copy_from_user(&kvm->arch.xen_hvm_config, argp, -- sizeof(struct kvm_xen_hvm_config))) -+ if (copy_from_user(&xhc, argp, sizeof(xhc))) - goto out; - r = -EINVAL; -- if (kvm->arch.xen_hvm_config.flags) -+ if (xhc.flags) - goto out; -+ memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc)); - r = 0; - break; - } diff --git a/queue-4.4/llc-properly-handle-dev_queue_xmit-return-value.patch b/queue-4.4/llc-properly-handle-dev_queue_xmit-return-value.patch deleted file mode 100644 index 8ecee76a31e..00000000000 --- a/queue-4.4/llc-properly-handle-dev_queue_xmit-return-value.patch +++ /dev/null @@ -1,171 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Cong Wang -Date: Mon, 26 Mar 2018 15:08:33 -0700 -Subject: llc: properly handle dev_queue_xmit() return value - -From: Cong Wang - -[ Upstream commit b85ab56c3f81c5a24b5a5213374f549df06430da ] - -llc_conn_send_pdu() pushes the skb into write queue and -calls llc_conn_send_pdus() to flush them out. However, the -status of dev_queue_xmit() is not returned to caller, -in this case, llc_conn_state_process(). - -llc_conn_state_process() needs hold the skb no matter -success or failure, because it still uses it after that, -therefore we should hold skb before dev_queue_xmit() when -that skb is the one being processed by llc_conn_state_process(). - -For other callers, they can just pass NULL and ignore -the return value as they are. - -Reported-by: Noam Rathaus -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/net/llc_conn.h | 2 +- - net/llc/llc_c_ac.c | 15 +++++++++------ - net/llc/llc_conn.c | 32 +++++++++++++++++++++++--------- - 3 files changed, 33 insertions(+), 16 deletions(-) - ---- a/include/net/llc_conn.h -+++ b/include/net/llc_conn.h -@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); - - /* Access to a connection */ - int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); --void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); -+int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); - void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); - void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); - void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); ---- a/net/llc/llc_c_ac.c -+++ b/net/llc/llc_c_ac.c -@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_ - llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); - rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); - if (likely(!rc)) { -- llc_conn_send_pdu(sk, skb); -+ rc = llc_conn_send_pdu(sk, skb); - llc_conn_ac_inc_vs_by_1(sk, skb); - } - return rc; -@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ - llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); - rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); - if (likely(!rc)) { -- llc_conn_send_pdu(sk, skb); -+ rc = llc_conn_send_pdu(sk, skb); - llc_conn_ac_inc_vs_by_1(sk, skb); - } - return rc; -@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ - int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb) - { - struct llc_sock *llc = llc_sk(sk); -+ int ret; - - if (llc->ack_must_be_send) { -- llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); -+ ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); - llc->ack_must_be_send = 0 ; - llc->ack_pf = 0; -- } else -- llc_conn_ac_send_i_cmd_p_set_0(sk, skb); -- return 0; -+ } else { -+ ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb); -+ } -+ -+ return ret; - } - - /** ---- a/net/llc/llc_conn.c -+++ b/net/llc/llc_conn.c -@@ -30,7 +30,7 @@ - #endif - - static int llc_find_offset(int state, int ev_type); --static void llc_conn_send_pdus(struct sock *sk); -+static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb); - static int llc_conn_service(struct sock *sk, struct sk_buff *skb); - static int llc_exec_conn_trans_actions(struct sock *sk, - struct llc_conn_state_trans *trans, -@@ -193,11 +193,11 @@ out_skb_put: - return rc; - } - --void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) -+int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) - { - /* queue PDU to send to MAC layer */ - skb_queue_tail(&sk->sk_write_queue, skb); -- llc_conn_send_pdus(sk); -+ return llc_conn_send_pdus(sk, skb); - } - - /** -@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct - if (howmany_resend > 0) - llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; - /* any PDUs to re-send are queued up; start sending to MAC */ -- llc_conn_send_pdus(sk); -+ llc_conn_send_pdus(sk, NULL); - out:; - } - -@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct - if (howmany_resend > 0) - llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; - /* any PDUs to re-send are queued up; start sending to MAC */ -- llc_conn_send_pdus(sk); -+ llc_conn_send_pdus(sk, NULL); - out:; - } - -@@ -340,12 +340,16 @@ out: - /** - * llc_conn_send_pdus - Sends queued PDUs - * @sk: active connection -+ * @hold_skb: the skb held by caller, or NULL if does not care - * -- * Sends queued pdus to MAC layer for transmission. -+ * Sends queued pdus to MAC layer for transmission. When @hold_skb is -+ * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent -+ * successfully, or 1 for failure. - */ --static void llc_conn_send_pdus(struct sock *sk) -+static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) - { - struct sk_buff *skb; -+ int ret = 0; - - while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { - struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); -@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct so - skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); - if (!skb2) - break; -- skb = skb2; -+ dev_queue_xmit(skb2); -+ } else { -+ bool is_target = skb == hold_skb; -+ int rc; -+ -+ if (is_target) -+ skb_get(skb); -+ rc = dev_queue_xmit(skb); -+ if (is_target) -+ ret = rc; - } -- dev_queue_xmit(skb); - } -+ -+ return ret; - } - - /** diff --git a/queue-4.4/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch b/queue-4.4/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch deleted file mode 100644 index 39b7e823fc1..00000000000 --- a/queue-4.4/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch +++ /dev/null @@ -1,52 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Will Deacon -Date: Tue, 13 Feb 2018 13:22:57 +0000 -Subject: locking/qspinlock: Ensure node->count is updated before initialising node - -From: Will Deacon - -[ Upstream commit 11dc13224c975efcec96647a4768a6f1bb7a19a8 ] - -When queuing on the qspinlock, the count field for the current CPU's head -node is incremented. This needn't be atomic because locking in e.g. IRQ -context is balanced and so an IRQ will return with node->count as it -found it. - -However, the compiler could in theory reorder the initialisation of -node[idx] before the increment of the head node->count, causing an -IRQ to overwrite the initialised node and potentially corrupt the lock -state. - -Avoid the potential for this harmful compiler reordering by placing a -barrier() between the increment of the head node->count and the subsequent -node initialisation. - -Signed-off-by: Will Deacon -Acked-by: Peter Zijlstra (Intel) -Cc: Linus Torvalds -Cc: Thomas Gleixner -Link: http://lkml.kernel.org/r/1518528177-19169-3-git-send-email-will.deacon@arm.com -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/locking/qspinlock.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/kernel/locking/qspinlock.c -+++ b/kernel/locking/qspinlock.c -@@ -423,6 +423,14 @@ queue: - tail = encode_tail(smp_processor_id(), idx); - - node += idx; -+ -+ /* -+ * Ensure that we increment the head node->count before initialising -+ * the actual node. If the compiler is kind enough to reorder these -+ * stores, then an IRQ could overwrite our assignments. -+ */ -+ barrier(); -+ - node->locked = 0; - node->next = NULL; - pv_init_node(node); diff --git a/queue-4.4/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch b/queue-4.4/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch deleted file mode 100644 index 08e2e06d561..00000000000 --- a/queue-4.4/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch +++ /dev/null @@ -1,97 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrea Parri -Date: Tue, 20 Feb 2018 19:45:56 +0100 -Subject: locking/xchg/alpha: Add unconditional memory barrier to cmpxchg() - -From: Andrea Parri - -[ Upstream commit cb13b424e986aed68d74cbaec3449ea23c50e167 ] - -Continuing along with the fight against smp_read_barrier_depends() [1] -(or rather, against its improper use), add an unconditional barrier to -cmpxchg. This guarantees that dependency ordering is preserved when a -dependency is headed by an unsuccessful cmpxchg. As it turns out, the -change could enable further simplification of LKMM as proposed in [2]. - -[1] https://marc.info/?l=linux-kernel&m=150884953419377&w=2 - https://marc.info/?l=linux-kernel&m=150884946319353&w=2 - https://marc.info/?l=linux-kernel&m=151215810824468&w=2 - https://marc.info/?l=linux-kernel&m=151215816324484&w=2 - -[2] https://marc.info/?l=linux-kernel&m=151881978314872&w=2 - -Signed-off-by: Andrea Parri -Acked-by: Peter Zijlstra -Acked-by: Paul E. McKenney -Cc: Alan Stern -Cc: Ivan Kokshaysky -Cc: Linus Torvalds -Cc: Matt Turner -Cc: Richard Henderson -Cc: Thomas Gleixner -Cc: Will Deacon -Cc: linux-alpha@vger.kernel.org -Link: http://lkml.kernel.org/r/1519152356-4804-1-git-send-email-parri.andrea@gmail.com -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/alpha/include/asm/xchg.h | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - ---- a/arch/alpha/include/asm/xchg.h -+++ b/arch/alpha/include/asm/xchg.h -@@ -127,10 +127,9 @@ ____xchg(, volatile void *ptr, unsigned - * store NEW in MEM. Return the initial value in MEM. Success is - * indicated by comparing RETURN with OLD. - * -- * The memory barrier should be placed in SMP only when we actually -- * make the change. If we don't change anything (so if the returned -- * prev is equal to old) then we aren't acquiring anything new and -- * we don't need any memory barrier as far I can tell. -+ * The memory barrier is placed in SMP unconditionally, in order to -+ * guarantee that dependency ordering is preserved when a dependency -+ * is headed by an unsuccessful operation. - */ - - static inline unsigned long -@@ -149,8 +148,8 @@ ____cmpxchg(_u8, volatile char *m, unsig - " or %1,%2,%2\n" - " stq_c %2,0(%4)\n" - " beq %2,3f\n" -- __ASM__MB - "2:\n" -+ __ASM__MB - ".subsection 2\n" - "3: br 1b\n" - ".previous" -@@ -176,8 +175,8 @@ ____cmpxchg(_u16, volatile short *m, uns - " or %1,%2,%2\n" - " stq_c %2,0(%4)\n" - " beq %2,3f\n" -- __ASM__MB - "2:\n" -+ __ASM__MB - ".subsection 2\n" - "3: br 1b\n" - ".previous" -@@ -199,8 +198,8 @@ ____cmpxchg(_u32, volatile int *m, int o - " mov %4,%1\n" - " stl_c %1,%2\n" - " beq %1,3f\n" -- __ASM__MB - "2:\n" -+ __ASM__MB - ".subsection 2\n" - "3: br 1b\n" - ".previous" -@@ -222,8 +221,8 @@ ____cmpxchg(_u64, volatile long *m, unsi - " mov %4,%1\n" - " stq_c %1,%2\n" - " beq %1,3f\n" -- __ASM__MB - "2:\n" -+ __ASM__MB - ".subsection 2\n" - "3: br 1b\n" - ".previous" diff --git a/queue-4.4/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch b/queue-4.4/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch deleted file mode 100644 index 7401494c3d5..00000000000 --- a/queue-4.4/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch +++ /dev/null @@ -1,141 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andrea Parri -Date: Thu, 22 Feb 2018 10:24:48 +0100 -Subject: locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs - -From: Andrea Parri - -[ Upstream commit 472e8c55cf6622d1c112dc2bc777f68bbd4189db ] - -Successful RMW operations are supposed to be fully ordered, but -Alpha's xchg() and cmpxchg() do not meet this requirement. - -Will Deacon noticed the bug: - - > So MP using xchg: - > - > WRITE_ONCE(x, 1) - > xchg(y, 1) - > - > smp_load_acquire(y) == 1 - > READ_ONCE(x) == 0 - > - > would be allowed. - -... which thus violates the above requirement. - -Fix it by adding a leading smp_mb() to the xchg() and cmpxchg() implementations. - -Reported-by: Will Deacon -Signed-off-by: Andrea Parri -Acked-by: Paul E. McKenney -Cc: Alan Stern -Cc: Andrew Morton -Cc: Ivan Kokshaysky -Cc: Linus Torvalds -Cc: Matt Turner -Cc: Peter Zijlstra -Cc: Richard Henderson -Cc: Thomas Gleixner -Cc: linux-alpha@vger.kernel.org -Link: http://lkml.kernel.org/r/1519291488-5752-1-git-send-email-parri.andrea@gmail.com -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/alpha/include/asm/xchg.h | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - ---- a/arch/alpha/include/asm/xchg.h -+++ b/arch/alpha/include/asm/xchg.h -@@ -11,6 +11,10 @@ - * Atomic exchange. - * Since it can be used to implement critical sections - * it must clobber "memory" (also for interrupts in UP). -+ * -+ * The leading and the trailing memory barriers guarantee that these -+ * operations are fully ordered. -+ * - */ - - static inline unsigned long -@@ -18,6 +22,7 @@ ____xchg(_u8, volatile char *m, unsigned - { - unsigned long ret, tmp, addr64; - -+ smp_mb(); - __asm__ __volatile__( - " andnot %4,7,%3\n" - " insbl %1,%4,%1\n" -@@ -42,6 +47,7 @@ ____xchg(_u16, volatile short *m, unsign - { - unsigned long ret, tmp, addr64; - -+ smp_mb(); - __asm__ __volatile__( - " andnot %4,7,%3\n" - " inswl %1,%4,%1\n" -@@ -66,6 +72,7 @@ ____xchg(_u32, volatile int *m, unsigned - { - unsigned long dummy; - -+ smp_mb(); - __asm__ __volatile__( - "1: ldl_l %0,%4\n" - " bis $31,%3,%1\n" -@@ -86,6 +93,7 @@ ____xchg(_u64, volatile long *m, unsigne - { - unsigned long dummy; - -+ smp_mb(); - __asm__ __volatile__( - "1: ldq_l %0,%4\n" - " bis $31,%3,%1\n" -@@ -127,9 +135,12 @@ ____xchg(, volatile void *ptr, unsigned - * store NEW in MEM. Return the initial value in MEM. Success is - * indicated by comparing RETURN with OLD. - * -- * The memory barrier is placed in SMP unconditionally, in order to -- * guarantee that dependency ordering is preserved when a dependency -- * is headed by an unsuccessful operation. -+ * The leading and the trailing memory barriers guarantee that these -+ * operations are fully ordered. -+ * -+ * The trailing memory barrier is placed in SMP unconditionally, in -+ * order to guarantee that dependency ordering is preserved when a -+ * dependency is headed by an unsuccessful operation. - */ - - static inline unsigned long -@@ -137,6 +148,7 @@ ____cmpxchg(_u8, volatile char *m, unsig - { - unsigned long prev, tmp, cmp, addr64; - -+ smp_mb(); - __asm__ __volatile__( - " andnot %5,7,%4\n" - " insbl %1,%5,%1\n" -@@ -164,6 +176,7 @@ ____cmpxchg(_u16, volatile short *m, uns - { - unsigned long prev, tmp, cmp, addr64; - -+ smp_mb(); - __asm__ __volatile__( - " andnot %5,7,%4\n" - " inswl %1,%5,%1\n" -@@ -191,6 +204,7 @@ ____cmpxchg(_u32, volatile int *m, int o - { - unsigned long prev, cmp; - -+ smp_mb(); - __asm__ __volatile__( - "1: ldl_l %0,%5\n" - " cmpeq %0,%3,%1\n" -@@ -214,6 +228,7 @@ ____cmpxchg(_u64, volatile long *m, unsi - { - unsigned long prev, cmp; - -+ smp_mb(); - __asm__ __volatile__( - "1: ldq_l %0,%5\n" - " cmpeq %0,%3,%1\n" diff --git a/queue-4.4/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch b/queue-4.4/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch deleted file mode 100644 index 48a74c16d12..00000000000 --- a/queue-4.4/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch +++ /dev/null @@ -1,72 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Greg Ungerer -Date: Wed, 28 Mar 2018 17:12:18 +1000 -Subject: m68k: set dma and coherent masks for platform FEC ethernets - -From: Greg Ungerer - -[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ] - -As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no -coherent_dma_mask") the Freescale FEC driver is issuing the following -warning on driver initialization on ColdFire systems: - -WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20 -Modules linked in: -CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4 -Stack from 41833dd8: - 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000 - 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d - 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000 - 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8 - 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c - 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000 -Call Trace: - [<40025534>] 0x40025534 - [<4004e514>] 0x4004e514 - [<400255de>] 0x400255de - [<40159e20>] 0x40159e20 - [<40159e20>] 0x40159e20 - -It is not fatal, the driver and the system continue to function normally. - -As per the warning the coherent_dma_mask is not set on this device. -There is nothing special about the DMA memory coherency on this hardware -so we can just set the mask to 32bits in the platform data for the FEC -ethernet devices. - -Signed-off-by: Greg Ungerer -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/m68k/coldfire/device.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - ---- a/arch/m68k/coldfire/device.c -+++ b/arch/m68k/coldfire/device.c -@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = - .id = 0, - .num_resources = ARRAY_SIZE(mcf_fec0_resources), - .resource = mcf_fec0_resources, -- .dev.platform_data = FEC_PDATA, -+ .dev = { -+ .dma_mask = &mcf_fec0.dev.coherent_dma_mask, -+ .coherent_dma_mask = DMA_BIT_MASK(32), -+ .platform_data = FEC_PDATA, -+ } - }; - - #ifdef MCFFEC_BASE1 -@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = - .id = 1, - .num_resources = ARRAY_SIZE(mcf_fec1_resources), - .resource = mcf_fec1_resources, -- .dev.platform_data = FEC_PDATA, -+ .dev = { -+ .dma_mask = &mcf_fec1.dev.coherent_dma_mask, -+ .coherent_dma_mask = DMA_BIT_MASK(32), -+ .platform_data = FEC_PDATA, -+ } - }; - #endif /* MCFFEC_BASE1 */ - #endif /* CONFIG_FEC */ diff --git a/queue-4.4/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch b/queue-4.4/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch deleted file mode 100644 index 9828854bdb6..00000000000 --- a/queue-4.4/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Felix Fietkau -Date: Sat, 10 Feb 2018 13:20:34 +0100 -Subject: mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 - -From: Felix Fietkau - -[ Upstream commit 651b9920d7a694ffb1f885aef2bbb068a25d9d66 ] - -This ensures that mac80211 allocated management frames are properly -aligned, which makes copying them more efficient. -For instance, mt76 uses iowrite32_copy to copy beacon frames to beacon -template memory on the chip. -Misaligned 32-bit accesses cause CPU exceptions on MIPS and should be -avoided. - -Signed-off-by: Felix Fietkau -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/net/mac80211.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/include/net/mac80211.h -+++ b/include/net/mac80211.h -@@ -3888,7 +3888,7 @@ static inline int ieee80211_sta_ps_trans - * The TX headroom reserved by mac80211 for its own tx_status functions. - * This is enough for the radiotap header. - */ --#define IEEE80211_TX_STATUS_HEADROOM 14 -+#define IEEE80211_TX_STATUS_HEADROOM ALIGN(14, 4) - - /** - * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames diff --git a/queue-4.4/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch b/queue-4.4/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch deleted file mode 100644 index 5d7590019ed..00000000000 --- a/queue-4.4/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "weiyongjun (A)" -Date: Thu, 18 Jan 2018 02:23:34 +0000 -Subject: mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl() - -From: "weiyongjun (A)" - -[ Upstream commit 0ddcff49b672239dda94d70d0fcf50317a9f4b51 ] - -'hwname' is malloced in hwsim_new_radio_nl() and should be freed -before leaving from the error handling cases, otherwise it will cause -memory leak. - -Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length") -Signed-off-by: Wei Yongjun -Reviewed-by: Ben Hutchings -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/wireless/mac80211_hwsim.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/net/wireless/mac80211_hwsim.c -+++ b/drivers/net/wireless/mac80211_hwsim.c -@@ -2925,8 +2925,10 @@ static int hwsim_new_radio_nl(struct sk_ - if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) { - u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]); - -- if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) -+ if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) { -+ kfree(hwname); - return -EINVAL; -+ } - param.regd = hwsim_world_regdom_custom[idx]; - } - diff --git a/queue-4.4/md-raid1-fix-null-pointer-dereference.patch b/queue-4.4/md-raid1-fix-null-pointer-dereference.patch deleted file mode 100644 index 579136896c5..00000000000 --- a/queue-4.4/md-raid1-fix-null-pointer-dereference.patch +++ /dev/null @@ -1,90 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yufen Yu -Date: Sat, 24 Feb 2018 12:05:56 +0800 -Subject: md/raid1: fix NULL pointer dereference - -From: Yufen Yu - -[ Upstream commit 3de59bb9d551428cbdc76a9ea57883f82e350b4d ] - -In handle_write_finished(), if r1_bio->bios[m] != NULL, it thinks -the corresponding conf->mirrors[m].rdev is also not NULL. But, it -is not always true. - -Even if some io hold replacement rdev(i.e. rdev->nr_pending.count > 0), -raid1_remove_disk() can also set the rdev as NULL. That means, -bios[m] != NULL, but mirrors[m].rdev is NULL, resulting in NULL -pointer dereference in handle_write_finished and sync_request_write. - -This patch can fix BUGs as follows: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000140 - IP: [] raid1d+0x2bd/0xfc0 - PGD 12ab52067 PUD 12f587067 PMD 0 - Oops: 0000 [#1] SMP - CPU: 1 PID: 2008 Comm: md3_raid1 Not tainted 4.1.44+ #130 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 - Call Trace: - ? schedule+0x37/0x90 - ? prepare_to_wait_event+0x83/0xf0 - md_thread+0x144/0x150 - ? wake_atomic_t_function+0x70/0x70 - ? md_start_sync+0xf0/0xf0 - kthread+0xd8/0xf0 - ? kthread_worker_fn+0x160/0x160 - ret_from_fork+0x42/0x70 - ? kthread_worker_fn+0x160/0x160 - - BUG: unable to handle kernel NULL pointer dereference at 00000000000000b8 - IP: sync_request_write+0x9e/0x980 - PGD 800000007c518067 P4D 800000007c518067 PUD 8002b067 PMD 0 - Oops: 0000 [#1] SMP PTI - CPU: 24 PID: 2549 Comm: md3_raid1 Not tainted 4.15.0+ #118 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 - Call Trace: - ? sched_clock+0x5/0x10 - ? sched_clock_cpu+0xc/0xb0 - ? flush_pending_writes+0x3a/0xd0 - ? pick_next_task_fair+0x4d5/0x5f0 - ? __switch_to+0xa2/0x430 - raid1d+0x65a/0x870 - ? find_pers+0x70/0x70 - ? find_pers+0x70/0x70 - ? md_thread+0x11c/0x160 - md_thread+0x11c/0x160 - ? finish_wait+0x80/0x80 - kthread+0x111/0x130 - ? kthread_create_worker_on_cpu+0x70/0x70 - ? do_syscall_64+0x6f/0x190 - ? SyS_exit_group+0x10/0x10 - ret_from_fork+0x35/0x40 - -Reviewed-by: NeilBrown -Signed-off-by: Yufen Yu -Signed-off-by: Shaohua Li -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/raid1.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -1686,6 +1686,17 @@ static int raid1_remove_disk(struct mdde - struct md_rdev *repl = - conf->mirrors[conf->raid_disks + number].rdev; - freeze_array(conf, 0); -+ if (atomic_read(&repl->nr_pending)) { -+ /* It means that some queued IO of retry_list -+ * hold repl. Thus, we cannot set replacement -+ * as NULL, avoiding rdev NULL pointer -+ * dereference in sync_request_write and -+ * handle_write_finished. -+ */ -+ err = -EBUSY; -+ unfreeze_array(conf); -+ goto abort; -+ } - clear_bit(Replacement, &repl->flags); - p->rdev = repl; - conf->mirrors[conf->raid_disks + number].rdev = NULL; diff --git a/queue-4.4/md-raid10-fix-null-deference-in-handle_write_completed.patch b/queue-4.4/md-raid10-fix-null-deference-in-handle_write_completed.patch deleted file mode 100644 index f0af65b2576..00000000000 --- a/queue-4.4/md-raid10-fix-null-deference-in-handle_write_completed.patch +++ /dev/null @@ -1,62 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yufen Yu -Date: Tue, 6 Feb 2018 17:39:15 +0800 -Subject: md raid10: fix NULL deference in handle_write_completed() - -From: Yufen Yu - -[ Upstream commit 01a69cab01c184d3786af09e9339311123d63d22 ] - -In the case of 'recover', an r10bio with R10BIO_WriteError & -R10BIO_IsRecover will be progressed by handle_write_completed(). -This function traverses all r10bio->devs[copies]. -If devs[m].repl_bio != NULL, it thinks conf->mirrors[dev].replacement -is also not NULL. However, this is not always true. - -When there is an rdev of raid10 has replacement, then each r10bio -->devs[m].repl_bio != NULL in conf->r10buf_pool. However, in 'recover', -even if corresponded replacement is NULL, it doesn't clear r10bio -->devs[m].repl_bio, resulting in replacement NULL deference. - -This bug was introduced when replacement support for raid10 was -added in Linux 3.3. - -As NeilBrown suggested: - Elsewhere the determination of "is this device part of the - resync/recovery" is made by resting bio->bi_end_io. - If this is end_sync_write, then we tried to write here. - If it is NULL, then we didn't try to write. - -Fixes: 9ad1aefc8ae8 ("md/raid10: Handle replacement devices during resync.") -Cc: stable (V3.3+) -Suggested-by: NeilBrown -Signed-off-by: Yufen Yu -Signed-off-by: Shaohua Li -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/raid10.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -2630,7 +2630,8 @@ static void handle_write_completed(struc - for (m = 0; m < conf->copies; m++) { - int dev = r10_bio->devs[m].devnum; - rdev = conf->mirrors[dev].rdev; -- if (r10_bio->devs[m].bio == NULL) -+ if (r10_bio->devs[m].bio == NULL || -+ r10_bio->devs[m].bio->bi_end_io == NULL) - continue; - if (!r10_bio->devs[m].bio->bi_error) { - rdev_clear_badblocks( -@@ -2645,7 +2646,8 @@ static void handle_write_completed(struc - md_error(conf->mddev, rdev); - } - rdev = conf->mirrors[dev].replacement; -- if (r10_bio->devs[m].repl_bio == NULL) -+ if (r10_bio->devs[m].repl_bio == NULL || -+ r10_bio->devs[m].repl_bio->bi_end_io == NULL) - continue; - - if (!r10_bio->devs[m].repl_bio->bi_error) { diff --git a/queue-4.4/md-raid5-avoid-string-overflow-warning.patch b/queue-4.4/md-raid5-avoid-string-overflow-warning.patch deleted file mode 100644 index ba3663bc95f..00000000000 --- a/queue-4.4/md-raid5-avoid-string-overflow-warning.patch +++ /dev/null @@ -1,65 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arnd Bergmann -Date: Tue, 20 Feb 2018 14:09:11 +0100 -Subject: md: raid5: avoid string overflow warning - -From: Arnd Bergmann - -[ Upstream commit 53b8d89ddbdbb0e4625a46d2cdbb6f106c52f801 ] - -gcc warns about a possible overflow of the kmem_cache string, when adding -four characters to a string of the same length: - -drivers/md/raid5.c: In function 'setup_conf': -drivers/md/raid5.c:2207:34: error: '-alt' directive writing 4 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] - sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); - ^~~~ -drivers/md/raid5.c:2207:2: note: 'sprintf' output between 5 and 36 bytes into a destination of size 32 - sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If I'm counting correctly, we need 11 characters for the fixed part -of the string and 18 characters for a 64-bit pointer (when no gendisk -is used), so that leaves three characters for conf->level, which should -always be sufficient. - -This makes the code use snprintf() with the correct length, to -make the code more robust against changes, and to get the compiler -to shut up. - -In commit f4be6b43f1ac ("md/raid5: ensure we create a unique name for -kmem_cache when mddev has no gendisk") from 2010, Neil said that -the pointer could be removed "shortly" once devices without gendisk -are disallowed. I have no idea if that happened, but if it did, that -should probably be changed as well. - -Signed-off-by: Arnd Bergmann -Signed-off-by: Shaohua Li -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/raid5.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -2028,15 +2028,16 @@ static int grow_one_stripe(struct r5conf - static int grow_stripes(struct r5conf *conf, int num) - { - struct kmem_cache *sc; -+ size_t namelen = sizeof(conf->cache_name[0]); - int devs = max(conf->raid_disks, conf->previous_raid_disks); - - if (conf->mddev->gendisk) -- sprintf(conf->cache_name[0], -+ snprintf(conf->cache_name[0], namelen, - "raid%d-%s", conf->level, mdname(conf->mddev)); - else -- sprintf(conf->cache_name[0], -+ snprintf(conf->cache_name[0], namelen, - "raid%d-%p", conf->level, conf->mddev); -- sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); -+ snprintf(conf->cache_name[1], namelen, "%.27s-alt", conf->cache_name[0]); - - conf->active_name = 0; - sc = kmem_cache_create(conf->cache_name[conf->active_name], diff --git a/queue-4.4/media-cx23885-override-888-impactvcbe-crystal-frequency.patch b/queue-4.4/media-cx23885-override-888-impactvcbe-crystal-frequency.patch deleted file mode 100644 index 32bb534844a..00000000000 --- a/queue-4.4/media-cx23885-override-888-impactvcbe-crystal-frequency.patch +++ /dev/null @@ -1,43 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Brad Love -Date: Tue, 6 Mar 2018 14:15:37 -0500 -Subject: media: cx23885: Override 888 ImpactVCBe crystal frequency - -From: Brad Love - -[ Upstream commit 779c79d4b833ec646b0aed878da38edb45bbe156 ] - -Hauppauge produced a revision of ImpactVCBe using an 888, -with a 25MHz crystal, instead of using the default third -overtone 50Mhz crystal. This overrides that frequency so -that the cx25840 is properly configured. Without the proper -crystal setup the cx25840 cannot load the firmware or -decode video. - -Signed-off-by: Brad Love -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/pci/cx23885/cx23885-core.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - ---- a/drivers/media/pci/cx23885/cx23885-core.c -+++ b/drivers/media/pci/cx23885/cx23885-core.c -@@ -872,6 +872,16 @@ static int cx23885_dev_setup(struct cx23 - if (cx23885_boards[dev->board].clk_freq > 0) - dev->clk_freq = cx23885_boards[dev->board].clk_freq; - -+ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE && -+ dev->pci->subsystem_device == 0x7137) { -+ /* Hauppauge ImpactVCBe device ID 0x7137 is populated -+ * with an 888, and a 25Mhz crystal, instead of the -+ * usual third overtone 50Mhz. The default clock rate must -+ * be overridden so the cx25840 is properly configured -+ */ -+ dev->clk_freq = 25000000; -+ } -+ - dev->pci_bus = dev->pci->bus->number; - dev->pci_slot = PCI_SLOT(dev->pci->devfn); - cx23885_irq_add(dev, 0x001f00); diff --git a/queue-4.4/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch b/queue-4.4/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch deleted file mode 100644 index 0f14589145c..00000000000 --- a/queue-4.4/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Brad Love -Date: Tue, 6 Mar 2018 14:15:36 -0500 -Subject: media: cx23885: Set subdev host data to clk_freq pointer - -From: Brad Love - -[ Upstream commit 5ceade1d97fc6687e050c44c257382c192f56276 ] - -Currently clk_freq is ignored entirely, because the cx235840 driver -configures the xtal at the chip defaults. This is an issue if a -board is produced with a non-default frequency crystal. If clk_freq -is not zero the cx25840 will attempt to use the setting provided, -or fall back to defaults otherwise. - -Signed-off-by: Brad Love -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/pci/cx23885/cx23885-cards.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/media/pci/cx23885/cx23885-cards.c -+++ b/drivers/media/pci/cx23885/cx23885-cards.c -@@ -2124,6 +2124,10 @@ void cx23885_card_setup(struct cx23885_d - &dev->i2c_bus[2].i2c_adap, - "cx25840", 0x88 >> 1, NULL); - if (dev->sd_cx25840) { -+ /* set host data for clk_freq configuration */ -+ v4l2_set_subdev_hostdata(dev->sd_cx25840, -+ &dev->clk_freq); -+ - dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE; - v4l2_subdev_call(dev->sd_cx25840, core, load_fw); - } diff --git a/queue-4.4/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch b/queue-4.4/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch deleted file mode 100644 index 31c013e78c4..00000000000 --- a/queue-4.4/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch +++ /dev/null @@ -1,53 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Colin Ian King -Date: Wed, 31 Jan 2018 12:33:09 -0500 -Subject: media: cx25821: prevent out-of-bounds read on array card - -From: Colin Ian King - -[ Upstream commit 67300abdbe9f1717532aaf4e037222762716d0f6 ] - -Currently an out of range dev->nr is detected by just reporting the -issue and later on an out-of-bounds read on array card occurs because -of this. Fix this by checking the upper range of dev->nr with the size -of array card (removes the hard coded size), move this check earlier -and also exit with the error -ENOSYS to avoid the later out-of-bounds -array read. - -Detected by CoverityScan, CID#711191 ("Out-of-bounds-read") - -Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver") - -Signed-off-by: Colin Ian King -Signed-off-by: Hans Verkuil -[hans.verkuil@cisco.com: %ld -> %zd] -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/pci/cx25821/cx25821-core.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/drivers/media/pci/cx25821/cx25821-core.c -+++ b/drivers/media/pci/cx25821/cx25821-core.c -@@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25 - dev->nr = ++cx25821_devcount; - sprintf(dev->name, "cx25821[%d]", dev->nr); - -+ if (dev->nr >= ARRAY_SIZE(card)) { -+ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card)); -+ return -ENODEV; -+ } - if (dev->pci->device != 0x8210) { - pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n", - __func__, dev->pci->device); -@@ -886,9 +890,6 @@ static int cx25821_dev_setup(struct cx25 - dev->channels[i].sram_channels = &cx25821_sram_channels[i]; - } - -- if (dev->nr > 1) -- CX25821_INFO("dev->nr > 1!"); -- - /* board config */ - dev->board = 1; /* card[dev->nr]; */ - dev->_max_num_decoders = MAX_DECODERS; diff --git a/queue-4.4/media-dmxdev-fix-error-code-for-invalid-ioctls.patch b/queue-4.4/media-dmxdev-fix-error-code-for-invalid-ioctls.patch deleted file mode 100644 index 5148fe79589..00000000000 --- a/queue-4.4/media-dmxdev-fix-error-code-for-invalid-ioctls.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mauro Carvalho Chehab -Date: Sun, 11 Feb 2018 05:44:21 -0500 -Subject: media: dmxdev: fix error code for invalid ioctls - -From: Mauro Carvalho Chehab - -[ Upstream commit a145f64c6107d3aa5a7cec9f8977d04ac2a896c9 ] - -Returning -EINVAL when an ioctl is not implemented is a very -bad idea, as it is hard to distinguish from other error -contitions that an ioctl could lead. Replace it by its -right error code: -ENOTTY. - -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/dvb-core/dmxdev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/media/dvb-core/dmxdev.c -+++ b/drivers/media/dvb-core/dmxdev.c -@@ -1071,7 +1071,7 @@ static int dvb_demux_do_ioctl(struct fil - break; - - default: -- ret = -EINVAL; -+ ret = -ENOTTY; - break; - } - mutex_unlock(&dmxdev->mutex); diff --git a/queue-4.4/media-em28xx-usb-bulk-packet-size-fix.patch b/queue-4.4/media-em28xx-usb-bulk-packet-size-fix.patch deleted file mode 100644 index c79fe109508..00000000000 --- a/queue-4.4/media-em28xx-usb-bulk-packet-size-fix.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Brad Love -Date: Thu, 4 Jan 2018 19:04:13 -0500 -Subject: media: em28xx: USB bulk packet size fix - -From: Brad Love - -[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ] - -Hauppauge em28xx bulk devices exhibit continuity errors and corrupted -packets, when run in VMWare virtual machines. Unknown if other -manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected. - -According to documentation the maximum packet multiplier for em28xx in bulk -transfer mode is 256 * 188 bytes. This changes the size of bulk transfers -to maximum supported value and have a bonus beneficial alignment. - -Before: - -After: - -This sets up USB to expect just as many bytes as the em28xx is set to emit. - -Successful usage under load afterwards natively and in both VMWare -and KVM/Qemu virtual machines. - -Signed-off-by: Brad Love -Reviewed-by: Michael Ira Krufky -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/usb/em28xx/em28xx.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/media/usb/em28xx/em28xx.h -+++ b/drivers/media/usb/em28xx/em28xx.h -@@ -187,7 +187,7 @@ - USB 2.0 spec says bulk packet size is always 512 bytes - */ - #define EM28XX_BULK_PACKET_MULTIPLIER 384 --#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384 -+#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94 - - #define EM28XX_INTERLACED_DEFAULT 1 - diff --git a/queue-4.4/media-s3c-camif-fix-out-of-bounds-array-access.patch b/queue-4.4/media-s3c-camif-fix-out-of-bounds-array-access.patch deleted file mode 100644 index e8c81c4ea4e..00000000000 --- a/queue-4.4/media-s3c-camif-fix-out-of-bounds-array-access.patch +++ /dev/null @@ -1,63 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arnd Bergmann -Date: Tue, 16 Jan 2018 16:52:15 -0500 -Subject: media: s3c-camif: fix out-of-bounds array access - -From: Arnd Bergmann - -[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ] - -While experimenting with older compiler versions, I ran -into a warning that no longer shows up on gcc-4.8 or newer: - -drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format': -drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds - -This is an off-by-one bug, leading to an access before the start of the -array, while newer compilers silently assume this undefined behavior -cannot happen and leave the loop at index 0 if no other entry matches. - -As Sylvester explains, we actually need to ensure that the -value is within the range, so this reworks the loop to be -easier to parse correctly, and an additional check to fall -back on the first format value for any unexpected input. - -I found an existing gcc bug for it and added a reduced version -of the function there. - -Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3 -Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") - -Signed-off-by: Arnd Bergmann -Reviewed-by: Laurent Pinchart -Acked-by: Sakari Ailus -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/drivers/media/platform/s3c-camif/camif-capture.c -+++ b/drivers/media/platform/s3c-camif/camif-capture.c -@@ -1268,16 +1268,17 @@ static void __camif_subdev_try_format(st - { - const struct s3c_camif_variant *variant = camif->variant; - const struct vp_pix_limits *pix_lim; -- int i = ARRAY_SIZE(camif_mbus_formats); -+ unsigned int i; - - /* FIXME: constraints against codec or preview path ? */ - pix_lim = &variant->vp_pix_limits[VP_CODEC]; - -- while (i-- >= 0) -+ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) - if (camif_mbus_formats[i] == mf->code) - break; - -- mf->code = camif_mbus_formats[i]; -+ if (i == ARRAY_SIZE(camif_mbus_formats)) -+ mf->code = camif_mbus_formats[0]; - - if (pad == CAMIF_SD_PAD_SINK) { - v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH, diff --git a/queue-4.4/microblaze-switch-to-no_bootmem.patch b/queue-4.4/microblaze-switch-to-no_bootmem.patch deleted file mode 100644 index 81f2cdd02ce..00000000000 --- a/queue-4.4/microblaze-switch-to-no_bootmem.patch +++ /dev/null @@ -1,155 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Rob Herring -Date: Fri, 9 Mar 2018 09:54:07 -0600 -Subject: microblaze: switch to NO_BOOTMEM - -From: Rob Herring - -[ Upstream commit 101646a24a2f9cdb61d7732459fbf068a7bbb542 ] - -Microblaze doesn't set CONFIG_NO_BOOTMEM and so memblock_virt_alloc() -doesn't work for CONFIG_HAVE_MEMBLOCK && !CONFIG_NO_BOOTMEM. - -Similar change was already done by others architectures -"ARM: mm: Remove bootmem code and switch to NO_BOOTMEM" -(sha1: 84f452b1e8fc73ac0e31254c66e3e2260ce5263d) -or -"openrisc: Consolidate setup to use memblock instead of bootmem" -(sha1: 266c7fad157265bb54d17db1c9545f2aaa488643) -or -"parisc: Drop bootmem and switch to memblock" -(sha1: 4fe9e1d957e45ad8eba9885ee860a0e93d13a7c7) -or -"powerpc: Remove bootmem allocator" -(sha1: 10239733ee8617bac3f1c1769af43a88ed979324) -or -"s390/mm: Convert bootmem to memblock" -(sha1: 50be634507284eea38df78154d22615d21200b42) -or -"sparc64: Convert over to NO_BOOTMEM." -(sha1: 625d693e9784f988371e69c2b41a2172c0be6c11) -or -"xtensa: drop sysmem and switch to memblock" -(sha1: 0e46c1115f5816949220d62dd3ff04aa68e7ac6b) - -Issue was introduced by: -"of/fdt: use memblock_virt_alloc for early alloc" -(sha1: 0fa1c579349fdd90173381712ad78aa99c09d38b) - -Signed-off-by: Rob Herring -Tested-by: Alvaro Gamez Machado -Tested-by: Michal Simek -Signed-off-by: Michal Simek -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/microblaze/Kconfig | 1 - arch/microblaze/mm/init.c | 56 ++++------------------------------------------ - 2 files changed, 7 insertions(+), 50 deletions(-) - ---- a/arch/microblaze/Kconfig -+++ b/arch/microblaze/Kconfig -@@ -24,6 +24,7 @@ config MICROBLAZE - select HAVE_FTRACE_MCOUNT_RECORD - select HAVE_FUNCTION_GRAPH_TRACER - select HAVE_FUNCTION_TRACER -+ select NO_BOOTMEM - select HAVE_MEMBLOCK - select HAVE_MEMBLOCK_NODE_MAP - select HAVE_OPROFILE ---- a/arch/microblaze/mm/init.c -+++ b/arch/microblaze/mm/init.c -@@ -32,9 +32,6 @@ int mem_init_done; - #ifndef CONFIG_MMU - unsigned int __page_offset; - EXPORT_SYMBOL(__page_offset); -- --#else --static int init_bootmem_done; - #endif /* CONFIG_MMU */ - - char *klimit = _end; -@@ -117,7 +114,6 @@ static void __init paging_init(void) - - void __init setup_memory(void) - { -- unsigned long map_size; - struct memblock_region *reg; - - #ifndef CONFIG_MMU -@@ -174,17 +170,6 @@ void __init setup_memory(void) - pr_info("%s: max_low_pfn: %#lx\n", __func__, max_low_pfn); - pr_info("%s: max_pfn: %#lx\n", __func__, max_pfn); - -- /* -- * Find an area to use for the bootmem bitmap. -- * We look for the first area which is at least -- * 128kB in length (128kB is enough for a bitmap -- * for 4GB of memory, using 4kB pages), plus 1 page -- * (in case the address isn't page-aligned). -- */ -- map_size = init_bootmem_node(NODE_DATA(0), -- PFN_UP(TOPHYS((u32)klimit)), min_low_pfn, max_low_pfn); -- memblock_reserve(PFN_UP(TOPHYS((u32)klimit)) << PAGE_SHIFT, map_size); -- - /* Add active regions with valid PFNs */ - for_each_memblock(memory, reg) { - unsigned long start_pfn, end_pfn; -@@ -196,32 +181,9 @@ void __init setup_memory(void) - &memblock.memory, 0); - } - -- /* free bootmem is whole main memory */ -- free_bootmem_with_active_regions(0, max_low_pfn); -- -- /* reserve allocate blocks */ -- for_each_memblock(reserved, reg) { -- unsigned long top = reg->base + reg->size - 1; -- -- pr_debug("reserved - 0x%08x-0x%08x, %lx, %lx\n", -- (u32) reg->base, (u32) reg->size, top, -- memory_start + lowmem_size - 1); -- -- if (top <= (memory_start + lowmem_size - 1)) { -- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT); -- } else if (reg->base < (memory_start + lowmem_size - 1)) { -- unsigned long trunc_size = memory_start + lowmem_size - -- reg->base; -- reserve_bootmem(reg->base, trunc_size, BOOTMEM_DEFAULT); -- } -- } -- - /* XXX need to clip this if using highmem? */ - sparse_memory_present_with_active_regions(0); - --#ifdef CONFIG_MMU -- init_bootmem_done = 1; --#endif - paging_init(); - } - -@@ -398,18 +360,12 @@ asmlinkage void __init mmu_init(void) - /* This is only called until mem_init is done. */ - void __init *early_get_page(void) - { -- void *p; -- if (init_bootmem_done) { -- p = alloc_bootmem_pages(PAGE_SIZE); -- } else { -- /* -- * Mem start + kernel_tlb -> here is limit -- * because of mem mapping from head.S -- */ -- p = __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE, -- memory_start + kernel_tlb)); -- } -- return p; -+ /* -+ * Mem start + kernel_tlb -> here is limit -+ * because of mem mapping from head.S -+ */ -+ return __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE, -+ memory_start + kernel_tlb)); - } - - #endif /* CONFIG_MMU */ diff --git a/queue-4.4/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch b/queue-4.4/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch deleted file mode 100644 index d06574b6b26..00000000000 --- a/queue-4.4/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch +++ /dev/null @@ -1,39 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mathias Kresin -Date: Thu, 11 May 2017 08:18:24 +0200 -Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset - -From: Mathias Kresin - -[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ] - -According to the QCA u-boot source the "PCIE Phase Lock Loop -Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the -QCA955X and QCA956X at offset 0x10. - -Since the PCIE PLL config register is only defined for the AR724x fix -only this value. The value is wrong since the day it was added and isn't -used by any driver yet. - -Signed-off-by: Mathias Kresin -Cc: Ralf Baechle -Cc: linux-mips@linux-mips.org -Patchwork: https://patchwork.linux-mips.org/patch/16048/ -Signed-off-by: James Hogan -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h -+++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h -@@ -167,7 +167,7 @@ - #define AR71XX_AHB_DIV_MASK 0x7 - - #define AR724X_PLL_REG_CPU_CONFIG 0x00 --#define AR724X_PLL_REG_PCIE_CONFIG 0x18 -+#define AR724X_PLL_REG_PCIE_CONFIG 0x10 - - #define AR724X_PLL_FB_SHIFT 0 - #define AR724X_PLL_FB_MASK 0x3ff diff --git a/queue-4.4/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch b/queue-4.4/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch deleted file mode 100644 index a0892a784bc..00000000000 --- a/queue-4.4/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch +++ /dev/null @@ -1,70 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Joe Perches -Date: Tue, 5 Dec 2017 23:04:58 -0800 -Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines - -From: Joe Perches - -[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ] - -Using a period after a newline causes bad output. - -Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") -Signed-off-by: Joe Perches -Cc: Ralf Baechle -Cc: linux-mips@linux-mips.org -Patchwork: https://patchwork.linux-mips.org/patch/17886/ -Signed-off-by: James Hogan -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/cavium-octeon/octeon-irq.