From 9d4489d917a6159c0b407442ee72cd9ac01737f6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 9 Aug 2017 12:41:14 -0700 Subject: [PATCH] 4.4-stable patches added patches: arm-8632-1-ftrace-fix-syscall-name-matching.patch drm-virtio-fix-framebuffer-sparse-warning.patch ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch lib-kconfig.debug-fix-frv-build-failure.patch mm-don-t-dereference-struct-page-fields-of-invalid-pages.patch mm-slab-make-sure-that-kmalloc_max_size-will-fit-into-max_order.patch net-account-for-current-skb-length-when-deciding-about-ufo.patch net-phy-dp83867-fix-irq-generation.patch phy-state-machine-failsafe-leave-invalid-running-state.patch scsi-qla2xxx-get-mutex-lock-before-checking-optrom_state.patch sh_eth-r8a7740-supports-packet-shecksumming.patch signal-protect-signal_unkillable-from-unintentional-clearing.patch tg3-fix-race-condition-in-tg3_get_stats64.patch virtio_blk-fix-panic-in-initialization-error-path.patch x86-boot-add-missing-declaration-of-string-functions.patch --- ...2-1-ftrace-fix-syscall-name-matching.patch | 52 +++++++++ ...irtio-fix-framebuffer-sparse-warning.patch | 33 ++++++ ..._ip_append_data-and-ip_finish_output.patch | 43 ++++++++ ...-kconfig.debug-fix-frv-build-failure.patch | 54 +++++++++ ...-struct-page-fields-of-invalid-pages.patch | 54 +++++++++ ...loc_max_size-will-fit-into-max_order.patch | 79 +++++++++++++ ...t-skb-length-when-deciding-about-ufo.patch | 78 +++++++++++++ .../net-phy-dp83867-fix-irq-generation.patch | 63 +++++++++++ ...failsafe-leave-invalid-running-state.patch | 55 +++++++++ ...ex-lock-before-checking-optrom_state.patch | 104 ++++++++++++++++++ queue-4.4/series | 15 +++ ...r8a7740-supports-packet-shecksumming.patch | 33 ++++++ ...killable-from-unintentional-clearing.patch | 84 ++++++++++++++ ...ix-race-condition-in-tg3_get_stats64.patch | 42 +++++++ ...x-panic-in-initialization-error-path.patch | 40 +++++++ ...sing-declaration-of-string-functions.patch | 50 +++++++++ 16 files changed, 879 
insertions(+) create mode 100644 queue-4.4/arm-8632-1-ftrace-fix-syscall-name-matching.patch create mode 100644 queue-4.4/drm-virtio-fix-framebuffer-sparse-warning.patch create mode 100644 queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch create mode 100644 queue-4.4/lib-kconfig.debug-fix-frv-build-failure.patch create mode 100644 queue-4.4/mm-don-t-dereference-struct-page-fields-of-invalid-pages.patch create mode 100644 queue-4.4/mm-slab-make-sure-that-kmalloc_max_size-will-fit-into-max_order.patch create mode 100644 queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch create mode 100644 queue-4.4/net-phy-dp83867-fix-irq-generation.patch create mode 100644 queue-4.4/phy-state-machine-failsafe-leave-invalid-running-state.patch create mode 100644 queue-4.4/scsi-qla2xxx-get-mutex-lock-before-checking-optrom_state.patch create mode 100644 queue-4.4/sh_eth-r8a7740-supports-packet-shecksumming.patch create mode 100644 queue-4.4/signal-protect-signal_unkillable-from-unintentional-clearing.patch create mode 100644 queue-4.4/tg3-fix-race-condition-in-tg3_get_stats64.patch create mode 100644 queue-4.4/virtio_blk-fix-panic-in-initialization-error-path.patch create mode 100644 queue-4.4/x86-boot-add-missing-declaration-of-string-functions.patch
diff --git a/queue-4.4/arm-8632-1-ftrace-fix-syscall-name-matching.patch b/queue-4.4/arm-8632-1-ftrace-fix-syscall-name-matching.patch
new file mode 100644
index 00000000000..c77b0a6aa01
--- /dev/null
+++ b/queue-4.4/arm-8632-1-ftrace-fix-syscall-name-matching.patch
@@ -0,0 +1,52 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Rabin Vincent
+Date: Wed, 23 Nov 2016 13:02:32 +0100
+Subject: ARM: 8632/1: ftrace: fix syscall name matching
+
+From: Rabin Vincent
+
+
+[ Upstream commit 270c8cf1cacc69cb8d99dea812f06067a45e4609 ]
+
+ARM has a few system calls (most notably mmap) for which the names of
+the functions which are referenced in the syscall table do not match the
+names of the syscall tracepoints. As a consequence of this, these
+tracepoints are not made available. Implement
+arch_syscall_match_sym_name to fix this and allow tracing even these
+system calls.
+
+Signed-off-by: Rabin Vincent
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/include/asm/ftrace.h | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/arch/arm/include/asm/ftrace.h
++++ b/arch/arm/include/asm/ftrace.h
+@@ -54,6 +54,24 @@ static inline void *return_address(unsig
+
+ #define ftrace_return_address(n) return_address(n)
+
++#define ARCH_HAS_SYSCALL_MATCH_SYM_NAME
++
++static inline bool arch_syscall_match_sym_name(const char *sym,
++ const char *name)
++{
++ if (!strcmp(sym, "sys_mmap2"))
++ sym = "sys_mmap_pgoff";
++ else if (!strcmp(sym, "sys_statfs64_wrapper"))
++ sym = "sys_statfs64";
++ else if (!strcmp(sym, "sys_fstatfs64_wrapper"))
++ sym = "sys_fstatfs64";
++ else if (!strcmp(sym, "sys_arm_fadvise64_64"))
++ sym = "sys_fadvise64_64";
++
++ /* Ignore case since sym may start with "SyS" instead of "sys" */
++ return !strcasecmp(sym, name);
++}
++
+ #endif /* ifndef __ASSEMBLY__ */
+
+ #endif /* _ASM_ARM_FTRACE */
diff --git a/queue-4.4/drm-virtio-fix-framebuffer-sparse-warning.patch b/queue-4.4/drm-virtio-fix-framebuffer-sparse-warning.patch
new file mode 100644
index 00000000000..d72825cbb5e
--- /dev/null
+++ b/queue-4.4/drm-virtio-fix-framebuffer-sparse-warning.patch
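Review bot: `strcasecmp()` at the end of `arch_syscall_match_sym_name` folds case over the whole symbol, while the comment above it only justifies ignoring the `SyS`/`sys` prefix. The comment should say what the code really does, for example `/* sym may start with "SyS" instead of "sys"; the compare ignores case for the whole name, not only the prefix */`. The header's include list is outside the hunk, so it is worth confirming that declarations of `strcmp` and `strcasecmp` are in scope everywhere `asm/ftrace.h` is included.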
@@ -0,0 +1,33 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Gerd Hoffmann
+Date: Mon, 28 Nov 2016 08:52:20 +0100
+Subject: drm/virtio: fix framebuffer sparse warning
+
+From: Gerd Hoffmann
+
+
+[ Upstream commit 71d3f6ef7f5af38dea2975ec5715c88bae92e92d ]
+
+virtio uses normal ram as backing storage for the framebuffer, so we
+should assign the address to new screen_buffer (added by commit
+17a7b0b4d9749f80d365d7baff5dec2f54b0e992) instead of screen_base.
+
+Reported-by: Michael S. Tsirkin
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/virtio/virtgpu_fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_fb.c
++++ b/drivers/gpu/drm/virtio/virtgpu_fb.c
+@@ -338,7 +338,7 @@ static int virtio_gpufb_create(struct dr
+ info->fbops = &virtio_gpufb_ops;
+ info->pixmap.flags = FB_PIXMAP_SYSTEM;
+
+- info->screen_base = obj->vmap;
++ info->screen_buffer = obj->vmap;
+ info->screen_size = obj->gem_base.size;
+ drm_fb_helper_fill_fix(info, fb->pitches[0], fb->depth);
+ drm_fb_helper_fill_var(info, &vfbdev->helper,
diff --git a/queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch b/queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch
new file mode 100644
index 00000000000..da249eeb55b
--- /dev/null
+++ b/queue-4.4/ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch
@@ -0,0 +1,43 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: zheng li
+Date: Mon, 12 Dec 2016 09:56:05 +0800
+Subject: ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output
+
+From: zheng li
+
+
+[ Upstream commit 0a28cfd51e17f4f0a056bcf66bfbe492c3b99f38 ]
+
+There is an inconsistent conditional judgement in __ip_append_data and
+ip_finish_output functions, the variable length in __ip_append_data just
+include the length of application's payload and udp header, don't include
+the length of ip header, but in ip_finish_output use
+(skb->len > ip_skb_dst_mtu(skb)) as judgement, and skb->len include the
+length of ip header.
+
+That causes some particular application's udp payload whose length is
+between (MTU - IP Header) and MTU were fragmented by ip_fragment even
+though the rst->dev support UFO feature.
+
+Add the length of ip header to length in __ip_append_data to keep
+consistent conditional judgement as ip_finish_output for ip fragment.
+
+Signed-off-by: Zheng Li
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -922,7 +922,7 @@ static int __ip_append_data(struct sock
+ csummode = CHECKSUM_PARTIAL;
+
+ cork->length += length;
+- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
++ if ((((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
diff --git a/queue-4.4/lib-kconfig.debug-fix-frv-build-failure.patch b/queue-4.4/lib-kconfig.debug-fix-frv-build-failure.patch
new file mode 100644
index 00000000000..c9fe7cf5afc
--- /dev/null
+++ b/queue-4.4/lib-kconfig.debug-fix-frv-build-failure.patch
@@ -0,0 +1,54 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Sudip Mukherjee
+Date: Tue, 10 Jan 2017 16:57:45 -0800
+Subject: lib/Kconfig.debug: fix frv build failure
+
+From: Sudip Mukherjee
+
+
+[ Upstream commit da0510c47519fe0999cffe316e1d370e29f952be ]
+
+The build of frv allmodconfig was failing with the errors like:
+
+ /tmp/cc0JSPc3.s: Assembler messages:
+ /tmp/cc0JSPc3.s:1839: Error: symbol `.LSLT0' is already defined
+ /tmp/cc0JSPc3.s:1842: Error: symbol `.LASLTP0' is already defined
+ /tmp/cc0JSPc3.s:1969: Error: symbol `.LELTP0' is already defined
+ /tmp/cc0JSPc3.s:1970: Error: symbol `.LELT0' is already defined
+
+Commit 866ced950bcd ("kbuild: Support split debug info v4") introduced
+splitting the debug info and keeping that in a separate file. Somehow,
+the frv-linux gcc did not like that and I am guessing that instead of
+splitting it started copying. The first report about this is at:
+
+ https://lists.01.org/pipermail/kbuild-all/2015-July/010527.html.
+
+I will try and see if this can work with frv and if still fails I will
+open a bug report with gcc. But meanwhile this is the easiest option to
+solve build failure of frv.
+
+Fixes: 866ced950bcd ("kbuild: Support split debug info v4")
+Link: http://lkml.kernel.org/r/1482062348-5352-1-git-send-email-sudipm.mukherjee@gmail.com
+Signed-off-by: Sudip Mukherjee
+Reported-by: Fengguang Wu
+Cc: Andi Kleen
+Cc: David Howells
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -145,7 +145,7 @@ config DEBUG_INFO_REDUCED
+
+ config DEBUG_INFO_SPLIT
+ bool "Produce split debuginfo in .dwo files"
+- depends on DEBUG_INFO
++ depends on DEBUG_INFO && !FRV
+ help
+ Generate debug info into separate .dwo files. This significantly
+ reduces the build directory size for builds with DEBUG_INFO,
diff --git a/queue-4.4/mm-don-t-dereference-struct-page-fields-of-invalid-pages.patch b/queue-4.4/mm-don-t-dereference-struct-page-fields-of-invalid-pages.patch
new file mode 100644
index 00000000000..c0892e11f27
--- /dev/null
+++ b/queue-4.4/mm-don-t-dereference-struct-page-fields-of-invalid-pages.patch
@@ -0,0 +1,54 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Ard Biesheuvel
+Date: Tue, 10 Jan 2017 16:58:00 -0800
+Subject: mm: don't dereference struct page fields of invalid pages
+
+From: Ard Biesheuvel
+
+
+[ Upstream commit f073bdc51771f5a5c7a8d1191bfc3ae371d44de7 ]
+
+The VM_BUG_ON() check in move_freepages() checks whether the node id of
+a page matches the node id of its zone. However, it does this before
+having checked whether the struct page pointer refers to a valid struct
+page to begin with. This is guaranteed in most cases, but may not be
+the case if CONFIG_HOLES_IN_ZONE=y.
+
+So reorder the VM_BUG_ON() with the pfn_valid_within() check.
+
+Link: http://lkml.kernel.org/r/1481706707-6211-2-git-send-email-ard.biesheuvel@linaro.org
+Signed-off-by: Ard Biesheuvel
+Acked-by: Will Deacon
+Cc: Catalin Marinas
+Cc: Hanjun Guo
+Cc: Yisheng Xie
+Cc: Robert Richter
+Cc: James Morse
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1527,14 +1527,14 @@ int move_freepages(struct zone *zone,
+ #endif
+
+ for (page = start_page; page <= end_page;) {
+- /* Make sure we are not inadvertently changing nodes */
+- VM_BUG_ON_PAGE(page_to_nid(page) != zone_to_nid(zone), page);
+-
+ if (!pfn_valid_within(page_to_pfn(page))) {
+ page++;
+ continue;
+ }
+
++ /* Make sure we are not inadvertently changing nodes */
++ VM_BUG_ON_PAGE(page_to_nid(page) != zone_to_nid(zone), page);
++
+ if (!PageBuddy(page)) {
+ page++;
+ continue;
diff --git a/queue-4.4/mm-slab-make-sure-that-kmalloc_max_size-will-fit-into-max_order.patch b/queue-4.4/mm-slab-make-sure-that-kmalloc_max_size-will-fit-into-max_order.patch
new file mode 100644
index 00000000000..34a0f584453
--- /dev/null
+++ b/queue-4.4/mm-slab-make-sure-that-kmalloc_max_size-will-fit-into-max_order.patch
@@ -0,0 +1,79 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Michal Hocko
+Date: Tue, 10 Jan 2017 16:57:27 -0800
+Subject: mm, slab: make sure that KMALLOC_MAX_SIZE will fit into MAX_ORDER
+
+From: Michal Hocko
+
+
+[ Upstream commit bb1107f7c6052c863692a41f78c000db792334bf ]
+
+Andrey Konovalov has reported the following warning triggered by the
+syzkaller fuzzer.
+
+ WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511 __alloc_pages_nodemask+0x159c/0x1e20
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 1 PID: 9935 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #34
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __alloc_pages_slowpath mm/page_alloc.c:3511
+ __alloc_pages_nodemask+0x159c/0x1e20 mm/page_alloc.c:3781
+ alloc_pages_current+0x1c7/0x6b0 mm/mempolicy.c:2072
+ alloc_pages include/linux/gfp.h:469
+ kmalloc_order+0x1f/0x70 mm/slab_common.c:1015
+ kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1026
+ kmalloc_large include/linux/slab.h:422
+ __kmalloc+0x210/0x2d0 mm/slub.c:3723
+ kmalloc include/linux/slab.h:495
+ ep_write_iter+0x167/0xb50 drivers/usb/gadget/legacy/inode.c:664
+ new_sync_write fs/read_write.c:499
+ __vfs_write+0x483/0x760 fs/read_write.c:512
+ vfs_write+0x170/0x4e0 fs/read_write.c:560
+ SYSC_write fs/read_write.c:607
+ SyS_write+0xfb/0x230 fs/read_write.c:599
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+The issue is caused by a lack of size check for the request size in
+ep_write_iter which should be fixed. It, however, points to another
+problem, that SLUB defines KMALLOC_MAX_SIZE too large because the its
+KMALLOC_SHIFT_MAX is (MAX_ORDER + PAGE_SHIFT) which means that the
+resulting page allocator request might be MAX_ORDER which is too large
+(see __alloc_pages_slowpath).
+
+The same applies to the SLOB allocator which allows even larger sizes.
+Make sure that they are capped properly and never request more than
+MAX_ORDER order.
+
+Link: http://lkml.kernel.org/r/20161220130659.16461-2-mhocko@kernel.org
+Signed-off-by: Michal Hocko
+Reported-by: Andrey Konovalov
+Acked-by: Christoph Lameter
+Cc: Alexei Starovoitov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/slab.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -203,7 +203,7 @@ size_t ksize(const void *);
+ * (PAGE_SIZE*2). Larger requests are passed to the page allocator.
+ */
+ #define KMALLOC_SHIFT_HIGH (PAGE_SHIFT + 1)
+-#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT)
++#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT - 1)
+ #ifndef KMALLOC_SHIFT_LOW
+ #define KMALLOC_SHIFT_LOW 3
+ #endif
+@@ -216,7 +216,7 @@ size_t ksize(const void *);
+ * be allocated from the same page.
+ */
+ #define KMALLOC_SHIFT_HIGH PAGE_SHIFT
+-#define KMALLOC_SHIFT_MAX 30
++#define KMALLOC_SHIFT_MAX (MAX_ORDER + PAGE_SHIFT - 1)
+ #ifndef KMALLOC_SHIFT_LOW
+ #define KMALLOC_SHIFT_LOW 3
+ #endif
diff --git a/queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch b/queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch
new file mode 100644
index 00000000000..9cdbc2475bd
--- /dev/null
+++ b/queue-4.4/net-account-for-current-skb-length-when-deciding-about-ufo.patch
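Review bot: Both `KMALLOC_SHIFT_MAX` definitions in `include/linux/slab.h` now end in an unexplained `- 1`, and the comments visible in the context lines say nothing about the page-allocator limit. A one-line comment above each define, such as `/* keep the largest kmalloc request below order MAX_ORDER, which the page allocator cannot serve */`, would stop a later reader from reverting it. The commit message also states that the missing size check in `ep_write_iter` "should be fixed"; that check is not part of this patch, so the request size in that write path still reaches `kmalloc` unvalidated and needs its own change.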
@@ -0,0 +1,78 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Michal Kubeček
+Date: Mon, 19 Jun 2017 13:03:43 +0200
+Subject: net: account for current skb length when deciding about UFO
+
+From: Michal Kubeček
+
+
+[ Upstream commit a5cb659bbc1c8644efa0c3138a757a1e432a4880 ]
+
+Our customer encountered stuck NFS writes for blocks starting at specific
+offsets w.r.t. page boundary caused by networking stack sending packets via
+UFO enabled device with wrong checksum. The problem can be reproduced by
+composing a long UDP datagram from multiple parts using MSG_MORE flag:
+
+ sendto(sd, buff, 1000, MSG_MORE, ...);
+ sendto(sd, buff, 1000, MSG_MORE, ...);
+ sendto(sd, buff, 3000, 0, ...);
+
+Assume this packet is to be routed via a device with MTU 1500 and
+NETIF_F_UFO enabled. When second sendto() gets into __ip_append_data(),
+this condition is tested (among others) to decide whether to call
+ip_ufo_append_data():
+
+ ((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))
+
+At the moment, we already have skb with 1028 bytes of data which is not
+marked for GSO so that the test is false (fragheaderlen is usually 20).
+Thus we append second 1000 bytes to this skb without invoking UFO. Third
+sendto(), however, has sufficient length to trigger the UFO path so that we
+end up with non-UFO skb followed by a UFO one. Later on, udp_send_skb()
+uses udp_csum() to calculate the checksum but that assumes all fragments
+have correct checksum in skb->csum which is not true for UFO fragments.
+
+When checking against MTU, we need to add skb->len to length of new segment
+if we already have a partially filled skb and fragheaderlen only if there
+isn't one.
+
+In the IPv6 case, skb can only be null if this is the first segment so that
+we have to use headersize (length of the first IPv6 header) rather than
+fragheaderlen (length of IPv6 header of further fragments) for skb == NULL.
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+Fixes: e4c5e13aa45c ("ipv6: Should use consistent conditional judgement for
+ ip6 fragment between __ip6_append_data and ip6_finish_output")
+Signed-off-by: Michal Kubecek
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv6/ip6_output.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -922,7 +922,8 @@ static int __ip_append_data(struct sock
+ csummode = CHECKSUM_PARTIAL;
+
+ cork->length += length;
+- if ((((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))) &&
++ if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) ||
++ (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+ (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1357,7 +1357,7 @@ emsgsize:
+ */
+
+ cork->length += length;
+- if ((((length + fragheaderlen) > mtu) ||
++ if ((((length + (skb ? skb->len : headersize)) > mtu) ||
+ (skb && skb_is_gso(skb))) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
+ (rt->dst.dev->features & NETIF_F_UFO) &&
diff --git a/queue-4.4/net-phy-dp83867-fix-irq-generation.patch b/queue-4.4/net-phy-dp83867-fix-irq-generation.patch
new file mode 100644
index 00000000000..f9dd48ebdbf
--- /dev/null
+++ b/queue-4.4/net-phy-dp83867-fix-irq-generation.patch
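Review bot: The new length term in the UFO test is not explained in the code: `(skb ? skb->len : fragheaderlen)` in the `ip_output.c` hunk and `(skb ? skb->len : headersize)` in the `ip6_output.c` hunk use different fallbacks, and only the commit message says why. A comment above each condition would record the reasoning, for example `/* compare against the MTU using the queued skb's current length if there is one, else the header length of the first packet */`. Both conditions sit in functions whose bodies start and end outside the hunks, so the types of `length` and `mtu` that take part in the addition cannot be checked from here.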
@@ -0,0 +1,63 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Grygorii Strashko
+Date: Thu, 5 Jan 2017 14:48:07 -0600
+Subject: net: phy: dp83867: fix irq generation
+
+From: Grygorii Strashko
+
+
+[ Upstream commit 5ca7d1ca77dc23934504b95a96d2660d345f83c2 ]
+
+For proper IRQ generation by DP83867 phy the INT/PWDN pin has to be
+programmed as an interrupt output instead of a Powerdown input in
+Configuration Register 3 (CFG3), Address 0x001E, bit 7 INT_OE = 1. The
+current driver doesn't do this and as result IRQs will not be generated by
+DP83867 phy even if they are properly configured in DT.
+
+Hence, fix IRQ generation by properly configuring CFG3.INT_OE bit and
+ensure that Link Status Change (LINK_STATUS_CHNG_INT) and Auto-Negotiation
+Complete (AUTONEG_COMP_INT) interrupt are enabled. After this the DP83867
+driver will work properly in interrupt enabled mode.
+
+Signed-off-by: Grygorii Strashko
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83867.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -29,6 +29,7 @@
+ #define MII_DP83867_MICR 0x12
+ #define MII_DP83867_ISR 0x13
+ #define DP83867_CTRL 0x1f
++#define DP83867_CFG3 0x1e
+
+ /* Extended Registers */
+ #define DP83867_RGMIICTL 0x0032
+@@ -89,6 +90,8 @@ static int dp83867_config_intr(struct ph
+ micr_status |=
+ (MII_DP83867_MICR_AN_ERR_INT_EN |
+ MII_DP83867_MICR_SPEED_CHNG_INT_EN |
++ MII_DP83867_MICR_AUTONEG_COMP_INT_EN |
++ MII_DP83867_MICR_LINK_STS_CHNG_INT_EN |
+ MII_DP83867_MICR_DUP_MODE_CHNG_INT_EN |
+ MII_DP83867_MICR_SLEEP_MODE_CHNG_INT_EN);
+
+@@ -184,6 +187,13 @@ static int dp83867_config_init(struct ph
+ DP83867_DEVADDR, phydev->addr, delay);
+ }
+
++ /* Enable Interrupt output INT_OE in CFG3 register */
++ if (phy_interrupt_is_valid(phydev)) {
++ val = phy_read(phydev, DP83867_CFG3);
++ val |= BIT(7);
++ phy_write(phydev, DP83867_CFG3, val);
++ }
++
+ return 0;
+ }
+
diff --git a/queue-4.4/phy-state-machine-failsafe-leave-invalid-running-state.patch b/queue-4.4/phy-state-machine-failsafe-leave-invalid-running-state.patch
new file mode 100644
index 00000000000..47f90729e2c
--- /dev/null
+++ b/queue-4.4/phy-state-machine-failsafe-leave-invalid-running-state.patch
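Review bot: The result of `phy_read()` in the `dp83867_config_init` hunk is used without an error check, so a negative error code would be OR-ed with `BIT(7)` and written back to CFG3. Checking it first with `if (val < 0) return val;` and returning the `phy_write()` result instead of discarding it would keep a failed MDIO access from silently leaving INT_OE unset or writing a corrupted register value. The bare `BIT(7)` would also read better as a named constant next to the new `DP83867_CFG3` define. The function's body starts outside the hunk, so the declaration and earlier uses of `val` are not visible here.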
@@ -0,0 +1,55 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Zefir Kurtisi
+Date: Fri, 6 Jan 2017 12:14:48 +0100
+Subject: phy state machine: failsafe leave invalid RUNNING state
+
+From: Zefir Kurtisi
+
+
+[ Upstream commit 811a919135b980bac8009d042acdccf10dc1ef5e ]
+
+While in RUNNING state, phy_state_machine() checks for link changes by
+comparing phydev->link before and after calling phy_read_status().
+This works as long as it is guaranteed that phydev->link is never
+changed outside the phy_state_machine().
+
+If in some setups this happens, it causes the state machine to miss
+a link loss and remain RUNNING despite phydev->link being 0.
+
+This has been observed running a dsa setup with a process continuously
+polling the link states over ethtool each second (SNMPD RFC-1213
+agent). Disconnecting the link on a phy followed by a ETHTOOL_GSET
+causes dsa_slave_get_settings() / dsa_slave_get_link_ksettings() to
+call phy_read_status() and with that modify the link status - and
+with that bricking the phy state machine.
+
+This patch adds a fail-safe check while in RUNNING, which causes to
+move to CHANGELINK when the link is gone and we are still RUNNING.
+
+Signed-off-by: Zefir Kurtisi
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -921,6 +921,15 @@ void phy_state_machine(struct work_struc
+ if (old_link != phydev->link)
+ phydev->state = PHY_CHANGELINK;
+ }
++ /*
++ * Failsafe: check that nobody set phydev->link=0 between two
++ * poll cycles, otherwise we won't leave RUNNING state as long
++ * as link remains down.
++ */
++ if (!phydev->link && phydev->state == PHY_RUNNING) {
++ phydev->state = PHY_CHANGELINK;
++ dev_err(&phydev->dev, "no link in PHY_RUNNING\n");
++ }
+ break;
+ case PHY_CHANGELINK:
+ err = phy_read_status(phydev);
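Review bot: The failsafe added to the `PHY_RUNNING` case recovers from `phydev->link` being changed behind the state machine's back, but the writer named in the commit message (`dsa_slave_get_settings()` calling `phy_read_status()`) is left as it is. The locking around `phy_state_machine` is outside the hunk, so whether that writer is serialised against this check cannot be seen here; the new comment could at least name the known source, e.g. by adding `* Seen when an ethtool get-settings path calls phy_read_status().`. `dev_err` also looks strong for a condition the code recovers from on the previous line; `dev_warn` would fit better if this is expected in such setups.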
diff --git a/queue-4.4/scsi-qla2xxx-get-mutex-lock-before-checking-optrom_state.patch b/queue-4.4/scsi-qla2xxx-get-mutex-lock-before-checking-optrom_state.patch
new file mode 100644
index 00000000000..047aff6233c
--- /dev/null
+++ b/queue-4.4/scsi-qla2xxx-get-mutex-lock-before-checking-optrom_state.patch
@@ -0,0 +1,104 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: "Milan P. Gandhi"
+Date: Sat, 24 Dec 2016 22:02:46 +0530
+Subject: scsi: qla2xxx: Get mutex lock before checking optrom_state
+
+From: "Milan P. Gandhi"
+
+
+[ Upstream commit c7702b8c22712a06080e10f1d2dee1a133ec8809 ]
+
+There is a race condition with qla2xxx optrom functions where one thread
+might modify optrom buffer, optrom_state while other thread is still
+reading from it.
+
+In couple of crashes, it was found that we had successfully passed the
+following 'if' check where we confirm optrom_state to be
+QLA_SREADING. But by the time we acquired mutex lock to proceed with
+memory_read_from_buffer function, some other thread/process had already
+modified that option rom buffer and optrom_state from QLA_SREADING to
+QLA_SWAITING. Then we got ha->optrom_buffer 0x0 and crashed the system:
+
+ if (ha->optrom_state != QLA_SREADING)
+ return 0;
+
+ mutex_lock(&ha->optrom_mutex);
+ rval = memory_read_from_buffer(buf, count, &off, ha->optrom_buffer,
+ ha->optrom_region_size);
+ mutex_unlock(&ha->optrom_mutex);
+
+With current optrom function we get following crash due to a race
+condition:
+
+[ 1479.466679] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 1479.466707] IP: [] memcpy+0x6/0x110
+[...]
+[ 1479.473673] Call Trace:
+[ 1479.474296] [] ? memory_read_from_buffer+0x3c/0x60
+[ 1479.474941] [] qla2x00_sysfs_read_optrom+0x9c/0xc0 [qla2xxx]
+[ 1479.475571] [] read+0xdb/0x1f0
+[ 1479.476206] [] vfs_read+0x9e/0x170
+[ 1479.476839] [] SyS_read+0x7f/0xe0
+[ 1479.477466] [] system_call_fastpath+0x16/0x1b
+
+Below patch modifies qla2x00_sysfs_read_optrom,
+qla2x00_sysfs_write_optrom functions to get the mutex_lock before
+checking ha->optrom_state to avoid similar crashes.
+
+The patch was applied and tested and same crashes were no longer
+observed again.
+
+Tested-by: Milan P. Gandhi
+Signed-off-by: Milan P. Gandhi
+Reviewed-by: Laurence Oberman
+Acked-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -329,12 +329,15 @@ qla2x00_sysfs_read_optrom(struct file *f
+ struct qla_hw_data *ha = vha->hw;
+ ssize_t rval = 0;
+
++ mutex_lock(&ha->optrom_mutex);
++
+ if (ha->optrom_state != QLA_SREADING)
+- return 0;
++ goto out;
+
+- mutex_lock(&ha->optrom_mutex);
+ rval = memory_read_from_buffer(buf, count, &off, ha->optrom_buffer,
+ ha->optrom_region_size);
++
++out:
+ mutex_unlock(&ha->optrom_mutex);
+
+ return rval;
+@@ -349,14 +352,19 @@ qla2x00_sysfs_write_optrom(struct file *
+ struct device, kobj)));
+ struct qla_hw_data *ha = vha->hw;
+
+- if (ha->optrom_state != QLA_SWRITING)
++ mutex_lock(&ha->optrom_mutex);
++
++ if (ha->optrom_state != QLA_SWRITING) {
++ mutex_unlock(&ha->optrom_mutex);
+ return -EINVAL;
+- if (off > ha->optrom_region_size)
++ }
++ if (off > ha->optrom_region_size) {
++ mutex_unlock(&ha->optrom_mutex);
+ return -ERANGE;
++ }
+ if (off + count > ha->optrom_region_size)
+ count = ha->optrom_region_size - off;
+
+- mutex_lock(&ha->optrom_mutex);
+ memcpy(&ha->optrom_buffer[off], buf, count);
+ mutex_unlock(&ha->optrom_mutex);
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 395442eff9e..16586603115 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
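Review bot: The locking rule this fix depends on is not written down anywhere in `qla2x00_sysfs_read_optrom` or `qla2x00_sysfs_write_optrom`: the state check is only safe if every writer of `ha->optrom_state` and `ha->optrom_buffer` also holds `optrom_mutex`, and those writers are outside the hunks. A comment at the first `mutex_lock()` in each function, for example `/* optrom_state, optrom_buffer and optrom_region_size may only be read or changed under optrom_mutex */`, would state the invariant whose violation produced the NULL dereference quoted in the commit message. It would also tell a reviewer of the state-changing path what to verify. The tails of both functions are outside the hunks.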
@@ -41,3 +41,18 @@ xen-netback-correctly-schedule-rate-limited-queues.patch sparc64-measure-receiver-forward-progress-to-avoid-send-mondo-timeout.patch sparc64-prevent-perf-from-running-during-super-critical-sections.patch wext-handle-null-extra-data-in-iwe_stream_add_point-better.patch +sh_eth-r8a7740-supports-packet-shecksumming.patch +net-phy-dp83867-fix-irq-generation.patch +tg3-fix-race-condition-in-tg3_get_stats64.patch +x86-boot-add-missing-declaration-of-string-functions.patch +phy-state-machine-failsafe-leave-invalid-running-state.patch +scsi-qla2xxx-get-mutex-lock-before-checking-optrom_state.patch +drm-virtio-fix-framebuffer-sparse-warning.patch +virtio_blk-fix-panic-in-initialization-error-path.patch +arm-8632-1-ftrace-fix-syscall-name-matching.patch +mm-slab-make-sure-that-kmalloc_max_size-will-fit-into-max_order.patch +lib-kconfig.debug-fix-frv-build-failure.patch +signal-protect-signal_unkillable-from-unintentional-clearing.patch +mm-don-t-dereference-struct-page-fields-of-invalid-pages.patch +ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch +net-account-for-current-skb-length-when-deciding-about-ufo.patch diff --git a/queue-4.4/sh_eth-r8a7740-supports-packet-shecksumming.patch b/queue-4.4/sh_eth-r8a7740-supports-packet-shecksumming.patch new file mode 100644 index 00000000000..36214f6146f --- /dev/null +++ b/queue-4.4/sh_eth-r8a7740-supports-packet-shecksumming.patch 
@@ -0,0 +1,33 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Sergei Shtylyov
+Date: Thu, 5 Jan 2017 00:29:32 +0300
+Subject: sh_eth: R8A7740 supports packet shecksumming
+
+From: Sergei Shtylyov
+
+
+[ Upstream commit 0f1f9cbc04dbb3cc310f70a11cba0cf1f2109d9c ]
+
+The R8A7740 GEther controller supports the packet checksum offloading
+but the 'hw_crc' (bad name, I'll fix it) flag isn't set in the R8A7740
+data, thus CSMR isn't cleared...
+
+Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740")
+Signed-off-by: Sergei Shtylyov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -819,6 +819,7 @@ static struct sh_eth_cpu_data r8a7740_da
+ .rpadir_value = 2 << 16,
+ .no_trimd = 1,
+ .no_ade = 1,
++ .hw_crc = 1,
+ .tsu = 1,
+ .select_mii = 1,
+ .shift_rd0 = 1,
diff --git a/queue-4.4/signal-protect-signal_unkillable-from-unintentional-clearing.patch b/queue-4.4/signal-protect-signal_unkillable-from-unintentional-clearing.patch
new file mode 100644
index 00000000000..1cc34452a29
--- /dev/null
+++ b/queue-4.4/signal-protect-signal_unkillable-from-unintentional-clearing.patch
@@ -0,0 +1,84 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Jamie Iles
+Date: Tue, 10 Jan 2017 16:57:54 -0800
+Subject: signal: protect SIGNAL_UNKILLABLE from unintentional clearing.
+
+From: Jamie Iles
+
+
+[ Upstream commit 2d39b3cd34e6d323720d4c61bd714f5ae202c022 ]
+
+Since commit 00cd5c37afd5 ("ptrace: permit ptracing of /sbin/init") we
+can now trace init processes. init is initially protected with
+SIGNAL_UNKILLABLE which will prevent fatal signals such as SIGSTOP, but
+there are a number of paths during tracing where SIGNAL_UNKILLABLE can
+be implicitly cleared.
+
+This can result in init becoming stoppable/killable after tracing. For
+example, running:
+
+ while true; do kill -STOP 1; done &
+ strace -p 1
+
+and then stopping strace and the kill loop will result in init being
+left in state TASK_STOPPED. Sending SIGCONT to init will resume it, but
+init will now respond to future SIGSTOP signals rather than ignoring
+them.
+
+Make sure that when setting SIGNAL_STOP_CONTINUED/SIGNAL_STOP_STOPPED
+that we don't clear SIGNAL_UNKILLABLE.
+
+Link: http://lkml.kernel.org/r/20170104122017.25047-1-jamie.iles@oracle.com
+Signed-off-by: Jamie Iles
+Acked-by: Oleg Nesterov
+Cc: Alexander Viro
+Cc: Ingo Molnar
+Cc: Peter Zijlstra
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/sched.h | 10 ++++++++++
+ kernel/signal.c | 4 ++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -801,6 +801,16 @@ struct signal_struct {
+
+ #define SIGNAL_UNKILLABLE 0x00000040 /* for init: ignore fatal signals */
+
++#define SIGNAL_STOP_MASK (SIGNAL_CLD_MASK | SIGNAL_STOP_STOPPED | \
++ SIGNAL_STOP_CONTINUED)
++
++static inline void signal_set_stop_flags(struct signal_struct *sig,
++ unsigned int flags)
++{
++ WARN_ON(sig->flags & (SIGNAL_GROUP_EXIT|SIGNAL_GROUP_COREDUMP));
++ sig->flags = (sig->flags & ~SIGNAL_STOP_MASK) | flags;
++}
++
+ /* If true, all threads except ->group_exit_task have pending SIGKILL */
+ static inline int signal_group_exit(const struct signal_struct *sig)
+ {
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -346,7 +346,7 @@ static bool task_participate_group_stop(
+ * fresh group stop. Read comment in do_signal_stop() for details.
+ */
+ if (!sig->group_stop_count && !(sig->flags & SIGNAL_STOP_STOPPED)) {
+- sig->flags = SIGNAL_STOP_STOPPED;
++ signal_set_stop_flags(sig, SIGNAL_STOP_STOPPED);
+ return true;
+ }
+ return false;
+@@ -845,7 +845,7 @@ static bool prepare_signal(int sig, stru
+ * will take ->siglock, notice SIGNAL_CLD_MASK, and
+ * notify its parent. See get_signal_to_deliver().
+ */
+- signal->flags = why | SIGNAL_STOP_CONTINUED;
++ signal_set_stop_flags(signal, why | SIGNAL_STOP_CONTINUED);
+ signal->group_stop_count = 0;
+ signal->group_exit_code = 0;
+ }
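Review bot: `signal_set_stop_flags()` in the sched.h hunk carries no comment stating its contract, yet the fix depends on that contract: bits outside `SIGNAL_STOP_MASK`, `SIGNAL_UNKILLABLE` among them, must survive a stop/continue transition. I would add above it `/* Update only the stop/continue bits; flags outside SIGNAL_STOP_MASK (e.g. SIGNAL_UNKILLABLE) are preserved. */`. The helper also ORs in `flags` unmasked, so a caller passing a bit outside the mask would set it silently. Both call sites in the kernel/signal.c hunks appear to pass only stop/CLD bits (assuming `why`, assigned outside the hunk, holds a SIGNAL_CLD_* value), and a `WARN_ON(flags & ~SIGNAL_STOP_MASK);` beside the existing one would keep it that way. Any plain `->flags =` assignment remaining outside these hunks would still drop the init protection, so the rest of the file is worth checking.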
diff --git a/queue-4.4/tg3-fix-race-condition-in-tg3_get_stats64.patch b/queue-4.4/tg3-fix-race-condition-in-tg3_get_stats64.patch
new file mode 100644
index 00000000000..f238bee9a6a
--- /dev/null
+++ b/queue-4.4/tg3-fix-race-condition-in-tg3_get_stats64.patch
@@ -0,0 +1,42 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Michael Chan
+Date: Fri, 6 Jan 2017 16:18:53 -0500
+Subject: tg3: Fix race condition in tg3_get_stats64().
+
+From: Michael Chan
+
+
+[ Upstream commit f5992b72ebe0dde488fa8f706b887194020c66fc ]
+
+The driver's ndo_get_stats64() method is not always called under RTNL.
+So it can race with driver close or ethtool reconfigurations. Fix the
+race condition by taking tp->lock spinlock in tg3_free_consistent()
+when freeing the tp->hw_stats memory block. tg3_get_stats64() is
+already taking tp->lock.
+
+Reported-by: Wang Yufen
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/tg3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -8722,11 +8722,14 @@ static void tg3_free_consistent(struct t
+ tg3_mem_rx_release(tp);
+ tg3_mem_tx_release(tp);
+
++ /* Protect tg3_get_stats64() from reading freed tp->hw_stats. */
++ tg3_full_lock(tp, 0);
+ if (tp->hw_stats) {
+ dma_free_coherent(&tp->pdev->dev, sizeof(struct tg3_hw_stats),
+ tp->hw_stats, tp->stats_mapping);
+ tp->hw_stats = NULL;
+ }
++ tg3_full_unlock(tp);
+ }
+
+ /*
diff --git a/queue-4.4/virtio_blk-fix-panic-in-initialization-error-path.patch b/queue-4.4/virtio_blk-fix-panic-in-initialization-error-path.patch
new file mode 100644
index 00000000000..5566c9f52d5
--- /dev/null
+++ b/queue-4.4/virtio_blk-fix-panic-in-initialization-error-path.patch
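Review bot: The DMA free does not need to sit inside the `tg3_full_lock()` section in tg3_free_consistent(); only the pointer handoff does. Clearing `tp->hw_stats` under tp->lock is enough to keep tg3_get_stats64() off freed memory, and `dma_free_coherent()` can then run after the unlock. That shortens the critical section and avoids releasing coherent memory in a locked context where some architectures may not permit it (I believe the lock disables bottom halves, but its definition is outside the hunk). tg3_free_consistent() starts before the hunk, so the two locals below belong with its existing declarations.

```c
	struct tg3_hw_stats *hw_stats;
	dma_addr_t stats_mapping;

	/* … unchanged: tg3_mem_rx_release() / tg3_mem_tx_release() calls … */

	/* Detach the block under the lock; tg3_get_stats64() then sees NULL. */
	tg3_full_lock(tp, 0);
	hw_stats = tp->hw_stats;
	stats_mapping = tp->stats_mapping;
	tp->hw_stats = NULL;
	tg3_full_unlock(tp);

	if (hw_stats)
		dma_free_coherent(&tp->pdev->dev, sizeof(*hw_stats),
				  hw_stats, stats_mapping);
```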
@@ -0,0 +1,40 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Omar Sandoval
+Date: Mon, 9 Jan 2017 11:44:12 -0800
+Subject: virtio_blk: fix panic in initialization error path
+
+From: Omar Sandoval
+
+
+[ Upstream commit 6bf6b0aa3da84a3d9126919a94c49c0fb7ee2fb3 ]
+
+If blk_mq_init_queue() returns an error, it gets assigned to
+vblk->disk->queue. Then, when we call put_disk(), we end up calling
+blk_put_queue() with the ERR_PTR, causing a bad dereference. Fix it by
+only assigning to vblk->disk->queue on success.
+
+Signed-off-by: Omar Sandoval
+Reviewed-by: Jeff Moyer
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/virtio_blk.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -641,11 +641,12 @@ static int virtblk_probe(struct virtio_d
+ if (err)
+ goto out_put_disk;
+
+- q = vblk->disk->queue = blk_mq_init_queue(&vblk->tag_set);
++ q = blk_mq_init_queue(&vblk->tag_set);
+ if (IS_ERR(q)) {
+ err = -ENOMEM;
+ goto out_free_tags;
+ }
++ vblk->disk->queue = q;
+
+ q->queuedata = vblk;
+
diff --git a/queue-4.4/x86-boot-add-missing-declaration-of-string-functions.patch b/queue-4.4/x86-boot-add-missing-declaration-of-string-functions.patch
new file mode 100644
index 00000000000..18524d900b0
--- /dev/null
+++ b/queue-4.4/x86-boot-add-missing-declaration-of-string-functions.patch
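Review bot: The `IS_ERR(q)` branch still hard-codes `err = -ENOMEM;` although `q` now holds the ERR_PTR returned by blk_mq_init_queue(), so the real failure reason never reaches the caller of virtblk_probe(). `err = PTR_ERR(q);` would propagate it and make probe failures easier to diagnose. virtblk_probe() begins before and continues after the hunk, so whether any later code depends on -ENOMEM specifically cannot be checked from here.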
@@ -0,0 +1,50 @@
+From foo@baz Wed Aug 9 11:19:16 PDT 2017
+From: Nicholas Mc Guire
+Date: Sat, 7 Jan 2017 10:38:31 +0100
+Subject: x86/boot: Add missing declaration of string functions
+
+From: Nicholas Mc Guire
+
+
+[ Upstream commit fac69d0efad08fc15e4dbfc116830782acc0dc9a ]
+
+Add the missing declarations of basic string functions to string.h to allow
+a clean build.
+
+Fixes: 5be865661516 ("String-handling functions for the new x86 setup code.")
+Signed-off-by: Nicholas Mc Guire
+Link: http://lkml.kernel.org/r/1483781911-21399-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/boot/string.c | 1 +
+ arch/x86/boot/string.h | 9 +++++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/arch/x86/boot/string.c
++++ b/arch/x86/boot/string.c
+@@ -14,6 +14,7 @@
+
+ #include
+ #include "ctype.h"
++#include "string.h"
+
+ int memcmp(const void *s1, const void *s2, size_t len)
+ {
+--- a/arch/x86/boot/string.h
++++ b/arch/x86/boot/string.h
+@@ -18,4 +18,13 @@ int memcmp(const void *s1, const void *s
+ #define memset(d,c,l) __builtin_memset(d,c,l)
+ #define memcmp __builtin_memcmp
+
++extern int strcmp(const char *str1, const char *str2);
++extern int strncmp(const char *cs, const char *ct, size_t count);
++extern size_t strlen(const char *s);
++extern char *strstr(const char *s1, const char *s2);
++extern size_t strnlen(const char *s, size_t maxlen);
++extern unsigned int atou(const char *s);
++extern unsigned long long simple_strtoull(const char *cp, char **endp,
++ unsigned int base);
++
+ #endif /* BOOT_STRING_H */
--
2.47.3
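Review bot: With `#include "string.h"` added to string.c, the macro `#define memcmp __builtin_memcmp` from string.h (a context line in the second file hunk) is now in effect at the point where string.c defines `int memcmp(const void *s1, const void *s2, size_t len)`. That definition is therefore preprocessed under the builtin's name. Some compilers may tolerate this while others may reject it as redefining a builtin, so I would add `#undef memcmp` after the new include in string.c to keep the function's intended name. Only the top of string.c is visible, so whether it defines other functions that string.h also wraps in macros cannot be checked here.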