From: Greg Kroah-Hartman
Date: Tue, 30 Aug 2016 08:52:48 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.14.78~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f25138989525ea3c194f8fd2031698321ffb3e04;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
parisc-fix-order-of-erefused-define-in-errno.h.patch
perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
powerpc-eeh-eeh_pci_enable-fix-checking-of-post-request-state.patch
sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
sunrpc-handle-eaddrnotavail-on-connection-failures.patch
vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
virtio-fix-memory-leak-in-virtqueue_add.patch
---
diff --git a/queue-4.4/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch b/queue-4.4/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
new file mode 100644
index 00000000000..7bede358f03
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
@@ -0,0 +1,31 @@
+From 7627e40c66b5547e12b6c5673646ceea84797a74 Mon Sep 17 00:00:00 2001
+From: Piotr Karasinski
+Date: Sat, 6 Aug 2016 21:23:05 +0200
+Subject: ALSA: usb-audio: Add a sample rate quirk for Creative Live! Cam Socialize HD (VF0610)
+
+From: Piotr Karasinski
+
+commit 7627e40c66b5547e12b6c5673646ceea84797a74 upstream.
+
+VF0610 does not support reading the sample rate which leads to many
+lines of "cannot get freq at ep 0x82". This patch adds the USB ID
+(0x041E:4080) to snd_usb_get_sample_rate_quirk() list.
+
+Signed-off-by: Piotr Karasinski
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1129,6 +1129,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+ {
+ /* devices which do not support reading the sample rate. */
+ switch (chip->usb_id) {
++ case USB_ID(0x041E, 0x4080): /* Creative Live Cam VF0610 */
+ case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema */
+ case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */
+ case USB_ID(0x045E, 0x076E): /* MS Lifecam HD-5001 */
diff --git a/queue-4.4/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch b/queue-4.4/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
new file mode 100644
index 00000000000..cab9c7a3fcb
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
@@ -0,0 +1,31 @@
+From 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)"
+Date: Mon, 8 Aug 2016 12:35:40 +0200
+Subject: ALSA: usb-audio: Add quirk for ELP HD USB Camera
+
+From: Vittorio Gambaletta (VittGam)
+
+commit 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 upstream.
+
+The ELP HD USB Camera (05a3:9420) needs this quirk for suppressing
+the unsupported sample rate inquiry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=98481
+Signed-off-by: Vittorio Gambaletta
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1140,6 +1140,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+ case USB_ID(0x047F, 0xAA05): /* Plantronics DA45 */
+ case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
+ case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
++ case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */
+ case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
+ case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+ case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
diff --git a/queue-4.4/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-4.4/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
new file mode 100644
index 00000000000..e6b64975bd6
--- /dev/null
+++ b/queue-4.4/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
@@ -0,0 +1,52 @@
+From 3146bc64d12377a74dbda12b96ea32da3774ae07 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Mon, 25 Jul 2016 16:59:52 +0100
+Subject: arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
+
+From: James Hogan
+
+commit 3146bc64d12377a74dbda12b96ea32da3774ae07 upstream.
+
+AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
+NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
+for arm64 at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
+for the VDSO address.
+
+This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
+AT_BASE_PLATFORM which arm64 doesn't use, but lets define it now and add
+the comment above ARCH_DLINFO as found in several other architectures to
+remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
+date.
+
+Fixes: f668cd1673aa ("arm64: ELF definitions")
+Signed-off-by: James Hogan
+Cc: Catalin Marinas
+Cc: Will Deacon
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/elf.h | 1 +
+ arch/arm64/include/uapi/asm/auxvec.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -136,6 +136,7 @@ typedef struct user_fpsimd_state elf_fpr
+
+ #define SET_PERSONALITY(ex) clear_thread_flag(TIF_32BIT);
+
++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
+ #define ARCH_DLINFO \
+ do { \
+ NEW_AUX_ENT(AT_SYSINFO_EHDR, \
+--- a/arch/arm64/include/uapi/asm/auxvec.h
++++ b/arch/arm64/include/uapi/asm/auxvec.h
+@@ -19,4 +19,6 @@
+ /* vDSO location */
+ #define AT_SYSINFO_EHDR 33
+
++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
++
+ #endif
diff --git a/queue-4.4/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch b/queue-4.4/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
new file mode 100644
index 00000000000..51f15389963
--- /dev/null
+++ b/queue-4.4/libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
@@ -0,0 +1,54 @@
+From 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c Mon Sep 17 00:00:00 2001
+From: Ross Zwisler
+Date: Fri, 29 Jul 2016 14:59:12 -0600
+Subject: libnvdimm, nd_blk: mask off reserved status bits
+
+From: Ross Zwisler
+
+commit 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c upstream.
+
+The "NVDIMM Block Window Driver Writer's Guide":
+
+ http://pmem.io/documents/NVDIMM_DriverWritersGuide-July-2016.pdf
+
+...defines the layout of the block window status register. For the July
+2016 version of the spec linked to above, this happens in Figure 4 on
+page 26.
+
+The only bits defined in this spec are bits 31, 5, 4, 2, 1 and 0. The
+rest of the bits in the status register are reserved, and there is a
+warning following the diagram that says:
+
+ Note: The driver cannot assume the value of the RESERVED bits in the
+ status register are zero. These reserved bits need to be masked off, and
+ the driver must avoid checking the state of those bits.
+
+This change ensures that for hardware implementations that set these
+reserved bits in the status register, the driver won't incorrectly fail the
+block I/Os.
+
+Reviewed-by: Lee, Chun-Yi
+Signed-off-by: Ross Zwisler
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/nfit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit.c
++++ b/drivers/acpi/nfit.c
+@@ -1072,11 +1072,12 @@ static u32 read_blk_stat(struct nfit_blk
+ {
+ struct nfit_blk_mmio *mmio = &nfit_blk->mmio[DCR];
+ u64 offset = nfit_blk->stat_offset + mmio->size * bw;
++ const u32 STATUS_MASK = 0x80000037;
+
+ if (mmio->num_lines)
+ offset = to_interleave_offset(offset, mmio);
+
+- return readl(mmio->addr.base + offset);
++ return readl(mmio->addr.base + offset) & STATUS_MASK;
+ }
+
+ static void write_blk_ctl(struct nfit_blk *nfit_blk, unsigned int bw,
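Review bot: In the drivers/acpi/nfit.c hunk, `STATUS_MASK` is a function-local `const u32` named like a macro, and nothing in the code ties `0x80000037` to the bit numbers it stands for. The commit message lists the defined bits as 31, 5, 4, 2, 1 and 0, which is what the constant encodes, but a reader of read_blk_stat() will not have that message to hand. I would add a comment on the declaration such as `/* defined status bits 31, 5, 4, 2, 1, 0; all other bits are reserved and must be masked off */`, or move the value to a file-scope `#define`. Any caller that later tests a status bit outside this mask will silently read zero, so the mask has to be kept in step with the spec revision it was taken from.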
diff --git a/queue-4.4/parisc-fix-order-of-erefused-define-in-errno.h.patch b/queue-4.4/parisc-fix-order-of-erefused-define-in-errno.h.patch
new file mode 100644
index 00000000000..dac19c0e78a
--- /dev/null
+++ b/queue-4.4/parisc-fix-order-of-erefused-define-in-errno.h.patch
@@ -0,0 +1,41 @@
+From 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sat, 20 Aug 2016 11:51:38 +0200
+Subject: parisc: Fix order of EREFUSED define in errno.h
+
+From: Helge Deller
+
+commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream.
+
+When building gccgo in userspace, errno.h gets parsed and the go include file
+sysinfo.go is generated.
+
+Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
+is defined later on in errno.h, this leads to go complaining that EREFUSED
+isn't defined yet.
+
+Fix this trivial problem by moving the define of EREFUSED down after
+ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/uapi/asm/errno.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/errno.h
++++ b/arch/parisc/include/uapi/asm/errno.h
+@@ -97,10 +97,10 @@
+ #define ENOTCONN 235 /* Transport endpoint is not connected */
+ #define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */
+ #define ETOOMANYREFS 237 /* Too many references: cannot splice */
+-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+ #define ETIMEDOUT 238 /* Connection timed out */
+ #define ECONNREFUSED 239 /* Connection refused */
+-#define EREMOTERELEASE 240 /* Remote peer released connection */
++#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
++#define EREMOTERELEASE 240 /* Remote peer released connection */
+ #define EHOSTDOWN 241 /* Host is down */
+ #define EHOSTUNREACH 242 /* No route to host */
+
diff --git a/queue-4.4/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch b/queue-4.4/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
new file mode 100644
index 00000000000..38125412b84
--- /dev/null
+++ b/queue-4.4/perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
@@ -0,0 +1,59 @@
+From 3d918fb13abdbeca7947578f5d7e426eafad7f5e Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Mon, 15 Aug 2016 10:23:04 +0300
+Subject: perf intel-pt: Fix occasional decoding errors when tracing system-wide
+
+From: Adrian Hunter
+
+commit 3d918fb13abdbeca7947578f5d7e426eafad7f5e upstream.
+
+In order to successfully decode Intel PT traces, context switch events
+are needed from the moment the trace starts. Currently that is ensured
+by using the 'immediate' flag which enables the switch event when it is
+opened.
+
+However, since commit 86c2786994bd ("perf intel-pt: Add support for
+PERF_RECORD_SWITCH") that might not always happen. When tracing
+system-wide the context switch event is added to the tracking event
+which was not set as 'immediate'. Change that so it is.
+
+Signed-off-by: Adrian Hunter
+Cc: Jiri Olsa
+Fixes: 86c2786994bd ("perf intel-pt: Add support for PERF_RECORD_SWITCH")
+Link: http://lkml.kernel.org/r/1471245784-22580-1-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/arch/x86/util/intel-pt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/x86/util/intel-pt.c
++++ b/tools/perf/arch/x86/util/intel-pt.c
+@@ -499,7 +499,7 @@ static int intel_pt_recording_options(st
+ struct intel_pt_recording *ptr =
+ container_of(itr, struct intel_pt_recording, itr);
+ struct perf_pmu *intel_pt_pmu = ptr->intel_pt_pmu;
+- bool have_timing_info;
++ bool have_timing_info, need_immediate = false;
+ struct perf_evsel *evsel, *intel_pt_evsel = NULL;
+ const struct cpu_map *cpus = evlist->cpus;
+ bool privileged = geteuid() == 0 || perf_event_paranoid() < 0;
+@@ -653,6 +653,7 @@ static int intel_pt_recording_options(st
+ ptr->have_sched_switch = 3;
+ } else {
+ opts->record_switch_events = true;
++ need_immediate = true;
+ if (cpu_wide)
+ ptr->have_sched_switch = 3;
+ else
+@@ -698,6 +699,9 @@ static int
intel_pt_recording_options(st
+ tracking_evsel->attr.freq = 0;
+ tracking_evsel->attr.sample_period = 1;
+
++ if (need_immediate)
++ tracking_evsel->immediate = true;
++
+ /* In per-cpu case, always need the time of mmap events etc */
+ if (!cpu_map__empty(cpus)) {
+ perf_evsel__set_sample_bit(tracking_evsel, TIME);
diff --git a/queue-4.4/powerpc-eeh-eeh_pci_enable-fix-checking-of-post-request-state.patch b/queue-4.4/powerpc-eeh-eeh_pci_enable-fix-checking-of-post-request-state.patch
new file mode 100644
index 00000000000..3a6da7d1a7a
--- /dev/null
+++ b/queue-4.4/powerpc-eeh-eeh_pci_enable-fix-checking-of-post-request-state.patch
@@ -0,0 +1,53 @@
+From 949e9b827eb4736d96df520c67d07a54c64e99b8 Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan
+Date: Fri, 23 Oct 2015 17:19:46 +1100
+Subject: powerpc/eeh: eeh_pci_enable(): fix checking of post-request state
+
+From: Andrew Donnellan
+
+commit 949e9b827eb4736d96df520c67d07a54c64e99b8 upstream.
+
+In eeh_pci_enable(), after making the request to set the new options, we
+call eeh_ops->wait_state() to check that the request finished successfully.
+
+At the moment, if eeh_ops->wait_state() returns 0, we return 0 without
+checking that it reflects the expected outcome. This can lead to callers
+further up the chain incorrectly assuming the slot has been successfully
+unfrozen and continuing to attempt recovery.
+
+On powernv, this will occur if pnv_eeh_get_pe_state() or
+pnv_eeh_get_phb_state() return 0, which in turn occurs if the relevant OPAL
+call returns OPAL_EEH_STOPPED_MMIO_DMA_FREEZE or
+OPAL_EEH_PHB_ERROR respectively.
+
+On pseries, this will occur if pseries_eeh_get_state() returns 0, which in
+turn occurs if RTAS reports that the PE is in the MMIO Stopped and DMA
+Stopped states.
+
+Obviously, none of these cases represent a successful completion of a
+request to thaw MMIO or DMA.
+
+Fix the check so that a wait_state() return value of 0 won't be considered
+successful for the EEH_OPT_THAW_MMIO or EEH_OPT_THAW_DMA cases.
+
+Signed-off-by: Andrew Donnellan
+Acked-by: Gavin Shan
+Reviewed-by: Daniel Axtens
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/eeh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -677,7 +677,7 @@ int eeh_pci_enable(struct eeh_pe *pe, in
+ /* Check if the request is finished successfully */
+ if (active_flag) {
+ rc = eeh_ops->wait_state(pe, PCI_BUS_RESET_WAIT_MSEC);
+- if (rc <= 0)
++ if (rc < 0)
+ return rc;
+
+ if (rc & active_flag)
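Review bot: In the arch/powerpc/kernel/eeh.c hunk, a wait_state() result of 0 now falls through to `if (rc & active_flag)`, which can never be true for 0, so what the caller gets for the fully-stopped state depends on the statement after that test, which is outside the hunk. The existing comment `/* Check if the request is finished successfully */` does not say that 0 is a valid state value rather than a success code, which is the misunderstanding this change corrects. I would add a line above the test such as `/* rc < 0 is an error; rc == 0 means neither MMIO nor DMA is active and must not be reported as success */` so a later cleanup does not restore `<=`. eeh_pci_enable() begins and ends outside the hunk.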
diff --git a/queue-4.4/series b/queue-4.4/series
index af3fbe063d8..9b17e4f9511 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -2,3 +2,14 @@ hugetlb-fix-nr_pmds-accounting-with-shared-page-tables.patch
 x86-mm-disable-preemption-during-cr3-read-write.patch
 uprobes-x86-fix-rip-relative-handling-of-evex-encoded-instructions.patch
 tools-testing-nvdimm-fix-sigterm-vs-hotplug-crash.patch
+sunrpc-handle-eaddrnotavail-on-connection-failures.patch
+sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
+powerpc-eeh-eeh_pci_enable-fix-checking-of-post-request-state.patch
+alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
+alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
+arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
+parisc-fix-order-of-erefused-define-in-errno.h.patch
+virtio-fix-memory-leak-in-virtqueue_add.patch
+vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
+perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
+libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
diff --git a/queue-4.4/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch b/queue-4.4/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
new file mode 100644
index 00000000000..de0b0c3c132
--- /dev/null
+++ b/queue-4.4/sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
@@ -0,0 +1,59 @@
+From 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Wed, 3 Aug 2016 20:19:48 -0400
+Subject: SUNRPC: allow for upcalls for same uid but different gss service
+
+From: Olga Kornievskaia
+
+commit 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 upstream.
+
+It's possible to have simultaneous upcalls for the same UIDs but
+different GSS service. In that case, we need to allow for the
+upcall to gssd to proceed so that not the same context is used
+by two different GSS services. Some servers lock the use of context
+to the GSS service.
+
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/auth_gss/auth_gss.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -340,12 +340,14 @@ gss_release_msg(struct gss_upcall_msg *g
+ }
+
+ static struct gss_upcall_msg *
+-__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid)
++__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth)
+ {
+ struct gss_upcall_msg *pos;
+ list_for_each_entry(pos, &pipe->in_downcall, list) {
+ if (!uid_eq(pos->uid, uid))
+ continue;
++ if (auth && pos->auth->service != auth->service)
++ continue;
+ atomic_inc(&pos->count);
+ dprintk("RPC: %s found msg %p\n", __func__, pos);
+ return pos;
+@@ -365,7 +367,7 @@ gss_add_msg(struct gss_upcall_msg *gss_m
+ struct gss_upcall_msg *old;
+
+ spin_lock(&pipe->lock);
+- old = __gss_find_upcall(pipe, gss_msg->uid);
++ old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
+ if (old == NULL) {
+ atomic_inc(&gss_msg->count);
+ list_add(&gss_msg->list, &pipe->in_downcall);
+@@ -714,7 +716,7 @@ gss_pipe_downcall(struct file *filp, con
+ err = -ENOENT;
+ /* Find a matching upcall */
+ spin_lock(&pipe->lock);
+- gss_msg = __gss_find_upcall(pipe, uid);
++ gss_msg = __gss_find_upcall(pipe, uid, NULL);
+ if (gss_msg == NULL) {
+ spin_unlock(&pipe->lock);
+ goto err_put_ctx;
diff --git a/queue-4.4/sunrpc-handle-eaddrnotavail-on-connection-failures.patch b/queue-4.4/sunrpc-handle-eaddrnotavail-on-connection-failures.patch
new file mode 100644
index 00000000000..27aa0741ea2
--- /dev/null
+++ b/queue-4.4/sunrpc-handle-eaddrnotavail-on-connection-failures.patch
@@ -0,0 +1,36 @@
+From 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 1 Aug 2016 13:36:08 -0400
+Subject: SUNRPC: Handle EADDRNOTAVAIL on connection failures
+
+From: Trond Myklebust
+
+commit 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d upstream.
+
+If the connect attempt immediately fails with an EADDRNOTAVAIL error, then
+that means our choice of source port number was bad.
+This error is expected when we set the SO_REUSEPORT socket option and we
+have 2 sockets sharing the same source and destination address and port
+combinations.
+
+Signed-off-by: Trond Myklebust
+Fixes: 402e23b4ed9ed ("SUNRPC: Fix stupid typo in xs_sock_set_reuseport")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprtsock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2286,6 +2286,10 @@ static int xs_tcp_finish_connecting(stru
+ /* SYN_SENT! */
+ if (xprt->reestablish_timeout < XS_TCP_INIT_REEST_TO)
+ xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO;
++ break;
++ case -EADDRNOTAVAIL:
++ /* Source port number is unavailable. Try a new one! */
++ transport->srcport = 0;
+ }
+ out:
+ return ret;
diff --git a/queue-4.4/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch b/queue-4.4/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
new file mode 100644
index 00000000000..71c53b7794e
--- /dev/null
+++ b/queue-4.4/vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
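Review bot: In the net/sunrpc/auth_gss/auth_gss.c patch, `__gss_find_upcall()` now treats a NULL `auth` as "match any service" and gss_pipe_downcall() relies on that by passing `NULL`, but nothing on the function states it. With two upcalls queued for the same uid and different services, the downcall lookup still returns whichever entry comes first on `pipe->in_downcall`, so the context written back may be attached to the upcall for the other service; whether the downcall carries enough information to tell them apart is not visible in these hunks. The added test also dereferences `pos->auth` unconditionally, which assumes every queued message has `auth` set. I would document the contract above the function, for example `/* auth == NULL matches an upcall for any service (downcall path); pos->auth is assumed non-NULL */`, and record the downcall ambiguity as a known limitation.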
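Review bot: In the net/sunrpc/xprtsock.c hunk, the new `case -EADDRNOTAVAIL:` is the last arm of the switch in xs_tcp_finish_connecting() and ends without a `break;`, although the same hunk had to add a `break;` to the preceding arm because it used to run off the end of the switch. Adding `break;` after `transport->srcport = 0;` stops the next arm someone appends from inheriting the port reset by fall-through. The switch head is outside the hunk, so I cannot tell whether a `default:` arm exists.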
@@ -0,0 +1,153 @@
+From c8952a707556e04374d7b2fdb3a079d63ddf6f2f Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Mon, 8 Aug 2016 16:16:23 -0600
+Subject: vfio/pci: Fix NULL pointer oops in error interrupt setup handling
+
+From: Alex Williamson
+
+commit c8952a707556e04374d7b2fdb3a079d63ddf6f2f upstream.
+
+There are multiple cases in vfio_pci_set_ctx_trigger_single() where
+we assume we can safely read from our data pointer without actually
+checking whether the user has passed any data via the count field.
+VFIO_IRQ_SET_DATA_NONE in particular is entirely broken since we
+attempt to pull an int32_t file descriptor out before even checking
+the data type. The other data types assume the data pointer contains
+one element of their type as well.
+
+In part this is good news because we were previously restricted from
+doing much sanitization of parameters because it was missed in the
+past and we didn't want to break existing users. Clearly DATA_NONE
+is completely broken, so it must not have any users and we can fix
+it up completely. For DATA_BOOL and DATA_EVENTFD, we'll just
+protect ourselves, returning error when count is zero since we
+previously would have oopsed.
+
+Signed-off-by: Alex Williamson
+Reported-by: Chris Thompson
+Reviewed-by: Eric Auger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 85 +++++++++++++++++++++-----------------
+ 1 file changed, 49 insertions(+), 36 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -563,67 +563,80 @@ static int vfio_pci_set_msi_trigger(stru
+ }
+
+ static int vfio_pci_set_ctx_trigger_single(struct eventfd_ctx **ctx,
+- uint32_t flags, void *data)
++ unsigned int count, uint32_t flags,
++ void *data)
+ {
+- int32_t fd = *(int32_t *)data;
+-
+- if (!(flags & VFIO_IRQ_SET_DATA_TYPE_MASK))
+- return -EINVAL;
+-
+ /* DATA_NONE/DATA_BOOL enables loopback testing */
+ if (flags & VFIO_IRQ_SET_DATA_NONE) {
+- if (*ctx)
+- eventfd_signal(*ctx, 1);
+- return 0;
++ if (*ctx) {
++ if (count) {
++ eventfd_signal(*ctx, 1);
++ } else {
++ eventfd_ctx_put(*ctx);
++ *ctx = NULL;
++ }
++ return 0;
++ }
+ } else if (flags & VFIO_IRQ_SET_DATA_BOOL) {
+- uint8_t trigger = *(uint8_t *)data;
++ uint8_t trigger;
++
++ if (!count)
++ return -EINVAL;
++
++ trigger = *(uint8_t *)data;
+ if (trigger && *ctx)
+ eventfd_signal(*ctx, 1);
+- return 0;
+- }
+
+- /* Handle SET_DATA_EVENTFD */
+- if (fd == -1) {
+- if (*ctx)
+- eventfd_ctx_put(*ctx);
+- *ctx = NULL;
+ return 0;
+- } else if (fd >= 0) {
+- struct eventfd_ctx *efdctx;
+- efdctx = eventfd_ctx_fdget(fd);
+- if (IS_ERR(efdctx))
+- return PTR_ERR(efdctx);
+- if (*ctx)
+- eventfd_ctx_put(*ctx);
+- *ctx = efdctx;
++ } else if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
++ int32_t fd;
++
++ if (!count)
++ return -EINVAL;
++
++ fd = *(int32_t *)data;
++ if (fd == -1) {
++ if (*ctx)
++ eventfd_ctx_put(*ctx);
++ *ctx = NULL;
++ } else if (fd >= 0) {
++ struct eventfd_ctx *efdctx;
++
++ efdctx = eventfd_ctx_fdget(fd);
++ if (IS_ERR(efdctx))
++ return PTR_ERR(efdctx);
++
++ if (*ctx)
++ eventfd_ctx_put(*ctx);
++
++ *ctx = efdctx;
++ }
+ return 0;
+- } else
+- return -EINVAL;
++ }
++
++
return -EINVAL;
+ }
+
+ static int vfio_pci_set_err_trigger(struct vfio_pci_device *vdev,
+ unsigned index, unsigned start,
+ unsigned count, uint32_t flags, void *data)
+ {
+- if (index != VFIO_PCI_ERR_IRQ_INDEX)
++ if (index != VFIO_PCI_ERR_IRQ_INDEX || start != 0 || count > 1)
+ return -EINVAL;
+
+- /*
+- * We should sanitize start & count, but that wasn't caught
+- * originally, so this IRQ index must forever ignore them :-(
+- */
+-
+- return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger, flags, data);
++ return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger,
++ count, flags, data);
+ }
+
+ static int vfio_pci_set_req_trigger(struct vfio_pci_device *vdev,
+ unsigned index, unsigned start,
+ unsigned count, uint32_t flags, void *data)
+ {
+- if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count != 1)
++ if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count > 1)
+ return -EINVAL;
+
+- return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger, flags, data);
++ return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger,
++ count, flags, data);
+ }
+
+ int vfio_pci_set_irqs_ioctl(struct vfio_pci_device *vdev, uint32_t flags,
diff --git a/queue-4.4/virtio-fix-memory-leak-in-virtqueue_add.patch b/queue-4.4/virtio-fix-memory-leak-in-virtqueue_add.patch
new file mode 100644
index 00000000000..c514420e306
--- /dev/null
+++ b/queue-4.4/virtio-fix-memory-leak-in-virtqueue_add.patch
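Review bot: In the new `VFIO_IRQ_SET_DATA_EVENTFD` branch of vfio_pci_set_ctx_trigger_single(), an fd below -1 matches neither `fd == -1` nor `fd >= 0` and reaches `return 0;`, whereas the removed code ended that chain with `else return -EINVAL;`. A caller passing an invalid negative descriptor is therefore told the trigger was set while `*ctx` is left unchanged. Restoring the final arm, `} else { return -EINVAL; }` after the `fd >= 0` block, keeps the old rejection. Separately, the `DATA_NONE` branch falls through to `-EINVAL` when `*ctx` is already NULL, and the comment `/* DATA_NONE/DATA_BOOL enables loopback testing */` no longer covers the new meaning of DATA_NONE with a zero count (release the trigger); a sentence saying so on that branch would help.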
@@ -0,0 +1,35 @@
+From 58625edf9e2515ed41dac2a24fa8004030a87b87 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Tue, 2 Aug 2016 14:16:31 +0000
+Subject: virtio: fix memory leak in virtqueue_add()
+
+From: Wei Yongjun
+
+commit 58625edf9e2515ed41dac2a24fa8004030a87b87 upstream.
+
+When using the indirect buffers feature, 'desc' is allocated in
+virtqueue_add() but isn't freed before leaving on a ring full error,
+causing a memory leak.
+
+For example, it seems rather clear that this can trigger
+with virtio net if mergeable buffers are not used.
+
+Signed-off-by: Wei Yongjun
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_ring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -202,6 +202,8 @@ static inline int virtqueue_add(struct v
+ * host should service the ring ASAP. */
+ if (out_sgs)
+ vq->notify(&vq->vq);
++ if (indirect)
++ kfree(desc);
+ END_USE(vq);
+ return -ENOSPC;
+ }