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/arch/mips/cavium-octeon/octeon-irq.c -+++ b/arch/mips/cavium-octeon/octeon-irq.c -@@ -2240,7 +2240,7 @@ static int __init octeon_irq_init_cib(st - - parent_irq = irq_of_parse_and_map(ciu_node, 0); - if (!parent_irq) { -- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.", -+ pr_err("ERROR: Couldn't acquire parent_irq for %s\n", - ciu_node->name); - return -EINVAL; - } -@@ -2252,7 +2252,7 @@ static int __init octeon_irq_init_cib(st - - addr = of_get_address(ciu_node, 0, NULL, NULL); - if (!addr) { -- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name); -+ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name); - return -EINVAL; - } - host_data->raw_reg = (u64)phys_to_virt( -@@ -2260,7 +2260,7 @@ static int __init octeon_irq_init_cib(st - - addr = of_get_address(ciu_node, 1, NULL, NULL); - if (!addr) { -- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name); -+ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name); - return -EINVAL; - } - host_data->en_reg = (u64)phys_to_virt( -@@ -2268,7 +2268,7 @@ static int __init octeon_irq_init_cib(st - - r = of_property_read_u32(ciu_node, "cavium,max-bits", &val); - if (r) { -- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.", -+ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n", - ciu_node->name); - return r; - } -@@ -2278,7 +2278,7 @@ static int __init octeon_irq_init_cib(st - &octeon_irq_domain_cib_ops, - host_data); - if (!cib_domain) { -- pr_err("ERROR: Couldn't irq_domain_add_linear()\n."); -+ pr_err("ERROR: Couldn't irq_domain_add_linear()\n"); - return -ENOMEM; - } - diff --git a/queue-4.4/mips-txx9-use-is_builtin-for-config_leds_class.patch b/queue-4.4/mips-txx9-use-is_builtin-for-config_leds_class.patch deleted file mode 100644 index 3b4869ae5d3..00000000000 --- a/queue-4.4/mips-txx9-use-is_builtin-for-config_leds_class.patch +++ /dev/null @@ -1,60 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Matt Redfearn -Date: Mon, 29 Jan 2018 11:26:45 +0000 -Subject: MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS - -From: Matt Redfearn - -[ Upstream commit 0cde5b44a30f1daaef1c34e08191239dc63271c4 ] - -When commit b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support") -added board support for the RBTX4939, it added a call to -led_classdev_register even if the LED class is built as a module. -Built-in arch code cannot call module code directly like this. Commit -b33b44073734 ("MIPS: TXX9: use IS_ENABLED() macro") subsequently -changed the inclusion of this code to a single check that -CONFIG_LEDS_CLASS is either builtin or a module, but the same issue -remains. - -This leads to MIPS allmodconfig builds failing when CONFIG_MACH_TX49XX=y -is set: - -arch/mips/txx9/rbtx4939/setup.o: In function `rbtx4939_led_probe': -setup.c:(.init.text+0xc0): undefined reference to `of_led_classdev_register' -make: *** [Makefile:999: vmlinux] Error 1 - -Fix this by using the IS_BUILTIN() macro instead. - -Fixes: b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support") -Signed-off-by: Matt Redfearn -Reviewed-by: James Hogan -Cc: Ralf Baechle -Cc: linux-mips@linux-mips.org -Patchwork: https://patchwork.linux-mips.org/patch/18544/ -Signed-off-by: James Hogan -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/txx9/rbtx4939/setup.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/mips/txx9/rbtx4939/setup.c -+++ b/arch/mips/txx9/rbtx4939/setup.c -@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_p - - #define RBTX4939_MAX_7SEGLEDS 8 - --#if IS_ENABLED(CONFIG_LEDS_CLASS) -+#if IS_BUILTIN(CONFIG_LEDS_CLASS) - static u8 led_val[RBTX4939_MAX_7SEGLEDS]; - struct rbtx4939_led_data { - struct led_classdev cdev; -@@ -261,7 +261,7 @@ static inline void rbtx4939_led_setup(vo - - static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val) - { --#if IS_ENABLED(CONFIG_LEDS_CLASS) -+#if IS_BUILTIN(CONFIG_LEDS_CLASS) - unsigned long flags; - local_irq_save(flags); - /* bit7: reserved for LED class */ diff --git a/queue-4.4/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch b/queue-4.4/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch deleted file mode 100644 index 75310701d2d..00000000000 --- a/queue-4.4/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch +++ /dev/null @@ -1,78 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Huang Ying -Date: Thu, 5 Apr 2018 16:23:20 -0700 -Subject: mm: fix races between address_space dereference and free in page_evicatable - -From: Huang Ying - -[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ] - -When page_mapping() is called and the mapping is dereferenced in -page_evicatable() through shrink_active_list(), it is possible for the -inode to be truncated and the embedded address space to be freed at the -same time. This may lead to the following race. - -CPU1 CPU2 - -truncate(inode) shrink_active_list() - ... page_evictable(page) - truncate_inode_page(mapping, page); - delete_from_page_cache(page) - spin_lock_irqsave(&mapping->tree_lock, flags); - __delete_from_page_cache(page, NULL) - page_cache_tree_delete(..) - ... mapping = page_mapping(page); - page->mapping = NULL; - ... - spin_unlock_irqrestore(&mapping->tree_lock, flags); - page_cache_free_page(mapping, page) - put_page(page) - if (put_page_testzero(page)) -> false -- inode now has no pages and can be freed including embedded address_space - - mapping_unevictable(mapping) - test_bit(AS_UNEVICTABLE, &mapping->flags); -- we've dereferenced mapping which is potentially already free. - -Similar race exists between swap cache freeing and page_evicatable() -too. - -The address_space in inode and swap cache will be freed after a RCU -grace period. So the races are fixed via enclosing the page_mapping() -and address_space usage in rcu_read_lock/unlock(). Some comments are -added in code to make it clear what is protected by the RCU read lock. - -Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com -Signed-off-by: "Huang, Ying" -Reviewed-by: Jan Kara -Reviewed-by: Andrew Morton -Cc: Mel Gorman -Cc: Minchan Kim -Cc: "Huang, Ying" -Cc: Johannes Weiner -Cc: Michal Hocko -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -3835,7 +3835,13 @@ int zone_reclaim(struct zone *zone, gfp_ - */ - int page_evictable(struct page *page) - { -- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); -+ int ret; -+ -+ /* Prevent address_space of inode and swap cache from being freed */ -+ rcu_read_lock(); -+ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); -+ rcu_read_unlock(); -+ return ret; - } - - #ifdef CONFIG_SHMEM diff --git a/queue-4.4/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch b/queue-4.4/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch deleted file mode 100644 index 142d6b17563..00000000000 --- a/queue-4.4/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch +++ /dev/null @@ -1,79 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Vinayak Menon -Date: Wed, 28 Mar 2018 16:01:16 -0700 -Subject: mm/kmemleak.c: wait for scan completion before disabling free - -From: Vinayak Menon - -[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ] - -A crash is observed when kmemleak_scan accesses the object->pointer, -likely due to the following race. - - TASK A TASK B TASK C - kmemleak_write - (with "scan" and - NOT "scan=on") - kmemleak_scan() - create_object - kmem_cache_alloc fails - kmemleak_disable - kmemleak_do_cleanup - kmemleak_free_enabled = 0 - kfree - kmemleak_free bails out - (kmemleak_free_enabled is 0) - slub frees object->pointer - update_checksum - crash - object->pointer - freed (DEBUG_PAGEALLOC) - -kmemleak_do_cleanup waits for the scan thread to complete, but not for -direct call to kmemleak_scan via kmemleak_write. So add a wait for -kmemleak_scan completion before disabling kmemleak_free, and while at it -fix the comment on stop_scan_thread. - -[vinmenon@codeaurora.org: fix stop_scan_thread comment] - Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org -Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org -Signed-off-by: Vinayak Menon -Reviewed-by: Catalin Marinas -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/kmemleak.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/mm/kmemleak.c -+++ b/mm/kmemleak.c -@@ -1524,8 +1524,7 @@ static void start_scan_thread(void) - } - - /* -- * Stop the automatic memory scanning thread. This function must be called -- * with the scan_mutex held. -+ * Stop the automatic memory scanning thread. - */ - static void stop_scan_thread(void) - { -@@ -1788,12 +1787,15 @@ static void kmemleak_do_cleanup(struct w - { - stop_scan_thread(); - -+ mutex_lock(&scan_mutex); - /* -- * Once the scan thread has stopped, it is safe to no longer track -- * object freeing. Ordering of the scan thread stopping and the memory -- * accesses below is guaranteed by the kthread_stop() function. -+ * Once it is made sure that kmemleak_scan has stopped, it is safe to no -+ * longer track object freeing. Ordering of the scan thread stopping and -+ * the memory accesses below is guaranteed by the kthread_stop() -+ * function. - */ - kmemleak_free_enabled = 0; -+ mutex_unlock(&scan_mutex); - - if (!kmemleak_found_leaks) - __kmemleak_do_cleanup(); diff --git a/queue-4.4/mm-ksm-fix-interaction-with-thp.patch b/queue-4.4/mm-ksm-fix-interaction-with-thp.patch deleted file mode 100644 index 96e82848934..00000000000 --- a/queue-4.4/mm-ksm-fix-interaction-with-thp.patch +++ /dev/null @@ -1,103 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Claudio Imbrenda -Date: Thu, 5 Apr 2018 16:25:41 -0700 -Subject: mm/ksm: fix interaction with THP - -From: Claudio Imbrenda - -[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ] - -This patch fixes a corner case for KSM. When two pages belong or -belonged to the same transparent hugepage, and they should be merged, -KSM fails to split the page, and therefore no merging happens. - -This bug can be reproduced by: -* making sure ksm is running (in case disabling ksmtuned) -* enabling transparent hugepages -* allocating a THP-aligned 1-THP-sized buffer - e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21) -* filling it with the same values - e.g. memset(p, 42, 1<<21) -* performing madvise to make it mergeable - e.g. madvise(p, 1<<21, MADV_MERGEABLE) -* waiting for KSM to perform a few scans - -The expected outcome is that the all the pages get merged (1 shared and -the rest sharing); the actual outcome is that no pages get merged (1 -unshared and the rest volatile) - -The reason of this behaviour is that we increase the reference count -once for both pages we want to merge, but if they belong to the same -hugepage (or compound page), the reference counter used in both cases is -the one of the head of the compound page. This means that -split_huge_page will find a value of the reference counter too high and -will fail. - -This patch solves this problem by testing if the two pages to merge -belong to the same hugepage when attempting to merge them. If so, the -hugepage is split safely. This means that the hugepage is not split if -not necessary. - -Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com -Signed-off-by: Claudio Imbrenda -Co-authored-by: Gerald Schaefer -Reviewed-by: Andrew Morton -Cc: Andrea Arcangeli -Cc: Minchan Kim -Cc: Kirill A. Shutemov -Cc: Hugh Dickins -Cc: Christian Borntraeger -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/ksm.c | 28 ++++++++++++++++++++++++++++ - 1 file changed, 28 insertions(+) - ---- a/mm/ksm.c -+++ b/mm/ksm.c -@@ -1494,8 +1494,22 @@ static void cmp_and_merge_page(struct pa - tree_rmap_item = - unstable_tree_search_insert(rmap_item, page, &tree_page); - if (tree_rmap_item) { -+ bool split; -+ - kpage = try_to_merge_two_pages(rmap_item, page, - tree_rmap_item, tree_page); -+ /* -+ * If both pages we tried to merge belong to the same compound -+ * page, then we actually ended up increasing the reference -+ * count of the same compound page twice, and split_huge_page -+ * failed. -+ * Here we set a flag if that happened, and we use it later to -+ * try split_huge_page again. Since we call put_page right -+ * afterwards, the reference count will be correct and -+ * split_huge_page should succeed. -+ */ -+ split = PageTransCompound(page) -+ && compound_head(page) == compound_head(tree_page); - put_page(tree_page); - if (kpage) { - /* -@@ -1520,6 +1534,20 @@ static void cmp_and_merge_page(struct pa - break_cow(tree_rmap_item); - break_cow(rmap_item); - } -+ } else if (split) { -+ /* -+ * We are here if we tried to merge two pages and -+ * failed because they both belonged to the same -+ * compound page. We will split the page now, but no -+ * merging will take place. -+ * We do not want to add the cost of a full lock; if -+ * the page is locked, it is better to skip it and -+ * perhaps try again later. -+ */ -+ if (!trylock_page(page)) -+ return; -+ split_huge_page(page); -+ unlock_page(page); - } - } - } diff --git a/queue-4.4/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch b/queue-4.4/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch deleted file mode 100644 index 6f781e2fe82..00000000000 --- a/queue-4.4/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch +++ /dev/null @@ -1,63 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yisheng Xie -Date: Wed, 31 Jan 2018 16:16:15 -0800 -Subject: mm/mempolicy: add nodes_empty check in SYSC_migrate_pages - -From: Yisheng Xie - -[ Upstream commit 0486a38bcc4749808edbc848f1bcf232042770fc ] - -As in manpage of migrate_pages, the errno should be set to EINVAL when -none of the node IDs specified by new_nodes are on-line and allowed by -the process's current cpuset context, or none of the specified nodes -contain memory. However, when test by following case: - - new_nodes = 0; - old_nodes = 0xf; - ret = migrate_pages(pid, old_nodes, new_nodes, MAX); - -The ret will be 0 and no errno is set. As the new_nodes is empty, we -should expect EINVAL as documented. - -To fix the case like above, this patch check whether target nodes AND -current task_nodes is empty, and then check whether AND -node_states[N_MEMORY] is empty. - -Link: http://lkml.kernel.org/r/1510882624-44342-4-git-send-email-xieyisheng1@huawei.com -Signed-off-by: Yisheng Xie -Acked-by: Vlastimil Babka -Cc: Andi Kleen -Cc: Chris Salls -Cc: Christopher Lameter -Cc: David Rientjes -Cc: Ingo Molnar -Cc: Naoya Horiguchi -Cc: Tan Xiaojun -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/mempolicy.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -1410,10 +1410,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi - goto out_put; - } - -- if (!nodes_subset(*new, node_states[N_MEMORY])) { -- err = -EINVAL; -+ task_nodes = cpuset_mems_allowed(current); -+ nodes_and(*new, *new, task_nodes); -+ if (nodes_empty(*new)) -+ goto out_put; -+ -+ nodes_and(*new, *new, node_states[N_MEMORY]); -+ if (nodes_empty(*new)) - goto out_put; -- } - - err = security_task_movememory(task); - if (err) diff --git a/queue-4.4/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch b/queue-4.4/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch deleted file mode 100644 index 233da1cb4db..00000000000 --- a/queue-4.4/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch +++ /dev/null @@ -1,110 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yisheng Xie -Date: Wed, 31 Jan 2018 16:16:11 -0800 -Subject: mm/mempolicy: fix the check of nodemask from user - -From: Yisheng Xie - -[ Upstream commit 56521e7a02b7b84a5e72691a1fb15570e6055545 ] - -As Xiaojun reported the ltp of migrate_pages01 will fail on arm64 system -which has 4 nodes[0...3], all have memory and CONFIG_NODES_SHIFT=2: - - migrate_pages01 0 TINFO : test_invalid_nodes - migrate_pages01 14 TFAIL : migrate_pages_common.c:45: unexpected failure - returned value = 0, expected: -1 - migrate_pages01 15 TFAIL : migrate_pages_common.c:55: call succeeded unexpectedly - -In this case the test_invalid_nodes of migrate_pages01 will call: -SYSC_migrate_pages as: - - migrate_pages(0, , {0x0000000000000001}, 64, , {0x0000000000000010}, 64) = 0 - -The new nodes specifies one or more node IDs that are greater than the -maximum supported node ID, however, the errno is not set to EINVAL as -expected. - -As man pages of set_mempolicy[1], mbind[2], and migrate_pages[3] -mentioned, when nodemask specifies one or more node IDs that are greater -than the maximum supported node ID, the errno should set to EINVAL. -However, get_nodes only check whether the part of bits -[BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES), maxnode) is zero or not, and -remain [MAX_NUMNODES, BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES) -unchecked. - -This patch is to check the bits of [MAX_NUMNODES, maxnode) in get_nodes -to let migrate_pages set the errno to EINVAL when nodemask specifies one -or more node IDs that are greater than the maximum supported node ID, -which follows the manpage's guide. - -[1] http://man7.org/linux/man-pages/man2/set_mempolicy.2.html -[2] http://man7.org/linux/man-pages/man2/mbind.2.html -[3] http://man7.org/linux/man-pages/man2/migrate_pages.2.html - -Link: http://lkml.kernel.org/r/1510882624-44342-3-git-send-email-xieyisheng1@huawei.com -Signed-off-by: Yisheng Xie -Reported-by: Tan Xiaojun -Acked-by: Vlastimil Babka -Cc: Andi Kleen -Cc: Chris Salls -Cc: Christopher Lameter -Cc: David Rientjes -Cc: Ingo Molnar -Cc: Naoya Horiguchi -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/mempolicy.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -1232,6 +1232,7 @@ static int get_nodes(nodemask_t *nodes, - unsigned long maxnode) - { - unsigned long k; -+ unsigned long t; - unsigned long nlongs; - unsigned long endmask; - -@@ -1248,13 +1249,19 @@ static int get_nodes(nodemask_t *nodes, - else - endmask = (1UL << (maxnode % BITS_PER_LONG)) - 1; - -- /* When the user specified more nodes than supported just check -- if the non supported part is all zero. */ -+ /* -+ * When the user specified more nodes than supported just check -+ * if the non supported part is all zero. -+ * -+ * If maxnode have more longs than MAX_NUMNODES, check -+ * the bits in that area first. And then go through to -+ * check the rest bits which equal or bigger than MAX_NUMNODES. -+ * Otherwise, just check bits [MAX_NUMNODES, maxnode). -+ */ - if (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) { - if (nlongs > PAGE_SIZE/sizeof(long)) - return -EINVAL; - for (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) { -- unsigned long t; - if (get_user(t, nmask + k)) - return -EFAULT; - if (k == nlongs - 1) { -@@ -1267,6 +1274,16 @@ static int get_nodes(nodemask_t *nodes, - endmask = ~0UL; - } - -+ if (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) { -+ unsigned long valid_mask = endmask; -+ -+ valid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1); -+ if (get_user(t, nmask + nlongs - 1)) -+ return -EFAULT; -+ if (t & valid_mask) -+ return -EINVAL; -+ } -+ - if (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long))) - return -EFAULT; - nodes_addr(*nodes)[nlongs-1] &= endmask; diff --git a/queue-4.4/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch b/queue-4.4/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch deleted file mode 100644 index 066c8e6861c..00000000000 --- a/queue-4.4/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yisheng Xie -Date: Thu, 22 Mar 2018 16:17:02 -0700 -Subject: mm/mempolicy.c: avoid use uninitialized preferred_node - -From: Yisheng Xie - -[ Upstream commit 8970a63e965b43288c4f5f40efbc2bbf80de7f16 ] - -Alexander reported a use of uninitialized memory in __mpol_equal(), -which is caused by incorrect use of preferred_node. - -When mempolicy in mode MPOL_PREFERRED with flags MPOL_F_LOCAL, it uses -numa_node_id() instead of preferred_node, however, __mpol_equal() uses -preferred_node without checking whether it is MPOL_F_LOCAL or not. - -[akpm@linux-foundation.org: slight comment tweak] -Link: http://lkml.kernel.org/r/4ebee1c2-57f6-bcb8-0e2d-1833d1ee0bb7@huawei.com -Fixes: fc36b8d3d819 ("mempolicy: use MPOL_F_LOCAL to Indicate Preferred Local Policy") -Signed-off-by: Yisheng Xie -Reported-by: Alexander Potapenko -Tested-by: Alexander Potapenko -Reviewed-by: Andrew Morton -Cc: Dmitriy Vyukov -Cc: Vlastimil Babka -Cc: Michal Hocko -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/mempolicy.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -2142,6 +2142,9 @@ bool __mpol_equal(struct mempolicy *a, s - case MPOL_INTERLEAVE: - return !!nodes_equal(a->v.nodes, b->v.nodes); - case MPOL_PREFERRED: -+ /* a's ->flags is the same as b's */ -+ if (a->flags & MPOL_F_LOCAL) -+ return true; - return a->v.preferred_node == b->v.preferred_node; - default: - BUG(); diff --git a/queue-4.4/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch b/queue-4.4/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch deleted file mode 100644 index 8d742df2233..00000000000 --- a/queue-4.4/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch +++ /dev/null @@ -1,96 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mel Gorman -Date: Wed, 31 Jan 2018 16:19:52 -0800 -Subject: mm: pin address_space before dereferencing it while isolating an LRU page - -From: Mel Gorman - -[ Upstream commit 69d763fc6d3aee787a3e8c8c35092b4f4960fa5d ] - -Minchan Kim asked the following question -- what locks protects -address_space destroying when race happens between inode trauncation and -__isolate_lru_page? Jan Kara clarified by describing the race as follows - -CPU1 CPU2 - -truncate(inode) __isolate_lru_page() - ... - truncate_inode_page(mapping, page); - delete_from_page_cache(page) - spin_lock_irqsave(&mapping->tree_lock, flags); - __delete_from_page_cache(page, NULL) - page_cache_tree_delete(..) - ... mapping = page_mapping(page); - page->mapping = NULL; - ... - spin_unlock_irqrestore(&mapping->tree_lock, flags); - page_cache_free_page(mapping, page) - put_page(page) - if (put_page_testzero(page)) -> false -- inode now has no pages and can be freed including embedded address_space - - if (mapping && !mapping->a_ops->migratepage) -- we've dereferenced mapping which is potentially already free. - -The race is theoretically possible but unlikely. Before the -delete_from_page_cache, truncate_cleanup_page is called so the page is -likely to be !PageDirty or PageWriteback which gets skipped by the only -caller that checks the mappping in __isolate_lru_page. Even if the race -occurs, a substantial amount of work has to happen during a tiny window -with no preemption but it could potentially be done using a virtual -machine to artifically slow one CPU or halt it during the critical -window. - -This patch should eliminate the race with truncation by try-locking the -page before derefencing mapping and aborting if the lock was not -acquired. There was a suggestion from Huang Ying to use RCU as a -side-effect to prevent mapping being freed. However, I do not like the -solution as it's an unconventional means of preserving a mapping and -it's not a context where rcu_read_lock is obviously protecting rcu data. - -Link: http://lkml.kernel.org/r/20180104102512.2qos3h5vqzeisrek@techsingularity.net -Fixes: c82449352854 ("mm: compaction: make isolate_lru_page() filter-aware again") -Signed-off-by: Mel Gorman -Acked-by: Minchan Kim -Cc: "Huang, Ying" -Cc: Jan Kara -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -1312,6 +1312,7 @@ int __isolate_lru_page(struct page *page - - if (PageDirty(page)) { - struct address_space *mapping; -+ bool migrate_dirty; - - /* ISOLATE_CLEAN means only clean pages */ - if (mode & ISOLATE_CLEAN) -@@ -1320,10 +1321,19 @@ int __isolate_lru_page(struct page *page - /* - * Only pages without mappings or that have a - * ->migratepage callback are possible to migrate -- * without blocking -+ * without blocking. However, we can be racing with -+ * truncation so it's necessary to lock the page -+ * to stabilise the mapping as truncation holds -+ * the page lock until after the page is removed -+ * from the page cache. - */ -+ if (!trylock_page(page)) -+ return ret; -+ - mapping = page_mapping(page); -- if (mapping && !mapping->a_ops->migratepage) -+ migrate_dirty = mapping && mapping->a_ops->migratepage; -+ unlock_page(page); -+ if (!migrate_dirty) - return ret; - } - } diff --git a/queue-4.4/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch b/queue-4.4/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch deleted file mode 100644 index a30bb2db4b6..00000000000 --- a/queue-4.4/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Florian Fainelli -Date: Sun, 1 Apr 2018 10:26:30 -0700 -Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() - -From: Florian Fainelli - -[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ] - -bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian -32-bit word without using proper accessors, fix this, and because a -length cannot be negative, use unsigned int while at it. - -Fixes: 9cde94506eac ("bgmac: implement scatter/gather support") -Signed-off-by: Florian Fainelli -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/broadcom/bgmac.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/net/ethernet/broadcom/bgmac.c -+++ b/drivers/net/ethernet/broadcom/bgmac.c -@@ -531,7 +531,8 @@ static void bgmac_dma_tx_ring_free(struc - int i; - - for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) { -- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN; -+ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1); -+ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN; - - slot = &ring->slots[i]; - dev_kfree_skb(slot->skb); diff --git a/queue-4.4/net-fix-untag-for-vlan-packets-without-ethernet-header.patch b/queue-4.4/net-fix-untag-for-vlan-packets-without-ethernet-header.patch deleted file mode 100644 index acd00eebfa0..00000000000 --- a/queue-4.4/net-fix-untag-for-vlan-packets-without-ethernet-header.patch +++ /dev/null @@ -1,99 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Toshiaki Makita -Date: Thu, 29 Mar 2018 19:05:29 +0900 -Subject: net: Fix untag for vlan packets without ethernet header - -From: Toshiaki Makita - -[ Upstream commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 ] - -In some situation vlan packets do not have ethernet headers. One example -is packets from tun devices. Users can specify vlan protocol in tun_pi -field instead of IP protocol, and skb_vlan_untag() attempts to untag such -packets. - -skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it) -however did not expect packets without ethernet headers, so in such a case -size argument for memmove() underflowed and triggered crash. - -==== -BUG: unable to handle kernel paging request at ffff8801cccb8000 -IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 -PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101 -Oops: 000b [#1] SMP KASAN -Dumping ftrace buffer: - (ftrace buffer empty) -Modules linked in: -CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 -RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287 -RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2 -RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000 -RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899 -R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4 -R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40 -FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0 -DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 -Call Trace: - memmove include/linux/string.h:360 [inline] - skb_reorder_vlan_header net/core/skbuff.c:5031 [inline] - skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061 - __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460 - __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627 - netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701 - netif_receive_skb+0xae/0x390 net/core/dev.c:4725 - tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555 - tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962 - tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990 - call_write_iter include/linux/fs.h:1782 [inline] - new_sync_write fs/read_write.c:469 [inline] - __vfs_write+0x684/0x970 fs/read_write.c:482 - vfs_write+0x189/0x510 fs/read_write.c:544 - SYSC_write fs/read_write.c:589 [inline] - SyS_write+0xef/0x220 fs/read_write.c:581 - do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 -RIP: 0033:0x454879 -RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 -RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879 -RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014 -RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff -R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000 -Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 -RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28 -CR2: ffff8801cccb8000 -==== - -We don't need to copy headers for packets which do not have preceding -headers of vlan headers, so skip memmove() in that case. - -Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off") -Reported-by: Eric Dumazet -Signed-off-by: Toshiaki Makita -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/core/skbuff.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -4302,8 +4302,10 @@ static struct sk_buff *skb_reorder_vlan_ - } - - mac_len = skb->data - skb_mac_header(skb); -- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), -- mac_len - VLAN_HLEN - ETH_TLEN); -+ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) { -+ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), -+ mac_len - VLAN_HLEN - ETH_TLEN); -+ } - skb->mac_header += VLAN_HLEN; - return skb; - } diff --git a/queue-4.4/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch b/queue-4.4/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch deleted file mode 100644 index 33ebb5f8e5d..00000000000 --- a/queue-4.4/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch +++ /dev/null @@ -1,120 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Toshiaki Makita -Date: Tue, 13 Mar 2018 14:51:27 +0900 -Subject: net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off - -From: Toshiaki Makita - -[ Upstream commit 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61 ] - -When we have a bridge with vlan_filtering on and a vlan device on top of -it, packets would be corrupted in skb_vlan_untag() called from -br_dev_xmit(). - -The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(), -which makes use of skb->mac_len. In this function mac_len is meant for -handling rx path with vlan devices with reorder_header disabled, but in -tx path mac_len is typically 0 and cannot be used, which is the problem -in this case. - -The current code even does not properly handle rx path (skb_vlan_untag() -called from __netif_receive_skb_core()) with reorder_header off actually. - -In rx path single tag case, it works as follows: - -- Before skb_reorder_vlan_header() - - mac_header data - v v - +-------------------+-------------+------+---- - | ETH | VLAN | ETH | - | ADDRS | TPID | TCI | TYPE | - +-------------------+-------------+------+---- - <-------- mac_len ---------> - <-------------> - to be removed - -- After skb_reorder_vlan_header() - - mac_header data - v v - +-------------------+------+---- - | ETH | ETH | - | ADDRS | TYPE | - +-------------------+------+---- - <-------- mac_len ---------> - -This is ok, but in rx double tag case, it corrupts packets: - -- Before skb_reorder_vlan_header() - - mac_header data - v v - +-------------------+-------------+-------------+------+---- - | ETH | VLAN | VLAN | ETH | - | ADDRS | TPID | TCI | TPID | TCI | TYPE | - +-------------------+-------------+-------------+------+---- - <--------------- mac_len ----------------> - <-------------> - should be removed - <---------------------------> - actually will be removed - -- After skb_reorder_vlan_header() - - mac_header data - v v - +-------------------+------+---- - | ETH | ETH | - | ADDRS | TYPE | - +-------------------+------+---- - <--------------- mac_len ----------------> - -So, two of vlan tags are both removed while only inner one should be -removed and mac_header (and mac_len) is broken. - -skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2), -so use skb->data and skb->mac_header to calculate the right offset. - -Reported-by: Brandon Carpenter -Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off") -Signed-off-by: Toshiaki Makita -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/uapi/linux/if_ether.h | 1 + - net/core/skbuff.c | 7 +++++-- - 2 files changed, 6 insertions(+), 2 deletions(-) - ---- a/include/uapi/linux/if_ether.h -+++ b/include/uapi/linux/if_ether.h -@@ -29,6 +29,7 @@ - */ - - #define ETH_ALEN 6 /* Octets in one ethernet addr */ -+#define ETH_TLEN 2 /* Octets in ethernet type field */ - #define ETH_HLEN 14 /* Total octets in header. */ - #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */ - #define ETH_DATA_LEN 1500 /* Max. octets in payload */ ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -4294,13 +4294,16 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_segl - - static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) - { -+ int mac_len; -+ - if (skb_cow(skb, skb_headroom(skb)) < 0) { - kfree_skb(skb); - return NULL; - } - -- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, -- 2 * ETH_ALEN); -+ mac_len = skb->data - skb_mac_header(skb); -+ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), -+ mac_len - VLAN_HLEN - ETH_TLEN); - skb->mac_header += VLAN_HLEN; - return skb; - } diff --git a/queue-4.4/net-mlx5-protect-from-command-bit-overflow.patch b/queue-4.4/net-mlx5-protect-from-command-bit-overflow.patch deleted file mode 100644 index 8d946d4df77..00000000000 --- a/queue-4.4/net-mlx5-protect-from-command-bit-overflow.patch +++ /dev/null @@ -1,60 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Leon Romanovsky -Date: Tue, 2 Jan 2018 16:49:56 +0200 -Subject: net/mlx5: Protect from command bit overflow - -From: Leon Romanovsky - -[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ] - -The system with CONFIG_UBSAN enabled on produces the following error -during driver initialization. The reason to it that max_reg_cmds can be -larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long. - -================================================================================ -UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42 -signed integer overflow: --2147483648 - 1 cannot be represented in type 'int' -CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 -Call Trace: - dump_stack+0xe9/0x18f - ? dma_virt_alloc+0x81/0x81 - ubsan_epilogue+0xe/0x4e - handle_overflow+0x187/0x20c - mlx5_cmd_init+0x73a/0x12b0 - mlx5_load_one+0x1c3d/0x1d30 - init_one+0xd02/0xf10 - pci_device_probe+0x26c/0x3b0 - driver_probe_device+0x622/0xb40 - __driver_attach+0x175/0x1b0 - bus_for_each_dev+0xef/0x190 - bus_add_driver+0x2db/0x490 - driver_register+0x16b/0x1e0 - __pci_register_driver+0x177/0x1b0 - init+0x6d/0x92 - do_one_initcall+0x15b/0x270 - kernel_init_freeable+0x2d8/0x3d0 - kernel_init+0x14/0x190 - ret_from_fork+0x24/0x30 -================================================================================ - -Signed-off-by: Leon Romanovsky -Signed-off-by: Saeed Mahameed -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c -@@ -1623,7 +1623,7 @@ int mlx5_cmd_init(struct mlx5_core_dev * - - cmd->checksum_disabled = 1; - cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; -- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1; -+ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; - - cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; - if (cmd->cmdif_rev > CMD_IF_REV) { diff --git a/queue-4.4/net-mvneta-fix-enable-of-all-initialized-rxqs.patch b/queue-4.4/net-mvneta-fix-enable-of-all-initialized-rxqs.patch deleted file mode 100644 index cafdf2f4e09..00000000000 --- a/queue-4.4/net-mvneta-fix-enable-of-all-initialized-rxqs.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Yelena Krivosheev -Date: Fri, 30 Mar 2018 12:05:31 +0200 -Subject: net: mvneta: fix enable of all initialized RXQs - -From: Yelena Krivosheev - -[ Upstream commit e81b5e01c14add8395dfba7130f8829206bb507d ] - -In mvneta_port_up() we enable relevant RX and TX port queues by write -queues bit map to an appropriate register. - -q_map must be ZERO in the beginning of this process. - -Signed-off-by: Yelena Krivosheev -Signed-off-by: Gregory CLEMENT -Acked-by: Thomas Petazzoni -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/marvell/mvneta.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/net/ethernet/marvell/mvneta.c -+++ b/drivers/net/ethernet/marvell/mvneta.c -@@ -818,6 +818,7 @@ static void mvneta_port_up(struct mvneta - } - mvreg_write(pp, MVNETA_TXQ_CMD, q_map); - -+ q_map = 0; - /* Enable all initialized RXQs. */ - mvreg_write(pp, MVNETA_RXQ_CMD, BIT(rxq_def)); - } diff --git a/queue-4.4/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch b/queue-4.4/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch deleted file mode 100644 index c006bf292b5..00000000000 --- a/queue-4.4/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Pawel Dembicki -Date: Sat, 24 Mar 2018 22:08:14 +0100 -Subject: net: qmi_wwan: add BroadMobi BM806U 2020:2033 - -From: Pawel Dembicki - -[ Upstream commit 743989254ea9f132517806d8893ca9b6cf9dc86b ] - -BroadMobi BM806U is an Qualcomm MDM9225 based 3G/4G modem. -Tested hardware BM806U is mounted on D-Link DWR-921-C3 router. -The USB id is added to qmi_wwan.c to allow QMI communication with -the BM806U. - -Tested on 4.14 kernel and OpenWRT. - -Signed-off-by: Pawel Dembicki -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/usb/qmi_wwan.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/net/usb/qmi_wwan.c -+++ b/drivers/net/usb/qmi_wwan.c -@@ -712,6 +712,7 @@ static const struct usb_device_id produc - {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ - {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ - {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ -+ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ - {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ - {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ - {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ diff --git a/queue-4.4/net-tcp-illinois-replace-broken-algorithm-reference-link.patch b/queue-4.4/net-tcp-illinois-replace-broken-algorithm-reference-link.patch deleted file mode 100644 index 2708eb8a701..00000000000 --- a/queue-4.4/net-tcp-illinois-replace-broken-algorithm-reference-link.patch +++ /dev/null @@ -1,47 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Joey Pabalinas -Date: Tue, 27 Feb 2018 22:05:53 -1000 -Subject: net/tcp/illinois: replace broken algorithm reference link - -From: Joey Pabalinas - -[ Upstream commit ecc832758a654e375924ebf06a4ac971acb5ce60 ] - -The link to the pdf containing the algorithm description is now a -dead link; it seems http://www.ifp.illinois.edu/~srikant/ has been -moved to https://sites.google.com/a/illinois.edu/srikant/ and none of -the original papers can be found there... - -I have replaced it with the only working copy I was able to find. - -n.b. there is also a copy available at: - -http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.6350&rep=rep1&type=pdf - -However, this seems to only be a *cached* version, so I am unsure -exactly how reliable that link can be expected to remain over time -and have decided against using that one. - -Signed-off-by: Joey Pabalinas - - net/ipv4/tcp_illinois.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv4/tcp_illinois.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/ipv4/tcp_illinois.c -+++ b/net/ipv4/tcp_illinois.c -@@ -6,7 +6,7 @@ - * The algorithm is described in: - * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm - * for High-Speed Networks" -- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf -+ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf - * - * Implemented from description in paper and ns-2 simulation. - * Copyright (C) 2007 Stephen Hemminger diff --git a/queue-4.4/net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch b/queue-4.4/net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch deleted file mode 100644 index 0b4b4278d9b..00000000000 --- a/queue-4.4/net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch +++ /dev/null @@ -1,67 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Giuseppe Lippolis -Date: Mon, 26 Mar 2018 16:34:39 +0200 -Subject: net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 - -From: Giuseppe Lippolis - -[ Upstream commit d4c4bc11353f3bea6754f7d21e3612c9f32d1d64 ] - -This modem is embedded on dlink dwr-921 router. - The oem configuration states: - - T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 - D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 - P: Vendor=1435 ProdID=0918 Rev= 2.32 - S: Manufacturer=Android - S: Product=Android - S: SerialNumber=0123456789ABCDEF - C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA - I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option - E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) - E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option - E: Ad=84(I) Atr=03(Int.) MxPS= 64 Ivl=32ms - E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan - E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=32ms - E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan - E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms - E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan - E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=32ms - E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms - I:* If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) - E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms - E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=125us - -Tested on openwrt distribution - -Signed-off-by: Giuseppe Lippolis -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/usb/qmi_wwan.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/net/usb/qmi_wwan.c -+++ b/drivers/net/usb/qmi_wwan.c -@@ -636,6 +636,9 @@ static const struct usb_device_id produc - {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, - {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ - {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ -+ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ -+ {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */ -+ {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */ - {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */ - {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */ - {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */ diff --git a/queue-4.4/net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch b/queue-4.4/net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch deleted file mode 100644 index 0321873dc29..00000000000 --- a/queue-4.4/net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch +++ /dev/null @@ -1,29 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Torsten Hilbrich -Date: Mon, 26 Mar 2018 07:19:57 +0200 -Subject: net/usb/qmi_wwan.c: Add USB id for lt4120 modem - -From: Torsten Hilbrich - -[ Upstream commit f3d801baf118c9d452ee7c278df16880c892e669 ] - -This is needed to support the modem found in HP EliteBook 820 G3. - -Signed-off-by: Torsten Hilbrich -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/usb/qmi_wwan.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/net/usb/qmi_wwan.c -+++ b/drivers/net/usb/qmi_wwan.c -@@ -762,6 +762,7 @@ static const struct usb_device_id produc - {QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ - {QMI_FIXED_INTF(0x413c, 0x81b1, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ - {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */ -+ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ - {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ - {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */ - diff --git a/queue-4.4/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch b/queue-4.4/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch deleted file mode 100644 index 0b2fdae97ff..00000000000 --- a/queue-4.4/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch +++ /dev/null @@ -1,107 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Florian Westphal -Date: Mon, 19 Feb 2018 01:24:53 +0100 -Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs - -From: Florian Westphal - -[ Upstream commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca ] - -All of these conditions are not fatal and should have -been WARN_ONs from the get-go. - -Convert them to WARN_ONs and bail out. