From 76fedcaa9797261e8ec4e4b273a4efb1e1358a7d Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 14 Dec 2017 21:32:14 +0100 Subject: [PATCH] 3.18-stable patches added patches: afs-connect-up-the-cb.probeuuid.patch arm-kvm-survive-unknown-traps-from-guests.patch atm-horizon-fix-irq-release-error.patch audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch axonram-fix-gendisk-handling.patch bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch i2c-riic-fix-restart-condition.patch ib-mlx4-increase-maximal-message-size-under-ud-qp.patch ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch irqchip-crossbar-fix-incorrect-type-of-register-size.patch kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch nfs-fix-a-typo-in-nfs_rename.patch revert-drm-armada-fix-compile-fail.patch revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch route-also-update-fnhe_genid-when-updating-a-route-cache.patch route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch selftest-powerpc-fix-false-failures-for-skipped-tests.patch sparc64-mm-set-fields-in-deferred-pages.patch spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch sunrpc-fix-rpc_task_begin-trace-point.patch usb-gadget-configs-plug-memory-leak.patch usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch 
xfrm-copy-policy-family-in-clone_policy.patch --- .../afs-connect-up-the-cb.probeuuid.patch | 33 ++++++ ...vm-survive-unknown-traps-from-guests.patch | 87 ++++++++++++++ .../atm-horizon-fix-irq-release-error.patch | 34 ++++++ ...t-1-actually-enables-audit-for-pid-1.patch | 64 +++++++++++ queue-3.18/axonram-fix-gendisk-handling.patch | 47 ++++++++ ...un-of-vfpf-multicast-addresses-array.patch | 79 +++++++++++++ ...leting-crypto-request-in-irq-handler.patch | 42 +++++++ ...line-number-to-be-large-instead-of-0.patch | 42 +++++++ ...-fix-definition-of-nrecmemb-register.patch | 83 ++++++++++++++ ...5400-fix-use-of-mtr_dram_width-macro.patch | 55 +++++++++ .../i2c-riic-fix-restart-condition.patch | 42 +++++++ ...ase-maximal-message-size-under-ud-qp.patch | 49 ++++++++ ...assign-send-cq-and-recv-cq-of-umr-qp.patch | 39 +++++++ ...-reorder-icmpv6_init-and-ip6_mr_init.patch | 96 ++++++++++++++++ ...-fix-incorrect-type-of-register-size.patch | 58 ++++++++++ ...ing-if-the-vcpu-is-going-to-be-reset.patch | 96 ++++++++++++++++ ...-the-avail-variable-an-atomic_long_t.patch | 102 +++++++++++++++++ ...m-protocol-error-in-ata_sff_qc_issue.patch | 39 +++++++ queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch | 32 ++++++ .../revert-drm-armada-fix-compile-fail.patch | 26 +++++ ...rsions-for-symbols-exported-from-asm.patch | 30 +++++ ...he_genid-when-updating-a-route-cache.patch | 64 +++++++++++ ...es-for-redirect-when-the-fnhe-exists.patch | 50 ++++++++ ...ware-error-recovery-on-sli3-adapters.patch | 46 ++++++++ ...n-it-is-already-dead-in-sctp_sendmsg.patch | 79 +++++++++++++ ...-after-waking-up-from-wait_buf-sleep.patch | 104 +++++++++++++++++ ...fix-false-failures-for-skipped-tests.patch | 55 +++++++++ queue-3.18/series | 34 ++++++ ...rc64-mm-set-fields-in-deferred-pages.patch | 107 ++++++++++++++++++ ...95-fix-bug-key-accdaa28-not-in-.data.patch | 28 +++++ ...unrpc-fix-rpc_task_begin-trace-point.patch | 35 ++++++ .../usb-gadget-configs-plug-memory-leak.patch | 31 +++++ 
...-potential-memory-leak-in-dev_config.patch | 35 ++++++ ..._delayed_work-is-called-with-null-wq.patch | 36 ++++++ ...m-copy-policy-family-in-clone_policy.patch | 37 ++++++ 35 files changed, 1916 insertions(+) create mode 100644 queue-3.18/afs-connect-up-the-cb.probeuuid.patch create mode 100644 queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch create mode 100644 queue-3.18/atm-horizon-fix-irq-release-error.patch create mode 100644 queue-3.18/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch create mode 100644 queue-3.18/axonram-fix-gendisk-handling.patch create mode 100644 queue-3.18/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch create mode 100644 queue-3.18/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch create mode 100644 queue-3.18/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch create mode 100644 queue-3.18/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch create mode 100644 queue-3.18/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch create mode 100644 queue-3.18/i2c-riic-fix-restart-condition.patch create mode 100644 queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch create mode 100644 queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch create mode 100644 queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch create mode 100644 queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch create mode 100644 queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch create mode 100644 queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch create mode 100644 queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch create mode 100644 queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch create mode 100644 queue-3.18/revert-drm-armada-fix-compile-fail.patch create mode 100644 
queue-3.18/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch create mode 100644 queue-3.18/route-also-update-fnhe_genid-when-updating-a-route-cache.patch create mode 100644 queue-3.18/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch create mode 100644 queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch create mode 100644 queue-3.18/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch create mode 100644 queue-3.18/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch create mode 100644 queue-3.18/selftest-powerpc-fix-false-failures-for-skipped-tests.patch create mode 100644 queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch create mode 100644 queue-3.18/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch create mode 100644 queue-3.18/sunrpc-fix-rpc_task_begin-trace-point.patch create mode 100644 queue-3.18/usb-gadget-configs-plug-memory-leak.patch create mode 100644 queue-3.18/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch create mode 100644 queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch create mode 100644 queue-3.18/xfrm-copy-policy-family-in-clone_policy.patch diff --git a/queue-3.18/afs-connect-up-the-cb.probeuuid.patch b/queue-3.18/afs-connect-up-the-cb.probeuuid.patch new file mode 100644 index 00000000000..a6946790c3a --- /dev/null +++ b/queue-3.18/afs-connect-up-the-cb.probeuuid.patch 
@@ -0,0 +1,33 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: David Howells
+Date: Thu, 2 Nov 2017 15:27:48 +0000
+Subject: afs: Connect up the CB.ProbeUuid
+
+From: David Howells
+
+
+[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]
+
+The handler for the CB.ProbeUuid operation in the cache manager is
+implemented, but isn't listed in the switch-statement of operation
+selection, so won't be used. Fix this by adding it.
+
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/cmservice.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -115,6 +115,9 @@ bool afs_cm_incoming_call(struct afs_cal
+ case CBProbe:
+ call->type = &afs_SRXCBProbe;
+ return true;
++ case CBProbeUuid:
++ call->type = &afs_SRXCBProbeUuid;
++ return true;
+ case CBTellMeAboutYourself:
+ call->type = &afs_SRXCBTellMeAboutYourself;
+ return true;
diff --git a/queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch b/queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch
new file mode 100644
index 00000000000..0d5ec9bc764
--- /dev/null
+++ b/queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch
@@ -0,0 +1,87 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Mark Rutland
+Date: Mon, 20 Feb 2017 12:30:11 +0000
+Subject: arm: KVM: Survive unknown traps from guests
+
+From: Mark Rutland
+
+
+[ Upstream commit f050fe7a9164945dd1c28be05bf00e8cfb082ccf ]
+
+Currently we BUG() if we see a HSR.EC value we don't recognise. As
+configurable disables/enables are added to the architecture (controlled
+by RES1/RES0 bits respectively), with associated synchronous exceptions,
+it may be possible for a guest to trigger exceptions with classes that
+we don't recognise.
+
+While we can't service these exceptions in a manner useful to the guest,
+we can avoid bringing down the host. Per ARM DDI 0406C.c, all currently
+unallocated HSR EC encodings are reserved, and per ARM DDI
+0487A.k_iss10775, page G6-4395, EC values within the range 0x00 - 0x2c
+are reserved for future use with synchronous exceptions, and EC values
+within the range 0x2d - 0x3f may be used for either synchronous or
+asynchronous exceptions.
+
+The patch makes KVM handle any unknown EC by injecting an UNDEFINED
+exception into the guest, with a corresponding (ratelimited) warning in
+the host dmesg. We could later improve on this with with a new (opt-in)
+exit to the host userspace.
+
+Cc: Dave Martin
+Cc: Suzuki K Poulose
+Reviewed-by: Christoffer Dall
+Signed-off-by: Mark Rutland
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/include/asm/kvm_arm.h | 1 +
+ arch/arm/kvm/handle_exit.c | 19 ++++++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_arm.h
++++ b/arch/arm/include/asm/kvm_arm.h
+@@ -208,6 +208,7 @@
+ #define HSR_EC_IABT_HYP (0x21)
+ #define HSR_EC_DABT (0x24)
+ #define HSR_EC_DABT_HYP (0x25)
++#define HSR_EC_MAX (0x3f)
+
+ #define HSR_WFI_IS_WFE (1U << 0)
+
+--- a/arch/arm/kvm/handle_exit.c
++++ b/arch/arm/kvm/handle_exit.c
+@@ -98,7 +98,19 @@ static int kvm_handle_wfx(struct kvm_vcp
+ return 1;
+ }
+
++static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
++{
++ u32 hsr = kvm_vcpu_get_hsr(vcpu);
++
++ kvm_pr_unimpl("Unknown exception class: hsr: %#08x\n",
++ hsr);
++
++ kvm_inject_undefined(vcpu);
++ return 1;
++}
++
+ static exit_handle_fn arm_exit_handlers[] = {
++ [0 ... HSR_EC_MAX] = kvm_handle_unknown_ec,
+ [HSR_EC_WFI] = kvm_handle_wfx,
+ [HSR_EC_CP15_32] = kvm_handle_cp15_32,
+ [HSR_EC_CP15_64] = kvm_handle_cp15_64,
+@@ -120,13 +132,6 @@ static exit_handle_fn kvm_get_exit_handl
+ {
+ u8 hsr_ec = kvm_vcpu_trap_get_class(vcpu);
+
+- if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
+- !arm_exit_handlers[hsr_ec]) {
+- kvm_err("Unknown exception class: hsr: %#08x\n",
+- (unsigned int)kvm_vcpu_get_hsr(vcpu));
+- BUG();
+- }
+-
+ return arm_exit_handlers[hsr_ec];
+ }
+
diff --git a/queue-3.18/atm-horizon-fix-irq-release-error.patch b/queue-3.18/atm-horizon-fix-irq-release-error.patch
new file mode 100644
index 00000000000..5498d5f8541
--- /dev/null
+++ b/queue-3.18/atm-horizon-fix-irq-release-error.patch
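Review bot: The lookup `arm_exit_handlers[hsr_ec]` in kvm_get_exit_handler is now unchecked, so it stays in bounds only if kvm_vcpu_trap_get_class() never returns more than HSR_EC_MAX. `hsr_ec` is a `u8` and the table is sized by the `[0 ... HSR_EC_MAX]` initializer, but the helper's masking is not visible in this patch. Because the class value is guest-influenced, I would state the invariant next to the index, e.g. `/* EC is a 6-bit field: hsr_ec <= HSR_EC_MAX and every slot has a handler */`, or keep a cheap guard such as `if (hsr_ec > HSR_EC_MAX) return kvm_handle_unknown_ec;`. The body of kvm_get_exit_handler starts outside the hunk.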
@@ -0,0 +1,34 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Arvind Yadav
+Date: Tue, 14 Nov 2017 13:42:38 +0530
+Subject: atm: horizon: Fix irq release error
+
+From: Arvind Yadav
+
+
+[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]
+
+atm_dev_register() can fail here and passed parameters to free irq
+which is not initialised. Initialization of 'dev->irq' happened after
+the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
+free_irq().
+
+Signed-off-by: Arvind Yadav
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/horizon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/atm/horizon.c
++++ b/drivers/atm/horizon.c
+@@ -2828,7 +2828,7 @@ out:
+ return err;
+
+ out_free_irq:
+- free_irq(dev->irq, dev);
++ free_irq(irq, dev);
+ out_free:
+ kfree(dev);
+ out_release:
diff --git a/queue-3.18/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch b/queue-3.18/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
new file mode 100644
index 00000000000..64b80fe7cdd
--- /dev/null
+++ b/queue-3.18/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
@@ -0,0 +1,64 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Paul Moore
+Date: Fri, 1 Sep 2017 09:44:34 -0400
+Subject: audit: ensure that 'audit=1' actually enables audit for PID 1
+
+From: Paul Moore
+
+
+[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
+
+Prior to this patch we enabled audit in audit_init(), which is too
+late for PID 1 as the standard initcalls are run after the PID 1 task
+is forked. This means that we never allocate an audit_context (see
+audit_alloc()) for PID 1 and therefore miss a lot of audit events
+generated by PID 1.
+
+This patch enables audit as early as possible to help ensure that when
+PID 1 is forked it can allocate an audit_context if required.
+
+Reviewed-by: Richard Guy Briggs
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/audit.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -79,13 +79,13 @@ static int audit_initialized;
+ #define AUDIT_OFF 0
+ #define AUDIT_ON 1
+ #define AUDIT_LOCKED 2
+-u32 audit_enabled;
+-u32 audit_ever_enabled;
++u32 audit_enabled = AUDIT_OFF;
++u32 audit_ever_enabled = !!AUDIT_OFF;
+
+ EXPORT_SYMBOL_GPL(audit_enabled);
+
+ /* Default state when kernel boots without any parameters. */
+-static u32 audit_default;
++static u32 audit_default = AUDIT_OFF;
+
+ /* If auditing cannot proceed, audit_failure selects what happens. */
+ static u32 audit_failure = AUDIT_FAIL_PRINTK;
+@@ -1173,8 +1173,6 @@ static int __init audit_init(void)
+ skb_queue_head_init(&audit_skb_queue);
+ skb_queue_head_init(&audit_skb_hold_queue);
+ audit_initialized = AUDIT_INITIALIZED;
+- audit_enabled = audit_default;
+- audit_ever_enabled |= !!audit_default;
+
+ audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+
+@@ -1191,6 +1189,8 @@ static int __init audit_enable(char *str
+ audit_default = !!simple_strtol(str, NULL, 0);
+ if (!audit_default)
+ audit_initialized = AUDIT_DISABLED;
++ audit_enabled = audit_default;
++ audit_ever_enabled = !!audit_enabled;
+
+ pr_info("%s\n", audit_default ?
+ "enabled (after initialization)" : "disabled (until reboot)");
diff --git a/queue-3.18/axonram-fix-gendisk-handling.patch b/queue-3.18/axonram-fix-gendisk-handling.patch
new file mode 100644
index 00000000000..cccb563b25d
--- /dev/null
+++ b/queue-3.18/axonram-fix-gendisk-handling.patch
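Review bot: In audit_enable() the added `audit_enabled = audit_default;` makes the parsed boot parameter the effective audit state straight away, yet `audit_default` still comes from `!!simple_strtol(str, NULL, 0)` with no end-pointer check. A value that does not parse as a number (constructed example: `audit=on`) therefore evaluates to 0 and takes the "disabled (until reboot)" branch without any hint that the input was malformed. Since this function is now where auditing is actually switched on or off, it is the place to reject or at least log unparsable input. The `enabled (after initialization)` text in the pr_info also no longer describes what the new lines do. audit_enable() starts and ends outside the hunk.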
@@ -0,0 +1,47 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Jan Kara
+Date: Wed, 8 Mar 2017 14:56:05 +0100
+Subject: axonram: Fix gendisk handling
+
+From: Jan Kara
+
+
+[ Upstream commit 672a2c87c83649fb0167202342ce85af9a3b4f1c ]
+
+It is invalid to call del_gendisk() when disk->queue is NULL. Fix error
+handling in axon_ram_probe() to avoid doing that.
+
+Also del_gendisk() does not drop a reference to gendisk allocated by
+alloc_disk(). That has to be done by put_disk(). Add that call where
+needed.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/sysdev/axonram.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/axonram.c
++++ b/arch/powerpc/sysdev/axonram.c
+@@ -283,7 +283,9 @@ failed:
+ if (bank->disk->major > 0)
+ unregister_blkdev(bank->disk->major,
+ bank->disk->disk_name);
+- del_gendisk(bank->disk);
++ if (bank->disk->flags & GENHD_FL_UP)
++ del_gendisk(bank->disk);
++ put_disk(bank->disk);
+ }
+ device->dev.platform_data = NULL;
+ if (bank->io_addr != 0)
+@@ -308,6 +310,7 @@ axon_ram_remove(struct platform_device *
+ device_remove_file(&device->dev, &dev_attr_ecc);
+ free_irq(bank->irq_id, device);
+ del_gendisk(bank->disk);
++ put_disk(bank->disk);
+ iounmap((void __iomem *) bank->io_addr);
+ kfree(bank);
+
diff --git a/queue-3.18/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch b/queue-3.18/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
new file mode 100644
index 00000000000..95bff565049
--- /dev/null
+++ b/queue-3.18/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
@@ -0,0 +1,79 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Michal Schmidt
+Date: Fri, 3 Mar 2017 17:08:30 +0100
+Subject: bnx2x: fix possible overrun of VFPF multicast addresses array
+
+From: Michal Schmidt
+
+
+[ Upstream commit 22118d861cec5da6ed525aaf12a3de9bfeffc58f ]
+
+It is too late to check for the limit of the number of VF multicast
+addresses after they have already been copied to the req->multicast[]
+array, possibly overflowing it.
+
+Do the check before copying.
+
+Also fix the error path to not skip unlocking vf2pf_mutex.
+
+Signed-off-by: Michal Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+@@ -826,7 +826,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ struct bnx2x *bp = netdev_priv(dev);
+ struct vfpf_set_q_filters_tlv *req = &bp->vf2pf_mbox->req.set_q_filters;
+ struct pfvf_general_resp_tlv *resp = &bp->vf2pf_mbox->resp.general_resp;
+- int rc, i = 0;
++ int rc = 0, i = 0;
+ struct netdev_hw_addr *ha;
+
+ if (bp->state != BNX2X_STATE_OPEN) {
+@@ -841,6 +841,15 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ /* Get Rx mode requested */
+ DP(NETIF_MSG_IFUP, "dev->flags = %x\n", dev->flags);
+
++ /* We support PFVF_MAX_MULTICAST_PER_VF mcast addresses tops */
++ if (netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF) {
++ DP(NETIF_MSG_IFUP,
++ "VF supports not more than %d multicast MAC addresses\n",
++ PFVF_MAX_MULTICAST_PER_VF);
++ rc = -EINVAL;
++ goto out;
++ }
++
+ netdev_for_each_mc_addr(ha, dev) {
+ DP(NETIF_MSG_IFUP, "Adding mcast MAC: %pM\n",
+ bnx2x_mc_addr(ha));
+@@ -848,16 +857,6 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ i++;
+ }
+
+- /* We support four PFVF_MAX_MULTICAST_PER_VF mcast
+- * addresses tops
+- */
+- if (i >= PFVF_MAX_MULTICAST_PER_VF) {
+- DP(NETIF_MSG_IFUP,
+- "VF supports not more than %d multicast MAC addresses\n",
+- PFVF_MAX_MULTICAST_PER_VF);
+- return -EINVAL;
+- }
+-
+ req->n_multicast = i;
+ req->flags |= VFPF_SET_Q_FILTERS_MULTICAST_CHANGED;
+ req->vf_qid = 0;
+@@ -882,7 +881,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ out:
+ bnx2x_vfpf_finalize(bp, &req->first_tlv);
+
+- return 0;
++ return rc;
+ }
+
+ int bnx2x_vfpf_storm_rx_mode(struct bnx2x *bp)
diff --git a/queue-3.18/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch b/queue-3.18/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
new file mode 100644
index 00000000000..c235056ae4e
--- /dev/null
+++ b/queue-3.18/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
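Review bot: The copy loop under `netdev_for_each_mc_addr(ha, dev)` still advances `i` with no bound of its own, so after this change the only protection for req->multicast[] is the earlier `netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF` test. That is sufficient only if the address list cannot grow between the count and the walk, and the locking that would guarantee this is not visible here (the copy statement itself falls between two inner hunks). Either a comment naming the lock that covers both steps, or a defensive `if (i >= PFVF_MAX_MULTICAST_PER_VF) break;` at the top of the loop body, would make the bound local to the write. bnx2x_vfpf_set_mcast starts outside the shown hunks.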
@@ -0,0 +1,42 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Krzysztof Kozlowski
+Date: Sun, 5 Mar 2017 19:14:07 +0200
+Subject: crypto: s5p-sss - Fix completing crypto request in IRQ handler
+
+From: Krzysztof Kozlowski
+
+
+[ Upstream commit 07de4bc88ce6a4d898cad9aa4c99c1df7e87702d ]
+
+In a regular interrupt handler driver was finishing the crypt/decrypt
+request by calling complete on crypto request. This is disallowed since
+converting to skcipher in commit b286d8b1a690 ("crypto: skcipher - Add
+skcipher walk interface") and causes a warning:
+ WARNING: CPU: 0 PID: 0 at crypto/skcipher.c:430 skcipher_walk_first+0x13c/0x14c
+
+The interrupt is marked shared but in fact there are no other users
+sharing it. Thus the simplest solution seems to be to just use a
+threaded interrupt handler, after converting it to oneshot.
+
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/s5p-sss.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/s5p-sss.c
++++ b/drivers/crypto/s5p-sss.c
+@@ -682,8 +682,9 @@ static int s5p_aes_probe(struct platform
+ dev_warn(dev, "feed control interrupt is not available.\n");
+ goto err_irq;
+ }
+- err = devm_request_irq(dev, pdata->irq_fc, s5p_aes_interrupt,
+- IRQF_SHARED, pdev->name, pdev);
++ err = devm_request_threaded_irq(dev, pdata->irq_fc, NULL,
++ s5p_aes_interrupt, IRQF_ONESHOT,
++ pdev->name, pdev);
+ if (err < 0) {
+ dev_warn(dev, "feed control interrupt is not available.\n");
+ goto err_irq;
diff --git a/queue-3.18/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch b/queue-3.18/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
new file mode 100644
index 00000000000..7bd02c6578d
--- /dev/null
+++ b/queue-3.18/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Randy Dunlap
+Date: Fri, 17 Nov 2017 15:27:35 -0800
+Subject: dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
+
+From: Randy Dunlap
+
+
+[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]
+
+line-range is supposed to treat "1-" as "1-endoffile", so
+handle the special case by setting last_lineno to UINT_MAX.
+
+Fixes this error:
+
+ dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
+ dynamic_debug:ddebug_exec_query: query parse failed
+
+Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
+Signed-off-by: Randy Dunlap
+Acked-by: Jason Baron
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/dynamic_debug.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -353,6 +353,10 @@ static int ddebug_parse_query(char *word
+ if (parse_lineno(last, &query->last_lineno) < 0)
+ return -EINVAL;
+
++ /* special case for last lineno not specified */
++ if (query->last_lineno == 0)
++ query->last_lineno = UINT_MAX;
++
+ if (query->last_lineno < query->first_lineno) {
+ pr_err("last-line:%d < 1st-line:%d\n",
+ query->last_lineno,
diff --git a/queue-3.18/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch b/queue-3.18/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
new file mode 100644
index 00000000000..1ef414603c6
--- /dev/null
+++ b/queue-3.18/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
@@ -0,0 +1,83 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Jérémy Lefaure
+Date: Wed, 28 Jun 2017 20:57:29 -0400
+Subject: EDAC, i5000, i5400: Fix definition of NRECMEMB register
+
+From: Jérémy Lefaure
+
+
+[ Upstream commit a8c8261425649da58bdf08221570e5335ad33a31 ]
+
+In the i5000 and i5400 drivers, the NRECMEMB register is defined as a
+16-bit value, which results in wrong shifts in the code, as reported by
+sparse.
+
+In the datasheets ([1], section 3.9.22.20 and [2], section 3.9.22.21),
+this register is a 32-bit register. A u32 value for the register fixes
+the wrong shifts warnings and matches the datasheet.
+
+Also fix the mask to access to the CAS bits [27:16] in the i5000 driver.
+
+[1]: https://www.intel.com/content/dam/doc/datasheet/5000p-5000v-5000z-chipset-memory-controller-hub-datasheet.pdf
+[2]: https://www.intel.se/content/dam/doc/datasheet/5400-chipset-memory-controller-hub-datasheet.pdf
+
+Signed-off-by: Jérémy Lefaure
+Cc: linux-edac
+Link: http://lkml.kernel.org/r/20170629005729.8478-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/edac/i5000_edac.c | 6 +++---
+ drivers/edac/i5400_edac.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -227,7 +227,7 @@
+ #define NREC_RDWR(x) (((x)>>11) & 1)
+ #define NREC_RANK(x) (((x)>>8) & 0x7)
+ #define NRECMEMB 0xC0
+-#define NREC_CAS(x) (((x)>>16) & 0xFFFFFF)
++#define NREC_CAS(x) (((x)>>16) & 0xFFF)
+ #define NREC_RAS(x) ((x) & 0x7FFF)
+ #define NRECFGLOG 0xC4
+ #define NREEECFBDA 0xC8
+@@ -371,7 +371,7 @@ struct i5000_error_info {
+ /* These registers are input ONLY if there was a
+ * Non-Recoverable Error */
+ u16 nrecmema; /* Non-Recoverable Mem log A */
+- u16 nrecmemb; /* Non-Recoverable Mem log B */
++ u32 nrecmemb; /* Non-Recoverable Mem log B */
+
+ };
+
+@@ -407,7 +407,7 @@ static void i5000_get_error_info(struct
+ NERR_FAT_FBD, &info->nerr_fat_fbd);
+ pci_read_config_word(pvt->branchmap_werrors,
+ NRECMEMA, &info->nrecmema);
+- pci_read_config_word(pvt->branchmap_werrors,
++ pci_read_config_dword(pvt->branchmap_werrors,
+ NRECMEMB, &info->nrecmemb);
+
+ /* Clear the error bits, by writing them back */
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -368,7 +368,7 @@ struct i5400_error_info {
+
+ /* These registers are input ONLY if there was a Non-Rec Error */
+ u16 nrecmema; /* Non-Recoverable Mem log A */
+- u16 nrecmemb; /* Non-Recoverable Mem log B */
++ u32 nrecmemb; /* Non-Recoverable Mem log B */
+
+ };
+
+@@ -458,7 +458,7 @@ static void i5400_get_error_info(struct
+ NERR_FAT_FBD, &info->nerr_fat_fbd);
+ pci_read_config_word(pvt->branchmap_werrors,
+ NRECMEMA, &info->nrecmema);
+- pci_read_config_word(pvt->branchmap_werrors,
++ pci_read_config_dword(pvt->branchmap_werrors,
+ NRECMEMB, &info->nrecmemb);
+
+ /* Clear the error bits, by writing them back */
diff --git a/queue-3.18/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch b/queue-3.18/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
new file mode 100644
index 00000000000..fcb671a67c0
--- /dev/null
+++ b/queue-3.18/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Jérémy Lefaure
+Date: Wed, 8 Mar 2017 20:18:09 -0500
+Subject: EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
+
+From: Jérémy Lefaure
+
+
+[ Upstream commit e61555c29c28a4a3b6ba6207f4a0883ee236004d ]
+
+The MTR_DRAM_WIDTH macro returns the data width. It is sometimes used
+as if it returned a boolean true if the width if 8. Fix the tests where
+MTR_DRAM_WIDTH is misused.
+
+Signed-off-by: Jérémy Lefaure
+Cc: linux-edac
+Link: http://lkml.kernel.org/r/20170309011809.8340-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/edac/i5000_edac.c | 2 +-
+ drivers/edac/i5400_edac.c | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -1293,7 +1293,7 @@ static int i5000_init_csrows(struct mem_
+ dimm->mtype = MEM_FB_DDR2;
+
+ /* ask what device type on this row */
+- if (MTR_DRAM_WIDTH(mtr))
++ if (MTR_DRAM_WIDTH(mtr) == 8)
+ dimm->dtype = DEV_X8;
+ else
+ dimm->dtype = DEV_X4;
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -1207,13 +1207,14 @@ static int i5400_init_dimms(struct mem_c
+
+ dimm->nr_pages = size_mb << 8;
+ dimm->grain = 8;
+- dimm->dtype = MTR_DRAM_WIDTH(mtr) ? DEV_X8 : DEV_X4;
++ dimm->dtype = MTR_DRAM_WIDTH(mtr) == 8 ?
++ DEV_X8 : DEV_X4;
+ dimm->mtype = MEM_FB_DDR2;
+ /*
+ * The eccc mechanism is SDDC (aka SECC), with
+ * is similar to Chipkill.
+ */
+- dimm->edac_mode = MTR_DRAM_WIDTH(mtr) ?
++ dimm->edac_mode = MTR_DRAM_WIDTH(mtr) == 8 ?
+ EDAC_S8ECD8ED : EDAC_S4ECD4ED;
+ ndimms++;
+ }
diff --git a/queue-3.18/i2c-riic-fix-restart-condition.patch b/queue-3.18/i2c-riic-fix-restart-condition.patch
new file mode 100644
index 00000000000..edc6b5ab3d3
--- /dev/null
+++ b/queue-3.18/i2c-riic-fix-restart-condition.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Chris Brandt
+Date: Mon, 6 Mar 2017 15:20:51 -0500
+Subject: i2c: riic: fix restart condition
+
+From: Chris Brandt
+
+
+[ Upstream commit 2501c1bb054290679baad0ff7f4f07c714251f4c ]
+
+While modifying the driver to use the STOP interrupt, the completion of the
+intermediate transfers need to wake the driver back up in order to initiate
+the next transfer (restart condition). Otherwise you get never ending
+interrupts and only the first transfer sent.
+
+Fixes: 71ccea095ea1 ("i2c: riic: correctly finish transfers")
+Reported-by: Simon Horman
+Signed-off-by: Chris Brandt
+Tested-by: Simon Horman
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-riic.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-riic.c
++++ b/drivers/i2c/busses/i2c-riic.c
+@@ -218,8 +218,12 @@ static irqreturn_t riic_tend_isr(int irq
+ }
+
+ if (riic->is_last || riic->err) {
+- riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
++ riic_clear_set_bit(riic, ICIER_TEIE, ICIER_SPIE, RIIC_ICIER);
+ writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
++ } else {
++ /* Transfer is complete, but do not send STOP */
++ riic_clear_set_bit(riic, ICIER_TEIE, 0, RIIC_ICIER);
++ complete(&riic->msg_done);
+ }
+
+ return IRQ_HANDLED;
diff --git a/queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch b/queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
new file mode 100644
index 00000000000..9b99da40b05
--- /dev/null
+++ b/queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
@@ -0,0 +1,49 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Mark Bloch
+Date: Thu, 2 Nov 2017 15:22:26 +0200
+Subject: IB/mlx4: Increase maximal message size under UD QP
+
+From: Mark Bloch
+
+
+[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]
+
+Maximal message should be used as a limit to the max message payload allowed,
+without the headers. The ConnectX-3 check is done against this value includes
+the headers. When the payload is 4K this will cause the NIC to drop packets.
+
+Increase maximal message to 8K as workaround, this shouldn't change current
+behaviour because we continue to set the MTU to 4k.
+
+To reproduce;
+set MTU to 4296 on the corresponding interface, for example:
+ifconfig eth0 mtu 4296 (both server and client)
+
+On server:
+ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096
+
+On client:
+ib_send_bw -d mlx4_0 -c UD -s 4096 -n 1000000 -i 1 -m 4096
+
+Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
+Signed-off-by: Mark Bloch
+Reviewed-by: Majd Dibbiny
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx4/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -1465,7 +1465,7 @@ static int __mlx4_ib_modify_qp(struct ib
+ context->mtu_msgmax = (IB_MTU_4096 << 5) |
+ ilog2(dev->dev->caps.max_gso_sz);
+ else
+- context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
++ context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
+ } else if (attr_mask & IB_QP_PATH_MTU) {
+ if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
+ pr_err("path MTU (%u) is invalid\n",
diff --git a/queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch b/queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
new file mode 100644
index 00000000000..2ec43d1d56b
--- /dev/null
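Review bot: The bare `13` in `context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;` carries the whole rationale of this patch, yet nothing at the line explains it, so a later cleanup could easily "correct" it back to 12 to match the 4K MTU. A comment above the assignment would prevent that, for example `/* log2 of max message size: 8K rather than 4K, because ConnectX-3 counts the headers against this limit */`. __mlx4_ib_modify_qp() starts and ends outside the hunk.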
+++ b/queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
@@ -0,0 +1,39 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Majd Dibbiny
+Date: Mon, 30 Oct 2017 14:23:13 +0200
+Subject: IB/mlx5: Assign send CQ and recv CQ of UMR QP
+
+From: Majd Dibbiny
+
+
+[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]
+
+The UMR's QP is created by calling mlx5_ib_create_qp directly, and
+therefore the send CQ and the recv CQ on the ibqp weren't assigned.
+
+Assign them right after calling the mlx5_ib_create_qp to assure
+that any access to those pointers will work as expected and won't
+crash the system as might happen as part of reset flow.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Majd Dibbiny
+Reviewed-by: Yishai Hadas
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1099,6 +1099,8 @@ static int create_umr_res(struct mlx5_ib
+ qp->real_qp = qp;
+ qp->uobject = NULL;
+ qp->qp_type = MLX5_IB_QPT_REG_UMR;
++ qp->send_cq = init_attr->send_cq;
++ qp->recv_cq = init_attr->recv_cq;
+
+ attr->qp_state = IB_QPS_INIT;
+ attr->port_num = 1;
diff --git a/queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch b/queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
new file mode 100644
index 00000000000..639da356ec5
--- /dev/null
+++ b/queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
@@ -0,0 +1,96 @@ +From foo@baz Thu Dec 14 21:30:47 CET 2017 +From: WANG Cong +Date: Sun, 5 Mar 2017 12:34:53 -0800 +Subject: ipv6: reorder icmpv6_init() and ip6_mr_init() + +From: WANG Cong + + +[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ] + +Andrey reported the following kernel crash: + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +task: ffff88001f311700 task.stack: ffff88001f6e8000 +RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618 +RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000 +RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020 +RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000 +R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040 +FS: 00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0 +DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 +Call Trace: + rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217 + inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 + inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 + sock_release+0x8d/0x1e0 net/socket.c:597 + __sock_create+0x39d/0x880 net/socket.c:1226 + sock_create_kern+0x3f/0x50 net/socket.c:1243 + inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526 + icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954 + ops_init+0x10a/0x550 net/core/net_namespace.c:115 + setup_net+0x261/0x660 net/core/net_namespace.c:291 + copy_net_ns+0x27e/0x540 
net/core/net_namespace.c:396 +9pnet_virtio: no channels available for device ./file1 + create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106 + unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205 + SYSC_unshare kernel/fork.c:2281 [inline] + SyS_unshare+0x64e/0x1000 kernel/fork.c:2231 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +This is because net->ipv6.mr6_tables is not initialized at that point, +ip6mr_rules_init() is not called yet, therefore on the error path when +we iterator the list, we trigger this oops. Fix this by reordering +ip6mr_rules_init() before icmpv6_sk_init(). + +Reported-by: Andrey Konovalov +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/af_inet6.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -887,12 +887,12 @@ static int __init inet6_init(void) + err = register_pernet_subsys(&inet6_net_ops); + if (err) + goto register_pernet_fail; +- err = icmpv6_init(); +- if (err) +- goto icmp_fail; + err = ip6_mr_init(); + if (err) + goto ipmr_fail; ++ err = icmpv6_init(); ++ if (err) ++ goto icmp_fail; + err = ndisc_init(); + if (err) + goto ndisc_fail; +@@ -1010,10 +1010,10 @@ igmp_fail: + ndisc_cleanup(); + ndisc_fail: + ip6_mr_cleanup(); +-ipmr_fail: +- icmpv6_cleanup(); + icmp_fail: + unregister_pernet_subsys(&inet6_net_ops); ++ipmr_fail: ++ icmpv6_cleanup(); + register_pernet_fail: + sock_unregister(PF_INET6); + rtnl_unregister_all(PF_INET6); diff --git a/queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch b/queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch new file mode 100644 index 00000000000..66fafec0e72 --- /dev/null +++ b/queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch 
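Review bot: The second af_inet6.c hunk moves the `ipmr_fail:` label but leaves the cleanup calls where they were, so the unwind no longer mirrors the new init order (pernet subsys, ip6_mr_init, icmpv6_init, ndisc_init). As written, a failing ip6_mr_init() jumps to `ipmr_fail:` and runs icmpv6_cleanup() for an ICMPv6 layer that was never initialised while skipping unregister_pernet_subsys(), and a failing icmpv6_init() reaches `icmp_fail:` without ever calling ip6_mr_cleanup(). The label bodies should be swapped to match: `ndisc_fail:` runs `icmpv6_cleanup();`, `icmp_fail:` runs `ip6_mr_cleanup();`, and `ipmr_fail:` runs `unregister_pernet_subsys(&inet6_net_ops);`. inet6_init() starts and ends outside both hunks, so the remaining labels should be checked against the full function.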
@@ -0,0 +1,58 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Franck Demathieu
+Date: Mon, 6 Mar 2017 14:41:06 +0100
+Subject: irqchip/crossbar: Fix incorrect type of register size
+
+From: Franck Demathieu
+
+
+[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]
+
+The 'size' variable is unsigned according to the dt-bindings.
+As this variable is used as integer in other places, create a new variable
+that allows to fix the following sparse issue (-Wtypesign):
+
+ drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
+ drivers/irqchip/irq-crossbar.c:279:52: expected unsigned int [usertype] *out_value
+ drivers/irqchip/irq-crossbar.c:279:52: got int *
+
+Signed-off-by: Franck Demathieu
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-crossbar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-crossbar.c
++++ b/drivers/irqchip/irq-crossbar.c
+@@ -176,7 +176,7 @@ static const struct irq_domain_ops routa
+ static int __init crossbar_of_init(struct device_node *node)
+ {
+ int i, size, reserved = 0;
+- u32 max = 0, entry;
++ u32 max = 0, entry, reg_size;
+ const __be32 *irqsr;
+ int ret = -ENOMEM;
+
+@@ -253,9 +253,9 @@ static int __init crossbar_of_init(struc
+ if (!cb->register_offsets)
+ goto err_irq_map;
+
+- of_property_read_u32(node, "ti,reg-size", &size);
++ of_property_read_u32(node, "ti,reg-size", ®_size);
+
+- switch (size) {
++ switch (reg_size) {
+ case 1:
+ cb->write = crossbar_writeb;
+ break;
+@@ -281,7 +281,7 @@ static int __init crossbar_of_init(struc
+ continue;
+
+ cb->register_offsets[i] = reserved;
+- reserved += size;
++ reserved += reg_size;
+ }
+
+ of_property_read_u32(node, "ti,irqs-safe-map", &cb->safe_map);
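Review bot: `reg_size` is declared without an initialiser, and the return value of the `of_property_read_u32()` call that fills it from "ti,reg-size" is ignored. If the property is missing from the device tree, the helper presumably leaves its output untouched, so `switch (reg_size)` and the later `reserved += reg_size` would read an indeterminate value. The old `size` variable had the same gap, but a patch that introduces a dedicated variable is the natural place to close it: `u32 max = 0, entry, reg_size = 0;` would send a missing property to whatever default case the switch has (not visible in the hunk). crossbar_of_init() continues outside the hunks.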
diff --git a/queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch b/queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
new file mode 100644
index 00000000000..82aacce2ffe
--- /dev/null
+++ b/queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
@@ -0,0 +1,96 @@ +From foo@baz Thu Dec 14 21:30:47 CET 2017 +From: Wanpeng Li +Date: Mon, 6 Mar 2017 04:03:28 -0800 +Subject: KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset + +From: Wanpeng Li + + +[ Upstream commit 2f707d97982286b307ef2a9b034e19aabc1abb56 ] + +Reported by syzkaller: + + WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029 + nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029 + CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:15 [inline] + dump_stack+0x2ee/0x3ef lib/dump_stack.c:51 + panic+0x1fb/0x412 kernel/panic.c:179 + __warn+0x1c4/0x1e0 kernel/panic.c:540 + warn_slowpath_null+0x2c/0x40 kernel/panic.c:583 + nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029 + vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline] + vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324 + kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099 + do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128 + __msr_io arch/x86/kvm/x86.c:2577 [inline] + msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614 + kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497 + kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721 + vfs_ioctl fs/ioctl.c:43 [inline] + do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683 + SYSC_ioctl fs/ioctl.c:698 [inline] + SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +The syzkaller folks reported a nested_run_pending warning during userspace +clear VMX capability which is exposed to L1 before. + +The warning gets thrown while doing + +(*(uint32_t*)0x20aecfe8 = (uint32_t)0x1); +(*(uint32_t*)0x20aecfec = (uint32_t)0x0); +(*(uint32_t*)0x20aecff0 = (uint32_t)0x3a); +(*(uint32_t*)0x20aecff4 = (uint32_t)0x0); +(*(uint64_t*)0x20aecff8 = (uint64_t)0x0); +r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul, + 0x20aecfe8ul, 0, 0, 0, 0, 0, 0); + +i.e. 
KVM_SET_MSR ioctl with + +struct kvm_msrs { + .nmsrs = 1, + .pad = 0, + .entries = { + {.index = MSR_IA32_FEATURE_CONTROL, + .reserved = 0, + .data = 0} + } +} + +The VMLANCH/VMRESUME emulation should be stopped since the CPU is going to +reset here. This patch resets the nested_run_pending since the CPU is going +to be reset hence there should be nothing pending. + +Reported-by: Dmitry Vyukov +Suggested-by: Radim Krčmář +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Dmitry Vyukov +Cc: David Hildenbrand +Signed-off-by: Wanpeng Li +Reviewed-by: David Hildenbrand +Reviewed-by: Jim Mattson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9086,8 +9086,10 @@ static void nested_vmx_vmexit(struct kvm + */ + static void vmx_leave_nested(struct kvm_vcpu *vcpu) + { +- if (is_guest_mode(vcpu)) ++ if (is_guest_mode(vcpu)) { ++ to_vmx(vcpu)->nested.nested_run_pending = 0; + nested_vmx_vmexit(vcpu, -1, 0, 0); ++ } + free_nested(to_vmx(vcpu)); + } + diff --git a/queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch b/queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch new file mode 100644 index 00000000000..a5a2d5e55c9 --- /dev/null +++ b/queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch 
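Review bot: The new `to_vmx(vcpu)->nested.nested_run_pending = 0;` in vmx_leave_nested() has no comment, and without the commit message it reads as if a pending nested entry were silently discarded. A line above it would record the intent, for example `/* vCPU is being reset: nothing can be pending, and nested_vmx_vmexit() warns if this is still set */`. The second half of that comment is inferred from the WARNING in the quoted trace and should be confirmed against nested_vmx_vmexit(), which is outside the hunk.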
@@ -0,0 +1,102 @@ +From foo@baz Thu Dec 14 21:30:47 CET 2017 +From: Stephen Bates +Date: Fri, 17 Nov 2017 15:28:16 -0800 +Subject: lib/genalloc.c: make the avail variable an atomic_long_t + +From: Stephen Bates + + +[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ] + +If the amount of resources allocated to a gen_pool exceeds 2^32 then the +avail atomic overflows and this causes problems when clients try and +borrow resources from the pool. This is only expected to be an issue on +64 bit systems. + +Add the header to pull in atomic_long* operations. So +that 32 bit systems continue to use atomic32_t but 64 bit systems can +use atomic64_t. + +Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com +Signed-off-by: Stephen Bates +Reviewed-by: Logan Gunthorpe +Reviewed-by: Mathieu Desnoyers +Reviewed-by: Daniel Mentz +Cc: Jonathan Corbet +Cc: Andrew Morton +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/genalloc.h | 3 ++- + lib/genalloc.c | 10 +++++----- + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -31,6 +31,7 @@ + #define __GENALLOC_H__ + + #include ++#include + + struct device; + struct device_node; +@@ -66,7 +67,7 @@ struct gen_pool { + */ + struct gen_pool_chunk { + struct list_head next_chunk; /* next chunk in pool */ +- atomic_t avail; ++ atomic_long_t avail; + phys_addr_t phys_addr; /* physical starting address of memory chunk */ + unsigned long start_addr; /* start address of memory chunk */ + unsigned long end_addr; /* end address of memory chunk (inclusive) */ +--- a/lib/genalloc.c ++++ b/lib/genalloc.c +@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p + chunk->phys_addr = phys; + chunk->start_addr = virt; + chunk->end_addr = virt + size - 1; +- atomic_set(&chunk->avail, size); ++ atomic_long_set(&chunk->avail, size); + + 
spin_lock(&pool->lock); + list_add_rcu(&chunk->next_chunk, &pool->chunks); +@@ -285,7 +285,7 @@ unsigned long gen_pool_alloc(struct gen_ + nbits = (size + (1UL << order) - 1) >> order; + rcu_read_lock(); + list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) { +- if (size > atomic_read(&chunk->avail)) ++ if (size > atomic_long_read(&chunk->avail)) + continue; + + end_bit = chunk_size(chunk) >> order; +@@ -304,7 +304,7 @@ retry: + + addr = chunk->start_addr + ((unsigned long)start_bit << order); + size = nbits << order; +- atomic_sub(size, &chunk->avail); ++ atomic_long_sub(size, &chunk->avail); + break; + } + rcu_read_unlock(); +@@ -370,7 +370,7 @@ void gen_pool_free(struct gen_pool *pool + remain = bitmap_clear_ll(chunk->bits, start_bit, nbits); + BUG_ON(remain); + size = nbits << order; +- atomic_add(size, &chunk->avail); ++ atomic_long_add(size, &chunk->avail); + rcu_read_unlock(); + return; + } +@@ -444,7 +444,7 @@ size_t gen_pool_avail(struct gen_pool *p + + rcu_read_lock(); + list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) +- avail += atomic_read(&chunk->avail); ++ avail += atomic_long_read(&chunk->avail); + rcu_read_unlock(); + return avail; + } diff --git a/queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch b/queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch new file mode 100644 index 00000000000..99f87a15f4a --- /dev/null +++ b/queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch 
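Review bot: Widening `avail` to `atomic_long_t` covers the counter, but the byte count fed to it is still computed as `size = nbits << order;` in both gen_pool_alloc() and gen_pool_free(). If `nbits` and `order` are plain `int` there (their declarations are outside the hunks), the shift is evaluated in `int` and can overflow for very large requests, which is the range this patch is meant to make usable. It is worth checking the declarations and, if so, widening the shift to `size = (unsigned long)nbits << order;`, as the neighbouring `addr` computation already does with `(unsigned long)start_bit << order`.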
@@ -0,0 +1,39 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Tejun Heo
+Date: Mon, 6 Mar 2017 15:26:54 -0500
+Subject: libata: drop WARN from protocol error in ata_sff_qc_issue()
+
+From: Tejun Heo
+
+
+[ Upstream commit 0580b762a4d6b70817476b90042813f8573283fa ]
+
+ata_sff_qc_issue() expects upper layers to never issue commands on a
+command protocol that it doesn't implement. While the assumption
+holds fine with the usual IO path, nothing filters based on the
+command protocol in the passthrough path (which was added later),
+allowing the warning to be tripped with a passthrough command with the
+right (well, wrong) protocol.
+
+Failing with AC_ERR_SYSTEM is the right thing to do anyway. Remove
+the unnecessary WARN.
+
+Reported-by: Dmitry Vyukov
+Link: http://lkml.kernel.org/r/CACT4Y+bXkvevNZU8uP6X0QVqsj6wNoUA_1exfTSOzc+SmUtMOA@mail.gmail.com
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-sff.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -1480,7 +1480,6 @@ unsigned int ata_sff_qc_issue(struct ata
+ break;
+
+ default:
+- WARN_ON_ONCE(1);
+ return AC_ERR_SYSTEM;
+ }
+
diff --git a/queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch b/queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch
new file mode 100644
index 00000000000..3498d502157
--- /dev/null
+++ b/queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch
@@ -0,0 +1,32 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Trond Myklebust
+Date: Mon, 6 Nov 2017 15:28:04 -0500
+Subject: NFS: Fix a typo in nfs_rename()
+
+From: Trond Myklebust
+
+
+[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]
+
+On successful rename, the "old_dentry" is retained and is attached to
+the "new_dir", so we need to call nfs_set_verifier() accordingly.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2063,7 +2063,7 @@ out:
+ if (new_inode != NULL)
+ nfs_drop_nlink(new_inode);
+ d_move(old_dentry, new_dentry);
+- nfs_set_verifier(new_dentry,
++ nfs_set_verifier(old_dentry,
+ nfs_save_change_attribute(new_dir));
+ } else if (error == -ENOENT)
+ nfs_dentry_handle_enoent(old_dentry);
diff --git a/queue-3.18/revert-drm-armada-fix-compile-fail.patch b/queue-3.18/revert-drm-armada-fix-compile-fail.patch
new file mode 100644
index 00000000000..2ae65e3be20
--- /dev/null
+++ b/queue-3.18/revert-drm-armada-fix-compile-fail.patch
@@ -0,0 +1,26 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Sasha Levin
+Date: Thu, 7 Dec 2017 23:21:06 -0500
+Subject: Revert "drm/armada: Fix compile fail"
+
+From: Sasha Levin
+
+
+This reverts commit 82f260d472c3b4dbb7324624e395c3e91f73a040.
+
+Not required on < 4.10.
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/armada/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -5,5 +5,3 @@ armada-y += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
+-
+-CFLAGS_armada_trace.o := -I$(src)
diff --git a/queue-3.18/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch b/queue-3.18/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
new file mode 100644
index 00000000000..0e155b17d93
--- /dev/null
+++ b/queue-3.18/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
@@ -0,0 +1,30 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Sasha Levin
+Date: Fri, 8 Dec 2017 00:11:47 -0500
+Subject: Revert "s390/kbuild: enable modversions for symbols exported from asm"
+
+From: Sasha Levin
+
+
+This reverts commit cabab3f9f5ca077535080b3252e6168935b914af.
+
+Not needed for < 4.9.
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/asm-prototypes.h | 8 --------
+ 1 file changed, 8 deletions(-)
+ delete mode 100644 arch/s390/include/asm/asm-prototypes.h
+
+--- a/arch/s390/include/asm/asm-prototypes.h
++++ /dev/null
+@@ -1,8 +0,0 @@
+-#ifndef _ASM_S390_PROTOTYPES_H
+-
+-#include
+-#include
+-#include
+-#include
+-
+-#endif /* _ASM_S390_PROTOTYPES_H */
diff --git a/queue-3.18/route-also-update-fnhe_genid-when-updating-a-route-cache.patch b/queue-3.18/route-also-update-fnhe_genid-when-updating-a-route-cache.patch
new file mode 100644
index 00000000000..a54f81226bb
--- /dev/null
+++ b/queue-3.18/route-also-update-fnhe_genid-when-updating-a-route-cache.patch
@@ -0,0 +1,64 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Xin Long
+Date: Fri, 17 Nov 2017 14:27:18 +0800
+Subject: route: also update fnhe_genid when updating a route cache
+
+From: Xin Long
+
+
+[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]
+
+Now when ip route flush cache and it turn out all fnhe_genid != genid.
+If a redirect/pmtu icmp packet comes and the old fnhe is found and all
+it's members but fnhe_genid will be updated.
+
+Then next time when it looks up route and tries to rebind this fnhe to
+the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
+causes this redirect/pmtu icmp packet acutally not to be applied.
+
+This patch is to also reset fnhe_genid when updating a route cache.
+
+Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -622,9 +622,12 @@ static void update_or_create_fnhe(struct
+ struct fnhe_hash_bucket *hash;
+ struct fib_nh_exception *fnhe;
+ struct rtable *rt;
++ u32 genid, hval;
+ unsigned int i;
+ int depth;
+- u32 hval = fnhe_hashfun(daddr);
++
++ genid = fnhe_genid(dev_net(nh->nh_dev));
++ hval = fnhe_hashfun(daddr);
+
+ spin_lock_bh(&fnhe_lock);
+
+@@ -647,6 +650,8 @@ static void update_or_create_fnhe(struct
+ }
+
+ if (fnhe) {
++ if (fnhe->fnhe_genid != genid)
++ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+ if (pmtu) {
+@@ -671,7 +676,7 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_next = hash->chain;
+ rcu_assign_pointer(hash->chain, fnhe);
+ }
+- fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
++ fnhe->fnhe_genid = genid;
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+ fnhe->fnhe_pmtu = pmtu;
diff --git a/queue-3.18/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch b/queue-3.18/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
new file mode 100644
index 00000000000..7c4641eb16d
--- /dev/null
+++ b/queue-3.18/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
@@ -0,0 +1,50 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Xin Long
+Date: Fri, 17 Nov 2017 14:27:06 +0800
+Subject: route: update fnhe_expires for redirect when the fnhe exists
+
+From: Xin Long
+
+
+[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]
+
+Now when creating fnhe for redirect, it sets fnhe_expires for this
+new route cache. But when updating the exist one, it doesn't do it.
+It will cause this fnhe never to be expired.
+
+Paolo already noticed it before, in Jianlin's test case, it became
+even worse:
+
+When ip route flush cache, the old fnhe is not to be removed, but
+only clean it's members. When redirect comes again, this fnhe will
+be found and updated, but never be expired due to fnhe_expires not
+being set.
+
+So fix it by simply updating fnhe_expires even it's for redirect.
+
+Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
+Reported-by: Jianlin Shi
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -654,10 +654,9 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+- if (pmtu) {
++ if (pmtu)
+ fnhe->fnhe_pmtu = pmtu;
+- fnhe->fnhe_expires = max(1UL, expires);
+- }
++ fnhe->fnhe_expires = max(1UL, expires);
+ /* Update all cached dsts too */
+ rt = rcu_dereference(fnhe->fnhe_rth_input);
+ if (rt)
diff --git a/queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch b/queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
new file mode 100644
index 00000000000..13e8da21bd1
--- /dev/null
+++ b/queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
@@ -0,0 +1,46 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: James Smart
+Date: Sat, 4 Mar 2017 09:30:25 -0800
+Subject: scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
+
+From: James Smart
+
+
+[ Upstream commit 5d181531bc6169e19a02a27d202cf0e982db9d0e ]
+
+if REG_VPI fails, the driver was incorrectly issuing INIT_VFI
+(a SLI4 command) on a SLI3 adapter.
+
+Signed-off-by: Dick Kennedy
+Signed-off-by: James Smart
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/lpfc/lpfc_els.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7265,11 +7265,17 @@ lpfc_cmpl_reg_new_vport(struct lpfc_hba
+ spin_lock_irq(shost->host_lock);
+ vport->fc_flag |= FC_VPORT_NEEDS_REG_VPI;
+ spin_unlock_irq(shost->host_lock);
+- if (vport->port_type == LPFC_PHYSICAL_PORT
+- && !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG))
+- lpfc_issue_init_vfi(vport);
+- else
++ if (mb->mbxStatus == MBX_NOT_FINISHED)
++ break;
++ if ((vport->port_type == LPFC_PHYSICAL_PORT) &&
++ !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) {
++ if (phba->sli_rev == LPFC_SLI_REV4)
++ lpfc_issue_init_vfi(vport);
++ else
++ lpfc_initial_flogi(vport);
++ } else {
+ lpfc_initial_fdisc(vport);
++ }
+ break;
+ }
+ } else {
diff --git a/queue-3.18/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch b/queue-3.18/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
new file mode 100644
index 00000000000..a518dae228e
--- /dev/null
+++ b/queue-3.18/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch 
@@ -0,0 +1,79 @@ +From foo@baz Thu Dec 14 21:30:47 CET 2017 +From: Xin Long +Date: Wed, 15 Nov 2017 16:55:54 +0800 +Subject: sctp: do not free asoc when it is already dead in sctp_sendmsg + +From: Xin Long + + +[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ] + +Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without +holding sock sk. It means the current asoc can be freed elsewhere, +like when receiving an abort packet. + +If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf +returns err, the asoc will be freed again due to new_asoc is not nil. +An use-after-free issue would be triggered by this. + +This patch is to fix it by setting new_asoc with nil if the asoc is +already dead when cpu schedules back, so that it will not be freed +again in sctp_sendmsg. + +v1->v2: + set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf. + +Suggested-by: Neil Horman +Reported-by: Dmitry Vyukov +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1950,8 +1950,14 @@ static int sctp_sendmsg(struct kiocb *io + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); + if (!sctp_wspace(asoc)) { + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); +- if (err) ++ if (err) { ++ if (err == -ESRCH) { ++ /* asoc is already dead. 
*/ ++ new_asoc = NULL; ++ err = -EPIPE; ++ } + goto out_free; ++ } + } + + /* If an address is passed with the sendto/sendmsg call, it is used +@@ -6999,10 +7005,11 @@ static int sctp_wait_for_sndbuf(struct s + for (;;) { + prepare_to_wait_exclusive(&asoc->wait, &wait, + TASK_INTERRUPTIBLE); ++ if (asoc->base.dead) ++ goto do_dead; + if (!*timeo_p) + goto do_nonblock; +- if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING || +- asoc->base.dead) ++ if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING) + goto do_error; + if (signal_pending(current)) + goto do_interrupted; +@@ -7027,6 +7034,10 @@ out: + + return err; + ++do_dead: ++ err = -ESRCH; ++ goto out; ++ + do_error: + err = -EPIPE; + goto out; diff --git a/queue-3.18/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch b/queue-3.18/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch new file mode 100644 index 00000000000..ee72404d4ab --- /dev/null +++ b/queue-3.18/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch 
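Review bot: The `/* asoc is already dead. */` comment in sctp_sendmsg() does not say why `new_asoc` is cleared, which is the step that prevents the second free described in the commit message. Suggest `/* asoc was torn down elsewhere while we slept; clear new_asoc so out_free does not free it again */`. A line at `do_dead:` noting that `-ESRCH` is internal to this pair of functions and is translated to `-EPIPE` before it reaches user space would also help anyone adding another caller of sctp_wait_for_sndbuf(). Both functions extend beyond the hunks.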
@@ -0,0 +1,104 @@ +From foo@baz Thu Dec 14 21:30:47 CET 2017 +From: Xin Long +Date: Wed, 15 Nov 2017 16:57:26 +0800 +Subject: sctp: use the right sk after waking up from wait_buf sleep + +From: Xin Long + + +[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ] + +Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads +sleeping on it") fixed the race between peeloff and wait sndbuf by +checking waitqueue_active(&asoc->wait) in sctp_do_peeloff(). + +But it actually doesn't work, as even if waitqueue_active returns false +the waiting sndbuf thread may still not yet hold sk lock. After asoc is +peeled off, sk is not asoc->base.sk any more, then to hold the old sk +lock couldn't make assoc safe to access. + +This patch is to fix this by changing to hold the new sk lock if sk is +not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the +new sk. + +With this fix, there is no more race between peeloff and waitbuf, the +check 'waitqueue_active' in sctp_do_peeloff can be removed. + +Thanks Marcelo and Neil for making this clear. + +v1->v2: + fix it by changing to lock the new sock instead of adding a flag in asoc. + +Suggested-by: Neil Horman +Signed-off-by: Xin Long +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -82,8 +82,8 @@ + /* Forward declarations for internal helper functions. 
*/ + static int sctp_writeable(struct sock *sk); + static void sctp_wfree(struct sk_buff *skb); +-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p, +- size_t msg_len); ++static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, ++ size_t msg_len, struct sock **orig_sk); + static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p); + static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p); + static int sctp_wait_for_accept(struct sock *sk, long timeo); +@@ -1949,7 +1949,8 @@ static int sctp_sendmsg(struct kiocb *io + + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); + if (!sctp_wspace(asoc)) { +- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); ++ /* sk can be changed by peel off when waiting for buf. */ ++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk); + if (err) { + if (err == -ESRCH) { + /* asoc is already dead. */ +@@ -4479,12 +4480,6 @@ int sctp_do_peeloff(struct sock *sk, sct + if (!asoc) + return -EINVAL; + +- /* If there is a thread waiting on more sndbuf space for +- * sending on this asoc, it cannot be peeled. +- */ +- if (waitqueue_active(&asoc->wait)) +- return -EBUSY; +- + /* An association cannot be branched off from an already peeled-off + * socket, nor is this supported for tcp style sockets. + */ +@@ -6988,7 +6983,7 @@ void sctp_sock_rfree(struct sk_buff *skb + + /* Helper function to wait for space in the sndbuf. 
*/ + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, +- size_t msg_len) ++ size_t msg_len, struct sock **orig_sk) + { + struct sock *sk = asoc->base.sk; + int err = 0; +@@ -7022,11 +7017,17 @@ static int sctp_wait_for_sndbuf(struct s + release_sock(sk); + current_timeo = schedule_timeout(current_timeo); + lock_sock(sk); ++ if (sk != asoc->base.sk) { ++ release_sock(sk); ++ sk = asoc->base.sk; ++ lock_sock(sk); ++ } + + *timeo_p = current_timeo; + } + + out: ++ *orig_sk = sk; + finish_wait(&asoc->wait, &wait); + + /* Release the association's refcnt. */ diff --git a/queue-3.18/selftest-powerpc-fix-false-failures-for-skipped-tests.patch b/queue-3.18/selftest-powerpc-fix-false-failures-for-skipped-tests.patch new file mode 100644 index 00000000000..ca2d3882be8 --- /dev/null +++ b/queue-3.18/selftest-powerpc-fix-false-failures-for-skipped-tests.patch 
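Review bot: After `schedule_timeout()` the new code in sctp_wait_for_sndbuf() switches to `asoc->base.sk` and locks it, but from the visible lines this thread holds a reference only on the association, not on the socket it was peeled off to. If that socket can be closed concurrently, both the `lock_sock(sk)` and the `*orig_sk = sk;` hand-back to sctp_sendmsg() rely on the association keeping it alive, which the hunk does not establish. A more conservative shape is to treat a changed socket as an error right after re-taking the lock, `if (sk != asoc->base.sk) goto do_error;`, or else to take a socket reference before locking the new one. Locals that sctp_sendmsg() derived from the old `sk` before the wait are outside the hunk and would need the same review.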
@@ -0,0 +1,55 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Sachin Sant
+Date: Sun, 26 Feb 2017 11:38:39 +0530
+Subject: selftest/powerpc: Fix false failures for skipped tests
+
+From: Sachin Sant
+
+
+[ Upstream commit a6d8a21596df041f36f4c2ccc260c459e3e851f1 ]
+
+Tests under alignment subdirectory are skipped when executed on previous
+generation hardware, but harness still marks them as failed.
+
+ test: test_copy_unaligned
+ tags: git_version:unknown
+ [SKIP] Test skipped on line 26
+ skip: test_copy_unaligned
+ selftests: copy_unaligned [FAIL]
+
+The MAGIC_SKIP_RETURN_VALUE value assigned to rc variable is retained till
+the program exit which causes the test to be marked as failed.
+
+This patch resets the value before returning to the main() routine.
+With this patch the test o/p is as follows:
+
+ test: test_copy_unaligned
+ tags: git_version:unknown
+ [SKIP] Test skipped on line 26
+ skip: test_copy_unaligned
+ selftests: copy_unaligned [PASS]
+
+Signed-off-by: Sachin Sant
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/powerpc/harness.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -105,9 +105,11 @@ int test_harness(int (test_function)(voi
+
+ rc = run_test(test_function, name);
+
+- if (rc == MAGIC_SKIP_RETURN_VALUE)
++ if (rc == MAGIC_SKIP_RETURN_VALUE) {
+ test_skip(name);
+- else
++ /* so that skipped test is not marked as failed */
++ rc = 0;
++ } else
+ test_finish(name, rc);
+
+ return rc;
diff --git a/queue-3.18/series b/queue-3.18/series
index 4fa7959e898..422863b4b96 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
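Review bot: Resetting `rc` to 0 in the skip branch of `test_harness()` makes a skipped test indistinguishable from a passing one to the caller, and the sample output in the description indeed shows `[PASS]` for a test that never ran. If the runner has no separate skip status, a comment such as `/* skip is reported as success; the [SKIP] log line is the only trace that the test did not run */` would keep readers from treating a green result as coverage. The `} else` that follows leaves one branch braced and the other not; kernel style would write `} else {` and brace `test_finish(name, rc);` as well. test_harness() begins outside the hunk.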
@@ -26,3 +26,37 @@ arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
 rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch
 sit-update-frag_off-info.patch
 net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch
+revert-drm-armada-fix-compile-fail.patch
+revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
+selftest-powerpc-fix-false-failures-for-skipped-tests.patch
+usb-gadget-configs-plug-memory-leak.patch
+usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
+libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
+workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
+scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
+irqchip-crossbar-fix-incorrect-type-of-register-size.patch
+kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
+arm-kvm-survive-unknown-traps-from-guests.patch
+spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
+bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
+ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
+crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
+i2c-riic-fix-restart-condition.patch
+axonram-fix-gendisk-handling.patch
+edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
+edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
+route-also-update-fnhe_genid-when-updating-a-route-cache.patch
+route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
+lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
+dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
+nfs-fix-a-typo-in-nfs_rename.patch
+sunrpc-fix-rpc_task_begin-trace-point.patch
+sparc64-mm-set-fields-in-deferred-pages.patch
+sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
+sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
+atm-horizon-fix-irq-release-error.patch
+xfrm-copy-policy-family-in-clone_policy.patch
+ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
+ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
+afs-connect-up-the-cb.probeuuid.patch
+audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
diff --git a/queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch b/queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch
new file mode 100644
index 00000000000..7b0302a9178
--- /dev/null
+++ b/queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch
@@ -0,0 +1,107 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Pavel Tatashin
+Date: Wed, 15 Nov 2017 17:36:18 -0800
+Subject: sparc64/mm: set fields in deferred pages
+
+From: Pavel Tatashin
+
+
+[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]
+
+Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
+flags and other fields in "struct page"es are never changed prior to
+first initializing struct pages by going through __init_single_page().
+
+With deferred struct page feature enabled there is a case where we set
+some fields prior to initializing:
+
+mem_init() {
+ register_page_bootmem_info();
+ free_all_bootmem();
+ ...
+}
+
+When register_page_bootmem_info() is called only non-deferred struct
+pages are initialized. But, this function goes through some reserved
+pages which might be part of the deferred, and thus are not yet
+initialized.
+
+mem_init
+register_page_bootmem_info
+register_page_bootmem_info_node
+ get_page_bootmem
+ .. setting fields here ..
+ such as: page->freelist = (void *)type;
+
+free_all_bootmem()
+free_low_memory_core_early()
+ for_each_reserved_mem_region()
+ reserve_bootmem_region()
+ init_reserved_page() <- Only if this is deferred reserved page
+ __init_single_pfn()
+ __init_single_page()
+ memset(0) <-- Loose the set fields here
+
+We end up with similar issue as in the previous patch, where currently
+we do not observe problem as memory is zeroed. But, if flag asserts are
+changed we can start hitting issues.
+
+Also, because in this patch series we will stop zeroing struct page
+memory during allocation, we must make sure that struct pages are
+properly initialized prior to using them.
+
+The deferred-reserved pages are initialized in free_all_bootmem().
+Therefore, the fix is to switch the above calls.
+
+Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
+Signed-off-by: Pavel Tatashin
+Reviewed-by: Steven Sistare
+Reviewed-by: Daniel Jordan
+Reviewed-by: Bob Picco
+Acked-by: David S. Miller
+Acked-by: Michal Hocko
+Cc: Alexander Potapenko
+Cc: Andrey Ryabinin
+Cc: Ard Biesheuvel
+Cc: Catalin Marinas
+Cc: Christian Borntraeger
+Cc: Dmitry Vyukov
+Cc: Heiko Carstens
+Cc: "H. Peter Anvin"
+Cc: Ingo Molnar
+Cc: Mark Rutland
+Cc: Matthew Wilcox
+Cc: Mel Gorman
+Cc: Michal Hocko
+Cc: Sam Ravnborg
+Cc: Thomas Gleixner
+Cc: Will Deacon
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/mm/init_64.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -2215,10 +2215,17 @@ void __init mem_init(void)
+ {
+ high_memory = __va(last_valid_pfn << PAGE_SHIFT);
+
+- register_page_bootmem_info();
+ free_all_bootmem();
+
+ /*
++ * Must be done after boot memory is put on freelist, because here we
++ * might set fields in deferred struct pages that have not yet been
++ * initialized, and free_all_bootmem() initializes all the reserved
++ * deferred pages for us.
++ */
++ register_page_bootmem_info();
++
++ /*
+ * Set up the zero page, mark it reserved, so that page count
+ * is not manipulated when freeing the page from user ptes.
+ */
diff --git a/queue-3.18/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch b/queue-3.18/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
new file mode 100644
index 00000000000..1b7b4a341ba
--- /dev/null
+++ b/queue-3.18/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
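Review bot: The comment added above the moved `register_page_bootmem_info()` call in `mem_init()` justifies the new order by deferred struct pages, which the description ties to CONFIG_DEFERRED_STRUCT_PAGE_INIT; for a 3.18 queue it is worth confirming that the target tree has that option at all. If it does not, the reorder changes boot-time ordering without fixing anything there, and the comment describes a mechanism the tree lacks. The description also relies on `free_all_bootmem()` initializing the reserved deferred pages, so the same check applies to that behaviour. mem_init() continues past the end of the hunk.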
@@ -0,0 +1,28 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: "Blomme, Maarten"
+Date: Thu, 2 Mar 2017 13:08:36 +0100
+Subject: spi_ks8995: fix "BUG: key accdaa28 not in .data!"
+
+From: "Blomme, Maarten"
+
+
+[ Upstream commit 4342696df764ec65dcdfbd0c10d90ea52505f8ba ]
+
+Signed-off-by: Maarten Blomme
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/spi_ks8995.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -332,6 +332,7 @@ static int ks8995_probe(struct spi_devic
+ if (err)
+ return err;
+
++ sysfs_attr_init(&ks->regs_attr.attr);
+ err = sysfs_create_bin_file(&spi->dev.kobj, &ks->regs_attr);
+ if (err) {
+ dev_err(&spi->dev, "unable to create sysfs file, err=%d\n",
diff --git a/queue-3.18/sunrpc-fix-rpc_task_begin-trace-point.patch b/queue-3.18/sunrpc-fix-rpc_task_begin-trace-point.patch
new file mode 100644
index 00000000000..c046d063e62
--- /dev/null
+++ b/queue-3.18/sunrpc-fix-rpc_task_begin-trace-point.patch
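Review bot: `ks->regs_attr` is handed to `sysfs_create_bin_file()` on the next line, so it is a binary attribute, and the matching initializer is `sysfs_bin_attr_init(&ks->regs_attr);` rather than reaching into `.attr` by hand. Both forms should give the attribute its lockdep key; the bin variant keeps the call in step with the attribute type. Since the patch description has no body, a comment such as `/* regs_attr is not static data, so lockdep needs its key initialized */` would record why the call is there. ks8995_probe() starts and ends outside the hunk.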
@@ -0,0 +1,35 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Chuck Lever
+Date: Fri, 3 Nov 2017 13:46:06 -0400
+Subject: sunrpc: Fix rpc_task_begin trace point
+
+From: Chuck Lever
+
+
+[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]
+
+The rpc_task_begin trace point always display a task ID of zero.
+Move the trace point call site so that it picks up the new task ID.
+
+Signed-off-by: Chuck Lever
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/sched.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -273,10 +273,9 @@ static inline void rpc_task_set_debuginf
+
+ static void rpc_set_active(struct rpc_task *task)
+ {
+- trace_rpc_task_begin(task->tk_client, task, NULL);
+-
+ rpc_task_set_debuginfo(task);
+ set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
++ trace_rpc_task_begin(task->tk_client, task, NULL);
+ }
+
+ /*
diff --git a/queue-3.18/usb-gadget-configs-plug-memory-leak.patch b/queue-3.18/usb-gadget-configs-plug-memory-leak.patch
new file mode 100644
index 00000000000..dcb0b68937e
--- /dev/null
+++ b/queue-3.18/usb-gadget-configs-plug-memory-leak.patch
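Review bot: Nothing in `rpc_set_active()` records that `trace_rpc_task_begin()` has to come after `rpc_task_set_debuginfo()`, which according to the description is the whole reason for the move. A comment above the relocated call, for example `/* trace after rpc_task_set_debuginfo() so the event carries the assigned task ID */`, would stop a later cleanup from hoisting it back to the top. The event now also fires after `RPC_TASK_ACTIVE` is set, which looks harmless but does change the state a tracer sees at that point.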
@@ -0,0 +1,31 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: John Keeping
+Date: Tue, 28 Feb 2017 10:55:30 +0000
+Subject: usb: gadget: configs: plug memory leak
+
+From: John Keeping
+
+
+[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]
+
+When binding a gadget to a device, "name" is stored in gi->udc_name, but
+this does not happen when unregistering and the string is leaked.
+
+Signed-off-by: John Keeping
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/configfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -266,6 +266,7 @@ static ssize_t gadget_dev_desc_UDC_store
+ ret = unregister_gadget(gi);
+ if (ret)
+ goto err;
++ kfree(name);
+ } else {
+ if (gi->udc_name) {
+ ret = -EBUSY;
diff --git a/queue-3.18/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch b/queue-3.18/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
new file mode 100644
index 00000000000..0b2a67b382b
--- /dev/null
+++ b/queue-3.18/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Christophe JAILLET
+Date: Tue, 21 Feb 2017 22:33:11 +0100
+Subject: USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
+
+From: Christophe JAILLET
+
+
+[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]
+
+'kbuf' is allocated just a few lines above using 'memdup_user()'.
+If the 'if (dev->buf)' test fails, this memory is never released.
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/legacy/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1921,8 +1921,10 @@ dev_config (struct file *fd, const char
+
+ spin_lock_irq (&dev->lock);
+ value = -EINVAL;
+- if (dev->buf)
++ if (dev->buf) {
++ kfree(kbuf);
+ goto fail;
++ }
+ dev->buf = kbuf;
+
+ /* full or low speed config */
diff --git a/queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch b/queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
new file mode 100644
index 00000000000..2f2ca147d10
--- /dev/null
+++ b/queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Tejun Heo
+Date: Mon, 6 Mar 2017 15:33:42 -0500
+Subject: workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
+
+From: Tejun Heo
+
+
+[ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ]
+
+If queue_delayed_work() gets called with NULL @wq, the kernel will
+oops asynchronuosly on timer expiration which isn't too helpful in
+tracking down the offender. This actually happened with smc.
+
+__queue_delayed_work() already does several input sanity checks
+synchronously. Add NULL @wq check.
+
+Reported-by: Dave Jones
+Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/workqueue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1452,6 +1452,7 @@ static void __queue_delayed_work(int cpu
+ struct timer_list *timer = &dwork->timer;
+ struct work_struct *work = &dwork->work;
+
++ WARN_ON_ONCE(!wq);
+ WARN_ON_ONCE(timer->function != delayed_work_timer_fn ||
+ timer->data != (unsigned long)dwork);
+ WARN_ON_ONCE(timer_pending(timer));
diff --git a/queue-3.18/xfrm-copy-policy-family-in-clone_policy.patch b/queue-3.18/xfrm-copy-policy-family-in-clone_policy.patch
new file mode 100644
index 00000000000..43fe3181c3b
--- /dev/null
+++ b/queue-3.18/xfrm-copy-policy-family-in-clone_policy.patch
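Review bot: `WARN_ON_ONCE(!wq);` in `__queue_delayed_work()` only reports the NULL workqueue; execution continues past it, so the oops at timer expiry that the description mentions still follows. That may be the right trade-off if bailing out here would leave the work item half-queued, which cannot be judged from the hunk, but the code should say so, e.g. `/* diagnostic only: a NULL wq still faults when the timer fires */`. Because the check is `_ONCE`, a second offending caller after the first report is not logged at all. The function body continues outside the hunk.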
@@ -0,0 +1,37 @@
+From foo@baz Thu Dec 14 21:30:47 CET 2017
+From: Herbert Xu
+Date: Fri, 10 Nov 2017 14:14:06 +1100
+Subject: xfrm: Copy policy family in clone_policy
+
+From: Herbert Xu
+
+
+[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]
+
+The syzbot found an ancient bug in the IPsec code. When we cloned
+a socket policy (for example, for a child TCP socket derived from a
+listening socket), we did not copy the family field. This results
+in a live policy with a zero family field. This triggers a BUG_ON
+check in the af_key code when the cloned policy is retrieved.
+
+This patch fixes it by copying the family field over.
+
+Reported-by: syzbot
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1345,6 +1345,7 @@ static struct xfrm_policy *clone_policy(
+ newp->xfrm_nr = old->xfrm_nr;
+ newp->index = old->index;
+ newp->type = old->type;
++ newp->family = old->family;
+ memcpy(newp->xfrm_vec, old->xfrm_vec,
+ newp->xfrm_nr*sizeof(struct xfrm_tmpl));
+ write_lock_bh(&net->xfrm.xfrm_policy_lock);
--
2.47.3
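Review bot: `clone_policy()` copies the policy field by field, which is how `family` came to be left at zero, and the hunk adds the one missing assignment without anything that would catch the next omission. Since the description says a zero family reaches a BUG_ON in af_key, a comment at the head of the copy list such as `/* every field that readers depend on must be copied here; a missed one stays zero in a live policy */` would help. It may also be worth checking the remaining fields of struct xfrm_policy against this list; that cannot be done from the hunk because the function starts and ends outside it.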