From: Greg Kroah-Hartman Date: Mon, 4 Sep 2017 10:52:13 +0000 (+0200) Subject: 4.12-stable patches X-Git-Tag: v3.18.70~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f494a2b05618e4a2ee1ac2eab4a43e2643ba1113;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: alpha-uapi-add-support-for-__sane_userspace_types__.patch ceph-fix-readpage-from-fscache.patch cifs-fix-maximum-smb2-header-size.patch cifs-remove-endian-related-sparse-warning.patch cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch dm-mpath-do-not-lock-up-a-cpu-with-requeuing-activity.patch drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch drm-vmwgfx-fix-f26-wayland-screen-update-issue.patch lib-mpi-kunmap-after-finishing-accessing-buffer.patch mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch mmc-sdhci-xenon-add-set_power-callback.patch wl1251-add-a-missing-spin_lock_init.patch xfrm-policy-check-policy-direction-value.patch --- diff --git a/queue-4.12/alpha-uapi-add-support-for-__sane_userspace_types__.patch b/queue-4.12/alpha-uapi-add-support-for-__sane_userspace_types__.patch new file mode 100644 index 00000000000..fc21f0670db --- /dev/null +++ b/queue-4.12/alpha-uapi-add-support-for-__sane_userspace_types__.patch 
@@ -0,0 +1,58 @@ +From cec80d82142ab25c71eee24b529cfeaf17c43062 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Thu, 1 Oct 2015 01:35:55 +0100 +Subject: alpha: uapi: Add support for __SANE_USERSPACE_TYPES__ + +From: Ben Hutchings + +commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream. + +This fixes compiler errors in perf such as: + +tests/attr.c: In function 'store_event': +tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=] + snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir, + ^ + +Signed-off-by: Ben Hutchings +Tested-by: Michael Cree +Signed-off-by: Matt Turner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/include/asm/types.h | 2 +- + arch/alpha/include/uapi/asm/types.h | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/alpha/include/asm/types.h ++++ b/arch/alpha/include/asm/types.h +@@ -1,6 +1,6 @@ + #ifndef _ALPHA_TYPES_H + #define _ALPHA_TYPES_H + +-#include ++#include + + #endif /* _ALPHA_TYPES_H */ +--- a/arch/alpha/include/uapi/asm/types.h ++++ b/arch/alpha/include/uapi/asm/types.h +@@ -9,8 +9,18 @@ + * need to be careful to avoid a name clashes. + */ + +-#ifndef __KERNEL__ ++/* ++ * This is here because we used to use l64 for alpha ++ * and we don't want to impact user mode with our change to ll64 ++ * in the kernel. ++ * ++ * However, some user programs are fine with this. They can ++ * flag __SANE_USERSPACE_TYPES__ to get int-ll64.h here. ++ */ ++#if !defined(__SANE_USERSPACE_TYPES__) && !defined(__KERNEL__) + #include ++#else ++#include + #endif + + #endif /* _UAPI_ALPHA_TYPES_H */ diff --git a/queue-4.12/ceph-fix-readpage-from-fscache.patch b/queue-4.12/ceph-fix-readpage-from-fscache.patch new file mode 100644 index 00000000000..26e34b19289 --- /dev/null +++ b/queue-4.12/ceph-fix-readpage-from-fscache.patch 
@@ -0,0 +1,121 @@ +From dd2bc473482eedc60c29cf00ad12568ce40ce511 Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Fri, 4 Aug 2017 11:22:31 +0800 +Subject: ceph: fix readpage from fscache + +From: Yan, Zheng + +commit dd2bc473482eedc60c29cf00ad12568ce40ce511 upstream. + +ceph_readpage() unlocks page prematurely prematurely in the case +that page is reading from fscache. Caller of readpage expects that +page is uptodate when it get unlocked. So page shoule get locked +by completion callback of fscache_read_or_alloc_pages() + +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/addr.c | 24 +++++++++++++++--------- + fs/ceph/cache.c | 12 +++--------- + 2 files changed, 18 insertions(+), 18 deletions(-) + +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -189,7 +189,7 @@ static int ceph_releasepage(struct page + /* + * read a single page, without unlocking it. + */ +-static int readpage_nounlock(struct file *filp, struct page *page) ++static int ceph_do_readpage(struct file *filp, struct page *page) + { + struct inode *inode = file_inode(filp); + struct ceph_inode_info *ci = ceph_inode(inode); +@@ -219,7 +219,7 @@ static int readpage_nounlock(struct file + + err = ceph_readpage_from_fscache(inode, page); + if (err == 0) +- goto out; ++ return -EINPROGRESS; + + dout("readpage inode %p file %p page %p index %lu\n", + inode, filp, page, page->index); +@@ -249,8 +249,11 @@ out: + + static int ceph_readpage(struct file *filp, struct page *page) + { +- int r = readpage_nounlock(filp, page); +- unlock_page(page); ++ int r = ceph_do_readpage(filp, page); ++ if (r != -EINPROGRESS) ++ unlock_page(page); ++ else ++ r = 0; + return r; + } + +@@ -1240,7 +1243,7 @@ retry_locked: + goto retry_locked; + r = writepage_nounlock(page, NULL); + if (r < 0) +- goto fail_nosnap; ++ goto fail_unlock; + goto retry_locked; + } + +@@ -1268,11 +1271,14 @@ retry_locked: + } + + /* we need to read it. 
*/ +- r = readpage_nounlock(file, page); +- if (r < 0) +- goto fail_nosnap; ++ r = ceph_do_readpage(file, page); ++ if (r < 0) { ++ if (r == -EINPROGRESS) ++ return -EAGAIN; ++ goto fail_unlock; ++ } + goto retry_locked; +-fail_nosnap: ++fail_unlock: + unlock_page(page); + return r; + } +--- a/fs/ceph/cache.c ++++ b/fs/ceph/cache.c +@@ -240,13 +240,7 @@ void ceph_fscache_file_set_cookie(struct + } + } + +-static void ceph_vfs_readpage_complete(struct page *page, void *data, int error) +-{ +- if (!error) +- SetPageUptodate(page); +-} +- +-static void ceph_vfs_readpage_complete_unlock(struct page *page, void *data, int error) ++static void ceph_readpage_from_fscache_complete(struct page *page, void *data, int error) + { + if (!error) + SetPageUptodate(page); +@@ -274,7 +268,7 @@ int ceph_readpage_from_fscache(struct in + return -ENOBUFS; + + ret = fscache_read_or_alloc_page(ci->fscache, page, +- ceph_vfs_readpage_complete, NULL, ++ ceph_readpage_from_fscache_complete, NULL, + GFP_KERNEL); + + switch (ret) { +@@ -303,7 +297,7 @@ int ceph_readpages_from_fscache(struct i + return -ENOBUFS; + + ret = fscache_read_or_alloc_pages(ci->fscache, mapping, pages, nr_pages, +- ceph_vfs_readpage_complete_unlock, ++ ceph_readpage_from_fscache_complete, + NULL, mapping_gfp_mask(mapping)); + + switch (ret) { diff --git a/queue-4.12/cifs-fix-maximum-smb2-header-size.patch b/queue-4.12/cifs-fix-maximum-smb2-header-size.patch new file mode 100644 index 00000000000..2eb3997ba89 --- /dev/null +++ b/queue-4.12/cifs-fix-maximum-smb2-header-size.patch 
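Review bot: The new `return -EINPROGRESS;` in ceph_do_readpage and the `if (r == -EINPROGRESS) return -EAGAIN;` in the second addr.c hunk change who is responsible for unlocking the page, and neither site says so. I would annotate the branch in ceph_readpage with `/* -EINPROGRESS: the fscache read is still in flight; its completion callback unlocks the page, so leave it locked and report success */` and the -EAGAIN return with `/* page stays locked until fscache completes; presumably the caller's retry loop re-locks it — confirm */`. The function containing `retry_locked:` and ceph_readpage_from_fscache_complete both start or end outside the hunks shown. The header comment of ceph_do_readpage, which still reads `read a single page, without unlocking it.`, would be the natural place to state the -EINPROGRESS contract once.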
@@ -0,0 +1,37 @@ +From 9e37b1784f2be9397a903307574ee565bbadfd75 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Thu, 24 Aug 2017 15:16:40 -0700 +Subject: CIFS: Fix maximum SMB2 header size + +From: Pavel Shilovsky + +commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream. + +Currently the maximum size of SMB2/3 header is set incorrectly which +leads to hanging of directory listing operations on encrypted SMB3 +connections. Fix this by setting the maximum size to 170 bytes that +is calculated as RFC1002 length field size (4) + transform header +size (52) + SMB2 header size (64) + create response size (56). + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Acked-by: Sachin Prabhu +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -84,8 +84,8 @@ + + #define NUMBER_OF_SMB2_COMMANDS 0x0013 + +-/* BB FIXME - analyze following length BB */ +-#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */ ++/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */ ++#define MAX_SMB2_HDR_SIZE 0x00b0 + + #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe) + #define SMB2_TRANSFORM_PROTO_NUM cpu_to_le32(0x424d53fd) diff --git a/queue-4.12/cifs-remove-endian-related-sparse-warning.patch b/queue-4.12/cifs-remove-endian-related-sparse-warning.patch new file mode 100644 index 00000000000..2d51c63a5ca --- /dev/null +++ b/queue-4.12/cifs-remove-endian-related-sparse-warning.patch 
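Review bot: The new comment above `#define MAX_SMB2_HDR_SIZE 0x00b0` lists components that sum to 4 + 52 + 64 + 56 = 176, which matches 0xb0, while the changelog in the same hunk says 170 bytes, so the next reader has to redo the arithmetic to decide which is right. I would spell the total out in the comment, `/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp = 176 */`, so the value can be checked at a glance. The changelog figure should be corrected to 176 in any later resend as well.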
@@ -0,0 +1,32 @@ +From 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sun, 27 Aug 2017 16:56:08 -0500 +Subject: CIFS: remove endian related sparse warning + +From: Steve French + +commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream. + +Recent patch had an endian warning ie +cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() + +Signed-off-by: Steve French +CC: Ronnie Sahlberg +Acked-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -205,7 +205,7 @@ check_name(struct dentry *direntry, stru + int i; + + if (unlikely(direntry->d_name.len > +- tcon->fsAttrInfo.MaxPathNameComponentLength)) ++ le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength))) + return -ENAMETOOLONG; + + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) { diff --git a/queue-4.12/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch b/queue-4.12/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch new file mode 100644 index 00000000000..2a9dd070581 --- /dev/null +++ b/queue-4.12/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch 
@@ -0,0 +1,51 @@ +From b339752d054fb32863418452dff350a1086885b1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 28 Aug 2017 14:51:27 -0700 +Subject: cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs + +From: Tejun Heo + +commit b339752d054fb32863418452dff350a1086885b1 upstream. + +When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of +@node. The assumption seems that if !NUMA, there shouldn't be more than +one node and thus reporting cpu_online_mask regardless of @node is +correct. However, that assumption was broken years ago to support +DISCONTIGMEM and whether a system has multiple nodes or not is +separately controlled by NEED_MULTIPLE_NODES. + +This means that, on a system with !NUMA && NEED_MULTIPLE_NODES, +cpumask_of_node() will report cpu_online_mask for all possible nodes, +indicating that the CPUs are associated with multiple nodes which is an +impossible configuration. + +This bug has been around forever but doesn't look like it has caused any +noticeable symptoms. However, it triggers a WARN recently added to +workqueue to verify NUMA affinity configuration. + +Fix it by reporting empty cpumask on non-zero nodes if !NUMA. + +Signed-off-by: Tejun Heo +Reported-and-tested-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-generic/topology.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/include/asm-generic/topology.h ++++ b/include/asm-generic/topology.h +@@ -48,7 +48,11 @@ + #define parent_node(node) ((void)(node),0) + #endif + #ifndef cpumask_of_node +-#define cpumask_of_node(node) ((void)node, cpu_online_mask) ++ #ifdef CONFIG_NEED_MULTIPLE_NODES ++ #define cpumask_of_node(node) ((node) == 0 ? cpu_online_mask : cpu_none_mask) ++ #else ++ #define cpumask_of_node(node) ((void)node, cpu_online_mask) ++ #endif + #endif + #ifndef pcibus_to_node + #define pcibus_to_node(bus) ((void)(bus), -1) 
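Review bot: In the new `#else` branch, `cpumask_of_node(node)` still expands to `((void)node, cpu_online_mask)` with an unparenthesized macro argument, while the new `CONFIG_NEED_MULTIPLE_NODES` branch and the neighbouring `parent_node(node)` both write `(node)`. Since the old line is being re-indented anyway, I would make it `#define cpumask_of_node(node) ((void)(node), cpu_online_mask)` so the two branches are consistent and an expression argument is evaluated as a unit. A one-line comment on the new branch, `/* !NUMA with NEED_MULTIPLE_NODES: only node 0 has CPUs */`, would save the reader a trip to the changelog.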
diff --git a/queue-4.12/cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch b/queue-4.12/cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch new file mode 100644 index 00000000000..49ecfbae86a --- /dev/null +++ b/queue-4.12/cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch @@ -0,0 +1,34 @@ +From 1c08c22c874ac88799cab1f78c40f46110274915 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Thu, 24 Aug 2017 12:04:29 -0400 +Subject: cpuset: Fix incorrect memory_pressure control file mapping + +From: Waiman Long + +commit 1c08c22c874ac88799cab1f78c40f46110274915 upstream. + +The memory_pressure control file was incorrectly set up without +a private value (0, by default). As a result, this control +file was treated like memory_migrate on read. By adding back the +FILE_MEMORY_PRESSURE private value, the correct memory pressure value +will be returned. + +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Fixes: 7dbdb199d3bf ("cgroup: replace cftype->mode with CFTYPE_WORLD_WRITABLE") +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cpuset.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1907,6 +1907,7 @@ static struct cftype files[] = { + { + .name = "memory_pressure", + .read_u64 = cpuset_read_u64, ++ .private = FILE_MEMORY_PRESSURE, + }, + + { diff --git a/queue-4.12/dm-mpath-do-not-lock-up-a-cpu-with-requeuing-activity.patch b/queue-4.12/dm-mpath-do-not-lock-up-a-cpu-with-requeuing-activity.patch new file mode 100644 index 00000000000..f255727cc70 --- /dev/null +++ b/queue-4.12/dm-mpath-do-not-lock-up-a-cpu-with-requeuing-activity.patch 
@@ -0,0 +1,36 @@ +From 1c23484c355ec360ca2f37914f8a4802c6baeead Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 9 Aug 2017 11:32:12 -0700 +Subject: dm mpath: do not lock up a CPU with requeuing activity + +From: Bart Van Assche + +commit 1c23484c355ec360ca2f37914f8a4802c6baeead upstream. + +When using the block layer in single queue mode, get_request() +returns ERR_PTR(-EAGAIN) if the queue is dying and the REQ_NOWAIT +flag has been passed to get_request(). Avoid that the kernel +reports soft lockup complaints in this case due to continuous +requeuing activity. + +Fixes: 7083abbbf ("dm mpath: avoid that path removal can trigger an infinite loop") +Signed-off-by: Bart Van Assche +Tested-by: Laurence Oberman +Reviewed-by: Christoph Hellwig +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-mpath.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -504,7 +504,6 @@ static int multipath_clone_and_map(struc + if (queue_dying) { + atomic_inc(&m->pg_init_in_progress); + activate_or_offline_path(pgpath); +- return DM_MAPIO_REQUEUE; + } + return DM_MAPIO_DELAY_REQUEUE; + } diff --git a/queue-4.12/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch b/queue-4.12/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch new file mode 100644 index 00000000000..742e09e91ee --- /dev/null +++ b/queue-4.12/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch 
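Review bot: After dropping `return DM_MAPIO_REQUEUE;`, the `queue_dying` block now falls through to `return DM_MAPIO_DELAY_REQUEUE;` and nothing in the code says this is deliberate rather than a lost return. I would add, inside the block after `activate_or_offline_path(pgpath);`, a comment such as `/* fall through to a delayed requeue: an immediate requeue against a dying queue spins the CPU (soft lockup) */`, which captures the reasoning from the changelog. multipath_clone_and_map starts and ends outside the hunk.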
@@ -0,0 +1,37 @@ +From 9afae2719273fa1d406829bf3498f82dbdba71c7 Mon Sep 17 00:00:00 2001 +From: "Xiangliang.Yu" +Date: Wed, 16 Aug 2017 14:25:51 +0800 +Subject: drm/ttm: Fix accounting error when fail to get pages for pool +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xiangliang.Yu + +commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream. + +When fail to get needed page for pool, need to put allocated pages +into pool. But current code has a miscalculation of allocated pages, +correct it. + +Signed-off-by: Xiangliang.Yu +Reviewed-by: Christian König +Reviewed-by: Monk Liu +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ttm/ttm_page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c +@@ -615,7 +615,7 @@ static void ttm_page_pool_fill_locked(st + } else { + pr_err("Failed to fill pool (%p)\n", pool); + /* If we have any pages left put them to the pool. */ +- list_for_each_entry(p, &pool->list, lru) { ++ list_for_each_entry(p, &new_pages, lru) { + ++cpages; + } + list_splice(&new_pages, &pool->list); diff --git a/queue-4.12/drm-vmwgfx-fix-f26-wayland-screen-update-issue.patch b/queue-4.12/drm-vmwgfx-fix-f26-wayland-screen-update-issue.patch new file mode 100644 index 00000000000..1f7b43b560b --- /dev/null +++ b/queue-4.12/drm-vmwgfx-fix-f26-wayland-screen-update-issue.patch 
@@ -0,0 +1,62 @@ +From 021aba761f2a6c12158afb9993524c300c01fae2 Mon Sep 17 00:00:00 2001 +From: Sinclair Yeh +Date: Tue, 29 Aug 2017 18:55:09 +0200 +Subject: drm/vmwgfx: Fix F26 Wayland screen update issue + +From: Sinclair Yeh + +commit 021aba761f2a6c12158afb9993524c300c01fae2 upstream. + +vmwgfx currently cannot support non-blocking commit because when +vmw_*_crtc_page_flip is called, drm_atomic_nonblocking_commit() +schedules the update on a thread. This means vmw_*_crtc_page_flip +cannot rely on the new surface being bound before the subsequent +dirty and flush operations happen. + +Signed-off-by: Sinclair Yeh +Reviewed-by: Thomas Hellstrom +Reviewed-by: Charmaine Lee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1567,10 +1567,34 @@ vmw_kms_atomic_check_modeset(struct drm_ + } + + ++/** ++ * vmw_kms_atomic_commit - Perform an atomic state commit ++ * ++ * @dev: DRM device ++ * @state: the driver state object ++ * @nonblock: Whether nonblocking behaviour is requested ++ * ++ * This is a simple wrapper around drm_atomic_helper_commit() for ++ * us to clear the nonblocking value. ++ * ++ * Nonblocking commits currently cause synchronization issues ++ * for vmwgfx. ++ * ++ * RETURNS ++ * Zero for success or negative error code on failure. ++ */ ++int vmw_kms_atomic_commit(struct drm_device *dev, ++ struct drm_atomic_state *state, ++ bool nonblock) ++{ ++ return drm_atomic_helper_commit(dev, state, false); ++} ++ ++ + static const struct drm_mode_config_funcs vmw_kms_funcs = { + .fb_create = vmw_kms_fb_create, + .atomic_check = vmw_kms_atomic_check_modeset, +- .atomic_commit = drm_atomic_helper_commit, ++ .atomic_commit = vmw_kms_atomic_commit, + }; + + static int vmw_kms_generic_present(struct vmw_private *dev_priv, 
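Review bot: `vmw_kms_atomic_commit` is defined with external linkage but its only visible user is the `.atomic_commit` entry of the file-local `vmw_kms_funcs` table; unless a driver header declares it, it should be `static int vmw_kms_atomic_commit(...)` so a missing-prototype warning is avoided and the symbol is not exported by accident. The `nonblock` parameter is documented in the kernel-doc but deliberately ignored; a short inline comment on the `return drm_atomic_helper_commit(dev, state, false);` line, e.g. `/* nonblock is intentionally forced to false, see above */`, keeps that visible at the call. The kernel-doc section header `RETURNS` would normally be written `Return:`, though the file's own style may differ.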
diff --git a/queue-4.12/lib-mpi-kunmap-after-finishing-accessing-buffer.patch b/queue-4.12/lib-mpi-kunmap-after-finishing-accessing-buffer.patch new file mode 100644 index 00000000000..1bd087cdd60 --- /dev/null +++ b/queue-4.12/lib-mpi-kunmap-after-finishing-accessing-buffer.patch @@ -0,0 +1,49 @@ +From dea3eb8b452e36cf2dd572b0a797915ccf452ae6 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 10 Aug 2017 08:06:18 +0200 +Subject: lib/mpi: kunmap after finishing accessing buffer + +From: Stephan Mueller + +commit dea3eb8b452e36cf2dd572b0a797915ccf452ae6 upstream. + +Using sg_miter_start and sg_miter_next, the buffer of an SG is kmap'ed +to *buff. The current code calls sg_miter_stop (and thus kunmap) on the +SG entry before the last access of *buff. + +The patch moves the sg_miter_stop call after the last access to *buff to +ensure that the memory pointed to by *buff is still mapped. + +Fixes: 4816c9406430 ("lib/mpi: Fix SG miter leak") +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + lib/mpi/mpicoder.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/lib/mpi/mpicoder.c ++++ b/lib/mpi/mpicoder.c +@@ -364,11 +364,11 @@ MPI mpi_read_raw_from_sgl(struct scatter + } + + miter.consumed = lzeros; +- sg_miter_stop(&miter); + + nbytes -= lzeros; + nbits = nbytes * 8; + if (nbits > MAX_EXTERN_MPI_BITS) { ++ sg_miter_stop(&miter); + pr_info("MPI: mpi too large (%u bits)\n", nbits); + return NULL; + } +@@ -376,6 +376,8 @@ MPI mpi_read_raw_from_sgl(struct scatter + if (nbytes > 0) + nbits -= count_leading_zeros(*buff) - (BITS_PER_LONG - 8); + ++ sg_miter_stop(&miter); ++ + nlimbs = DIV_ROUND_UP(nbytes, BYTES_PER_MPI_LIMB); + val = mpi_alloc(nlimbs); + if (!val) diff --git a/queue-4.12/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch b/queue-4.12/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch new file mode 100644 index 00000000000..754b74c90e0 
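Review bot: The moved `sg_miter_stop(&miter);` now sits directly after the last `*buff` read, but the code does not say that the stop ends the mapping the pointer depends on, which is exactly what the earlier ordering got wrong. I would comment it as `/* last use of *buff above: the SG mapping from sg_miter_next() can be dropped now */`. The hunk also introduces a second `sg_miter_stop(&miter);` on the `nbits > MAX_EXTERN_MPI_BITS` early-return path; any future early return added between the two points would need the same call, so a cleanup label or a brief note would help. mpi_read_raw_from_sgl starts and ends outside the hunk.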
--- /dev/null
+++ b/queue-4.12/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch
@@ -0,0 +1,65 @@ +From c461ad6a63b37ba74632e90c063d14823c884247 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 31 Aug 2017 16:15:30 -0700 +Subject: mm, madvise: ensure poisoned pages are removed from per-cpu lists + +From: Mel Gorman + +commit c461ad6a63b37ba74632e90c063d14823c884247 upstream. + +Wendy Wang reported off-list that a RAS HWPOISON-SOFT test case failed +and bisected it to the commit 479f854a207c ("mm, page_alloc: defer +debugging checks of pages allocated from the PCP"). + +The problem is that a page that was poisoned with madvise() is reused. +The commit removed a check that would trigger if DEBUG_VM was enabled +but re-enabling the check only fixes the problem as a side-effect by +printing a bad_page warning and recovering. + +The root of the problem is that an madvise() can leave a poisoned page +on the per-cpu list. This patch drains all per-cpu lists after pages +are poisoned so that they will not be reused. Wendy reports that the +test case in question passes with this patch applied. While this could +be done in a targeted fashion, it is over-complicated for such a rare +operation. 
+ +Link: http://lkml.kernel.org/r/20170828133414.7qro57jbepdcyz5x@techsingularity.net +Fixes: 479f854a207c ("mm, page_alloc: defer debugging checks of pages allocated from the PCP") +Signed-off-by: Mel Gorman +Reported-by: Wang, Wendy +Tested-by: Wang, Wendy +Acked-by: David Rientjes +Acked-by: Vlastimil Babka +Cc: "Hansen, Dave" +Cc: "Luck, Tony" +Cc: Naoya Horiguchi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/madvise.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -610,6 +610,7 @@ static int madvise_inject_error(int beha + unsigned long start, unsigned long end) + { + struct page *page; ++ struct zone *zone; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -643,6 +644,11 @@ static int madvise_inject_error(int beha + if (ret) + return ret; + } ++ ++ /* Ensure that all poisoned pages are removed from per-cpu lists */ ++ for_each_populated_zone(zone) ++ drain_all_pages(zone); ++ + return 0; + } + #endif diff --git a/queue-4.12/mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch b/queue-4.12/mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch new file mode 100644 index 00000000000..656b89fe98c --- /dev/null +++ b/queue-4.12/mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch 
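Review bot: The new `for_each_populated_zone(zone) drain_all_pages(zone);` runs only on the `return 0;` path, whereas the `if (ret) return ret;` just above it leaves the function without draining, so a page poisoned in an earlier iteration of the enclosing loop can still sit on a per-cpu list when a later injection fails. If the loop body (outside the hunk) does not drain on its own error returns, I would route those through the same drain, for example by breaking out of the loop on error and changing `return 0;` to `return ret;` after the drain, which requires `ret` to be declared at function scope. The changelog describes the drain as a rare, broad operation, so doing it on the error path too should be acceptable.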
@@ -0,0 +1,142 @@ +From 355627f518978b5167256d27492fe0b343aaf2f2 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 31 Aug 2017 16:15:26 -0700 +Subject: mm, uprobes: fix multiple free of ->uprobes_state.xol_area + +From: Eric Biggers + +commit 355627f518978b5167256d27492fe0b343aaf2f2 upstream. + +Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for +write killable") made it possible to kill a forking task while it is +waiting to acquire its ->mmap_sem for write, in dup_mmap(). + +However, it was overlooked that this introduced an new error path before +the new mm_struct's ->uprobes_state.xol_area has been set to NULL after +being copied from the old mm_struct by the memcpy in dup_mm(). For a +task that has previously hit a uprobe tracepoint, this resulted in the +'struct xol_area' being freed multiple times if the task was killed at +just the right time while forking. + +Fix it by setting ->uprobes_state.xol_area to NULL in mm_init() rather +than in uprobe_dup_mmap(). + +With CONFIG_UPROBE_EVENTS=y, the bug can be reproduced by the same C +program given by commit 2b7e8665b4ff ("fork: fix incorrect fput of +->exe_file causing use-after-free"), provided that a uprobe tracepoint +has been set on the fork_thread() function. 
For example: + + $ gcc reproducer.c -o reproducer -lpthread + $ nm reproducer | grep fork_thread + 0000000000400719 t fork_thread + $ echo "p $PWD/reproducer:0x719" > /sys/kernel/debug/tracing/uprobe_events + $ echo 1 > /sys/kernel/debug/tracing/events/uprobes/enable + $ ./reproducer + +Here is the use-after-free reported by KASAN: + + BUG: KASAN: use-after-free in uprobe_clear_state+0x1c4/0x200 + Read of size 8 at addr ffff8800320a8b88 by task reproducer/198 + + CPU: 1 PID: 198 Comm: reproducer Not tainted 4.13.0-rc7-00015-g36fde05f3fb5 #255 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014 + Call Trace: + dump_stack+0xdb/0x185 + print_address_description+0x7e/0x290 + kasan_report+0x23b/0x350 + __asan_report_load8_noabort+0x19/0x20 + uprobe_clear_state+0x1c4/0x200 + mmput+0xd6/0x360 + do_exit+0x740/0x1670 + do_group_exit+0x13f/0x380 + get_signal+0x597/0x17d0 + do_signal+0x99/0x1df0 + exit_to_usermode_loop+0x166/0x1e0 + syscall_return_slowpath+0x258/0x2c0 + entry_SYSCALL_64_fastpath+0xbc/0xbe + + ... + + Allocated by task 199: + save_stack_trace+0x1b/0x20 + kasan_kmalloc+0xfc/0x180 + kmem_cache_alloc_trace+0xf3/0x330 + __create_xol_area+0x10f/0x780 + uprobe_notify_resume+0x1674/0x2210 + exit_to_usermode_loop+0x150/0x1e0 + prepare_exit_to_usermode+0x14b/0x180 + retint_user+0x8/0x20 + + Freed by task 199: + save_stack_trace+0x1b/0x20 + kasan_slab_free+0xa8/0x1a0 + kfree+0xba/0x210 + uprobe_clear_state+0x151/0x200 + mmput+0xd6/0x360 + copy_process.part.8+0x605f/0x65d0 + _do_fork+0x1a5/0xbd0 + SyS_clone+0x19/0x20 + do_syscall_64+0x22f/0x660 + return_from_SYSCALL_64+0x0/0x7a + +Note: without KASAN, you may instead see a "Bad page state" message, or +simply a general protection fault. 
+ +Link: http://lkml.kernel.org/r/20170830033303.17927-1-ebiggers3@gmail.com +Fixes: 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for write killable") +Signed-off-by: Eric Biggers +Reported-by: Oleg Nesterov +Acked-by: Oleg Nesterov +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Dmitry Vyukov +Cc: Ingo Molnar +Cc: Konstantin Khlebnikov +Cc: Mark Rutland +Cc: Michal Hocko +Cc: Peter Zijlstra +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/uprobes.c | 2 -- + kernel/fork.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -1262,8 +1262,6 @@ void uprobe_end_dup_mmap(void) + + void uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm) + { +- newmm->uprobes_state.xol_area = NULL; +- + if (test_bit(MMF_HAS_UPROBES, &oldmm->flags)) { + set_bit(MMF_HAS_UPROBES, &newmm->flags); + /* unconditionally, dup_mmap() skips VM_DONTCOPY vmas */ +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -781,6 +781,13 @@ static void mm_init_owner(struct mm_stru + #endif + } + ++static void mm_init_uprobes_state(struct mm_struct *mm) ++{ ++#ifdef CONFIG_UPROBES ++ mm->uprobes_state.xol_area = NULL; ++#endif ++} ++ + static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p, + struct user_namespace *user_ns) + { +@@ -808,6 +815,7 @@ static struct mm_struct *mm_init(struct + #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS + mm->pmd_huge_pte = NULL; + #endif ++ mm_init_uprobes_state(mm); + + if (current->mm) { + mm->flags = current->mm->flags & MMF_INIT_MASK; diff --git a/queue-4.12/mmc-sdhci-xenon-add-set_power-callback.patch b/queue-4.12/mmc-sdhci-xenon-add-set_power-callback.patch new file mode 100644 index 00000000000..0d29e3f66c9 --- /dev/null +++ b/queue-4.12/mmc-sdhci-xenon-add-set_power-callback.patch 
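Review bot: `mm_init_uprobes_state` has no comment explaining why the `xol_area = NULL` now lives in mm_init() rather than in uprobe_dup_mmap(), and without it a future cleanup could move it back and reintroduce the double free. I would add above the helper: `/* Must run in mm_init(): dup_mm() memcpy's the parent's mm_struct, so the copied xol_area pointer has to be cleared before any error path can reach uprobe_clear_state(), not only in uprobe_dup_mmap(). */`, which is the reasoning from the changelog. mm_init itself starts and ends outside the hunk.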
@@ -0,0 +1,56 @@ +From 99c14fc360dbbb583a03ab985551b12b5c5ca4f1 Mon Sep 17 00:00:00 2001 +From: Zhoujie Wu +Date: Mon, 21 Aug 2017 11:02:09 -0700 +Subject: mmc: sdhci-xenon: add set_power callback + +From: Zhoujie Wu + +commit 99c14fc360dbbb583a03ab985551b12b5c5ca4f1 upstream. + +Xenon sdh controller requests proper SD bus voltage select +bits programmed even with vmmc power supply. Any reserved +value(100b-000b) programmed in this field will lead to controller +ignore SD bus power bit and keep its value at zero. +Add set_power callback to handle this. + +Signed-off-by: Zhoujie Wu +Acked-by: Adrian Hunter +Tested-by: Gregory CLEMENT +Fixes: 3a3748dba881 ("mmc: sdhci-xenon: Add Marvell Xenon SDHC core functionality") +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-xenon.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/mmc/host/sdhci-xenon.c ++++ b/drivers/mmc/host/sdhci-xenon.c +@@ -210,8 +210,27 @@ static void xenon_set_uhs_signaling(stru + sdhci_writew(host, ctrl_2, SDHCI_HOST_CONTROL2); + } + ++static void xenon_set_power(struct sdhci_host *host, unsigned char mode, ++ unsigned short vdd) ++{ ++ struct mmc_host *mmc = host->mmc; ++ u8 pwr = host->pwr; ++ ++ sdhci_set_power_noreg(host, mode, vdd); ++ ++ if (host->pwr == pwr) ++ return; ++ ++ if (host->pwr == 0) ++ vdd = 0; ++ ++ if (!IS_ERR(mmc->supply.vmmc)) ++ mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd); ++} ++ + static const struct sdhci_ops sdhci_xenon_ops = { + .set_clock = sdhci_set_clock, ++ .set_power = xenon_set_power, + .set_bus_width = sdhci_set_bus_width, + .reset = xenon_reset, + .set_uhs_signaling = xenon_set_uhs_signaling, diff --git a/queue-4.12/series b/queue-4.12/series index b81065223f8..6e9e3f3440f 100644 --- a/queue-4.12/series +++ b/queue-4.12/series 
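Review bot: `xenon_set_power` gives no hint why the regulator is programmed only after `sdhci_set_power_noreg()` and only when `host->pwr` actually changed; the changelog's explanation belongs in the code. I would add above the function `/* Program the SD bus voltage select bits via sdhci_set_power_noreg() first: with a reserved value in that field the controller ignores the bus power bit; then bring vmmc up or down to match. */`. The return value of `mmc_regulator_set_ocr()` is discarded; since `set_power` returns void that may be unavoidable, but it is worth a comment. The `vdd = 0` when `host->pwr == 0` deserves a one-liner too, e.g. `/* power off: drop the regulator as well */`.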
@@ -7,3 +7,18 @@ crypto-chacha20-fix-handling-of-chunked-input.patch i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch +mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch +mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch +ceph-fix-readpage-from-fscache.patch +cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch +cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch +alpha-uapi-add-support-for-__sane_userspace_types__.patch +cifs-fix-maximum-smb2-header-size.patch +cifs-remove-endian-related-sparse-warning.patch +dm-mpath-do-not-lock-up-a-cpu-with-requeuing-activity.patch +drm-vmwgfx-fix-f26-wayland-screen-update-issue.patch +wl1251-add-a-missing-spin_lock_init.patch +mmc-sdhci-xenon-add-set_power-callback.patch +lib-mpi-kunmap-after-finishing-accessing-buffer.patch +xfrm-policy-check-policy-direction-value.patch +drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch diff --git a/queue-4.12/wl1251-add-a-missing-spin_lock_init.patch b/queue-4.12/wl1251-add-a-missing-spin_lock_init.patch new file mode 100644 index 00000000000..431b28847b0 --- /dev/null +++ b/queue-4.12/wl1251-add-a-missing-spin_lock_init.patch 
@@ -0,0 +1,67 @@ +From f581a0dd744fe32b0a8805e279c59ec1ac676d60 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Thu, 31 Aug 2017 16:47:43 +0200 +Subject: wl1251: add a missing spin_lock_init() + +From: Cong Wang + +commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream. + +wl1251: add a missing spin_lock_init() + +This fixes the following kernel warning: + + [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745 + [ 5668.771850] lock: 0xce63ef20, .magic: 00000000, .owner: /-1, + .owner_cpu: 0 + [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W + 4.12.0-03002-gec979a4-dirty #40 + [ 5668.772796] Hardware name: Nokia RX-51 board + [ 5668.773071] Workqueue: phy1 wl1251_irq_work + [ 5668.773345] [] (unwind_backtrace) from [] + (show_stack+0x10/0x14) + [ 5668.773803] [] (show_stack) from [] + (do_raw_spin_lock+0x6c/0xa0) + [ 5668.774230] [] (do_raw_spin_lock) from [] + (_raw_spin_lock_irqsave+0x10/0x18) + [ 5668.774658] [] (_raw_spin_lock_irqsave) from [] + (wl1251_op_tx+0x38/0x5c) + [ 5668.775115] [] (wl1251_op_tx) from [] + (ieee80211_tx_frags+0x188/0x1c0) + [ 5668.775543] [] (ieee80211_tx_frags) from [] + (__ieee80211_tx+0x6c/0x130) + [ 5668.775970] [] (__ieee80211_tx) from [] + (ieee80211_tx+0xdc/0x104) + [ 5668.776367] [] (ieee80211_tx) from [] + (__ieee80211_subif_start_xmit+0x454/0x8c8) + [ 5668.776824] [] (__ieee80211_subif_start_xmit) from + [] (ieee80211_subif_start_xmit+0x30/0x2fc) + [ 5668.777343] [] (ieee80211_subif_start_xmit) from + [] (dev_hard_start_xmit+0x80/0x118) +... + + by adding the missing spin_lock_init(). + +Reported-by: Pavel Machek +Cc: Kalle Valo +Signed-off-by: Cong Wang +Acked-by: Pavel Machek +Signed-off-by: Kalle Valo +Signed-off-by: Pavel Machek +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ti/wl1251/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ti/wl1251/main.c ++++ b/drivers/net/wireless/ti/wl1251/main.c +@@ -1571,6 +1571,7 @@ struct ieee80211_hw *wl1251_alloc_hw(voi + + wl->state = WL1251_STATE_OFF; + mutex_init(&wl->mutex); ++ spin_lock_init(&wl->wl_lock); + + wl->tx_mgmt_frm_rate = DEFAULT_HW_GEN_TX_RATE; + wl->tx_mgmt_frm_mod = DEFAULT_HW_GEN_MODULATION_TYPE; diff --git a/queue-4.12/xfrm-policy-check-policy-direction-value.patch b/queue-4.12/xfrm-policy-check-policy-direction-value.patch new file mode 100644 index 00000000000..d737fdef47d --- /dev/null +++ b/queue-4.12/xfrm-policy-check-policy-direction-value.patch 
@@ -0,0 +1,44 @@ +From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Wed, 2 Aug 2017 19:50:14 +0200 +Subject: xfrm: policy: check policy direction value + +From: Vladis Dronov + +commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream. + +The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used +as an array index. This can lead to an out-of-bound access, kernel lockup and +DoS. Add a check for the 'dir' value. + +This fixes CVE-2017-11600. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Reported-by: "bo Zhang" +Signed-off-by: Vladis Dronov +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_policy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3301,9 +3301,15 @@ int xfrm_migrate(const struct xfrm_selec + struct xfrm_state *x_new[XFRM_MAX_DEPTH]; + struct xfrm_migrate *mp; + ++ /* Stage 0 - sanity checks */ + if ((err = xfrm_migrate_check(m, num_migrate)) < 0) + goto out; + ++ if (dir >= XFRM_POLICY_MAX) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /* Stage 1 - find policy */ + if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { + err = -ENOENT;
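Review bot: The new `if (dir >= XFRM_POLICY_MAX)` check is only sufficient if `dir` is an unsigned type; the parameter list of xfrm_migrate is outside the hunk, so please confirm it is declared `u8` (a signed `dir` would need `dir < 0 ||` as well). It is placed after `xfrm_migrate_check()` and before the policy lookup that uses `dir` as an index, which is the right place; a one-line comment, `/* dir comes from userspace and indexes per-direction tables */`, would make the purpose of the check obvious. The `/* Stage 0 - sanity checks */` label covers both checks, which reads well.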