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++--------- - 1 file changed, 18 insertions(+), 9 deletions(-) - ---- a/net/bridge/netfilter/ebtables.c -+++ b/net/bridge/netfilter/ebtables.c -@@ -1614,7 +1614,8 @@ static int compat_match_to_user(struct e - int off = ebt_compat_match_offset(match, m->match_size); - compat_uint_t msize = m->match_size - off; - -- BUG_ON(off >= m->match_size); -+ if (WARN_ON(off >= m->match_size)) -+ return -EINVAL; - - if (copy_to_user(cm->u.name, match->name, - strlen(match->name) + 1) || put_user(msize, &cm->match_size)) -@@ -1641,7 +1642,8 @@ static int compat_target_to_user(struct - int off = xt_compat_target_offset(target); - compat_uint_t tsize = t->target_size - off; - -- BUG_ON(off >= t->target_size); -+ if (WARN_ON(off >= t->target_size)) -+ return -EINVAL; - - if (copy_to_user(cm->u.name, target->name, - strlen(target->name) + 1) || put_user(tsize, &cm->match_size)) -@@ -1869,7 +1871,8 @@ static int ebt_buf_add(struct ebt_entrie - if (state->buf_kern_start == NULL) - goto count_only; - -- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len); -+ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len)) -+ return -EINVAL; - - memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz); - -@@ -1882,7 +1885,8 @@ static int ebt_buf_add_pad(struct ebt_en - { - char *b = state->buf_kern_start; - -- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len); -+ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len)) -+ return -EINVAL; - - if (b != NULL && sz > 0) - memset(b + state->buf_kern_offset, 0, sz); -@@ -1959,8 +1963,10 @@ static int compat_mtw_from_user(struct c - pad = XT_ALIGN(size_kern) - size_kern; - - if (pad > 0 && dst) { -- BUG_ON(state->buf_kern_len <= pad); -- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad); -+ if (WARN_ON(state->buf_kern_len <= pad)) -+ return -EINVAL; -+ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad)) -+ return -EINVAL; - memset(dst + size_kern, 0, pad); - } - return off + match_size; -@@ -2011,7 +2017,8 @@ static int ebt_size_mwt(struct compat_eb - if (ret < 0) - return ret; - -- BUG_ON(ret < match32->match_size); -+ if (WARN_ON(ret < match32->match_size)) -+ return -EINVAL; - growth += ret - match32->match_size; - growth += ebt_compat_entry_padsize(); - -@@ -2121,7 +2128,8 @@ static int size_entry_mwt(struct ebt_ent - - startoff = state->buf_user_offset - startoff; - -- BUG_ON(*total < startoff); -+ if (WARN_ON(*total < startoff)) -+ return -EINVAL; - *total -= startoff; - return 0; - } -@@ -2249,7 +2257,8 @@ static int compat_do_replace(struct net - state.buf_kern_len = size64; - - ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); -- BUG_ON(ret < 0); /* parses same data again */ -+ if (WARN_ON(ret < 0)) -+ goto out_unlock; - - vfree(entries_tmp); - tmp.entries_size = size64; diff --git a/queue-4.4/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch b/queue-4.4/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch deleted file mode 100644 index 2382094f3c5..00000000000 --- a/queue-4.4/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Florian Westphal -Date: Thu, 8 Mar 2018 12:54:19 +0100 -Subject: netfilter: ebtables: fix erroneous reject of last rule - -From: Florian Westphal - -[ Upstream commit 932909d9b28d27e807ff8eecb68c7748f6701628 ] - -The last rule in the blob has next_entry offset that is same as total size. -This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel. - -Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/bridge/netfilter/ebtables.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/net/bridge/netfilter/ebtables.c -+++ b/net/bridge/netfilter/ebtables.c -@@ -2088,8 +2088,12 @@ static int size_entry_mwt(struct ebt_ent - * offsets are relative to beginning of struct ebt_entry (i.e., 0). - */ - for (i = 0; i < 4 ; ++i) { -- if (offsets[i] >= *total) -+ if (offsets[i] > *total) - return -EINVAL; -+ -+ if (i < 3 && offsets[i] == *total) -+ return -EINVAL; -+ - if (i == 0) - continue; - if (offsets[i-1] > offsets[i]) diff --git a/queue-4.4/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch b/queue-4.4/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch deleted file mode 100644 index 80e1b9c905b..00000000000 --- a/queue-4.4/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Richard Haines -Date: Mon, 13 Nov 2017 20:54:22 +0000 -Subject: netlabel: If PF_INET6, check sk_buff ip header version - -From: Richard Haines - -[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ] - -When resolving a fallback label, check the sk_buff version as it -is possible (e.g. SCTP) to have family = PF_INET6 while -receiving ip_hdr(skb)->version = 4. - -Signed-off-by: Richard Haines -Acked-by: Paul Moore -Signed-off-by: Paul Moore -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/netlabel/netlabel_unlabeled.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - ---- a/net/netlabel/netlabel_unlabeled.c -+++ b/net/netlabel/netlabel_unlabeled.c -@@ -1469,6 +1469,16 @@ int netlbl_unlabel_getattr(const struct - iface = rcu_dereference(netlbl_unlhsh_def); - if (iface == NULL || !iface->valid) - goto unlabel_getattr_nolabel; -+ -+#if IS_ENABLED(CONFIG_IPV6) -+ /* When resolving a fallback label, check the sk_buff version as -+ * it is possible (e.g. SCTP) to have family = PF_INET6 while -+ * receiving ip_hdr(skb)->version = 4. -+ */ -+ if (family == PF_INET6 && ip_hdr(skb)->version == 4) -+ family = PF_INET; -+#endif /* IPv6 */ -+ - switch (family) { - case PF_INET: { - struct iphdr *hdr4; diff --git a/queue-4.4/nfc-llcp-limit-size-of-sdp-uri.patch b/queue-4.4/nfc-llcp-limit-size-of-sdp-uri.patch deleted file mode 100644 index 278d1f2552f..00000000000 --- a/queue-4.4/nfc-llcp-limit-size-of-sdp-uri.patch +++ /dev/null @@ -1,48 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Kees Cook -Date: Wed, 14 Feb 2018 15:45:07 -0800 -Subject: NFC: llcp: Limit size of SDP URI - -From: Kees Cook - -[ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ] - -The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce -this both in the NLA policy and in the code that performs the allocation -and copy, to avoid writing past the end of the allocated buffer. - -Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface") -Signed-off-by: Kees Cook -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/nfc/llcp_commands.c | 4 ++++ - net/nfc/netlink.c | 3 ++- - 2 files changed, 6 insertions(+), 1 deletion(-) - ---- a/net/nfc/llcp_commands.c -+++ b/net/nfc/llcp_commands.c -@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_ - - pr_debug("uri: %s, len: %zu\n", uri, uri_len); - -+ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */ -+ if (WARN_ON_ONCE(uri_len > U8_MAX - 4)) -+ return NULL; -+ - sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL); - if (sdreq == NULL) - return NULL; ---- a/net/nfc/netlink.c -+++ b/net/nfc/netlink.c -@@ -68,7 +68,8 @@ static const struct nla_policy nfc_genl_ - }; - - static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = { -- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING }, -+ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING, -+ .len = U8_MAX - 4 }, - [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 }, - }; - diff --git a/queue-4.4/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch b/queue-4.4/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch deleted file mode 100644 index 7a11350113b..00000000000 --- a/queue-4.4/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jan Chochol -Date: Fri, 5 Jan 2018 08:39:12 +0100 -Subject: nfs: Do not convert nfs_idmap_cache_timeout to jiffies - -From: Jan Chochol - -[ Upstream commit cbebc6ef4fc830f4040d4140bf53484812d5d5d9 ] - -Since commit 57e62324e469 ("NFS: Store the legacy idmapper result in the -keyring") nfs_idmap_cache_timeout changed units from jiffies to seconds. -Unfortunately sysctl interface was not updated accordingly. - -As a effect updating /proc/sys/fs/nfs/idmap_cache_timeout with some -value will incorrectly multiply this value by HZ. -Also reading /proc/sys/fs/nfs/idmap_cache_timeout will show real value -divided by HZ. - -Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring") -Signed-off-by: Jan Chochol -Signed-off-by: Trond Myklebust -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/nfs/nfs4sysctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/nfs/nfs4sysctl.c -+++ b/fs/nfs/nfs4sysctl.c -@@ -31,7 +31,7 @@ static struct ctl_table nfs4_cb_sysctls[ - .data = &nfs_idmap_cache_timeout, - .maxlen = sizeof(int), - .mode = 0644, -- .proc_handler = proc_dointvec_jiffies, -+ .proc_handler = proc_dointvec, - }, - { } - }; diff --git a/queue-4.4/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch b/queue-4.4/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch deleted file mode 100644 index 387d2dd3752..00000000000 --- a/queue-4.4/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch +++ /dev/null @@ -1,104 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: NeilBrown -Date: Wed, 13 Dec 2017 09:57:09 +1100 -Subject: NFSv4: always set NFS_LOCK_LOST when a lock is lost. - -From: NeilBrown - -[ Upstream commit dce2630c7da73b0634686bca557cc8945cc450c8 ] - -There are 2 comments in the NFSv4 code which suggest that -SIGLOST should possibly be sent to a process. In these -cases a lock has been lost. -The current practice is to set NFS_LOCK_LOST so that -read/write returns EIO when a lock is lost. -So change these comments to code when sets NFS_LOCK_LOST. - -One case is when lock recovery after apparent server restart -fails with NFS4ERR_DENIED, NFS4ERR_RECLAIM_BAD, or -NFS4ERRO_RECLAIM_CONFLICT. The other case is when a lock -attempt as part of lease recovery fails with NFS4ERR_DENIED. - -In an ideal world, these should not happen. However I have -a packet trace showing an NFSv4.1 session getting -NFS4ERR_BADSESSION after an extended network parition. The -NFSv4.1 client treats this like server reboot until/unless -it get NFS4ERR_NO_GRACE, in which case it switches over to -"nograce" recovery mode. In this network trace, the client -attempts to recover a lock and the server (incorrectly) -reports NFS4ERR_DENIED rather than NFS4ERR_NO_GRACE. This -leads to the ineffective comment and the client then -continues to write using the OPEN stateid. - -Signed-off-by: NeilBrown -Signed-off-by: Trond Myklebust -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/nfs/nfs4proc.c | 12 ++++++++---- - fs/nfs/nfs4state.c | 5 ++++- - 2 files changed, 12 insertions(+), 5 deletions(-) - ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -1780,7 +1780,7 @@ static int nfs4_open_reclaim(struct nfs4 - return ret; - } - --static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, int err) -+static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, struct file_lock *fl, int err) - { - switch (err) { - default: -@@ -1827,7 +1827,11 @@ static int nfs4_handle_delegation_recall - return -EAGAIN; - case -ENOMEM: - case -NFS4ERR_DENIED: -- /* kill_proc(fl->fl_pid, SIGLOST, 1); */ -+ if (fl) { -+ struct nfs4_lock_state *lsp = fl->fl_u.nfs4_fl.owner; -+ if (lsp) -+ set_bit(NFS_LOCK_LOST, &lsp->ls_flags); -+ } - return 0; - } - return err; -@@ -1863,7 +1867,7 @@ int nfs4_open_delegation_recall(struct n - err = nfs4_open_recover_helper(opendata, FMODE_READ); - } - nfs4_opendata_put(opendata); -- return nfs4_handle_delegation_recall_error(server, state, stateid, err); -+ return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err); - } - - static void nfs4_open_confirm_prepare(struct rpc_task *task, void *calldata) -@@ -6157,7 +6161,7 @@ int nfs4_lock_delegation_recall(struct f - if (err != 0) - return err; - err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW); -- return nfs4_handle_delegation_recall_error(server, state, stateid, err); -+ return nfs4_handle_delegation_recall_error(server, state, stateid, fl, err); - } - - struct nfs_release_lockowner_data { ---- a/fs/nfs/nfs4state.c -+++ b/fs/nfs/nfs4state.c -@@ -1386,6 +1386,7 @@ static int nfs4_reclaim_locks(struct nfs - struct inode *inode = state->inode; - struct nfs_inode *nfsi = NFS_I(inode); - struct file_lock *fl; -+ struct nfs4_lock_state *lsp; - int status = 0; - struct file_lock_context *flctx = inode->i_flctx; - struct list_head *list; -@@ -1426,7 +1427,9 @@ restart: - case -NFS4ERR_DENIED: - case -NFS4ERR_RECLAIM_BAD: - case -NFS4ERR_RECLAIM_CONFLICT: -- /* kill_proc(fl->fl_pid, SIGLOST, 1); */ -+ lsp = fl->fl_u.nfs4_fl.owner; -+ if (lsp) -+ set_bit(NFS_LOCK_LOST, &lsp->ls_flags); - status = 0; - } - spin_lock(&flctx->flc_lock); diff --git a/queue-4.4/ntb_transport-fix-bug-with-max_mw_size-parameter.patch b/queue-4.4/ntb_transport-fix-bug-with-max_mw_size-parameter.patch deleted file mode 100644 index e40b1c9718c..00000000000 --- a/queue-4.4/ntb_transport-fix-bug-with-max_mw_size-parameter.patch +++ /dev/null @@ -1,45 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Logan Gunthorpe -Date: Mon, 18 Dec 2017 11:25:05 -0700 -Subject: ntb_transport: Fix bug with max_mw_size parameter - -From: Logan Gunthorpe - -[ Upstream commit cbd27448faff4843ac4b66cc71445a10623ff48d ] - -When using the max_mw_size parameter of ntb_transport to limit the size of -the Memory windows, communication cannot be established and the queues -freeze. - -This is because the mw_size that's reported to the peer is correctly -limited but the size used locally is not. So the MW is initialized -with a buffer smaller than the window but the TX side is using the -full window. This means the TX side will be writing to a region of the -window that points nowhere. - -This is easily fixed by applying the same limit to tx_size in -ntb_transport_init_queue(). - -Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") -Signed-off-by: Logan Gunthorpe -Acked-by: Allen Hubbe -Cc: Dave Jiang -Signed-off-by: Jon Mason -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/ntb/ntb_transport.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/ntb/ntb_transport.c -+++ b/drivers/ntb/ntb_transport.c -@@ -955,6 +955,9 @@ static int ntb_transport_init_queue(stru - mw_base = nt->mw_vec[mw_num].phys_addr; - mw_size = nt->mw_vec[mw_num].phys_size; - -+ if (max_mw_size && mw_size > max_mw_size) -+ mw_size = max_mw_size; -+ - tx_size = (unsigned int)mw_size / num_qps_mw; - qp_offset = tx_size * (qp_num / mw_count); - diff --git a/queue-4.4/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch b/queue-4.4/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch deleted file mode 100644 index 340e331b8ce..00000000000 --- a/queue-4.4/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jianchao Wang -Date: Thu, 15 Feb 2018 19:13:41 +0800 -Subject: nvme-pci: Fix nvme queue cleanup if IRQ setup fails - -From: Jianchao Wang - -[ Upstream commit f25a2dfc20e3a3ed8fe6618c331799dd7bd01190 ] - -This patch fixes nvme queue cleanup if requesting an IRQ handler for -the queue's vector fails. It does this by resetting the cq_vector to -the uninitialized value of -1 so it is ignored for a controller reset. - -Signed-off-by: Jianchao Wang -[changelog updates, removed misc whitespace changes] -Signed-off-by: Keith Busch -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/nvme/host/pci.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/nvme/host/pci.c -+++ b/drivers/nvme/host/pci.c -@@ -1583,7 +1583,7 @@ static int nvme_create_queue(struct nvme - nvmeq->cq_vector = qid - 1; - result = adapter_alloc_cq(dev, qid, nvmeq); - if (result < 0) -- return result; -+ goto release_vector; - - result = adapter_alloc_sq(dev, qid, nvmeq); - if (result < 0) -@@ -1597,9 +1597,12 @@ static int nvme_create_queue(struct nvme - return result; - - release_sq: -+ dev->online_queues--; - adapter_delete_sq(dev, qid); - release_cq: - adapter_delete_cq(dev, qid); -+ release_vector: -+ nvmeq->cq_vector = -1; - return result; - } - diff --git a/queue-4.4/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch b/queue-4.4/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch deleted file mode 100644 index 4ecc984721c..00000000000 --- a/queue-4.4/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch +++ /dev/null @@ -1,91 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: piaojun -Date: Wed, 31 Jan 2018 16:14:59 -0800 -Subject: ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute - -From: piaojun - -[ Upstream commit 16c8d569f5704a84164f30ff01b29879f3438065 ] - -The race between *set_acl and *get_acl will cause getting incomplete -xattr data as below: - - processA processB - - ocfs2_set_acl - ocfs2_xattr_set - __ocfs2_xattr_set_handle - - ocfs2_get_acl_nolock - ocfs2_xattr_get_nolock: - -processB may get incomplete xattr data if processA hasn't set_acl done. - -So we should use 'ip_xattr_sem' to protect getting extended attribute in -ocfs2_get_acl_nolock(), as other processes could be changing it -concurrently. - -Link: http://lkml.kernel.org/r/5A5DDCFF.7030001@huawei.com -Signed-off-by: Jun Piao -Reviewed-by: Alex Chen -Cc: Mark Fasheh -Cc: Joel Becker -Cc: Junxiao Bi -Cc: Joseph Qi -Cc: Changwei Ge -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/acl.c | 6 ++++++ - fs/ocfs2/xattr.c | 2 ++ - 2 files changed, 8 insertions(+) - ---- a/fs/ocfs2/acl.c -+++ b/fs/ocfs2/acl.c -@@ -314,7 +314,9 @@ struct posix_acl *ocfs2_iop_get_acl(stru - return ERR_PTR(ret); - } - -+ down_read(&OCFS2_I(inode)->ip_xattr_sem); - acl = ocfs2_get_acl_nolock(inode, type, di_bh); -+ up_read(&OCFS2_I(inode)->ip_xattr_sem); - - ocfs2_inode_unlock(inode, 0); - brelse(di_bh); -@@ -333,7 +335,9 @@ int ocfs2_acl_chmod(struct inode *inode, - if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL)) - return 0; - -+ down_read(&OCFS2_I(inode)->ip_xattr_sem); - acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh); -+ up_read(&OCFS2_I(inode)->ip_xattr_sem); - if (IS_ERR(acl) || !acl) - return PTR_ERR(acl); - ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode); -@@ -364,8 +368,10 @@ int ocfs2_init_acl(handle_t *handle, - - if (!S_ISLNK(inode->i_mode)) { - if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { -+ down_read(&OCFS2_I(dir)->ip_xattr_sem); - acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT, - dir_bh); -+ up_read(&OCFS2_I(dir)->ip_xattr_sem); - if (IS_ERR(acl)) - return PTR_ERR(acl); - } ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -639,9 +639,11 @@ int ocfs2_calc_xattr_init(struct inode * - si->value_len); - - if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { -+ down_read(&OCFS2_I(dir)->ip_xattr_sem); - acl_len = ocfs2_xattr_get_nolock(dir, dir_bh, - OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT, - "", NULL, 0); -+ up_read(&OCFS2_I(dir)->ip_xattr_sem); - if (acl_len > 0) { - a_size = ocfs2_xattr_entry_real_size(0, acl_len); - if (S_ISDIR(mode)) diff --git a/queue-4.4/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch b/queue-4.4/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch deleted file mode 100644 index 7ac33006b97..00000000000 --- a/queue-4.4/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch +++ /dev/null @@ -1,133 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jun Piao -Date: Thu, 5 Apr 2018 16:18:48 -0700 -Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown - -From: Jun Piao - -[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ] - -We should not handle migrate lockres if we are already in -'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving -dlm domain. At last other nodes will get stuck into infinite loop when -requsting lock from us. - -The problem is caused by concurrency umount between nodes. Before -receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the -migrate target. So N2 will continue sending lockres to N1 even though -N1 has left domain. - - N1 N2 (owner) - touch file - - access the file, - and get pr lock - - begin leave domain and - pick up N1 as new owner - - begin leave domain and - migrate all lockres done - - begin migrate lockres to N1 - - end leave domain, but - the lockres left - unexpectedly, because - migrate task has passed - -[piaojun@huawei.com: v3] - Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com -Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com -Signed-off-by: Jun Piao -Reviewed-by: Yiwen Jiang -Reviewed-by: Joseph Qi -Reviewed-by: Changwei Ge -Cc: Mark Fasheh -Cc: Joel Becker -Cc: Junxiao Bi -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/dlm/dlmdomain.c | 14 -------------- - fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++- - fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++ - 3 files changed, 33 insertions(+), 15 deletions(-) - ---- a/fs/ocfs2/dlm/dlmdomain.c -+++ b/fs/ocfs2/dlm/dlmdomain.c -@@ -674,20 +674,6 @@ static void dlm_leave_domain(struct dlm_ - spin_unlock(&dlm->spinlock); - } - --int dlm_shutting_down(struct dlm_ctxt *dlm) --{ -- int ret = 0; -- -- spin_lock(&dlm_domain_lock); -- -- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) -- ret = 1; -- -- spin_unlock(&dlm_domain_lock); -- -- return ret; --} -- - void dlm_unregister_domain(struct dlm_ctxt *dlm) - { - int leave = 0; ---- a/fs/ocfs2/dlm/dlmdomain.h -+++ b/fs/ocfs2/dlm/dlmdomain.h -@@ -28,7 +28,30 @@ - extern spinlock_t dlm_domain_lock; - extern struct list_head dlm_domains; - --int dlm_shutting_down(struct dlm_ctxt *dlm); -+static inline int dlm_joined(struct dlm_ctxt *dlm) -+{ -+ int ret = 0; -+ -+ spin_lock(&dlm_domain_lock); -+ if (dlm->dlm_state == DLM_CTXT_JOINED) -+ ret = 1; -+ spin_unlock(&dlm_domain_lock); -+ -+ return ret; -+} -+ -+static inline int dlm_shutting_down(struct dlm_ctxt *dlm) -+{ -+ int ret = 0; -+ -+ spin_lock(&dlm_domain_lock); -+ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) -+ ret = 1; -+ spin_unlock(&dlm_domain_lock); -+ -+ return ret; -+} -+ - void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm, - int node_num); - ---- a/fs/ocfs2/dlm/dlmrecovery.c -+++ b/fs/ocfs2/dlm/dlmrecovery.c -@@ -1377,6 +1377,15 @@ int dlm_mig_lockres_handler(struct o2net - if (!dlm_grab(dlm)) - return -EINVAL; - -+ if (!dlm_joined(dlm)) { -+ mlog(ML_ERROR, "Domain %s not joined! " -+ "lockres %.*s, master %u\n", -+ dlm->name, mres->lockname_len, -+ mres->lockname, mres->master); -+ dlm_put(dlm); -+ return -EINVAL; -+ } -+ - BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION))); - - real_master = mres->master; diff --git a/queue-4.4/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch b/queue-4.4/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch deleted file mode 100644 index 5213d9df7df..00000000000 --- a/queue-4.4/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch +++ /dev/null @@ -1,66 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: piaojun -Date: Wed, 31 Jan 2018 16:14:44 -0800 -Subject: ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid - -From: piaojun - -[ Upstream commit 025bcbde3634b2c9b316f227fed13ad6ad6817fb ] - -If metadata is corrupted such as 'invalid inode block', we will get -failed by calling 'mount()' and then set filesystem readonly as below: - - ocfs2_mount - ocfs2_initialize_super - ocfs2_init_global_system_inodes - ocfs2_iget - ocfs2_read_locked_inode - ocfs2_validate_inode_block - ocfs2_error - ocfs2_handle_error - ocfs2_set_ro_flag(osb, 0); // set readonly - -In this situation we need return -EROFS to 'mount.ocfs2', so that user -can fix it by fsck. And then mount again. In addition, 'mount.ocfs2' -should be updated correspondingly as it only return 1 for all errno. -And I will post a patch for 'mount.ocfs2' too. - -Link: http://lkml.kernel.org/r/5A4302FA.2010606@huawei.com -Signed-off-by: Jun Piao -Reviewed-by: Alex Chen -Reviewed-by: Joseph Qi -Reviewed-by: Changwei Ge -Reviewed-by: Gang He -Cc: Mark Fasheh -Cc: Joel Becker -Cc: Junxiao Bi -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/super.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - ---- a/fs/ocfs2/super.c -+++ b/fs/ocfs2/super.c -@@ -477,9 +477,8 @@ static int ocfs2_init_global_system_inod - new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); - if (!new) { - ocfs2_release_system_inodes(osb); -- status = -EINVAL; -+ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL; - mlog_errno(status); -- /* FIXME: Should ERROR_RO_FS */ - mlog(ML_ERROR, "Unable to load system inode %d, " - "possibly corrupt fs?", i); - goto bail; -@@ -508,7 +507,7 @@ static int ocfs2_init_local_system_inode - new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); - if (!new) { - ocfs2_release_system_inodes(osb); -- status = -EINVAL; -+ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL; - mlog(ML_ERROR, "status=%d, sysfile=%d, slot=%d\n", - status, i, osb->slot_num); - goto bail; diff --git a/queue-4.4/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch b/queue-4.4/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch deleted file mode 100644 index 283ebad42d6..00000000000 --- a/queue-4.4/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch +++ /dev/null @@ -1,98 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: piaojun -Date: Wed, 31 Jan 2018 16:15:32 -0800 -Subject: ocfs2: return error when we attempt to access a dirty bh in jbd2 - -From: piaojun - -[ Upstream commit d984187e3a1ad7d12447a7ab2c43ce3717a2b5b3 ] - -We should not reuse the dirty bh in jbd2 directly due to the following -situation: - -1. When removing extent rec, we will dirty the bhs of extent rec and - truncate log at the same time, and hand them over to jbd2. - -2. The bhs are submitted to jbd2 area successfully. - -3. The write-back thread of device help flush the bhs to disk but - encounter write error due to abnormal storage link. - -4. After a while the storage link become normal. Truncate log flush - worker triggered by the next space reclaiming found the dirty bh of - truncate log and clear its 'BH_Write_EIO' and then set it uptodate in - __ocfs2_journal_access(): - - ocfs2_truncate_log_worker - ocfs2_flush_truncate_log - __ocfs2_flush_truncate_log - ocfs2_replay_truncate_records - ocfs2_journal_access_di - __ocfs2_journal_access // here we clear io_error and set 'tl_bh' uptodata. - -5. Then jbd2 will flush the bh of truncate log to disk, but the bh of - extent rec is still in error state, and unfortunately nobody will - take care of it. - -6. At last the space of extent rec was not reduced, but truncate log - flush worker have given it back to globalalloc. That will cause - duplicate cluster problem which could be identified by fsck.ocfs2. - -Sadly we can hardly revert this but set fs read-only in case of ruining -atomicity and consistency of space reclaim. - -Link: http://lkml.kernel.org/r/5A6E8092.8090701@huawei.com -Fixes: acf8fdbe6afb ("ocfs2: do not BUG if buffer not uptodate in __ocfs2_journal_access") -Signed-off-by: Jun Piao -Reviewed-by: Yiwen Jiang -Reviewed-by: Changwei Ge -Cc: Mark Fasheh -Cc: Joel Becker -Cc: Junxiao Bi -Cc: Joseph Qi -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/ocfs2/journal.c | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - ---- a/fs/ocfs2/journal.c -+++ b/fs/ocfs2/journal.c -@@ -666,23 +666,24 @@ static int __ocfs2_journal_access(handle - /* we can safely remove this assertion after testing. */ - if (!buffer_uptodate(bh)) { - mlog(ML_ERROR, "giving me a buffer that's not uptodate!\n"); -- mlog(ML_ERROR, "b_blocknr=%llu\n", -- (unsigned long long)bh->b_blocknr); -+ mlog(ML_ERROR, "b_blocknr=%llu, b_state=0x%lx\n", -+ (unsigned long long)bh->b_blocknr, bh->b_state); - - lock_buffer(bh); - /* -- * A previous attempt to write this buffer head failed. -- * Nothing we can do but to retry the write and hope for -- * the best. -+ * A previous transaction with a couple of buffer heads fail -+ * to checkpoint, so all the bhs are marked as BH_Write_EIO. -+ * For current transaction, the bh is just among those error -+ * bhs which previous transaction handle. We can't just clear -+ * its BH_Write_EIO and reuse directly, since other bhs are -+ * not written to disk yet and that will cause metadata -+ * inconsistency. So we should set fs read-only to avoid -+ * further damage. - */ - if (buffer_write_io_error(bh) && !buffer_uptodate(bh)) { -- clear_buffer_write_io_error(bh); -- set_buffer_uptodate(bh); -- } -- -- if (!buffer_uptodate(bh)) { - unlock_buffer(bh); -- return -EIO; -+ return ocfs2_error(osb->sb, "A previous attempt to " -+ "write this buffer head failed\n"); - } - unlock_buffer(bh); - } diff --git a/queue-4.4/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch b/queue-4.4/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch deleted file mode 100644 index 94cd8febd8b..00000000000 --- a/queue-4.4/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch +++ /dev/null @@ -1,62 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Helge Deller -Date: Sun, 25 Mar 2018 14:04:22 +0200 -Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode - -From: Helge Deller - -[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ] - -Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy -I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card. - -To avoid such instability, this patch switches the LBA PCI bus from Hard Fail -mode into Soft Fail mode. In this mode the bus will return -1UL for timed out -MMIO transactions, which is exactly how the x86 (and most other architectures) -PCI busses behave. - -This patch is based on a proposal by Grant Grundler and Kyle McMartin 10 -years ago: -https://www.spinics.net/lists/linux-parisc/msg01027.html - -Cc: Carlo Pisani -Cc: Kyle McMartin -Reviewed-by: Grant Grundler -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/parisc/lba_pci.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - ---- a/drivers/parisc/lba_pci.c -+++ b/drivers/parisc/lba_pci.c -@@ -1365,9 +1365,27 @@ lba_hw_init(struct lba_device *d) - WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG); - } - -- /* Set HF mode as the default (vs. -1 mode). */ -+ -+ /* -+ * Hard Fail vs. Soft Fail on PCI "Master Abort". -+ * -+ * "Master Abort" means the MMIO transaction timed out - usually due to -+ * the device not responding to an MMIO read. We would like HF to be -+ * enabled to find driver problems, though it means the system will -+ * crash with a HPMC. -+ * -+ * In SoftFail mode "~0L" is returned as a result of a timeout on the -+ * pci bus. This is like how PCI busses on x86 and most other -+ * architectures behave. In order to increase compatibility with -+ * existing (x86) PCI hardware and existing Linux drivers we enable -+ * Soft Faul mode on PA-RISC now too. -+ */ - stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL); -+#if defined(ENABLE_HARDFAIL) - WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); -+#else -+ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); -+#endif - - /* - ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal diff --git a/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch b/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch deleted file mode 100644 index 19786fac9a7..00000000000 --- a/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Thomas Vincent-Cross -Date: Tue, 27 Feb 2018 20:20:36 +1100 -Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 - -From: Thomas Vincent-Cross - -[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ] - -Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 -Signed-off-by: Thomas Vincent-Cross -Signed-off-by: Bjorn Helgaas -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/quirks.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -3628,6 +3628,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M - /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, - quirk_dma_func1_alias); -+/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, -+ quirk_dma_func1_alias); - /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, - quirk_dma_func1_alias); diff --git a/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch b/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch deleted file mode 100644 index 533de6f5253..00000000000 --- a/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Alex Williamson -Date: Tue, 16 Jan 2018 10:05:26 -0700 -Subject: PCI: Add function 1 DMA alias quirk for Marvell 9128 - -From: Alex Williamson - -[ Upstream commit aa008206634363ef800fbd5f0262016c9ff81dea ] - -The Marvell 9128 is the original device generating bug 42679, from which -many other Marvell DMA alias quirks have been sourced, but we didn't have -positive confirmation of the fix on 9128 until now. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 -Link: https://www.spinics.net/lists/kvm/msg161459.html -Reported-by: Binarus -Tested-by: Binarus -Signed-off-by: Alex Williamson -Signed-off-by: Bjorn Helgaas -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/quirks.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -3614,6 +3614,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M - quirk_dma_func1_alias); - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123, - quirk_dma_func1_alias); -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, -+ quirk_dma_func1_alias); - /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, - quirk_dma_func1_alias); diff --git a/queue-4.4/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch b/queue-4.4/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch deleted file mode 100644 index fb95d744223..00000000000 --- a/queue-4.4/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch +++ /dev/null @@ -1,87 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Rafael J. Wysocki" -Date: Sat, 3 Mar 2018 10:53:24 +0100 -Subject: PCI: Restore config space on runtime resume despite being unbound - -From: "Rafael J. Wysocki" - -[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ] - -We leave PCI devices not bound to a driver in D0 during runtime suspend. -But they may have a parent which is bound and can be transitioned to -D3cold at runtime. Once the parent goes to D3cold, the unbound child -may go to D3cold as well. When the child goes to D3cold, its internal -state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost. - -One example are recent hybrid graphics laptops which cut power to the -discrete GPU when the root port above it goes to ACPI power state D3. -Users may provoke this by unbinding the GPU driver and allowing runtime -PM on the GPU via sysfs: The PM core will then treat the GPU as -"suspended", which in turn allows the root port to runtime suspend, -causing the power resources listed in its _PR3 object to be powered off. -The GPU's BARs will be uninitialized when a driver later probes it. - -Another example are hybrid graphics laptops where the GPU itself (rather -than the root port) is capable of runtime suspending to D3cold. If the -GPU's integrated HDA controller is not bound and the GPU's driver -decides to runtime suspend to D3cold, the HDA controller's BARs will be -uninitialized when a driver later probes it. - -Fix by saving and restoring config space over a runtime suspend cycle -even if the device is not bound. - -Acked-by: Bjorn Helgaas -Tested-by: Peter Wu # Nvidia Optimus -Tested-by: Lukas Wunner # MacBook Pro -Signed-off-by: Rafael J. Wysocki -[lukas: add commit message, bikeshed code comments for clarity] -Signed-off-by: Lukas Wunner -Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/pci-driver.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - ---- a/drivers/pci/pci-driver.c -+++ b/drivers/pci/pci-driver.c -@@ -1140,11 +1140,14 @@ static int pci_pm_runtime_suspend(struct - int error; - - /* -- * If pci_dev->driver is not set (unbound), the device should -- * always remain in D0 regardless of the runtime PM status -+ * If pci_dev->driver is not set (unbound), we leave the device in D0, -+ * but it may go to D3cold when the bridge above it runtime suspends. -+ * Save its config space in case that happens. - */ -- if (!pci_dev->driver) -+ if (!pci_dev->driver) { -+ pci_save_state(pci_dev); - return 0; -+ } - - if (!pm || !pm->runtime_suspend) - return -ENOSYS; -@@ -1195,16 +1198,18 @@ static int pci_pm_runtime_resume(struct - const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; - - /* -- * If pci_dev->driver is not set (unbound), the device should -- * always remain in D0 regardless of the runtime PM status -+ * Restoring config space is necessary even if the device is not bound -+ * to a driver because although we left it in D0, it may have gone to -+ * D3cold when the bridge above it runtime suspended. - */ -+ pci_restore_standard_config(pci_dev); -+ - if (!pci_dev->driver) - return 0; - - if (!pm || !pm->runtime_resume) - return -ENOSYS; - -- pci_restore_standard_config(pci_dev); - pci_fixup_device(pci_fixup_resume_early, pci_dev); - __pci_enable_wake(pci_dev, PCI_D0, true, false); - pci_fixup_device(pci_fixup_resume, pci_dev); diff --git a/queue-4.4/percpu-add-a-schedule-point-in-pcpu_balance_workfn.patch b/queue-4.4/percpu-add-a-schedule-point-in-pcpu_balance_workfn.patch deleted file mode 100644 index a334a015c8d..00000000000 --- a/queue-4.4/percpu-add-a-schedule-point-in-pcpu_balance_workfn.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Eric Dumazet -Date: Fri, 23 Feb 2018 08:12:42 -0800 -Subject: percpu: add a schedule point in pcpu_balance_workfn() - -From: Eric Dumazet - -[ Upstream commit accd4f36a7d11c2d54544007eb65e10604dcf2f5 ] - -When a large BPF percpu map is destroyed, I have seen -pcpu_balance_workfn() holding cpu for hundreds of milliseconds. - -On KASAN config and 112 hyperthreads, average time to destroy a chunk -is ~4 ms. - -[ 2489.841376] destroy chunk 1 in 4148689 ns -... -[ 2490.093428] destroy chunk 32 in 4072718 ns - -Signed-off-by: Eric Dumazet -Signed-off-by: Tejun Heo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/percpu.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/mm/percpu.c -+++ b/mm/percpu.c -@@ -1146,6 +1146,7 @@ static void pcpu_balance_workfn(struct w - spin_unlock_irq(&pcpu_lock); - } - pcpu_destroy_chunk(chunk); -+ cond_resched(); - } - - /* service chunks which requested async area map extension */ diff --git a/queue-4.4/perf-callchain-fix-attr.sample_max_stack-setting.patch b/queue-4.4/perf-callchain-fix-attr.sample_max_stack-setting.patch deleted file mode 100644 index ba8f694c3fd..00000000000 --- a/queue-4.4/perf-callchain-fix-attr.sample_max_stack-setting.patch +++ /dev/null @@ -1,101 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arnaldo Carvalho de Melo -Date: Mon, 15 Jan 2018 11:07:58 -0300 -Subject: perf callchain: Fix attr.sample_max_stack setting - -From: Arnaldo Carvalho de Melo - -[ Upstream commit 249d98e567e25dd03e015e2d31e1b7b9648f34df ] - -When setting the "dwarf" unwinder for a specific event and not -specifying the max-stack, the attr.sample_max_stack ended up using an -uninitialized callchain_param.max_stack, fix it by using designated -initializers for that callchain_param variable, zeroing all non -explicitely initialized struct members. - -Here is what happened: - - # perf trace -vv --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 - callchain: type DWARF - callchain: stack dump size 8192 - perf_event_attr: - type 2 - size 112 - config 0x730 - { sample_period, sample_freq } 1 - sample_type IP|TID|TIME|ADDR|CALLCHAIN|CPU|PERIOD|RAW|REGS_USER|STACK_USER|DATA_SRC - exclude_callchain_user 1 - { wakeup_events, wakeup_watermark } 1 - sample_regs_user 0xff0fff - sample_stack_user 8192 - sample_max_stack 50656 - sys_perf_event_open failed, error -75 - Value too large for defined data type - # perf trace -vv --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 - callchain: type DWARF - callchain: stack dump size 8192 - perf_event_attr: - type 2 - size 112 - config 0x730 - sample_type IP|TID|TIME|ADDR|CALLCHAIN|CPU|PERIOD|RAW|REGS_USER|STACK_USER|DATA_SRC - exclude_callchain_user 1 - sample_regs_user 0xff0fff - sample_stack_user 8192 - sample_max_stack 30448 - sys_perf_event_open failed, error -75 - Value too large for defined data type - # - -Now the attr.sample_max_stack is set to zero and the above works as -expected: - - # perf trace --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 - PING ::1(::1) 56 data bytes - 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.072 ms - - --- ::1 ping statistics --- - 1 packets transmitted, 1 received, 0% packet loss, time 0ms - rtt min/avg/max/mdev = 0.072/0.072/0.072/0.000 ms - 0.000 probe_libc:inet_pton:(7feb7a998350)) - __inet_pton (inlined) - gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) - __GI_getaddrinfo (inlined) - [0xffffaa39b6108f3f] (/usr/bin/ping) - # - -Cc: Adrian Hunter -Cc: David Ahern -Cc: Hendrick Brueckner -Cc: Jiri Olsa -Cc: Namhyung Kim -Cc: Thomas Richter -Cc: Wang Nan -Link: https://lkml.kernel.org/n/tip-is9tramondqa9jlxxsgcm9iz@git.kernel.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/util/evsel.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/tools/perf/util/evsel.c -+++ b/tools/perf/util/evsel.c -@@ -624,13 +624,13 @@ static void apply_config_terms(struct pe - struct perf_evsel_config_term *term; - struct list_head *config_terms = &evsel->config_terms; - struct perf_event_attr *attr = &evsel->attr; -- struct callchain_param param; -+ /* callgraph default */ -+ struct callchain_param param = { -+ .record_mode = callchain_param.record_mode, -+ }; - u32 dump_size = 0; - char *callgraph_buf = NULL; - -- /* callgraph default */ -- param.record_mode = callchain_param.record_mode; -- - list_for_each_entry(term, config_terms, list) { - switch (term->type) { - case PERF_EVSEL__CONFIG_TERM_PERIOD: diff --git a/queue-4.4/perf-cgroup-fix-child-event-counting-bug.patch b/queue-4.4/perf-cgroup-fix-child-event-counting-bug.patch deleted file mode 100644 index 229c4ab3974..00000000000 --- a/queue-4.4/perf-cgroup-fix-child-event-counting-bug.patch +++ /dev/null @@ -1,105 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Song Liu -Date: Mon, 12 Mar 2018 09:59:43 -0700 -Subject: perf/cgroup: Fix child event counting bug - -From: Song Liu - -[ Upstream commit c917e0f259908e75bd2a65877e25f9d90c22c848 ] - -When a perf_event is attached to parent cgroup, it should count events -for all children cgroups: - - parent_group <---- perf_event - \ - - child_group <---- process(es) - -However, in our tests, we found this perf_event cannot report reliable -results. Here is an example case: - - # create cgroups - mkdir -p /sys/fs/cgroup/p/c - # start perf for parent group - perf stat -e instructions -G "p" - - # on another console, run test process in child cgroup: - stressapptest -s 2 -M 1000 & echo $! > /sys/fs/cgroup/p/c/cgroup.procs - - # after the test process is done, stop perf in the first console shows - - instructions p - -The instruction should not be "not counted" as the process runs in the -child cgroup. - -We found this is because perf_event->cgrp and cpuctx->cgrp are not -identical, thus perf_event->cgrp are not updated properly. - -This patch fixes this by updating perf_cgroup properly for ancestor -cgroup(s). - -Reported-by: Ephraim Park -Signed-off-by: Song Liu -Signed-off-by: Peter Zijlstra (Intel) -Cc: -Cc: -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Jiri Olsa -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Link: http://lkml.kernel.org/r/20180312165943.1057894-1-songliubraving@fb.com -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/events/core.c | 21 ++++++++++++++++----- - 1 file changed, 16 insertions(+), 5 deletions(-) - ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -419,9 +419,15 @@ static inline void __update_cgrp_time(st - - static inline void update_cgrp_time_from_cpuctx(struct perf_cpu_context *cpuctx) - { -- struct perf_cgroup *cgrp_out = cpuctx->cgrp; -- if (cgrp_out) -- __update_cgrp_time(cgrp_out); -+ struct perf_cgroup *cgrp = cpuctx->cgrp; -+ struct cgroup_subsys_state *css; -+ -+ if (cgrp) { -+ for (css = &cgrp->css; css; css = css->parent) { -+ cgrp = container_of(css, struct perf_cgroup, css); -+ __update_cgrp_time(cgrp); -+ } -+ } - } - - static inline void update_cgrp_time_from_event(struct perf_event *event) -@@ -449,6 +455,7 @@ perf_cgroup_set_timestamp(struct task_st - { - struct perf_cgroup *cgrp; - struct perf_cgroup_info *info; -+ struct cgroup_subsys_state *css; - - /* - * ctx->lock held by caller -@@ -459,8 +466,12 @@ perf_cgroup_set_timestamp(struct task_st - return; - - cgrp = perf_cgroup_from_task(task, ctx); -- info = this_cpu_ptr(cgrp->info); -- info->timestamp = ctx->timestamp; -+ -+ for (css = &cgrp->css; css; css = css->parent) { -+ cgrp = container_of(css, struct perf_cgroup, css); -+ info = this_cpu_ptr(cgrp->info); -+ info->timestamp = ctx->timestamp; -+ } - } - - #define PERF_CGROUP_SWOUT 0x1 /* cgroup switch out every event */ diff --git a/queue-4.4/perf-core-fix-perf_output_read_group.patch b/queue-4.4/perf-core-fix-perf_output_read_group.patch deleted file mode 100644 index ebedb0fde47..00000000000 --- a/queue-4.4/perf-core-fix-perf_output_read_group.patch +++ /dev/null @@ -1,78 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Peter Zijlstra -Date: Fri, 9 Mar 2018 12:52:04 +0100 -Subject: perf/core: Fix perf_output_read_group() - -From: Peter Zijlstra - -[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ] - -Mark reported his arm64 perf fuzzer runs sometimes splat like: - - armv8pmu_read_counter+0x1e8/0x2d8 - armpmu_event_update+0x8c/0x188 - armpmu_read+0xc/0x18 - perf_output_read+0x550/0x11e8 - perf_event_read_event+0x1d0/0x248 - perf_event_exit_task+0x468/0xbb8 - do_exit+0x690/0x1310 - do_group_exit+0xd0/0x2b0 - get_signal+0x2e8/0x17a8 - do_signal+0x144/0x4f8 - do_notify_resume+0x148/0x1e8 - work_pending+0x8/0x14 - -which asserts that we only call pmu::read() on ACTIVE events. - -The above callchain does: - - perf_event_exit_task() - perf_event_exit_task_context() - task_ctx_sched_out() // INACTIVE - perf_event_exit_event() - perf_event_set_state(EXIT) // EXIT - sync_child_event() - perf_event_read_event() - perf_output_read() - perf_output_read_group() - leader->pmu->read() - -Which results in doing a pmu::read() on an !ACTIVE event. - -I _think_ this is 'new' since we added attr.inherit_stat, which added -the perf_event_read_event() to the exit path, without that -perf_event_read_output() would only trigger from samples and for -@event to trigger a sample, it's leader _must_ be ACTIVE too. - -Still, adding this check makes it consistent with the @sub case for -the siblings. - -Reported-and-Tested-by: Mark Rutland -Signed-off-by: Peter Zijlstra (Intel) -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Jiri Olsa -Cc: Linus Torvalds -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: Vince Weaver -Cc: linux-kernel@vger.kernel.org -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/events/core.