From: Greg Kroah-Hartman Date: Mon, 27 Nov 2017 16:06:02 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.85~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d431789ded84d38b324c1d8bf71213e6ca84fb15;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch alsa-usb-audio-add-sanity-checks-to-fe-parser.patch alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch autofs-don-t-fail-mount-for-transient-error.patch bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch fs-9p-compare-qid.path-in-v9fs_test_inode.patch iscsi-target-fix-non-immediate-tmr-reference-leak.patch isofs-fix-timestamps-beyond-2027.patch mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch mips-fix-an-n32-core-file-generation-regset-support-regression.patch nfs-fix-typo-in-nomigration-mount-option.patch nfs-fix-ugly-referral-attributes.patch nfsd-deal-with-revoked-delegations-appropriately.patch nilfs2-fix-race-condition-that-causes-file-system-corruption.patch rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch target-fix-queue_full-scsi-task-attribute-handling.patch --- 
diff --git a/queue-4.4/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch b/queue-4.4/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch new file mode 100644 index 00000000000..2ece2390c61 --- /dev/null +++ b/queue-4.4/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch @@ -0,0 +1,32 @@ +From 2d7fe6185722b0817bb345f62ab06b76a7b26542 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 22 Nov 2017 15:21:32 +0800 +Subject: ALSA: hda/realtek - Fix ALC700 family no sound issue + +From: Kailang Yang + +commit 2d7fe6185722b0817bb345f62ab06b76a7b26542 upstream. + +It maybe the typo for ALC700 support patch. +To fix the bit value on this patch. + +Fixes: 6fbae35a3170 ("ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703") +Signed-off-by: Kailang Yang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6254,7 +6254,7 @@ static int patch_alc269(struct hda_codec + case 0x10ec0703: + spec->codec_variant = ALC269_TYPE_ALC700; + spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */ +- alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */ ++ alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */ + break; + + } diff --git a/queue-4.4/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch b/queue-4.4/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch new file mode 100644 index 00000000000..e5b54993795 --- /dev/null +++ b/queue-4.4/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch 
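Review bot: The trailing comment on the changed line still reads `/* Combo jack auto trigger control */` and no longer says what the call does now that its arguments are swapped. If alc_update_coef_idx() takes (mask, value) in that order — the only reading under which the old `(0, 1 << 15)` was a no-op, which is what the commit message implies — the new line clears bit 15 of COEF 0x4a, and the comment should say so, e.g. `/* Combo jack auto trigger control: clear bit 15 */`. patch_alc269() starts and ends outside the hunk.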
@@ -0,0 +1,58 @@ +From 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 Mon Sep 17 00:00:00 2001 +From: Henrik Eriksson +Date: Tue, 21 Nov 2017 09:29:28 +0100 +Subject: ALSA: pcm: update tstamp only if audio_tstamp changed + +From: Henrik Eriksson + +commit 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 upstream. + +commit 3179f6200188 ("ALSA: core: add .get_time_info") had a side effect +of changing the behaviour of the PCM runtime tstamp. Prior to this +change tstamp was not updated by snd_pcm_update_hw_ptr0() unless the +hw_ptr had moved, after this change tstamp was always updated. + +For an application using alsa-lib, doing snd_pcm_readi() followed by +snd_pcm_status() to estimate the age of the read samples by subtracting +status->avail * [sample rate] from status->tstamp this change degraded +the accuracy of the estimate on devices where the pcm hw does not +provide a granular hw_ptr, e.g., devices using +soc-generic-dmaengine-pcm.c and a dma-engine with residue_granularity +DMA_RESIDUE_GRANULARITY_DESCRIPTOR. The accuracy of the estimate +depended on the latency between the PCM hw completing a period and the +driver called snd_pcm_period_elapsed() to notify ALSA core, typically +determined by interrupt handling latency. After the change the accuracy +of the estimate depended on the latency between the PCM hw completing a +period and the application calling snd_pcm_status(), determined by the +scheduling of the application process. The maximum error of the +estimate is one period length in both cases, but the error average and +variance is smaller when it depends on interrupt latency. + +Instead of always updating tstamp, update it only if audio_tstamp +changed. 
+ +Fixes: 3179f6200188 ("ALSA: core: add .get_time_info") +Suggested-by: Pierre-Louis Bossart +Signed-off-by: Henrik Eriksson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_lib.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -264,8 +264,10 @@ static void update_audio_tstamp(struct s + runtime->rate); + *audio_tstamp = ns_to_timespec(audio_nsecs); + } +- runtime->status->audio_tstamp = *audio_tstamp; +- runtime->status->tstamp = *curr_tstamp; ++ if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) { ++ runtime->status->audio_tstamp = *audio_tstamp; ++ runtime->status->tstamp = *curr_tstamp; ++ } + + /* + * re-take a driver timestamp to let apps detect if the reference tstamp diff --git a/queue-4.4/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch b/queue-4.4/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch new file mode 100644 index 00000000000..077b6c48ed4 --- /dev/null +++ b/queue-4.4/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch 
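Review bot: The new guard in update_audio_tstamp() skips the `runtime->status->tstamp` store whenever `*audio_tstamp` equals the value already held in `runtime->status->audio_tstamp`, so the first call after a (re)start — where both are presumably zero — and any driver that reports an unchanging audio_tstamp leave `status->tstamp` at its previous value rather than the current `*curr_tstamp`. That is presumably the intended trade for the hw_ptr-granular devices the commit message describes, but it is a behaviour change for callers that relied on tstamp always being fresh, and nothing at the site records it. Add above the new `if`: `/* refresh tstamp only when the audio position moved, so its age tracks hw_ptr updates rather than status() calls */`. update_audio_tstamp() begins before the hunk.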
@@ -0,0 +1,54 @@ +From 3d4e8303f2c747c8540a0a0126d0151514f6468b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 16:36:11 +0100 +Subject: ALSA: timer: Remove kernel warning at compat ioctl error paths + +From: Takashi Iwai + +commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream. + +Some timer compat ioctls have NULL checks of timer instance with +snd_BUG_ON() that bring up WARN_ON() when the debug option is set. +Actually the condition can be met in the normal situation and it's +confusing and bad to spew kernel warnings with stack trace there. +Let's remove snd_BUG_ON() invocation and replace with the simple +checks. Also, correct the error code to EBADFD to follow the native +ioctl error handling. + +Reported-by: syzbot +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer_compat.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/core/timer_compat.c ++++ b/sound/core/timer_compat.c +@@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(st + struct snd_timer *t; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + t = tu->timeri->timer; +- if (snd_BUG_ON(!t)) +- return -ENXIO; ++ if (!t) ++ return -EBADFD; + memset(&info, 0, sizeof(info)); + info.card = t->card ? t->card->number : -1; + if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) +@@ -73,8 +73,8 @@ static int snd_timer_user_status_compat( + struct snd_timer_status32 status; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + memset(&status, 0, sizeof(status)); + status.tstamp.tv_sec = tu->tstamp.tv_sec; + status.tstamp.tv_nsec = tu->tstamp.tv_nsec; diff --git a/queue-4.4/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch b/queue-4.4/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch new file mode 100644 index 00000000000..52b88972f48 --- /dev/null 
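Review bot: The replacement checks in snd_timer_user_info_compat() and snd_timer_user_status_compat() read `tu->timeri` and, in the first function, immediately dereference `tu->timeri->timer` with no locking visible in the hunk; that is only safe if the compat ioctl entry is serialized against the ioctl that selects or frees the timer instance, which presumably happens in the caller but is outside this patch. State the assumption at the first check: `/* serialized by the caller's ioctl lock; timeri cannot change under us */`. Dropping snd_BUG_ON() is right, since an unselected timer is a legitimate user state and not a kernel bug, and -EBADFD matches the native path. Both functions continue outside the hunk.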
+++ b/queue-4.4/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch @@ -0,0 +1,57 @@ +From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 17:28:06 +0100 +Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers + +From: Takashi Iwai + +commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream. + +The helper functions to parse and look for the clock source, selector +and multiplier unit may return the descriptor with a too short length +than required, while there is no sanity check in the caller side. +Add some sanity checks in the parsers, at least, to guarantee the +given descriptor size, for avoiding the potential crashes. + +Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices") +Reported-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/clock.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -43,7 +43,7 @@ static struct uac_clock_source_descripto + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_SOURCE))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + return cs; + } + +@@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_SELECTOR))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { ++ if (cs->bLength < 5 + cs->bNrInPins) ++ return NULL; + return cs; ++ } + } + + return NULL; +@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_MULTIPLIER))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + return cs; + } + 
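Review bot: The selector bound `cs->bLength < 5 + cs->bNrInPins` only guarantees the baCSourceID[] array fits; a UAC2 clock selector descriptor carries bmControls and iClockSelector after that array, so if any caller reads those two fields the minimum must be `7 + cs->bNrInPins` — confirm against the callers before relying on 5. Either way the magic number deserves a comment: `/* 5 = offset of baCSourceID[]; each input pin adds one byte */`. The three lookup loops are now identical apart from the subtype and the extra selector check, so a small static helper taking the subtype and a minimum length would keep the sanity checks from drifting apart. All three helpers start outside the hunks.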
diff --git a/queue-4.4/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch b/queue-4.4/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch new file mode 100644 index 00000000000..9cb4c82c759 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch @@ -0,0 +1,51 @@ +From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 16:55:51 +0100 +Subject: ALSA: usb-audio: Add sanity checks to FE parser + +From: Takashi Iwai + +commit d937cd6790a2bef2d07b500487646bd794c039bb upstream. + +When the usb-audio descriptor contains the malformed feature unit +description with a too short length, the driver may access +out-of-bounds. Add a sanity check of the header size at the beginning +of parse_audio_feature_unit(). + +Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") +Reported-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1397,6 +1397,12 @@ static int parse_audio_feature_unit(stru + __u8 *bmaControls; + + if (state->mixer->protocol == UAC_VERSION_1) { ++ if (hdr->bLength < 7) { ++ usb_audio_err(state->chip, ++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n", ++ unitid); ++ return -EINVAL; ++ } + csize = hdr->bControlSize; + if (!csize) { + usb_audio_dbg(state->chip, +@@ -1414,6 +1420,12 @@ static int parse_audio_feature_unit(stru + } + } else { + struct uac2_feature_unit_descriptor *ftr = _ftr; ++ if (hdr->bLength < 6) { ++ usb_audio_err(state->chip, ++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n", ++ unitid); ++ return -EINVAL; ++ } + csize = 4; + channels = (hdr->bLength - 6) / 4 - 1; + bmaControls = ftr->bmaControls; 
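Review bot: The UAC2 check `hdr->bLength < 6` still admits bLength == 6, for which the very next line computes `channels = (hdr->bLength - 6) / 4 - 1`, i.e. -1, and a descriptor with no room for the master bmaControls word; since the code below the hunk presumably reads `csize` bytes of master controls from `bmaControls`, the minimum should be `if (hdr->bLength < 10)` (6 + 4), and the UAC1 branch likewise needs `bLength >= 7 + csize` once csize is known. A negative channel count also propagates to whatever loops over channels further down — confirm those treat it as zero rather than as a size. parse_audio_feature_unit() continues past the hunk.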
diff --git a/queue-4.4/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch b/queue-4.4/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch new file mode 100644 index 00000000000..bee0851f9a5 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch @@ -0,0 +1,34 @@ +From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 17:00:32 +0100 +Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU + +From: Takashi Iwai + +commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream. + +The usb-audio driver may trigger an out-of-bound access at parsing a +malformed selector unit, as it checks the header length only after +evaluating bNrInPins field, which can be already above the given +length. Fix it by adding the length check beforehand. + +Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2026,7 +2026,8 @@ static int parse_audio_selector_unit(str + const struct usbmix_name_map *map; + char **namelist; + +- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) { ++ if (desc->bLength < 5 || !desc->bNrInPins || ++ desc->bLength < 5 + desc->bNrInPins) { + usb_audio_err(state->chip, + "invalid SELECTOR UNIT descriptor %d\n", unitid); + return -EINVAL; diff --git a/queue-4.4/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch b/queue-4.4/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch new file mode 100644 index 00000000000..902c290b2b4 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch 
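Review bot: The selector unit bound `desc->bLength < 5 + desc->bNrInPins` covers baSourceID[] only; the descriptor's iSelector string index sits immediately after that array, so if the parser reads it (the selector helpers index `baSourceID[bNrInPins]` for it, as far as I recall — verify) the check must be `6 + desc->bNrInPins`. The newly-added `desc->bLength < 5` term is the actual fix, because `bNrInPins` lives at offset 4 and must not be read before the length is known, yet it looks redundant next to the third term; comment it: `/* bNrInPins is at offset 4: check bLength before touching it */`. parse_audio_selector_unit() continues outside the hunk.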
@@ -0,0 +1,39 @@ +From 8428a8ebde2db1e988e41a58497a28beb7ce1705 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 17:07:43 +0100 +Subject: ALSA: usb-audio: Fix potential zero-division at parsing FU + +From: Takashi Iwai + +commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream. + +parse_audio_feature_unit() contains a code dividing potentially with +zero when a malformed FU descriptor is passed. Although there is +already a sanity check, it checks only the value zero, hence it can +still lead to a zero-division when a value 1 is passed there. + +Fix it by correcting the sanity check (and the error message +thereof). + +Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1404,9 +1404,9 @@ static int parse_audio_feature_unit(stru + return -EINVAL; + } + csize = hdr->bControlSize; +- if (!csize) { ++ if (csize <= 1) { + usb_audio_dbg(state->chip, +- "unit %u: invalid bControlSize == 0\n", ++ "unit %u: invalid bControlSize <= 1\n", + unitid); + return -EINVAL; + } diff --git a/queue-4.4/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch b/queue-4.4/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch new file mode 100644 index 00000000000..1e5ddf06f09 --- /dev/null +++ b/queue-4.4/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch 
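Review bot: The tightened check `csize <= 1` rejects bControlSize == 1, which is the ordinary per-channel control width for UAC1 feature units, so this looks like it would refuse many otherwise valid devices. Nothing visible in this hunk divides by `csize - 1`; if the divisor in the channel computation is csize itself (as `(hdr->bLength - 7) / csize` would be), a value of 1 cannot divide by zero and the original `!csize` test was already sufficient. Please point at the exact expression that divides by zero for csize == 1 before taking this into stable; otherwise keep `if (!csize)` and the original message. parse_audio_feature_unit() continues outside the hunk.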
@@ -0,0 +1,39 @@ +From f1601113ddc0339a745e702f4fb1ca37d4875e65 Mon Sep 17 00:00:00 2001 +From: Rameshwar Prasad Sahu +Date: Thu, 2 Nov 2017 16:31:07 +0530 +Subject: ata: fixes kernel crash while tracing ata_eh_link_autopsy event + +From: Rameshwar Prasad Sahu + +commit f1601113ddc0339a745e702f4fb1ca37d4875e65 upstream. + +When tracing ata link error event, the kernel crashes when the disk is +removed due to NULL pointer access by trace_ata_eh_link_autopsy API. +This occurs as the dev is NULL when the disk disappeared. This patch +fixes this crash by calling trace_ata_eh_link_autopsy only if "dev" +is not NULL. + +v2 changes: + Removed direct passing "link" pointer instead of "dev" in trace API. + +Signed-off-by: Rameshwar Prasad Sahu +Signed-off-by: Tejun Heo +Fixes: 255c03d15a29 ("libata: Add tracepoints") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-eh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2245,8 +2245,8 @@ static void ata_eh_link_autopsy(struct a + if (dev->flags & ATA_DFLAG_DUBIOUS_XFER) + eflags |= ATA_EFLAG_DUBIOUS_XFER; + ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask); ++ trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask); + } +- trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask); + DPRINTK("EXIT\n"); + } + diff --git a/queue-4.4/autofs-don-t-fail-mount-for-transient-error.patch b/queue-4.4/autofs-don-t-fail-mount-for-transient-error.patch new file mode 100644 index 00000000000..7e479d2ac32 --- /dev/null +++ b/queue-4.4/autofs-don-t-fail-mount-for-transient-error.patch 
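Review bot: Moving `trace_ata_eh_link_autopsy()` inside the `if (dev)` block means an autopsy with no device — the hot-unplug case that crashed — now emits no tracepoint at all, so a tracer loses the event precisely when the link is misbehaving. That is an acceptable trade for a NULL dereference, but it deserves a comment at the call: `/* dev is NULL once the disk is gone; the tracepoint dereferences it */`. If link-level tracing matters, the longer-term fix is a tracepoint keyed on `link`, which the v2 note says was dropped. The opening `if (dev)` of the enclosing block is outside the hunk.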
@@ -0,0 +1,81 @@ +From ecc0c469f27765ed1e2b967be0aa17cee1a60b76 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 17 Nov 2017 15:29:13 -0800 +Subject: autofs: don't fail mount for transient error + +From: NeilBrown + +commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream. + +Currently if the autofs kernel module gets an error when writing to the +pipe which links to the daemon, then it marks the whole moutpoint as +catatonic, and it will stop working. + +It is possible that the error is transient. This can happen if the +daemon is slow and more than 16 requests queue up. If a subsequent +process tries to queue a request, and is then signalled, the write to +the pipe will return -ERESTARTSYS and autofs will take that as total +failure. + +So change the code to assess -ERESTARTSYS and -ENOMEM as transient +failures which only abort the current request, not the whole mountpoint. + +It isn't a crash or a data corruption, but having autofs mountpoints +suddenly stop working is rather inconvenient. + +Ian said: + +: And given the problems with a half dozen (or so) user space applications +: consuming large amounts of CPU under heavy mount and umount activity this +: could happen more easily than we expect. + +Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name +Signed-off-by: NeilBrown +Acked-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/autofs4/waitq.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -87,7 +87,8 @@ static int autofs4_write(struct autofs_s + spin_unlock_irqrestore(¤t->sighand->siglock, flags); + } + +- return (bytes > 0); ++ /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */ ++ return bytes == 0 ? 0 : wr < 0 ? 
wr : -EIO; + } + + static void autofs4_notify_daemon(struct autofs_sb_info *sbi, +@@ -101,6 +102,7 @@ static void autofs4_notify_daemon(struct + } pkt; + struct file *pipe = NULL; + size_t pktsz; ++ int ret; + + DPRINTK("wait id = 0x%08lx, name = %.*s, type=%d", + (unsigned long) wq->wait_queue_token, wq->name.len, wq->name.name, type); +@@ -173,7 +175,18 @@ static void autofs4_notify_daemon(struct + mutex_unlock(&sbi->wq_mutex); + + if (autofs4_write(sbi, pipe, &pkt, pktsz)) ++ switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { ++ case 0: ++ break; ++ case -ENOMEM: ++ case -ERESTARTSYS: ++ /* Just fail this one */ ++ autofs4_wait_release(sbi, wq->wait_queue_token, ret); ++ break; ++ default: + autofs4_catatonic_mode(sbi); ++ break; ++ } + fput(pipe); + } + diff --git a/queue-4.4/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch b/queue-4.4/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch new file mode 100644 index 00000000000..4340dc50496 --- /dev/null +++ b/queue-4.4/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch 
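Review bot: In autofs4_notify_daemon() the old line `if (autofs4_write(sbi, pipe, &pkt, pktsz))` is kept as an unchanged context line (it carries a space marker, unlike the `-` line in the first hunk) immediately before the added `switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {`, so the switch is the if's body and autofs4_write() runs twice: a successful first write never reaches the switch, but a failed first write is retried and the daemon can receive the packet a second time or the switch can assess a different error than the one that first failed. The `if` line should be removed so the `switch` is the only call. Separately, the rewritten autofs4_write() return `bytes == 0 ? 0 : wr < 0 ? wr : -EIO` is correct but a nested ternary; an explicit if/else under the comment you already added would read better.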
@@ -0,0 +1,46 @@ +From 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 13 Oct 2017 16:35:29 -0700 +Subject: bcache: check ca->alloc_thread initialized before wake up it + +From: Coly Li + +commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream. + +In bcache code, sysfs entries are created before all resources get +allocated, e.g. allocation thread of a cache set. + +There is posibility for NULL pointer deference if a resource is accessed +but which is not initialized yet. Indeed Jorg Bornschein catches one on +cache set allocation thread and gets a kernel oops. + +The reason for this bug is, when bch_bucket_alloc() is called during +cache set registration and attaching, ca->alloc_thread is not properly +allocated and initialized yet, call wake_up_process() on ca->alloc_thread +triggers NULL pointer deference failure. A simple and fast fix is, before +waking up ca->alloc_thread, checking whether it is allocated, and only +wake up ca->alloc_thread when it is not NULL. + +Signed-off-by: Coly Li +Reported-by: Jorg Bornschein +Cc: Kent Overstreet +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/alloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca, + + finish_wait(&ca->set->bucket_wait, &w); + out: +- wake_up_process(ca->alloc_thread); ++ if (ca->alloc_thread) ++ wake_up_process(ca->alloc_thread); + + trace_bcache_alloc(ca, reserve); + diff --git a/queue-4.4/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch b/queue-4.4/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch new file mode 100644 index 00000000000..73039d84ce1 --- /dev/null +++ b/queue-4.4/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch 
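Review bot: The new `if (ca->alloc_thread)` in bch_bucket_alloc() is a plain unsynchronized read of a pointer that another context initializes, so it closes the oops only if the thread pointer is published before any path can reach this call again and is never cleared while allocations are in flight; nothing in the hunk shows either. A comment should state the invariant being relied on, e.g. `/* NULL until the allocator thread is started during registration; presumably never cleared while the cache is live — confirm */`. bch_bucket_alloc() starts outside the hunk.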
@@ -0,0 +1,76 @@ +From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 30 Oct 2017 14:46:31 -0700 +Subject: bcache: only permit to recovery read error when cache device is clean + +From: Coly Li + +commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. + +When bcache does read I/Os, for example in writeback or writethrough mode, +if a read request on cache device is failed, bcache will try to recovery +the request by reading from cached device. If the data on cached device is +not synced with cache device, then requester will get a stale data. + +For critical storage system like database, providing stale data from +recovery may result an application level data corruption, which is +unacceptible. + +With this patch, for a failed read request in writeback or writethrough +mode, recovery a recoverable read request only happens when cache device +is clean. That is to say, all data on cached device is up to update. + +For other cache modes in bcache, read request will never hit +cached_dev_read_error(), they don't need this patch. + +Please note, because cache mode can be switched arbitrarily in run time, a +writethrough mode might be switched from a writeback mode. Therefore +checking dc->has_data in writethrough mode still makes sense. + +Changelog: +V4: Fix parens error pointed by Michael Lyle. +v3: By response from Kent Oversteet, he thinks recovering stale data is a + bug to fix, and option to permit it is unnecessary. So this version + the sysfs file is removed. +v2: rename sysfs entry from allow_stale_data_on_failure to + allow_stale_data_on_failure, and fix the confusing commit log. +v1: initial patch posted. 
+ +[small change to patch comment spelling by mlyle] + +Signed-off-by: Coly Li +Signed-off-by: Michael Lyle +Reported-by: Arne Wolf +Reviewed-by: Michael Lyle +Cc: Kent Overstreet +Cc: Nix +Cc: Kai Krakow +Cc: Eric Wheeler +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -707,8 +707,16 @@ static void cached_dev_read_error(struct + { + struct search *s = container_of(cl, struct search, cl); + struct bio *bio = &s->bio.bio; ++ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + +- if (s->recoverable) { ++ /* ++ * If cache device is dirty (dc->has_dirty is non-zero), then ++ * recovery a failed read request from cached device may get a ++ * stale data back. So read failure recovery is only permitted ++ * when cache device is clean. ++ */ ++ if (s->recoverable && ++ (dc && !atomic_read(&dc->has_dirty))) { + /* Retry from the backing device: */ + trace_bcache_read_retry(s->orig_bio); + diff --git a/queue-4.4/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch b/queue-4.4/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch new file mode 100644 index 00000000000..d5fdd249ee6 --- /dev/null +++ b/queue-4.4/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch 
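Review bot: `dc` comes from `container_of(s->d, struct cached_dev, disk)` two lines above, which is pointer arithmetic and never yields NULL, so the `dc &&` in `if (s->recoverable && (dc && !atomic_read(&dc->has_dirty)))` is dead and reads as if a NULL backing device were a handled case. Drop it: `if (s->recoverable && !atomic_read(&dc->has_dirty)) {`. If the intent was to guard against `s->d` being NULL, that needs an explicit check on `s->d` before the container_of, not after. cached_dev_read_error() continues outside the hunk.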
@@ -0,0 +1,72 @@ +From b9a41d21dceadf8104812626ef85dc56ee8a60ed Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 1 Nov 2017 15:42:36 +0800 +Subject: dm: fix race between dm_get_from_kobject() and __dm_destroy() + +From: Hou Tao + +commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream. + +The following BUG_ON was hit when testing repeat creation and removal of +DM devices: + + kernel BUG at drivers/md/dm.c:2919! + CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44 + Call Trace: + [] dm_get_from_kobject+0x34/0x3a + [] dm_attr_show+0x2b/0x5e + [] ? mutex_lock+0x26/0x44 + [] sysfs_kf_seq_show+0x83/0xcf + [] kernfs_seq_show+0x23/0x25 + [] seq_read+0x16f/0x325 + [] kernfs_fop_read+0x3a/0x13f + [] __vfs_read+0x26/0x9d + [] ? security_file_permission+0x3c/0x44 + [] ? rw_verify_area+0x83/0xd9 + [] vfs_read+0x8f/0xcf + [] ? __fdget_pos+0x12/0x41 + [] SyS_read+0x4b/0x76 + [] system_call_fastpath+0x12/0x71 + +The bug can be easily triggered, if an extra delay (e.g. 10ms) is added +between the test of DMF_FREEING & DMF_DELETING and dm_get() in +dm_get_from_kobject(). + +To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and +dm_get() are done in an atomic way, so _minor_lock is used. + +The other callers of dm_get() have also been checked to be OK: some +callers invoke dm_get() under _minor_lock, some callers invoke it under +_hash_lock, and dm_start_request() invoke it after increasing +md->open_count. 
+ +Signed-off-by: Hou Tao +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -3507,11 +3507,15 @@ struct mapped_device *dm_get_from_kobjec + + md = container_of(kobj, struct mapped_device, kobj_holder.kobj); + +- if (test_bit(DMF_FREEING, &md->flags) || +- dm_deleting_md(md)) +- return NULL; +- ++ spin_lock(&_minor_lock); ++ if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) { ++ md = NULL; ++ goto out; ++ } + dm_get(md); ++out: ++ spin_unlock(&_minor_lock); ++ + return md; + } + diff --git a/queue-4.4/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch b/queue-4.4/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch new file mode 100644 index 00000000000..a3caa67aa65 --- /dev/null +++ b/queue-4.4/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch 
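Review bot: The fix depends on __dm_destroy() setting DMF_FREEING/DMF_DELETING under `_minor_lock`, so that the flag test and `dm_get()` in dm_get_from_kobject() become atomic with respect to it, but nothing at this site says so and a later change to the destroy path could silently reopen the race. Add above the lock: `/* _minor_lock pairs with __dm_destroy(): test the flags and take the ref atomically */`. Also worth confirming that dm_get() is safe under a spinlock (presumably a plain refcount increment) and that the sysfs show path can never already hold `_minor_lock`. dm_get_from_kobject() starts outside the hunk.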
@@ -0,0 +1,43 @@
+From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 22 Aug 2017 23:41:28 +0300
+Subject: eCryptfs: use after free in ecryptfs_release_messaging()
+
+From: Dan Carpenter
+
+commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.
+
+We're freeing the list iterator so we should be using the _safe()
+version of hlist_for_each_entry().
+
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/messaging.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+ }
+ if (ecryptfs_daemon_hash) {
+ struct ecryptfs_daemon *daemon;
++ struct hlist_node *n;
+ int i;
+
+ mutex_lock(&ecryptfs_daemon_hash_mux);
+ for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+ int rc;
+
+- hlist_for_each_entry(daemon,
+- &ecryptfs_daemon_hash[i],
+- euid_chain) {
++ hlist_for_each_entry_safe(daemon, n,
++ &ecryptfs_daemon_hash[i],
++ euid_chain) {
+ rc = ecryptfs_exorcise_daemon(daemon);
+ if (rc)
+ printk(KERN_ERR "%s: Error whilst "
diff --git a/queue-4.4/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch b/queue-4.4/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
new file mode 100644
index 00000000000..e6aaa60a3e8
--- /dev/null
+++ b/queue-4.4/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
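Review bot: The switch to hlist_for_each_entry_safe() is correct, but the reason is only obvious if one knows that ecryptfs_exorcise_daemon() frees `daemon` (the commit message says so; presumably it also unlinks it from the chain); record that at the loop: `/* _safe: exorcise frees daemon and drops it from euid_chain */`. On error the loop only printk()s and moves on, leaving that entry in the hash; that is the pre-existing behaviour and fine for a teardown path, but a one-line comment that the failure is deliberately ignored would stop the next reader from "fixing" it. ecryptfs_release_messaging() starts outside the hunk.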
@@ -0,0 +1,64 @@ +From 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 6 Oct 2017 23:09:55 -0400 +Subject: ext4: fix interaction between i_size, fallocate, and delalloc after a crash + +From: Theodore Ts'o + +commit 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 upstream. + +If there are pending writes subject to delayed allocation, then i_size +will show size after the writes have completed, while i_disksize +contains the value of i_size on the disk (since the writes have not +been persisted to disk). + +If fallocate(2) is called with the FALLOC_FL_KEEP_SIZE flag, either +with or without the FALLOC_FL_ZERO_RANGE flag set, and the new size +after the fallocate(2) is between i_size and i_disksize, then after a +crash, if a journal commit has resulted in the changes made by the +fallocate() call to be persisted after a crash, but the delayed +allocation write has not resolved itself, i_size would not be updated, +and this would cause the following e2fsck complaint: + +Inode 12, end of extent exceeds allowed value + (logical block 33, physical block 33441, len 7) + +This can only take place on a sparse file, where the fallocate(2) call +is allocating blocks in a range which is before a pending delayed +allocation write which is extending i_size. Since this situation is +quite rare, and the window in which the crash must take place is +typically < 30 seconds, in practice this condition will rarely happen. + +Nevertheless, it can be triggered in testing, and in particular by +xfstests generic/456. 
+ +Signed-off-by: Theodore Ts'o +Reported-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4818,7 +4818,8 @@ static long ext4_zero_range(struct file + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +- offset + len > i_size_read(inode)) { ++ (offset + len > i_size_read(inode) || ++ offset + len > EXT4_I(inode)->i_disksize)) { + new_size = offset + len; + ret = inode_newsize_ok(inode, new_size); + if (ret) +@@ -4994,7 +4995,8 @@ long ext4_fallocate(struct file *file, i + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +- offset + len > i_size_read(inode)) { ++ (offset + len > i_size_read(inode) || ++ offset + len > EXT4_I(inode)->i_disksize)) { + new_size = offset + len; + ret = inode_newsize_ok(inode, new_size); + if (ret) diff --git a/queue-4.4/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch b/queue-4.4/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch new file mode 100644 index 00000000000..7bdd306cce3 --- /dev/null +++ b/queue-4.4/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch 
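Review bot: The identical condition `offset + len > i_size_read(inode) || offset + len > EXT4_I(inode)->i_disksize` is now duplicated in ext4_zero_range() and ext4_fallocate(); a small static helper taking the inode and `offset + len` would keep the two sites from drifting when the next crash-consistency corner case turns up. i_disksize is also read here with no lock visible in the hunks; if the surrounding code holds the inode lock that is presumably enough, but a comment would document why both sizes are compared: `/* i_disksize can lag i_size under delalloc; grow the on-disk size too */`. Both functions continue outside the hunks.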
@@ -0,0 +1,40 @@
+From 11d49e9d089ccec81be87c2386dfdd010d7f7f6e Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 24 Sep 2017 18:36:44 -0400
+Subject: fix a page leak in vhost_scsi_iov_to_sgl() error recovery
+
+From: Al Viro
+
+commit 11d49e9d089ccec81be87c2386dfdd010d7f7f6e upstream.
+
+we are advancing sg as we go, so the pages we need to drop in
+case of error are *before* the current sg.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/scsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -703,6 +703,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+ struct scatterlist *sg, int sg_count)
+ {
+ size_t off = iter->iov_offset;
++ struct scatterlist *p = sg;
+ int i, ret;
+
+ for (i = 0; i < iter->nr_segs; i++) {
+@@ -711,8 +712,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+
+ ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
+ if (ret < 0) {
+- for (i = 0; i < sg_count; i++) {
+- struct page *page = sg_page(&sg[i]);
++ while (p < sg) {
++ struct page *page = sg_page(p++);
+ if (page)
+ put_page(page);
+ }
diff --git a/queue-4.4/fs-9p-compare-qid.path-in-v9fs_test_inode.patch b/queue-4.4/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
new file mode 100644
index 00000000000..6fa8fdf3e89
--- /dev/null
+++ b/queue-4.4/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
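Review bot: The new unwind `while (p < sg)` correctly drops only pages pinned by earlier iterations, but it relies on vhost_scsi_map_to_sgl() releasing anything it pinned itself before returning < 0 and on `sg` being advanced by exactly the number of entries filled; neither is visible in the hunk. Pin that contract at the declaration: `/* p..sg-1: entries filled by earlier iterations; a failing map_to_sgl must not leave pinned pages behind */`. `sg_count` is no longer read on this path — if nothing else in the function uses it, the parameter can go. vhost_scsi_iov_to_sgl() continues past the hunk.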
@@ -0,0 +1,51 @@
+From 8ee031631546cf2f7859cc69593bd60bbdd70b46 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen
+Date: Wed, 6 Sep 2017 17:59:07 +0300
+Subject: fs/9p: Compare qid.path in v9fs_test_inode
+
+From: Tuomas Tynkkynen
+
+commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.
+
+Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
+and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
+instead of iget_locked(). However, the test() callback is not checking
+fid.path at all, which means that a lookup in the inode cache can now
+accidentally locate a completely wrong inode from the same inode hash
+bucket if the other fields (qid.type and qid.version) match.
+
+Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
+Reviewed-by: Latchesar Ionkov
+Signed-off-by: Tuomas Tynkkynen
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/9p/vfs_inode.c | 3 +++
+ fs/9p/vfs_inode_dotl.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
diff --git a/queue-4.4/iscsi-target-fix-non-immediate-tmr-reference-leak.patch b/queue-4.4/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
new file mode 100644
index 00000000000..9339424952e
--- /dev/null
+++ b/queue-4.4/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
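Review bot: The new `qid.path` comparison is duplicated verbatim in v9fs_test_inode() and v9fs_test_inode_dotl(), so both callbacks now repeat the same three field checks; a shared `static inline` helper comparing `v9inode->qid` with `st->qid` would keep the two from drifting apart again. A short comment above the new check would also record why it is required: `/* same hash bucket does not imply same file: compare qid.path explicitly */`. Both functions start outside the hunks.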
@@ -0,0 +1,47 @@
+From 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 27 Oct 2017 20:52:56 -0700
+Subject: iscsi-target: Fix non-immediate TMR reference leak
+
+From: Nicholas Bellinger
+
+commit 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c upstream.
+
+This patch fixes a se_cmd->cmd_kref reference leak that can
+occur when a non immediate TMR is proceeded our of command
+sequence number order, and CMDSN_LOWER_THAN_EXP is returned
+by iscsit_sequence_cmd().
+
+To address this bug, call target_put_sess_cmd() during this
+special case following what iscsit_process_scsi_cmd() does
+upon CMDSN_LOWER_THAN_EXP.
+
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1923,12 +1923,14 @@ attach:
+
+ if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+ int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+ out_of_order_cmdsn = 1;
+- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++ target_put_sess_cmd(&cmd->se_cmd);
+ return 0;
+- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+ return -1;
++ }
+ }
+ iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
+
diff --git a/queue-4.4/isofs-fix-timestamps-beyond-2027.patch b/queue-4.4/isofs-fix-timestamps-beyond-2027.patch
new file mode 100644
index 00000000000..03b40455923
--- /dev/null
+++ b/queue-4.4/isofs-fix-timestamps-beyond-2027.patch
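Review bot: The `CMDSN_ERROR_CANNOT_RECOVER` branch still returns -1 without `target_put_sess_cmd()`, so the reference that the `CMDSN_LOWER_THAN_EXP` branch now drops is still held on that path. If the -1 return makes the caller tear the connection down and release the command by another route, a comment on that branch saying so would keep the next reader from "fixing" it; if not, the same put is missing there. Comparing with iscsit_process_scsi_cmd(), which the commit message cites as the model, would settle which it is. The enclosing function starts and ends outside the hunk.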
@@ -0,0 +1,64 @@
+From 34be4dbf87fc3e474a842305394534216d428f5d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 19 Oct 2017 16:47:48 +0200
+Subject: isofs: fix timestamps beyond 2027
+
+From: Arnd Bergmann
+
+commit 34be4dbf87fc3e474a842305394534216d428f5d upstream.
+
+isofs uses a 'char' variable to load the number of years since
+1900 for an inode timestamp. On architectures that use a signed
+char type by default, this results in an invalid date for
+anything beyond 2027.
+
+This changes the function argument to a 'u8' array, which
+is defined the same way on all architectures, and unambiguously
+lets us use years until 2155.
+
+This should be backported to all kernels that might still be
+in use by that date.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/isofs/isofs.h | 2 +-
+ fs/isofs/rock.h | 2 +-
+ fs/isofs/util.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -103,7 +103,7 @@ static inline unsigned int isonum_733(ch
+ /* Ignore bigendian datum due to broken mastering programs */
+ return get_unaligned_le32(p);
+ }
+-extern int iso_date(char *, int);
++extern int iso_date(u8 *, int);
+
+ struct inode; /* To make gcc happy */
+
+--- a/fs/isofs/rock.h
++++ b/fs/isofs/rock.h
+@@ -65,7 +65,7 @@ struct RR_PL_s {
+ };
+
+ struct stamp {
+- char time[7];
++ __u8 time[7]; /* actually 6 unsigned, 1 signed */
+ } __attribute__ ((packed));
+
+ struct RR_TF_s {
+--- a/fs/isofs/util.c
++++ b/fs/isofs/util.c
+@@ -15,7 +15,7 @@
+ * to GMT. Thus we should always be correct.
+ */
+
+-int iso_date(char * p, int flag)
++int iso_date(u8 *p, int flag)
+ {
+ int year, month, day, hour, minute, second, tz;
+ int crtime;
diff --git a/queue-4.4/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch b/queue-4.4/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
new file mode 100644
index 00000000000..2c3ad4f00df
--- /dev/null
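Review bot: With `p` now `u8 *`, any place in iso_date() that reads the timezone byte must sign-extend it explicitly, since `p[6]` is unsigned on every architecture after this change and the new `rock.h` comment itself says `actually 6 unsigned, 1 signed`. The body of iso_date() is outside the hunk, so that explicit sign-extension of `tz` should be confirmed there; the year byte is the one the commit fixes, the tz byte is the one it must not break. A comment on the prototype would make the contract visible to callers: `extern int iso_date(u8 *, int); /* 7 bytes: six unsigned fields, then a signed tz byte */`.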
+++ b/queue-4.4/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
@@ -0,0 +1,39 @@
+From 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 Mon Sep 17 00:00:00 2001
+From: Mirko Parthey
+Date: Thu, 18 May 2017 21:30:03 +0200
+Subject: MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirko Parthey
+
+commit 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 upstream.
+
+The WLAN LED on the Linksys WRT54GSv1 is active low, but the software
+treats it as active high. Fix the inverted logic.
+
+Fixes: 7bb26b169116 ("MIPS: BCM47xx: Fix LEDs on WRT54GS V1.0")
+Signed-off-by: Mirko Parthey
+Looks-ok-by: Rafał Miłecki
+Cc: Hauke Mehrtens
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16071/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/bcm47xx/leds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/bcm47xx/leds.c
++++ b/arch/mips/bcm47xx/leds.c
+@@ -330,7 +330,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __init
+ /* Verified on: WRT54GS V1.0 */
+ static const struct gpio_led
+ bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = {
+- BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF),
++ BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF),
+ BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON),
+ BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF),
+ };
diff --git a/queue-4.4/mips-fix-an-n32-core-file-generation-regset-support-regression.patch b/queue-4.4/mips-fix-an-n32-core-file-generation-regset-support-regression.patch
new file mode 100644
index 00000000000..90d77554e86
--- /dev/null
+++ b/queue-4.4/mips-fix-an-n32-core-file-generation-regset-support-regression.patch
@@ -0,0 +1,83 @@ +From 547da673173de51f73887377eb275304775064ad Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 7 Nov 2017 19:09:20 +0000 +Subject: MIPS: Fix an n32 core file generation regset support regression + +From: Maciej W. Rozycki + +commit 547da673173de51f73887377eb275304775064ad upstream. + +Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") +regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF +core dumper to use regsets.)", that caused n32 processes to dump o32 +core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file +header's `e_flags' member: + +$ file tls-core +tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...] +$ ./tls-core +Aborted (core dumped) +$ file core +core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style +$ + +Previously the flag was set as the result of a: + +statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the +regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is +no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the +`->e_flags' member of the regset view chosen is. We have the views +defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64 +one, and the latter is used for n32 as well. Consequently an o32 core +file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class +is chosen elsewhere, and the 32-bit one is correctly selected for n32). + +Correct the issue then by defining an n32 regset view and using it as +appropriate. Issue discovered in GDB testing. + +Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") +Signed-off-by: Maciej W. 
Rozycki +Cc: Ralf Baechle +Cc: Djordje Todorovic +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17617/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/ptrace.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -650,6 +650,19 @@ static const struct user_regset_view use + .n = ARRAY_SIZE(mips64_regsets), + }; + ++#ifdef CONFIG_MIPS32_N32 ++ ++static const struct user_regset_view user_mipsn32_view = { ++ .name = "mipsn32", ++ .e_flags = EF_MIPS_ABI2, ++ .e_machine = ELF_ARCH, ++ .ei_osabi = ELF_OSABI, ++ .regsets = mips64_regsets, ++ .n = ARRAY_SIZE(mips64_regsets), ++}; ++ ++#endif /* CONFIG_MIPS32_N32 */ ++ + #endif /* CONFIG_64BIT */ + + const struct user_regset_view *task_user_regset_view(struct task_struct *task) +@@ -661,6 +674,10 @@ const struct user_regset_view *task_user + if (test_tsk_thread_flag(task, TIF_32BIT_REGS)) + return &user_mips_view; + #endif ++#ifdef CONFIG_MIPS32_N32 ++ if (test_tsk_thread_flag(task, TIF_32BIT_ADDR)) ++ return &user_mipsn32_view; ++#endif + return &user_mips64_view; + #endif + } diff --git a/queue-4.4/nfs-fix-typo-in-nomigration-mount-option.patch b/queue-4.4/nfs-fix-typo-in-nomigration-mount-option.patch new file mode 100644 index 00000000000..ef1a4cb4eae --- /dev/null +++ b/queue-4.4/nfs-fix-typo-in-nomigration-mount-option.patch 
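Review bot: `user_mipsn32_view` is identical to `user_mips64_view` except for `.e_flags = EF_MIPS_ABI2`, and nothing in the hunk says that is deliberate; a comment on the definition would stop it being folded back into the n64 view: `/* n32 uses the n64 register layout; only e_flags differs, and that is what marks the core file as n32 */`. In task_user_regset_view() the new `TIF_32BIT_ADDR` test sits after the `TIF_32BIT_REGS` one, which suggests an o32 task carries both flags; if so, `/* must stay after the o32 check */` on the new `#ifdef` would record that ordering dependency. The function starts outside the hunk.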
@@ -0,0 +1,30 @@
+From f02fee227e5f21981152850744a6084ff3fa94ee Mon Sep 17 00:00:00 2001
+From: Joshua Watt
+Date: Tue, 7 Nov 2017 16:25:47 -0600
+Subject: NFS: Fix typo in nomigration mount option
+
+From: Joshua Watt
+
+commit f02fee227e5f21981152850744a6084ff3fa94ee upstream.
+
+The option was incorrectly masking off all other options.
+
+Signed-off-by: Joshua Watt
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1322,7 +1322,7 @@ static int nfs_parse_mount_options(char
+ mnt->options |= NFS_OPTION_MIGRATION;
+ break;
+ case Opt_nomigration:
+- mnt->options &= NFS_OPTION_MIGRATION;
++ mnt->options &= ~NFS_OPTION_MIGRATION;
+ break;
+
+ /*
diff --git a/queue-4.4/nfs-fix-ugly-referral-attributes.patch b/queue-4.4/nfs-fix-ugly-referral-attributes.patch
new file mode 100644
index 00000000000..f33fae39d13
--- /dev/null
+++ b/queue-4.4/nfs-fix-ugly-referral-attributes.patch
@@ -0,0 +1,85 @@ +From c05cefcc72416a37eba5a2b35f0704ed758a9145 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sun, 5 Nov 2017 15:45:22 -0500 +Subject: nfs: Fix ugly referral attributes + +From: Chuck Lever + +commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream. + +Before traversing a referral and performing a mount, the mounted-on +directory looks strange: + +dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31 1969 dir.0 + +nfs4_get_referral is wiping out any cached attributes with what was +returned via GETATTR(fs_locations), but the bit mask for that +operation does not request any file attributes. + +Retrieve owner and timestamp information so that the memcpy in +nfs4_get_referral fills in more attributes. + +Changes since v1: +- Don't request attributes that the client unconditionally replaces +- Request only MOUNTED_ON_FILEID or FILEID attribute, not both +- encode_fs_locations() doesn't use the third bitmask word + +Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral") +Suggested-by: Pradeep Thomas +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -242,15 +242,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT + }; + + const u32 nfs4_fs_locations_bitmap[3] = { +- FATTR4_WORD0_TYPE +- | FATTR4_WORD0_CHANGE ++ FATTR4_WORD0_CHANGE + | FATTR4_WORD0_SIZE + | FATTR4_WORD0_FSID + | FATTR4_WORD0_FILEID + | FATTR4_WORD0_FS_LOCATIONS, +- FATTR4_WORD1_MODE +- | FATTR4_WORD1_NUMLINKS +- | FATTR4_WORD1_OWNER ++ FATTR4_WORD1_OWNER + | FATTR4_WORD1_OWNER_GROUP + | FATTR4_WORD1_RAWDEV + | FATTR4_WORD1_SPACE_USED +@@ -6351,9 +6348,7 @@ static int _nfs4_proc_fs_locations(struc + struct page *page) + { + struct nfs_server *server = NFS_SERVER(dir); +- u32 bitmask[3] = { +- [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS, +- }; ++ u32 bitmask[3]; + struct nfs4_fs_locations_arg args 
= { + .dir_fh = NFS_FH(dir), + .name = name, +@@ -6372,12 +6367,15 @@ static int _nfs4_proc_fs_locations(struc + + dprintk("%s: start\n", __func__); + ++ bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS; ++ bitmask[1] = nfs4_fattr_bitmap[1]; ++ + /* Ask for the fileid of the absent filesystem if mounted_on_fileid + * is not supported */ + if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID) +- bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID; ++ bitmask[0] &= ~FATTR4_WORD0_FILEID; + else +- bitmask[0] |= FATTR4_WORD0_FILEID; ++ bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID; + + nfs_fattr_init(&fs_locations->fattr); + fs_locations->server = server; diff --git a/queue-4.4/nfsd-deal-with-revoked-delegations-appropriately.patch b/queue-4.4/nfsd-deal-with-revoked-delegations-appropriately.patch new file mode 100644 index 00000000000..221693d4e04 --- /dev/null +++ b/queue-4.4/nfsd-deal-with-revoked-delegations-appropriately.patch 
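Review bot: `u32 bitmask[3];` is now uninitialised and only words 0 and 1 are assigned, so `bitmask[2]` holds stack garbage when the request is built. The commit message argues that encode_fs_locations() ignores the third word, but that ties a caller's correctness to the encoder's current behaviour; if the encoder ever reads word 2, uninitialised kernel stack bytes end up in the request. `u32 bitmask[3] = { 0 };`, or `bitmask[2] = 0;` beside the two new assignments, removes the dependency for free. The function continues outside the hunk.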
@@ -0,0 +1,84 @@ +From 95da1b3a5aded124dd1bda1e3cdb876184813140 Mon Sep 17 00:00:00 2001 +From: Andrew Elble +Date: Fri, 3 Nov 2017 14:06:31 -0400 +Subject: nfsd: deal with revoked delegations appropriately + +From: Andrew Elble + +commit 95da1b3a5aded124dd1bda1e3cdb876184813140 upstream. + +If a delegation has been revoked by the server, operations using that +delegation should error out with NFS4ERR_DELEG_REVOKED in the >4.1 +case, and NFS4ERR_BAD_STATEID otherwise. + +The server needs NFSv4.1 clients to explicitly free revoked delegations. +If the server returns NFS4ERR_DELEG_REVOKED, the client will do that; +otherwise it may just forget about the delegation and be unable to +recover when it later sees SEQ4_STATUS_RECALLABLE_STATE_REVOKED set on a +SEQUENCE reply. That can cause the Linux 4.1 client to loop in its +stage manager. + +Signed-off-by: Andrew Elble +Reviewed-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3829,7 +3829,8 @@ static struct nfs4_delegation *find_dele + { + struct nfs4_stid *ret; + +- ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID); ++ ret = find_stateid_by_type(cl, s, ++ NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID); + if (!ret) + return NULL; + return delegstateid(ret); +@@ -3852,6 +3853,12 @@ nfs4_check_deleg(struct nfs4_client *cl, + deleg = find_deleg_stateid(cl, &open->op_delegate_stateid); + if (deleg == NULL) + goto out; ++ if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) { ++ nfs4_put_stid(&deleg->dl_stid); ++ if (cl->cl_minorversion) ++ status = nfserr_deleg_revoked; ++ goto out; ++ } + flags = share_access_to_flags(open->op_share_access); + status = nfs4_check_delegmode(deleg, flags); + if (status) { +@@ -4696,6 +4703,16 @@ nfsd4_lookup_stateid(struct nfsd4_compou + struct nfs4_stid **s, struct nfsd_net *nn) + { + 
__be32 status; ++ bool return_revoked = false; ++ ++ /* ++ * only return revoked delegations if explicitly asked. ++ * otherwise we report revoked or bad_stateid status. ++ */ ++ if (typemask & NFS4_REVOKED_DELEG_STID) ++ return_revoked = true; ++ else if (typemask & NFS4_DELEG_STID) ++ typemask |= NFS4_REVOKED_DELEG_STID; + + if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) + return nfserr_bad_stateid; +@@ -4710,6 +4727,12 @@ nfsd4_lookup_stateid(struct nfsd4_compou + *s = find_stateid_by_type(cstate->clp, stateid, typemask); + if (!*s) + return nfserr_bad_stateid; ++ if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) { ++ nfs4_put_stid(*s); ++ if (cstate->minorversion) ++ return nfserr_deleg_revoked; ++ return nfserr_bad_stateid; ++ } + return nfs_ok; + } + diff --git a/queue-4.4/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch b/queue-4.4/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch new file mode 100644 index 00000000000..2ea945f3d38 --- /dev/null +++ b/queue-4.4/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch 
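Review bot: After `nfs4_put_stid(*s);` on the revoked-but-not-requested path in nfsd4_lookup_stateid(), `*s` still holds the released pointer while an error is returned; adding `*s = NULL;` before the return costs nothing and protects any caller that looks at `*s` on failure. nfs4_check_deleg() has the same put but on a local (`deleg`) that is not handed back, so only the out-parameter case needs clearing. Whether any caller reads `*s` after an error is not visible here. Both functions start outside the hunks.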
@@ -0,0 +1,84 @@ +From 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 Mon Sep 17 00:00:00 2001 +From: Andreas Rohner +Date: Fri, 17 Nov 2017 15:29:35 -0800 +Subject: nilfs2: fix race condition that causes file system corruption + +From: Andreas Rohner + +commit 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 upstream. + +There is a race condition between nilfs_dirty_inode() and +nilfs_set_file_dirty(). + +When a file is opened, nilfs_dirty_inode() is called to update the +access timestamp in the inode. It calls __nilfs_mark_inode_dirty() in a +separate transaction. __nilfs_mark_inode_dirty() caches the ifile +buffer_head in the i_bh field of the inode info structure and marks it +as dirty. + +After some data was written to the file in another transaction, the +function nilfs_set_file_dirty() is called, which adds the inode to the +ns_dirty_files list. + +Then the segment construction calls nilfs_segctor_collect_dirty_files(), +which goes through the ns_dirty_files list and checks the i_bh field. +If there is a cached buffer_head in i_bh it is not marked as dirty +again. + +Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate +transactions, it is possible that a segment construction that writes out +the ifile occurs in-between the two. If this happens the inode is not +on the ns_dirty_files list, but its ifile block is still marked as dirty +and written out. + +In the next segment construction, the data for the file is written out +and nilfs_bmap_propagate() updates the b-tree. Eventually the bmap root +is written into the i_bh block, which is not dirty, because it was +written out in another segment construction. + +As a result the bmap update can be lost, which leads to file system +corruption. Either the virtual block address points to an unallocated +DAT block, or the DAT entry will be reused for something different. + +The error can remain undetected for a long time. 
A typical error +message would be one of the "bad btree" errors or a warning that a DAT +entry could not be found. + +This bug can be reproduced reliably by a simple benchmark that creates +and overwrites millions of 4k files. + +Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp +Signed-off-by: Andreas Rohner +Signed-off-by: Ryusuke Konishi +Tested-by: Andreas Rohner +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/segment.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1945,8 +1945,6 @@ static int nilfs_segctor_collect_dirty_f + "failed to get inode block.\n"); + return err; + } +- mark_buffer_dirty(ibh); +- nilfs_mdt_mark_dirty(ifile); + spin_lock(&nilfs->ns_inode_lock); + if (likely(!ii->i_bh)) + ii->i_bh = ibh; +@@ -1955,6 +1953,10 @@ static int nilfs_segctor_collect_dirty_f + goto retry; + } + ++ // Always redirty the buffer to avoid race condition ++ mark_buffer_dirty(ii->i_bh); ++ nilfs_mdt_mark_dirty(ifile); ++ + clear_bit(NILFS_I_QUEUED, &ii->i_state); + set_bit(NILFS_I_BUSY, &ii->i_state); + list_move_tail(&ii->i_dirty, &sci->sc_dirty_files); diff --git a/queue-4.4/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch b/queue-4.4/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch new file mode 100644 index 00000000000..f58da39158e --- /dev/null +++ b/queue-4.4/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch 
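Review bot: The new comment uses a C99 `//` line comment, which checkpatch warns about and which does not match the `/* */` style of the surrounding code; `/* Always redirty the buffer to avoid race condition */` is the expected form. It would also be more useful if it named the race rather than asserting one: per the commit message, `ii->i_bh` may already have been written out by an earlier segment construction, so redirtying the cached buffer unconditionally (not just the freshly read `ibh`) is what keeps the later bmap update from being lost; a two-line `/* */` comment to that effect would preserve the reasoning in the code. The enclosing function starts and ends outside the hunk.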
@@ -0,0 +1,37 @@
+From 3f2a162fab15aee243178b5308bb5d1206fc4043 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 6 Nov 2017 14:55:35 +0100
+Subject: rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
+
+From: Arnd Bergmann
+
+commit 3f2a162fab15aee243178b5308bb5d1206fc4043 upstream.
+
+We set rtlhal->last_suspend_sec to an uninitialized stack variable,
+but unfortunately gcc never warned about this, I only found it
+while working on another patch. I opened a gcc bug for this.
+
+Presumably the value of rtlhal->last_suspend_sec is not all that
+important, but it does get used, so we probably want the
+patch backported to stable kernels.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82839
+Signed-off-by: Arnd Bergmann
+Acked-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1377,6 +1377,7 @@ static void _rtl8821ae_get_wakeup_reason
+
+ ppsc->wakeup_reason = 0;
+
++ do_gettimeofday(&ts);
+ rtlhal->last_suspend_sec = ts.tv_sec;
+
+ switch (fw_reason) {
diff --git a/queue-4.4/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch b/queue-4.4/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
new file mode 100644
index 00000000000..0495fa6427e
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
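Review bot: `do_gettimeofday()` fills a `struct timeval` whose `tv_sec` is a 32-bit `long` on 32-bit targets, so `rtlhal->last_suspend_sec` inherits the 2038 limit; following the surrounding 4.4 driver code is reasonable for a stable backport, but if `ktime_get_real_seconds()` is available in this tree it is the simpler replacement (`rtlhal->last_suspend_sec = ktime_get_real_seconds();`, dropping `ts`). The declaration of `ts` and any other use of it are outside the hunk, so whether the timeval is still needed elsewhere in the function is not visible here.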
@@ -0,0 +1,47 @@
+From 519ce2f933fa14acf69d5c8cabcc18711943d629 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Thu, 14 Sep 2017 13:17:44 -0500
+Subject: rtlwifi: rtl8192ee: Fix memory leak when loading firmware
+
+From: Larry Finger
+
+commit 519ce2f933fa14acf69d5c8cabcc18711943d629 upstream.
+
+In routine rtl92ee_set_fw_rsvdpagepkt(), the driver allocates an skb, but
+never calls rtl_cmd_send_packet(), which will free the buffer. All other
+rtlwifi drivers perform this operation correctly.
+
+This problem has been in the driver since it was included in the kernel.
+Fortunately, each firmware load only leaks 4 buffers, which likely
+explains why it has not previously been detected.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+@@ -664,7 +664,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+ struct sk_buff *skb = NULL;
+-
++ bool rtstatus;
+ u32 totalpacketlen;
+ u8 u1rsvdpageloc[5] = { 0 };
+ bool b_dlok = false;
+@@ -727,7 +727,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+ memcpy((u8 *)skb_put(skb, totalpacketlen),
+ &reserved_page_packet, totalpacketlen);
+
+- b_dlok = true;
++ rtstatus = rtl_cmd_send_packet(hw, skb);
++ if (rtstatus)
++ b_dlok = true;
+
+ if (b_dlok) {
+ RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD ,
diff --git a/queue-4.4/series b/queue-4.4/series
index 2fb0fe7ce93..176183466c6 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
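Review bot: `rtstatus` exists only to feed `if (rtstatus) b_dlok = true;`, and `b_dlok` is already initialised to `false`, so `b_dlok = rtl_cmd_send_packet(hw, skb);` expresses the same in one line without the extra `bool`. Since the commit message states that rtl_cmd_send_packet() frees the skb, a comment at the call site would keep later changes from touching `skb` afterwards: `/* skb is owned by rtl_cmd_send_packet() from here on */`; whether it also frees on its failure path is not visible here and should be confirmed. The function body continues between and after the hunks.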
@@ -14,3 +14,30 @@ mips-ralink-fix-mt7628-pinmux.patch
 mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
 alsa-hda-add-raven-pci-id.patch
 dm-bufio-fix-integer-overflow-when-limiting-maximum-cache-size.patch
+dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
+mips-fix-an-n32-core-file-generation-regset-support-regression.patch
+mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
+autofs-don-t-fail-mount-for-transient-error.patch
+nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
+ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
+bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+isofs-fix-timestamps-beyond-2027.patch
+nfs-fix-typo-in-nomigration-mount-option.patch
+nfs-fix-ugly-referral-attributes.patch
+nfsd-deal-with-revoked-delegations-appropriately.patch
+rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
+rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
+ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
+ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
+alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
+alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
+alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
+alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
+alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
+alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
+alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
+fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
+fs-9p-compare-qid.path-in-v9fs_test_inode.patch
+iscsi-target-fix-non-immediate-tmr-reference-leak.patch
+target-fix-queue_full-scsi-task-attribute-handling.patch
diff --git a/queue-4.4/target-fix-queue_full-scsi-task-attribute-handling.patch b/queue-4.4/target-fix-queue_full-scsi-task-attribute-handling.patch
new file mode 100644
index 00000000000..fff827a4337
--- /dev/null
+++ b/queue-4.4/target-fix-queue_full-scsi-task-attribute-handling.patch
@@ -0,0 +1,57 @@
+From 1c79df1f349fb6050016cea4ef1dfbc3853a5685 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 22 Sep 2017 16:48:28 -0700
+Subject: target: Fix QUEUE_FULL + SCSI task attribute handling
+
+From: Nicholas Bellinger
+
+commit 1c79df1f349fb6050016cea4ef1dfbc3853a5685 upstream.
+
+This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
+calls transport_complete_task_attr() after it's already been invoked
+by target_complete_ok_work() or transport_generic_request_failure()
+during initial completion, preceeding QUEUE_FULL.
+
+This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
+and/or se_device->dev_ordered_sync being updated multiple times for
+a single se_cmd.
+
+To address this bug, clear SCF_TASK_ATTR_SET after the first call
+to transport_complete_task_attr(), and avoid updating SCSI task
+attribute related counters for any subsequent calls.
+
+Also, when a se_cmd is deferred due to ordered tags and executed
+via target_restart_delayed_cmds(), set CMD_T_SENT before execution
+matching what target_execute_cmd() does.
+
+Cc: Michael Cyr
+Cc: Bryant G. Ly
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1970,6 +1970,8 @@ static void target_restart_delayed_cmds(
+ list_del(&cmd->se_delayed_node);
+ spin_unlock(&dev->delayed_cmd_lock);
+
++ cmd->transport_state |= CMD_T_SENT;
++
+ __target_execute_cmd(cmd, true);
+
+ if (cmd->sam_task_attr == TCM_ORDERED_TAG)
+@@ -2007,6 +2009,8 @@ static void transport_complete_task_attr
+ pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
+ dev->dev_cur_ordered_id);
+ }
++ cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;
++
+ restart:
+ target_restart_delayed_cmds(dev);
+ }
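Review bot: `cmd->transport_state |= CMD_T_SENT;` is a read-modify-write performed after `delayed_cmd_lock` has been dropped and without taking `cmd->t_state_lock`, whereas target_execute_cmd(), which the commit message names as the model, sets this flag under `t_state_lock` as far as I recall; confirm in this tree. If nothing else can touch `transport_state` while the command is being taken off the delayed list, a comment saying so should sit on the new line; otherwise the store belongs under `spin_lock_irq(&cmd->t_state_lock)`. The `cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;` clear relies on the counter updates above it running once per command; a short comment there (`/* counters above are per-cmd; later calls must skip them */`) would keep that reasoning with the code. Both functions start outside the hunks.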