From 5680205d56e772fc7a50d9703e9f7ce6695e96bc Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 18 Aug 2019 07:49:04 -0400
Subject: [PATCH] fixes for 4.4

Signed-off-by: Sasha Levin
---
 ...c-fix-wtype-limits-compiler-warnings.patch | 132 ++++++++++++++++++
 ...ot-complain-in-case-of-deferred-prob.patch | 36 +++++
 ...t-make-setting-exit_state-consistent.patch | 51 +++++++
 ...b-core-add-mitigation-for-spectre-v1.patch | 52 +++++++
 ...imx-gpcv2-forward-irq-type-to-parent.patch | 33 +++++
 ...andle-kbuild_extra_symbols-only-for-.patch | 36 +++++
 ...-small-read-overflow-in-zpodd_get_me.patch | 50 +++++++
 ...-set-but-not-used-variable-last_hash.patch | 54 +++++++
 ...divide-by-zero-error-if-f_header.att.patch | 52 +++++++
 ...fix-use-of-unitialized-value-warning.patch | 68 +++++++++
 ...t-scsi-command-status-issue-after-re.patch | 59 ++++++++
 queue-4.4/series | 12 ++
 ...ve-set-but-not-used-variable-old_sta.patch | 46 ++++++
 13 files changed, 681 insertions(+)
 create mode 100644 queue-4.4/asm-generic-fix-wtype-limits-compiler-warnings.patch
 create mode 100644 queue-4.4/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
 create mode 100644 queue-4.4/exit-make-setting-exit_state-consistent.patch
 create mode 100644 queue-4.4/ib-core-add-mitigation-for-spectre-v1.patch
 create mode 100644 queue-4.4/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch
 create mode 100644 queue-4.4/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch
 create mode 100644 queue-4.4/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch
 create mode 100644 queue-4.4/ocfs2-remove-set-but-not-used-variable-last_hash.patch
 create mode 100644 queue-4.4/perf-header-fix-divide-by-zero-error-if-f_header.att.patch
 create mode 100644 queue-4.4/perf-header-fix-use-of-unitialized-value-warning.patch
 create mode 100644 queue-4.4/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch
 create mode 100644 queue-4.4/xen-pciback-remove-set-but-not-used-variable-old_sta.patch
diff --git a/queue-4.4/asm-generic-fix-wtype-limits-compiler-warnings.patch b/queue-4.4/asm-generic-fix-wtype-limits-compiler-warnings.patch
new file mode 100644
index 00000000000..57fbccdfa07
--- /dev/null
+++ b/queue-4.4/asm-generic-fix-wtype-limits-compiler-warnings.patch
@@ -0,0 +1,132 @@
+From feb88cbaa879ab6eb22cadadb9cd2ad3b79efc69 Mon Sep 17 00:00:00 2001
+From: Qian Cai
+Date: Fri, 2 Aug 2019 21:49:19 -0700
+Subject: asm-generic: fix -Wtype-limits compiler warnings
+
+[ Upstream commit cbedfe11347fe418621bd188d58a206beb676218 ]
+
+Commit d66acc39c7ce ("bitops: Optimise get_order()") introduced a
+compilation warning because "rx_frag_size" is an "ushort" while
+PAGE_SHIFT here is 16.
+
+The commit changed the get_order() to be a multi-line macro where
+compilers insist to check all statements in the macro even when
+__builtin_constant_p(rx_frag_size) will return false as "rx_frag_size"
+is a module parameter.
+
+In file included from ./arch/powerpc/include/asm/page_64.h:107,
+ from ./arch/powerpc/include/asm/page.h:242,
+ from ./arch/powerpc/include/asm/mmu.h:132,
+ from ./arch/powerpc/include/asm/lppaca.h:47,
+ from ./arch/powerpc/include/asm/paca.h:17,
+ from ./arch/powerpc/include/asm/current.h:13,
+ from ./include/linux/thread_info.h:21,
+ from ./arch/powerpc/include/asm/processor.h:39,
+ from ./include/linux/prefetch.h:15,
+ from drivers/net/ethernet/emulex/benet/be_main.c:14:
+drivers/net/ethernet/emulex/benet/be_main.c: In function 'be_rx_cqs_create':
+./include/asm-generic/getorder.h:54:9: warning: comparison is always
+true due to limited range of data type [-Wtype-limits]
+ (((n) < (1UL << PAGE_SHIFT)) ? 0 : \
+ ^
+drivers/net/ethernet/emulex/benet/be_main.c:3138:33: note: in expansion
+of macro 'get_order'
+ adapter->big_page_size = (1 << get_order(rx_frag_size)) * PAGE_SIZE;
+ ^~~~~~~~~
+
+Fix it by moving all of this multi-line macro into a proper function,
+and killing __get_order() off.
+
+[akpm@linux-foundation.org: remove __get_order() altogether]
+[cai@lca.pw: v2]
+ Link: http://lkml.kernel.org/r/1564000166-31428-1-git-send-email-cai@lca.pw
+Link: http://lkml.kernel.org/r/1563914986-26502-1-git-send-email-cai@lca.pw
+Fixes: d66acc39c7ce ("bitops: Optimise get_order()")
+Signed-off-by: Qian Cai
+Reviewed-by: Nathan Chancellor
+Cc: David S. Miller
+Cc: Arnd Bergmann
+Cc: David Howells
+Cc: Jakub Jelinek
+Cc: Nick Desaulniers
+Cc: Bill Wendling
+Cc: James Y Knight
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/asm-generic/getorder.h | 50 ++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 30 deletions(-)
+
+diff --git a/include/asm-generic/getorder.h b/include/asm-generic/getorder.h
+index 65e4468ac53da..52fbf236a90ea 100644
+--- a/include/asm-generic/getorder.h
++++ b/include/asm-generic/getorder.h
+@@ -6,24 +6,6 @@
+ #include
+ #include
+
+-/*
+- * Runtime evaluation of get_order()
+- */
+-static inline __attribute_const__
+-int __get_order(unsigned long size)
+-{
+- int order;
+-
+- size--;
+- size >>= PAGE_SHIFT;
+-#if BITS_PER_LONG == 32
+- order = fls(size);
+-#else
+- order = fls64(size);
+-#endif
+- return order;
+-}
+-
+ /**
+ * get_order - Determine the allocation order of a memory size
+ * @size: The size for which to get the order
+@@ -42,19 +24,27 @@ int __get_order(unsigned long size)
+ * to hold an object of the specified size.
+ *
+ * The result is undefined if the size is 0.
+- *
+- * This function may be used to initialise variables with compile time
+- * evaluations of constants.
+ */
+-#define get_order(n) \
+-( \
+- __builtin_constant_p(n) ? ( \
+- ((n) == 0UL) ? BITS_PER_LONG - PAGE_SHIFT : \
+- (((n) < (1UL << PAGE_SHIFT)) ? 0 : \
+- ilog2((n) - 1) - PAGE_SHIFT + 1) \
+- ) : \
+- __get_order(n) \
+-)
++static inline __attribute_const__ int get_order(unsigned long size)
++{
++ if (__builtin_constant_p(size)) {
++ if (!size)
++ return BITS_PER_LONG - PAGE_SHIFT;
++
++ if (size < (1UL << PAGE_SHIFT))
++ return 0;
++
++ return ilog2((size) - 1) - PAGE_SHIFT + 1;
++ }
++
++ size--;
++ size >>= PAGE_SHIFT;
++#if BITS_PER_LONG == 32
++ return fls(size);
++#else
++ return fls64(size);
++#endif
++}
+
+ #endif /* __ASSEMBLY__ */
+
+--
+2.20.1
+
diff --git a/queue-4.4/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch b/queue-4.4/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
new file mode 100644
index 00000000000..f5d772f0e9a
--- /dev/null
+++ b/queue-4.4/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
@@ -0,0 +1,36 @@
+From e4fab2c3ae4b765ce4921f2a8eaad7fde41a4df0 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal
+Date: Wed, 31 Jul 2019 14:26:51 +0200
+Subject: ata: libahci: do not complain in case of deferred probe
+
+[ Upstream commit 090bb803708198e5ab6b0046398c7ed9f4d12d6b ]
+
+Retrieving PHYs can defer the probe, do not spawn an error when
+-EPROBE_DEFER is returned, it is normal behavior.
+
+Fixes: b1a9edbda040 ("ata: libahci: allow to use multiple PHYs")
+Reviewed-by: Hans de Goede
+Signed-off-by: Miquel Raynal
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libahci_platform.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
+index cd2eab6aa92ea..65371e1befe8a 100644
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -300,6 +300,9 @@ static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
+ hpriv->phys[port] = NULL;
+ rc = 0;
+ break;
++ case -EPROBE_DEFER:
++ /* Do not complain yet */
++ break;
+
+ default:
+ dev_err(dev,
+--
+2.20.1
+
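Review bot: The new get_order() in include/asm-generic/getorder.h can no longer be used where an integer constant expression is required, and the hunk acknowledges that only by deleting the sentence "This function may be used to initialise variables with compile time evaluations of constants". A static inline cannot appear in a file-scope initialiser or an array bound the way the old macro could, and __get_order() is removed outright, so any 4.4 caller of either form would stop building; nothing on this page shows those callers were checked against the 4.4 tree. I would state the new contract in the kernel-doc instead of silently dropping the old one, for example ` * The __builtin_constant_p() path is an optimisation only; the result is not a constant expression.`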
diff --git a/queue-4.4/exit-make-setting-exit_state-consistent.patch b/queue-4.4/exit-make-setting-exit_state-consistent.patch
new file mode 100644
index 00000000000..3a3650b4fa8
--- /dev/null
+++ b/queue-4.4/exit-make-setting-exit_state-consistent.patch
@@ -0,0 +1,51 @@
+From 20b45c6d67fd817ea9877ccc2d12eb94e7c503b2 Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Mon, 29 Jul 2019 17:48:24 +0200
+Subject: exit: make setting exit_state consistent
+
+[ Upstream commit 30b692d3b390c6fe78a5064be0c4bbd44a41be59 ]
+
+Since commit b191d6491be6 ("pidfd: fix a poll race when setting exit_state")
+we unconditionally set exit_state to EXIT_ZOMBIE before calling into
+do_notify_parent(). This was done to eliminate a race when querying
+exit_state in do_notify_pidfd().
+Back then we decided to do the absolute minimal thing to fix this and
+not touch the rest of the exit_notify() function where exit_state is
+set.
+Since this fix has not caused any issues change the setting of
+exit_state to EXIT_DEAD in the autoreap case to account for the fact hat
+exit_state is set to EXIT_ZOMBIE unconditionally. This fix was planned
+but also explicitly requested in [1] and makes the whole code more
+consistent.
+
+/* References */
+[1]: https://lore.kernel.org/lkml/CAHk-=wigcxGFR2szue4wavJtH5cYTTeNES=toUBVGsmX0rzX+g@mail.gmail.com
+
+Signed-off-by: Christian Brauner
+Acked-by: Oleg Nesterov
+Cc: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/exit.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 03f6722302b54..14c2f0717ee4b 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -619,9 +619,10 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
+ autoreap = true;
+ }
+
+- tsk->exit_state = autoreap ? EXIT_DEAD : EXIT_ZOMBIE;
+- if (tsk->exit_state == EXIT_DEAD)
++ if (autoreap) {
++ tsk->exit_state = EXIT_DEAD;
+ list_add(&tsk->ptrace_entry, &dead);
++ }
+
+ /* mt-exec, de_thread() is waiting for group leader */
+ if (unlikely(tsk->signal->notify_count < 0))
+--
+2.20.1
+
diff --git a/queue-4.4/ib-core-add-mitigation-for-spectre-v1.patch b/queue-4.4/ib-core-add-mitigation-for-spectre-v1.patch
new file mode 100644
index 00000000000..5e0ae138b31
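Review bot: After this change the visible lines of exit_notify() never assign EXIT_ZOMBIE, so the code is only correct if the tree already sets `tsk->exit_state = EXIT_ZOMBIE` unconditionally earlier in the function, which the description attributes to commit b191d6491be6. That prerequisite is a pidfd fix and nothing on this page shows it in the 4.4 queue; if it is absent, a task that is not autoreaped would leave this block with exit_state untouched and its parent could not reap it as a zombie. Confirm b191d6491be6 is present in 4.4 before queuing; otherwise drop the patch and keep the original `tsk->exit_state = autoreap ? EXIT_DEAD : EXIT_ZOMBIE;`. The body of exit_notify() starts and ends outside the hunk, so the earlier assignment cannot be checked from here.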
--- /dev/null
+++ b/queue-4.4/ib-core-add-mitigation-for-spectre-v1.patch
@@ -0,0 +1,52 @@
+From dd0c8dca2423be60acd4e68b19487665109cfd20 Mon Sep 17 00:00:00 2001
+From: "Luck, Tony"
+Date: Tue, 30 Jul 2019 21:39:57 -0700
+Subject: IB/core: Add mitigation for Spectre V1
+
+[ Upstream commit 61f259821dd3306e49b7d42a3f90fb5a4ff3351b ]
+
+Some processors may mispredict an array bounds check and
+speculatively access memory that they should not. With
+a user supplied array index we like to play things safe
+by masking the value with the array size before it is
+used as an index.
+
+Signed-off-by: Tony Luck
+Link: https://lore.kernel.org/r/20190731043957.GA1600@agluck-desk2.amr.corp.intel.com
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/user_mad.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
+index 57f281f8d6862..e9e75f40714cb 100644
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -49,6 +49,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -842,11 +843,14 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg)
+
+ if (get_user(id, arg))
+ return -EFAULT;
++ if (id >= IB_UMAD_MAX_AGENTS)
++ return -EINVAL;
+
+ mutex_lock(&file->port->file_mutex);
+ mutex_lock(&file->mutex);
+
+- if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) {
++ id = array_index_nospec(id, IB_UMAD_MAX_AGENTS);
++ if (!__get_agent(file, id)) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.20.1
+
diff --git a/queue-4.4/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch b/queue-4.4/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch
new file mode 100644
index 00000000000..afe01c09617
--- /dev/null
+++ b/queue-4.4/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch
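Review bot: The `array_index_nospec()` line in ib_umad_unreg_agent() carries no comment explaining why `id` is clamped again after the `id >= IB_UMAD_MAX_AGENTS` check a few lines earlier, so to a reader unfamiliar with the Spectre v1 pattern it looks redundant and is liable to be tidied away later. I would add above it `/* id comes from get_user(); clamp it so a mispredicted bounds check cannot index out of range speculatively */`. The early `return -EINVAL` now runs before either mutex is taken, which is fine because nothing needs unwinding at that point. The function continues outside the hunk, so how __get_agent() uses id is inferred from the commit description rather than seen.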
@@ -0,0 +1,33 @@
+From e3d1cca791a871315c002aaf5e461fe4cbc6fb25 Mon Sep 17 00:00:00 2001
+From: Lucas Stach
+Date: Fri, 12 Jul 2019 15:29:05 +0200
+Subject: irqchip/irq-imx-gpcv2: Forward irq type to parent
+
+[ Upstream commit 9a446ef08f3bfc0c3deb9c6be840af2528ef8cf8 ]
+
+The GPCv2 is a stacked IRQ controller below the ARM GIC. It doesn't
+care about the IRQ type itself, but needs to forward the type to the
+parent IRQ controller, so this one can be configured correctly.
+
+Signed-off-by: Lucas Stach
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-imx-gpcv2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-imx-gpcv2.c b/drivers/irqchip/irq-imx-gpcv2.c
+index 2d203b422129e..c56da0b13da5d 100644
+--- a/drivers/irqchip/irq-imx-gpcv2.c
++++ b/drivers/irqchip/irq-imx-gpcv2.c
+@@ -145,6 +145,7 @@ static struct irq_chip gpcv2_irqchip_data_chip = {
+ .irq_unmask = imx_gpcv2_irq_unmask,
+ .irq_set_wake = imx_gpcv2_irq_set_wake,
+ .irq_retrigger = irq_chip_retrigger_hierarchy,
++ .irq_set_type = irq_chip_set_type_parent,
+ #ifdef CONFIG_SMP
+ .irq_set_affinity = irq_chip_set_affinity_parent,
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.4/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch b/queue-4.4/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch
new file mode 100644
index 00000000000..3f1fc9a0c89
--- /dev/null
+++ b/queue-4.4/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch
@@ -0,0 +1,36 @@
+From e6468e24d8221ef69c884470b3e19e8315444e1c Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Wed, 31 Jul 2019 00:59:00 +0900
+Subject: kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external
+ modules
+
+[ Upstream commit cb4819934a7f9b87876f11ed05b8624c0114551b ]
+
+KBUILD_EXTRA_SYMBOLS makes sense only when building external modules.
+Moreover, the modpost sets 'external_module' if the -e option is given.
+
+I replaced $(patsubst %, -e %,...) with simpler $(addprefix -e,...)
+while I was here.
+
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/Makefile.modpost | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index 1366a94b6c395..7718a64b1cd15 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -74,7 +74,7 @@ modpost = scripts/mod/modpost \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a,) \
+ $(if $(KBUILD_EXTMOD),-i,-o) $(kernelsymfile) \
+ $(if $(KBUILD_EXTMOD),-I $(modulesymfile)) \
+- $(if $(KBUILD_EXTRA_SYMBOLS), $(patsubst %, -e %,$(KBUILD_EXTRA_SYMBOLS))) \
++ $(if $(KBUILD_EXTMOD),$(addprefix -e ,$(KBUILD_EXTRA_SYMBOLS))) \
+ $(if $(KBUILD_EXTMOD),-o $(modulesymfile)) \
+ $(if $(CONFIG_DEBUG_SECTION_MISMATCH),,-S) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
+--
+2.20.1
+
diff --git a/queue-4.4/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch b/queue-4.4/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch
new file mode 100644
index 00000000000..0c305c6c45b
--- /dev/null
+++ b/queue-4.4/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch
@@ -0,0 +1,50 @@
+From 5a8a7c69443ffb7957dcffb01096cb294392fb98 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Mon, 29 Jul 2019 14:47:22 -0700
+Subject: libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
+
+[ Upstream commit 71d6c505b4d9e6f76586350450e785e3d452b346 ]
+
+Jeffrin reported a KASAN issue:
+
+ BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
+ Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
+ ...
+ The buggy address belongs to the variable:
+ cdb.48319+0x0/0x40
+
+Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
+eject_tray()"), this fixes a cdb[] buffer length, this time in
+zpodd_get_mech_type():
+
+We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
+ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
+
+Reported-by: Jeffrin Jose T
+Fixes: afe759511808c ("libata: identify and init ZPODD devices")
+Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
+Tested-by: Jeffrin Jose T
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Kees Cook
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libata-zpodd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index 7017a81d53cf2..083856272e92a 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
+ unsigned int ret;
+ struct rm_feature_desc *desc;
+ struct ata_taskfile tf;
+- static const char cdb[] = { GPCMD_GET_CONFIGURATION,
++ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION,
+ 2, /* only 1 feature descriptor requested */
+ 0, 3, /* 3, removable medium feature */
+ 0, 0, 0,/* reserved */
+--
+2.20.1
+
diff --git a/queue-4.4/ocfs2-remove-set-but-not-used-variable-last_hash.patch b/queue-4.4/ocfs2-remove-set-but-not-used-variable-last_hash.patch
new file mode 100644
index 00000000000..8da6658da9d
--- /dev/null
+++ b/queue-4.4/ocfs2-remove-set-but-not-used-variable-last_hash.patch
@@ -0,0 +1,54 @@
+From 8ea40c362292a9bc103db84b230634f24ad4a192 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Fri, 2 Aug 2019 21:48:40 -0700
+Subject: ocfs2: remove set but not used variable 'last_hash'
+
+[ Upstream commit 7bc36e3ce91471b6377c8eadc0a2f220a2280083 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+ fs/ocfs2/xattr.c: In function ocfs2_xattr_bucket_find:
+ fs/ocfs2/xattr.c:3828:6: warning: variable last_hash set but not used [-Wunused-but-set-variable]
+
+It's never used and can be removed.
+
+Link: http://lkml.kernel.org/r/20190716132110.34836-1-yuehaibing@huawei.com
+Signed-off-by: YueHaibing
+Acked-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/ocfs2/xattr.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
+index 4f0788232f2f9..06faa608e5622 100644
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -3808,7 +3808,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode,
+ u16 blk_per_bucket = ocfs2_blocks_per_xattr_bucket(inode->i_sb);
+ int low_bucket = 0, bucket, high_bucket;
+ struct ocfs2_xattr_bucket *search;
+- u32 last_hash;
+ u64 blkno, lower_blkno = 0;
+
+ search = ocfs2_xattr_bucket_new(inode);
+@@ -3852,8 +3851,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode,
+ if (xh->xh_count)
+ xe = &xh->xh_entries[le16_to_cpu(xh->xh_count) - 1];
+
+- last_hash = le32_to_cpu(xe->xe_name_hash);
+-
+ /* record lower_blkno which may be the insert place. */
+ lower_blkno = blkno;
+
+--
+2.20.1
+
diff --git a/queue-4.4/perf-header-fix-divide-by-zero-error-if-f_header.att.patch b/queue-4.4/perf-header-fix-divide-by-zero-error-if-f_header.att.patch
new file mode 100644
index 00000000000..76ebe4b975e
--- /dev/null
+++ b/queue-4.4/perf-header-fix-divide-by-zero-error-if-f_header.att.patch
@@ -0,0 +1,52 @@
+From 3fc6bd9557594124fe82c8631978babdf7beef25 Mon Sep 17 00:00:00 2001
+From: Vince Weaver
+Date: Tue, 23 Jul 2019 11:06:01 -0400
+Subject: perf header: Fix divide by zero error if f_header.attr_size==0
+
+[ Upstream commit 7622236ceb167aa3857395f9bdaf871442aa467e ]
+
+So I have been having lots of trouble with hand-crafted perf.data files
+causing segfaults and the like, so I have started fuzzing the perf tool.
+
+First issue found:
+
+If f_header.attr_size is 0 in the perf.data file, then perf will crash
+with a divide-by-zero error.
+
+Committer note:
+
+Added a pr_err() to tell the user why the command failed.
+
+Signed-off-by: Vince Weaver
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1907231100440.14532@macbook-air
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/header.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index 304f5d7101436..0102dd46fb6da 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -2591,6 +2591,13 @@ int perf_session__read_header(struct perf_session *session)
+ file->path);
+ }
+
++ if (f_header.attr_size == 0) {
++ pr_err("ERROR: The %s file's attr size field is 0 which is unexpected.\n"
++ "Was the 'perf record' command properly terminated?\n",
++ data->file.path);
++ return -EINVAL;
++ }
++
+ nr_attrs = f_header.attrs.size / f_header.attr_size;
+ lseek(fd, f_header.attrs.offset, SEEK_SET);
+
+--
+2.20.1
+
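Review bot: The added pr_err() passes `data->file.path`, but the context line two lines above it in the same function still prints `file->path`, which suggests perf_session__read_header() in 4.4 has a `file` local and possibly no `data` at all. If so the hunk applies cleanly and then fails to compile; the backport should use the name the 4.4 function already has, i.e. `file->path);`. Separately, the guard rejects only zero: `nr_attrs = f_header.attrs.size / f_header.attr_size` is still computed entirely from fields of a perf.data file that the description says can be hand-crafted, and the `lseek()` result on the next line is unchecked. The declarations sit outside the hunk, so the variable name needs confirming against the tree.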
diff --git a/queue-4.4/perf-header-fix-use-of-unitialized-value-warning.patch b/queue-4.4/perf-header-fix-use-of-unitialized-value-warning.patch
new file mode 100644
index 00000000000..2b66e8c5fb9
--- /dev/null
+++ b/queue-4.4/perf-header-fix-use-of-unitialized-value-warning.patch
@@ -0,0 +1,68 @@
+From d25c0832516b6d49898922dcc2c43ad86677cc85 Mon Sep 17 00:00:00 2001
+From: Numfor Mbiziwo-Tiapo
+Date: Wed, 24 Jul 2019 16:44:58 -0700
+Subject: perf header: Fix use of unitialized value warning
+
+[ Upstream commit 20f9781f491360e7459c589705a2e4b1f136bee9 ]
+
+When building our local version of perf with MSAN (Memory Sanitizer) and
+running the perf record command, MSAN throws a use of uninitialized
+value warning in "tools/perf/util/util.c:333:6".
+
+This warning stems from the "buf" variable being passed into "write".
+It originated as the variable "ev" with the type union perf_event*
+defined in the "perf_event__synthesize_attr" function in
+"tools/perf/util/header.c".
+
+In the "perf_event__synthesize_attr" function they allocate space with a malloc
+call using ev, then go on to only assign some of the member variables before
+passing "ev" on as a parameter to the "process" function therefore "ev"
+contains uninitialized memory. Changing the malloc call to zalloc to initialize
+all the members of "ev" which gets rid of the warning.
+
+To reproduce this warning, build perf by running:
+make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-fsanitize=memory\
+ -fsanitize-memory-track-origins"
+
+(Additionally, llvm might have to be installed and clang might have to
+be specified as the compiler - export CC=/usr/bin/clang)
+
+then running:
+tools/perf/perf record -o - ls / | tools/perf/perf --no-pager annotate\
+ -i - --stdio
+
+Please see the cover letter for why false positive warnings may be
+generated.
+
+Signed-off-by: Numfor Mbiziwo-Tiapo
+Cc: Alexander Shishkin
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Mark Drayton
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Song Liu
+Cc: Stephane Eranian
+Link: http://lkml.kernel.org/r/20190724234500.253358-2-nums@google.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/header.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index 0102dd46fb6da..bcb8e85a40f90 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -2680,7 +2680,7 @@ int perf_event__synthesize_attr(struct perf_tool *tool,
+ size += sizeof(struct perf_event_header);
+ size += ids * sizeof(u64);
+
+- ev = malloc(size);
++ ev = zalloc(size);
+
+ if (ev == NULL)
+ return -ENOMEM;
+--
+2.20.1
+
diff --git a/queue-4.4/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch b/queue-4.4/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch
new file mode 100644
index 00000000000..2f7ca582f86
--- /dev/null
+++ b/queue-4.4/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch
@@ -0,0 +1,59 @@
+From 879da3556dbf1f9fb3b45e1f9df68ab43c3e8574 Mon Sep 17 00:00:00 2001
+From: Don Brace
+Date: Wed, 24 Jul 2019 17:08:06 -0500
+Subject: scsi: hpsa: correct scsi command status issue after reset
+
+[ Upstream commit eeebce1862970653cdf5c01e98bc669edd8f529a ]
+
+Reviewed-by: Bader Ali - Saleh
+Reviewed-by: Scott Teel
+Reviewed-by: Scott Benesh
+Reviewed-by: Kevin Barnett
+Signed-off-by: Don Brace
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/hpsa.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index e0952882e1320..fcce3ae119fa4 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2153,6 +2153,8 @@ static int handle_ioaccel_mode2_error(struct ctlr_info *h,
+ case IOACCEL2_SERV_RESPONSE_COMPLETE:
+ switch (c2->error_data.status) {
+ case IOACCEL2_STATUS_SR_TASK_COMP_GOOD:
++ if (cmd)
++ cmd->result = 0;
+ break;
+ case IOACCEL2_STATUS_SR_TASK_COMP_CHK_COND:
+ cmd->result |= SAM_STAT_CHECK_CONDITION;
+@@ -2320,8 +2322,10 @@ static void process_ioaccel2_completion(struct ctlr_info *h,
+
+ /* check for good status */
+ if (likely(c2->error_data.serv_response == 0 &&
+- c2->error_data.status == 0))
++ c2->error_data.status == 0)) {
++ cmd->result = 0;
+ return hpsa_cmd_free_and_done(h, c, cmd);
++ }
+
+ /*
+ * Any RAID offload error results in retry which will use
+@@ -5236,6 +5240,12 @@ static int hpsa_scsi_queue_command(struct Scsi_Host *sh, struct scsi_cmnd *cmd)
+ }
+ c = cmd_tagged_alloc(h, cmd);
+
++ /*
++ * This is necessary because the SML doesn't zero out this field during
++ * error recovery.
++ */
++ cmd->result = 0;
++
+ /*
+ * Call alternate submit routine for I/O accelerated commands.
+ * Retries always go down the normal I/O path.
+--
+2.20.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 3932dd6ac3d..66fe183f323 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
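Review bot: The NULL guard on `cmd` is applied in only one of the places that now write `cmd->result`: handle_ioaccel_mode2_error() tests `if (cmd)` under IOACCEL2_STATUS_SR_TASK_COMP_GOOD, while the very next case does `cmd->result |= SAM_STAT_CHECK_CONDITION` unguarded and process_ioaccel2_completion() assigns `cmd->result = 0` unconditionally. Either cmd can be NULL on these completion paths, in which case the neighbouring writes need the same guard, or it cannot, and the test should be dropped so it does not imply otherwise. The commit message has no body at all; a sentence saying which stale status was being reported after a reset, which the new comment in hpsa_scsi_queue_command() only hints at, would help anyone auditing this later. All three functions continue outside their hunks.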
@@ -42,3 +42,15 @@ hid-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
 input-kbtab-sanity-check-for-endpoint-type.patch
 input-iforce-add-sanity-checks.patch
 net-usb-pegasus-fix-improper-read-if-get_registers-fail.patch
+xen-pciback-remove-set-but-not-used-variable-old_sta.patch
+irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch
+perf-header-fix-divide-by-zero-error-if-f_header.att.patch
+perf-header-fix-use-of-unitialized-value-warning.patch
+libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch
+scsi-hpsa-correct-scsi-command-status-issue-after-re.patch
+exit-make-setting-exit_state-consistent.patch
+ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
+kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch
+ib-core-add-mitigation-for-spectre-v1.patch
+ocfs2-remove-set-but-not-used-variable-last_hash.patch
+asm-generic-fix-wtype-limits-compiler-warnings.patch
diff --git a/queue-4.4/xen-pciback-remove-set-but-not-used-variable-old_sta.patch b/queue-4.4/xen-pciback-remove-set-but-not-used-variable-old_sta.patch
new file mode 100644
index 00000000000..909cf271ea3
--- /dev/null
+++ b/queue-4.4/xen-pciback-remove-set-but-not-used-variable-old_sta.patch
@@ -0,0 +1,46 @@
+From 7865f0554c14d057354fa230e3629c780ff41d57 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Wed, 24 Jul 2019 22:08:50 +0800
+Subject: xen/pciback: remove set but not used variable 'old_state'
+
+[ Upstream commit 09e088a4903bd0dd911b4f1732b250130cdaffed ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/xen/xen-pciback/conf_space_capability.c: In function pm_ctrl_write:
+drivers/xen/xen-pciback/conf_space_capability.c:119:25: warning:
+ variable old_state set but not used [-Wunused-but-set-variable]
+
+It is never used so can be removed.
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/xen-pciback/conf_space_capability.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
+index 7f83e9083e9dd..b1a1d7de0894e 100644
+--- a/drivers/xen/xen-pciback/conf_space_capability.c
++++ b/drivers/xen/xen-pciback/conf_space_capability.c
+@@ -115,13 +115,12 @@ static int pm_ctrl_write(struct pci_dev *dev, int offset, u16 new_value,
+ {
+ int err;
+ u16 old_value;
+- pci_power_t new_state, old_state;
++ pci_power_t new_state;
+
+ err = pci_read_config_word(dev, offset, &old_value);
+ if (err)
+ goto out;
+
+- old_state = (pci_power_t)(old_value & PCI_PM_CTRL_STATE_MASK);
+ new_state = (pci_power_t)(new_value & PCI_PM_CTRL_STATE_MASK);
+
+ new_value &= PM_OK_BITS;
+--
+2.20.1
+
--
2.47.3