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -5299,7 +5299,8 @@ static void perf_output_read_group(struc - if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) - values[n++] = running; - -- if (leader != event) -+ if ((leader != event) && -+ (leader->state == PERF_EVENT_STATE_ACTIVE)) - leader->pmu->read(leader); - - values[n++] = perf_event_count(leader); diff --git a/queue-4.4/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch b/queue-4.4/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch deleted file mode 100644 index da1055b08f1..00000000000 --- a/queue-4.4/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch +++ /dev/null @@ -1,101 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jiri Olsa -Date: Fri, 16 Feb 2018 13:36:19 +0100 -Subject: perf report: Fix memory corruption in --branch-history mode --branch-history - -From: Jiri Olsa - -[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ] - -Jin Yao reported memory corrupton in perf report with -branch info used for stack trace: - - > Following command lines will cause perf crash. - - > perf record -j call -g -a - > perf report --branch-history - > - > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 *** - > ======= Backtrace: ========= - > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725] - > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a] - > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc] - > perf[0x51b914] - > perf(hist_entry_iter__add+0x1e5)[0x51f305] - > perf[0x43cf01] - > perf[0x4fa3bf] - > perf[0x4fa923] - > perf[0x4fd396] - > perf[0x4f9614] - > perf(perf_session__process_events+0x89e)[0x4fc38e] - > perf(cmd_report+0x15d2)[0x43f202] - > perf[0x4a059f] - > perf(main+0x631)[0x427b71] - > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830] - > perf(_start+0x29)[0x427d89] - -For the cumulative output, we allocate the he_cache array based on the ---max-stack option value and populate it with data from 'callchain_cursor'. - -The --max-stack option value does not ensure now the limit for number of -callchain_cursor nodes, so the cumulative iter code will allocate smaller array -than it's actually needed and cause above corruption. - -I think the --max-stack limit does not apply here anyway, because we add -callchain data as normal hist entries, while the --max-stack control the limit -of single entry callchain depth. - -Using the callchain_cursor.nr as he_cache array count to fix this. Also -removing struct hist_entry_iter::max_stack, because there's no longer any use -for it. - -We need more fixes to ensure that the branch stack code follows properly the -logic of --max-stack, which is not the case at the moment. - -Original-patch-by: Jin Yao -Signed-off-by: Jiri Olsa -Reported-by: Jin Yao -Cc: Alexander Shishkin -Cc: Andi Kleen -Cc: Jiri Olsa -Cc: Kan Liang -Cc: Peter Zijlstra -Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/util/hist.c | 4 +--- - tools/perf/util/hist.h | 1 - - 2 files changed, 1 insertion(+), 4 deletions(-) - ---- a/tools/perf/util/hist.c -+++ b/tools/perf/util/hist.c -@@ -720,7 +720,7 @@ iter_prepare_cumulative_entry(struct his - * cumulated only one time to prevent entries more than 100% - * overhead. - */ -- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1)); -+ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1)); - if (he_cache == NULL) - return -ENOMEM; - -@@ -881,8 +881,6 @@ int hist_entry_iter__add(struct hist_ent - if (err) - return err; - -- iter->max_stack = max_stack_depth; -- - err = iter->ops->prepare_entry(iter, al); - if (err) - goto out; ---- a/tools/perf/util/hist.h -+++ b/tools/perf/util/hist.h -@@ -91,7 +91,6 @@ struct hist_entry_iter { - int curr; - - bool hide_unresolved; -- int max_stack; - - struct perf_evsel *evsel; - struct perf_sample *sample; diff --git a/queue-4.4/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch b/queue-4.4/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch deleted file mode 100644 index d8948855a84..00000000000 --- a/queue-4.4/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch +++ /dev/null @@ -1,57 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jiri Olsa -Date: Thu, 15 Feb 2018 13:26:35 +0100 -Subject: perf tests: Use arch__compare_symbol_names to compare symbols - -From: Jiri Olsa - -[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ] - -The symbol search called by machine__find_kernel_symbol_by_name is using -internally arch__compare_symbol_names function to compare 2 symbol -names, because different archs have different ways of comparing symbols. -Mostly for skipping '.' prefixes and similar. - -In test 1 when we try to find matching symbols in kallsyms and vmlinux, -by address and by symbol name. When either is found we compare the pair -symbol names by simple strcmp, which is not good enough for reasons -explained in previous paragraph. - -On powerpc this can cause lockup, because even thought we found the -pair, the compared names are different and don't match simple strcmp. -Following code path is executed, that leads to lockup: - - - we find the pair in kallsyms by sym->start -next_pair: - - we compare the names and it fails - - we find the pair by sym->name - - the pair addresses match so we call goto next_pair - because we assume the names match in this case - -Signed-off-by: Jiri Olsa -Tested-by: Naveen N. Rao -Acked-by: Naveen N. Rao -Cc: Alexander Shishkin -Cc: David Ahern -Cc: Namhyung Kim -Cc: Peter Zijlstra -Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically") -Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/tests/vmlinux-kallsyms.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/tools/perf/tests/vmlinux-kallsyms.c -+++ b/tools/perf/tests/vmlinux-kallsyms.c -@@ -126,7 +126,7 @@ int test__vmlinux_matches_kallsyms(void) - - if (pair && UM(pair->start) == mem_start) { - next_pair: -- if (strcmp(sym->name, pair->name) == 0) { -+ if (arch__compare_symbol_names(sym->name, pair->name) == 0) { - /* - * kallsyms don't have the symbol end, so we - * set that by using the next symbol start - 1, diff --git a/queue-4.4/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch b/queue-4.4/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch deleted file mode 100644 index c6cc35b9e6e..00000000000 --- a/queue-4.4/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch +++ /dev/null @@ -1,33 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mathieu Malaterre -Date: Sun, 25 Feb 2018 18:22:29 +0100 -Subject: powerpc: Add missing prototype for arch_irq_work_raise() - -From: Mathieu Malaterre - -[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ] - -In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new -function arch_irq_work_raise() was added without a prototype in header -irq_work.h. - -Fix the following warning (treated as error in W=1): - arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’ - -Signed-off-by: Mathieu Malaterre -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/include/asm/irq_work.h | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/powerpc/include/asm/irq_work.h -+++ b/arch/powerpc/include/asm/irq_work.h -@@ -5,5 +5,6 @@ static inline bool arch_irq_work_has_int - { - return true; - } -+extern void arch_irq_work_raise(void); - - #endif /* _ASM_POWERPC_IRQ_WORK_H */ diff --git a/queue-4.4/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch b/queue-4.4/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch deleted file mode 100644 index f985c8ab066..00000000000 --- a/queue-4.4/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch +++ /dev/null @@ -1,39 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mark Lord -Date: Tue, 20 Feb 2018 14:49:20 -0500 -Subject: powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access - -From: Mark Lord - -[ Upstream commit 083b20907185b076f21c265b30fe5b5f24c03d8c ] - -I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed -that the JIT compiler was failing on the BPF even though the -interpreter was working fine. - -The issue was that the compiler was missing one of the instructions -used by SECCOMP, so here is a patch to enable JIT for that -instruction. - -Fixes: eb84bab0fb38 ("ppc: Kconfig: Enable BPF JIT on ppc32") -Signed-off-by: Mark Lord -Acked-by: Naveen N. Rao -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/net/bpf_jit_comp.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/arch/powerpc/net/bpf_jit_comp.c -+++ b/arch/powerpc/net/bpf_jit_comp.c -@@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf - BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); - PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); - break; -+ case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ -+ PPC_LWZ_OFFS(r_A, r_skb, K); -+ break; - case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ - PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); - break; diff --git a/queue-4.4/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch b/queue-4.4/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch deleted file mode 100644 index 50e7dc526ef..00000000000 --- a/queue-4.4/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch +++ /dev/null @@ -1,47 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Ellerman -Date: Fri, 30 Mar 2018 23:27:25 +1100 -Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask() - -From: Michael Ellerman - -[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ] - -In mpic_physmask() we loop over all CPUs up to 32, then get the hard -SMP processor id of that CPU. - -Currently that's possibly walking off the end of the paca array, but -in a future patch we will change the paca array to be an array of -pointers, and in that case we will get a NULL for missing CPUs and -oops. eg: - - Unable to handle kernel paging request for data at address 0x88888888888888b8 - Faulting instruction address: 0xc00000000004e380 - Oops: Kernel access of bad area, sig: 11 [#1] - ... - NIP .mpic_set_affinity+0x60/0x1a0 - LR .irq_do_set_affinity+0x48/0x100 - -Fix it by checking the CPU is possible, this also fixes the code if -there are gaps in the CPU numbering which probably never happens on -mpic systems but who knows. - -Debugged-by: Nicholas Piggin -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/sysdev/mpic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/powerpc/sysdev/mpic.c -+++ b/arch/powerpc/sysdev/mpic.c -@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum - int i; - u32 mask = 0; - -- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1) -+ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1) - mask |= (cpumask & 1) << get_hard_smp_processor_id(i); - return mask; - } diff --git a/queue-4.4/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch b/queue-4.4/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch deleted file mode 100644 index d78fbe37861..00000000000 --- a/queue-4.4/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch +++ /dev/null @@ -1,136 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Bringmann -Date: Tue, 28 Nov 2017 16:58:40 -0600 -Subject: powerpc/numa: Ensure nodes initialized for hotplug - -From: Michael Bringmann - -[ Upstream commit ea05ba7c559c8e5a5946c3a94a2a266e9a6680a6 ] - -This patch fixes some problems encountered at runtime with -configurations that support memory-less nodes, or that hot-add CPUs -into nodes that are memoryless during system execution after boot. The -problems of interest include: - -* Nodes known to powerpc to be memoryless at boot, but to have CPUs in - them are allowed to be 'possible' and 'online'. Memory allocations - for those nodes are taken from another node that does have memory - until and if memory is hot-added to the node. - -* Nodes which have no resources assigned at boot, but which may still - be referenced subsequently by affinity or associativity attributes, - are kept in the list of 'possible' nodes for powerpc. Hot-add of - memory or CPUs to the system can reference these nodes and bring - them online instead of redirecting the references to one of the set - of nodes known to have memory at boot. - -Note that this software operates under the context of CPU hotplug. We -are not doing memory hotplug in this code, but rather updating the -kernel's CPU topology (i.e. arch_update_cpu_topology / -numa_update_cpu_topology). We are initializing a node that may be used -by CPUs or memory before it can be referenced as invalid by a CPU -hotplug operation. CPU hotplug operations are protected by a range of -APIs including cpu_maps_update_begin/cpu_maps_update_done, -cpus_read/write_lock / cpus_read/write_unlock, device locks, and more. -Memory hotplug operations, including try_online_node, are protected by -mem_hotplug_begin/mem_hotplug_done, device locks, and more. In the -case of CPUs being hot-added to a previously memoryless node, the -try_online_node operation occurs wholly within the CPU locks with no -overlap. Using HMC hot-add/hot-remove operations, we have been able to -add and remove CPUs to any possible node without failures. HMC -operations involve a degree self-serialization, though. - -Signed-off-by: Michael Bringmann -Reviewed-by: Nathan Fontenot -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/mm/numa.c | 47 +++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 37 insertions(+), 10 deletions(-) - ---- a/arch/powerpc/mm/numa.c -+++ b/arch/powerpc/mm/numa.c -@@ -551,7 +551,7 @@ static int numa_setup_cpu(unsigned long - nid = of_node_to_nid_single(cpu); - - out_present: -- if (nid < 0 || !node_online(nid)) -+ if (nid < 0 || !node_possible(nid)) - nid = first_online_node; - - map_cpu_to_node(lcpu, nid); -@@ -969,10 +969,8 @@ static void __init find_possible_nodes(v - goto out; - - for (i = 0; i < numnodes; i++) { -- if (!node_possible(i)) { -- setup_node_data(i, 0, 0); -+ if (!node_possible(i)) - node_set(i, node_possible_map); -- } - } - - out: -@@ -1335,6 +1333,40 @@ static long vphn_get_associativity(unsig - return rc; - } - -+static inline int find_and_online_cpu_nid(int cpu) -+{ -+ __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0}; -+ int new_nid; -+ -+ /* Use associativity from first thread for all siblings */ -+ vphn_get_associativity(cpu, associativity); -+ new_nid = associativity_to_nid(associativity); -+ if (new_nid < 0 || !node_possible(new_nid)) -+ new_nid = first_online_node; -+ -+ if (NODE_DATA(new_nid) == NULL) { -+#ifdef CONFIG_MEMORY_HOTPLUG -+ /* -+ * Need to ensure that NODE_DATA is initialized for a node from -+ * available memory (see memblock_alloc_try_nid). If unable to -+ * init the node, then default to nearest node that has memory -+ * installed. -+ */ -+ if (try_online_node(new_nid)) -+ new_nid = first_online_node; -+#else -+ /* -+ * Default to using the nearest node that has memory installed. -+ * Otherwise, it would be necessary to patch the kernel MM code -+ * to deal with more memoryless-node error conditions. -+ */ -+ new_nid = first_online_node; -+#endif -+ } -+ -+ return new_nid; -+} -+ - /* - * Update the CPU maps and sysfs entries for a single CPU when its NUMA - * characteristics change. This function doesn't perform any locking and is -@@ -1400,7 +1432,6 @@ int arch_update_cpu_topology(void) - { - unsigned int cpu, sibling, changed = 0; - struct topology_update_data *updates, *ud; -- __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0}; - cpumask_t updated_cpus; - struct device *dev; - int weight, new_nid, i = 0; -@@ -1435,11 +1466,7 @@ int arch_update_cpu_topology(void) - continue; - } - -- /* Use associativity from first thread for all siblings */ -- vphn_get_associativity(cpu, associativity); -- new_nid = associativity_to_nid(associativity); -- if (new_nid < 0 || !node_online(new_nid)) -- new_nid = first_online_node; -+ new_nid = find_and_online_cpu_nid(cpu); - - if (new_nid == numa_cpu_lookup_table[cpu]) { - cpumask_andnot(&cpu_associativity_changes_mask, diff --git a/queue-4.4/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch b/queue-4.4/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch deleted file mode 100644 index 284c9e22d4d..00000000000 --- a/queue-4.4/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch +++ /dev/null @@ -1,131 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Bringmann -Date: Tue, 28 Nov 2017 16:58:36 -0600 -Subject: powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes - -From: Michael Bringmann - -[ Upstream commit a346137e9142b039fd13af2e59696e3d40c487ef ] - -On powerpc systems which allow 'hot-add' of CPU or memory resources, -it may occur that the new resources are to be inserted into nodes that -were not used for these resources at bootup. In the kernel, any node -that is used must be defined and initialized. These empty nodes may -occur when, - -* Dedicated vs. shared resources. Shared resources require information - such as the VPHN hcall for CPU assignment to nodes. Associativity - decisions made based on dedicated resource rules, such as - associativity properties in the device tree, may vary from decisions - made using the values returned by the VPHN hcall. - -* memoryless nodes at boot. Nodes need to be defined as 'possible' at - boot for operation with other code modules. Previously, the powerpc - code would limit the set of possible nodes to those which have - memory assigned at boot, and were thus online. Subsequent add/remove - of CPUs or memory would only work with this subset of possible - nodes. - -* memoryless nodes with CPUs at boot. Due to the previous restriction - on nodes, nodes that had CPUs but no memory were being collapsed - into other nodes that did have memory at boot. In practice this - meant that the node assignment presented by the runtime kernel - differed from the affinity and associativity attributes presented by - the device tree or VPHN hcalls. Nodes that might be known to the - pHyp were not 'possible' in the runtime kernel because they did not - have memory at boot. - -This patch ensures that sufficient nodes are defined to support -configuration requirements after boot, as well as at boot. This patch -set fixes a couple of problems. - -* Nodes known to powerpc to be memoryless at boot, but to have CPUs in - them are allowed to be 'possible' and 'online'. Memory allocations - for those nodes are taken from another node that does have memory - until and if memory is hot-added to the node. * Nodes which have no - resources assigned at boot, but which may still be referenced - subsequently by affinity or associativity attributes, are kept in - the list of 'possible' nodes for powerpc. Hot-add of memory or CPUs - to the system can reference these nodes and bring them online - instead of redirecting to one of the set of nodes that were known to - have memory at boot. - -This patch extracts the value of the lowest domain level (number of -allocable resources) from the device tree property -"ibm,max-associativity-domains" to use as the maximum number of nodes -to setup as possibly available in the system. This new setting will -override the instruction: - - nodes_and(node_possible_map, node_possible_map, node_online_map); - -presently seen in the function arch/powerpc/mm/numa.c:initmem_init(). - -If the "ibm,max-associativity-domains" property is not present at -boot, no operation will be performed to define or enable additional -nodes, or enable the above 'nodes_and()'. - -Signed-off-by: Michael Bringmann -Reviewed-by: Nathan Fontenot -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/mm/numa.c | 37 ++++++++++++++++++++++++++++++++++--- - 1 file changed, 34 insertions(+), 3 deletions(-) - ---- a/arch/powerpc/mm/numa.c -+++ b/arch/powerpc/mm/numa.c -@@ -951,6 +951,34 @@ static void __init setup_node_data(int n - NODE_DATA(nid)->node_spanned_pages = spanned_pages; - } - -+static void __init find_possible_nodes(void) -+{ -+ struct device_node *rtas; -+ u32 numnodes, i; -+ -+ if (min_common_depth <= 0) -+ return; -+ -+ rtas = of_find_node_by_path("/rtas"); -+ if (!rtas) -+ return; -+ -+ if (of_property_read_u32_index(rtas, -+ "ibm,max-associativity-domains", -+ min_common_depth, &numnodes)) -+ goto out; -+ -+ for (i = 0; i < numnodes; i++) { -+ if (!node_possible(i)) { -+ setup_node_data(i, 0, 0); -+ node_set(i, node_possible_map); -+ } -+ } -+ -+out: -+ of_node_put(rtas); -+} -+ - void __init initmem_init(void) - { - int nid, cpu; -@@ -966,12 +994,15 @@ void __init initmem_init(void) - memblock_dump_all(); - - /* -- * Reduce the possible NUMA nodes to the online NUMA nodes, -- * since we do not support node hotplug. This ensures that we -- * lower the maximum NUMA node ID to what is actually present. -+ * Modify the set of possible NUMA nodes to reflect information -+ * available about the set of online nodes, and the set of nodes -+ * that we expect to make use of for this platform's affinity -+ * calculations. - */ - nodes_and(node_possible_map, node_possible_map, node_online_map); - -+ find_possible_nodes(); -+ - for_each_online_node(nid) { - unsigned long start_pfn, end_pfn; - diff --git a/queue-4.4/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch b/queue-4.4/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch deleted file mode 100644 index f67321dd8b3..00000000000 --- a/queue-4.4/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch +++ /dev/null @@ -1,72 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Ellerman -Date: Wed, 21 Mar 2018 17:10:24 +0530 -Subject: powerpc/perf: Fix kernel address leak via sampling registers - -From: Michael Ellerman - -[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ] - -Current code in power_pmu_disable() does not clear the sampling -registers like Sampling Instruction Address Register (SIAR) and -Sampling Data Address Register (SDAR) after disabling the PMU. Since -these are userspace readable and could contain kernel addresses, add -code to explicitly clear the content of these registers. - -Also add a "context synchronizing instruction" to enforce no further -updates to these registers as suggested by Power ISA v3.0B. From -section 9.4, on page 1108: - - "If an mtspr instruction is executed that changes the value of a - Performance Monitor register other than SIAR, SDAR, and SIER, the - change is not guaranteed to have taken effect until after a - subsequent context synchronizing instruction has been executed (see - Chapter 11. "Synchronization Requirements for Context Alterations" - on page 1133)." - -Signed-off-by: Madhavan Srinivasan -[mpe: Massage change log and add ISA reference] -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - ---- a/arch/powerpc/perf/core-book3s.c -+++ b/arch/powerpc/perf/core-book3s.c -@@ -1198,6 +1198,7 @@ static void power_pmu_disable(struct pmu - */ - write_mmcr0(cpuhw, val); - mb(); -+ isync(); - - /* - * Disable instruction sampling if it was enabled -@@ -1206,12 +1207,26 @@ static void power_pmu_disable(struct pmu - mtspr(SPRN_MMCRA, - cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE); - mb(); -+ isync(); - } - - cpuhw->disabled = 1; - cpuhw->n_added = 0; - - ebb_switch_out(mmcr0); -+ -+#ifdef CONFIG_PPC64 -+ /* -+ * These are readable by userspace, may contain kernel -+ * addresses and are not switched by context switch, so clear -+ * them now to avoid leaking anything to userspace in general -+ * including to another process. -+ */ -+ if (ppmu->flags & PPMU_ARCH_207S) { -+ mtspr(SPRN_SDAR, 0); -+ mtspr(SPRN_SIAR, 0); -+ } -+#endif - } - - local_irq_restore(flags); diff --git a/queue-4.4/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch b/queue-4.4/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch deleted file mode 100644 index c3a5a8aedd0..00000000000 --- a/queue-4.4/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Madhavan Srinivasan -Date: Wed, 21 Mar 2018 17:10:25 +0530 -Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer - -From: Madhavan Srinivasan - -[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] - -The current Branch History Rolling Buffer (BHRB) code does not check -for any privilege levels before updating the data from BHRB. This -could leak kernel addresses to userspace even when profiling only with -userspace privileges. Add proper checks to prevent it. - -Acked-by: Balbir Singh -Signed-off-by: Madhavan Srinivasan -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/perf/core-book3s.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - ---- a/arch/powerpc/perf/core-book3s.c -+++ b/arch/powerpc/perf/core-book3s.c -@@ -448,6 +448,16 @@ static void power_pmu_bhrb_read(struct c - /* invalid entry */ - continue; - -+ /* -+ * BHRB rolling buffer could very much contain the kernel -+ * addresses at this point. Check the privileges before -+ * exporting it to userspace (avoid exposure of regions -+ * where we could have speculative execution) -+ */ -+ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && -+ is_kernel_addr(addr)) -+ continue; -+ - /* Branches are read most recent first (ie. mfbhrb 0 is - * the most recent branch). - * There are two types of valid entries: diff --git a/queue-4.4/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch b/queue-4.4/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch deleted file mode 100644 index f74ce6fc1bf..00000000000 --- a/queue-4.4/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch +++ /dev/null @@ -1,81 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Vaibhav Jain -Date: Sun, 4 Mar 2018 23:00:25 +0530 -Subject: powerpc/xmon: Setup debugger hooks when first break-point is set - -From: Vaibhav Jain - -[ Upstream commit e1368d0c9edbc366e45216e7295fd61ae55c2b12 ] - -Presently sysrq key for xmon('x') is registered during kernel init -irrespective of the value of kernel param 'xmon'. Thus xmon is enabled -even if 'xmon=off' is passed on the kernel command line. However this -doesn't enable the kernel debugger hooks needed for instruction or -data breakpoints. Thus when a break-point is hit with xmon=off a -kernel oops of the form below is reported: - - Oops: Exception in kernel mode, sig: 5 [#1] - < snip > - Trace/breakpoint trap - -To fix this the patch checks and enables debugger hooks when an -instruction or data break-point is set via xmon console. - -Signed-off-by: Vaibhav Jain -Reviewed-by: Balbir Singh -[mpe: Just printf directly, no need for static const char[]] -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/xmon/xmon.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - ---- a/arch/powerpc/xmon/xmon.c -+++ b/arch/powerpc/xmon/xmon.c -@@ -1173,6 +1173,16 @@ static long check_bp_loc(unsigned long a - return 1; - } - -+/* Force enable xmon if not already enabled */ -+static inline void force_enable_xmon(void) -+{ -+ /* Enable xmon hooks if needed */ -+ if (!xmon_on) { -+ printf("xmon: Enabling debugger hooks\n"); -+ xmon_on = 1; -+ } -+} -+ - static char *breakpoint_help_string = - "Breakpoint command usage:\n" - "b show breakpoints\n" -@@ -1215,6 +1225,8 @@ bpt_cmds(void) - dabr.address &= ~HW_BRK_TYPE_DABR; - dabr.enabled = mode | BP_DABR; - } -+ -+ force_enable_xmon(); - break; - - case 'i': /* bi - hardware instr breakpoint */ -@@ -1235,6 +1247,7 @@ bpt_cmds(void) - if (bp != NULL) { - bp->enabled |= BP_CIABR; - iabr = bp; -+ force_enable_xmon(); - } - break; - #endif -@@ -1299,8 +1312,10 @@ bpt_cmds(void) - if (!check_bp_loc(a)) - break; - bp = new_breakpoint(a); -- if (bp != NULL) -+ if (bp != NULL) { - bp->enabled |= BP_TRAP; -+ force_enable_xmon(); -+ } - break; - } - } diff --git a/queue-4.4/proc-fix-proc-map_files-lookup.patch b/queue-4.4/proc-fix-proc-map_files-lookup.patch deleted file mode 100644 index 331f05ad215..00000000000 --- a/queue-4.4/proc-fix-proc-map_files-lookup.patch +++ /dev/null @@ -1,105 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Alexey Dobriyan -Date: Tue, 6 Feb 2018 15:36:59 -0800 -Subject: proc: fix /proc/*/map_files lookup - -From: Alexey Dobriyan - -[ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] - -Current code does: - - if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) - -However sscanf() is broken garbage. - -It silently accepts whitespace between format specifiers -(did you know that?). - -It silently accepts valid strings which result in integer overflow. - -Do not use sscanf() for any even remotely reliable parsing code. - - OK - # readlink '/proc/1/map_files/55a23af39000-55a23b05b000' - /lib/systemd/systemd - - broken - # readlink '/proc/1/map_files/ 55a23af39000-55a23b05b000' - /lib/systemd/systemd - - broken - # readlink '/proc/1/map_files/55a23af39000-55a23b05b000 ' - /lib/systemd/systemd - - very broken - # readlink '/proc/1/map_files/1000000000000000055a23af39000-55a23b05b000' - /lib/systemd/systemd - -Andrei said: - -: This patch breaks criu. It was a bug in criu. And this bug is on a minor -: path, which works when memfd_create() isn't available. It is a reason why -: I ask to not backport this patch to stable kernels. -: -: In CRIU this bug can be triggered, only if this patch will be backported -: to a kernel which version is lower than v3.16. - -Link: http://lkml.kernel.org/r/20171120212706.GA14325@avx2 -Signed-off-by: Alexey Dobriyan -Cc: Pavel Emelyanov -Cc: Andrei Vagin -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/proc/base.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -94,6 +94,8 @@ - #include "internal.h" - #include "fd.h" - -+#include "../../lib/kstrtox.h" -+ - /* NOTE: - * Implementing inode permission operations in /proc is almost - * certainly an error. Permission checks need to happen during -@@ -1829,8 +1831,33 @@ end_instantiate: - static int dname_to_vma_addr(struct dentry *dentry, - unsigned long *start, unsigned long *end) - { -- if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) -+ const char *str = dentry->d_name.name; -+ unsigned long long sval, eval; -+ unsigned int len; -+ -+ len = _parse_integer(str, 16, &sval); -+ if (len & KSTRTOX_OVERFLOW) -+ return -EINVAL; -+ if (sval != (unsigned long)sval) - return -EINVAL; -+ str += len; -+ -+ if (*str != '-') -+ return -EINVAL; -+ str++; -+ -+ len = _parse_integer(str, 16, &eval); -+ if (len & KSTRTOX_OVERFLOW) -+ return -EINVAL; -+ if (eval != (unsigned long)eval) -+ return -EINVAL; -+ str += len; -+ -+ if (*str != '\0') -+ return -EINVAL; -+ -+ *start = sval; -+ *end = eval; - - return 0; - } diff --git a/queue-4.4/r8152-fix-tx-packets-accounting.patch b/queue-4.4/r8152-fix-tx-packets-accounting.patch deleted file mode 100644 index d18fd696f74..00000000000 --- a/queue-4.4/r8152-fix-tx-packets-accounting.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Eric Dumazet -Date: Sun, 25 Feb 2018 19:12:10 -0800 -Subject: r8152: fix tx packets accounting - -From: Eric Dumazet - -[ Upstream commit 4c27bf3c5b7434ccb9ab962301da661c26b467a4 ] - -r8152 driver handles TSO packets (limited to ~16KB) quite well, -but pretends each TSO logical packet is a single packet on the wire. - -There is also some error since headers are accounted once, but -error rate is small enough that we do not care. - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/usb/r8152.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/usb/r8152.c -+++ b/drivers/net/usb/r8152.c -@@ -1610,7 +1610,7 @@ static int r8152_tx_agg_fill(struct r815 - - tx_data += len; - agg->skb_len += len; -- agg->skb_num++; -+ agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1; - - dev_kfree_skb_any(skb); - diff --git a/queue-4.4/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch b/queue-4.4/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch deleted file mode 100644 index 743d3792f83..00000000000 --- a/queue-4.4/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Leon Romanovsky -Date: Sun, 28 Jan 2018 11:25:30 +0200 -Subject: RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure - -From: Leon Romanovsky - -[ Upstream commit b081808a66345ba725b77ecd8d759bee874cd937 ] - -Failure in XRCD FW deallocation command leaves memory leaked and -returns error to the user which he can't do anything about it. - -This patch changes behavior to always free memory and always return -success to the user. - -Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") -Reviewed-by: Majd Dibbiny -Signed-off-by: Leon Romanovsky -Reviewed-by: Yuval Shaia -Signed-off-by: Jason Gunthorpe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/infiniband/hw/mlx5/qp.c | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - ---- a/drivers/infiniband/hw/mlx5/qp.c -+++ b/drivers/infiniband/hw/mlx5/qp.c -@@ -3157,12 +3157,9 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd - int err; - - err = mlx5_core_xrcd_dealloc(dev->mdev, xrcdn); -- if (err) { -+ if (err) - mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn); -- return err; -- } - - kfree(xrcd); -- - return 0; - } diff --git a/queue-4.4/rdma-ucma-correct-option-size-check-using-optlen.patch b/queue-4.4/rdma-ucma-correct-option-size-check-using-optlen.patch deleted file mode 100644 index 0dd8721004f..00000000000 --- a/queue-4.4/rdma-ucma-correct-option-size-check-using-optlen.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Chien Tin Tung -Date: Wed, 21 Mar 2018 13:09:25 -0500 -Subject: RDMA/ucma: Correct option size check using optlen - -From: Chien Tin Tung - -[ Upstream commit 5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2 ] - -The option size check is using optval instead of optlen -causing the set option call to fail. Use the correct -field, optlen, for size check. - -Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") -Signed-off-by: Chien Tin Tung -Signed-off-by: Shiraz Saleem -Reviewed-by: Leon Romanovsky -Signed-off-by: Jason Gunthorpe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/infiniband/core/ucma.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/infiniband/core/ucma.c -+++ b/drivers/infiniband/core/ucma.c -@@ -1295,7 +1295,7 @@ static ssize_t ucma_set_option(struct uc - if (IS_ERR(ctx)) - return PTR_ERR(ctx); - -- if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) -+ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) - return -EINVAL; - - optval = memdup_user((void __user *) (unsigned long) cmd.optval, diff --git a/queue-4.4/rds-ib-fix-null-pointer-issue.patch b/queue-4.4/rds-ib-fix-null-pointer-issue.patch deleted file mode 100644 index f7deba4e099..00000000000 --- a/queue-4.4/rds-ib-fix-null-pointer-issue.patch +++ /dev/null @@ -1,84 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Guanglei Li -Date: Tue, 6 Feb 2018 10:43:21 +0800 -Subject: RDS: IB: Fix null pointer issue - -From: Guanglei Li - -[ Upstream commit 2c0aa08631b86a4678dbc93b9caa5248014b4458 ] - -Scenario: -1. Port down and do fail over -2. Ap do rds_bind syscall - -PID: 47039 TASK: ffff89887e2fe640 CPU: 47 COMMAND: "kworker/u:6" - #0 [ffff898e35f159f0] machine_kexec at ffffffff8103abf9 - #1 [ffff898e35f15a60] crash_kexec at ffffffff810b96e3 - #2 [ffff898e35f15b30] oops_end at ffffffff8150f518 - #3 [ffff898e35f15b60] no_context at ffffffff8104854c - #4 [ffff898e35f15ba0] __bad_area_nosemaphore at ffffffff81048675 - #5 [ffff898e35f15bf0] bad_area_nosemaphore at ffffffff810487d3 - #6 [ffff898e35f15c00] do_page_fault at ffffffff815120b8 - #7 [ffff898e35f15d10] page_fault at ffffffff8150ea95 - [exception RIP: unknown or invalid address] - RIP: 0000000000000000 RSP: ffff898e35f15dc8 RFLAGS: 00010282 - RAX: 00000000fffffffe RBX: ffff889b77f6fc00 RCX:ffffffff81c99d88 - RDX: 0000000000000000 RSI: ffff896019ee08e8 RDI:ffff889b77f6fc00 - RBP: ffff898e35f15df0 R8: ffff896019ee08c8 R9:0000000000000000 - R10: 0000000000000400 R11: 0000000000000000 R12:ffff896019ee08c0 - R13: ffff889b77f6fe68 R14: ffffffff81c99d80 R15: ffffffffa022a1e0 - ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 - #8 [ffff898e35f15dc8] cma_ndev_work_handler at ffffffffa022a228 [rdma_cm] - #9 [ffff898e35f15df8] process_one_work at ffffffff8108a7c6 - #10 [ffff898e35f15e58] worker_thread at ffffffff8108bda0 - #11 [ffff898e35f15ee8] kthread at ffffffff81090fe6 - -PID: 45659 TASK: ffff880d313d2500 CPU: 31 COMMAND: "oracle_45659_ap" - #0 [ffff881024ccfc98] __schedule at ffffffff8150bac4 - #1 [ffff881024ccfd40] schedule at ffffffff8150c2cf - #2 [ffff881024ccfd50] __mutex_lock_slowpath at ffffffff8150cee7 - #3 [ffff881024ccfdc0] mutex_lock at ffffffff8150cdeb - #4 [ffff881024ccfde0] rdma_destroy_id at ffffffffa022a027 [rdma_cm] - #5 [ffff881024ccfe10] rds_ib_laddr_check at ffffffffa0357857 [rds_rdma] - #6 [ffff881024ccfe50] rds_trans_get_preferred at ffffffffa0324c2a [rds] - #7 [ffff881024ccfe80] rds_bind at ffffffffa031d690 [rds] - #8 [ffff881024ccfeb0] sys_bind at ffffffff8142a670 - -PID: 45659 PID: 47039 -rds_ib_laddr_check - /* create id_priv with a null event_handler */ - rdma_create_id - rdma_bind_addr - cma_acquire_dev - /* add id_priv to cma_dev->id_list */ - cma_attach_to_dev - cma_ndev_work_handler - /* event_hanlder is null */ - id_priv->id.event_handler - -Signed-off-by: Guanglei Li -Signed-off-by: Honglei Wang -Reviewed-by: Junxiao Bi -Reviewed-by: Yanjun Zhu -Reviewed-by: Leon Romanovsky -Acked-by: Santosh Shilimkar -Acked-by: Doug Ledford -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/rds/ib.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/rds/ib.c -+++ b/net/rds/ib.c -@@ -336,7 +336,8 @@ static int rds_ib_laddr_check(struct net - /* Create a CMA ID and try to bind it. This catches both - * IB and iWARP capable NICs. - */ -- cm_id = rdma_create_id(&init_net, NULL, NULL, RDMA_PS_TCP, IB_QPT_RC); -+ cm_id = rdma_create_id(&init_net, rds_rdma_cm_event_handler, -+ NULL, RDMA_PS_TCP, IB_QPT_RC); - if (IS_ERR(cm_id)) - return PTR_ERR(cm_id); - diff --git a/queue-4.4/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch b/queue-4.4/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch deleted file mode 100644 index e7e6199b948..00000000000 --- a/queue-4.4/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch +++ /dev/null @@ -1,30 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Christophe JAILLET -Date: Fri, 26 Jan 2018 23:13:44 +0100 -Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' - -From: Christophe JAILLET - -[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ] - -If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must -release the reference on the current 'child' node before returning. - -Signed-off-by: Christophe JAILLET -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/regulator/of_regulator.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/regulator/of_regulator.c -+++ b/drivers/regulator/of_regulator.c -@@ -274,6 +274,7 @@ int of_regulator_match(struct device *de - dev_err(dev, - "failed to parse DT for regulator %s\n", - child->name); -+ of_node_put(child); - return -EINVAL; - } - match->of_node = of_node_get(child); diff --git a/queue-4.4/regulatory-add-nul-to-request-alpha2.patch b/queue-4.4/regulatory-add-nul-to-request-alpha2.patch deleted file mode 100644 index 56b1b010b81..00000000000 --- a/queue-4.4/regulatory-add-nul-to-request-alpha2.patch +++ /dev/null @@ -1,33 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Johannes Berg -Date: Thu, 22 Feb 2018 20:55:28 +0100 -Subject: regulatory: add NUL to request alpha2 - -From: Johannes Berg - -[ Upstream commit 657308f73e674e86b60509a430a46e569bf02846 ] - -Similar to the ancient commit a5fe8e7695dc ("regulatory: add NUL -to alpha2"), add another byte to alpha2 in the request struct so -that when we use nla_put_string(), we don't overrun anything. - -Fixes: 73d54c9e74c4 ("cfg80211: add regulatory netlink multicast group") -Reported-by: Kees Cook -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/net/regulatory.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/include/net/regulatory.h -+++ b/include/net/regulatory.h -@@ -78,7 +78,7 @@ struct regulatory_request { - int wiphy_idx; - enum nl80211_reg_initiator initiator; - enum nl80211_user_reg_hint_type user_reg_hint_type; -- char alpha2[2]; -+ char alpha2[3]; - enum nl80211_dfs_regions dfs_region; - bool intersect; - bool processed; diff --git a/queue-4.4/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch b/queue-4.4/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch deleted file mode 100644 index 101fadc07a5..00000000000 --- a/queue-4.4/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch +++ /dev/null @@ -1,45 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Alexandre Belloni -Date: Thu, 8 Mar 2018 23:27:31 +0100 -Subject: rtc: hctosys: Ensure system time doesn't overflow time_t - -From: Alexandre Belloni - -[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ] - -On 32bit platforms, time_t is still a signed 32bit long. If it is -overflowed, userspace and the kernel cant agree on the current system time. -This causes multiple issues, in particular with systemd: -https://github.com/systemd/systemd/issues/1143 - -A good workaround is to simply avoid using hctosys which is something I -greatly encourage as the time is better set by userspace. - -However, many distribution enable it and use systemd which is rendering the -system unusable in case the RTC holds a date after 2038 (and more so after -2106). Many drivers have workaround for this case and they should be -eliminated so there is only one place left to fix when userspace is able to -cope with dates after the 31bit overflow. - -Acked-by: Arnd Bergmann -Signed-off-by: Alexandre Belloni -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/rtc/hctosys.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/rtc/hctosys.c -+++ b/drivers/rtc/hctosys.c -@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void) - - tv64.tv_sec = rtc_tm_to_time64(&tm); - -+#if BITS_PER_LONG == 32 -+ if (tv64.tv_sec > INT_MAX) -+ goto err_read; -+#endif -+ - err = do_settimeofday64(&tv64); - - dev_info(rtc->dev.parent, diff --git a/queue-4.4/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch b/queue-4.4/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch deleted file mode 100644 index 81a9dfe275a..00000000000 --- a/queue-4.4/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch +++ /dev/null @@ -1,91 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Bryan O'Donoghue -Date: Wed, 28 Mar 2018 20:14:05 +0100 -Subject: rtc: snvs: Fix usage of snvs_rtc_enable - -From: Bryan O'Donoghue - -[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ] - -commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces -the SNVS RTC driver with a function snvs_rtc_enable(). - -snvs_rtc_enable() can return an error on the enable path however this -driver does not currently trap that failure on the probe() path and -consequently if enabling the RTC fails we encounter a later error spinning -forever in rtc_write_sync_lp(). - -[ 36.093481] [] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x34/0x44) -[ 36.102122] [] (_raw_spin_unlock_irqrestore) from [] (regmap_read+0x4c/0x5c) -[ 36.110938] [] (regmap_read) from [] (rtc_write_sync_lp+0x6c/0x98) -[ 36.118881] [] (rtc_write_sync_lp) from [] (snvs_rtc_alarm_irq_enable+0x40/0x4c) -[ 36.128041] [] (snvs_rtc_alarm_irq_enable) from [] (rtc_timer_do_work+0xd8/0x1a8) -[ 36.137291] [] (rtc_timer_do_work) from [] (process_one_work+0x28c/0x76c) -[ 36.145840] [] (process_one_work) from [] (worker_thread+0x34/0x58c) -[ 36.153961] [] (worker_thread) from [] (kthread+0x138/0x150) -[ 36.161388] [] (kthread) from [] (ret_from_fork+0x14/0x20) -[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0 -[ 36.178564] rcu_sched R running task 0 8 2 0x00000000 -[ 36.185664] [] (__schedule) from [] (schedule+0x3c/0xa0) -[ 36.192739] [] (schedule) from [] (schedule_timeout+0x78/0x4e0) -[ 36.200422] [] (schedule_timeout) from [] (rcu_gp_kthread+0x648/0x1864) -[ 36.208800] [] (rcu_gp_kthread) from [] (kthread+0x138/0x150) -[ 36.216309] [] (kthread) from [] (ret_from_fork+0x14/0x20) - -This patch fixes by parsing the result of rtc_write_sync_lp() and -propagating both in the probe and elsewhere. If the RTC doesn't start we -don't proceed loading the driver and don't get into this loop mess later -on. - -Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") -Signed-off-by: Bryan O'Donoghue -Acked-by: Shawn Guo -Signed-off-by: Alexandre Belloni -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/rtc/rtc-snvs.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - ---- a/drivers/rtc/rtc-snvs.c -+++ b/drivers/rtc/rtc-snvs.c -@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi - { - struct snvs_rtc_data *data = dev_get_drvdata(dev); - unsigned long time; -+ int ret; - - rtc_tm_to_time(tm, &time); - - /* Disable RTC first */ -- snvs_rtc_enable(data, false); -+ ret = snvs_rtc_enable(data, false); -+ if (ret) -+ return ret; - - /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */ - regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH); - regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH)); - - /* Enable RTC again */ -- snvs_rtc_enable(data, true); -+ ret = snvs_rtc_enable(data, true); - -- return 0; -+ return ret; - } - - static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) -@@ -287,7 +290,11 @@ static int snvs_rtc_probe(struct platfor - regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff); - - /* Enable RTC */ -- snvs_rtc_enable(data, true); -+ ret = snvs_rtc_enable(data, true); -+ if (ret) { -+ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret); -+ goto error_rtc_device_register; -+ } - - device_init_wakeup(&pdev->dev, true); - diff --git a/queue-4.4/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch b/queue-4.4/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch deleted file mode 100644 index 91d6ac56774..00000000000 --- a/queue-4.4/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch +++ /dev/null @@ -1,48 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Colin Ian King -Date: Thu, 15 Feb 2018 19:36:14 +0000 -Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift - -From: Colin Ian King - -[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ] - -The shifting of buf[5] by 24 bits to the left will be promoted to -a 32 bit signed int and then sign-extended to an unsigned long. If -the top bit of buf[5] is set then all then all the upper bits sec -end up as also being set because of the sign-extension. Fix this by -casting buf[5] to an unsigned long before the shift. - -Detected by CoverityScan, CID#1465292 ("Unintended sign extension") - -Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver") -Signed-off-by: Colin Ian King -Signed-off-by: Alexandre Belloni -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/rtc/rtc-tx4939.