From: Greg Kroah-Hartman Date: Thu, 5 Oct 2017 09:02:30 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.74~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de0e9095abbfea09f59bba7371eb0a47f500cc9f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch audit-log-32-bit-socketcalls.patch drm-bridge-add-dt-bindings-for-ti-ths8135.patch exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch ib-ipoib-fix-deadlock-over-vlan_mutex.patch ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch libata-transport-remove-circular-dependency-at-free-time.patch md-raid10-submit-bio-directly-to-replacement-disk.patch mips-ensure-bss-section-ends-on-a-long-aligned-address.patch mips-kexec-do-not-reserve-invalid-crashkernel-memory-on-boot.patch mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch parisc-perf-fix-potential-null-pointer-dereference.patch partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch rds-ib-add-error-handle.patch rds-rdma-fix-the-composite-message-user-notification.patch sh_eth-use-correct-name-for-ecmr_mpde-bit.patch team-fix-memory-leaks.patch tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch usb-plusb-add-support-for-pl-27a1.patch usb-serial-mos7720-fix-control-message-error-handling.patch usb-serial-mos7840-fix-control-message-error-handling.patch xfs-remove-kmem_zalloc_greedy.patch --- 
diff --git a/queue-3.18/arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch b/queue-3.18/arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch new file mode 100644 index 00000000000..0e330931834 --- /dev/null +++ b/queue-3.18/arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Afzal Mohammed +Date: Sat, 7 Jan 2017 17:48:10 +0100 +Subject: ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM + +From: Afzal Mohammed + + +[ Upstream commit 8a792e9afbce84a0fdaf213fe42bb97382487094 ] + +REMAP_VECTORS_TO_RAM depends on DRAM_BASE, but since DRAM_BASE is a +hex, REMAP_VECTORS_TO_RAM could never get enabled. Also depending on +DRAM_BASE is redundant as whenever REMAP_VECTORS_TO_RAM makes itself +available to Kconfig, DRAM_BASE also is available as the Kconfig +gets sourced on !MMU. + +Signed-off-by: Afzal Mohammed +Reviewed-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/Kconfig-nommu | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/Kconfig-nommu ++++ b/arch/arm/Kconfig-nommu +@@ -34,8 +34,7 @@ config PROCESSOR_ID + used instead of the auto-probing which utilizes the register. + + config REMAP_VECTORS_TO_RAM +- bool 'Install vectors to the beginning of RAM' if DRAM_BASE +- depends on DRAM_BASE ++ bool 'Install vectors to the beginning of RAM' + help + The kernel needs to change the hardware exception vectors. + In nommu mode, the hardware exception vectors are normally diff --git a/queue-3.18/audit-log-32-bit-socketcalls.patch b/queue-3.18/audit-log-32-bit-socketcalls.patch new file mode 100644 index 00000000000..ef7678ee578 --- /dev/null +++ b/queue-3.18/audit-log-32-bit-socketcalls.patch 
@@ -0,0 +1,101 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Richard Guy Briggs +Date: Tue, 17 Jan 2017 11:07:15 -0500 +Subject: audit: log 32-bit socketcalls + +From: Richard Guy Briggs + + +[ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ] + +32-bit socketcalls were not being logged by audit on x86_64 systems. +Log them. This is basically a duplicate of the call from +net/socket.c:sys_socketcall(), but it addresses the impedance mismatch +between 32-bit userspace process and 64-bit kernel audit. + +See: https://github.com/linux-audit/audit-kernel/issues/14 + +Signed-off-by: Richard Guy Briggs +Acked-by: David S. Miller +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/audit.h | 20 ++++++++++++++++++++ + net/compat.c | 17 ++++++++++++++--- + 2 files changed, 34 insertions(+), 3 deletions(-) + +--- a/include/linux/audit.h ++++ b/include/linux/audit.h +@@ -273,6 +273,20 @@ static inline int audit_socketcall(int n + return __audit_socketcall(nargs, args); + return 0; + } ++ ++static inline int audit_socketcall_compat(int nargs, u32 *args) ++{ ++ unsigned long a[AUDITSC_ARGS]; ++ int i; ++ ++ if (audit_dummy_context()) ++ return 0; ++ ++ for (i = 0; i < nargs; i++) ++ a[i] = (unsigned long)args[i]; ++ return __audit_socketcall(nargs, a); ++} ++ + static inline int audit_sockaddr(int len, void *addr) + { + if (unlikely(!audit_dummy_context())) +@@ -398,6 +412,12 @@ static inline int audit_socketcall(int n + { + return 0; + } ++ ++static inline int audit_socketcall_compat(int nargs, u32 *args) ++{ ++ return 0; ++} ++ + static inline void audit_fd_pair(int fd1, int fd2) + { } + static inline int audit_sockaddr(int len, void *addr) +--- a/net/compat.c ++++ b/net/compat.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -796,14 +797,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd + + COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) + { +- 
int ret; +- u32 a[6]; ++ u32 a[AUDITSC_ARGS]; ++ unsigned int len; + u32 a0, a1; ++ int ret; + + if (call < SYS_SOCKET || call > SYS_SENDMMSG) + return -EINVAL; +- if (copy_from_user(a, args, nas[call])) ++ len = nas[call]; ++ if (len > sizeof(a)) ++ return -EINVAL; ++ ++ if (copy_from_user(a, args, len)) + return -EFAULT; ++ ++ ret = audit_socketcall_compat(len / sizeof(a[0]), a); ++ if (ret) ++ return ret; ++ + a0 = a[0]; + a1 = a[1]; + diff --git a/queue-3.18/drm-bridge-add-dt-bindings-for-ti-ths8135.patch b/queue-3.18/drm-bridge-add-dt-bindings-for-ti-ths8135.patch new file mode 100644 index 00000000000..b3e617801ee --- /dev/null +++ b/queue-3.18/drm-bridge-add-dt-bindings-for-ti-ths8135.patch 
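Review bot: `audit_socketcall_compat()` in include/linux/audit.h fills the on-stack `a[AUDITSC_ARGS]` in a loop bounded only by the caller-supplied `nargs`, so an oversized count would write past the array before `__audit_socketcall()` is reached. The one caller shown, the compat `socketcall` in net/compat.c, rejects `len > sizeof(a)` first, but the helper is a header inline that other code can call with its own count. A guard placed after the `audit_dummy_context()` test, `if (nargs > AUDITSC_ARGS) return -EINVAL;`, would keep the bound next to the copy it protects. Whether `__audit_socketcall()` applies the same limit cannot be seen from this patch.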
@@ -0,0 +1,73 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Bartosz Golaszewski +Date: Tue, 13 Dec 2016 11:09:16 +0100 +Subject: drm: bridge: add DT bindings for TI ths8135 + +From: Bartosz Golaszewski + + +[ Upstream commit 2e644be30fcc08c736f66b60f4898d274d4873ab ] + +THS8135 is a configurable video DAC. Add DT bindings for this chip. + +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Laurent Pinchart +Acked-by: Rob Herring +Signed-off-by: Archit Taneja +Link: http://patchwork.freedesktop.org/patch/msgid/1481623759-12786-3-git-send-email-bgolaszewski@baylibre.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt | 46 ++++++++++ + 1 file changed, 46 insertions(+) + create mode 100644 Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt + +--- /dev/null ++++ b/Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt +@@ -0,0 +1,46 @@ ++THS8135 Video DAC ++----------------- ++ ++This is the binding for Texas Instruments THS8135 Video DAC bridge. ++ ++Required properties: ++ ++- compatible: Must be "ti,ths8135" ++ ++Required nodes: ++ ++This device has two video ports. Their connections are modelled using the OF ++graph bindings specified in Documentation/devicetree/bindings/graph.txt. ++ ++- Video port 0 for RGB input ++- Video port 1 for VGA output ++ ++Example ++------- ++ ++vga-bridge { ++ compatible = "ti,ths8135"; ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ ports { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ port@0 { ++ reg = <0>; ++ ++ vga_bridge_in: endpoint { ++ remote-endpoint = <&lcdc_out_vga>; ++ }; ++ }; ++ ++ port@1 { ++ reg = <1>; ++ ++ vga_bridge_out: endpoint { ++ remote-endpoint = <&vga_con_in>; ++ }; ++ }; ++ }; ++}; diff --git a/queue-3.18/exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch b/queue-3.18/exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch new file mode 100644 index 00000000000..ba1e9b16654 
--- /dev/null +++ b/queue-3.18/exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Thibault Saunier +Date: Wed, 1 Feb 2017 18:05:21 -0200 +Subject: [media] exynos-gsc: Do not swap cb/cr for semi planar formats + +From: Thibault Saunier + + +[ Upstream commit d7f3e33df4fbdc9855fb151f4a328ec46447e3ba ] + +In the case of semi planar formats cb and cr are in the same plane +in memory, meaning that will be set to 'cb' whatever the format is, +and whatever the (packed) order of those components are. + +Suggested-by: Nicolas Dufresne +Signed-off-by: Thibault Saunier +Signed-off-by: Javier Martinez Canillas +Acked-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/exynos-gsc/gsc-core.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/media/platform/exynos-gsc/gsc-core.c ++++ b/drivers/media/platform/exynos-gsc/gsc-core.c +@@ -846,9 +846,7 @@ int gsc_prepare_addr(struct gsc_ctx *ctx + + if ((frame->fmt->pixelformat == V4L2_PIX_FMT_VYUY) || + (frame->fmt->pixelformat == V4L2_PIX_FMT_YVYU) || +- (frame->fmt->pixelformat == V4L2_PIX_FMT_NV61) || + (frame->fmt->pixelformat == V4L2_PIX_FMT_YVU420) || +- (frame->fmt->pixelformat == V4L2_PIX_FMT_NV21) || + (frame->fmt->pixelformat == V4L2_PIX_FMT_YVU420M)) + swap(addr->cb, addr->cr); + diff --git a/queue-3.18/hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch b/queue-3.18/hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch new file mode 100644 index 00000000000..0ebeba9dd0b --- /dev/null +++ b/queue-3.18/hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch 
@@ -0,0 +1,72 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Guenter Roeck +Date: Tue, 27 Dec 2016 14:15:07 -0800 +Subject: hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes + +From: Guenter Roeck + + +[ Upstream commit 87cdfa9d60f4f40e6d71b04b10b36d9df3c89282 ] + +Writes into limit attributes can overflow due to multplications and +additions with unbound input values. Writing into fan limit attributes +can result in a crash with a division by zero if very large values are +written and the fan divider is larger than 1. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/gl520sm.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/hwmon/gl520sm.c ++++ b/drivers/hwmon/gl520sm.c +@@ -208,11 +208,13 @@ static ssize_t get_cpu_vid(struct device + } + static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL); + +-#define VDD_FROM_REG(val) (((val) * 95 + 2) / 4) +-#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255) +- +-#define IN_FROM_REG(val) ((val) * 19) +-#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255) ++#define VDD_FROM_REG(val) DIV_ROUND_CLOSEST((val) * 95, 4) ++#define VDD_CLAMP(val) clamp_val(val, 0, 255 * 95 / 4) ++#define VDD_TO_REG(val) DIV_ROUND_CLOSEST(VDD_CLAMP(val) * 4, 95) ++ ++#define IN_FROM_REG(val) ((val) * 19) ++#define IN_CLAMP(val) clamp_val(val, 0, 255 * 19) ++#define IN_TO_REG(val) DIV_ROUND_CLOSEST(IN_CLAMP(val), 19) + + static ssize_t get_in_input(struct device *dev, struct device_attribute *attr, + char *buf) +@@ -349,8 +351,13 @@ static SENSOR_DEVICE_ATTR(in4_max, S_IRU + + #define DIV_FROM_REG(val) (1 << (val)) + #define FAN_FROM_REG(val, div) ((val) == 0 ? 0 : (480000 / ((val) << (div)))) +-#define FAN_TO_REG(val, div) ((val) <= 0 ? 
0 : \ +- clamp_val((480000 + ((val) << ((div)-1))) / ((val) << (div)), 1, 255)) ++ ++#define FAN_BASE(div) (480000 >> (div)) ++#define FAN_CLAMP(val, div) clamp_val(val, FAN_BASE(div) / 255, \ ++ FAN_BASE(div)) ++#define FAN_TO_REG(val, div) ((val) == 0 ? 0 : \ ++ DIV_ROUND_CLOSEST(480000, \ ++ FAN_CLAMP(val, div) << (div))) + + static ssize_t get_fan_input(struct device *dev, struct device_attribute *attr, + char *buf) +@@ -513,9 +520,9 @@ static SENSOR_DEVICE_ATTR(fan2_div, S_IR + static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR, + get_fan_off, set_fan_off); + +-#define TEMP_FROM_REG(val) (((val) - 130) * 1000) +-#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \ +- (val) - 500 : (val) + 500) / 1000) + 130), 0, 255) ++#define TEMP_FROM_REG(val) (((val) - 130) * 1000) ++#define TEMP_CLAMP(val) clamp_val(val, -130000, 125000) ++#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(TEMP_CLAMP(val), 1000) + 130) + + static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr, + char *buf) diff --git a/queue-3.18/ib-ipoib-fix-deadlock-over-vlan_mutex.patch b/queue-3.18/ib-ipoib-fix-deadlock-over-vlan_mutex.patch new file mode 100644 index 00000000000..0f2fb95841b --- /dev/null +++ b/queue-3.18/ib-ipoib-fix-deadlock-over-vlan_mutex.patch 
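Review bot: In the new `FAN_TO_REG` the zero test changed from `(val) <= 0` to `(val) == 0`, so a negative `val` no longer maps to register 0 but is clamped up to `FAN_BASE(div) / 255` and comes out as 255. That is harmless only if every caller parses the sysfs input as an unsigned value; the callers are outside these hunks, so it should be confirmed. The clamp-before-scale ordering is what removes the overflow and the division by zero, yet nothing in the macros records it. A comment above `VDD_CLAMP`, `IN_CLAMP`, `FAN_CLAMP` and `TEMP_CLAMP`, such as `/* clamp first: val comes from sysfs and is unbounded */`, would keep a later edit from reordering the steps.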
@@ -0,0 +1,57 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Feras Daoud +Date: Wed, 28 Dec 2016 14:47:22 +0200 +Subject: IB/ipoib: Fix deadlock over vlan_mutex + +From: Feras Daoud + + +[ Upstream commit 1c3098cdb05207e740715857df7b0998e372f527 ] + +This patch fixes Deadlock while executing ipoib_vlan_delete. + +The function takes the vlan_rwsem semaphore and calls +unregister_netdevice. The later function calls +ipoib_mcast_stop_thread that cause workqueue flush. + +When the queue has one of the ipoib_ib_dev_flush_xxx events, +a deadlock occur because these events also tries to catch the +same vlan_rwsem semaphore. + +To fix, unregister_netdevice should be called after releasing +the semaphore. + +Fixes: cbbe1efa4972 ("IPoIB: Fix deadlock between ipoib_open() and child interface create") +Signed-off-by: Feras Daoud +Signed-off-by: Erez Shitrit +Reviewed-by: Alex Vesker +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -187,7 +187,6 @@ int ipoib_vlan_delete(struct net_device + list_for_each_entry_safe(priv, tpriv, &ppriv->child_intfs, list) { + if (priv->pkey == pkey && + priv->child_type == IPOIB_LEGACY_CHILD) { +- unregister_netdevice(priv->dev); + list_del(&priv->list); + dev = priv->dev; + break; +@@ -195,6 +194,11 @@ int ipoib_vlan_delete(struct net_device + } + up_write(&ppriv->vlan_rwsem); + ++ if (dev) { ++ ipoib_dbg(ppriv, "delete child vlan %s\n", dev->name); ++ unregister_netdevice(dev); ++ } ++ + rtnl_unlock(); + + if (dev) { diff --git a/queue-3.18/ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch b/queue-3.18/ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch new file mode 100644 index 00000000000..4749d09b361 --- /dev/null 
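Review bot: The reason `unregister_netdevice()` moved below `up_write(&ppriv->vlan_rwsem)` is a lock-ordering constraint that exists only in the commit message, and the function now tests `dev` twice, once on each side of `rtnl_unlock()`, which reads as an accident without that context. A comment on the new block, for example `/* must run without vlan_rwsem: the flush work it waits for takes vlan_rwsem too */`, would stop the call from being moved back under the semaphore. The new block also relies on `dev` being NULL when no child matches `pkey`; its initialisation is outside the hunk, although the pre-existing `if (dev)` after `rtnl_unlock()` suggests it is already handled. The body of `ipoib_vlan_delete()` continues beyond the hunk.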
+++ b/queue-3.18/ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch 
@@ -0,0 +1,68 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Feras Daoud +Date: Wed, 28 Dec 2016 14:47:27 +0200 +Subject: IB/ipoib: Replace list_del of the neigh->list with list_del_init + +From: Feras Daoud + + +[ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ] + +In order to resolve a situation where a few process delete +the same list element in sequence and cause panic, list_del +is replaced with list_del_init. In this case if the first +process that calls list_del releases the lock before acquiring +it again, other processes who can acquire the lock will call +list_del_init. + +Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup") +Signed-off-by: Feras Daoud +Signed-off-by: Erez Shitrit +Reviewed-by: Alex Vesker +Signed-off-by: Leon Romanovsky +Reviewed-by: Yuval Shaia +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -958,7 +958,7 @@ static void __ipoib_reap_neigh(struct ip + rcu_dereference_protected(neigh->hnext, + lockdep_is_held(&priv->lock))); + /* remove from path/mc list */ +- list_del(&neigh->list); ++ list_del_init(&neigh->list); + call_rcu(&neigh->rcu, ipoib_neigh_reclaim); + } else { + np = &neigh->hnext; +@@ -1121,7 +1121,7 @@ void ipoib_neigh_free(struct ipoib_neigh + rcu_dereference_protected(neigh->hnext, + lockdep_is_held(&priv->lock))); + /* remove from parent list */ +- list_del(&neigh->list); ++ list_del_init(&neigh->list); + call_rcu(&neigh->rcu, ipoib_neigh_reclaim); + return; + } else { +@@ -1206,7 +1206,7 @@ void ipoib_del_neighs_by_gid(struct net_ + rcu_dereference_protected(neigh->hnext, + lockdep_is_held(&priv->lock))); + /* remove from parent list */ +- list_del(&neigh->list); ++ list_del_init(&neigh->list); + call_rcu(&neigh->rcu, 
ipoib_neigh_reclaim); + } else { + np = &neigh->hnext; +@@ -1248,7 +1248,7 @@ static void ipoib_flush_neighs(struct ip + rcu_dereference_protected(neigh->hnext, + lockdep_is_held(&priv->lock))); + /* remove from path/mc list */ +- list_del(&neigh->list); ++ list_del_init(&neigh->list); + call_rcu(&neigh->rcu, ipoib_neigh_reclaim); + } + } diff --git a/queue-3.18/ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch b/queue-3.18/ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch new file mode 100644 index 00000000000..c5246ce793a --- /dev/null +++ b/queue-3.18/ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch 
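Review bot: Switching these four sites to `list_del_init(&neigh->list)` makes a repeated removal safe only when the removal that ran first also left the node self-linked. If another path outside these hunks still uses plain `list_del()` on `neigh->list` and runs first, the `list_del_init()` here follows the poisoned `prev`/`next` pointers and faults as before, so every remaining `list_del(&neigh->list)` in the driver should be checked and converted as well. Each site also still queues `call_rcu(&neigh->rcu, ipoib_neigh_reclaim)`; the change does not prevent that from being queued twice for one neigh, and appears to rely on the hash unlink under `priv->lock` to make each entry reachable once. All four functions extend beyond their hunks.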
@@ -0,0 +1,47 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Feras Daoud +Date: Wed, 28 Dec 2016 14:47:24 +0200 +Subject: IB/ipoib: rtnl_unlock can not come after free_netdev + +From: Feras Daoud + + +[ Upstream commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 ] + +The ipoib_vlan_add function calls rtnl_unlock after free_netdev, +rtnl_unlock not only releases the lock, but also calls netdev_run_todo. +The latter function browses the net_todo_list array and completes the +unregistration of all its net_device instances. If we call free_netdev +before rtnl_unlock, then netdev_run_todo call over the freed device causes +panic. +To fix, move rtnl_unlock call before free_netdev call. + +Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") +Cc: Or Gerlitz +Signed-off-by: Feras Daoud +Signed-off-by: Erez Shitrit +Reviewed-by: Yuval Shaia +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -162,11 +162,11 @@ int ipoib_vlan_add(struct net_device *pd + out: + up_write(&ppriv->vlan_rwsem); + ++ rtnl_unlock(); ++ + if (result) + free_netdev(priv->dev); + +- rtnl_unlock(); +- + return result; + } + diff --git a/queue-3.18/libata-transport-remove-circular-dependency-at-free-time.patch b/queue-3.18/libata-transport-remove-circular-dependency-at-free-time.patch new file mode 100644 index 00000000000..95aa565b35e --- /dev/null +++ b/queue-3.18/libata-transport-remove-circular-dependency-at-free-time.patch 
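Review bot: Nothing at the `out:` label in `ipoib_vlan_add()` records that `rtnl_unlock()` has to precede `free_netdev(priv->dev)`, and the two calls look freely reorderable to anyone tidying the error path. Since swapping them back reintroduces a use of the freed device from `netdev_run_todo()`, a comment above `rtnl_unlock()` such as `/* rtnl_unlock() runs netdev_run_todo(); the netdev must still exist here */` is worth adding. The start of the function is outside the hunk, so the state of `priv` on every path that reaches `out:` with a non-zero `result` could not be checked.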
@@ -0,0 +1,89 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Gwendal Grignou +Date: Fri, 3 Mar 2017 09:00:09 -0800 +Subject: libata: transport: Remove circular dependency at free time + +From: Gwendal Grignou + + +[ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ] + +Without this patch, failed probe would not free resources like irq. + +ata port tdev object currently hold a reference to the ata port +object. Therefore the ata port object release function will not get +called until the ata_tport_release is called. But that would never +happen, releasing the last reference of ata port dev is done by +scsi_host_release, which is called by ata_host_release when the ata +port object is released. + +The ata device objects actually do not need to explicitly hold a +reference to their real counterpart, given the transport objects are +the children of these objects and device_add() is call for each child. +We know the parent will not be deleted until we call the child's +device_del(). 
+ +Reported-by: Matthew Whitehead +Tested-by: Matthew Whitehead +Suggested-by: Tejun Heo +Signed-off-by: Gwendal Grignou +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-transport.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/ata/libata-transport.c ++++ b/drivers/ata/libata-transport.c +@@ -223,7 +223,6 @@ static DECLARE_TRANSPORT_CLASS(ata_port_ + + static void ata_tport_release(struct device *dev) + { +- put_device(dev->parent); + } + + /** +@@ -283,7 +282,7 @@ int ata_tport_add(struct device *parent, + device_initialize(dev); + dev->type = &ata_port_type; + +- dev->parent = get_device(parent); ++ dev->parent = parent; + dev->release = ata_tport_release; + dev_set_name(dev, "ata%d", ap->print_id); + transport_setup_device(dev); +@@ -347,7 +346,6 @@ static DECLARE_TRANSPORT_CLASS(ata_link_ + + static void ata_tlink_release(struct device *dev) + { +- put_device(dev->parent); + } + + /** +@@ -409,7 +407,7 @@ int ata_tlink_add(struct ata_link *link) + int error; + + device_initialize(dev); +- dev->parent = get_device(&ap->tdev); ++ dev->parent = &ap->tdev; + dev->release = ata_tlink_release; + if (ata_is_host_link(link)) + dev_set_name(dev, "link%d", ap->print_id); +@@ -587,7 +585,6 @@ static DECLARE_TRANSPORT_CLASS(ata_dev_c + + static void ata_tdev_release(struct device *dev) + { +- put_device(dev->parent); + } + + /** +@@ -660,7 +657,7 @@ static int ata_tdev_add(struct ata_devic + int error; + + device_initialize(dev); +- dev->parent = get_device(&link->tdev); ++ dev->parent = &link->tdev; + dev->release = ata_tdev_release; + if (ata_is_host_link(link)) + dev_set_name(dev, "dev%d.%d", ap->print_id,ata_dev->devno); diff --git a/queue-3.18/md-raid10-submit-bio-directly-to-replacement-disk.patch b/queue-3.18/md-raid10-submit-bio-directly-to-replacement-disk.patch new file mode 100644 index 00000000000..62c03381f43 --- /dev/null 
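Review bot: `ata_tport_release()`, `ata_tlink_release()` and `ata_tdev_release()` are now empty and `dev->parent` is stored without `get_device()`, so the parent's lifetime is guaranteed only by the ordering the description relies on: the child's `device_del()` happens before the parent can be released. That invariant is not written anywhere in the code, and an empty release callback usually reads as a bug. Suggest a comment in each callback, e.g. `/* nothing to drop: the parent reference is held by device_add() until device_del() */`. Any code that dereferences `dev->parent` after the child's `device_del()` would now touch freed memory, which should be checked in the delete functions outside these hunks.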
+++ b/queue-3.18/md-raid10-submit-bio-directly-to-replacement-disk.patch @@ -0,0 +1,52 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Shaohua Li +Date: Thu, 23 Feb 2017 12:26:41 -0800 +Subject: md/raid10: submit bio directly to replacement disk + +From: Shaohua Li + + +[ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ] + +Commit 57c67df(md/raid10: submit IO from originating thread instead of +md thread) submits bio directly for normal disks but not for replacement +disks. There is no point we shouldn't do this for replacement disks. + +Cc: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1514,11 +1514,24 @@ retry_write: + mbio->bi_private = r10_bio; + + atomic_inc(&r10_bio->remaining); ++ ++ cb = blk_check_plugged(raid10_unplug, mddev, ++ sizeof(*plug)); ++ if (cb) ++ plug = container_of(cb, struct raid10_plug_cb, ++ cb); ++ else ++ plug = NULL; + spin_lock_irqsave(&conf->device_lock, flags); +- bio_list_add(&conf->pending_bio_list, mbio); +- conf->pending_count++; ++ if (plug) { ++ bio_list_add(&plug->pending, mbio); ++ plug->pending_cnt++; ++ } else { ++ bio_list_add(&conf->pending_bio_list, mbio); ++ conf->pending_count++; ++ } + spin_unlock_irqrestore(&conf->device_lock, flags); +- if (!mddev_check_plugged(mddev)) ++ if (!plug) + md_wakeup_thread(mddev->thread); + } + } diff --git a/queue-3.18/mips-ensure-bss-section-ends-on-a-long-aligned-address.patch b/queue-3.18/mips-ensure-bss-section-ends-on-a-long-aligned-address.patch new file mode 100644 index 00000000000..15e13dc7970 --- /dev/null +++ b/queue-3.18/mips-ensure-bss-section-ends-on-a-long-aligned-address.patch 
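Review bot: The replacement-disk path now carries its own copy of the plug-or-pending-list sequence (`blk_check_plugged()`, `container_of()`, the locked `bio_list_add()` and the conditional `md_wakeup_thread()`), which according to the description already exists for normal disks in the same function. Two copies of a sequence that updates `plug->pending_cnt` or `conf->pending_count` under `conf->device_lock` are easy to let drift apart. A small static helper taking `mddev`, `conf` and `mbio` would keep both paths identical. `cb` and `plug` are declared outside the hunk, and the hunk sits in the middle of the write loop.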
@@ -0,0 +1,50 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Paul Burton +Date: Mon, 7 Nov 2016 11:52:19 +0000 +Subject: MIPS: Ensure bss section ends on a long-aligned address + +From: Paul Burton + + +[ Upstream commit 3f00f4d8f083bc61005d0a1ef592b149f5c88bbd ] + +When clearing the .bss section in kernel_entry we do so using LONG_S +instructions, and branch whilst the current write address doesn't equal +the end of the .bss section minus the size of a long integer. The .bss +section always begins at a long-aligned address and we always increment +the write pointer by the size of a long integer - we therefore rely upon +the .bss section ending at a long-aligned address. If this is not the +case then the long-aligned write address can never be equal to the +non-long-aligned end address & we will continue to increment past the +end of the .bss section, attempting to zero the rest of memory. + +Despite this requirement that .bss end at a long-aligned address we pass +0 as the end alignment requirement to the BSS_SECTION macro and thus +don't guarantee any particular alignment, allowing us to hit the error +condition described above. + +Fix this by instead passing 8 bytes as the end alignment argument to +the BSS_SECTION macro, ensuring that the end of the .bss section is +always at least long-aligned. + +Signed-off-by: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14526/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/kernel/vmlinux.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/vmlinux.lds.S ++++ b/arch/mips/kernel/vmlinux.lds.S +@@ -141,7 +141,7 @@ SECTIONS + * Force .bss to 64K alignment so that .bss..swapper_pg_dir + * gets that alignment. .sbss should be empty, so there will be + * no holes after __init_end. */ +- BSS_SECTION(0, 0x10000, 0) ++ BSS_SECTION(0, 0x10000, 8) + + _end = . ; + 
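Review bot: The comment above `BSS_SECTION(0, 0x10000, 8)` still explains only the 64K start alignment, while the new end alignment is what stops the `kernel_entry` clear loop from running past `.bss`. Suggest extending the comment with a sentence such as `The end is aligned to 8 bytes because kernel_entry clears .bss with long-sized stores and compares for equality with the end address.` A symbol tied to the store width would be clearer than the literal 8, if one is available to the linker script.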
diff --git a/queue-3.18/mips-kexec-do-not-reserve-invalid-crashkernel-memory-on-boot.patch b/queue-3.18/mips-kexec-do-not-reserve-invalid-crashkernel-memory-on-boot.patch new file mode 100644 index 00000000000..972ae0b448d --- /dev/null +++ b/queue-3.18/mips-kexec-do-not-reserve-invalid-crashkernel-memory-on-boot.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Marcin Nowakowski +Date: Wed, 23 Nov 2016 14:43:50 +0100 +Subject: MIPS: kexec: Do not reserve invalid crashkernel memory on boot + +From: Marcin Nowakowski + + +[ Upstream commit a8f108d70c74d83574c157648383eb2e4285a190 ] + +Do not reserve memory for the crashkernel if the commandline argument +points to a wrong location. This can happen if the location is specified +wrong or if the same commandline is reused when starting the crashkernel +- in the latter case the reserved memory would point to the location +from which the crashkernel is executing. + +Signed-off-by: Marcin Nowakowski +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14612/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/kernel/setup.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -585,6 +585,11 @@ static void __init mips_parse_crashkerne + if (ret != 0 || crash_size <= 0) + return; + ++ if (!memory_region_available(crash_base, crash_size)) { ++ pr_warn("Invalid memory region reserved for crash kernel\n"); ++ return; ++ } ++ + crashk_res.start = crash_base; + crashk_res.end = crash_base + crash_size - 1; + } diff --git a/queue-3.18/mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch b/queue-3.18/mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch new file mode 100644 index 00000000000..e0aa3fb8a4a --- /dev/null +++ b/queue-3.18/mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch 
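Review bot: `memory_region_available(crash_base, crash_size)` is the only validation before `crashk_res.end = crash_base + crash_size - 1`, and both values come from the kernel command line. If the helper, which is defined outside this hunk, does not reject a range whose end wraps around, `crashk_res.end` ends up below `crashk_res.start`. Worth confirming the helper handles that case, or extending the early return to `if (ret != 0 || crash_size <= 0 || crash_base + crash_size < crash_base)`. The `pr_warn()` would also be more useful if it printed the rejected base and size.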
@@ -0,0 +1,67 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Heiner Kallweit +Date: Wed, 29 Mar 2017 20:54:37 +0200 +Subject: mmc: sdio: fix alignment issue in struct sdio_func + +From: Heiner Kallweit + + +[ Upstream commit 5ef1ecf060f28ecef313b5723f1fd39bf5a35f56 ] + +Certain 64-bit systems (e.g. Amlogic Meson GX) require buffers to be +used for DMA to be 8-byte-aligned. struct sdio_func has an embedded +small DMA buffer not meeting this requirement. +When testing switching to descriptor chain mode in meson-gx driver +SDIO is broken therefore. Fix this by allocating the small DMA buffer +separately as kmalloc ensures that the returned memory area is +properly aligned for every basic data type. + +Signed-off-by: Heiner Kallweit +Tested-by: Helmut Klein +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sdio_bus.c | 12 +++++++++++- + include/linux/mmc/sdio_func.h | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/core/sdio_bus.c ++++ b/drivers/mmc/core/sdio_bus.c +@@ -265,7 +265,7 @@ static void sdio_release_func(struct dev + sdio_free_func_cis(func); + + kfree(func->info); +- ++ kfree(func->tmpbuf); + kfree(func); + } + +@@ -280,6 +280,16 @@ struct sdio_func *sdio_alloc_func(struct + if (!func) + return ERR_PTR(-ENOMEM); + ++ /* ++ * allocate buffer separately to make sure it's properly aligned for ++ * DMA usage (incl. 
64 bit DMA) ++ */ ++ func->tmpbuf = kmalloc(4, GFP_KERNEL); ++ if (!func->tmpbuf) { ++ kfree(func); ++ return ERR_PTR(-ENOMEM); ++ } ++ + func->card = card; + + device_initialize(&func->dev); +--- a/include/linux/mmc/sdio_func.h ++++ b/include/linux/mmc/sdio_func.h +@@ -53,7 +53,7 @@ struct sdio_func { + unsigned int state; /* function state */ + #define SDIO_STATE_PRESENT (1<<0) /* present in sysfs */ + +- u8 tmpbuf[4]; /* DMA:able scratch buffer */ ++ u8 *tmpbuf; /* DMA:able scratch buffer */ + + unsigned num_info; /* number of info strings */ + const char **info; /* info strings */ diff --git a/queue-3.18/net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch b/queue-3.18/net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch new file mode 100644 index 00000000000..219a48527e2 --- /dev/null +++ b/queue-3.18/net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Myungho Jung +Date: Tue, 25 Apr 2017 11:58:15 -0700 +Subject: net: core: Prevent from dereferencing null pointer when releasing SKB + +From: Myungho Jung + + +[ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ] + +Added NULL check to make __dev_kfree_skb_irq consistent with kfree +family of functions. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 + +Signed-off-by: Myungho Jung +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2225,6 +2225,9 @@ void __dev_kfree_skb_irq(struct sk_buff + { + unsigned long flags; + ++ if (unlikely(!skb)) ++ return; ++ + if (likely(atomic_read(&skb->users) == 1)) { + smp_rmb(); + atomic_set(&skb->users, 0); 
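Review bot: Changing the field in include/linux/mmc/sdio_func.h from `u8 tmpbuf[4]` to `u8 *tmpbuf` silently changes any `sizeof(func->tmpbuf)` elsewhere in the tree from 4 to the pointer size. Users of the field are not part of this patch, so they need to be searched for before this is applied to a stable branch. The buffer size now exists only as the literal in `kmalloc(4, GFP_KERNEL)`; a named constant shared by the allocation and the users would keep transfer lengths tied to the real size. The allocation failure path in `sdio_alloc_func()` and the added `kfree(func->tmpbuf)` in `sdio_release_func()` pair up correctly in the visible lines.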
diff --git a/queue-3.18/net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch b/queue-3.18/net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch new file mode 100644 index 00000000000..17d83dfa3e0 --- /dev/null +++ b/queue-3.18/net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Alexander Potapenko +Date: Tue, 25 Apr 2017 18:51:46 +0200 +Subject: net/packet: check length in getsockopt() called with PACKET_HDRLEN + +From: Alexander Potapenko + + +[ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ] + +In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 +|val| remains uninitialized and the syscall may behave differently +depending on its value, and even copy garbage to userspace on certain +architectures. To fix this we now return -EINVAL if optlen is too small. + +This bug has been detected with KMSAN. + +Signed-off-by: Alexander Potapenko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3482,6 +3482,8 @@ static int packet_getsockopt(struct sock + case PACKET_HDRLEN: + if (len > sizeof(int)) + len = sizeof(int); ++ if (len < sizeof(int)) ++ return -EINVAL; + if (copy_from_user(&val, optval, len)) + return -EFAULT; + switch (val) { diff --git a/queue-3.18/netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch b/queue-3.18/netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch new file mode 100644 index 00000000000..57bbfefd2eb --- /dev/null +++ b/queue-3.18/netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch 
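Review bot: Both tests in the `PACKET_HDRLEN` case compare `len` with `sizeof(int)`, which is unsigned, so if `len` is a signed `int` (its declaration is outside the hunk) a negative value converts to a large number, takes the first branch and is clamped to 4 instead of being rejected. That is safe only if an earlier `len < 0` check in `packet_getsockopt()` already returns; this should be confirmed. After the added check `len` can only equal `sizeof(int)` when `copy_from_user(&val, optval, len)` runs, so the pair could be written as one test that says so, with a comment like `/* val must be fully initialised by the copy */`.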
@@ -0,0 +1,101 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Liping Zhang +Date: Sat, 25 Mar 2017 08:53:12 +0800 +Subject: netfilter: invoke synchronize_rcu after set the _hook_ to NULL + +From: Liping Zhang + + +[ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ] + +Otherwise, another CPU may access the invalid pointer. For example: + CPU0 CPU1 + - rcu_read_lock(); + - pfunc = _hook_; + _hook_ = NULL; - + mod unload - + - pfunc(); // invalid, panic + - rcu_read_unlock(); + +So we must call synchronize_rcu() to wait the rcu reader to finish. + +Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked +by later nf_conntrack_helper_unregister, but I'm inclined to add a +explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend +on such obscure assumptions is not a good idea. + +Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object, +so in cttimeout_exit, invoking rcu_barrier() is not necessary at all, +remove it too. + +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 + + net/netfilter/nf_conntrack_ecache.c | 2 ++ + net/netfilter/nf_conntrack_netlink.c | 1 + + net/netfilter/nf_nat_core.c | 2 ++ + net/netfilter/nfnetlink_cttimeout.c | 1 + + 5 files changed, 7 insertions(+) + +--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c ++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c +@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init + static void __exit nf_nat_snmp_basic_fini(void) + { + RCU_INIT_POINTER(nf_nat_snmp_hook, NULL); ++ synchronize_rcu(); + nf_conntrack_helper_unregister(&snmp_trap_helper); + } + +--- a/net/netfilter/nf_conntrack_ecache.c ++++ b/net/netfilter/nf_conntrack_ecache.c +@@ -200,6 +200,7 @@ void nf_conntrack_unregister_notifier(st + BUG_ON(notify != new); + RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL); + mutex_unlock(&nf_ct_ecache_mutex); ++ /* 
synchronize_rcu() is called from ctnetlink_exit. */ + } + EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier); + +@@ -236,6 +237,7 @@ void nf_ct_expect_unregister_notifier(st + BUG_ON(notify != new); + RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL); + mutex_unlock(&nf_ct_ecache_mutex); ++ /* synchronize_rcu() is called from ctnetlink_exit. */ + } + EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier); + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3242,6 +3242,7 @@ static void __exit ctnetlink_exit(void) + #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT + RCU_INIT_POINTER(nfq_ct_hook, NULL); + #endif ++ synchronize_rcu(); + } + + module_init(ctnetlink_init); +--- a/net/netfilter/nf_nat_core.c ++++ b/net/netfilter/nf_nat_core.c +@@ -888,6 +888,8 @@ static void __exit nf_nat_cleanup(void) + #ifdef CONFIG_XFRM + RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL); + #endif ++ synchronize_rcu(); ++ + for (i = 0; i < NFPROTO_NUMPROTO; i++) + kfree(nf_nat_l4protos[i]); + synchronize_net(); +--- a/net/netfilter/nfnetlink_cttimeout.c ++++ b/net/netfilter/nfnetlink_cttimeout.c +@@ -578,6 +578,7 @@ static void __exit cttimeout_exit(void) + #ifdef CONFIG_NF_CONNTRACK_TIMEOUT + RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL); + RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL); ++ synchronize_rcu(); + #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ + } + diff --git a/queue-3.18/netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch b/queue-3.18/netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch new file mode 100644 index 00000000000..d6afdbad2ea --- /dev/null +++ b/queue-3.18/netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch 
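Review bot: In nf_conntrack_ecache.c, nf_conntrack_unregister_notifier() and nf_ct_expect_unregister_notifier() clear the callback pointer but only gain the comment `/* synchronize_rcu() is called from ctnetlink_exit. */`, so waiting for readers is left to the caller. Both are EXPORT_SYMBOL_GPL; whether any caller other than ctnetlink exists is not visible here, but one that frees the notifier or unloads right after unregistering would hit the same window the commit message describes. I would state the contract on the functions themselves, e.g. `/* Caller must wait for an RCU grace period before freeing the notifier or unloading. */`. Separately, the description says rcu_barrier() is removed from cttimeout_exit(), while the diffstat lists 7 insertions and no deletion, so the backport appears to have dropped that part without saying so.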
@@ -0,0 +1,91 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Liping Zhang +Date: Sun, 19 Mar 2017 22:35:59 +0800 +Subject: netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max + +From: Liping Zhang + + +[ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ] + +The helper->expect_class_max must be set to the total number of +expect_policy minus 1, since we will use the statement "if (class > +helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in +ctnetlink_alloc_expect. + +So for compatibility, set the helper->expect_class_max to the +NFCTH_POLICY_SET_NUM attr's value minus 1. + +Also: it's invalid when the NFCTH_POLICY_SET_NUM attr's value is zero. +1. this will result "expect_policy = kzalloc(0, GFP_KERNEL);"; +2. we cannot set the helper->expect_class_max to a proper value. + +So if nla_get_be32(tb[NFCTH_POLICY_SET_NUM]) is zero, report -EINVAL to +the userspace. + +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nfnetlink_cthelper.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -161,6 +161,7 @@ nfnl_cthelper_parse_expect_policy(struct + int i, ret; + struct nf_conntrack_expect_policy *expect_policy; + struct nlattr *tb[NFCTH_POLICY_SET_MAX+1]; ++ unsigned int class_max; + + ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr, + nfnl_cthelper_expect_policy_set); +@@ -170,19 +171,18 @@ nfnl_cthelper_parse_expect_policy(struct + if (!tb[NFCTH_POLICY_SET_NUM]) + return -EINVAL; + +- helper->expect_class_max = +- ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM])); +- +- if (helper->expect_class_max != 0 && +- helper->expect_class_max > NF_CT_MAX_EXPECT_CLASSES) ++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM])); ++ if (class_max == 0) ++ return -EINVAL; ++ if (class_max > NF_CT_MAX_EXPECT_CLASSES) + return 
-EOVERFLOW; + + expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) * +- helper->expect_class_max, GFP_KERNEL); ++ class_max, GFP_KERNEL); + if (expect_policy == NULL) + return -ENOMEM; + +- for (i=0; iexpect_class_max; i++) { ++ for (i = 0; i < class_max; i++) { + if (!tb[NFCTH_POLICY_SET+i]) + goto err; + +@@ -191,6 +191,8 @@ nfnl_cthelper_parse_expect_policy(struct + if (ret < 0) + goto err; + } ++ ++ helper->expect_class_max = class_max - 1; + helper->expect_policy = expect_policy; + return 0; + err: +@@ -377,10 +379,10 @@ nfnl_cthelper_dump_policy(struct sk_buff + goto nla_put_failure; + + if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM, +- htonl(helper->expect_class_max))) ++ htonl(helper->expect_class_max + 1))) + goto nla_put_failure; + +- for (i=0; iexpect_class_max; i++) { ++ for (i = 0; i < helper->expect_class_max + 1; i++) { + nest_parms2 = nla_nest_start(skb, + (NFCTH_POLICY_SET+i) | NLA_F_NESTED); + if (nest_parms2 == NULL) diff --git a/queue-3.18/parisc-perf-fix-potential-null-pointer-dereference.patch b/queue-3.18/parisc-perf-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..9fc1fdae7a6 --- /dev/null +++ b/queue-3.18/parisc-perf-fix-potential-null-pointer-dereference.patch 
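Review bot: The loop in nfnl_cthelper_parse_expect_policy() reads `tb[NFCTH_POLICY_SET+i]` for `i` up to `class_max - 1`, and `tb` has `NFCTH_POLICY_SET_MAX+1` slots, so the read stays in bounds only if NF_CT_MAX_EXPECT_CLASSES is no larger than the number of NFCTH_POLICY_SET attributes. Neither constant's value is visible in this hunk, and the only runtime guard is `class_max > NF_CT_MAX_EXPECT_CLASSES`. A compile-time check next to that guard would pin the relationship: `BUILD_BUG_ON(NFCTH_POLICY_SET + NF_CT_MAX_EXPECT_CLASSES - 1 > NFCTH_POLICY_SET_MAX);`. The function body continues outside the hunk.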
@@ -0,0 +1,327 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Arvind Yadav +Date: Tue, 14 Mar 2017 15:24:51 +0530 +Subject: parisc: perf: Fix potential NULL pointer dereference + +From: Arvind Yadav + + +[ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ] + +Fix potential NULL pointer dereference and clean up +coding style errors (code indent, trailing whitespaces). + +Signed-off-by: Arvind Yadav +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/perf.c | 94 +++++++++++++++++++++++----------------------- + 1 file changed, 49 insertions(+), 45 deletions(-) + +--- a/arch/parisc/kernel/perf.c ++++ b/arch/parisc/kernel/perf.c +@@ -39,7 +39,7 @@ + * the PDC INTRIGUE calls. This is done to eliminate bugs introduced + * in various PDC revisions. The code is much more maintainable + * and reliable this way vs having to debug on every version of PDC +- * on every box. ++ * on every box. + */ + + #include +@@ -195,8 +195,8 @@ static int perf_config(uint32_t *image_p + static int perf_release(struct inode *inode, struct file *file); + static int perf_open(struct inode *inode, struct file *file); + static ssize_t perf_read(struct file *file, char __user *buf, size_t cnt, loff_t *ppos); +-static ssize_t perf_write(struct file *file, const char __user *buf, size_t count, +- loff_t *ppos); ++static ssize_t perf_write(struct file *file, const char __user *buf, ++ size_t count, loff_t *ppos); + static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg); + static void perf_start_counters(void); + static int perf_stop_counters(uint32_t *raddr); +@@ -222,7 +222,7 @@ extern void perf_intrigue_disable_perf_c + /* + * configure: + * +- * Configure the cpu with a given data image. First turn off the counters, ++ * Configure the cpu with a given data image. First turn off the counters, + * then download the image, then turn the counters back on. 
+ */ + static int perf_config(uint32_t *image_ptr) +@@ -234,7 +234,7 @@ static int perf_config(uint32_t *image_p + error = perf_stop_counters(raddr); + if (error != 0) { + printk("perf_config: perf_stop_counters = %ld\n", error); +- return -EINVAL; ++ return -EINVAL; + } + + printk("Preparing to write image\n"); +@@ -242,7 +242,7 @@ printk("Preparing to write image\n"); + error = perf_write_image((uint64_t *)image_ptr); + if (error != 0) { + printk("perf_config: DOWNLOAD = %ld\n", error); +- return -EINVAL; ++ return -EINVAL; + } + + printk("Preparing to start counters\n"); +@@ -254,7 +254,7 @@ printk("Preparing to start counters\n"); + } + + /* +- * Open the device and initialize all of its memory. The device is only ++ * Open the device and initialize all of its memory. The device is only + * opened once, but can be "queried" by multiple processes that know its + * file descriptor. + */ +@@ -298,8 +298,8 @@ static ssize_t perf_read(struct file *fi + * called on the processor that the download should happen + * on. 
+ */ +-static ssize_t perf_write(struct file *file, const char __user *buf, size_t count, +- loff_t *ppos) ++static ssize_t perf_write(struct file *file, const char __user *buf, ++ size_t count, loff_t *ppos) + { + int err; + size_t image_size; +@@ -307,11 +307,11 @@ static ssize_t perf_write(struct file *f + uint32_t interface_type; + uint32_t test; + +- if (perf_processor_interface == ONYX_INTF) ++ if (perf_processor_interface == ONYX_INTF) + image_size = PCXU_IMAGE_SIZE; +- else if (perf_processor_interface == CUDA_INTF) ++ else if (perf_processor_interface == CUDA_INTF) + image_size = PCXW_IMAGE_SIZE; +- else ++ else + return -EFAULT; + + if (!capable(CAP_SYS_ADMIN)) +@@ -331,22 +331,22 @@ static ssize_t perf_write(struct file *f + + /* First check the machine type is correct for + the requested image */ +- if (((perf_processor_interface == CUDA_INTF) && +- (interface_type != CUDA_INTF)) || +- ((perf_processor_interface == ONYX_INTF) && +- (interface_type != ONYX_INTF))) ++ if (((perf_processor_interface == CUDA_INTF) && ++ (interface_type != CUDA_INTF)) || ++ ((perf_processor_interface == ONYX_INTF) && ++ (interface_type != ONYX_INTF))) + return -EINVAL; + + /* Next check to make sure the requested image + is valid */ +- if (((interface_type == CUDA_INTF) && ++ if (((interface_type == CUDA_INTF) && + (test >= MAX_CUDA_IMAGES)) || +- ((interface_type == ONYX_INTF) && +- (test >= MAX_ONYX_IMAGES))) ++ ((interface_type == ONYX_INTF) && ++ (test >= MAX_ONYX_IMAGES))) + return -EINVAL; + + /* Copy the image into the processor */ +- if (interface_type == CUDA_INTF) ++ if (interface_type == CUDA_INTF) + return perf_config(cuda_images[test]); + else + return perf_config(onyx_images[test]); +@@ -360,7 +360,7 @@ static ssize_t perf_write(struct file *f + static void perf_patch_images(void) + { + #if 0 /* FIXME!! */ +-/* ++/* + * NOTE: this routine is VERY specific to the current TLB image. + * If the image is changed, this routine might also need to be changed. 
+ */ +@@ -368,9 +368,9 @@ static void perf_patch_images(void) + extern void $i_dtlb_miss_2_0(); + extern void PA2_0_iva(); + +- /* ++ /* + * We can only use the lower 32-bits, the upper 32-bits should be 0 +- * anyway given this is in the kernel ++ * anyway given this is in the kernel + */ + uint32_t itlb_addr = (uint32_t)&($i_itlb_miss_2_0); + uint32_t dtlb_addr = (uint32_t)&($i_dtlb_miss_2_0); +@@ -378,21 +378,21 @@ static void perf_patch_images(void) + + if (perf_processor_interface == ONYX_INTF) { + /* clear last 2 bytes */ +- onyx_images[TLBMISS][15] &= 0xffffff00; ++ onyx_images[TLBMISS][15] &= 0xffffff00; + /* set 2 bytes */ + onyx_images[TLBMISS][15] |= (0x000000ff&((dtlb_addr) >> 24)); + onyx_images[TLBMISS][16] = (dtlb_addr << 8)&0xffffff00; + onyx_images[TLBMISS][17] = itlb_addr; + + /* clear last 2 bytes */ +- onyx_images[TLBHANDMISS][15] &= 0xffffff00; ++ onyx_images[TLBHANDMISS][15] &= 0xffffff00; + /* set 2 bytes */ + onyx_images[TLBHANDMISS][15] |= (0x000000ff&((dtlb_addr) >> 24)); + onyx_images[TLBHANDMISS][16] = (dtlb_addr << 8)&0xffffff00; + onyx_images[TLBHANDMISS][17] = itlb_addr; + + /* clear last 2 bytes */ +- onyx_images[BIG_CPI][15] &= 0xffffff00; ++ onyx_images[BIG_CPI][15] &= 0xffffff00; + /* set 2 bytes */ + onyx_images[BIG_CPI][15] |= (0x000000ff&((dtlb_addr) >> 24)); + onyx_images[BIG_CPI][16] = (dtlb_addr << 8)&0xffffff00; +@@ -405,24 +405,24 @@ static void perf_patch_images(void) + + } else if (perf_processor_interface == CUDA_INTF) { + /* Cuda interface */ +- cuda_images[TLBMISS][16] = ++ cuda_images[TLBMISS][16] = + (cuda_images[TLBMISS][16]&0xffff0000) | + ((dtlb_addr >> 8)&0x0000ffff); +- cuda_images[TLBMISS][17] = ++ cuda_images[TLBMISS][17] = + ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff); + cuda_images[TLBMISS][18] = (itlb_addr << 16)&0xffff0000; + +- cuda_images[TLBHANDMISS][16] = ++ cuda_images[TLBHANDMISS][16] = + (cuda_images[TLBHANDMISS][16]&0xffff0000) | + ((dtlb_addr >> 8)&0x0000ffff); +- 
cuda_images[TLBHANDMISS][17] = ++ cuda_images[TLBHANDMISS][17] = + ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff); + cuda_images[TLBHANDMISS][18] = (itlb_addr << 16)&0xffff0000; + +- cuda_images[BIG_CPI][16] = ++ cuda_images[BIG_CPI][16] = + (cuda_images[BIG_CPI][16]&0xffff0000) | + ((dtlb_addr >> 8)&0x0000ffff); +- cuda_images[BIG_CPI][17] = ++ cuda_images[BIG_CPI][17] = + ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff); + cuda_images[BIG_CPI][18] = (itlb_addr << 16)&0xffff0000; + } else { +@@ -434,7 +434,7 @@ static void perf_patch_images(void) + + /* + * ioctl routine +- * All routines effect the processor that they are executed on. Thus you ++ * All routines effect the processor that they are executed on. Thus you + * must be running on the processor that you wish to change. + */ + +@@ -460,7 +460,7 @@ static long perf_ioctl(struct file *file + } + + /* copy out the Counters */ +- if (copy_to_user((void __user *)arg, raddr, ++ if (copy_to_user((void __user *)arg, raddr, + sizeof (raddr)) != 0) { + error = -EFAULT; + break; +@@ -488,7 +488,7 @@ static const struct file_operations perf + .open = perf_open, + .release = perf_release + }; +- ++ + static struct miscdevice perf_dev = { + MISC_DYNAMIC_MINOR, + PA_PERF_DEV, +@@ -595,7 +595,7 @@ static int perf_stop_counters(uint32_t * + /* OR sticky2 (bit 1496) to counter2 bit 32 */ + tmp64 |= (userbuf[23] >> 8) & 0x0000000080000000; + raddr[2] = (uint32_t)tmp64; +- ++ + /* Counter3 is bits 1497 to 1528 */ + tmp64 = (userbuf[23] >> 7) & 0x00000000ffffffff; + /* OR sticky3 (bit 1529) to counter3 bit 32 */ +@@ -617,7 +617,7 @@ static int perf_stop_counters(uint32_t * + userbuf[22] = 0; + userbuf[23] = 0; + +- /* ++ /* + * Write back the zeroed bytes + the image given + * the read was destructive. 
+ */ +@@ -625,13 +625,13 @@ static int perf_stop_counters(uint32_t * + } else { + + /* +- * Read RDR-15 which contains the counters and sticky bits ++ * Read RDR-15 which contains the counters and sticky bits + */ + if (!perf_rdr_read_ubuf(15, userbuf)) { + return -13; + } + +- /* ++ /* + * Clear out the counters + */ + perf_rdr_clear(15); +@@ -644,7 +644,7 @@ static int perf_stop_counters(uint32_t * + raddr[2] = (uint32_t)((userbuf[1] >> 32) & 0x00000000ffffffffUL); + raddr[3] = (uint32_t)(userbuf[1] & 0x00000000ffffffffUL); + } +- ++ + return 0; + } + +@@ -682,7 +682,7 @@ static int perf_rdr_read_ubuf(uint32_t r + i = tentry->num_words; + while (i--) { + buffer[i] = 0; +- } ++ } + + /* Check for bits an even number of 64 */ + if ((xbits = width & 0x03f) != 0) { +@@ -808,18 +808,22 @@ static int perf_write_image(uint64_t *me + } + + runway = ioremap_nocache(cpu_device->hpa.start, 4096); ++ if (!runway) { ++ pr_err("perf_write_image: ioremap failed!\n"); ++ return -ENOMEM; ++ } + + /* Merge intrigue bits into Runway STATUS 0 */ + tmp64 = __raw_readq(runway + RUNWAY_STATUS) & 0xffecfffffffffffful; +- __raw_writeq(tmp64 | (*memaddr++ & 0x0013000000000000ul), ++ __raw_writeq(tmp64 | (*memaddr++ & 0x0013000000000000ul), + runway + RUNWAY_STATUS); +- ++ + /* Write RUNWAY DEBUG registers */ + for (i = 0; i < 8; i++) { + __raw_writeq(*memaddr++, runway + RUNWAY_DEBUG); + } + +- return 0; ++ return 0; + } + + /* +@@ -843,7 +847,7 @@ printk("perf_rdr_write\n"); + perf_rdr_shift_out_U(rdr_num, buffer[i]); + } else { + perf_rdr_shift_out_W(rdr_num, buffer[i]); +- } ++ } + } + printk("perf_rdr_write done\n"); + } diff --git a/queue-3.18/partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch b/queue-3.18/partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch new file mode 100644 index 00000000000..b89cf2cb08e --- /dev/null +++ b/queue-3.18/partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch 
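Review bot: perf_write_image() now bails out when ioremap_nocache() fails, but on the success path the context lines run from the mapping to `return 0;` without an `iounmap(runway)`. If `runway` is a local (its declaration is outside the hunk), every image download leaves a 4096-byte mapping behind, and perf_write() reaches this path through perf_config() each time a CAP_SYS_ADMIN caller writes to the device. I would add `iounmap(runway);` before the final `return 0;`. The one functional change is also buried in roughly ninety lines of whitespace cleanup, which makes the stable backport harder to audit than it needs to be.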
@@ -0,0 +1,77 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Alden Tondettar +Date: Sun, 15 Jan 2017 15:31:56 -0700 +Subject: partitions/efi: Fix integer overflow in GPT size calculation + +From: Alden Tondettar + + +[ Upstream commit c5082b70adfe8e1ea1cf4a8eff92c9f260e364d2 ] + +If a GUID Partition Table claims to have more than 2**25 entries, the +calculation of the partition table size in alloc_read_gpt_entries() will +overflow a 32-bit integer and not enough space will be allocated for the +table. + +Nothing seems to get written out of bounds, but later efi_partition() will +read up to 32768 bytes from a 128 byte buffer, possibly OOPSing or exposing +information to /proc/partitions and uevents. + +The problem exists on both 64-bit and 32-bit platforms. + +Fix the overflow and also print a meaningful debug message if the table +size is too large. + +Signed-off-by: Alden Tondettar +Acked-by: Ard Biesheuvel +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/efi.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/block/partitions/efi.c ++++ b/block/partitions/efi.c +@@ -293,7 +293,7 @@ static gpt_entry *alloc_read_gpt_entries + if (!gpt) + return NULL; + +- count = le32_to_cpu(gpt->num_partition_entries) * ++ count = (size_t)le32_to_cpu(gpt->num_partition_entries) * + le32_to_cpu(gpt->sizeof_partition_entry); + if (!count) + return NULL; +@@ -352,7 +352,7 @@ static int is_gpt_valid(struct parsed_pa + gpt_header **gpt, gpt_entry **ptes) + { + u32 crc, origcrc; +- u64 lastlba; ++ u64 lastlba, pt_size; + + if (!ptes) + return 0; +@@ -434,13 +434,20 @@ static int is_gpt_valid(struct parsed_pa + goto fail; + } + ++ /* Sanity check partition table size */ ++ pt_size = (u64)le32_to_cpu((*gpt)->num_partition_entries) * ++ le32_to_cpu((*gpt)->sizeof_partition_entry); ++ if (pt_size > KMALLOC_MAX_SIZE) { ++ pr_debug("GUID Partition Table is too large: %llu > %lu bytes\n", ++ 
(unsigned long long)pt_size, KMALLOC_MAX_SIZE); ++ goto fail; ++ } ++ + if (!(*ptes = alloc_read_gpt_entries(state, *gpt))) + goto fail; + + /* Check the GUID Partition Entry Array CRC */ +- crc = efi_crc32((const unsigned char *) (*ptes), +- le32_to_cpu((*gpt)->num_partition_entries) * +- le32_to_cpu((*gpt)->sizeof_partition_entry)); ++ crc = efi_crc32((const unsigned char *) (*ptes), pt_size); + + if (crc != le32_to_cpu((*gpt)->partition_entry_array_crc32)) { + pr_debug("GUID Partitition Entry Array CRC check failed.\n"); diff --git a/queue-3.18/pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch b/queue-3.18/pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch new file mode 100644 index 00000000000..6cd65b9c5df --- /dev/null +++ b/queue-3.18/pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch 
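Review bot: In alloc_read_gpt_entries() the `(size_t)` cast widens the product only where size_t is 64 bits; on a 32-bit build the multiplication can still wrap, so the allocation size is safe there only because is_gpt_valid() rejects `pt_size > KMALLOC_MAX_SIZE` before calling it. That dependency is not stated anywhere near `count`; a comment such as `/* caller (is_gpt_valid) has bounded entries * entry size by KMALLOC_MAX_SIZE */` would keep a future second caller from reintroducing the short allocation. The `%lu` used for KMALLOC_MAX_SIZE in the pr_debug() also assumes that macro is an unsigned long on every configuration, which this hunk does not show. Both function bodies extend beyond the hunks.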
@@ -0,0 +1,50 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Markus Elfring
+Date: Thu, 12 Jan 2017 16:51:00 +0100
+Subject: pinctrl: mvebu: Use seq_puts() in mvebu_pinconf_group_dbg_show()
+
+From: Markus Elfring
+
+
+[ Upstream commit 420dc61642920849d824a0de2aa853db59f5244f ]
+
+Strings which did not contain data format specifications should be put
+into a sequence. Thus use the corresponding function "seq_puts".
+
+This issue was detected by using the Coccinelle software.
+
+Signed-off-by: Markus Elfring
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/mvebu/pinctrl-mvebu.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
++++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+@@ -195,11 +195,12 @@ static void mvebu_pinconf_group_dbg_show
+ seq_printf(s, "o");
+ seq_printf(s, ")");
+ }
+- } else
+- seq_printf(s, "current: UNKNOWN");
++ } else {
++ seq_puts(s, "current: UNKNOWN");
++ }
+
+ if (grp->num_settings > 1) {
+- seq_printf(s, ", available = [");
++ seq_puts(s, ", available = [");
+ for (n = 0; n < grp->num_settings; n++) {
+ if (curr == &grp->settings[n])
+ continue;
+@@ -222,7 +223,7 @@ static void mvebu_pinconf_group_dbg_show
+ seq_printf(s, ")");
+ }
+ }
+- seq_printf(s, " ]");
++ seq_puts(s, " ]");
+ }
+ return;
+ }
diff --git a/queue-3.18/rds-ib-add-error-handle.patch b/queue-3.18/rds-ib-add-error-handle.patch
new file mode 100644
index 00000000000..78e754aa8f7
--- /dev/null
+++ b/queue-3.18/rds-ib-add-error-handle.patch
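Review bot: The conversion is incomplete within the same function: the context lines still show `seq_printf(s, "o");` and `seq_printf(s, ")");`, which are constant strings with no format specifiers, just like the three call sites that were changed. For consistency they could become `seq_puts(s, "o");` and `seq_puts(s, ")");`, or seq_putc() for the single characters. mvebu_pinconf_group_dbg_show() starts before the hunk, so there may be further call sites not shown.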
@@ -0,0 +1,149 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Zhu Yanjun +Date: Tue, 7 Mar 2017 02:48:36 -0500 +Subject: rds: ib: add error handle + +From: Zhu Yanjun + + +[ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ] + +In the function rds_ib_setup_qp, the error handle is missing. When some +error occurs, it is possible that memory leak occurs. As such, error +handle is added. + +Cc: Joe Jin +Reviewed-by: Junxiao Bi +Reviewed-by: Guanglei Li +Signed-off-by: Zhu Yanjun +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_cm.c | 47 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 36 insertions(+), 11 deletions(-) + +--- a/net/rds/ib_cm.c ++++ b/net/rds/ib_cm.c +@@ -298,7 +298,7 @@ static int rds_ib_setup_qp(struct rds_co + ret = PTR_ERR(ic->i_send_cq); + ic->i_send_cq = NULL; + rdsdebug("ib_create_cq send failed: %d\n", ret); +- goto out; ++ goto rds_ibdev_out; + } + + ic->i_recv_cq = ib_create_cq(dev, rds_ib_recv_cq_comp_handler, +@@ -308,19 +308,19 @@ static int rds_ib_setup_qp(struct rds_co + ret = PTR_ERR(ic->i_recv_cq); + ic->i_recv_cq = NULL; + rdsdebug("ib_create_cq recv failed: %d\n", ret); +- goto out; ++ goto send_cq_out; + } + + ret = ib_req_notify_cq(ic->i_send_cq, IB_CQ_NEXT_COMP); + if (ret) { + rdsdebug("ib_req_notify_cq send failed: %d\n", ret); +- goto out; ++ goto recv_cq_out; + } + + ret = ib_req_notify_cq(ic->i_recv_cq, IB_CQ_SOLICITED); + if (ret) { + rdsdebug("ib_req_notify_cq recv failed: %d\n", ret); +- goto out; ++ goto recv_cq_out; + } + + /* XXX negotiate max send/recv with remote? 
*/ +@@ -344,7 +344,7 @@ static int rds_ib_setup_qp(struct rds_co + ret = rdma_create_qp(ic->i_cm_id, ic->i_pd, &attr); + if (ret) { + rdsdebug("rdma_create_qp failed: %d\n", ret); +- goto out; ++ goto recv_cq_out; + } + + ic->i_send_hdrs = ib_dma_alloc_coherent(dev, +@@ -354,7 +354,7 @@ static int rds_ib_setup_qp(struct rds_co + if (!ic->i_send_hdrs) { + ret = -ENOMEM; + rdsdebug("ib_dma_alloc_coherent send failed\n"); +- goto out; ++ goto qp_out; + } + + ic->i_recv_hdrs = ib_dma_alloc_coherent(dev, +@@ -364,7 +364,7 @@ static int rds_ib_setup_qp(struct rds_co + if (!ic->i_recv_hdrs) { + ret = -ENOMEM; + rdsdebug("ib_dma_alloc_coherent recv failed\n"); +- goto out; ++ goto send_hdrs_dma_out; + } + + ic->i_ack = ib_dma_alloc_coherent(dev, sizeof(struct rds_header), +@@ -372,7 +372,7 @@ static int rds_ib_setup_qp(struct rds_co + if (!ic->i_ack) { + ret = -ENOMEM; + rdsdebug("ib_dma_alloc_coherent ack failed\n"); +- goto out; ++ goto recv_hdrs_dma_out; + } + + ic->i_sends = vzalloc_node(ic->i_send_ring.w_nr * sizeof(struct rds_ib_send_work), +@@ -380,7 +380,7 @@ static int rds_ib_setup_qp(struct rds_co + if (!ic->i_sends) { + ret = -ENOMEM; + rdsdebug("send allocation failed\n"); +- goto out; ++ goto ack_dma_out; + } + + ic->i_recvs = vzalloc_node(ic->i_recv_ring.w_nr * sizeof(struct rds_ib_recv_work), +@@ -388,7 +388,7 @@ static int rds_ib_setup_qp(struct rds_co + if (!ic->i_recvs) { + ret = -ENOMEM; + rdsdebug("recv allocation failed\n"); +- goto out; ++ goto sends_out; + } + + rds_ib_recv_init_ack(ic); +@@ -396,8 +396,33 @@ static int rds_ib_setup_qp(struct rds_co + rdsdebug("conn %p pd %p mr %p cq %p %p\n", conn, ic->i_pd, ic->i_mr, + ic->i_send_cq, ic->i_recv_cq); + +-out: ++ return ret; ++ ++sends_out: ++ vfree(ic->i_sends); ++ack_dma_out: ++ ib_dma_free_coherent(dev, sizeof(struct rds_header), ++ ic->i_ack, ic->i_ack_dma); ++recv_hdrs_dma_out: ++ ib_dma_free_coherent(dev, ic->i_recv_ring.w_nr * ++ sizeof(struct rds_header), ++ ic->i_recv_hdrs, 
ic->i_recv_hdrs_dma); ++send_hdrs_dma_out: ++ ib_dma_free_coherent(dev, ic->i_send_ring.w_nr * ++ sizeof(struct rds_header), ++ ic->i_send_hdrs, ic->i_send_hdrs_dma); ++qp_out: ++ rdma_destroy_qp(ic->i_cm_id); ++recv_cq_out: ++ if (!ib_destroy_cq(ic->i_recv_cq)) ++ ic->i_recv_cq = NULL; ++send_cq_out: ++ if (!ib_destroy_cq(ic->i_send_cq)) ++ ic->i_send_cq = NULL; ++rds_ibdev_out: ++ rds_ib_remove_conn(rds_ibdev, conn); + rds_ib_dev_put(rds_ibdev); ++ + return ret; + } + diff --git a/queue-3.18/rds-rdma-fix-the-composite-message-user-notification.patch b/queue-3.18/rds-rdma-fix-the-composite-message-user-notification.patch new file mode 100644 index 00000000000..f795bac3c19 --- /dev/null +++ b/queue-3.18/rds-rdma-fix-the-composite-message-user-notification.patch 
@@ -0,0 +1,123 @@ +From foo@baz Thu Oct 5 10:58:04 CEST 2017 +From: Santosh Shilimkar +Date: Thu, 18 Feb 2016 20:06:47 -0800 +Subject: RDS: RDMA: Fix the composite message user notification + +From: Santosh Shilimkar + + +[ Upstream commit 941f8d55f6d613a460a5e080d25a38509f45eb75 ] + +When application sends an RDS RDMA composite message consist of +RDMA transfer to be followed up by non RDMA payload, it expect to +be notified *only* when the full message gets delivered. RDS RDMA +notification doesn't behave this way though. + +Thanks to Venkat for debug and root casuing the issue +where only first part of the message(RDMA) was +successfully delivered but remainder payload delivery failed. +In that case, application should not be notified with +a false positive of message delivery success. + +Fix this case by making sure the user gets notified only after +the full message delivery. + +Reviewed-by: Venkat Venkatsubra +Signed-off-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_send.c | 25 +++++++++++++++---------- + net/rds/rdma.c | 10 ++++++++++ + net/rds/rds.h | 1 + + net/rds/send.c | 4 +++- + 4 files changed, 29 insertions(+), 11 deletions(-) + +--- a/net/rds/ib_send.c ++++ b/net/rds/ib_send.c +@@ -102,16 +102,6 @@ static void rds_ib_send_complete(struct + complete(rm, notify_status); + } + +-static void rds_ib_send_unmap_data(struct rds_ib_connection *ic, +- struct rm_data_op *op, +- int wc_status) +-{ +- if (op->op_nents) +- ib_dma_unmap_sg(ic->i_cm_id->device, +- op->op_sg, op->op_nents, +- DMA_TO_DEVICE); +-} +- + static void rds_ib_send_unmap_rdma(struct rds_ib_connection *ic, + struct rm_rdma_op *op, + int wc_status) +@@ -172,6 +162,21 @@ static void rds_ib_send_unmap_atomic(str + rds_ib_stats_inc(s_ib_atomic_fadd); + } + ++static void rds_ib_send_unmap_data(struct rds_ib_connection *ic, ++ struct rm_data_op *op, ++ int wc_status) ++{ ++ struct rds_message *rm = container_of(op, struct rds_message, data); 
++ ++ if (op->op_nents) ++ ib_dma_unmap_sg(ic->i_cm_id->device, ++ op->op_sg, op->op_nents, ++ DMA_TO_DEVICE); ++ ++ if (rm->rdma.op_active && rm->data.op_notify) ++ rds_ib_send_unmap_rdma(ic, &rm->rdma, wc_status); ++} ++ + /* + * Unmap the resources associated with a struct send_work. + * +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -625,6 +625,16 @@ int rds_cmsg_rdma_args(struct rds_sock * + } + op->op_notifier->n_user_token = args->user_token; + op->op_notifier->n_status = RDS_RDMA_SUCCESS; ++ ++ /* Enable rmda notification on data operation for composite ++ * rds messages and make sure notification is enabled only ++ * for the data operation which follows it so that application ++ * gets notified only after full message gets delivered. ++ */ ++ if (rm->data.op_sg) { ++ rm->rdma.op_notify = 0; ++ rm->data.op_notify = !!(args->flags & RDS_RDMA_NOTIFY_ME); ++ } + } + + /* The cookie contains the R_Key of the remote memory region, and +--- a/net/rds/rds.h ++++ b/net/rds/rds.h +@@ -360,6 +360,7 @@ struct rds_message { + } rdma; + struct rm_data_op { + unsigned int op_active:1; ++ unsigned int op_notify:1; + unsigned int op_nents; + unsigned int op_count; + struct scatterlist *op_sg; +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -425,12 +425,14 @@ void rds_rdma_send_complete(struct rds_m + struct rm_rdma_op *ro; + struct rds_notifier *notifier; + unsigned long flags; ++ unsigned int notify = 0; + + spin_lock_irqsave(&rm->m_rs_lock, flags); + ++ notify = rm->rdma.op_notify | rm->data.op_notify; + ro = &rm->rdma; + if (test_bit(RDS_MSG_ON_SOCK, &rm->m_flags) && +- ro->op_active && ro->op_notify && ro->op_notifier) { ++ ro->op_active && notify && ro->op_notifier) { + notifier = ro->op_notifier; + rs = rm->m_rs; + sock_hold(rds_rs_to_sk(rs)); diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..aa8d12868de --- /dev/null +++ b/queue-3.18/series 
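Review bot: In rds_cmsg_rdma_args() the new `if (rm->data.op_sg)` test decides whether notification moves from the RDMA op to the data op, so it only works if the payload scatterlist is attached to the message before the control messages are parsed; that ordering lives in the caller and is not visible in the hunk. A line in the added comment should say so, e.g. `/* data.op_sg is set up by the caller before cmsg parsing */`, and the comment's "rmda" should read "rdma". The new `op_notify` bit in struct rm_data_op would also benefit from a note that it replaces `rdma.op_notify` for composite messages. In rds_rdma_send_complete() the `= 0` initialiser on `notify` is dead, since the variable is assigned unconditionally once the lock is taken.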
@@ -0,0 +1,29 @@
+drm-bridge-add-dt-bindings-for-ti-ths8135.patch
+rds-rdma-fix-the-composite-message-user-notification.patch
+mips-ensure-bss-section-ends-on-a-long-aligned-address.patch
+mips-kexec-do-not-reserve-invalid-crashkernel-memory-on-boot.patch
+sh_eth-use-correct-name-for-ecmr_mpde-bit.patch
+hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch
+arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch
+tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch
+ib-ipoib-fix-deadlock-over-vlan_mutex.patch
+ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch
+ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch
+usb-serial-mos7720-fix-control-message-error-handling.patch
+usb-serial-mos7840-fix-control-message-error-handling.patch
+pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch
+partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch
+audit-log-32-bit-socketcalls.patch
+net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch
+net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch
+team-fix-memory-leaks.patch
+usb-plusb-add-support-for-pl-27a1.patch
+mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch
+netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch
+exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch
+netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch
+parisc-perf-fix-potential-null-pointer-dereference.patch
+rds-ib-add-error-handle.patch
+md-raid10-submit-bio-directly-to-replacement-disk.patch
+xfs-remove-kmem_zalloc_greedy.patch
+libata-transport-remove-circular-dependency-at-free-time.patch
diff --git a/queue-3.18/sh_eth-use-correct-name-for-ecmr_mpde-bit.patch b/queue-3.18/sh_eth-use-correct-name-for-ecmr_mpde-bit.patch
new file mode 100644
index 00000000000..3b19343dc70
--- /dev/null
+++ b/queue-3.18/sh_eth-use-correct-name-for-ecmr_mpde-bit.patch
@@ -0,0 +1,33 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Niklas Söderlund
+Date: Mon, 9 Jan 2017 16:34:04 +0100
+Subject: sh_eth: use correct name for ECMR_MPDE bit
+
+From: Niklas Söderlund
+
+
+[ Upstream commit 6dcf45e514974a1ff10755015b5e06746a033e5f ]
+
+This bit was wrongly named due to a typo, Sergei checked the SH7734/63
+manuals and this bit should be named MPDE.
+
+Suggested-by: Sergei Shtylyov
+Signed-off-by: Niklas Söderlund
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/sh_eth.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -326,7 +326,7 @@ enum FELIC_MODE_BIT {
+ ECMR_DPAD = 0x00200000, ECMR_RZPF = 0x00100000,
+ ECMR_ZPF = 0x00080000, ECMR_PFR = 0x00040000, ECMR_RXF = 0x00020000,
+ ECMR_TXF = 0x00010000, ECMR_MCT = 0x00002000, ECMR_PRCEF = 0x00001000,
+- ECMR_PMDE = 0x00000200, ECMR_RE = 0x00000040, ECMR_TE = 0x00000020,
++ ECMR_MPDE = 0x00000200, ECMR_RE = 0x00000040, ECMR_TE = 0x00000020,
+ ECMR_RTM = 0x00000010, ECMR_ILB = 0x00000008, ECMR_ELB = 0x00000004,
+ ECMR_DM = 0x00000002, ECMR_PRM = 0x00000001,
+ };
diff --git a/queue-3.18/team-fix-memory-leaks.patch b/queue-3.18/team-fix-memory-leaks.patch
new file mode 100644
index 00000000000..76eb2d0c8d9
--- /dev/null
+++ b/queue-3.18/team-fix-memory-leaks.patch
@@ -0,0 +1,51 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Pan Bian
+Date: Mon, 24 Apr 2017 18:29:16 +0800
+Subject: team: fix memory leaks
+
+From: Pan Bian
+
+
+[ Upstream commit 72ec0bc64b9a5d8e0efcb717abfc757746b101b7 ]
+
+In functions team_nl_send_port_list_get() and
+team_nl_send_options_get(), pointer skb keeps the return value of
+nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
+freed(). This will result in memory leak bugs.
+
+Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
+Signed-off-by: Pan Bian
+Acked-by: Jiri Pirko
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/team/team.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2331,8 +2331,10 @@ start_again:
+
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI,
+ TEAM_CMD_OPTIONS_GET);
+- if (!hdr)
++ if (!hdr) {
++ nlmsg_free(skb);
+ return -EMSGSIZE;
++ }
+
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex))
+ goto nla_put_failure;
+@@ -2599,8 +2601,10 @@ start_again:
+
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI,
+ TEAM_CMD_PORT_LIST_GET);
+- if (!hdr)
++ if (!hdr) {
++ nlmsg_free(skb);
+ return -EMSGSIZE;
++ }
+
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex))
+ goto nla_put_failure;
diff --git a/queue-3.18/tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch b/queue-3.18/tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch
new file mode 100644
index 00000000000..cb1ac5b0a84
--- /dev/null
+++ b/queue-3.18/tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch
@@ -0,0 +1,31 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Christophe JAILLET
+Date: Mon, 9 Jan 2017 01:26:37 +0100
+Subject: tty: goldfish: Fix a parameter of a call to free_irq
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ]
+
+'request_irq()' and 'free_irq()' should be called with the same dev_id.
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/goldfish.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -295,7 +295,7 @@ static int goldfish_tty_probe(struct pla
+
+ tty_unregister_device(goldfish_tty_driver, i);
+ err_tty_register_device_failed:
+- free_irq(irq, pdev);
++ free_irq(irq, qtty);
+ err_request_irq_failed:
+ goldfish_tty_current_line_count--;
+ if (goldfish_tty_current_line_count == 0)
diff --git a/queue-3.18/usb-plusb-add-support-for-pl-27a1.patch b/queue-3.18/usb-plusb-add-support-for-pl-27a1.patch
new file mode 100644
index 00000000000..dd62275f4d5
--- /dev/null
+++ b/queue-3.18/usb-plusb-add-support-for-pl-27a1.patch
@@ -0,0 +1,70 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Roman Spychała
+Date: Thu, 20 Apr 2017 12:04:10 +0200
+Subject: usb: plusb: Add support for PL-27A1
+
+From: Roman Spychała
+
+
+[ Upstream commit 6f2aee0c0de65013333bbc26fe50c9c7b09a37f7 ]
+
+This patch adds support for the PL-27A1 by adding the appropriate
+USB ID's. This chip is used in the goobay Active USB 3.0 Data Link
+and Unitek Y-3501 cables.
+
+Signed-off-by: Roman Spychała
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/Kconfig | 2 +-
+ drivers/net/usb/plusb.c | 15 +++++++++++++--
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/Kconfig
++++ b/drivers/net/usb/Kconfig
+@@ -350,7 +350,7 @@ config USB_NET_NET1080
+ optionally with LEDs that indicate traffic
+
+ config USB_NET_PLUSB
+- tristate "Prolific PL-2301/2302/25A1 based cables"
++ tristate "Prolific PL-2301/2302/25A1/27A1 based cables"
+ # if the handshake/init/reset problems, from original 'plusb',
+ # are ever resolved ...
then remove "experimental"
+ depends on USB_USBNET
+--- a/drivers/net/usb/plusb.c
++++ b/drivers/net/usb/plusb.c
+@@ -102,7 +102,7 @@ static int pl_reset(struct usbnet *dev)
+ }
+
+ static const struct driver_info prolific_info = {
+- .description = "Prolific PL-2301/PL-2302/PL-25A1",
++ .description = "Prolific PL-2301/PL-2302/PL-25A1/PL-27A1",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT,
+ /* some PL-2302 versions seem to fail usb_set_interface() */
+ .reset = pl_reset,
+@@ -139,6 +139,17 @@ static const struct usb_device_id produc
+ * Host-to-Host Cable
+ */
+ .driver_info = (unsigned long) &prolific_info,
++
++},
++
++/* super speed cables */
++{
++ USB_DEVICE(0x067b, 0x27a1), /* PL-27A1, no eeprom
++ * also: goobay Active USB 3.0
++ * Data Link,
++ * Unitek Y-3501
++ */
++ .driver_info = (unsigned long) &prolific_info,
+ },
+
+ { }, // END
+@@ -158,5 +169,5 @@ static struct usb_driver plusb_driver =
+ module_usb_driver(plusb_driver);
+
+ MODULE_AUTHOR("David Brownell");
+-MODULE_DESCRIPTION("Prolific PL-2301/2302/25A1 USB Host to Host Link Driver");
++MODULE_DESCRIPTION("Prolific PL-2301/2302/25A1/27A1 USB Host to Host Link Driver");
+ MODULE_LICENSE("GPL");
diff --git a/queue-3.18/usb-serial-mos7720-fix-control-message-error-handling.patch b/queue-3.18/usb-serial-mos7720-fix-control-message-error-handling.patch
new file mode 100644
index 00000000000..b0fafef4b48
--- /dev/null
+++ b/queue-3.18/usb-serial-mos7720-fix-control-message-error-handling.patch
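Review bot: The new PL-27A1 entry in `plusb.c` is spliced in so that an added empty line lands inside the preceding initializer, between its `.driver_info` line and the closing `},`. It compiles, but it blurs where one table entry ends and the next begins; dropping that first added blank line before `},` keeps each entry visually closed. The `products[]` table starts outside the hunk, so the layout of the earlier entries is inferred rather than seen.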
@@ -0,0 +1,46 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 14:56:17 +0100
+Subject: USB: serial: mos7720: fix control-message error handling
+
+From: Johan Hovold
+
+
+[ Upstream commit 0d130367abf582e7cbf60075c2a7ab53817b1d14 ]
+
+Make sure to log an error on short transfers when reading a device
+register.
+
+Also clear the provided buffer (which if often an uninitialised
+automatic variable) on errors as the driver currently does not bother to
+check for errors.
+
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/mos7720.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -236,11 +236,16 @@ static int read_mos_reg(struct usb_seria
+
+ status = usb_control_msg(usbdev, pipe, request, requesttype, value,
+ index, buf, 1, MOS_WDR_TIMEOUT);
+- if (status == 1)
++ if (status == 1) {
+ *data = *buf;
+- else if (status < 0)
++ } else {
+ dev_err(&usbdev->dev,
+ "mos7720: usb_control_msg() failed: %d\n", status);
++ if (status >= 0)
++ status = -EIO;
++ *data = 0;
++ }
++
+ kfree(buf);
+
+ return status;
diff --git a/queue-3.18/usb-serial-mos7840-fix-control-message-error-handling.patch b/queue-3.18/usb-serial-mos7840-fix-control-message-error-handling.patch
new file mode 100644
index 00000000000..b99cdce4bdc
--- /dev/null
+++ b/queue-3.18/usb-serial-mos7840-fix-control-message-error-handling.patch
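Review bot: In `read_mos_reg()` the new `else` branch calls `dev_err()` with the raw `status` before mapping it to `-EIO`, so a short transfer is logged as `usb_control_msg() failed: 0`, which reads like success to someone triaging the log. Moving `if (status >= 0) status = -EIO;` above the `dev_err()` call, or wording the short-read case separately, makes the message unambiguous. Zeroing `*data` stops an uninitialised automatic variable from being consumed, but the commit text says callers do not check the return value, so they will act on a register value of 0. A comment on that line such as `/* callers ignore errors: return a defined value, not stack contents */` would record why it is there. The function starts and ends outside the hunk.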
@@ -0,0 +1,71 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 14:56:18 +0100
+Subject: USB: serial: mos7840: fix control-message error handling
+
+From: Johan Hovold
+
+
+[ Upstream commit cd8db057e93ddaacbec025b567490555d2bca280 ]
+
+Make sure to detect short transfers when reading a device register.
+
+The modem-status handling had sufficient error checks in place, but move
+handling of short transfers into the register accessor function itself
+for consistency.
+
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/mos7840.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -285,9 +285,15 @@ static int mos7840_get_reg_sync(struct u
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+ MCS_RD_RTYPE, 0, reg, buf, VENDOR_READ_LENGTH,
+ MOS_WDR_TIMEOUT);
++ if (ret < VENDOR_READ_LENGTH) {
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
++
+ *val = buf[0];
+ dev_dbg(&port->dev, "%s offset is %x, return val %x\n", __func__, reg, *val);
+-
++out:
+ kfree(buf);
+ return ret;
+ }
+@@ -353,8 +359,13 @@ static int mos7840_get_uart_reg(struct u
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+ MCS_RD_RTYPE, Wval, reg, buf, VENDOR_READ_LENGTH,
+ MOS_WDR_TIMEOUT);
++ if (ret < VENDOR_READ_LENGTH) {
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
+ *val = buf[0];
+-
++out:
+ kfree(buf);
+ return ret;
+ }
+@@ -1518,10 +1529,10 @@ static int mos7840_tiocmget(struct tty_s
+ return -ENODEV;
+
+ status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr);
+- if (status != 1)
++ if (status < 0)
+ return -EIO;
+ status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr);
+- if (status != 1)
++ if (status < 0)
+ return -EIO;
+ result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0)
+ | ((mcr & MCR_RTS) ?
TIOCM_RTS : 0)
diff --git a/queue-3.18/xfs-remove-kmem_zalloc_greedy.patch b/queue-3.18/xfs-remove-kmem_zalloc_greedy.patch
new file mode 100644
index 00000000000..35bb66e791e
--- /dev/null
+++ b/queue-3.18/xfs-remove-kmem_zalloc_greedy.patch
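Review bot: Unlike the mos7720 change earlier on this page, the new short-transfer branches in `mos7840_get_reg_sync()` and `mos7840_get_uart_reg()` jump to `out:` without writing `*val`, so a caller that ignores the return value would carry on with whatever its local variable already held. `mos7840_tiocmget()` in the third hunk does check the result, but the other callers are outside this diff; if any of them skip the check, adding `*val = 0;` before `goto out;` gives them a defined value. Separately, `mos7840_tiocmget()` now gets a negative errno from the helper yet still returns a hard-coded `-EIO`; `return status;` would preserve the underlying error. All three functions start outside their hunks.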
@@ -0,0 +1,95 @@
+From foo@baz Thu Oct 5 10:58:04 CEST 2017
+From: "Darrick J. Wong"
+Date: Mon, 6 Mar 2017 11:58:20 -0800
+Subject: xfs: remove kmem_zalloc_greedy
+
+From: "Darrick J. Wong"
+
+
+[ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ]
+
+The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses
+it to grab 1-4 pages for staging of inobt records. The infinite loop in
+the greedy allocation function is causing hangs[1] in generic/269, so
+just get rid of the greedy allocator in favor of kmem_zalloc_large.
+This makes bulkstat somewhat more likely to ENOMEM if there's really no
+pages to spare, but eliminates a source of hangs.
+
+[1] http://lkml.kernel.org/r/20170301044634.rgidgdqqiiwsmfpj%40XZHOUW.usersys.redhat.com
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+---
+v2: remove single-page fallback
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/kmem.c | 18 ------------------
+ fs/xfs/kmem.h | 2 --
+ fs/xfs/xfs_itable.c | 6 ++----
+ 3 files changed, 2 insertions(+), 24 deletions(-)
+
+--- a/fs/xfs/kmem.c
++++ b/fs/xfs/kmem.c
+@@ -24,24 +24,6 @@
+ #include "kmem.h"
+ #include "xfs_message.h"
+
+-/*
+- * Greedy allocation. May fail and may return vmalloced memory.
+- */
+-void *
+-kmem_zalloc_greedy(size_t *size, size_t minsize, size_t maxsize)
+-{
+- void *ptr;
+- size_t kmsize = maxsize;
+-
+- while (!(ptr = vzalloc(kmsize))) {
+- if ((kmsize >>= 1) <= minsize)
+- kmsize = minsize;
+- }
+- if (ptr)
+- *size = kmsize;
+- return ptr;
+-}
+-
+ void *
+ kmem_alloc(size_t size, xfs_km_flags_t flags)
+ {
+--- a/fs/xfs/kmem.h
++++ b/fs/xfs/kmem.h
+@@ -66,8 +66,6 @@ extern void *kmem_realloc(const void *,
+ extern void kmem_free(const void *);
+
+
+-extern void *kmem_zalloc_greedy(size_t *, size_t, size_t);
+-
+ static inline void *
+ kmem_zalloc(size_t size, xfs_km_flags_t flags)
+ {
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -356,7 +356,6 @@ xfs_bulkstat(
+ xfs_agino_t agino; /* inode # in allocation group */
+ xfs_agnumber_t agno; /* allocation group number */
+ xfs_btree_cur_t *cur; /* btree cursor for ialloc btree */
+- size_t irbsize; /* size of irec buffer in bytes */
+ xfs_inobt_rec_incore_t *irbuf; /* start of irec buffer */
+ int nirbuf; /* size of irbuf */
+ int ubcount; /* size of user's buffer */
+@@ -383,11 +382,10 @@ xfs_bulkstat(
+ *ubcountp = 0;
+ *done = 0;
+
+- irbuf = kmem_zalloc_greedy(&irbsize, PAGE_SIZE, PAGE_SIZE * 4);
++ irbuf = kmem_zalloc_large(PAGE_SIZE * 4, KM_SLEEP);
+ if (!irbuf)
+ return -ENOMEM;
+-
+- nirbuf = irbsize / sizeof(*irbuf);
++ nirbuf = (PAGE_SIZE * 4) / sizeof(*irbuf);
+
+ /*
+ * Loop over the allocation groups, starting from the last
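Review bot: The buffer size `PAGE_SIZE * 4` is now spelled out twice in `xfs_bulkstat()`, once in the `kmem_zalloc_large()` call and once in the `nirbuf` computation, with nothing tying the two together. If one is edited without the other, `nirbuf` would describe more records than `irbuf` can hold. Keeping a single local, e.g. `const size_t irbsize = PAGE_SIZE * 4;`, and using it in both `kmem_zalloc_large(irbsize, KM_SLEEP)` and `nirbuf = irbsize / sizeof(*irbuf);` removes that risk. The function body continues outside the hunk.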