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/rtc/rtc-tx4939.c -+++ b/drivers/rtc/rtc-tx4939.c -@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d - for (i = 2; i < 6; i++) - buf[i] = __raw_readl(&rtcreg->dat); - spin_unlock_irq(&pdata->lock); -- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; -+ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | -+ (buf[3] << 8) | buf[2]; - rtc_time_to_tm(sec, tm); - return rtc_valid_tm(tm); - } -@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct - alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; - alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; - spin_unlock_irq(&pdata->lock); -- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; -+ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | -+ (buf[3] << 8) | buf[2]; - rtc_time_to_tm(sec, &alrm->time); - return rtc_valid_tm(&alrm->time); - } diff --git a/queue-4.4/s390-cio-clear-timer-when-terminating-driver-i-o.patch b/queue-4.4/s390-cio-clear-timer-when-terminating-driver-i-o.patch deleted file mode 100644 index 1c06408a7f3..00000000000 --- a/queue-4.4/s390-cio-clear-timer-when-terminating-driver-i-o.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Sebastian Ott -Date: Mon, 12 Feb 2018 12:01:03 +0100 -Subject: s390/cio: clear timer when terminating driver I/O - -From: Sebastian Ott - -[ Upstream commit 410d5e13e7638bc146321671e223d56495fbf3c7 ] - -When we terminate driver I/O (because we need to stop using a certain -channel path) we also need to ensure that a timer (which may have been -set up using ccw_device_start_timeout) is cleared. - -Signed-off-by: Sebastian Ott -Signed-off-by: Martin Schwidefsky -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/s390/cio/device_fsm.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/s390/cio/device_fsm.c -+++ b/drivers/s390/cio/device_fsm.c -@@ -923,6 +923,7 @@ void ccw_device_kill_io(struct ccw_devic - { - int ret; - -+ ccw_device_set_timeout(cdev, 0); - cdev->private->iretry = 255; - cdev->private->async_kill_io_rc = -EIO; - ret = ccw_device_cancel_halt_clear(cdev); diff --git a/queue-4.4/s390-cio-fix-return-code-after-missing-interrupt.patch b/queue-4.4/s390-cio-fix-return-code-after-missing-interrupt.patch deleted file mode 100644 index 78754450322..00000000000 --- a/queue-4.4/s390-cio-fix-return-code-after-missing-interrupt.patch +++ /dev/null @@ -1,71 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Sebastian Ott -Date: Wed, 7 Feb 2018 13:18:19 +0100 -Subject: s390/cio: fix return code after missing interrupt - -From: Sebastian Ott - -[ Upstream commit 770b55c995d171f026a9efb85e71e3b1ea47b93d ] - -When a timeout occurs for users of ccw_device_start_timeout -we will stop the IO and call the drivers int handler with -the irb pointer set to ERR_PTR(-ETIMEDOUT). Sometimes -however we'd set the irb pointer to ERR_PTR(-EIO) which is -not intended. Just set the correct value in all codepaths. - -Reported-by: Julian Wiedmann -Signed-off-by: Sebastian Ott -Signed-off-by: Martin Schwidefsky -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/s390/cio/device_fsm.c | 6 ++++-- - drivers/s390/cio/io_sch.h | 1 + - 2 files changed, 5 insertions(+), 2 deletions(-) - ---- a/drivers/s390/cio/device_fsm.c -+++ b/drivers/s390/cio/device_fsm.c -@@ -822,6 +822,7 @@ ccw_device_online_timeout(struct ccw_dev - - ccw_device_set_timeout(cdev, 0); - cdev->private->iretry = 255; -+ cdev->private->async_kill_io_rc = -ETIMEDOUT; - ret = ccw_device_cancel_halt_clear(cdev); - if (ret == -EBUSY) { - ccw_device_set_timeout(cdev, 3*HZ); -@@ -898,7 +899,7 @@ ccw_device_killing_irq(struct ccw_device - /* OK, i/o is dead now. Call interrupt handler. */ - if (cdev->handler) - cdev->handler(cdev, cdev->private->intparm, -- ERR_PTR(-EIO)); -+ ERR_PTR(cdev->private->async_kill_io_rc)); - } - - static void -@@ -915,7 +916,7 @@ ccw_device_killing_timeout(struct ccw_de - ccw_device_online_verify(cdev, 0); - if (cdev->handler) - cdev->handler(cdev, cdev->private->intparm, -- ERR_PTR(-EIO)); -+ ERR_PTR(cdev->private->async_kill_io_rc)); - } - - void ccw_device_kill_io(struct ccw_device *cdev) -@@ -923,6 +924,7 @@ void ccw_device_kill_io(struct ccw_devic - int ret; - - cdev->private->iretry = 255; -+ cdev->private->async_kill_io_rc = -EIO; - ret = ccw_device_cancel_halt_clear(cdev); - if (ret == -EBUSY) { - ccw_device_set_timeout(cdev, 3*HZ); ---- a/drivers/s390/cio/io_sch.h -+++ b/drivers/s390/cio/io_sch.h -@@ -155,6 +155,7 @@ struct ccw_device_private { - unsigned long intparm; /* user interruption parameter */ - struct qdio_irq *qdio_data; - struct irb irb; /* device status */ -+ int async_kill_io_rc; - struct senseid senseid; /* SenseID info */ - struct pgid pgid[8]; /* path group IDs per chpid*/ - struct ccw1 iccws[2]; /* ccws for SNID/SID/SPGID commands */ diff --git a/queue-4.4/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch b/queue-4.4/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch deleted file mode 100644 index 85488eda880..00000000000 --- a/queue-4.4/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch +++ /dev/null @@ -1,74 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Davidlohr Bueso -Date: Mon, 2 Apr 2018 09:49:54 -0700 -Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning - -From: Davidlohr Bueso - -[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ] - -While running rt-tests' pi_stress program I got the following splat: - - rq->clock_update_flags < RQCF_ACT_SKIP - WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20 - - [...] - - - enqueue_top_rt_rq+0xf4/0x150 - ? cpufreq_dbs_governor_start+0x170/0x170 - sched_rt_rq_enqueue+0x65/0x80 - sched_rt_period_timer+0x156/0x360 - ? sched_rt_rq_enqueue+0x80/0x80 - __hrtimer_run_queues+0xfa/0x260 - hrtimer_interrupt+0xcb/0x220 - smp_apic_timer_interrupt+0x62/0x120 - apic_timer_interrupt+0xf/0x20 - - - [...] - - do_idle+0x183/0x1e0 - cpu_startup_entry+0x5f/0x70 - start_secondary+0x192/0x1d0 - secondary_startup_64+0xa5/0xb0 - -We can get rid of it be the "traditional" means of adding an -update_rq_clock() call after acquiring the rq->lock in -do_sched_rt_period_timer(). - -The case for the RT task throttling (which this workload also hits) -can be ignored in that the skip_update call is actually bogus and -quite the contrary (the request bits are removed/reverted). - -By setting RQCF_UPDATED we really don't care if the skip is happening -or not and will therefore make the assert_clock_updated() check happy. - -Signed-off-by: Davidlohr Bueso -Reviewed-by: Matt Fleming -Acked-by: Peter Zijlstra (Intel) -Cc: Linus Torvalds -Cc: Mike Galbraith -Cc: Thomas Gleixner -Cc: dave@stgolabs.net -Cc: linux-kernel@vger.kernel.org -Cc: rostedt@goodmis.org -Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/sched/rt.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/kernel/sched/rt.c -+++ b/kernel/sched/rt.c -@@ -822,6 +822,8 @@ static int do_sched_rt_period_timer(stru - struct rq *rq = rq_of_rt_rq(rt_rq); - - raw_spin_lock(&rq->lock); -+ update_rq_clock(rq); -+ - if (rt_rq->rt_time) { - u64 runtime; - diff --git a/queue-4.4/scsi-aacraid-fix-shutdown-crash-when-init-fails.patch b/queue-4.4/scsi-aacraid-fix-shutdown-crash-when-init-fails.patch deleted file mode 100644 index 1d8ef582e0d..00000000000 --- a/queue-4.4/scsi-aacraid-fix-shutdown-crash-when-init-fails.patch +++ /dev/null @@ -1,70 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Meelis Roos -Date: Fri, 9 Feb 2018 08:57:44 +0200 -Subject: scsi: aacraid: fix shutdown crash when init fails - -From: Meelis Roos - -[ Upstream commit 00c20cdc79259c6c5bf978b21af96c2d3edb646d ] - -When aacraid init fails with "AAC0: adapter self-test failed.", shutdown -leads to UBSAN warning and then oops: - -[154316.118423] ================================================================================ -[154316.118508] UBSAN: Undefined behaviour in drivers/scsi/scsi_lib.c:2328:27 -[154316.118566] member access within null pointer of type 'struct Scsi_Host' -[154316.118631] CPU: 2 PID: 14530 Comm: reboot Tainted: G W 4.15.0-dirty #89 -[154316.118701] Hardware name: Hewlett Packard HP NetServer/HP System Board, BIOS 4.06.46 PW 06/25/2003 -[154316.118774] Call Trace: -[154316.118848] dump_stack+0x48/0x65 -[154316.118916] ubsan_epilogue+0xe/0x40 -[154316.118976] __ubsan_handle_type_mismatch+0xfb/0x180 -[154316.119043] scsi_block_requests+0x20/0x30 -[154316.119135] aac_shutdown+0x18/0x40 [aacraid] -[154316.119196] pci_device_shutdown+0x33/0x50 -[154316.119269] device_shutdown+0x18a/0x390 -[...] -[154316.123435] BUG: unable to handle kernel NULL pointer dereference at 000000f4 -[154316.123515] IP: scsi_block_requests+0xa/0x30 - -This is because aac_shutdown() does - - struct Scsi_Host *shost = pci_get_drvdata(dev); - scsi_block_requests(shost); - -and that assumes shost has been assigned with pci_set_drvdata(). - -However, pci_set_drvdata(pdev, shost) is done in aac_probe_one() far -after bailing out with error from calling the init function -((*aac_drivers[index].init)(aac)), and when the init function fails, no -error is returned from aac_probe_one() so PCI layer assumes there is -driver attached, and tries to shut it down later. - -Fix it by returning error from aac_probe_one() when card-specific init -function fails. - -This fixes reboot on my HP NetRAID-4M with dead battery. - -Signed-off-by: Meelis Roos -Reviewed-by: Dave Carroll -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/aacraid/linit.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/aacraid/linit.c -+++ b/drivers/scsi/aacraid/linit.c -@@ -1189,8 +1189,10 @@ static int aac_probe_one(struct pci_dev - * Map in the registers from the adapter. - */ - aac->base_size = AAC_MIN_FOOTPRINT_SIZE; -- if ((*aac_drivers[index].init)(aac)) -+ if ((*aac_drivers[index].init)(aac)) { -+ error = -ENODEV; - goto out_unmap; -+ } - - if (aac->sync_mode) { - if (aac_sync_mode) diff --git a/queue-4.4/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch b/queue-4.4/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch deleted file mode 100644 index 5bb224a88d0..00000000000 --- a/queue-4.4/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch +++ /dev/null @@ -1,89 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dave Carroll -Date: Tue, 3 Apr 2018 15:50:42 -0600 -Subject: scsi: aacraid: Insure command thread is not recursively stopped - -From: Dave Carroll - -[ Upstream commit 1c6b41fb92936fa5facea464d5d7cbf855966d04 ] - -If a recursive IOP_RESET is invoked, usually due to the eh_thread -handling errors after the first reset, be sure we flag that the command -thread has been stopped to avoid an Oops of the form; - - [ 336.620256] CPU: 28 PID: 1193 Comm: scsi_eh_0 Kdump: loaded Not tainted 4.14.0-49.el7a.ppc64le #1 - [ 336.620297] task: c000003fd630b800 task.stack: c000003fd61a4000 - [ 336.620326] NIP: c000000000176794 LR: c00000000013038c CTR: c00000000024bc10 - [ 336.620361] REGS: c000003fd61a7720 TRAP: 0300 Not tainted (4.14.0-49.el7a.ppc64le) - [ 336.620395] MSR: 9000000000009033 CR: 22084022 XER: 20040000 - [ 336.620435] CFAR: c000000000130388 DAR: 0000000000000000 DSISR: 40000000 SOFTE: 1 - [ 336.620435] GPR00: c00000000013038c c000003fd61a79a0 c0000000014c7e00 0000000000000000 - [ 336.620435] GPR04: 000000000000000c 000000000000000c 9000000000009033 0000000000000477 - [ 336.620435] GPR08: 0000000000000477 0000000000000000 0000000000000000 c008000010f7d940 - [ 336.620435] GPR12: c00000000024bc10 c000000007a33400 c0000000001708a8 c000003fe3b881d8 - [ 336.620435] GPR16: c000003fe3b88060 c000003fd61a7d10 fffffffffffff000 000000000000001e - [ 336.620435] GPR20: 0000000000000001 c000000000ebf1a0 0000000000000001 c000003fe3b88000 - [ 336.620435] GPR24: 0000000000000003 0000000000000002 c000003fe3b88840 c000003fe3b887e8 - [ 336.620435] GPR28: c000003fe3b88000 c000003fc8181788 0000000000000000 c000003fc8181700 - [ 336.620750] NIP [c000000000176794] exit_creds+0x34/0x160 - [ 336.620775] LR [c00000000013038c] __put_task_struct+0x8c/0x1f0 - [ 336.620804] Call Trace: - [ 336.620817] [c000003fd61a79a0] [c000003fe3b88000] 0xc000003fe3b88000 (unreliable) - [ 336.620853] [c000003fd61a79d0] [c00000000013038c] __put_task_struct+0x8c/0x1f0 - [ 336.620889] [c000003fd61a7a00] [c000000000171418] kthread_stop+0x1e8/0x1f0 - [ 336.620922] [c000003fd61a7a40] [c008000010f7448c] aac_reset_adapter+0x14c/0x8d0 [aacraid] - [ 336.620959] [c000003fd61a7b00] [c008000010f60174] aac_eh_host_reset+0x84/0x100 [aacraid] - [ 336.621010] [c000003fd61a7b30] [c000000000864f24] scsi_try_host_reset+0x74/0x180 - [ 336.621046] [c000003fd61a7bb0] [c000000000867ac0] scsi_eh_ready_devs+0xc00/0x14d0 - [ 336.625165] [c000003fd61a7ca0] [c0000000008699e0] scsi_error_handler+0x550/0x730 - [ 336.632101] [c000003fd61a7dc0] [c000000000170a08] kthread+0x168/0x1b0 - [ 336.639031] [c000003fd61a7e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4 - [ 336.645971] Instruction dump: - [ 336.648743] 384216a0 7c0802a6 fbe1fff8 f8010010 f821ffd1 7c7f1b78 60000000 60000000 - [ 336.657056] 39400000 e87f0838 f95f0838 7c0004ac <7d401828> 314affff 7d40192d 40c2fff4 - [ 336.663997] -[ end trace 4640cf8d4945ad95 ]- - -So flag when the thread is stopped by setting the thread pointer to NULL. - -Signed-off-by: Dave Carroll -Reviewed-by: Raghava Aditya Renukunta -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/aacraid/commsup.c | 4 +++- - drivers/scsi/aacraid/linit.c | 1 + - 2 files changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/aacraid/commsup.c -+++ b/drivers/scsi/aacraid/commsup.c -@@ -1321,9 +1321,10 @@ static int _aac_reset_adapter(struct aac - host = aac->scsi_host_ptr; - scsi_block_requests(host); - aac_adapter_disable_int(aac); -- if (aac->thread->pid != current->pid) { -+ if (aac->thread && aac->thread->pid != current->pid) { - spin_unlock_irq(host->host_lock); - kthread_stop(aac->thread); -+ aac->thread = NULL; - jafo = 1; - } - -@@ -1392,6 +1393,7 @@ static int _aac_reset_adapter(struct aac - aac->name); - if (IS_ERR(aac->thread)) { - retval = PTR_ERR(aac->thread); -+ aac->thread = NULL; - goto out; - } - } ---- a/drivers/scsi/aacraid/linit.c -+++ b/drivers/scsi/aacraid/linit.c -@@ -1085,6 +1085,7 @@ static void __aac_shutdown(struct aac_de - up(&fib->event_wait); - } - kthread_stop(aac->thread); -+ aac->thread = NULL; - } - aac_send_shutdown(aac); - aac_adapter_disable_int(aac); diff --git a/queue-4.4/scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch b/queue-4.4/scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch deleted file mode 100644 index 7e1d47980df..00000000000 --- a/queue-4.4/scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Chad Dupuis -Date: Wed, 24 Jan 2018 08:07:06 -0800 -Subject: scsi: bnx2fc: Fix check in SCSI completion handler for timed out request - -From: Chad Dupuis - -[ Upstream commit ecf7ff49945f5741fa1da112f994939f942031d3 ] - -When a request times out we set the io_req flag BNX2FC_FLAG_IO_COMPL so -that if a subsequent completion comes in on that task ID we will ignore -it. The issue is that in the check for this flag there is a missing -return so we will continue to process a request which may have already -been returned to the ownership of the SCSI layer. This can cause -unpredictable results. - -Solution is to add in the missing return. - -[mkp: typo plus title shortening] - -Signed-off-by: Chad Dupuis -Reviewed-by: Laurence Oberman -Tested-by: Laurence Oberman -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/bnx2fc/bnx2fc_io.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/scsi/bnx2fc/bnx2fc_io.c -+++ b/drivers/scsi/bnx2fc/bnx2fc_io.c -@@ -1858,6 +1858,7 @@ void bnx2fc_process_scsi_cmd_compl(struc - /* we will not receive ABTS response for this IO */ - BNX2FC_IO_DBG(io_req, "Timer context finished processing " - "this scsi cmd\n"); -+ return; - } - - /* Cancel the timeout_work, as we received IO completion */ diff --git a/queue-4.4/scsi-fas216-fix-sense-buffer-initialization.patch b/queue-4.4/scsi-fas216-fix-sense-buffer-initialization.patch deleted file mode 100644 index d2586d87a49..00000000000 --- a/queue-4.4/scsi-fas216-fix-sense-buffer-initialization.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arnd Bergmann -Date: Thu, 18 Jan 2018 14:16:38 +0100 -Subject: scsi: fas216: fix sense buffer initialization - -From: Arnd Bergmann - -[ Upstream commit 96d5eaa9bb74d299508d811d865c2c41b38b0301 ] - -While testing with the ARM specific memset() macro removed, I ran into a -compiler warning that shows an old bug: - -drivers/scsi/arm/fas216.c: In function 'fas216_rq_sns_done': -drivers/scsi/arm/fas216.c:2014:40: error: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Werror=sizeof-pointer-memaccess] - -It turns out that the definition of the scsi_cmd structure changed back -in linux-2.6.25, so now we clear only four bytes (sizeof(pointer)) -instead of 96 (SCSI_SENSE_BUFFERSIZE). I did not check whether we -actually need to initialize the buffer here, but it's clear that if we -do it, we should use the correct size. - -Fixes: de25deb18016 ("[SCSI] use dynamically allocated sense buffer") -Signed-off-by: Arnd Bergmann -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/arm/fas216.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/scsi/arm/fas216.c -+++ b/drivers/scsi/arm/fas216.c -@@ -2009,7 +2009,7 @@ static void fas216_rq_sns_done(FAS216_In - * have valid data in the sense buffer that could - * confuse the higher levels. - */ -- memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer)); -+ memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE); - //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id); - //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); } - /* diff --git a/queue-4.4/scsi-libsas-defer-ata-device-eh-commands-to-libata.patch b/queue-4.4/scsi-libsas-defer-ata-device-eh-commands-to-libata.patch deleted file mode 100644 index a4cadb1cc7e..00000000000 --- a/queue-4.4/scsi-libsas-defer-ata-device-eh-commands-to-libata.patch +++ /dev/null @@ -1,131 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jason Yan -Date: Thu, 8 Mar 2018 10:34:53 +0800 -Subject: scsi: libsas: defer ata device eh commands to libata - -From: Jason Yan - -[ Upstream commit 318aaf34f1179b39fa9c30fa0f3288b645beee39 ] - -When ata device doing EH, some commands still attached with tasks are -not passed to libata when abort failed or recover failed, so libata did -not handle these commands. After these commands done, sas task is freed, -but ata qc is not freed. This will cause ata qc leak and trigger a -warning like below: - -WARNING: CPU: 0 PID: 28512 at drivers/ata/libata-eh.c:4037 -ata_eh_finish+0xb4/0xcc -CPU: 0 PID: 28512 Comm: kworker/u32:2 Tainted: G W OE 4.14.0#1 -...... -Call trace: -[] ata_eh_finish+0xb4/0xcc -[] ata_do_eh+0xc4/0xd8 -[] ata_std_error_handler+0x44/0x8c -[] ata_scsi_port_error_handler+0x480/0x694 -[] async_sas_ata_eh+0x4c/0x80 -[] async_run_entry_fn+0x4c/0x170 -[] process_one_work+0x144/0x390 -[] worker_thread+0x144/0x418 -[] kthread+0x10c/0x138 -[] ret_from_fork+0x10/0x18 - -If ata qc leaked too many, ata tag allocation will fail and io blocked -for ever. - -As suggested by Dan Williams, defer ata device commands to libata and -merge sas_eh_finish_cmd() with sas_eh_defer_cmd(). libata will handle -ata qcs correctly after this. - -Signed-off-by: Jason Yan -CC: Xiaofei Tan -CC: John Garry -CC: Dan Williams -Reviewed-by: Dan Williams -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/libsas/sas_scsi_host.c | 33 +++++++++++++-------------------- - 1 file changed, 13 insertions(+), 20 deletions(-) - ---- a/drivers/scsi/libsas/sas_scsi_host.c -+++ b/drivers/scsi/libsas/sas_scsi_host.c -@@ -222,6 +222,7 @@ out_done: - static void sas_eh_finish_cmd(struct scsi_cmnd *cmd) - { - struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host); -+ struct domain_device *dev = cmd_to_domain_dev(cmd); - struct sas_task *task = TO_SAS_TASK(cmd); - - /* At this point, we only get called following an actual abort -@@ -230,6 +231,14 @@ static void sas_eh_finish_cmd(struct scs - */ - sas_end_task(cmd, task); - -+ if (dev_is_sata(dev)) { -+ /* defer commands to libata so that libata EH can -+ * handle ata qcs correctly -+ */ -+ list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q); -+ return; -+ } -+ - /* now finish the command and move it on to the error - * handler done list, this also takes it off the - * error handler pending list. -@@ -237,22 +246,6 @@ static void sas_eh_finish_cmd(struct scs - scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q); - } - --static void sas_eh_defer_cmd(struct scsi_cmnd *cmd) --{ -- struct domain_device *dev = cmd_to_domain_dev(cmd); -- struct sas_ha_struct *ha = dev->port->ha; -- struct sas_task *task = TO_SAS_TASK(cmd); -- -- if (!dev_is_sata(dev)) { -- sas_eh_finish_cmd(cmd); -- return; -- } -- -- /* report the timeout to libata */ -- sas_end_task(cmd, task); -- list_move_tail(&cmd->eh_entry, &ha->eh_ata_q); --} -- - static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd) - { - struct scsi_cmnd *cmd, *n; -@@ -260,7 +253,7 @@ static void sas_scsi_clear_queue_lu(stru - list_for_each_entry_safe(cmd, n, error_q, eh_entry) { - if (cmd->device->sdev_target == my_cmd->device->sdev_target && - cmd->device->lun == my_cmd->device->lun) -- sas_eh_defer_cmd(cmd); -+ sas_eh_finish_cmd(cmd); - } - } - -@@ -622,12 +615,12 @@ static void sas_eh_handle_sas_errors(str - case TASK_IS_DONE: - SAS_DPRINTK("%s: task 0x%p is done\n", __func__, - task); -- sas_eh_defer_cmd(cmd); -+ sas_eh_finish_cmd(cmd); - continue; - case TASK_IS_ABORTED: - SAS_DPRINTK("%s: task 0x%p is aborted\n", - __func__, task); -- sas_eh_defer_cmd(cmd); -+ sas_eh_finish_cmd(cmd); - continue; - case TASK_IS_AT_LU: - SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task); -@@ -638,7 +631,7 @@ static void sas_eh_handle_sas_errors(str - "recovered\n", - SAS_ADDR(task->dev), - cmd->device->lun); -- sas_eh_defer_cmd(cmd); -+ sas_eh_finish_cmd(cmd); - sas_scsi_clear_queue_lu(work_q, cmd); - goto Again; - } diff --git a/queue-4.4/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch b/queue-4.4/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch deleted file mode 100644 index 8039264dd78..00000000000 --- a/queue-4.4/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: James Smart -Date: Tue, 30 Jan 2018 15:58:45 -0800 -Subject: scsi: lpfc: Fix frequency of Release WQE CQEs - -From: James Smart - -[ Upstream commit 04673e38f56b30cd39b1fa0f386137d818b17781 ] - -The driver controls when the hardware sends completions that communicate -consumption of elements from the WQ. This is done by setting a WQEC bit -on a WQE. - -The current driver sets it on every Nth WQE posting. However, the driver -isn't clearing the bit if the WQE is reused. Thus, if the queue depth -isn't evenly divisible by N, with enough time, it can be set on every -element, creating a lot of overhead and risking CQ full conditions. - -Correct by clearing the bit when not setting it on an Nth element. - -Signed-off-by: Dick Kennedy -Signed-off-by: James Smart -Reviewed-by: Hannes Reinecke -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/lpfc/lpfc_sli.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/scsi/lpfc/lpfc_sli.c -+++ b/drivers/scsi/lpfc/lpfc_sli.c -@@ -115,6 +115,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, u - /* set consumption flag every once in a while */ - if (!((q->host_index + 1) % q->entry_repost)) - bf_set(wqe_wqec, &wqe->generic.wqe_com, 1); -+ else -+ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0); - if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED) - bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id); - lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size); diff --git a/queue-4.4/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch b/queue-4.4/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch deleted file mode 100644 index ad8ddc05a58..00000000000 --- a/queue-4.4/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: James Smart -Date: Tue, 30 Jan 2018 15:58:55 -0800 -Subject: scsi: lpfc: Fix issue_lip if link is disabled - -From: James Smart - -[ Upstream commit 2289e9598dde9705400559ca2606fb8c145c34f0 ] - -The driver ignored checks on whether the link should be kept -administratively down after a link bounce. Correct the checks. - -Signed-off-by: Dick Kennedy -Signed-off-by: James Smart -Reviewed-by: Hannes Reinecke -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/lpfc/lpfc_attr.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/scsi/lpfc/lpfc_attr.c -+++ b/drivers/scsi/lpfc/lpfc_attr.c -@@ -634,7 +634,12 @@ lpfc_issue_lip(struct Scsi_Host *shost) - LPFC_MBOXQ_t *pmboxq; - int mbxstatus = MBXERR_ERROR; - -+ /* -+ * If the link is offline, disabled or BLOCK_MGMT_IO -+ * it doesn't make any sense to allow issue_lip -+ */ - if ((vport->fc_flag & FC_OFFLINE_MODE) || -+ (phba->hba_flag & LINK_DISABLED) || - (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO)) - return -EPERM; - diff --git a/queue-4.4/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch b/queue-4.4/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch deleted file mode 100644 index 1bc536175fe..00000000000 --- a/queue-4.4/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch +++ /dev/null @@ -1,50 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: James Smart -Date: Tue, 30 Jan 2018 15:58:54 -0800 -Subject: scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing - -From: James Smart - -[ Upstream commit 161df4f09987ae2e9f0f97f0b38eee298b4a39ff ] - -During link bounce testing in a point-to-point topology, the host may -enter a soft lockup on the lpfc_worker thread: - - Call Trace: - lpfc_work_done+0x1f3/0x1390 [lpfc] - lpfc_do_work+0x16f/0x180 [lpfc] - kthread+0xc7/0xe0 - ret_from_fork+0x3f/0x70 - -The driver was simultaneously setting a combination of flags that caused -lpfc_do_work()to effectively spin between slow path work and new event -data, causing the lockup. - -Ensure in the typical wq completions, that new event data flags are set -if the slow path flag is running. The slow path will eventually -reschedule the wq handling. - -Signed-off-by: Dick Kennedy -Signed-off-by: James Smart -Reviewed-by: Hannes Reinecke -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/drivers/scsi/lpfc/lpfc_hbadisc.c -+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c -@@ -691,8 +691,9 @@ lpfc_work_done(struct lpfc_hba *phba) - (phba->hba_flag & HBA_SP_QUEUE_EVT)) { - if (pring->flag & LPFC_STOP_IOCB_EVENT) { - pring->flag |= LPFC_DEFERRED_RING_EVENT; -- /* Set the lpfc data pending flag */ -- set_bit(LPFC_DATA_READY, &phba->data_flags); -+ /* Preserve legacy behavior. */ -+ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT)) -+ set_bit(LPFC_DATA_READY, &phba->data_flags); - } else { - if (phba->link_state >= LPFC_LINK_UP) { - pring->flag &= ~LPFC_DEFERRED_RING_EVENT; diff --git a/queue-4.4/scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch b/queue-4.4/scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch deleted file mode 100644 index e2eeb562545..00000000000 --- a/queue-4.4/scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Hannes Reinecke -Date: Mon, 26 Feb 2018 15:26:01 +0100 -Subject: scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM - -From: Hannes Reinecke - -[ Upstream commit 864449eea7c600596e305ffdc4a6a846414b222c ] - -The firmware event workqueue should not be marked as WQ_MEM_RECLAIM -as it's doesn't need to make forward progress under memory pressure. -In the current state it will result in a deadlock if the device had been -forcefully removed. - -Cc: Sreekanth Reddy -Cc: Suganath Prabu Subramani -Acked-by: Sreekanth Reddy -Signed-off-by: Hannes Reinecke -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c -+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -@@ -8637,7 +8637,7 @@ _scsih_probe(struct pci_dev *pdev, const - snprintf(ioc->firmware_event_name, sizeof(ioc->firmware_event_name), - "fw_event_%s%d", ioc->driver_name, ioc->id); - ioc->firmware_event_thread = alloc_ordered_workqueue( -- ioc->firmware_event_name, WQ_MEM_RECLAIM); -+ ioc->firmware_event_name, 0); - if (!ioc->firmware_event_thread) { - pr_err(MPT3SAS_FMT "failure at %s:%d/%s()!\n", - ioc->name, __FILE__, __LINE__, __func__); diff --git a/queue-4.4/scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch b/queue-4.4/scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch deleted file mode 100644 index c8b1d134b16..00000000000 --- a/queue-4.4/scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dan Carpenter -Date: Thu, 25 Jan 2018 17:27:27 +0300 -Subject: scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() - -From: Dan Carpenter - -[ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ] - -My static checker complains about an out of bounds read: - - drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo() - error: buffer overflow 'hd->sel_timeout' 255 <= u32max. - -It's true that we probably should have a bounds check here. - -Signed-off-by: Dan Carpenter -Reviewed-by: Johannes Thumshirn -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/message/fusion/mptctl.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/message/fusion/mptctl.c -+++ b/drivers/message/fusion/mptctl.c -@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg) - __FILE__, __LINE__, iocnum); - return -ENODEV; - } -+ if (karg.hdr.id >= MPT_MAX_FC_DEVICES) -+ return -EINVAL; - dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n", - ioc->name)); - diff --git a/queue-4.4/scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch b/queue-4.4/scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch deleted file mode 100644 index 785ef6a5bf7..00000000000 --- a/queue-4.4/scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch +++ /dev/null @@ -1,78 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Bart Van Assche -Date: Thu, 25 Jan 2018 08:24:29 -0800 -Subject: scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion() - -From: Bart Van Assche - -[ Upstream commit c02189e12ce3bf3808cb880569d3b10249f50bd9 ] - -A left shift must shift less than the bit width of the left argument. -Avoid triggering undefined behavior if ha->mbx_count == 32. - -This patch avoids that UBSAN reports the following complaint: - -UBSAN: Undefined behaviour in drivers/scsi/qla2xxx/qla_isr.c:275:14 -shift exponent 32 is too large for 32-bit type 'int' -Call Trace: - dump_stack+0x4e/0x6c - ubsan_epilogue+0xd/0x3b - __ubsan_handle_shift_out_of_bounds+0x112/0x14c - qla2x00_mbx_completion+0x1c5/0x25d [qla2xxx] - qla2300_intr_handler+0x1ea/0x3bb [qla2xxx] - qla2x00_mailbox_command+0x77b/0x139a [qla2xxx] - qla2x00_mbx_reg_test+0x83/0x114 [qla2xxx] - qla2x00_chip_diag+0x354/0x45f [qla2xxx] - qla2x00_initialize_adapter+0x2c2/0xa4e [qla2xxx] - qla2x00_probe_one+0x1681/0x392e [qla2xxx] - pci_device_probe+0x10b/0x1f1 - driver_probe_device+0x21f/0x3a4 - __driver_attach+0xa9/0xe1 - bus_for_each_dev+0x6e/0xb5 - driver_attach+0x22/0x3c - bus_add_driver+0x1d1/0x2ae - driver_register+0x78/0x130 - __pci_register_driver+0x75/0xa8 - qla2x00_module_init+0x21b/0x267 [qla2xxx] - do_one_initcall+0x5a/0x1e2 - do_init_module+0x9d/0x285 - load_module+0x20db/0x38e3 - SYSC_finit_module+0xa8/0xbc - SyS_finit_module+0x9/0xb - do_syscall_64+0x77/0x271 - entry_SYSCALL64_slow_path+0x25/0x25 - -Reported-by: Meelis Roos -Signed-off-by: Bart Van Assche -Cc: Himanshu Madhani -Reviewed-by: Laurence Oberman -Acked-by: Himanshu Madhani -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_isr.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -268,7 +268,8 @@ qla2x00_mbx_completion(scsi_qla_host_t * - struct device_reg_2xxx __iomem *reg = &ha->iobase->isp; - - /* Read all mbox registers? */ -- mboxes = (1 << ha->mbx_count) - 1; -+ WARN_ON_ONCE(ha->mbx_count > 32); -+ mboxes = (1ULL << ha->mbx_count) - 1; - if (!ha->mcp) - ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n"); - else -@@ -2495,7 +2496,8 @@ qla24xx_mbx_completion(scsi_qla_host_t * - struct device_reg_24xx __iomem *reg = &ha->iobase->isp24; - - /* Read all mbox registers? */ -- mboxes = (1 << ha->mbx_count) - 1; -+ WARN_ON_ONCE(ha->mbx_count > 32); -+ mboxes = (1ULL << ha->mbx_count) - 1; - if (!ha->mcp) - ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n"); - else diff --git a/queue-4.4/scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch b/queue-4.4/scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch deleted file mode 100644 index 9f356588b81..00000000000 --- a/queue-4.4/scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch +++ /dev/null @@ -1,138 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Manish Rangankar -Date: Sun, 11 Feb 2018 22:48:41 -0800 -Subject: scsi: qla4xxx: skip error recovery in case of register disconnect. - -From: Manish Rangankar - -[ Upstream commit 1bc5ad3a6acdcf56f83272f2de1cd2389ea9e9e2 ] - -A system crashes when continuously removing/re-adding the storage -controller. - -Signed-off-by: Manish Rangankar -Reviewed-by: Ewan D. Milne -Reviewed-by: Tomas Henzl -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla4xxx/ql4_def.h | 2 + - drivers/scsi/qla4xxx/ql4_os.c | 46 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 48 insertions(+) - ---- a/drivers/scsi/qla4xxx/ql4_def.h -+++ b/drivers/scsi/qla4xxx/ql4_def.h -@@ -168,6 +168,8 @@ - #define DEV_DB_NON_PERSISTENT 0 - #define DEV_DB_PERSISTENT 1 - -+#define QL4_ISP_REG_DISCONNECT 0xffffffffU -+ - #define COPY_ISID(dst_isid, src_isid) { \ - int i, j; \ - for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;) \ ---- a/drivers/scsi/qla4xxx/ql4_os.c -+++ b/drivers/scsi/qla4xxx/ql4_os.c -@@ -262,6 +262,24 @@ static struct iscsi_transport qla4xxx_is - - static struct scsi_transport_template *qla4xxx_scsi_transport; - -+static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha) -+{ -+ u32 reg_val = 0; -+ int rval = QLA_SUCCESS; -+ -+ if (is_qla8022(ha)) -+ reg_val = readl(&ha->qla4_82xx_reg->host_status); -+ else if (is_qla8032(ha) || is_qla8042(ha)) -+ reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER); -+ else -+ reg_val = readw(&ha->reg->ctrl_status); -+ -+ if (reg_val == QL4_ISP_REG_DISCONNECT) -+ rval = QLA_ERROR; -+ -+ return rval; -+} -+ - static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num, - uint32_t iface_type, uint32_t payload_size, - uint32_t pid, struct sockaddr *dst_addr) -@@ -9196,10 +9214,17 @@ static int qla4xxx_eh_abort(struct scsi_ - struct srb *srb = NULL; - int ret = SUCCESS; - int wait = 0; -+ int rval; - - ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n", - ha->host_no, id, lun, cmd, cmd->cmnd[0]); - -+ rval = qla4xxx_isp_check_reg(ha); -+ if (rval != QLA_SUCCESS) { -+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); -+ return FAILED; -+ } -+ - spin_lock_irqsave(&ha->hardware_lock, flags); - srb = (struct srb *) CMD_SP(cmd); - if (!srb) { -@@ -9251,6 +9276,7 @@ static int qla4xxx_eh_device_reset(struc - struct scsi_qla_host *ha = to_qla_host(cmd->device->host); - struct ddb_entry *ddb_entry = cmd->device->hostdata; - int ret = FAILED, stat; -+ int rval; - - if (!ddb_entry) - return ret; -@@ -9270,6 +9296,12 @@ static int qla4xxx_eh_device_reset(struc - cmd, jiffies, cmd->request->timeout / HZ, - ha->dpc_flags, cmd->result, cmd->allowed)); - -+ rval = qla4xxx_isp_check_reg(ha); -+ if (rval != QLA_SUCCESS) { -+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); -+ return FAILED; -+ } -+ - /* FIXME: wait for hba to go online */ - stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun); - if (stat != QLA_SUCCESS) { -@@ -9313,6 +9345,7 @@ static int qla4xxx_eh_target_reset(struc - struct scsi_qla_host *ha = to_qla_host(cmd->device->host); - struct ddb_entry *ddb_entry = cmd->device->hostdata; - int stat, ret; -+ int rval; - - if (!ddb_entry) - return FAILED; -@@ -9330,6 +9363,12 @@ static int qla4xxx_eh_target_reset(struc - ha->host_no, cmd, jiffies, cmd->request->timeout / HZ, - ha->dpc_flags, cmd->result, cmd->allowed)); - -+ rval = qla4xxx_isp_check_reg(ha); -+ if (rval != QLA_SUCCESS) { -+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); -+ return FAILED; -+ } -+ - stat = qla4xxx_reset_target(ha, ddb_entry); - if (stat != QLA_SUCCESS) { - starget_printk(KERN_INFO, scsi_target(cmd->device), -@@ -9384,9 +9423,16 @@ static int qla4xxx_eh_host_reset(struct - { - int return_status = FAILED; - struct scsi_qla_host *ha; -+ int rval; - - ha = to_qla_host(cmd->device->host); - -+ rval = qla4xxx_isp_check_reg(ha); -+ if (rval != QLA_SUCCESS) { -+ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n"); -+ return FAILED; -+ } -+ - if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba) - qla4_83xx_set_idc_dontreset(ha); - diff --git a/queue-4.4/scsi-sd-keep-disk-read-only-when-re-reading-partition.patch b/queue-4.4/scsi-sd-keep-disk-read-only-when-re-reading-partition.patch deleted file mode 100644 index ca3210e3d33..00000000000 --- a/queue-4.4/scsi-sd-keep-disk-read-only-when-re-reading-partition.patch +++ /dev/null @@ -1,49 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jeremy Cline -Date: Tue, 6 Mar 2018 21:47:32 +0000 -Subject: scsi: sd: Keep disk read-only when re-reading partition - -From: Jeremy Cline - -[ Upstream commit 20bd1d026aacc5399464f8328f305985c493cde3 ] - -If the read-only flag is true on a SCSI disk, re-reading the partition -table sets the flag back to false. - -To observe this bug, you can run: - -1. blockdev --setro /dev/sda -2. blockdev --rereadpt /dev/sda -3. blockdev --getro /dev/sda - -This commit reads the disk's old state and combines it with the device -disk-reported state rather than unconditionally marking it as RW. - -Reported-by: Li Ning -Signed-off-by: Jeremy Cline -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/sd.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -2395,6 +2395,7 @@ sd_read_write_protect_flag(struct scsi_d - int res; - struct scsi_device *sdp = sdkp->device; - struct scsi_mode_data data; -+ int disk_ro = get_disk_ro(sdkp->disk); - int old_wp = sdkp->write_prot; - - set_disk_ro(sdkp->disk, 0); -@@ -2435,7 +2436,7 @@ sd_read_write_protect_flag(struct scsi_d - "Test WP failed, assume Write Enabled\n"); - } else { - sdkp->write_prot = ((data.device_specific & 0x80) != 0); -- set_disk_ro(sdkp->disk, sdkp->write_prot); -+ set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro); - if (sdkp->first_scan || old_wp != sdkp->write_prot) { - sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n", - sdkp->write_prot ? "on" : "off"); diff --git a/queue-4.4/scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch b/queue-4.4/scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch deleted file mode 100644 index ac696fec9e8..00000000000 --- a/queue-4.4/scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Michael Kelley (EOSG)" -Date: Wed, 24 Jan 2018 22:49:57 +0000 -Subject: scsi: storvsc: Increase cmd_per_lun for higher speed devices - -From: "Michael Kelley (EOSG)" - -[ Upstream commit cabe92a55e3a12005a4ac4d3954c9a174b0efe2a ] - -Increase cmd_per_lun to allow more I/Os in progress per device, -particularly for NVMe's. The Hyper-V host side can handle the higher -count with no issues. - -Signed-off-by: Michael Kelley -Reviewed-by: K. Y. Srinivasan -Acked-by: K. Y. Srinivasan -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/storvsc_drv.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/scsi/storvsc_drv.c -+++ b/drivers/scsi/storvsc_drv.c -@@ -1538,7 +1538,7 @@ static struct scsi_host_template scsi_dr - .eh_timed_out = storvsc_eh_timed_out, - .slave_alloc = storvsc_device_alloc, - .slave_configure = storvsc_device_configure, -- .cmd_per_lun = 255, -+ .cmd_per_lun = 2048, - .this_id = -1, - .use_clustering = ENABLE_CLUSTERING, - /* Make sure we dont get a sg segment crosses a page boundary */ diff --git a/queue-4.4/scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch b/queue-4.4/scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch deleted file mode 100644 index 4bd80a3554e..00000000000 --- a/queue-4.4/scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dan Carpenter -Date: Thu, 25 Jan 2018 17:13:40 +0300 -Subject: scsi: sym53c8xx_2: iterator underflow in sym_getsync() - -From: Dan Carpenter - -[ Upstream commit e6f791d95313c85f3dd4a26141e28e50ae9aa0ae ] - -We wanted to exit the loop with "div" set to zero, but instead, if we -don't hit the break then "div" is -1 when we finish the loop. It leads -to an array underflow a few lines later. - -Signed-off-by: Dan Carpenter -Reviewed-by: Johannes Thumshirn -Acked-by: Matthew Wilcox -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/sym53c8xx_2/sym_hipd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/scsi/sym53c8xx_2/sym_hipd.c -+++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c -@@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char d - * Look for the greatest clock divisor that allows an - * input speed faster than the period. - */ -- while (div-- > 0) -+ while (--div > 0) - if (kpc >= (div_10M[div] << 2)) break; - - /* diff --git a/queue-4.4/scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch b/queue-4.4/scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch deleted file mode 100644 index d0d72190bca..00000000000 --- a/queue-4.4/scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Sujit Reddy Thumma -Date: Wed, 24 Jan 2018 09:52:35 +0530 -Subject: scsi: ufs: Enable quirk to ignore sending WRITE_SAME command - -From: Sujit Reddy Thumma - -[ Upstream commit 84af7e8b895088d89f246d6b0f82717fafdebf61 ] - -WRITE_SAME command is not supported by UFS. Enable a quirk for the upper -level drivers to not send WRITE SAME command. - -[mkp: botched patch, applied by hand] - -Signed-off-by: Sujit Reddy Thumma -Signed-off-by: Subhash Jadavani -Signed-off-by: Asutosh Das -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/ufs/ufshcd.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/scsi/ufs/ufshcd.c -+++ b/drivers/scsi/ufs/ufshcd.c -@@ -2923,6 +2923,8 @@ static int ufshcd_slave_alloc(struct scs - /* REPORT SUPPORTED OPERATION CODES is not supported */ - sdev->no_report_opcodes = 1; - -+ /* WRITE_SAME command is not supported */ -+ sdev->no_write_same = 1; - - ufshcd_set_queue_depth(sdev); - diff --git a/queue-4.4/selftests-ftrace-add-a-testcase-for-probepoint.patch b/queue-4.4/selftests-ftrace-add-a-testcase-for-probepoint.patch deleted file mode 100644 index b34f3bcefd3..00000000000 --- a/queue-4.4/selftests-ftrace-add-a-testcase-for-probepoint.patch +++ /dev/null @@ -1,70 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Masami Hiramatsu -Date: Sat, 17 Mar 2018 21:40:31 +0900 -Subject: selftests: ftrace: Add a testcase for probepoint - -From: Masami Hiramatsu - -[ Upstream commit dfa453bc90eca0febff33c8d292a656e53702158 ] - -Add a testcase for probe point definition. This tests -symbol, address and symbol+offset syntax. The offset -must be positive and smaller than UINT_MAX. - -Link: http://lkml.kernel.org/r/152129043097.31874.14273580606301767394.stgit@devbox - -Signed-off-by: Masami Hiramatsu -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc | 43 +++++++++++++ - 1 file changed, 43 insertions(+) - create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc - ---- /dev/null -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc -@@ -0,0 +1,43 @@ -+#!/bin/sh -+# SPDX-License-Identifier: GPL-2.0 -+# description: Kprobe events - probe points -+ -+[ -f kprobe_events ] || exit_unsupported # this is configurable -+ -+TARGET_FUNC=create_trace_kprobe -+ -+dec_addr() { # hexaddr -+ printf "%d" "0x"`echo $1 | tail -c 8` -+} -+ -+set_offs() { # prev target next -+ A1=`dec_addr $1` -+ A2=`dec_addr $2` -+ A3=`dec_addr $3` -+ TARGET="0x$2" # an address -+ PREV=`expr $A1 - $A2` # offset to previous symbol -+ NEXT=+`expr $A3 - $A2` # offset to next symbol -+ OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol -+} -+ -+# We have to decode symbol addresses to get correct offsets. -+# If the offset is not an instruction boundary, it cause -EILSEQ. -+set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs` -+ -+UINT_TEST=no -+# printf "%x" -1 returns (unsigned long)-1. -+if [ `printf "%x" -1 | wc -c` != 9 ]; then -+ UINT_TEST=yes -+fi -+ -+echo 0 > events/enable -+echo > kprobe_events -+echo "p:testprobe ${TARGET_FUNC}" > kprobe_events -+echo "p:testprobe ${TARGET}" > kprobe_events -+echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events -+! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events -+if [ "${UINT_TEST}" = yes ]; then -+! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events -+fi -+echo > kprobe_events -+clear_trace diff --git a/queue-4.4/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch b/queue-4.4/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch deleted file mode 100644 index 1ad604c796b..00000000000 --- a/queue-4.4/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch +++ /dev/null @@ -1,73 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Masami Hiramatsu -Date: Sat, 17 Mar 2018 21:39:44 +0900 -Subject: selftests: ftrace: Add a testcase for string type with kprobe_event - -From: Masami Hiramatsu - -[ Upstream commit 5fbdbed797b6d12d043a5121fdbc8d8b49d10e80 ] - -Add a testcase for string type with kprobe event. -This tests good/bad syntax combinations and also -the traced data is correct in several way. - -Link: http://lkml.kernel.org/r/152129038381.31874.9201387794548737554.stgit@devbox - -Signed-off-by: Masami Hiramatsu -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 46 ++++++++++ - 1 file changed, 46 insertions(+) - create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc - ---- /dev/null -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc -@@ -0,0 +1,46 @@ -+#!/bin/sh -+# SPDX-License-Identifier: GPL-2.0 -+# description: Kprobe event string type argument -+ -+[ -f kprobe_events ] || exit_unsupported # this is configurable -+ -+echo 0 > events/enable -+echo > kprobe_events -+ -+case `uname -m` in -+x86_64) -+ ARG2=%si -+ OFFS=8 -+;; -+i[3456]86) -+ ARG2=%cx -+ OFFS=4 -+;; -+aarch64) -+ ARG2=%x1 -+ OFFS=8 -+;; -+arm*) -+ ARG2=%r1 -+ OFFS=4 -+;; -+*) -+ echo "Please implement other architecture here" -+ exit_untested -+esac -+ -+: "Test get argument (1)" -+echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events -+echo 1 > events/kprobes/testprobe/enable -+! echo test >> kprobe_events -+tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\"" -+ -+echo 0 > events/kprobes/testprobe/enable -+: "Test get argument (2)" -+echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events -+echo 1 > events/kprobes/testprobe/enable -+! echo test1 test2 >> kprobe_events -+tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\"" -+ -+echo 0 > events/enable -+echo > kprobe_events diff --git a/queue-4.4/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch b/queue-4.4/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch deleted file mode 100644 index f4085c6bb96..00000000000 --- a/queue-4.4/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch +++ /dev/null @@ -1,124 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Masami Hiramatsu -Date: Sat, 17 Mar 2018 21:38:56 +0900 -Subject: selftests: ftrace: Add probe event argument syntax testcase - -From: Masami Hiramatsu - -[ Upstream commit 871bef2000968c312a4000b2f56d370dcedbc93c ] - -Add a testcase for probe event argument syntax which -ensures the kprobe_events interface correctly parses -given event arguments. - -Link: http://lkml.kernel.org/r/152129033679.31874.12705519603869152799.stgit@devbox - -Signed-off-by: Masami Hiramatsu -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 97 ++++++++++ - 1 file changed, 97 insertions(+) - create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc - ---- /dev/null -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc -@@ -0,0 +1,97 @@ -+#!/bin/sh -+# SPDX-License-Identifier: GPL-2.0 -+# description: Kprobe event argument syntax -+ -+[ -f kprobe_events ] || exit_unsupported # this is configurable -+ -+grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue -+ -+echo 0 > events/enable -+echo > kprobe_events -+ -+PROBEFUNC="vfs_read" -+GOODREG= -+BADREG= -+GOODSYM="_sdata" -+if ! grep -qw ${GOODSYM} /proc/kallsyms ; then -+ GOODSYM=$PROBEFUNC -+fi -+BADSYM="deaqswdefr" -+SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "` -+GOODTYPE="x16" -+BADTYPE="y16" -+ -+case `uname -m` in -+x86_64|i[3456]86) -+ GOODREG=%ax -+ BADREG=%ex -+;; -+aarch64) -+ GOODREG=%x0 -+ BADREG=%ax -+;; -+arm*) -+ GOODREG=%r0 -+ BADREG=%ax -+;; -+esac -+ -+test_goodarg() # Good-args -+{ -+ while [ "$1" ]; do -+ echo "p ${PROBEFUNC} $1" > kprobe_events -+ shift 1 -+ done; -+} -+ -+test_badarg() # Bad-args -+{ -+ while [ "$1" ]; do -+ ! echo "p ${PROBEFUNC} $1" > kprobe_events -+ shift 1 -+ done; -+} -+ -+echo > kprobe_events -+ -+: "Register access" -+test_goodarg ${GOODREG} -+test_badarg ${BADREG} -+ -+: "Symbol access" -+test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10" -+test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \ -+ "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10" -+ -+: "Stack access" -+test_goodarg "\$stack" "\$stack0" "\$stack1" -+test_badarg "\$stackp" "\$stack0+10" "\$stack1-10" -+ -+: "Retval access" -+echo "r ${PROBEFUNC} \$retval" > kprobe_events -+! echo "p ${PROBEFUNC} \$retval" > kprobe_events -+ -+: "Comm access" -+test_goodarg "\$comm" -+ -+: "Indirect memory access" -+test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \ -+ "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))" -+test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \ -+ "+10(\$comm)" "+0(${GOODREG})+10" -+ -+: "Name assignment" -+test_goodarg "varname=${GOODREG}" -+test_badarg "varname=varname2=${GOODREG}" -+ -+: "Type syntax" -+test_goodarg "${GOODREG}:${GOODTYPE}" -+test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \ -+ "${GOODTYPE}:${GOODREG}" -+ -+: "Combination check" -+ -+test_goodarg "\$comm:string" "+0(\$stack):string" -+test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string" -+ -+echo > kprobe_events diff --git a/queue-4.4/selftests-memfd-add-config-fragment-for-fuse.patch b/queue-4.4/selftests-memfd-add-config-fragment-for-fuse.patch deleted file mode 100644 index 02a6352b415..00000000000 --- a/queue-4.4/selftests-memfd-add-config-fragment-for-fuse.patch +++ /dev/null @@ -1,25 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Anders Roxell -Date: Tue, 6 Feb 2018 16:20:44 -0600 -Subject: selftests: memfd: add config fragment for fuse - -From: Anders Roxell - -[ Upstream commit 9a606f8d55cfc932ec02172aaed4124fdc150047 ] - -The memfd test requires to insert the fuse module (CONFIG_FUSE_FS). - -Signed-off-by: Anders Roxell -Signed-off-by: Daniel Díaz -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/memfd/config | 1 + - 1 file changed, 1 insertion(+) - create mode 100644 tools/testing/selftests/memfd/config - ---- /dev/null -+++ b/tools/testing/selftests/memfd/config -@@ -0,0 +1 @@ -+CONFIG_FUSE_FS=m diff --git a/queue-4.4/selftests-net-fixes-psock_fanout-ebpf-test-case.patch b/queue-4.4/selftests-net-fixes-psock_fanout-ebpf-test-case.patch deleted file mode 100644 index 2296fb6a05b..00000000000 --- a/queue-4.4/selftests-net-fixes-psock_fanout-ebpf-test-case.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Prashant Bhole -Date: Thu, 15 Feb 2018 09:19:26 +0900 -Subject: selftests/net: fixes psock_fanout eBPF test case - -From: Prashant Bhole - -[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ] - -eBPF test fails due to verifier failure because log_buf is too small. -Fixed by increasing log_buf size - -Signed-off-by: Prashant Bhole -Acked-by: Willem de Bruijn -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/net/psock_fanout.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/tools/testing/selftests/net/psock_fanout.c -+++ b/tools/testing/selftests/net/psock_fanout.c -@@ -97,6 +97,8 @@ static int sock_fanout_open(uint16_t typ - - static void sock_fanout_set_ebpf(int fd) - { -+ static char log_buf[65536]; -+ - const int len_off = __builtin_offsetof(struct __sk_buff, len); - struct bpf_insn prog[] = { - { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 }, -@@ -109,7 +111,6 @@ static void sock_fanout_set_ebpf(int fd) - { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 }, - { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } - }; -- char log_buf[512]; - union bpf_attr attr; - int pfd; - diff --git a/queue-4.4/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch b/queue-4.4/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch deleted file mode 100644 index 6fd052cddc0..00000000000 --- a/queue-4.4/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch +++ /dev/null @@ -1,65 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Ellerman -Date: Mon, 26 Feb 2018 15:22:22 +1100 -Subject: selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable - -From: Michael Ellerman - -[ Upstream commit cd4a6f3ab4d80cb919d15897eb3cbc85c2009d4b ] - -The subpage_prot syscall is only functional when the system is using -the Hash MMU. Since commit 5b2b80714796 ("powerpc/mm: Invalidate -subpage_prot() system call on radix platforms") it returns ENOENT when -the Radix MMU is active. Currently this just makes the test fail. - -Additionally the syscall is not available if the kernel is built with -4K pages, or if CONFIG_PPC_SUBPAGE_PROT=n, in which case it returns -ENOSYS because the syscall is missing entirely. - -So check explicitly for ENOENT and ENOSYS and skip if we see either of -those. - -Signed-off-by: Michael Ellerman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/powerpc/mm/subpage_prot.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/tools/testing/selftests/powerpc/mm/subpage_prot.c -+++ b/tools/testing/selftests/powerpc/mm/subpage_prot.c -@@ -135,6 +135,16 @@ static int run_test(void *addr, unsigned - return 0; - } - -+static int syscall_available(void) -+{ -+ int rc; -+ -+ errno = 0; -+ rc = syscall(__NR_subpage_prot, 0, 0, 0); -+ -+ return rc == 0 || (errno != ENOENT && errno != ENOSYS); -+} -+ - int test_anon(void) - { - unsigned long align; -@@ -145,6 +155,8 @@ int test_anon(void) - void *mallocblock; - unsigned long mallocsize; - -+ SKIP_IF(!syscall_available()); -+ - if (getpagesize() != 0x10000) { - fprintf(stderr, "Kernel page size must be 64K!\n"); - return 1; -@@ -180,6 +192,8 @@ int test_file(void) - off_t filesize; - int fd; - -+ SKIP_IF(!syscall_available()); -+ - fd = open(file_name, O_RDWR); - if (fd == -1) { - perror("failed to open file"); diff --git a/queue-4.4/selftests-print-the-test-we-re-running-to-dev-kmsg.patch b/queue-4.4/selftests-print-the-test-we-re-running-to-dev-kmsg.patch deleted file mode 100644 index 75c67b91655..00000000000 --- a/queue-4.4/selftests-print-the-test-we-re-running-to-dev-kmsg.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Ellerman -Date: Fri, 23 Mar 2018 20:44:27 +1100 -Subject: selftests: Print the test we're running to /dev/kmsg - -From: Michael Ellerman - -[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ] - -Some tests cause the kernel to print things to the kernel log -buffer (ie. printk), in particular oops and warnings etc. However when -running all the tests in succession it's not always obvious which -test(s) caused the kernel to print something. - -We can narrow it down by printing which test directory we're running -in to /dev/kmsg, if it's writable. - -Example output: - - [ 170.149149] kselftest: Running tests in powerpc - [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes - left - [ 808.915456] kselftest: Running tests in pstore - -Signed-off-by: Michael Ellerman -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/selftests/Makefile | 1 + - 1 file changed, 1 insertion(+) - ---- a/tools/testing/selftests/Makefile -+++ b/tools/testing/selftests/Makefile -@@ -90,6 +90,7 @@ ifdef INSTALL_PATH - for TARGET in $(TARGETS); do \ - echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \ - echo "echo ========================================" >> $(ALL_SCRIPT); \ -+ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \ - echo "cd $$TARGET" >> $(ALL_SCRIPT); \ - make -s --no-print-directory -C $$TARGET emit_tests >> $(ALL_SCRIPT); \ - echo "cd \$$ROOT" >> $(ALL_SCRIPT); \ diff --git a/queue-4.4/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.4/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch deleted file mode 100644 index e843106b9e0..00000000000 --- a/queue-4.4/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Fri, 23 Feb 2018 14:38:29 +0100 -Subject: serial: arc_uart: Fix out-of-bounds access through DT alias - -From: Geert Uytterhoeven - -[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ] - -The arc_uart_ports[] array is indexed using a value derived from the -"serialN" alias in DT, which may lead to an out-of-bounds access. - -Fix this by adding a range check. - -Note that the array size is defined by a Kconfig symbol -(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a -legitimate DTB. - -Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing") -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/arc_uart.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/tty/serial/arc_uart.c -+++ b/drivers/tty/serial/arc_uart.c -@@ -597,6 +597,11 @@ static int arc_serial_probe(struct platf - if (dev_id < 0) - dev_id = 0; - -+ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { -+ dev_err(&pdev->dev, "serial%d out of range\n", dev_id); -+ return -EINVAL; -+ } -+ - uart = &arc_uart_ports[dev_id]; - port = &uart->port; - diff --git a/queue-4.4/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.4/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch deleted file mode 100644 index 602c2dfed88..00000000000 --- a/queue-4.4/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch +++ /dev/null @@ -1,36 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Fri, 23 Feb 2018 14:38:30 +0100 -Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias - -From: Geert Uytterhoeven - -[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ] - -The lpuart_ports[] array is indexed using a value derived from the -"serialN" alias in DT, which may lead to an out-of-bounds access. - -Fix this by adding a range check. - -Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support") -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/fsl_lpuart.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/tty/serial/fsl_lpuart.c -+++ b/drivers/tty/serial/fsl_lpuart.c -@@ -1818,6 +1818,10 @@ static int lpuart_probe(struct platform_ - dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); - return ret; - } -+ if (ret >= ARRAY_SIZE(lpuart_ports)) { -+ dev_err(&pdev->dev, "serial%d out of range\n", ret); -+ return -EINVAL; -+ } - sport->port.line = ret; - sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart"); - diff --git a/queue-4.4/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.4/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch deleted file mode 100644 index f7d7d38e46d..00000000000 --- a/queue-4.4/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Fri, 23 Feb 2018 14:38:31 +0100 -Subject: serial: imx: Fix out-of-bounds access through serial port index - -From: Geert Uytterhoeven - -[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ] - -The imx_ports[] array is indexed using a value derived from the -"serialN" alias in DT, or from platform data, which may lead to an -out-of-bounds access. - -Fix this by adding a range check. - -Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back") -Signed-off-by: Geert Uytterhoeven -Reviewed-by: Uwe Kleine-König -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/imx.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/tty/serial/imx.c -+++ b/drivers/tty/serial/imx.c -@@ -1923,6 +1923,12 @@ static int serial_imx_probe(struct platf - else if (ret < 0) - return ret; - -+ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { -+ dev_err(&pdev->dev, "serial%d out of range\n", -+ sport->port.line); -+ return -EINVAL; -+ } -+ - res = platform_get_resource(pdev, IORESOURCE_MEM, 0); - base = devm_ioremap_resource(&pdev->dev, res); - if (IS_ERR(base)) diff --git a/queue-4.4/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.4/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch deleted file mode 100644 index 096cb232330..00000000000 --- a/queue-4.4/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Fri, 23 Feb 2018 14:38:32 +0100 -Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index - -From: Geert Uytterhoeven - -[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ] - -The auart_port[] array is indexed using a value derived from the -"serialN" alias in DT, or from platform data, which may lead to an -out-of-bounds access. - -Fix this by adding a range check. - -Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/mxs-auart.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/tty/serial/mxs-auart.c -+++ b/drivers/tty/serial/mxs-auart.c -@@ -1274,6 +1274,10 @@ static int mxs_auart_probe(struct platfo - s->port.line = pdev->id < 0 ? 0 : pdev->id; - else if (ret < 0) - return ret; -+ if (s->port.line >= ARRAY_SIZE(auart_port)) { -+ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); -+ return -EINVAL; -+ } - - if (of_id) { - pdev->id_entry = of_id->data; diff --git a/queue-4.4/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.4/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch deleted file mode 100644 index f06db755b4f..00000000000 --- a/queue-4.4/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch +++ /dev/null @@ -1,41 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Fri, 23 Feb 2018 14:38:34 +0100 -Subject: serial: samsung: Fix out-of-bounds access through serial port index - -From: Geert Uytterhoeven - -[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ] - -The s3c24xx_serial_ports[] array is indexed using a value derived from -the "serialN" alias in DT, or from an incrementing probe index, which -may lead to an out-of-bounds access. - -Fix this by adding a range check. - -Note that the array size is defined by a Kconfig symbol -(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using -a legitimate DTB or legitimate board code. - -Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports") -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/samsung.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/tty/serial/samsung.c -+++ b/drivers/tty/serial/samsung.c -@@ -1807,6 +1807,10 @@ static int s3c24xx_serial_probe(struct p - - dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index); - -+ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) { -+ dev_err(&pdev->dev, "serial%d out of range\n", index); -+ return -EINVAL; -+ } - ourport = &s3c24xx_serial_ports[index]; - - ourport->drv_data = s3c24xx_get_driver_data(pdev); diff --git a/queue-4.4/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.4/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch deleted file mode 100644 index 43386696605..00000000000 --- a/queue-4.4/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Geert Uytterhoeven -Date: Fri, 23 Feb 2018 14:38:37 +0100 -Subject: serial: xuartps: Fix out-of-bounds access through DT alias - -From: Geert Uytterhoeven - -[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ] - -The cdns_uart_port[] array is indexed using a value derived from the -"serialN" alias in DT, which may lead to an out-of-bounds access. - -Fix this by adding a range check. - -Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases") -Signed-off-by: Geert Uytterhoeven -Reviewed-by: Michal Simek -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/xilinx_uartps.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/tty/serial/xilinx_uartps.c -+++ b/drivers/tty/serial/xilinx_uartps.c -@@ -1026,7 +1026,7 @@ static struct uart_port *cdns_uart_get_p - struct uart_port *port; - - /* Try the given port id if failed use default method */ -- if (cdns_uart_port[id].mapbase != 0) { -+ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { - /* Find the next unused port */ - for (id = 0; id < CDNS_UART_NR_PORTS; id++) - if (cdns_uart_port[id].mapbase == 0) diff --git a/queue-4.4/series b/queue-4.4/series index 857c038d22a..7a1e90179eb 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,268 +1,9 @@ perf-core-fix-the-perf_cpu_time_max_percent-check.patch bpf-map_get_next_key-to-return-first-key-on-null.patch -firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch -nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch -alsa-hda-use-is_reachable-for-dependency-on-input.patch -asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch -kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch -tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch -pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch -tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch -perf-callchain-fix-attr.sample_max_stack-setting.patch -tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch tpm-do-not-suspend-resume-if-power-stays-on.patch tpm-self-test-failure-should-not-cause-suspend-to-fail.patch kvm-s390-enable-all-facility-bits-that-are-known-good-for-passthrough.patch -dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch -nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch -watchdog-sp5100_tco-fix-watchdog-disable-bit.patch -kconfig-don-t-leak-main-menus-during-parsing.patch -kconfig-fix-automatic-menu-creation-mem-leak.patch -kconfig-fix-expr_free-e_not-leak.patch -mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch -ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch -btrfs-set-plug-for-fsync.patch -btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch -btrfs-fix-scrub-to-repair-raid6-corruption.patch -scsi-fas216-fix-sense-buffer-initialization.patch -hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch -jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch -powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch -powerpc-numa-ensure-nodes-initialized-for-hotplug.patch -rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch -ntb_transport-fix-bug-with-max_mw_size-parameter.patch -ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch -ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch -ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch -mm-mempolicy-fix-the-check-of-nodemask-from-user.patch -mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch -asm-generic-provide-generic_pmdp_establish.patch -mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch -ib-ipoib-fix-for-potential-no-carrier-state.patch -x86-power-fix-swsusp_arch_resume-prototype.patch -firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch -acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch -bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch -mips-txx9-use-is_builtin-for-config_leds_class.patch -xen-netfront-fix-race-between-device-setup-and-open.patch -xen-grant-table-use-put_page-instead-of-free_page.patch -rds-ib-fix-null-pointer-issue.patch -arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch -proc-fix-proc-map_files-lookup.patch -cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch -bcache-properly-set-task-state-in-bch_writeback_thread.patch -bcache-fix-for-allocator-and-register-thread-race.patch -bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch -bcache-return-attach-error-when-no-cache-set-exist.patch -tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch -locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch -irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch -scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch -scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch -scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch -scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch -scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch -arc-fix-malformed-arc_emul_unaligned-default.patch -usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch -usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch -usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch -selftests-memfd-add-config-fragment-for-fuse.patch -scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch -scsi-aacraid-fix-shutdown-crash-when-init-fails.patch -scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch -arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch -arm-omap3-fix-prm-wake-interrupt-for-resume.patch -arm-omap1-clock-fix-debugfs_create_-usage.patch -usb-serial-option-add-support-for-quectel-ep06.patch -nfc-llcp-limit-size-of-sdp-uri.patch -mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch -md-raid10-fix-null-deference-in-handle_write_completed.patch -drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch -drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch -usb-musb-fix-enumeration-after-resume.patch -locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch -md-raid5-avoid-string-overflow-warning.patch -kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch -powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch -s390-cio-fix-return-code-after-missing-interrupt.patch -s390-cio-clear-timer-when-terminating-driver-i-o.patch -arm-omap-fix-dmtimer-init-for-omap1.patch -smsc75xx-fix-smsc75xx_set_features.patch -regulatory-add-nul-to-request-alpha2.patch -locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch -x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch -media-dmxdev-fix-error-code-for-invalid-ioctls.patch percpu-include-linux-sched.h-for-cond_resched.patch -percpu-add-a-schedule-point-in-pcpu_balance_workfn.patch -md-raid1-fix-null-pointer-dereference.patch -batman-adv-fix-packet-checksum-in-receive-path.patch -batman-adv-invalidate-checksum-on-fragment-reassembly.patch -netfilter-ebtables-convert-bug_ons-to-warn_ons.patch -nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch -clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch -r8152-fix-tx-packets-accounting.patch -virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch -dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch -bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch -sit-fix-ifla_mtu-ignored-on-newlink.patch -gianfar-fix-rx-byte-accounting-for-ndev-stats.patch -net-tcp-illinois-replace-broken-algorithm-reference-link.patch -xen-pirq-fix-error-path-cleanup-when-binding-msis.patch -btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch -selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch -kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch -watchdog-f71808e_wdt-fix-magic-close-handling.patch -e1000e-fix-check_for_link-return-value-with-autoneg-off.patch -e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch -usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch -scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch -scsi-sd-keep-disk-read-only-when-re-reading-partition.patch -fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch -xen-xenbus-use-put_device-instead-of-kfree.patch -usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch -netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch -bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch -scsi-libsas-defer-ata-device-eh-commands-to-libata.patch -workqueue-use-put_device-instead-of-kfree.patch -ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch -sunvnet-does-not-support-gso-for-sctp.patch -microblaze-switch-to-no_bootmem.patch -net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch -batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch -vti4-don-t-count-header-length-twice-on-tunnel-setup.patch -vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch -perf-cgroup-fix-child-event-counting-bug.patch -rdma-ucma-correct-option-size-check-using-optlen.patch -mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch -selftests-ftrace-add-probe-event-argument-syntax-testcase.patch -selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch -selftests-ftrace-add-a-testcase-for-probepoint.patch -batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch -batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch -arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch -net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch -net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch -net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch -llc-properly-handle-dev_queue_xmit-return-value.patch -mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch -net-fix-untag-for-vlan-packets-without-ethernet-header.patch -net-mvneta-fix-enable-of-all-initialized-rxqs.patch -sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch -x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch -fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch -swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch -sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch -force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch -tracing-uprobe_event-fix-strncpy-corner-case.patch -cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch -scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch -dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch -arm-dts-ls1021a-specify-tbipa-register-address.patch -crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch -soreuseport-initialise-timewait-reuseport-field.patch -dccp-initialize-ireq-ir_mark.patch -mm-ksm-fix-interaction-with-thp.patch -mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch -btrfs-bail-out-on-error-during-replay_dir_deletes.patch -btrfs-fix-null-pointer-dereference-in-log_dir_items.patch -btrfs-fix-possible-softlock-on-single-core-machines.patch -ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch -sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch -kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch -fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch -sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch -rtc-snvs-fix-usage-of-snvs_rtc_enable.patch -net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch -bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch -btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch -btrfs-fix-copy_items-return-value-when-logging-an-inode.patch -btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch -xen-acpi-off-by-one-in-read_acpi_id.patch -acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch -powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch -m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch -parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch -hwmon-nct6775-fix-writing-pwmx_mode.patch -rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch -powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch -powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch -tools-thermal-tmon-fix-for-segfault.patch -selftests-print-the-test-we-re-running-to-dev-kmsg.patch -net-mlx5-protect-from-command-bit-overflow.patch -ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch -ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch -ima-fallback-to-the-builtin-hash-algorithm.patch -virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch -arm-dts-socfpga-fix-gic-ppi-warning.patch -usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch -cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch -clk-don-t-show-the-incorrect-clock-phase.patch -zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch -bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch -acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch -acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch -i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch -kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch -xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch -mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch -pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch -ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch -usb-dwc2-fix-interval-type-issue.patch -usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch -usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch -powerpc-add-missing-prototype-for-arch_irq_work_raise.patch -powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch -asoc-topology-create-tlv-data-for-dapm-widgets.patch -perf-core-fix-perf_output_read_group.patch -hwmon-pmbus-max8688-accept-negative-page-register-values.patch -hwmon-pmbus-adm1275-accept-negative-page-register-values.patch -cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch -gfs2-fix-fallocate-chunk-size.patch -usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch -usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch -x86-devicetree-initialize-device-tree-before-using-it.patch -x86-devicetree-fix-device-irq-settings-in-dt.patch -alsa-vmaster-propagate-slave-error.patch -media-cx23885-override-888-impactvcbe-crystal-frequency.patch -media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch -media-s3c-camif-fix-out-of-bounds-array-access.patch -dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch -media-em28xx-usb-bulk-packet-size-fix.patch -clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch -enic-enable-rq-before-updating-rq-descriptors.patch -hwrng-stm32-add-reset-during-probe.patch -staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch -rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch -serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch -serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch -serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch -serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch -serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch -serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch -pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch -udf-provide-saner-default-for-invalid-uid-gid.patch -media-cx25821-prevent-out-of-bounds-read-on-array-card.patch -clk-samsung-s3c2410-fix-pll-rates.patch -clk-samsung-exynos5260-fix-pll-rates.patch -clk-samsung-exynos5433-fix-pll-rates.patch -clk-samsung-exynos5250-fix-pll-rates.patch -clk-samsung-exynos3250-fix-pll-rates.patch -crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch -audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch -mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch -drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch -x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch -perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch -perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch -selftests-net-fixes-psock_fanout-ebpf-test-case.patch -netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch -scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch -scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch -scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch -regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch -asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch -bluetooth-btusb-add-device-id-for-rtl8822be.patch -kdb-make-mdr-command-repeat.patch mac80211-allow-not-sending-mic-up-from-driver-for-hw-crypto.patch mac80211-allow-same-pn-for-amsdu-sub-frames.patch mac80211-add-rx-flag-to-indicate-icv-stripped.patch diff --git a/queue-4.4/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch b/queue-4.4/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch deleted file mode 100644 index c3810e8c6fb..00000000000 --- a/queue-4.4/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Rich Felker -Date: Thu, 15 Mar 2018 20:01:36 -0400 -Subject: sh: fix debug trap failure to process signals before return to user - -From: Rich Felker - -[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ] - -When responding to a debug trap (breakpoint) in userspace, the -kernel's trap handler raised SIGTRAP but returned from the trap via a -code path that ignored pending signals, resulting in an infinite loop -re-executing the trapping instruction. - -Signed-off-by: Rich Felker -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/sh/kernel/entry-common.S | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/sh/kernel/entry-common.S -+++ b/arch/sh/kernel/entry-common.S -@@ -255,7 +255,7 @@ debug_trap: - mov.l @r8, r8 - jsr @r8 - nop -- bra __restore_all -+ bra ret_from_exception - nop - CFI_ENDPROC - diff --git a/queue-4.4/sit-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.4/sit-fix-ifla_mtu-ignored-on-newlink.patch deleted file mode 100644 index f8c0916f047..00000000000 --- a/queue-4.4/sit-fix-ifla_mtu-ignored-on-newlink.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Xin Long -Date: Tue, 27 Feb 2018 19:19:41 +0800 -Subject: sit: fix IFLA_MTU ignored on NEWLINK - -From: Xin Long - -[ Upstream commit 2b3957c34b6d7f03544b12ebbf875eee430745db ] - -Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len -correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same -mtu fix is also needed for sit. - -Note that dev->hard_header_len setting for sit works fine, no need to -fix it. sit is actually ipv4 tunnel, it can't call ip6_tnl_change_mtu -to set mtu. - -Reported-by: Jianlin Shi -Signed-off-by: Xin Long -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv6/sit.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -1574,6 +1574,13 @@ static int ipip6_newlink(struct net *src - if (err < 0) - return err; - -+ if (tb[IFLA_MTU]) { -+ u32 mtu = nla_get_u32(tb[IFLA_MTU]); -+ -+ if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len) -+ dev->mtu = mtu; -+ } -+ - #ifdef CONFIG_IPV6_SIT_6RD - if (ipip6_netlink_6rd_parms(data, &ip6rd)) - err = ipip6_tunnel_update_6rd(nt, &ip6rd); diff --git a/queue-4.4/smsc75xx-fix-smsc75xx_set_features.patch b/queue-4.4/smsc75xx-fix-smsc75xx_set_features.patch deleted file mode 100644 index 87e82e125ef..00000000000 --- a/queue-4.4/smsc75xx-fix-smsc75xx_set_features.patch +++ /dev/null @@ -1,42 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Eric Dumazet -Date: Tue, 20 Feb 2018 21:42:26 -0800 -Subject: smsc75xx: fix smsc75xx_set_features() - -From: Eric Dumazet - -[ Upstream commit 88e80c62671ceecdbb77c902731ec95a4bfa62f9 ] - -If an attempt is made to disable RX checksums, USB adapter is changed -but netdev->features is not, because smsc75xx_set_features() returns a -non zero value. - -This throws errors from netdev_rx_csum_fault() : -: hw csum failure - -Signed-off-by: Eric Dumazet -Cc: Steve Glendinning -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/usb/smsc75xx.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - ---- a/drivers/net/usb/smsc75xx.c -+++ b/drivers/net/usb/smsc75xx.c -@@ -945,10 +945,11 @@ static int smsc75xx_set_features(struct - /* it's racing here! */ - - ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); -- if (ret < 0) -+ if (ret < 0) { - netdev_warn(dev->net, "Error writing RFE_CTL\n"); -- -- return ret; -+ return ret; -+ } -+ return 0; - } - - static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm) diff --git a/queue-4.4/soreuseport-initialise-timewait-reuseport-field.patch b/queue-4.4/soreuseport-initialise-timewait-reuseport-field.patch deleted file mode 100644 index 1aeff10d156..00000000000 --- a/queue-4.4/soreuseport-initialise-timewait-reuseport-field.patch +++ /dev/null @@ -1,149 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Eric Dumazet -Date: Sat, 7 Apr 2018 13:42:43 -0700 -Subject: soreuseport: initialise timewait reuseport field - -From: Eric Dumazet - -[ Upstream commit 3099a52918937ab86ec47038ad80d377ba16c531 ] - -syzbot reported an uninit-value in inet_csk_bind_conflict() [1] - -It turns out we never propagated sk->sk_reuseport into timewait socket. - -[1] -BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151 -CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:17 [inline] - dump_stack+0x185/0x1d0 lib/dump_stack.c:53 - kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 - __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 - inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151 - inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320 - inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399 - SYSC_bind+0x3f2/0x4b0 net/socket.c:1474 - SyS_bind+0x54/0x80 net/socket.c:1460 - do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 -RIP: 0033:0x4416e9 -RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031 -RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9 -RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004 -RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08 -R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478 -R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000 - -Uninit was stored to memory at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] - kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] - kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 - __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 - tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283 - tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 - tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 - sk_backlog_rcv include/net/sock.h:908 [inline] - __release_sock+0x2d6/0x680 net/core/sock.c:2271 - release_sock+0x97/0x2a0 net/core/sock.c:2786 - tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 - inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 - inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 - sock_release net/socket.c:595 [inline] - sock_close+0xe0/0x300 net/socket.c:1149 - __fput+0x49e/0xa10 fs/file_table.c:209 - ____fput+0x37/0x40 fs/file_table.c:243 - task_work_run+0x243/0x2c0 kernel/task_work.c:113 - exit_task_work include/linux/task_work.h:22 [inline] - do_exit+0x10e1/0x38d0 kernel/exit.c:867 - do_group_exit+0x1a0/0x360 kernel/exit.c:970 - SYSC_exit_group+0x21/0x30 kernel/exit.c:981 - SyS_exit_group+0x25/0x30 kernel/exit.c:979 - do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 -Uninit was stored to memory at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] - kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] - kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 - __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 - inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182 - tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258 - tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 - tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 - sk_backlog_rcv include/net/sock.h:908 [inline] - __release_sock+0x2d6/0x680 net/core/sock.c:2271 - release_sock+0x97/0x2a0 net/core/sock.c:2786 - tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 - inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 - inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 - sock_release net/socket.c:595 [inline] - sock_close+0xe0/0x300 net/socket.c:1149 - __fput+0x49e/0xa10 fs/file_table.c:209 - ____fput+0x37/0x40 fs/file_table.c:243 - task_work_run+0x243/0x2c0 kernel/task_work.c:113 - exit_task_work include/linux/task_work.h:22 [inline] - do_exit+0x10e1/0x38d0 kernel/exit.c:867 - do_group_exit+0x1a0/0x360 kernel/exit.c:970 - SYSC_exit_group+0x21/0x30 kernel/exit.c:981 - SyS_exit_group+0x25/0x30 kernel/exit.c:979 - do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 -Uninit was created at: - kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] - kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 - kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 - kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 - inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163 - tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258 - tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 - tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 - sk_backlog_rcv include/net/sock.h:908 [inline] - __release_sock+0x2d6/0x680 net/core/sock.c:2271 - release_sock+0x97/0x2a0 net/core/sock.c:2786 - tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 - inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 - inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 - sock_release net/socket.c:595 [inline] - sock_close+0xe0/0x300 net/socket.c:1149 - __fput+0x49e/0xa10 fs/file_table.c:209 - ____fput+0x37/0x40 fs/file_table.c:243 - task_work_run+0x243/0x2c0 kernel/task_work.c:113 - exit_task_work include/linux/task_work.h:22 [inline] - do_exit+0x10e1/0x38d0 kernel/exit.c:867 - do_group_exit+0x1a0/0x360 kernel/exit.c:970 - SYSC_exit_group+0x21/0x30 kernel/exit.c:981 - SyS_exit_group+0x25/0x30 kernel/exit.c:979 - do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 - -Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation") -Signed-off-by: Eric Dumazet -Reported-by: syzbot -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/net/inet_timewait_sock.h | 1 + - net/ipv4/inet_timewait_sock.c | 1 + - 2 files changed, 2 insertions(+) - ---- a/include/net/inet_timewait_sock.h -+++ b/include/net/inet_timewait_sock.h -@@ -55,6 +55,7 @@ struct inet_timewait_sock { - #define tw_family __tw_common.skc_family - #define tw_state __tw_common.skc_state - #define tw_reuse __tw_common.skc_reuse -+#define tw_reuseport __tw_common.skc_reuseport - #define tw_ipv6only __tw_common.skc_ipv6only - #define tw_bound_dev_if __tw_common.skc_bound_dev_if - #define tw_node __tw_common.skc_nulls_node ---- a/net/ipv4/inet_timewait_sock.c -+++ b/net/ipv4/inet_timewait_sock.c -@@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_all - tw->tw_dport = inet->inet_dport; - tw->tw_family = sk->sk_family; - tw->tw_reuse = sk->sk_reuse; -+ tw->tw_reuseport = sk->sk_reuseport; - tw->tw_hash = sk->sk_hash; - tw->tw_ipv6only = 0; - tw->tw_transparent = inet->transparent; diff --git a/queue-4.4/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch b/queue-4.4/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch deleted file mode 100644 index 02b19010fb3..00000000000 --- a/queue-4.4/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "David S. Miller" -Date: Tue, 3 Apr 2018 08:24:35 -0700 -Subject: sparc64: Make atomic_xchg() an inline function rather than a macro. - -From: "David S. Miller" - -[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ] - -This avoids a lot of -Wunused warnings such as: - -==================== -kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: -./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] - #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) - -./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’ - #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) - ^~~~ -kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’ - atomic_xchg(&kgdb_active, cpu); - ^~~~~~~~~~~ -==================== - -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/sparc/include/asm/atomic_64.h | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/arch/sparc/include/asm/atomic_64.h -+++ b/arch/sparc/include/asm/atomic_64.h -@@ -74,7 +74,11 @@ ATOMIC_OP(xor) - #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0) - - #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) --#define atomic_xchg(v, new) (xchg(&((v)->counter), new)) -+ -+static inline int atomic_xchg(atomic_t *v, int new) -+{ -+ return xchg(&v->counter, new); -+} - - static inline int __atomic_add_unless(atomic_t *v, int a, int u) - { diff --git a/queue-4.4/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch b/queue-4.4/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch deleted file mode 100644 index 405e2c6d7c1..00000000000 --- a/queue-4.4/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch +++ /dev/null @@ -1,119 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jens Axboe -Date: Wed, 11 Apr 2018 11:26:09 -0600 -Subject: sr: get/drop reference to device in revalidate and check_events - -From: Jens Axboe - -[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ] - -We can't just use scsi_cd() to get the scsi_cd structure, we have -to grab a live reference to the device. For both callbacks, we're -not inside an open where we already hold a reference to the device. - -This fixes device removal/addition under concurrent device access, -which otherwise could result in the below oops. - -NULL pointer dereference at 0000000000000010 -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP -Modules linked in: -sr 12:0:0:0: [sr2] scsi-1 drive - scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl -sr 12:0:0:0: Attached scsi CD-ROM sr2 - sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc -sr 12:0:0:0: Attached scsi generic sg7 type 5 - igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif] -CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650 -Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016 -RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod] -RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292 -RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66 -RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000 -RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000 -R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d -R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000 -FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - ? __invalidate_device+0x48/0x60 - check_disk_change+0x4c/0x60 - sr_block_open+0x16/0xd0 [sr_mod] - __blkdev_get+0xb9/0x450 - ? iget5_locked+0x1c0/0x1e0 - blkdev_get+0x11e/0x320 - ? bdget+0x11d/0x150 - ? _raw_spin_unlock+0xa/0x20 - ? bd_acquire+0xc0/0xc0 - do_dentry_open+0x1b0/0x320 - ? inode_permission+0x24/0xc0 - path_openat+0x4e6/0x1420 - ? cpumask_any_but+0x1f/0x40 - ? flush_tlb_mm_range+0xa0/0x120 - do_filp_open+0x8c/0xf0 - ? __seccomp_filter+0x28/0x230 - ? _raw_spin_unlock+0xa/0x20 - ? __handle_mm_fault+0x7d6/0x9b0 - ? list_lru_add+0xa8/0xc0 - ? _raw_spin_unlock+0xa/0x20 - ? __alloc_fd+0xaf/0x160 - ? do_sys_open+0x1a6/0x230 - do_sys_open+0x1a6/0x230 - do_syscall_64+0x5a/0x100 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 - -Reviewed-by: Lee Duncan -Reviewed-by: Jan Kara -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/sr.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - ---- a/drivers/scsi/sr.c -+++ b/drivers/scsi/sr.c -@@ -582,18 +582,28 @@ out: - static unsigned int sr_block_check_events(struct gendisk *disk, - unsigned int clearing) - { -- struct scsi_cd *cd = scsi_cd(disk); -+ unsigned int ret = 0; -+ struct scsi_cd *cd; - -- if (atomic_read(&cd->device->disk_events_disable_depth)) -+ cd = scsi_cd_get(disk); -+ if (!cd) - return 0; - -- return cdrom_check_events(&cd->cdi, clearing); -+ if (!atomic_read(&cd->device->disk_events_disable_depth)) -+ ret = cdrom_check_events(&cd->cdi, clearing); -+ -+ scsi_cd_put(cd); -+ return ret; - } - - static int sr_block_revalidate_disk(struct gendisk *disk) - { -- struct scsi_cd *cd = scsi_cd(disk); - struct scsi_sense_hdr sshdr; -+ struct scsi_cd *cd; -+ -+ cd = scsi_cd_get(disk); -+ if (!cd) -+ return -ENXIO; - - /* if the unit is not ready, nothing more to do */ - if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) -@@ -602,6 +612,7 @@ static int sr_block_revalidate_disk(stru - sr_cd_check(&cd->cdi); - get_sectorsize(cd); - out: -+ scsi_cd_put(cd); - return 0; - } - diff --git a/queue-4.4/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch b/queue-4.4/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch deleted file mode 100644 index 155d2d94e3e..00000000000 --- a/queue-4.4/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Colin Ian King -Date: Wed, 28 Feb 2018 11:28:49 +0000 -Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr - -From: Colin Ian King - -[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ] - -Currently the allocation of priv->oldaddr is not null checked which will -lead to subsequent errors when accessing priv->oldaddr. Fix this with -a null pointer check and a return of -ENOMEM on allocation failure. - -Detected with Coccinelle: -drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test, -possible model on line 1723 - -Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") -Signed-off-by: Colin Ian King -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/rtl8192u/r8192U_core.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/staging/rtl8192u/r8192U_core.c -+++ b/drivers/staging/rtl8192u/r8192U_core.c -@@ -1749,6 +1749,8 @@ static short rtl8192_usb_initendpoints(s - - priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL); - priv->oldaddr = kmalloc(16, GFP_KERNEL); -+ if (!priv->oldaddr) -+ return -ENOMEM; - oldaddr = priv->oldaddr; - align = ((long)oldaddr) & 3; - if (align) { diff --git a/queue-4.4/sunvnet-does-not-support-gso-for-sctp.patch b/queue-4.4/sunvnet-does-not-support-gso-for-sctp.patch deleted file mode 100644 index 88b3ba13dc5..00000000000 --- a/queue-4.4/sunvnet-does-not-support-gso-for-sctp.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Cathy Zhou -Date: Wed, 14 Mar 2018 10:56:07 -0700 -Subject: sunvnet: does not support GSO for sctp - -From: Cathy Zhou - -[ Upstream commit cf55612a945039476abfd73e39064b2e721c3272 ] - -The NETIF_F_GSO_SOFTWARE implies support for GSO on SCTP, but the -sunvnet driver does not support GSO for sctp. Here we remove the -NETIF_F_GSO_SOFTWARE feature flag and only report NETIF_F_ALL_TSO -instead. - -Signed-off-by: Cathy Zhou -Signed-off-by: Shannon Nelson -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/sun/sunvnet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/sun/sunvnet.c -+++ b/drivers/net/ethernet/sun/sunvnet.c -@@ -1787,7 +1787,7 @@ static struct vnet *vnet_new(const u64 * - dev->ethtool_ops = &vnet_ethtool_ops; - dev->watchdog_timeo = VNET_TX_TIMEOUT; - -- dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE | -+ dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO | - NETIF_F_HW_CSUM | NETIF_F_SG; - dev->features = dev->hw_features; - diff --git a/queue-4.4/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch b/queue-4.4/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch deleted file mode 100644 index 990168c61eb..00000000000 --- a/queue-4.4/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch +++ /dev/null @@ -1,54 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Tom Abraham -Date: Tue, 10 Apr 2018 16:29:48 -0700 -Subject: swap: divide-by-zero when zero length swap file on ssd - -From: Tom Abraham - -[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ] - -Calling swapon() on a zero length swap file on SSD can lead to a -divide-by-zero. - -Although creating such files isn't possible with mkswap and they woud be -considered invalid, it would be better for the swapon code to be more -robust and handle this condition gracefully (return -EINVAL). -Especially since the fix is small and straightforward. - -To help with wear leveling on SSD, the swapon syscall calculates a -random position in the swap file using modulo p->highest_bit, which is -set to maxpages - 1 in read_swap_header. - -If the swap file is zero length, read_swap_header sets maxpages=1 and -last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we -modulo p->highest_bit in swapon syscall. - -This can be prevented by having read_swap_header return zero if -last_page is zero. - -Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com -Signed-off-by: Thomas Abraham -Reported-by: -Reviewed-by: Andrew Morton -Cc: Randy Dunlap -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - mm/swapfile.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/mm/swapfile.c -+++ b/mm/swapfile.c -@@ -2258,6 +2258,10 @@ static unsigned long read_swap_header(st - maxpages = swp_offset(pte_to_swp_entry( - swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; - last_page = swap_header->info.last_page; -+ if (!last_page) { -+ pr_warn("Empty swap-file\n"); -+ return 0; -+ } - if (last_page > maxpages) { - pr_warn("Truncating oversized swap area, only using %luk out of %luk\n", - maxpages << (PAGE_SHIFT - 10), diff --git a/queue-4.4/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch b/queue-4.4/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch deleted file mode 100644 index eb65aae338a..00000000000 --- a/queue-4.4/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch +++ /dev/null @@ -1,55 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Steven Rostedt (VMware)" -Date: Thu, 11 Jan 2018 19:47:51 -0500 -Subject: tools lib traceevent: Fix get_field_str() for dynamic strings - -From: "Steven Rostedt (VMware)" - -[ Upstream commit d777f8de99b05d399c0e4e51cdce016f26bd971b ] - -If a field is a dynamic string, get_field_str() returned just the -offset/size value and not the string. Have it parse the offset/size -correctly to return the actual string. Otherwise filtering fails when -trying to filter fields that are dynamic strings. - -Reported-by: Gopanapalli Pradeep -Signed-off-by: Steven Rostedt -Acked-by: Namhyung Kim -Cc: Andrew Morton -Link: http://lkml.kernel.org/r/20180112004823.146333275@goodmis.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/lib/traceevent/parse-filter.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - ---- a/tools/lib/traceevent/parse-filter.c -+++ b/tools/lib/traceevent/parse-filter.c -@@ -1867,17 +1867,25 @@ static const char *get_field_str(struct - struct pevent *pevent; - unsigned long long addr; - const char *val = NULL; -+ unsigned int size; - char hex[64]; - - /* If the field is not a string convert it */ - if (arg->str.field->flags & FIELD_IS_STRING) { - val = record->data + arg->str.field->offset; -+ size = arg->str.field->size; -+ -+ if (arg->str.field->flags & FIELD_IS_DYNAMIC) { -+ addr = *(unsigned int *)val; -+ val = record->data + (addr & 0xffff); -+ size = addr >> 16; -+ } - - /* - * We need to copy the data since we can't be sure the field - * is null terminated. - */ -- if (*(val + arg->str.field->size - 1)) { -+ if (*(val + size - 1)) { - /* copy it */ - memcpy(arg->str.buffer, val, arg->str.field->size); - /* the buffer is already NULL terminated */ diff --git a/queue-4.4/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch b/queue-4.4/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch deleted file mode 100644 index 8660798434a..00000000000 --- a/queue-4.4/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch +++ /dev/null @@ -1,60 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: "Steven Rostedt (VMware)" -Date: Thu, 11 Jan 2018 19:47:45 -0500 -Subject: tools lib traceevent: Simplify pointer print logic and fix %pF - -From: "Steven Rostedt (VMware)" - -[ Upstream commit 38d70b7ca1769f26c0b79f3c08ff2cc949712b59 ] - -When processing %pX in pretty_print(), simplify the logic slightly by -incrementing the ptr to the format string if isalnum(ptr[1]) is true. -This follows the logic a bit more closely to what is in the kernel. - -Also, this fixes a small bug where %pF was not giving the offset of the -function. - -Signed-off-by: Steven Rostedt -Acked-by: Namhyung Kim -Cc: Andrew Morton -Link: http://lkml.kernel.org/r/20180112004822.260262257@goodmis.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/lib/traceevent/event-parse.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - ---- a/tools/lib/traceevent/event-parse.c -+++ b/tools/lib/traceevent/event-parse.c -@@ -4905,21 +4905,22 @@ static void pretty_print(struct trace_se - else - ls = 2; - -- if (*(ptr+1) == 'F' || *(ptr+1) == 'f' || -- *(ptr+1) == 'S' || *(ptr+1) == 's') { -+ if (isalnum(ptr[1])) - ptr++; -+ -+ if (*ptr == 'F' || *ptr == 'f' || -+ *ptr == 'S' || *ptr == 's') { - show_func = *ptr; -- } else if (*(ptr+1) == 'M' || *(ptr+1) == 'm') { -- print_mac_arg(s, *(ptr+1), data, size, event, arg); -- ptr++; -+ } else if (*ptr == 'M' || *ptr == 'm') { -+ print_mac_arg(s, *ptr, data, size, event, arg); - arg = arg->next; - break; -- } else if (*(ptr+1) == 'I' || *(ptr+1) == 'i') { -+ } else if (*ptr == 'I' || *ptr == 'i') { - int n; - -- n = print_ip_arg(s, ptr+1, data, size, event, arg); -+ n = print_ip_arg(s, ptr, data, size, event, arg); - if (n > 0) { -- ptr += n; -+ ptr += n - 1; - arg = arg->next; - break; - } diff --git a/queue-4.4/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch b/queue-4.4/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch deleted file mode 100644 index 992528af890..00000000000 --- a/queue-4.4/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch +++ /dev/null @@ -1,88 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jesper Dangaard Brouer -Date: Thu, 8 Feb 2018 12:48:32 +0100 -Subject: tools/libbpf: handle issues with bpf ELF objects containing .eh_frames - -From: Jesper Dangaard Brouer - -[ Upstream commit e3d91b0ca523d53158f435a3e13df7f0cb360ea2 ] - -V3: More generic skipping of relo-section (suggested by Daniel) - -If clang >= 4.0.1 is missing the option '-target bpf', it will cause -llc/llvm to create two ELF sections for "Exception Frames", with -section names '.eh_frame' and '.rel.eh_frame'. - -The BPF ELF loader library libbpf fails when loading files with these -sections. The other in-kernel BPF ELF loader in samples/bpf/bpf_load.c, -handle this gracefully. And iproute2 loader also seems to work with these -"eh" sections. - -The issue in libbpf is caused by bpf_object__elf_collect() skipping -some sections, and later when performing relocation it will be -pointing to a skipped section, as these sections cannot be found by -bpf_object__find_prog_by_idx() in bpf_object__collect_reloc(). - -This is a general issue that also occurs for other sections, like -debug sections which are also skipped and can have relo section. - -As suggested by Daniel. To avoid keeping state about all skipped -sections, instead perform a direct qlookup in the ELF object. Lookup -the section that the relo-section points to and check if it contains -executable machine instructions (denoted by the sh_flags -SHF_EXECINSTR). Use this check to also skip irrelevant relo-sections. - -Note, for samples/bpf/ the '-target bpf' parameter to clang cannot be used -due to incompatibility with asm embedded headers, that some of the samples -include. This is explained in more details by Yonghong Song in bpf_devel_QA. - -Signed-off-by: Jesper Dangaard Brouer -Signed-off-by: Daniel Borkmann -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/lib/bpf/libbpf.c | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - ---- a/tools/lib/bpf/libbpf.c -+++ b/tools/lib/bpf/libbpf.c -@@ -487,6 +487,24 @@ bpf_object__init_maps(struct bpf_object - return 0; - } - -+static bool section_have_execinstr(struct bpf_object *obj, int idx) -+{ -+ Elf_Scn *scn; -+ GElf_Shdr sh; -+ -+ scn = elf_getscn(obj->efile.elf, idx); -+ if (!scn) -+ return false; -+ -+ if (gelf_getshdr(scn, &sh) != &sh) -+ return false; -+ -+ if (sh.sh_flags & SHF_EXECINSTR) -+ return true; -+ -+ return false; -+} -+ - static int bpf_object__elf_collect(struct bpf_object *obj) - { - Elf *elf = obj->efile.elf; -@@ -567,6 +585,14 @@ static int bpf_object__elf_collect(struc - } else if (sh.sh_type == SHT_REL) { - void *reloc = obj->efile.reloc; - int nr_reloc = obj->efile.nr_reloc + 1; -+ int sec = sh.sh_info; /* points to other section */ -+ -+ /* Only do relo for section with exec instructions */ -+ if (!section_have_execinstr(obj, sec)) { -+ pr_debug("skip relo %s(%d) for section(%d)\n", -+ name, idx, sec); -+ continue; -+ } - - reloc = realloc(reloc, - sizeof(*obj->efile.reloc) * nr_reloc); diff --git a/queue-4.4/tools-thermal-tmon-fix-for-segfault.patch b/queue-4.4/tools-thermal-tmon-fix-for-segfault.patch deleted file mode 100644 index eef21638597..00000000000 --- a/queue-4.4/tools-thermal-tmon-fix-for-segfault.patch +++ /dev/null @@ -1,81 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Frank Asseg -Date: Mon, 12 Mar 2018 19:57:06 +0100 -Subject: tools/thermal: tmon: fix for segfault - -From: Frank Asseg - -[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ] - -Fixes a segfault occurring when e.g. is pressed multiple times in the -ncurses tmon application. The segfault is caused by incrementing -cur_thermal_record in the main function without checking if it's value reached -NR_THERMAL_RECORD immediately. Since the boundary check only occurred in -update_thermal_data a race condition existed, which lead to an attempted read -beyond the last element of the trec array. - -The fix was implemented by moving the cur_thermal_record incrementation to the -update_thermal_data function using a temporary variable on which the boundary -condition is checked before updating cur_thread_record, so that the variable is -never incremented beyond the trec array's boundary. - -It seems the segfault does not occur on every machine: On a HP EliteBook G4 the -segfault happens, while it does not happen on a Thinkpad T540p. - -Signed-off-by: Frank Asseg -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - tools/thermal/tmon/sysfs.c | 12 +++++++----- - tools/thermal/tmon/tmon.c | 1 - - 2 files changed, 7 insertions(+), 6 deletions(-) - ---- a/tools/thermal/tmon/sysfs.c -+++ b/tools/thermal/tmon/sysfs.c -@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst - int update_thermal_data() - { - int i; -+ int next_thermal_record = cur_thermal_record + 1; - char tz_name[256]; - static unsigned long samples; - -@@ -495,9 +496,9 @@ int update_thermal_data() - } - - /* circular buffer for keeping historic data */ -- if (cur_thermal_record >= NR_THERMAL_RECORDS) -- cur_thermal_record = 0; -- gettimeofday(&trec[cur_thermal_record].tv, NULL); -+ if (next_thermal_record >= NR_THERMAL_RECORDS) -+ next_thermal_record = 0; -+ gettimeofday(&trec[next_thermal_record].tv, NULL); - if (tmon_log) { - fprintf(tmon_log, "%lu ", ++samples); - fprintf(tmon_log, "%3.1f ", p_param.t_target); -@@ -507,11 +508,12 @@ int update_thermal_data() - snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, - ptdata.tzi[i].instance); - sysfs_get_ulong(tz_name, "temp", -- &trec[cur_thermal_record].temp[i]); -+ &trec[next_thermal_record].temp[i]); - if (tmon_log) - fprintf(tmon_log, "%lu ", -- trec[cur_thermal_record].temp[i]/1000); -+ trec[next_thermal_record].temp[i] / 1000); - } -+ cur_thermal_record = next_thermal_record; - for (i = 0; i < ptdata.nr_cooling_dev; i++) { - char cdev_name[256]; - unsigned long val; ---- a/tools/thermal/tmon/tmon.c -+++ b/tools/thermal/tmon/tmon.c -@@ -336,7 +336,6 @@ int main(int argc, char **argv) - show_data_w(); - show_cooling_device(); - } -- cur_thermal_record++; - time_elapsed += ticktime; - controller_handler(trec[0].temp[target_tz_index] / 1000, - &yk); diff --git a/queue-4.4/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch b/queue-4.4/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch deleted file mode 100644 index cbffc5d9217..00000000000 --- a/queue-4.4/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch +++ /dev/null @@ -1,68 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Anna-Maria Gleixner -Date: Thu, 21 Dec 2017 11:41:37 +0100 -Subject: tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account - -From: Anna-Maria Gleixner - -[ Upstream commit 91633eed73a3ac37aaece5c8c1f93a18bae616a9 ] - -So far only CLOCK_MONOTONIC and CLOCK_REALTIME were taken into account as -well as HRTIMER_MODE_ABS/REL in the hrtimer_init tracepoint. The query for -detecting the ABS or REL timer modes is not valid anymore, it got broken -by the introduction of HRTIMER_MODE_PINNED. - -HRTIMER_MODE_PINNED is not evaluated in the hrtimer_init() call, but for the -sake of completeness print all given modes. - -Signed-off-by: Anna-Maria Gleixner -Cc: Christoph Hellwig -Cc: John Stultz -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: keescook@chromium.org -Link: http://lkml.kernel.org/r/20171221104205.7269-9-anna-maria@linutronix.de -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - include/trace/events/timer.h | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - ---- a/include/trace/events/timer.h -+++ b/include/trace/events/timer.h -@@ -125,6 +125,20 @@ DEFINE_EVENT(timer_class, timer_cancel, - TP_ARGS(timer) - ); - -+#define decode_clockid(type) \ -+ __print_symbolic(type, \ -+ { CLOCK_REALTIME, "CLOCK_REALTIME" }, \ -+ { CLOCK_MONOTONIC, "CLOCK_MONOTONIC" }, \ -+ { CLOCK_BOOTTIME, "CLOCK_BOOTTIME" }, \ -+ { CLOCK_TAI, "CLOCK_TAI" }) -+ -+#define decode_hrtimer_mode(mode) \ -+ __print_symbolic(mode, \ -+ { HRTIMER_MODE_ABS, "ABS" }, \ -+ { HRTIMER_MODE_REL, "REL" }, \ -+ { HRTIMER_MODE_ABS_PINNED, "ABS|PINNED" }, \ -+ { HRTIMER_MODE_REL_PINNED, "REL|PINNED" }) -+ - /** - * hrtimer_init - called when the hrtimer is initialized - * @hrtimer: pointer to struct hrtimer -@@ -151,10 +165,8 @@ TRACE_EVENT(hrtimer_init, - ), - - TP_printk("hrtimer=%p clockid=%s mode=%s", __entry->hrtimer, -- __entry->clockid == CLOCK_REALTIME ? -- "CLOCK_REALTIME" : "CLOCK_MONOTONIC", -- __entry->mode == HRTIMER_MODE_ABS ? -- "HRTIMER_MODE_ABS" : "HRTIMER_MODE_REL") -+ decode_clockid(__entry->clockid), -+ decode_hrtimer_mode(__entry->mode)) - ); - - /** diff --git a/queue-4.4/tracing-uprobe_event-fix-strncpy-corner-case.patch b/queue-4.4/tracing-uprobe_event-fix-strncpy-corner-case.patch deleted file mode 100644 index 1cfd6ad1a33..00000000000 --- a/queue-4.4/tracing-uprobe_event-fix-strncpy-corner-case.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Masami Hiramatsu -Date: Tue, 10 Apr 2018 21:20:08 +0900 -Subject: tracing/uprobe_event: Fix strncpy corner case - -From: Masami Hiramatsu - -[ Upstream commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 ] - -Fix string fetch function to terminate with NUL. -It is OK to drop the rest of string. - -Signed-off-by: Masami Hiramatsu -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Song Liu -Cc: Thomas Gleixner -Cc: security@kernel.org -Cc: 范龙飞 -Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_uprobe.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/kernel/trace/trace_uprobe.c -+++ b/kernel/trace/trace_uprobe.c -@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, stri - return; - - ret = strncpy_from_user(dst, src, maxlen); -+ if (ret == maxlen) -+ dst[--ret] = '\0'; - - if (ret < 0) { /* Failed to fetch string */ - ((u8 *)get_rloc_data(dest))[0] = '\0'; diff --git a/queue-4.4/udf-provide-saner-default-for-invalid-uid-gid.patch b/queue-4.4/udf-provide-saner-default-for-invalid-uid-gid.patch deleted file mode 100644 index 8edb5dd6f72..00000000000 --- a/queue-4.4/udf-provide-saner-default-for-invalid-uid-gid.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jan Kara -Date: Thu, 22 Feb 2018 10:39:52 +0100 -Subject: udf: Provide saner default for invalid uid / gid - -From: Jan Kara - -[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ] - -Currently when UDF filesystem is recorded without uid / gid (ids are set -to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid= -and gid= mount options. In such case filesystem could not be modified in -any way as VFS refuses to modify files with invalid ids (even by root). -This is confusing to users and not very useful default since such media -mode is generally used for removable media. Use overflow[ug]id instead -so that at least root can modify the filesystem. - -Reported-by: Steve Kenton -Reviewed-by: Pali Rohár -Signed-off-by: Jan Kara -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/udf/super.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/fs/udf/super.c -+++ b/fs/udf/super.c -@@ -2073,8 +2073,9 @@ static int udf_fill_super(struct super_b - bool lvid_open = false; - - uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT); -- uopt.uid = INVALID_UID; -- uopt.gid = INVALID_GID; -+ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */ -+ uopt.uid = make_kuid(current_user_ns(), overflowuid); -+ uopt.gid = make_kgid(current_user_ns(), overflowgid); - uopt.umask = 0; - uopt.fmode = UDF_INVALID_MODE; - uopt.dmode = UDF_INVALID_MODE; diff --git a/queue-4.4/usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch b/queue-4.4/usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch deleted file mode 100644 index 4c957d834cb..00000000000 --- a/queue-4.4/usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch +++ /dev/null @@ -1,55 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Vardan Mikayelyan -Date: Tue, 16 Jan 2018 16:04:24 +0400 -Subject: usb: dwc2: Fix dwc2_hsotg_core_init_disconnected() - -From: Vardan Mikayelyan - -[ Upstream commit 755d739534f998d92e348fba8ffb0478416576e7 ] - -We should call dwc2_hsotg_enqueue_setup() after properly -setting lx_state. Because it may cause error-out from -dwc2_hsotg_enqueue_setup() due to wrong value in lx_state. - -Issue can be reproduced by loading driver while connected -A-Connector (start in A-HOST mode) then disconnect A-Connector -to switch to B-DEVICE. - -Acked-by: John Youn -Signed-off-by: Vardan Mikayelyan -Signed-off-by: Grigor Tovmasyan -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/dwc2/gadget.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/drivers/usb/dwc2/gadget.c -+++ b/drivers/usb/dwc2/gadget.c -@@ -2424,12 +2424,6 @@ void dwc2_hsotg_core_init_disconnected(s - dwc2_writel(dwc2_hsotg_ep0_mps(hsotg->eps_out[0]->ep.maxpacket) | - DXEPCTL_USBACTEP, hsotg->regs + DIEPCTL0); - -- dwc2_hsotg_enqueue_setup(hsotg); -- -- dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n", -- dwc2_readl(hsotg->regs + DIEPCTL0), -- dwc2_readl(hsotg->regs + DOEPCTL0)); -- - /* clear global NAKs */ - val = DCTL_CGOUTNAK | DCTL_CGNPINNAK; - if (!is_usb_reset) -@@ -2440,6 +2434,12 @@ void dwc2_hsotg_core_init_disconnected(s - mdelay(3); - - hsotg->lx_state = DWC2_L0; -+ -+ dwc2_hsotg_enqueue_setup(hsotg); -+ -+ dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n", -+ dwc2_readl(hsotg->regs + DIEPCTL0), -+ dwc2_readl(hsotg->regs + DOEPCTL0)); - } - - static void dwc2_hsotg_core_disconnect(struct dwc2_hsotg *hsotg) diff --git a/queue-4.4/usb-dwc2-fix-interval-type-issue.patch b/queue-4.4/usb-dwc2-fix-interval-type-issue.patch deleted file mode 100644 index 10a2eaadf39..00000000000 --- a/queue-4.4/usb-dwc2-fix-interval-type-issue.patch +++ /dev/null @@ -1,31 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Grigor Tovmasyan -Date: Tue, 6 Feb 2018 19:07:38 +0400 -Subject: usb: dwc2: Fix interval type issue - -From: Grigor Tovmasyan - -[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ] - -The maximum value that unsigned char can hold is 255, meanwhile -the maximum value of interval is 2^(bIntervalMax-1)=2^15. - -Signed-off-by: Grigor Tovmasyan -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/dwc2/core.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/dwc2/core.h -+++ b/drivers/usb/dwc2/core.h -@@ -187,7 +187,7 @@ struct dwc2_hsotg_ep { - unsigned char dir_in; - unsigned char index; - unsigned char mc; -- unsigned char interval; -+ u16 interval; - - unsigned int halted:1; - unsigned int periodic:1; diff --git a/queue-4.4/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch b/queue-4.4/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch deleted file mode 100644 index eac68730f7b..00000000000 --- a/queue-4.4/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch +++ /dev/null @@ -1,40 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Thinh Nguyen -Date: Fri, 16 Mar 2018 15:33:54 -0700 -Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields - -From: Thinh Nguyen - -[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ] - -Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP -is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM. - -The GTXFIFOSIZ register for DWC_usb31 is as follows: - +-------+-----------+----------------------------------+ - | BITS | Name | Description | - +=======+===========+==================================+ - | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address | - | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO | - | 14:0 | TXFDEP | TXFIFO Depth | - +-------+-----------+----------------------------------+ - -Signed-off-by: Thinh Nguyen -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/dwc3/core.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/usb/dwc3/core.h -+++ b/drivers/usb/dwc3/core.h -@@ -202,6 +202,8 @@ - #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1) - - /* Global TX Fifo Size Register */ -+#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */ -+#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */ - #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff) - #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000) - diff --git a/queue-4.4/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch b/queue-4.4/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch deleted file mode 100644 index 4f0169e3c45..00000000000 --- a/queue-4.4/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch +++ /dev/null @@ -1,158 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Chris Dickens -Date: Sun, 31 Dec 2017 18:59:42 -0800 -Subject: usb: gadget: composite: fix incorrect handling of OS desc requests - -From: Chris Dickens - -[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ] - -When handling an OS descriptor request, one of the first operations is -to zero out the request buffer using the wLength from the setup packet. -There is no bounds checking, so a wLength > 4096 would clobber memory -adjacent to the request buffer. Fix this by taking the min of wLength -and the request buffer length prior to the memset. While at it, define -the buffer length in a header file so that magic numbers don't appear -throughout the code. - -When returning data to the host, the data length should be the min of -the wLength and the valid data we have to return. Currently we are -returning wLength, thus requests for a wLength greater than the amount -of data in the OS descriptor buffer would return invalid (albeit zero'd) -data following the valid descriptor data. Fix this by counting the -number of bytes when constructing the data and using this when -determining the length of the request. - -Signed-off-by: Chris Dickens -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/composite.c | 40 +++++++++++++++++++--------------------- - include/linux/usb/composite.h | 3 +++ - 2 files changed, 22 insertions(+), 21 deletions(-) - ---- a/drivers/usb/gadget/composite.c -+++ b/drivers/usb/gadget/composite.c -@@ -1328,7 +1328,7 @@ static int count_ext_compat(struct usb_c - return res; - } - --static void fill_ext_compat(struct usb_configuration *c, u8 *buf) -+static int fill_ext_compat(struct usb_configuration *c, u8 *buf) - { - int i, count; - -@@ -1355,10 +1355,12 @@ static void fill_ext_compat(struct usb_c - buf += 23; - } - count += 24; -- if (count >= 4096) -- return; -+ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ) -+ return count; - } - } -+ -+ return count; - } - - static int count_ext_prop(struct usb_configuration *c, int interface) -@@ -1403,25 +1405,20 @@ static int fill_ext_prop(struct usb_conf - struct usb_os_desc *d; - struct usb_os_desc_ext_prop *ext_prop; - int j, count, n, ret; -- u8 *start = buf; - - f = c->interface[interface]; -+ count = 10; /* header length */ - for (j = 0; j < f->os_desc_n; ++j) { - if (interface != f->os_desc_table[j].if_id) - continue; - d = f->os_desc_table[j].os_desc; - if (d) - list_for_each_entry(ext_prop, &d->ext_prop, entry) { -- /* 4kB minus header length */ -- n = buf - start; -- if (n >= 4086) -- return 0; -- -- count = ext_prop->data_len + -+ n = ext_prop->data_len + - ext_prop->name_len + 14; -- if (count > 4086 - n) -- return -EINVAL; -- usb_ext_prop_put_size(buf, count); -+ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ) -+ return count; -+ usb_ext_prop_put_size(buf, n); - usb_ext_prop_put_type(buf, ext_prop->type); - ret = usb_ext_prop_put_name(buf, ext_prop->name, - ext_prop->name_len); -@@ -1447,11 +1444,12 @@ static int fill_ext_prop(struct usb_conf - default: - return -EINVAL; - } -- buf += count; -+ buf += n; -+ count += n; - } - } - -- return 0; -+ return count; - } - - /* -@@ -1720,6 +1718,7 @@ unknown: - req->complete = composite_setup_complete; - buf = req->buf; - os_desc_cfg = cdev->os_desc_config; -+ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ); - memset(buf, 0, w_length); - buf[5] = 0x01; - switch (ctrl->bRequestType & USB_RECIP_MASK) { -@@ -1743,8 +1742,8 @@ unknown: - count += 16; /* header */ - put_unaligned_le32(count, buf); - buf += 16; -- fill_ext_compat(os_desc_cfg, buf); -- value = w_length; -+ value = fill_ext_compat(os_desc_cfg, buf); -+ value = min_t(u16, w_length, value); - } - break; - case USB_RECIP_INTERFACE: -@@ -1773,8 +1772,7 @@ unknown: - interface, buf); - if (value < 0) - return value; -- -- value = w_length; -+ value = min_t(u16, w_length, value); - } - break; - } -@@ -2038,8 +2036,8 @@ int composite_os_desc_req_prepare(struct - goto end; - } - -- /* OS feature descriptor length <= 4kB */ -- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL); -+ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ, -+ GFP_KERNEL); - if (!cdev->os_desc_req->buf) { - ret = PTR_ERR(cdev->os_desc_req->buf); - kfree(cdev->os_desc_req); ---- a/include/linux/usb/composite.h -+++ b/include/linux/usb/composite.h -@@ -53,6 +53,9 @@ - /* big enough to hold our biggest descriptor */ - #define USB_COMP_EP0_BUFSIZ 1024 - -+/* OS feature descriptor length <= 4kB */ -+#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096 -+ - #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) - struct usb_configuration; - diff --git a/queue-4.4/usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch b/queue-4.4/usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch deleted file mode 100644 index 29b6f18aa68..00000000000 --- a/queue-4.4/usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch +++ /dev/null @@ -1,34 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: John Keeping -Date: Fri, 12 Jan 2018 18:43:32 +0000 -Subject: usb: gadget: f_uac2: fix bFirstInterface in composite gadget - -From: John Keeping - -[ Upstream commit 8813a59ed892305b5ac1b5b901740b1ad4b5fefa ] - -If there are multiple functions associated with a configuration, then -the UAC2 interfaces may not start at zero. Set the correct first -interface number in the association descriptor so that the audio -interfaces are enumerated correctly in this case. - -Reviewed-by: Krzysztof Opasiak -Signed-off-by: John Keeping -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/function/f_uac2.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/usb/gadget/function/f_uac2.c -+++ b/drivers/usb/gadget/function/f_uac2.c -@@ -1052,6 +1052,8 @@ afunc_bind(struct usb_configuration *cfg - dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); - return ret; - } -+ iad_desc.bFirstInterface = ret; -+ - std_ac_if_desc.bInterfaceNumber = ret; - agdev->ac_intf = ret; - agdev->ac_alt = 0; diff --git a/queue-4.4/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch b/queue-4.4/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch deleted file mode 100644 index cd86147e634..00000000000 --- a/queue-4.4/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch +++ /dev/null @@ -1,70 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Lars-Peter Clausen -Date: Fri, 12 Jan 2018 11:05:02 +0100 -Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set - -From: Lars-Peter Clausen - -[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ] - -When using a AIO read() operation on the function FS gadget driver a URB is -submitted asynchronously and on URB completion the received data is copied -to the userspace buffer associated with the read operation. - -This is done from a kernel worker thread invoking copy_to_user() (through -copy_to_iter()). And while the user space process memory is made available -to the kernel thread using use_mm(), some architecture require in addition -to this that the operation runs with USER_DS set. Otherwise the userspace -memory access will fail. - -For example on ARM64 with Privileged Access Never (PAN) and User Access -Override (UAO) enabled the following crash occurs. - - Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP - Modules linked in: - CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487 - Hardware name: ZynqMP ZCU102 Rev1.0 (DT) - Workqueue: events ffs_user_copy_worker - task: ffffffc87afc8080 task.stack: ffffffc87a00c000 - PC is at __arch_copy_to_user+0x190/0x220 - LR is at copy_to_iter+0x78/0x3c8 - [...] - [] __arch_copy_to_user+0x190/0x220 - [] ffs_user_copy_worker+0x70/0x130 - [] process_one_work+0x1dc/0x460 - [] worker_thread+0x50/0x4b0 - [] kthread+0xd8/0xf0 - [] ret_from_fork+0x10/0x50 - -Address this by placing a set_fs(USER_DS) before of the copy operation -and revert it again once the copy operation has finished. - -This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in -vhost_worker thread") which addresses the same underlying issue. - -Signed-off-by: Lars-Peter Clausen -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/function/f_fs.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -649,11 +649,15 @@ static void ffs_user_copy_worker(struct - bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; - - if (io_data->read && ret > 0) { -+ mm_segment_t oldfs = get_fs(); -+ -+ set_fs(USER_DS); - use_mm(io_data->mm); - ret = copy_to_iter(io_data->buf, ret, &io_data->data); - if (ret != io_data->req->actual && iov_iter_count(&io_data->data)) - ret = -EFAULT; - unuse_mm(io_data->mm); -+ set_fs(oldfs); - } - - io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); diff --git a/queue-4.4/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch b/queue-4.4/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch deleted file mode 100644 index 0e22e8a09db..00000000000 --- a/queue-4.4/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch +++ /dev/null @@ -1,53 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Lars-Peter Clausen -Date: Fri, 12 Jan 2018 11:26:16 +0100 -Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS - -From: Lars-Peter Clausen - -[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ] - -Some UDC drivers (like the DWC3) expect that the response to a setup() -request is queued from within the setup function itself so that it is -available as soon as setup() has completed. - -Upon receiving a setup request the function fs driver creates an event that -is made available to userspace. And only once userspace has acknowledged -that event the response to the setup request is queued. - -So it violates the requirement of those UDC drivers and random failures can -be observed. This is basically a race condition and if userspace is able to -read the event and queue the response fast enough all is good. But if it is -not, for example because other processes are currently scheduled to run, -the USB host that sent the setup request will observe an error. - -To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS -return code. If a setup() callback returns this value the UDC driver is -aware that response is not yet available and can uses the appropriate -methods to handle this case. - -Since in the case of function fs the response will never be available when -the setup() function returns make sure that this status code is used. - -This fixed random occasional failures that were previously observed on a -DWC3 based system under high system load. - -Signed-off-by: Lars-Peter Clausen -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/function/f_fs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -3033,7 +3033,7 @@ static int ffs_func_setup(struct usb_fun - __ffs_event_add(ffs, FUNCTIONFS_SETUP); - spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); - -- return 0; -+ return USB_GADGET_DELAYED_STATUS; - } - - static void ffs_func_suspend(struct usb_function *f) diff --git a/queue-4.4/usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch b/queue-4.4/usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch deleted file mode 100644 index 89f6ba5e613..00000000000 --- a/queue-4.4/usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch +++ /dev/null @@ -1,47 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Stefan Agner -Date: Mon, 12 Feb 2018 00:14:42 +0100 -Subject: usb: gadget: fsl_udc_core: fix ep valid checks - -From: Stefan Agner - -[ Upstream commit 20c63f4089cceab803438c383631963e34c4d8e5 ] - -Clang reports the following warning: - drivers/usb/gadget/udc/fsl_udc_core.c:1312:10: warning: address of array - 'ep->name' will always evaluate to 'true' [-Wpointer-bool-conversion] - if (ep->name) - ~~ ~~~~^~~~ - -It seems that the authors intention was to check if the ep has been -configured through struct_ep_setup. Check whether struct usb_ep name -pointer has been set instead. - -Signed-off-by: Stefan Agner -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/fsl_udc_core.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/usb/gadget/udc/fsl_udc_core.c -+++ b/drivers/usb/gadget/udc/fsl_udc_core.c -@@ -1310,7 +1310,7 @@ static void udc_reset_ep_queue(struct fs - { - struct fsl_ep *ep = get_ep_by_pipe(udc, pipe); - -- if (ep->name) -+ if (ep->ep.name) - nuke(ep, -ESHUTDOWN); - } - -@@ -1698,7 +1698,7 @@ static void dtd_complete_irq(struct fsl_ - curr_ep = get_ep_by_pipe(udc, i); - - /* If the ep is configured */ -- if (curr_ep->name == NULL) { -+ if (!curr_ep->ep.name) { - WARNING("Invalid EP?"); - continue; - } diff --git a/queue-4.4/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.4/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch deleted file mode 100644 index e59ecd452a0..00000000000 --- a/queue-4.4/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Wolfram Sang -Date: Tue, 6 Feb 2018 09:50:40 +0100 -Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask - -From: Wolfram Sang - -[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ] - -Due to a typo, the mask was destroyed by a comparison instead of a bit -shift. - -Reported-by: Geert Uytterhoeven -Signed-off-by: Wolfram Sang -Signed-off-by: Felipe Balbi -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/goku_udc.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/gadget/udc/goku_udc.h -+++ b/drivers/usb/gadget/udc/goku_udc.h -@@ -28,7 +28,7 @@ struct goku_udc_regs { - # define INT_EP1DATASET 0x00040 - # define INT_EP2DATASET 0x00080 - # define INT_EP3DATASET 0x00100 --#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */ -+#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */ - # define INT_EP1NAK 0x00200 - # define INT_EP2NAK 0x00400 - # define INT_EP3NAK 0x00800 diff --git a/queue-4.4/usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch b/queue-4.4/usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch deleted file mode 100644 index 54c6f720a56..00000000000 --- a/queue-4.4/usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch +++ /dev/null @@ -1,55 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Merlijn Wajer -Date: Mon, 5 Mar 2018 11:35:10 -0600 -Subject: usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers - -From: Merlijn Wajer - -[ Upstream commit df6b074dbe248d8c43a82131e8fd429e401841a5 ] - -Without pm_runtime_{get,put}_sync calls in place, reading -vbus status via /sys causes the following error: - -Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa0ab060 -pgd = b333e822 -[fa0ab060] *pgd=48011452(bad) - -[] (musb_default_readb) from [] (musb_vbus_show+0x58/0xe4) -[] (musb_vbus_show) from [] (dev_attr_show+0x20/0x44) -[] (dev_attr_show) from [] (sysfs_kf_seq_show+0x80/0xdc) -[] (sysfs_kf_seq_show) from [] (seq_read+0x250/0x448) -[] (seq_read) from [] (__vfs_read+0x1c/0x118) -[] (__vfs_read) from [] (vfs_read+0x90/0x144) -[] (vfs_read) from [] (SyS_read+0x3c/0x74) -[] (SyS_read) from [] (ret_fast_syscall+0x0/0x54) - -Solution was suggested by Tony Lindgren . - -Signed-off-by: Merlijn Wajer -Acked-by: Tony Lindgren -Signed-off-by: Bin Liu -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/musb/musb_core.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/usb/musb/musb_core.c -+++ b/drivers/usb/musb/musb_core.c -@@ -1775,6 +1775,7 @@ musb_vbus_show(struct device *dev, struc - int vbus; - u8 devctl; - -+ pm_runtime_get_sync(dev); - spin_lock_irqsave(&musb->lock, flags); - val = musb->a_wait_bcon; - vbus = musb_platform_get_vbus_status(musb); -@@ -1788,6 +1789,7 @@ musb_vbus_show(struct device *dev, struc - vbus = 0; - } - spin_unlock_irqrestore(&musb->lock, flags); -+ pm_runtime_put_sync(dev); - - return sprintf(buf, "Vbus %s, timeout %lu msec\n", - vbus ? "on" : "off", val); diff --git a/queue-4.4/usb-musb-fix-enumeration-after-resume.patch b/queue-4.4/usb-musb-fix-enumeration-after-resume.patch deleted file mode 100644 index 6ac9828ecaf..00000000000 --- a/queue-4.4/usb-musb-fix-enumeration-after-resume.patch +++ /dev/null @@ -1,49 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Andreas Kemnade -Date: Tue, 20 Feb 2018 07:30:10 -0600 -Subject: usb: musb: fix enumeration after resume - -From: Andreas Kemnade - -[ Upstream commit 17539f2f4f0b7fa906b508765c8ada07a1e45f52 ] - -On dm3730 there are enumeration problems after resume. -Investigation led to the cause that the MUSB_POWER_SOFTCONN -bit is not set. If it was set before suspend (because it -was enabled via musb_pullup()), it is set in -musb_restore_context() so the pullup is enabled. But then -musb_start() is called which overwrites MUSB_POWER and -therefore disables MUSB_POWER_SOFTCONN, so no pullup is -enabled and the device is not enumerated. - -So let's do a subset of what musb_start() does -in the same way as musb_suspend() does it. Platform-specific -stuff it still called as there might be some phy-related stuff -which needs to be enabled. -Also interrupts are enabled, as it was the original idea -of calling musb_start() in musb_resume() according to -Commit 6fc6f4b87cb3 ("usb: musb: Disable interrupts on suspend, -enable them on resume") - -Signed-off-by: Andreas Kemnade -Tested-by: Tony Lindgren -Signed-off-by: Bin Liu -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/musb/musb_core.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/usb/musb/musb_core.c -+++ b/drivers/usb/musb/musb_core.c -@@ -2522,7 +2522,8 @@ static int musb_resume(struct device *de - pm_runtime_set_active(dev); - pm_runtime_enable(dev); - -- musb_start(musb); -+ musb_enable_interrupts(musb); -+ musb_platform_enable(musb); - - return 0; - } diff --git a/queue-4.4/usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch b/queue-4.4/usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch deleted file mode 100644 index 4713dbc604b..00000000000 --- a/queue-4.4/usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch +++ /dev/null @@ -1,66 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Fredrik Noring -Date: Fri, 9 Mar 2018 18:34:34 +0100 -Subject: USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM - -From: Fredrik Noring - -[ Upstream commit d6c931ea32dc08ac2665bb5f009f9c40ad1bbdb3 ] - -Scatter-gather needs to be disabled when using dma_declare_coherent_memory -and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers -in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs -that use HCD_LOCAL_MEM". - -The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers: - -------------[ cut here ]------------ -WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8 -Modules linked in: -CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014 -Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031 - 805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000 - 00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420 - 805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538 - 00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000 - ... -Call Trace: -[<578af360>] show_stack+0x74/0x104 -[<2f3702c6>] __warn+0x118/0x120 -[] warn_slowpath_null+0x44/0x58 -[] hcd_alloc_coherent+0x4c/0xc8 -[<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534 -[<110bc94c>] usb_hcd_submit_urb+0x82c/0x834 -[<02eb5baf>] usb_sg_wait+0x14c/0x1a0 -[] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124 -[<87a5c34c>] usb_stor_bulk_srb+0x40/0x60 -[] usb_stor_Bulk_transport+0x160/0x37c -[] usb_stor_invoke_transport+0x3c/0x500 -[<004754f4>] usb_stor_control_thread+0x258/0x28c -[<22edf42e>] kthread+0x134/0x13c -[] ret_from_kernel_thread+0x14/0x1c ----[ end trace bcdb825805eefdcc ]--- - -Signed-off-by: Fredrik Noring -Acked-by: Alan Stern - -Signed-off-by: Greg Kroah-Hartman - -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/host/ohci-hcd.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/usb/host/ohci-hcd.c -+++ b/drivers/usb/host/ohci-hcd.c -@@ -444,7 +444,8 @@ static int ohci_init (struct ohci_hcd *o - struct usb_hcd *hcd = ohci_to_hcd(ohci); - - /* Accept arbitrarily long scatter-gather lists */ -- hcd->self.sg_tablesize = ~0; -+ if (!(hcd->driver->flags & HCD_LOCAL_MEM)) -+ hcd->self.sg_tablesize = ~0; - - if (distrust_firmware) - ohci->flags |= OHCI_QUIRK_HUB_POWER; diff --git a/queue-4.4/usb-serial-option-add-support-for-quectel-ep06.patch b/queue-4.4/usb-serial-option-add-support-for-quectel-ep06.patch deleted file mode 100644 index 40952f1ba69..00000000000 --- a/queue-4.4/usb-serial-option-add-support-for-quectel-ep06.patch +++ /dev/null @@ -1,65 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Kristian Evensen -Date: Thu, 1 Feb 2018 10:32:32 +0100 -Subject: USB: serial: option: Add support for Quectel EP06 - -From: Kristian Evensen - -[ Upstream commit 71a0483d56e784b1e11f38f10d7e22d265dbe244 ] - -The Quectel EP06 is a Cat. 6 LTE modem, and the interface mapping is as -follows: - -0: Diag -1: NMEA -2: AT -3: Modem - -Interface 4 is QMI and interface 5 is ADB, so they are blacklisted. - -This patch should also be considered for -stable. The QMI-patch for this -modem is already in the -stable-queue. - -v1->v2: -* Updated commit prefix (thanks Johan Hovold) -* Updated commit message slightly. - -Signed-off-by: Kristian Evensen -Acked-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/option.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -244,6 +244,7 @@ static void option_instat_callback(struc - #define QUECTEL_PRODUCT_EC21 0x0121 - #define QUECTEL_PRODUCT_EC25 0x0125 - #define QUECTEL_PRODUCT_BG96 0x0296 -+#define QUECTEL_PRODUCT_EP06 0x0306 - - #define CMOTECH_VENDOR_ID 0x16d8 - #define CMOTECH_PRODUCT_6001 0x6001 -@@ -692,6 +693,10 @@ static const struct option_blacklist_inf - .reserved = BIT(1) | BIT(4), - }; - -+static const struct option_blacklist_info quectel_ep06_blacklist = { -+ .reserved = BIT(4) | BIT(5), -+}; -+ - static const struct usb_device_id option_ids[] = { - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, - { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, -@@ -1206,6 +1211,8 @@ static const struct usb_device_id option - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, - { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96), - .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, -+ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06), -+ .driver_info = (kernel_ulong_t)&quectel_ep06_blacklist }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, - { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), diff --git a/queue-4.4/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch b/queue-4.4/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch deleted file mode 100644 index 953b0f03c5d..00000000000 --- a/queue-4.4/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch +++ /dev/null @@ -1,79 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dave Airlie -Date: Wed, 21 Feb 2018 11:50:03 +1000 -Subject: virtio-gpu: fix ioctl and expose the fixed status to userspace. - -From: Dave Airlie - -[ Upstream commit 9a191b114906457c4b2494c474f58ae4142d4e67 ] - -This exposes to mesa that it can use the fixed ioctl for querying -later cap sets, cap set 1 is forever frozen in time. - -Signed-off-by: Dave Airlie -Link: http://patchwork.freedesktop.org/patch/msgid/20180221015003.22884-1-airlied@gmail.com -Signed-off-by: Gerd Hoffmann -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/virtio/virtgpu_ioctl.c | 17 +++++++++++------ - include/uapi/drm/virtgpu_drm.h | 1 + - 2 files changed, 12 insertions(+), 6 deletions(-) - ---- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c -+++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c -@@ -208,6 +208,9 @@ static int virtio_gpu_getparam_ioctl(str - case VIRTGPU_PARAM_3D_FEATURES: - value = vgdev->has_virgl_3d == true ? 1 : 0; - break; -+ case VIRTGPU_PARAM_CAPSET_QUERY_FIX: -+ value = 1; -+ break; - default: - return -EINVAL; - } -@@ -483,7 +486,7 @@ static int virtio_gpu_get_caps_ioctl(str - { - struct virtio_gpu_device *vgdev = dev->dev_private; - struct drm_virtgpu_get_caps *args = data; -- int size; -+ unsigned size, host_caps_size; - int i; - int found_valid = -1; - int ret; -@@ -492,6 +495,10 @@ static int virtio_gpu_get_caps_ioctl(str - if (vgdev->num_capsets == 0) - return -ENOSYS; - -+ /* don't allow userspace to pass 0 */ -+ if (args->size == 0) -+ return -EINVAL; -+ - spin_lock(&vgdev->display_info_lock); - for (i = 0; i < vgdev->num_capsets; i++) { - if (vgdev->capsets[i].id == args->cap_set_id) { -@@ -507,11 +514,9 @@ static int virtio_gpu_get_caps_ioctl(str - return -EINVAL; - } - -- size = vgdev->capsets[found_valid].max_size; -- if (args->size > size) { -- spin_unlock(&vgdev->display_info_lock); -- return -EINVAL; -- } -+ host_caps_size = vgdev->capsets[found_valid].max_size; -+ /* only copy to user the minimum of the host caps size or the guest caps size */ -+ size = min(args->size, host_caps_size); - - list_for_each_entry(cache_ent, &vgdev->cap_cache, head) { - if (cache_ent->id == args->cap_set_id && ---- a/include/uapi/drm/virtgpu_drm.h -+++ b/include/uapi/drm/virtgpu_drm.h -@@ -60,6 +60,7 @@ struct drm_virtgpu_execbuffer { - }; - - #define VIRTGPU_PARAM_3D_FEATURES 1 /* do we have 3D features in the hw */ -+#define VIRTGPU_PARAM_CAPSET_QUERY_FIX 2 /* do we have the capset fix */ - - struct drm_virtgpu_getparam { - uint64_t param; diff --git a/queue-4.4/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch b/queue-4.4/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch deleted file mode 100644 index 5033cfbc23d..00000000000 --- a/queue-4.4/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch +++ /dev/null @@ -1,51 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Jay Vosburgh -Date: Thu, 22 Mar 2018 14:42:41 +0000 -Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS - -From: Jay Vosburgh - -[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ] - -The operstate update logic will leave an interface in the -default UNKNOWN operstate if the interface carrier state never changes -from the default carrier up state set at creation. This includes the -case of an explicit call to netif_carrier_on, as the carrier on to on -transition has no effect on operstate. - - This affects virtio-net for the case that the virtio peer does -not support VIRTIO_NET_F_STATUS (the feature that provides carrier state -updates). Without this feature, the virtio specification states that -"the link should be assumed active," so, logically, the operstate should -be UP instead of UNKNOWN. This has impact on user space applications -that use the operstate to make availability decisions for the interface. - - Resolve this by changing the virtio probe logic slightly to call -netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS -cases, and then the existing call to netif_carrier_on for the "without" -case will cause an operstate transition. - -Cc: "Michael S. Tsirkin" -Cc: Jason Wang -Cc: Ben Hutchings -Signed-off-by: Jay Vosburgh -Acked-by: Michael S. Tsirkin -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/virtio_net.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/virtio_net.c -+++ b/drivers/net/virtio_net.c -@@ -1912,8 +1912,8 @@ static int virtnet_probe(struct virtio_d - - /* Assume link up if device can't report link status, - otherwise get link status from config. */ -+ netif_carrier_off(dev); - if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) { -- netif_carrier_off(dev); - schedule_work(&vi->config_work); - } else { - vi->status = VIRTIO_NET_S_LINK_UP; diff --git a/queue-4.4/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch b/queue-4.4/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch deleted file mode 100644 index b564ba872b3..00000000000 --- a/queue-4.4/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch +++ /dev/null @@ -1,66 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Stefano Brivio -Date: Thu, 15 Mar 2018 17:16:27 +0100 -Subject: vti4: Don't count header length twice on tunnel setup - -From: Stefano Brivio - -[ Upstream commit dd1df24737727e119c263acf1be2a92763938297 ] - -This re-introduces the effect of commit a32452366b72 ("vti4: -Don't count header length twice.") which was accidentally -reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of -git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec"). - -The commit message from Steffen Klassert said: - - We currently count the size of LL_MAX_HEADER and struct iphdr - twice for vti4 devices, this leads to a wrong device mtu. - The size of LL_MAX_HEADER and struct iphdr is already counted in - ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init(). - -And this is still the case now: ip_tunnel_bind_dev() already -accounts for the header length of the link layer (not -necessarily LL_MAX_HEADER, if the output device is found), plus -one IP header. - -For example, with a vti device on top of veth, with MTU of 1500, -the existing implementation would set the initial vti MTU to -1332, accounting once for LL_MAX_HEADER (128, included in -hard_header_len by vti) and twice for the same IP header (once -from hard_header_len, once from ip_tunnel_bind_dev()). - -It should instead be 1480, because ip_tunnel_bind_dev() is able -to figure out that the output device is veth, so no additional -link layer header is attached, and will properly count one -single IP header. - -The existing issue had the side effect of avoiding PMTUD for -most xfrm policies, by arbitrarily lowering the initial MTU. -However, the only way to get a consistent PMTU value is to let -the xfrm PMTU discovery do its course, and commit d6af1a31cc72 -("vti: Add pmtu handling to vti_xmit.") now takes care of local -delivery cases where the application ignores local socket -notifications. - -Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code") -Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec") -Signed-off-by: Stefano Brivio -Acked-by: Sabrina Dubroca -Signed-off-by: Steffen Klassert -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv4/ip_vti.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/net/ipv4/ip_vti.c -+++ b/net/ipv4/ip_vti.c -@@ -366,7 +366,6 @@ static int vti_tunnel_init(struct net_de - memcpy(dev->dev_addr, &iph->saddr, 4); - memcpy(dev->broadcast, &iph->daddr, 4); - -- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr); - dev->mtu = ETH_DATA_LEN; - dev->flags = IFF_NOARP; - dev->addr_len = 4; diff --git a/queue-4.4/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch b/queue-4.4/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch deleted file mode 100644 index b8dbc8bf3cb..00000000000 --- a/queue-4.4/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch +++ /dev/null @@ -1,33 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Stefano Brivio -Date: Thu, 15 Mar 2018 17:16:29 +0100 -Subject: vti4: Don't override MTU passed on link creation via IFLA_MTU - -From: Stefano Brivio - -[ Upstream commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 ] - -Don't hardcode a MTU value on vti tunnel initialization, -ip_tunnel_newlink() is able to deal with this already. See also -commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK"). - -Fixes: 1181412c1a67 ("net/ipv4: VTI support new module for ip_vti.") -Signed-off-by: Stefano Brivio -Acked-by: Sabrina Dubroca -Signed-off-by: Steffen Klassert -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv4/ip_vti.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/net/ipv4/ip_vti.c -+++ b/net/ipv4/ip_vti.c -@@ -366,7 +366,6 @@ static int vti_tunnel_init(struct net_de - memcpy(dev->dev_addr, &iph->saddr, 4); - memcpy(dev->broadcast, &iph->daddr, 4); - -- dev->mtu = ETH_DATA_LEN; - dev->flags = IFF_NOARP; - dev->addr_len = 4; - dev->features |= NETIF_F_LLTX; diff --git a/queue-4.4/watchdog-f71808e_wdt-fix-magic-close-handling.patch b/queue-4.4/watchdog-f71808e_wdt-fix-magic-close-handling.patch deleted file mode 100644 index b25c8d5471f..00000000000 --- a/queue-4.4/watchdog-f71808e_wdt-fix-magic-close-handling.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Igor Pylypiv -Date: Wed, 28 Feb 2018 00:59:12 -0800 -Subject: watchdog: f71808e_wdt: Fix magic close handling - -From: Igor Pylypiv - -[ Upstream commit 7bd3e7b743956afbec30fb525bc3c5e22e3d475c ] - -Watchdog close is "expected" when any byte is 'V' not just the last one. -Writing "V" to the device fails because the last byte is the end of string. - -$ echo V > /dev/watchdog -f71808e_wdt: Unexpected close, not stopping watchdog! - -Signed-off-by: Igor Pylypiv -Reviewed-by: Guenter Roeck -Signed-off-by: Guenter Roeck -Signed-off-by: Wim Van Sebroeck -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/watchdog/f71808e_wdt.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/watchdog/f71808e_wdt.c -+++ b/drivers/watchdog/f71808e_wdt.c -@@ -520,7 +520,8 @@ static ssize_t watchdog_write(struct fil - char c; - if (get_user(c, buf + i)) - return -EFAULT; -- expect_close = (c == 'V'); -+ if (c == 'V') -+ expect_close = true; - } - - /* Properly order writes across fork()ed processes */ diff --git a/queue-4.4/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch b/queue-4.4/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch deleted file mode 100644 index 717d9a4d924..00000000000 --- a/queue-4.4/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Guenter Roeck -Date: Sun, 24 Dec 2017 13:04:07 -0800 -Subject: watchdog: sp5100_tco: Fix watchdog disable bit - -From: Guenter Roeck - -[ Upstream commit f541c09ebfc61697b586b38c9ebaf4b70defb278 ] - -According to all published information, the watchdog disable bit for SB800 -compatible controllers is bit 1 of PM register 0x48, not bit 2. For the -most part that doesn't matter in practice, since the bit has to be cleared -to enable watchdog address decoding, which is the default setting, but it -still needs to be fixed. - -Cc: Zoltán Böszörményi -Signed-off-by: Guenter Roeck -Signed-off-by: Wim Van Sebroeck -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/watchdog/sp5100_tco.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/watchdog/sp5100_tco.h -+++ b/drivers/watchdog/sp5100_tco.h -@@ -54,7 +54,7 @@ - #define SB800_PM_WATCHDOG_CONFIG 0x4C - - #define SB800_PCI_WATCHDOG_DECODE_EN (1 << 0) --#define SB800_PM_WATCHDOG_DISABLE (1 << 2) -+#define SB800_PM_WATCHDOG_DISABLE (1 << 1) - #define SB800_PM_WATCHDOG_SECOND_RES (3 << 0) - #define SB800_ACPI_MMIO_DECODE_EN (1 << 0) - #define SB800_ACPI_MMIO_SEL (1 << 1) diff --git a/queue-4.4/workqueue-use-put_device-instead-of-kfree.patch b/queue-4.4/workqueue-use-put_device-instead-of-kfree.patch deleted file mode 100644 index 9258eed0e37..00000000000 --- a/queue-4.4/workqueue-use-put_device-instead-of-kfree.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arvind Yadav -Date: Tue, 6 Mar 2018 15:35:43 +0530 -Subject: workqueue: use put_device() instead of kfree() - -From: Arvind Yadav - -[ Upstream commit 537f4146c53c95aac977852b371bafb9c6755ee1 ] - -Never directly free @dev after calling device_register(), even -if it returned an error! Always use put_device() to give up the -reference initialized in this function instead. - -Signed-off-by: Arvind Yadav -Signed-off-by: Tejun Heo -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - kernel/workqueue.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -5199,7 +5199,7 @@ int workqueue_sysfs_register(struct work - - ret = device_register(&wq_dev->dev); - if (ret) { -- kfree(wq_dev); -+ put_device(&wq_dev->dev); - wq->wq_dev = NULL; - return ret; - } diff --git a/queue-4.4/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch b/queue-4.4/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch deleted file mode 100644 index b22599abd5a..00000000000 --- a/queue-4.4/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch +++ /dev/null @@ -1,58 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Baoquan He -Date: Wed, 14 Feb 2018 13:46:56 +0800 -Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified - -From: Baoquan He - -[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ] - -Currently the kdump kernel becomes very slow if 'noapic' is specified. -Normal kernel doesn't have this bug. - -Kernel parameter 'noapic' is used to disable IO-APIC in system for -testing or special purpose. Here the root cause is that in kdump -kernel LAPIC is disabled since commit: - - 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC") - -In this case we need set up through-local-APIC on boot CPU in -setup_local_APIC(). - -In normal kernel the legacy irq mode is enabled by the BIOS. If -it is virtual wire mode, the local-APIC has been enabled and set as -through-local-APIC. - -Though we fixed the regression introduced by commit 522e664644, -to further improve robustness set up the through-local-APIC mode -explicitly, do not rely on the default boot IRQ mode. - -Signed-off-by: Baoquan He -Reviewed-by: Eric W. Biederman -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: douly.fnst@cn.fujitsu.com -Cc: joro@8bytes.org -Cc: prarit@redhat.com -Cc: uobergfe@redhat.com -Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com -[ Rewrote the changelog. ] -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/apic/apic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/x86/kernel/apic/apic.c -+++ b/arch/x86/kernel/apic/apic.c -@@ -1368,7 +1368,7 @@ void setup_local_APIC(void) - * TODO: set up through-local-APIC from through-I/O-APIC? --macro - */ - value = apic_read(APIC_LVT0) & APIC_LVT_MASKED; -- if (!cpu && (pic_mode || !value)) { -+ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) { - value = APIC_DM_EXTINT; - apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu); - } else { diff --git a/queue-4.4/x86-devicetree-fix-device-irq-settings-in-dt.patch b/queue-4.4/x86-devicetree-fix-device-irq-settings-in-dt.patch deleted file mode 100644 index a683673058e..00000000000 --- a/queue-4.4/x86-devicetree-fix-device-irq-settings-in-dt.patch +++ /dev/null @@ -1,62 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ivan Gorinov -Date: Wed, 7 Mar 2018 11:46:53 -0800 -Subject: x86/devicetree: Fix device IRQ settings in DT - -From: Ivan Gorinov - -[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ] - -IRQ parameters for the SoC devices connected directly to I/O APIC lines -(without PCI IRQ routing) may be specified in the Device Tree. - -Called from DT IRQ parser, irq_create_fwspec_mapping() calls -irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg. - -But x86-specific DT IRQ allocation code casts @arg to of_phandle_args -structure pointer and crashes trying to read the IRQ parameters. The -function was not converted when the mapping descriptor was changed to -irq_fwspec in the generic irqdomain code. - -Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure") -Signed-off-by: Ivan Gorinov -Signed-off-by: Thomas Gleixner -Cc: Mark Rutland -Cc: Rob Herring -Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/devicetree.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - ---- a/arch/x86/kernel/devicetree.c -+++ b/arch/x86/kernel/devicetree.c -@@ -200,19 +200,22 @@ static struct of_ioapic_type of_ioapic_t - static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, - unsigned int nr_irqs, void *arg) - { -- struct of_phandle_args *irq_data = (void *)arg; -+ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg; - struct of_ioapic_type *it; - struct irq_alloc_info tmp; -+ int type_index; - -- if (WARN_ON(irq_data->args_count < 2)) -+ if (WARN_ON(fwspec->param_count < 2)) - return -EINVAL; -- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type)) -+ -+ type_index = fwspec->param[1]; -+ if (type_index >= ARRAY_SIZE(of_ioapic_type)) - return -EINVAL; - -- it = &of_ioapic_type[irq_data->args[1]]; -+ it = &of_ioapic_type[type_index]; - ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity); - tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain)); -- tmp.ioapic_pin = irq_data->args[0]; -+ tmp.ioapic_pin = fwspec->param[0]; - - return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp); - } diff --git a/queue-4.4/x86-devicetree-initialize-device-tree-before-using-it.patch b/queue-4.4/x86-devicetree-initialize-device-tree-before-using-it.patch deleted file mode 100644 index 5b10f6b4993..00000000000 --- a/queue-4.4/x86-devicetree-initialize-device-tree-before-using-it.patch +++ /dev/null @@ -1,58 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ivan Gorinov -Date: Wed, 7 Mar 2018 11:46:29 -0800 -Subject: x86/devicetree: Initialize device tree before using it - -From: Ivan Gorinov - -[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ] - -Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and -checking in late initcall of_fdt_raw_init(), making early_init_dt_verify() -mandatory. - -The required call to early_init_dt_verify() was not added to the -x86-specific implementation, causing failure to create the sysfs entry in -of_fdt_raw_init(). - -Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt") -Signed-off-by: Ivan Gorinov -Signed-off-by: Thomas Gleixner -Cc: Mark Rutland -Cc: Rob Herring -Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/devicetree.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/arch/x86/kernel/devicetree.c -+++ b/arch/x86/kernel/devicetree.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -276,14 +277,15 @@ static void __init x86_flattree_get_conf - - map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128); - -- initial_boot_params = dt = early_memremap(initial_dtb, map_len); -- size = of_get_flat_dt_size(); -+ dt = early_memremap(initial_dtb, map_len); -+ size = fdt_totalsize(dt); - if (map_len < size) { - early_memunmap(dt, map_len); -- initial_boot_params = dt = early_memremap(initial_dtb, size); -+ dt = early_memremap(initial_dtb, size); - map_len = size; - } - -+ early_init_dt_verify(dt); - unflatten_and_copy_device_tree(); - early_memunmap(dt, map_len); - } diff --git a/queue-4.4/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch b/queue-4.4/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch deleted file mode 100644 index 39e4b3d96ad..00000000000 --- a/queue-4.4/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch +++ /dev/null @@ -1,98 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Joerg Roedel -Date: Wed, 11 Apr 2018 17:24:38 +0200 -Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries - -From: Joerg Roedel - -[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ] - -The pmd_set_huge() and pud_set_huge() functions are used from -the generic ioremap() code to establish large mappings where this -is possible. - -But the generic ioremap() code does not check whether the -PMD/PUD entries are already populated with a non-leaf entry, -so that any page-table pages these entries point to will be -lost. - -Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a -BUG_ON() in vmalloc_sync_one() when PMD entries are synced -from swapper_pg_dir to the current page-table. This happens -because the PMD entry from swapper_pg_dir was promoted to a -huge-page entry while the current PGD still contains the -non-leaf entry. Because both entries are present and point -to a different page, the BUG_ON() triggers. - -This was actually triggered with pti-x32 enabled in a KVM -virtual machine by the graphics driver. - -A real and better fix for that would be to improve the -page-table handling in the generic ioremap() code. But that is -out-of-scope for this patch-set and left for later work. - -Reported-by: David H. Gutteridge -Signed-off-by: Joerg Roedel -Reviewed-by: Thomas Gleixner -Cc: Andrea Arcangeli -Cc: Andy Lutomirski -Cc: Boris Ostrovsky -Cc: Borislav Petkov -Cc: Brian Gerst -Cc: Dave Hansen -Cc: David Laight -Cc: Denys Vlasenko -Cc: Eduardo Valentin -Cc: Greg KH -Cc: Jiri Kosina -Cc: Josh Poimboeuf -Cc: Juergen Gross -Cc: Linus Torvalds -Cc: Pavel Machek -Cc: Peter Zijlstra -Cc: Waiman Long -Cc: Will Deacon -Cc: aliguori@amazon.com -Cc: daniel.gruss@iaik.tugraz.at -Cc: hughd@google.com -Cc: keescook@google.com -Cc: linux-mm@kvack.org -Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/mm/pgtable.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/arch/x86/mm/pgtable.c -+++ b/arch/x86/mm/pgtable.c -@@ -1,5 +1,6 @@ - #include - #include -+#include - #include - #include - #include -@@ -600,6 +601,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t - (mtrr != MTRR_TYPE_WRBACK)) - return 0; - -+ /* Bail out if we are we on a populated non-leaf entry: */ -+ if (pud_present(*pud) && !pud_huge(*pud)) -+ return 0; -+ - prot = pgprot_4k_2_large(prot); - - set_pte((pte_t *)pud, pfn_pte( -@@ -628,6 +633,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t - return 0; - } - -+ /* Bail out if we are we on a populated non-leaf entry: */ -+ if (pmd_present(*pmd) && !pmd_huge(*pmd)) -+ return 0; -+ - prot = pgprot_4k_2_large(prot); - - set_pte((pte_t *)pmd, pfn_pte( diff --git a/queue-4.4/x86-power-fix-swsusp_arch_resume-prototype.patch b/queue-4.4/x86-power-fix-swsusp_arch_resume-prototype.patch deleted file mode 100644 index 8f9841bb056..00000000000 --- a/queue-4.4/x86-power-fix-swsusp_arch_resume-prototype.patch +++ /dev/null @@ -1,87 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arnd Bergmann -Date: Fri, 2 Feb 2018 15:56:18 +0100 -Subject: x86/power: Fix swsusp_arch_resume prototype - -From: Arnd Bergmann - -[ Upstream commit 328008a72d38b5bde6491e463405c34a81a65d3e ] - -The declaration for swsusp_arch_resume marks it as 'asmlinkage', but the -definition in x86-32 does not, and it fails to include the header with the -declaration. This leads to a warning when building with -link-time-optimizations: - -kernel/power/power.h:108:23: error: type of 'swsusp_arch_resume' does not match original declaration [-Werror=lto-type-mismatch] - extern asmlinkage int swsusp_arch_resume(void); - ^ -arch/x86/power/hibernate_32.c:148:0: note: 'swsusp_arch_resume' was previously declared here - int swsusp_arch_resume(void) - -This moves the declaration into a globally visible header file and fixes up -both x86 definitions to match it. - -Signed-off-by: Arnd Bergmann -Signed-off-by: Thomas Gleixner -Cc: Len Brown -Cc: Andi Kleen -Cc: Nicolas Pitre -Cc: linux-pm@vger.kernel.org -Cc: "Rafael J. Wysocki" -Cc: Pavel Machek -Cc: Bart Van Assche -Link: https://lkml.kernel.org/r/20180202145634.200291-2-arnd@arndb.de -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/power/hibernate_32.c | 2 +- - arch/x86/power/hibernate_64.c | 2 +- - include/linux/suspend.h | 2 ++ - kernel/power/power.h | 3 --- - 4 files changed, 4 insertions(+), 5 deletions(-) - ---- a/arch/x86/power/hibernate_32.c -+++ b/arch/x86/power/hibernate_32.c -@@ -142,7 +142,7 @@ static inline void resume_init_first_lev - #endif - } - --int swsusp_arch_resume(void) -+asmlinkage int swsusp_arch_resume(void) - { - int error; - ---- a/arch/x86/power/hibernate_64.c -+++ b/arch/x86/power/hibernate_64.c -@@ -78,7 +78,7 @@ static int set_up_temporary_mappings(voi - return 0; - } - --int swsusp_arch_resume(void) -+asmlinkage int swsusp_arch_resume(void) - { - int error; - ---- a/include/linux/suspend.h -+++ b/include/linux/suspend.h -@@ -377,6 +377,8 @@ extern int swsusp_page_is_forbidden(stru - extern void swsusp_set_page_free(struct page *); - extern void swsusp_unset_page_free(struct page *); - extern unsigned long get_safe_page(gfp_t gfp_mask); -+extern asmlinkage int swsusp_arch_suspend(void); -+extern asmlinkage int swsusp_arch_resume(void); - - extern void hibernation_set_ops(const struct platform_hibernation_ops *ops); - extern int hibernate(void); ---- a/kernel/power/power.h -+++ b/kernel/power/power.h -@@ -85,9 +85,6 @@ extern int in_suspend; - extern dev_t swsusp_resume_device; - extern sector_t swsusp_resume_block; - --extern asmlinkage int swsusp_arch_suspend(void); --extern asmlinkage int swsusp_arch_resume(void); -- - extern int create_basic_memory_bitmaps(void); - extern void free_basic_memory_bitmaps(void); - extern int hibernate_preallocate_memory(void); diff --git a/queue-4.4/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch b/queue-4.4/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch deleted file mode 100644 index 1449ba5a451..00000000000 --- a/queue-4.4/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch +++ /dev/null @@ -1,53 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Samuel Neves -Date: Wed, 21 Feb 2018 20:50:36 +0000 -Subject: x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations - -From: Samuel Neves - -[ Upstream commit 4596749339e06dc7a424fc08a15eded850ed78b7 ] - -Without this fix, /proc/cpuinfo will display an incorrect amount -of CPU cores, after bringing them offline and online again, as -exemplified below: - - $ cat /proc/cpuinfo | grep cores - cpu cores : 4 - cpu cores : 8 - cpu cores : 8 - cpu cores : 20 - cpu cores : 4 - cpu cores : 3 - cpu cores : 2 - cpu cores : 2 - -This patch fixes this by always zeroing the booted_cores variable -upon turning off a logical CPU. - -Tested-by: Dou Liyang -Signed-off-by: Samuel Neves -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: jgross@suse.com -Cc: luto@kernel.org -Cc: prarit@redhat.com -Cc: vkuznets@redhat.com -Link: http://lkml.kernel.org/r/20180221205036.5244-1-sneves@dei.uc.pt -Signed-off-by: Ingo Molnar -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/smpboot.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/x86/kernel/smpboot.c -+++ b/arch/x86/kernel/smpboot.c -@@ -1344,6 +1344,7 @@ static void remove_siblinginfo(int cpu) - cpumask_clear(topology_core_cpumask(cpu)); - c->phys_proc_id = 0; - c->cpu_core_id = 0; -+ c->booted_cores = 0; - cpumask_clear_cpu(cpu, cpu_sibling_setup_mask); - } - diff --git a/queue-4.4/xen-acpi-off-by-one-in-read_acpi_id.patch b/queue-4.4/xen-acpi-off-by-one-in-read_acpi_id.patch deleted file mode 100644 index a7353d73048..00000000000 --- a/queue-4.4/xen-acpi-off-by-one-in-read_acpi_id.patch +++ /dev/null @@ -1,39 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Dan Carpenter -Date: Thu, 29 Mar 2018 12:01:53 +0300 -Subject: xen/acpi: off by one in read_acpi_id() - -From: Dan Carpenter - -[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ] - -If acpi_id is == nr_acpi_bits, then we access one element beyond the end -of the acpi_psd[] array or we set one bit beyond the end of the bit map -when we do __set_bit(acpi_id, acpi_id_present); - -Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.") -Signed-off-by: Dan Carpenter -Reviewed-by: Joao Martins -Reviewed-by: Juergen Gross -Signed-off-by: Boris Ostrovsky -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/xen-acpi-processor.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/xen/xen-acpi-processor.c -+++ b/drivers/xen/xen-acpi-processor.c -@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl - } - /* There are more ACPI Processor objects than in x2APIC or MADT. - * This can happen with incorrect ACPI SSDT declerations. */ -- if (acpi_id > nr_acpi_bits) { -- pr_debug("We only have %u, trying to set %u\n", -- nr_acpi_bits, acpi_id); -+ if (acpi_id >= nr_acpi_bits) { -+ pr_debug("max acpi id %u, trying to set %u\n", -+ nr_acpi_bits - 1, acpi_id); - return AE_OK; - } - /* OK, There is a ACPI Processor object */ diff --git a/queue-4.4/xen-grant-table-use-put_page-instead-of-free_page.patch b/queue-4.4/xen-grant-table-use-put_page-instead-of-free_page.patch deleted file mode 100644 index 0076a9df171..00000000000 --- a/queue-4.4/xen-grant-table-use-put_page-instead-of-free_page.patch +++ /dev/null @@ -1,50 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ross Lagerwall -Date: Thu, 11 Jan 2018 09:36:37 +0000 -Subject: xen/grant-table: Use put_page instead of free_page - -From: Ross Lagerwall - -[ Upstream commit 3ac7292a25db1c607a50752055a18aba32ac2176 ] - -The page given to gnttab_end_foreign_access() to free could be a -compound page so use put_page() instead of free_page() since it can -handle both compound and single pages correctly. - -This bug was discovered when migrating a Xen VM with several VIFs and -CONFIG_DEBUG_VM enabled. It hits a BUG usually after fewer than 10 -iterations. All netfront devices disconnect from the backend during a -suspend/resume and this will call gnttab_end_foreign_access() if a -netfront queue has an outstanding skb. The mismatch between calling -get_page() and free_page() on a compound page causes a reference -counting error which is detected when DEBUG_VM is enabled. - -Signed-off-by: Ross Lagerwall -Reviewed-by: Boris Ostrovsky -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/grant-table.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/xen/grant-table.c -+++ b/drivers/xen/grant-table.c -@@ -328,7 +328,7 @@ static void gnttab_handle_deferred(unsig - if (entry->page) { - pr_debug("freeing g.e. %#x (pfn %#lx)\n", - entry->ref, page_to_pfn(entry->page)); -- __free_page(entry->page); -+ put_page(entry->page); - } else - pr_info("freeing g.e. %#x\n", entry->ref); - kfree(entry); -@@ -384,7 +384,7 @@ void gnttab_end_foreign_access(grant_ref - if (gnttab_end_foreign_access_ref(ref, readonly)) { - put_free_entry(ref); - if (page != 0) -- free_page(page); -+ put_page(virt_to_page(page)); - } else - gnttab_add_deferred(ref, readonly, - page ? virt_to_page(page) : NULL); diff --git a/queue-4.4/xen-netfront-fix-race-between-device-setup-and-open.patch b/queue-4.4/xen-netfront-fix-race-between-device-setup-and-open.patch deleted file mode 100644 index 68d706b20dd..00000000000 --- a/queue-4.4/xen-netfront-fix-race-between-device-setup-and-open.patch +++ /dev/null @@ -1,177 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Ross Lagerwall -Date: Thu, 11 Jan 2018 09:36:38 +0000 -Subject: xen-netfront: Fix race between device setup and open - -From: Ross Lagerwall - -[ Upstream commit f599c64fdf7d9c108e8717fb04bc41c680120da4 ] - -When a netfront device is set up it registers a netdev fairly early on, -before it has set up the queues and is actually usable. A userspace tool -like NetworkManager will immediately try to open it and access its state -as soon as it appears. The bug can be reproduced by hotplugging VIFs -until the VM runs out of grant refs. It registers the netdev but fails -to set up any queues (since there are no more grant refs). In the -meantime, NetworkManager opens the device and the kernel crashes trying -to access the queues (of which there are none). - -Fix this in two ways: -* For initial setup, register the netdev much later, after the queues -are setup. This avoids the race entirely. -* During a suspend/resume cycle, the frontend reconnects to the backend -and the queues are recreated. It is possible (though highly unlikely) to -race with something opening the device and accessing the queues after -they have been destroyed but before they have been recreated. Extend the -region covered by the rtnl semaphore to protect against this race. There -is a possibility that we fail to recreate the queues so check for this -in the open function. - -Signed-off-by: Ross Lagerwall -Reviewed-by: Boris Ostrovsky -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/xen-netfront.c | 46 +++++++++++++++++++++++---------------------- - 1 file changed, 24 insertions(+), 22 deletions(-) - ---- a/drivers/net/xen-netfront.c -+++ b/drivers/net/xen-netfront.c -@@ -342,6 +342,9 @@ static int xennet_open(struct net_device - unsigned int i = 0; - struct netfront_queue *queue = NULL; - -+ if (!np->queues) -+ return -ENODEV; -+ - for (i = 0; i < num_queues; ++i) { - queue = &np->queues[i]; - napi_enable(&queue->napi); -@@ -1363,18 +1366,8 @@ static int netfront_probe(struct xenbus_ - #ifdef CONFIG_SYSFS - info->netdev->sysfs_groups[0] = &xennet_dev_group; - #endif -- err = register_netdev(info->netdev); -- if (err) { -- pr_warn("%s: register_netdev err=%d\n", __func__, err); -- goto fail; -- } - - return 0; -- -- fail: -- xennet_free_netdev(netdev); -- dev_set_drvdata(&dev->dev, NULL); -- return err; - } - - static void xennet_end_access(int ref, void *page) -@@ -1743,8 +1736,6 @@ static void xennet_destroy_queues(struct - { - unsigned int i; - -- rtnl_lock(); -- - for (i = 0; i < info->netdev->real_num_tx_queues; i++) { - struct netfront_queue *queue = &info->queues[i]; - -@@ -1753,8 +1744,6 @@ static void xennet_destroy_queues(struct - netif_napi_del(&queue->napi); - } - -- rtnl_unlock(); -- - kfree(info->queues); - info->queues = NULL; - } -@@ -1770,8 +1759,6 @@ static int xennet_create_queues(struct n - if (!info->queues) - return -ENOMEM; - -- rtnl_lock(); -- - for (i = 0; i < *num_queues; i++) { - struct netfront_queue *queue = &info->queues[i]; - -@@ -1780,7 +1767,7 @@ static int xennet_create_queues(struct n - - ret = xennet_init_queue(queue); - if (ret < 0) { -- dev_warn(&info->netdev->dev, -+ dev_warn(&info->xbdev->dev, - "only created %d queues\n", i); - *num_queues = i; - break; -@@ -1794,10 +1781,8 @@ static int xennet_create_queues(struct n - - netif_set_real_num_tx_queues(info->netdev, *num_queues); - -- rtnl_unlock(); -- - if (*num_queues == 0) { -- dev_err(&info->netdev->dev, "no queues\n"); -+ dev_err(&info->xbdev->dev, "no queues\n"); - return -EINVAL; - } - return 0; -@@ -1839,6 +1824,7 @@ static int talk_to_netback(struct xenbus - goto out; - } - -+ rtnl_lock(); - if (info->queues) - xennet_destroy_queues(info); - -@@ -1849,6 +1835,7 @@ static int talk_to_netback(struct xenbus - info->queues = NULL; - goto out; - } -+ rtnl_unlock(); - - /* Create shared ring, alloc event channel -- for each queue */ - for (i = 0; i < num_queues; ++i) { -@@ -1945,8 +1932,10 @@ abort_transaction_no_dev_fatal: - xenbus_transaction_end(xbt, 1); - destroy_ring: - xennet_disconnect_backend(info); -+ rtnl_lock(); - xennet_destroy_queues(info); - out: -+ rtnl_unlock(); - device_unregister(&dev->dev); - return err; - } -@@ -1982,6 +1971,15 @@ static int xennet_connect(struct net_dev - netdev_update_features(dev); - rtnl_unlock(); - -+ if (dev->reg_state == NETREG_UNINITIALIZED) { -+ err = register_netdev(dev); -+ if (err) { -+ pr_warn("%s: register_netdev err=%d\n", __func__, err); -+ device_unregister(&np->xbdev->dev); -+ return err; -+ } -+ } -+ - /* - * All public and private state should now be sane. Get - * ready to start sending and receiving packets and give the driver -@@ -2172,10 +2170,14 @@ static int xennet_remove(struct xenbus_d - - xennet_disconnect_backend(info); - -- unregister_netdev(info->netdev); -+ if (info->netdev->reg_state == NETREG_REGISTERED) -+ unregister_netdev(info->netdev); - -- if (info->queues) -+ if (info->queues) { -+ rtnl_lock(); - xennet_destroy_queues(info); -+ rtnl_unlock(); -+ } - xennet_free_netdev(info->netdev); - - return 0; diff --git a/queue-4.4/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch b/queue-4.4/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch deleted file mode 100644 index 117b33ace80..00000000000 --- a/queue-4.4/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch +++ /dev/null @@ -1,44 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Roger Pau Monne -Date: Wed, 28 Feb 2018 09:19:03 +0000 -Subject: xen/pirq: fix error path cleanup when binding MSIs - -From: Roger Pau Monne - -[ Upstream commit 910f8befdf5bccf25287d9f1743e3e546bcb7ce0 ] - -Current cleanup in the error path of xen_bind_pirq_msi_to_irq is -wrong. First of all there's an off-by-one in the cleanup loop, which -can lead to unbinding wrong IRQs. - -Secondly IRQs not bound won't be freed, thus leaking IRQ numbers. - -Note that there's no need to differentiate between bound and unbound -IRQs when freeing them, __unbind_from_irq will deal with both of them -correctly. - -Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") -Reported-by: Hooman Mirhadi -Signed-off-by: Roger Pau Monné -Reviewed-by: Amit Shah -Reviewed-by: Boris Ostrovsky -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/events/events_base.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/xen/events/events_base.c -+++ b/drivers/xen/events/events_base.c -@@ -764,8 +764,8 @@ out: - mutex_unlock(&irq_mapping_update_lock); - return irq; - error_irq: -- for (; i >= 0; i--) -- __unbind_from_irq(irq + i); -+ while (nvec--) -+ __unbind_from_irq(irq + nvec); - mutex_unlock(&irq_mapping_update_lock); - return ret; - } diff --git a/queue-4.4/xen-xenbus-use-put_device-instead-of-kfree.patch b/queue-4.4/xen-xenbus-use-put_device-instead-of-kfree.patch deleted file mode 100644 index 705491c1e51..00000000000 --- a/queue-4.4/xen-xenbus-use-put_device-instead-of-kfree.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Arvind Yadav -Date: Tue, 6 Mar 2018 15:40:37 +0530 -Subject: xen: xenbus: use put_device() instead of kfree() - -From: Arvind Yadav - -[ Upstream commit 351b2bccede1cb673ec7957b35ea997ea24c8884 ] - -Never directly free @dev after calling device_register(), even -if it returned an error! Always use put_device() to give up the -reference initialized. - -Signed-off-by: Arvind Yadav -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/xenbus/xenbus_probe.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/xen/xenbus/xenbus_probe.c -+++ b/drivers/xen/xenbus/xenbus_probe.c -@@ -470,8 +470,11 @@ int xenbus_probe_node(struct xen_bus_typ - - /* Register with generic device framework. */ - err = device_register(&xendev->dev); -- if (err) -+ if (err) { -+ put_device(&xendev->dev); -+ xendev = NULL; - goto fail; -+ } - - return 0; - fail: diff --git a/queue-4.4/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch b/queue-4.4/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch deleted file mode 100644 index 8342bc7a408..00000000000 --- a/queue-4.4/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Mathias Nyman -Date: Fri, 16 Mar 2018 16:33:01 +0200 -Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot - -From: Mathias Nyman - -[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ] - -set udev->slot_id to zero when disabling and freeing the xhci slot. -Prevents usb core from calling xhci with a stale slot id. - -xHC controller may be reset during resume to recover from some error. -All slots are unusable as they are disabled and freed. -xhci driver starts slot enumeration again from 1 in the order they are -enabled. In the worst case a stale udev->slot_id for one device matches -a newly enabled slot_id for a different device, causing us to -perform a action on the wrong device. - -Signed-off-by: Mathias Nyman -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/host/xhci-mem.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/usb/host/xhci-mem.c -+++ b/drivers/usb/host/xhci-mem.c -@@ -960,6 +960,8 @@ void xhci_free_virt_device(struct xhci_h - if (dev->out_ctx) - xhci_free_container_ctx(xhci, dev->out_ctx); - -+ if (dev->udev && dev->udev->slot_id) -+ dev->udev->slot_id = 0; - kfree(xhci->devs[slot_id]); - xhci->devs[slot_id] = NULL; - } diff --git a/queue-4.4/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch b/queue-4.4/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch deleted file mode 100644 index 1458d0685f4..00000000000 --- a/queue-4.4/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch +++ /dev/null @@ -1,55 +0,0 @@ -From foo@baz Wed May 2 11:39:22 PDT 2018 -From: Michael Schmitz -Date: Sat, 3 Mar 2018 12:04:13 +1300 -Subject: zorro: Set up z->dev.dma_mask for the DMA API - -From: Michael Schmitz - -[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ] - -The generic DMA API uses dev->dma_mask to check the DMA addressable -memory bitmask, and warns if no mask is set or even allocated. - -Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask -to point to z->dev.dma_coherent_mask so device drivers that need DMA have -everything set up to avoid warnings from dma_alloc_coherent(). Drivers can -still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask. - -Signed-off-by: Michael Schmitz -[geert: Handle Zorro II with 24-bit address space] -Acked-by: Christoph Hellwig -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/zorro/zorro.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - ---- a/drivers/zorro/zorro.c -+++ b/drivers/zorro/zorro.c -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - #include - - #include -@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru - z->dev.parent = &bus->dev; - z->dev.bus = &zorro_bus_type; - z->dev.id = i; -+ switch (z->rom.er_Type & ERT_TYPEMASK) { -+ case ERT_ZORROIII: -+ z->dev.coherent_dma_mask = DMA_BIT_MASK(32); -+ break; -+ -+ case ERT_ZORROII: -+ default: -+ z->dev.coherent_dma_mask = DMA_BIT_MASK(24); -+ break; -+ } -+ z->dev.dma_mask = &z->dev.coherent_dma_mask; - } - - /* ... then register them */