From b5c1cc5f94bf0d7c1fffaa61674382e0c7462eff Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 3 Sep 2018 15:32:54 +0200 Subject: [PATCH] 4.9-stable patches added patches: cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch clk-rockchip-fix-clk_i2sout-parent-selection-bits-on-rk3399.patch iscsi-target-fix-session-creation-failure-handling.patch kprobes-make-list-and-blacklist-root-user-read-only.patch mips-correct-the-64-bit-dsp-accumulator-register-size.patch mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch s390-fix-br_r1_trampoline-for-machines-without-exrl.patch s390-numa-move-initial-setup-of-node_to_cpumask_map.patch s390-pci-fix-out-of-bounds-access-during-irq-setup.patch s390-qdio-reset-old-sbal_state-flags.patch scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch --- ...oob-read-in-cdrom_ioctl_drive_status.patch | 36 ++++ ...sout-parent-selection-bits-on-rk3399.patch | 33 ++++ ...ix-session-creation-failure-handling.patch | 98 +++++++++++ ...st-and-blacklist-root-user-read-only.patch | 63 +++++++ ...64-bit-dsp-accumulator-register-size.patch | 71 ++++++++ ...-provide-mips64r6-__multi3-for-gcc-7.patch | 62 +++++++ ...signedness-bug-in-of_pm_clk_add_clks.patch | 33 ++++ ...-properties-copied-from-iio-channels.patch | 60 +++++++ ...rite-when-copying-channel-properties.patch | 99 +++++++++++ ...trampoline-for-machines-without-exrl.patch | 35 ++++ ...initial-setup-of-node_to_cpumask_map.patch | 60 +++++++ ...ut-of-bounds-access-during-irq-setup.patch | 36 ++++ ...s390-qdio-reset-old-sbal_state-flags.patch | 66 +++++++ ...al-through-sysfs-triggers-a-deadlock.patch | 164 ++++++++++++++++++ ...ce-sysfs_-un-break_active_protection.patch | 107 ++++++++++++ queue-4.9/series | 15 ++ 16 files changed, 
1038 insertions(+) create mode 100644 queue-4.9/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch create mode 100644 queue-4.9/clk-rockchip-fix-clk_i2sout-parent-selection-bits-on-rk3399.patch create mode 100644 queue-4.9/iscsi-target-fix-session-creation-failure-handling.patch create mode 100644 queue-4.9/kprobes-make-list-and-blacklist-root-user-read-only.patch create mode 100644 queue-4.9/mips-correct-the-64-bit-dsp-accumulator-register-size.patch create mode 100644 queue-4.9/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch create mode 100644 queue-4.9/pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch create mode 100644 queue-4.9/power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch create mode 100644 queue-4.9/power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch create mode 100644 queue-4.9/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch create mode 100644 queue-4.9/s390-numa-move-initial-setup-of-node_to_cpumask_map.patch create mode 100644 queue-4.9/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch create mode 100644 queue-4.9/s390-qdio-reset-old-sbal_state-flags.patch create mode 100644 queue-4.9/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch create mode 100644 queue-4.9/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch diff --git a/queue-4.9/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch b/queue-4.9/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch new file mode 100644 index 00000000000..039e77a0a69 --- /dev/null +++ b/queue-4.9/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch 
@@ -0,0 +1,36 @@
+From 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 Mon Sep 17 00:00:00 2001
+From: Scott Bauer
+Date: Thu, 26 Apr 2018 11:51:08 -0600
+Subject: cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
+
+From: Scott Bauer
+
+commit 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 upstream.
+
+Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()"
+
+There is another cast from unsigned long to int which causes
+a bounds check to fail with specially crafted input. The value is
+then used as an index in the slot array in cdrom_slot_status().
+
+Signed-off-by: Scott Bauer
+Signed-off-by: Scott Bauer
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2536,7 +2536,7 @@ static int cdrom_ioctl_drive_status(stru
+ if (!CDROM_CAN(CDC_SELECT_DISC) ||
+ (arg == CDSL_CURRENT || arg == CDSL_NONE))
+ return cdi->ops->drive_status(cdi, CDSL_CURRENT);
+- if (((int)arg >= cdi->capacity))
++ if (arg >= cdi->capacity)
+ return -EINVAL;
+ return cdrom_slot_status(cdi, arg);
+ }
diff --git a/queue-4.9/clk-rockchip-fix-clk_i2sout-parent-selection-bits-on-rk3399.patch b/queue-4.9/clk-rockchip-fix-clk_i2sout-parent-selection-bits-on-rk3399.patch
new file mode 100644
index 00000000000..67347922b4d
--- /dev/null
+++ b/queue-4.9/clk-rockchip-fix-clk_i2sout-parent-selection-bits-on-rk3399.patch
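Review bot: The new bounds check `if (arg >= cdi->capacity)` is correct only because `arg` is unsigned long and the comparison is therefore done unsigned; nothing in the code says so, and the removed `(int)arg` cast shows how easily that gets undone. I would add a comment above it such as `/* arg is unsigned long: compare unsigned so out-of-range values cannot wrap negative */`. The value is still narrowed implicitly at `cdrom_slot_status(cdi, arg)` if that function takes an int slot (its signature is outside the hunk), which is safe after this check provided `cdi->capacity` is a non-negative int. cdrom_ioctl_drive_status starts outside the hunk.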
@@ -0,0 +1,33 @@
+From a64ad008980c65d38e6cf6858429c78e6b740c41 Mon Sep 17 00:00:00 2001
+From: Alberto Panizzo
+Date: Fri, 6 Jul 2018 15:18:51 +0200
+Subject: clk: rockchip: fix clk_i2sout parent selection bits on rk3399
+
+From: Alberto Panizzo
+
+commit a64ad008980c65d38e6cf6858429c78e6b740c41 upstream.
+
+Register, shift and mask were wrong according to datasheet.
+
+Fixes: 115510053e5e ("clk: rockchip: add clock controller for the RK3399")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alberto Panizzo
+Signed-off-by: Anthony Brandon
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/rockchip/clk-rk3399.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/rockchip/clk-rk3399.c
++++ b/drivers/clk/rockchip/clk-rk3399.c
+@@ -629,7 +629,7 @@ static struct rockchip_clk_branch rk3399
+ MUX(0, "clk_i2sout_src", mux_i2sch_p, CLK_SET_RATE_PARENT,
+ RK3399_CLKSEL_CON(31), 0, 2, MFLAGS),
+ COMPOSITE_NODIV(SCLK_I2S_8CH_OUT, "clk_i2sout", mux_i2sout_p, CLK_SET_RATE_PARENT,
+- RK3399_CLKSEL_CON(30), 8, 2, MFLAGS,
++ RK3399_CLKSEL_CON(31), 2, 1, MFLAGS,
+ RK3399_CLKGATE_CON(8), 12, GFLAGS),
+
+ /* uart */
diff --git a/queue-4.9/iscsi-target-fix-session-creation-failure-handling.patch b/queue-4.9/iscsi-target-fix-session-creation-failure-handling.patch
new file mode 100644
index 00000000000..518dbe9c233
--- /dev/null
+++ b/queue-4.9/iscsi-target-fix-session-creation-failure-handling.patch
@@ -0,0 +1,98 @@ +From 26abc916a898d34c5ad159315a2f683def3c5555 Mon Sep 17 00:00:00 2001 +From: Mike Christie +Date: Thu, 26 Jul 2018 12:13:49 -0500 +Subject: iscsi target: fix session creation failure handling + +From: Mike Christie + +commit 26abc916a898d34c5ad159315a2f683def3c5555 upstream. + +The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in +iscsi_login_set_conn_values. If the function fails later like when we +alloc the idr it does kfree(sess) and leaves the conn->sess pointer set. +iscsi_login_zero_tsih_s1 then returns -Exyz and we then call +iscsi_target_login_sess_out and access the freed memory. + +This patch has iscsi_login_zero_tsih_s1 either completely setup the +session or completely tear it down, so later in +iscsi_target_login_sess_out we can just check for it being set to the +connection. + +Cc: stable@vger.kernel.org +Fixes: 0957627a9960 ("iscsi-target: Fix sess allocation leak in...") +Signed-off-by: Mike Christie +Acked-by: Martin K. Petersen +Signed-off-by: Matthew Wilcox +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_login.c | 35 ++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 14 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -333,8 +333,7 @@ static int iscsi_login_zero_tsih_s1( + pr_err("idr_alloc() for sess_idr failed\n"); + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, + ISCSI_LOGIN_STATUS_NO_RESOURCES); +- kfree(sess); +- return -ENOMEM; ++ goto free_sess; + } + + sess->creation_time = get_jiffies_64(); +@@ -350,20 +349,28 @@ static int iscsi_login_zero_tsih_s1( + ISCSI_LOGIN_STATUS_NO_RESOURCES); + pr_err("Unable to allocate memory for" + " struct iscsi_sess_ops.\n"); +- kfree(sess); +- return -ENOMEM; ++ goto remove_idr; + } + + sess->se_sess = transport_init_session(TARGET_PROT_NORMAL); + if (IS_ERR(sess->se_sess)) { + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, + 
ISCSI_LOGIN_STATUS_NO_RESOURCES); +- kfree(sess->sess_ops); +- kfree(sess); +- return -ENOMEM; ++ goto free_ops; + } + + return 0; ++ ++free_ops: ++ kfree(sess->sess_ops); ++remove_idr: ++ spin_lock_bh(&sess_idr_lock); ++ idr_remove(&sess_idr, sess->session_index); ++ spin_unlock_bh(&sess_idr_lock); ++free_sess: ++ kfree(sess); ++ conn->sess = NULL; ++ return -ENOMEM; + } + + static int iscsi_login_zero_tsih_s2( +@@ -1152,13 +1159,13 @@ void iscsi_target_login_sess_out(struct + ISCSI_LOGIN_STATUS_INIT_ERR); + if (!zero_tsih || !conn->sess) + goto old_sess_out; +- if (conn->sess->se_sess) +- transport_free_session(conn->sess->se_sess); +- if (conn->sess->session_index != 0) { +- spin_lock_bh(&sess_idr_lock); +- idr_remove(&sess_idr, conn->sess->session_index); +- spin_unlock_bh(&sess_idr_lock); +- } ++ ++ transport_free_session(conn->sess->se_sess); ++ ++ spin_lock_bh(&sess_idr_lock); ++ idr_remove(&sess_idr, conn->sess->session_index); ++ spin_unlock_bh(&sess_idr_lock); ++ + kfree(conn->sess->sess_ops); + kfree(conn->sess); + conn->sess = NULL; diff --git a/queue-4.9/kprobes-make-list-and-blacklist-root-user-read-only.patch b/queue-4.9/kprobes-make-list-and-blacklist-root-user-read-only.patch new file mode 100644 index 00000000000..0f08a4b0626 --- /dev/null +++ b/queue-4.9/kprobes-make-list-and-blacklist-root-user-read-only.patch 
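Review bot: iscsi_target_login_sess_out() now calls `transport_free_session(conn->sess->se_sess)` and `idr_remove()` without the old `se_sess` and `session_index != 0` guards, so it depends on the invariant that a non-NULL `conn->sess` always points at a fully constructed session. That invariant is established only by the new `free_ops`/`remove_idr`/`free_sess` unwinding in iscsi_login_zero_tsih_s1(), and it is not written down at either site. I would add a comment above the labels, e.g. `/* on failure conn->sess must be NULL: iscsi_target_login_sess_out() assumes a set pointer is fully initialised */`. Any failure exit of iscsi_login_zero_tsih_s1() that lies above the first hunk and still leaves `conn->sess` set would bring back the access to freed memory, so those paths (not visible here) are worth checking against the same rule. Both functions start outside the hunks shown.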
@@ -0,0 +1,63 @@
+From f2a3ab36077222437b4826fc76111caa14562b7c Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Sat, 28 Apr 2018 21:35:01 +0900
+Subject: kprobes: Make list and blacklist root user read only
+
+From: Masami Hiramatsu
+
+commit f2a3ab36077222437b4826fc76111caa14562b7c upstream.
+
+Since the blacklist and list files on debugfs indicates
+a sensitive address information to reader, it should be
+restricted to the root user.
+
+Suggested-by: Thomas Richter
+Suggested-by: Ingo Molnar
+Signed-off-by: Masami Hiramatsu
+Cc: Ananth N Mavinakayanahalli
+Cc: Anil S Keshavamurthy
+Cc: Arnd Bergmann
+Cc: David Howells
+Cc: David S . Miller
+Cc: Heiko Carstens
+Cc: Jon Medhurst
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Tobin C . Harding
+Cc: Will Deacon
+Cc: acme@kernel.org
+Cc: akpm@linux-foundation.org
+Cc: brueckner@linux.vnet.ibm.com
+Cc: linux-arch@vger.kernel.org
+Cc: rostedt@goodmis.org
+Cc: schwidefsky@de.ibm.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/lkml/152491890171.9916.5183693615601334087.stgit@devbox
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kprobes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2441,7 +2441,7 @@ static int __init debugfs_kprobe_init(vo
+ if (!dir)
+ return -ENOMEM;
+
+- file = debugfs_create_file("list", 0444, dir, NULL,
++ file = debugfs_create_file("list", 0400, dir, NULL,
+ &debugfs_kprobes_operations);
+ if (!file)
+ goto error;
+@@ -2451,7 +2451,7 @@ static int __init debugfs_kprobe_init(vo
+ if (!file)
+ goto error;
+
+- file = debugfs_create_file("blacklist", 0444, dir, NULL,
++ file = debugfs_create_file("blacklist", 0400, dir, NULL,
+ &debugfs_kprobe_blacklist_ops);
+ if (!file)
+ goto error;
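Review bot: The mode change from 0444 to 0400 on `list` and `blacklist` carries no comment, so the reason for the tighter mode is visible only in the commit message. I would add one line above the first call, e.g. `/* 0400: these files expose kernel addresses, keep them root-only */`, so a later cleanup does not relax them again. The file created between the two hunks is not shown here; if it is meant to keep a different mode, the same comment can say so. debugfs_kprobe_init starts and ends outside the hunks.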
diff --git a/queue-4.9/mips-correct-the-64-bit-dsp-accumulator-register-size.patch b/queue-4.9/mips-correct-the-64-bit-dsp-accumulator-register-size.patch new file mode 100644 index 00000000000..f1ff1231d18 --- /dev/null +++ b/queue-4.9/mips-correct-the-64-bit-dsp-accumulator-register-size.patch 
@@ -0,0 +1,71 @@ +From f5958b4cf4fc38ed4583ab83fb7c4cd1ab05f47b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 15 May 2018 23:33:26 +0100 +Subject: MIPS: Correct the 64-bit DSP accumulator register size + +From: Maciej W. Rozycki + +commit f5958b4cf4fc38ed4583ab83fb7c4cd1ab05f47b upstream. + +Use the `unsigned long' rather than `__u32' type for DSP accumulator +registers, like with the regular MIPS multiply/divide accumulator and +general-purpose registers, as all are 64-bit in 64-bit implementations +and using a 32-bit data type leads to contents truncation on context +saving. + +Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing +casts that are similarly not used with multiply/divide accumulator or +general-purpose register accesses. + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Paul Burton +Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") +Patchwork: https://patchwork.linux-mips.org/patch/19329/ +Cc: Alexander Viro +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-fsdevel@vger.kernel.org +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 2.6.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/processor.h | 2 +- + arch/mips/kernel/ptrace.c | 2 +- + arch/mips/kernel/ptrace32.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/mips/include/asm/processor.h ++++ b/arch/mips/include/asm/processor.h +@@ -141,7 +141,7 @@ struct mips_fpu_struct { + + #define NUM_DSP_REGS 6 + +-typedef __u32 dspreg_t; ++typedef unsigned long dspreg_t; + + struct mips_dsp_state { + dspreg_t dspr[NUM_DSP_REGS]; +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -876,7 +876,7 @@ long arch_ptrace(struct task_struct *chi + goto out; + } + dregs = __get_dsp_regs(child); +- tmp = (unsigned long) (dregs[addr - DSP_BASE]); ++ tmp = dregs[addr - DSP_BASE]; + break; + } + case DSP_CONTROL: +--- a/arch/mips/kernel/ptrace32.c ++++ 
b/arch/mips/kernel/ptrace32.c +@@ -140,7 +140,7 @@ long compat_arch_ptrace(struct task_stru + goto out; + } + dregs = __get_dsp_regs(child); +- tmp = (unsigned long) (dregs[addr - DSP_BASE]); ++ tmp = dregs[addr - DSP_BASE]; + break; + } + case DSP_CONTROL: diff --git a/queue-4.9/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch b/queue-4.9/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch new file mode 100644 index 00000000000..a514e54cfba --- /dev/null +++ b/queue-4.9/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch 
@@ -0,0 +1,62 @@ +From 690d9163bf4b8563a2682e619f938e6a0443947f Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Tue, 21 Aug 2018 12:12:59 -0700 +Subject: MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 + +From: Paul Burton + +commit 690d9163bf4b8563a2682e619f938e6a0443947f upstream. + +Some versions of GCC suboptimally generate calls to the __multi3() +intrinsic for MIPS64r6 builds, resulting in link failures due to the +missing function: + + LD vmlinux.o + MODPOST vmlinux.o + kernel/bpf/verifier.o: In function `kmalloc_array': + include/linux/slab.h:631: undefined reference to `__multi3' + fs/select.o: In function `kmalloc_array': + include/linux/slab.h:631: undefined reference to `__multi3' + ... + +We already have a workaround for this in which we provide the +instrinsic, but we do so selectively for GCC 7 only. Unfortunately the +issue occurs with older GCC versions too - it has been observed with +both GCC 5.4.0 & GCC 6.4.0. + +MIPSr6 support was introduced in GCC 5, so all major GCC versions prior +to GCC 8 are affected and we extend our workaround accordingly to all +MIPS64r6 builds using GCC versions older than GCC 8. + +Signed-off-by: Paul Burton +Reported-by: Vladimir Kondratiev +Fixes: ebabcf17bcd7 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds") +Patchwork: https://patchwork.linux-mips.org/patch/20297/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # 4.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/multi3.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/mips/lib/multi3.c ++++ b/arch/mips/lib/multi3.c +@@ -4,12 +4,12 @@ + #include "libgcc.h" + + /* +- * GCC 7 suboptimally generates __multi3 calls for mips64r6, so for that +- * specific case only we'll implement it here. ++ * GCC 7 & older can suboptimally generate __multi3 calls for mips64r6, so for ++ * that specific case only we implement that intrinsic here. 
+ * + * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981 + */ +-#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ == 7) ++#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 8) + + /* multiply 64-bit values, low 64-bits returned */ + static inline long long notrace dmulu(long long a, long long b) diff --git a/queue-4.9/pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch b/queue-4.9/pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch new file mode 100644 index 00000000000..2d6c810cfc1 --- /dev/null +++ b/queue-4.9/pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch @@ -0,0 +1,33 @@ +From 5e2e2f9f76e157063a656351728703cb02b068f1 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 23 Aug 2018 16:59:25 +0300 +Subject: PM / clk: signedness bug in of_pm_clk_add_clks() + +From: Dan Carpenter + +commit 5e2e2f9f76e157063a656351728703cb02b068f1 upstream. + +"count" needs to be signed for the error handling to work. I made "i" +signed as well so they match. + +Fixes: 02113ba93ea4 (PM / clk: Add support for obtaining clocks from device-tree) +Cc: 4.6+ # 4.6+ +Signed-off-by: Dan Carpenter +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/clock_ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/clock_ops.c ++++ b/drivers/base/power/clock_ops.c +@@ -185,7 +185,7 @@ EXPORT_SYMBOL_GPL(of_pm_clk_add_clk); + int of_pm_clk_add_clks(struct device *dev) + { + struct clk **clks; +- unsigned int i, count; ++ int i, count; + int ret; + + if (!dev || !dev->of_node) diff --git a/queue-4.9/power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch b/queue-4.9/power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch new file mode 100644 index 00000000000..b7d82869292 --- /dev/null +++ b/queue-4.9/power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch 
@@ -0,0 +1,60 @@
+From a427503edaaed9b75ed9746a654cece7e93e60a8 Mon Sep 17 00:00:00 2001
+From: "H. Nikolaus Schaller"
+Date: Tue, 26 Jun 2018 15:28:30 +0200
+Subject: power: generic-adc-battery: check for duplicate properties copied from iio channels
+
+From: H. Nikolaus Schaller
+
+commit a427503edaaed9b75ed9746a654cece7e93e60a8 upstream.
+
+If an iio channel defines a basic property, there are duplicate entries
+in /sys/class/power/*/uevent.
+
+So add a check to avoid duplicates. Since all channels may be duplicates,
+we have to modify the related error check.
+
+Signed-off-by: H. Nikolaus Schaller
+Cc: stable@vger.kernel.org
+Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO")
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/power/supply/generic-adc-battery.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -246,6 +246,7 @@ static int gab_probe(struct platform_dev
+ int ret = 0;
+ int chan;
+ int index = ARRAY_SIZE(gab_props);
++ bool any = false;
+
+ adc_bat = devm_kzalloc(&pdev->dev, sizeof(*adc_bat), GFP_KERNEL);
+ if (!adc_bat) {
+@@ -292,12 +293,22 @@ static int gab_probe(struct platform_dev
+ adc_bat->channel[chan] = NULL;
+ } else {
+ /* copying properties for supported channels only */
+- psy_desc->properties[index++] = gab_dyn_props[chan];
++ int index2;
++
++ for (index2 = 0; index2 < index; index2++) {
++ if (psy_desc->properties[index2] ==
++ gab_dyn_props[chan])
++ break; /* already known */
++ }
++ if (index2 == index) /* really new */
++ psy_desc->properties[index++] =
++ gab_dyn_props[chan];
++ any = true;
+ }
+ }
+
+ /* none of the channels are supported so let's bail out */
+- if (index == ARRAY_SIZE(gab_props)) {
++ if (!any) {
+ ret = -ENODEV;
+ goto second_mem_fail;
+ }
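Review bot: Nothing in this hunk bounds `index` before the store `psy_desc->properties[index++] = gab_dyn_props[chan];`, so the write stays inside the buffer only if the allocation earlier in gab_probe (outside the hunk) reserves ARRAY_SIZE(gab_props) entries plus one per channel. The companion patch fix-out-of-bounds-write-when-copying-channel-properties, queued in this same commit, introduces that store to fix an overrun of this very buffer, so I would state the sizing invariant in a comment next to it, e.g. `/* properties[] holds ARRAY_SIZE(gab_props) + one slot per channel */`. Separately, the multi-line `if (index2 == index)` has no braces and is followed directly by `any = true;`, which is easy to misread as conditional; bracing the `if` body would make it clear that `any` is set for every supported channel. gab_probe starts and ends outside the hunks.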
diff --git a/queue-4.9/power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch b/queue-4.9/power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch new file mode 100644 index 00000000000..f251360f2f2 --- /dev/null +++ b/queue-4.9/power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch 
@@ -0,0 +1,99 @@ +From 932d47448c3caa0fa99e84d7f5bc302aa286efd8 Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Tue, 26 Jun 2018 15:28:29 +0200 +Subject: power: generic-adc-battery: fix out-of-bounds write when copying channel properties + +From: H. Nikolaus Schaller + +commit 932d47448c3caa0fa99e84d7f5bc302aa286efd8 upstream. + +We did have sporadic problems in the pinctrl framework during boot +where a pin group name unexpectedly became NULL leading to a NULL +dereference in strcmp. + +Detailled analysis of the failing cases did reveal that there were +two devm allocated objects close to each other. The second one was +the affected group_desc in pinmux and the first one was the +psy_desc->properties buffer of the gab driver. + +Review of the gab code showed that the address calculation for +one memcpy() is wrong. It does + + properties + sizeof(type) * index + +but C is defined to do the index multiplication already for +pointer + integer additions. Hence the factor was applied twice +and the memcpy() does write outside of the properties buffer. +Sometimes it happened to be the pinctrl and triggered the strcmp(NULL). + +Anyways, it is overkill to use a memcpy() here instead of a simple +assignment, which is easier to read and has less risk for wrong +address calculations. So we change code to a simple assignment. + +If we initialize the index to the first free location, we can even +remove the local variable 'properties'. + +This bug seems to exist right from the beginning in 3.7-rc1 in + +commit e60fea794e6e ("power: battery: Generic battery driver using IIO") + +Signed-off-by: H. 
Nikolaus Schaller +Cc: stable@vger.kernel.org +Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO") +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/generic-adc-battery.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/drivers/power/supply/generic-adc-battery.c ++++ b/drivers/power/supply/generic-adc-battery.c +@@ -243,10 +243,9 @@ static int gab_probe(struct platform_dev + struct power_supply_desc *psy_desc; + struct power_supply_config psy_cfg = {}; + struct gab_platform_data *pdata = pdev->dev.platform_data; +- enum power_supply_property *properties; + int ret = 0; + int chan; +- int index = 0; ++ int index = ARRAY_SIZE(gab_props); + + adc_bat = devm_kzalloc(&pdev->dev, sizeof(*adc_bat), GFP_KERNEL); + if (!adc_bat) { +@@ -280,8 +279,6 @@ static int gab_probe(struct platform_dev + } + + memcpy(psy_desc->properties, gab_props, sizeof(gab_props)); +- properties = (enum power_supply_property *) +- ((char *)psy_desc->properties + sizeof(gab_props)); + + /* + * getting channel from iio and copying the battery properties +@@ -295,15 +292,12 @@ static int gab_probe(struct platform_dev + adc_bat->channel[chan] = NULL; + } else { + /* copying properties for supported channels only */ +- memcpy(properties + sizeof(*(psy_desc->properties)) * index, +- &gab_dyn_props[chan], +- sizeof(gab_dyn_props[chan])); +- index++; ++ psy_desc->properties[index++] = gab_dyn_props[chan]; + } + } + + /* none of the channels are supported so let's bail out */ +- if (index == 0) { ++ if (index == ARRAY_SIZE(gab_props)) { + ret = -ENODEV; + goto second_mem_fail; + } +@@ -314,7 +308,7 @@ static int gab_probe(struct platform_dev + * as come channels may be not be supported by the device.So + * we need to take care of that. 
+ */ +- psy_desc->num_properties = ARRAY_SIZE(gab_props) + index; ++ psy_desc->num_properties = index; + + adc_bat->psy = power_supply_register(&pdev->dev, psy_desc, &psy_cfg); + if (IS_ERR(adc_bat->psy)) { diff --git a/queue-4.9/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch b/queue-4.9/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch new file mode 100644 index 00000000000..8a03a981c65 --- /dev/null +++ b/queue-4.9/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch @@ -0,0 +1,35 @@ +From 26f843848bae973817b3587780ce6b7b0200d3e4 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 6 Aug 2018 14:26:39 +0200 +Subject: s390: fix br_r1_trampoline for machines without exrl + +From: Martin Schwidefsky + +commit 26f843848bae973817b3587780ce6b7b0200d3e4 upstream. + +For machines without the exrl instruction the BFP jit generates +code that uses an "br %r1" instruction located in the lowcore page. +Unfortunately there is a cut & paste error that puts an additional +"larl %r1,.+14" instruction in the code that clobbers the branch +target address in %r1. Remove the larl instruction. + +Cc: # v4.17+ +Fixes: de5cb6eb51 ("s390: use expoline thunks in the BPF JIT") +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/net/bpf_jit_comp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -517,8 +517,6 @@ static void bpf_jit_epilogue(struct bpf_ + /* br %r1 */ + _EMIT2(0x07f1); + } else { +- /* larl %r1,.+14 */ +- EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14); + /* ex 0,S390_lowcore.br_r1_tampoline */ + EMIT4_DISP(0x44000000, REG_0, REG_0, + offsetof(struct lowcore, br_r1_trampoline)); diff --git a/queue-4.9/s390-numa-move-initial-setup-of-node_to_cpumask_map.patch b/queue-4.9/s390-numa-move-initial-setup-of-node_to_cpumask_map.patch new file mode 100644 index 00000000000..505f0bd70cb --- /dev/null 
+++ b/queue-4.9/s390-numa-move-initial-setup-of-node_to_cpumask_map.patch 
@@ -0,0 +1,60 @@
+From fb7d7518b0d65955f91c7b875c36eae7694c69bd Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky
+Date: Tue, 31 Jul 2018 16:14:18 +0200
+Subject: s390/numa: move initial setup of node_to_cpumask_map
+
+From: Martin Schwidefsky
+
+commit fb7d7518b0d65955f91c7b875c36eae7694c69bd upstream.
+
+The numa_init_early initcall sets the node_to_cpumask_map[0] to the
+full cpu_possible_mask. Unfortunately this early_initcall is too late,
+the NUMA setup for numa=emu is done even earlier. The order of calls
+is numa_setup() -> emu_update_cpu_topology(), then the early_initcalls(),
+followed by sched_init_domains().
+
+Starting with git commit 051f3ca02e46432c0965e8948f00c07d8a2f09c0
+"sched/topology: Introduce NUMA identity node sched domain"
+the incorrect node_to_cpumask_map[0] really screws up the domain
+setup and the kernel panics with the follow oops:
+
+Cc: # v4.15+
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/numa/numa.c | 16 ++--------------
+ 1 file changed, 2 insertions(+), 14 deletions(-)
+
+--- a/arch/s390/numa/numa.c
++++ b/arch/s390/numa/numa.c
+@@ -133,6 +133,8 @@ void __init numa_setup(void)
+ {
+ pr_info("NUMA mode: %s\n", mode->name);
+ nodes_clear(node_possible_map);
++ /* Initially attach all possible CPUs to node 0. */
++ cpumask_copy(&node_to_cpumask_map[0], cpu_possible_mask);
+ if (mode->setup)
+ mode->setup();
+ numa_setup_memory();
+@@ -140,20 +142,6 @@ void __init numa_setup(void)
+ }
+
+ /*
+- * numa_init_early() - Initialization initcall
+- *
+- * This runs when only one CPU is online and before the first
+- * topology update is called for by the scheduler.
+- */
+-static int __init numa_init_early(void)
+-{
+- /* Attach all possible CPUs to node 0 for now. */
+- cpumask_copy(&node_to_cpumask_map[0], cpu_possible_mask);
+- return 0;
+-}
+-early_initcall(numa_init_early);
+-
+-/*
+ * numa_init_late() - Initialization initcall
+ *
+ * Register NUMA nodes.
diff --git a/queue-4.9/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch b/queue-4.9/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch
new file mode 100644
index 00000000000..fa28500b897
--- /dev/null
+++ b/queue-4.9/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch
@@ -0,0 +1,36 @@
+From 866f3576a72b2233a76dffb80290f8086dc49e17 Mon Sep 17 00:00:00 2001
+From: Sebastian Ott
+Date: Mon, 13 Aug 2018 11:26:46 +0200
+Subject: s390/pci: fix out of bounds access during irq setup
+
+From: Sebastian Ott
+
+commit 866f3576a72b2233a76dffb80290f8086dc49e17 upstream.
+
+During interrupt setup we allocate interrupt vectors, walk the list of msi
+descriptors, and fill in the message data. Requesting more interrupts than
+supported on s390 can lead to an out of bounds access.
+
+When we restrict the number of interrupts we should also stop walking the
+msi list after all supported interrupts are handled.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sebastian Ott
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/pci/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -407,6 +407,8 @@ int arch_setup_msi_irqs(struct pci_dev *
+ hwirq = 0;
+ for_each_pci_msi_entry(msi, pdev) {
+ rc = -EIO;
++ if (hwirq >= msi_vecs)
++ break;
+ irq = irq_alloc_desc(0); /* Alloc irq on node 0 */
+ if (irq < 0)
+ goto out_msi;
diff --git a/queue-4.9/s390-qdio-reset-old-sbal_state-flags.patch b/queue-4.9/s390-qdio-reset-old-sbal_state-flags.patch
new file mode 100644
index 00000000000..b2522a939df
--- /dev/null
+++ b/queue-4.9/s390-qdio-reset-old-sbal_state-flags.patch
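Review bot: The added `if (hwirq >= msi_vecs) break;` sits after `rc = -EIO;`, so when the loop stops early it leaves `rc` holding an error value even though nothing has failed. Whether that matters depends on the code after the loop, which is outside the hunk: if `rc` is not reassigned before it is returned, a request for more vectors than supported would fail instead of being capped. I would confirm that `rc` is overwritten after the loop and record it next to the check, e.g. `/* vector count was capped: stop here, rc is set again after the loop */`. arch_setup_msi_irqs starts and ends outside the hunk.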
@@ -0,0 +1,66 @@
+From 64e03ff72623b8c2ea89ca3cb660094e019ed4ae Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann
+Date: Wed, 16 May 2018 09:37:25 +0200
+Subject: s390/qdio: reset old sbal_state flags
+
+From: Julian Wiedmann
+
+commit 64e03ff72623b8c2ea89ca3cb660094e019ed4ae upstream.
+
+When allocating a new AOB fails, handle_outbound() is still capable of
+transmitting the selected buffer (just without async completion).
+
+But if a previous transfer on this queue slot used async completion, its
+sbal_state flags field is still set to QDIO_OUTBUF_STATE_FLAG_PENDING.
+So when the upper layer driver sees this stale flag, it expects an async
+completion that never happens.
+
+Fix this by unconditionally clearing the flags field.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Cc: #v3.2+
+Signed-off-by: Julian Wiedmann
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/include/asm/qdio.h | 1 -
+ drivers/s390/cio/qdio_main.c | 5 ++---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/include/asm/qdio.h
++++ b/arch/s390/include/asm/qdio.h
+@@ -261,7 +261,6 @@ struct qdio_outbuf_state {
+ void *user;
+ };
+
+-#define QDIO_OUTBUF_STATE_FLAG_NONE 0x00
+ #define QDIO_OUTBUF_STATE_FLAG_PENDING 0x01
+
+ #define CHSC_AC1_INITIATE_INPUTQ 0x80
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -640,21 +640,20 @@ static inline unsigned long qdio_aob_for
+ unsigned long phys_aob = 0;
+
+ if (!q->use_cq)
+- goto out;
++ return 0;
+
+ if (!q->aobs[bufnr]) {
+ struct qaob *aob = qdio_allocate_aob();
+ q->aobs[bufnr] = aob;
+ }
+ if (q->aobs[bufnr]) {
+- q->sbal_state[bufnr].flags = QDIO_OUTBUF_STATE_FLAG_NONE;
+ q->sbal_state[bufnr].aob = q->aobs[bufnr];
+ q->aobs[bufnr]->user1 = (u64) q->sbal_state[bufnr].user;
+ phys_aob = virt_to_phys(q->aobs[bufnr]);
+ WARN_ON_ONCE(phys_aob & 0xFF);
+ }
+
+-out:
++ q->sbal_state[bufnr].flags = 0;
+ return phys_aob;
+ }
+
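Review bot: The description says the flags field is cleared unconditionally, but in the qdio_main.c hunk the new `if (!q->use_cq) return 0;` returns before `q->sbal_state[bufnr].flags = 0;` is reached, so the clear only happens on queues that use the completion queue. That is presumably intended, since the stale PENDING flag only matters with async completion, but the assignment deserves a comment such as `/* Always drop a stale PENDING flag, also when no AOB could be allocated. */`. Replacing QDIO_OUTBUF_STATE_FLAG_NONE with a bare `0` also loses the named counterpart of QDIO_OUTBUF_STATE_FLAG_PENDING, and keeping the define would read better at the call site. The function name is truncated in the hunk header and its signature is not visible.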
diff --git a/queue-4.9/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch b/queue-4.9/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch
new file mode 100644
index 00000000000..7789fe26c4a
--- /dev/null
+++ b/queue-4.9/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch
@@ -0,0 +1,164 @@
+From 0ee223b2e1f67cb2de9c0e3247c510d846e74d63 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 2 Aug 2018 10:51:41 -0700
+Subject: scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
+
+From: Bart Van Assche
+
+commit 0ee223b2e1f67cb2de9c0e3247c510d846e74d63 upstream.
+
+A long time ago the unfortunate decision was taken to add a self-deletion
+attribute to the sysfs SCSI device directory. That decision was unfortunate
+because self-deletion is really tricky. We can't drop that attribute
+because widely used user space software depends on it, namely the
+rescan-scsi-bus.sh script. Hence this patch that avoids that writing into
+that attribute triggers a deadlock. See also commit 7973cbd9fbd9 ("[PATCH]
+add sysfs attributes to scan and delete scsi_devices").
+
+This patch avoids that self-removal triggers the following deadlock:
+
+======================================================
+WARNING: possible circular locking dependency detected
+4.18.0-rc2-dbg+ #5 Not tainted
+------------------------------------------------------
+modprobe/6539 is trying to acquire lock:
+000000008323c4cd (kn->count#202){++++}, at: kernfs_remove_by_name_ns+0x45/0x90
+
+but task is already holding lock:
+00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (&shost->scan_mutex){+.+.}:
+ __mutex_lock+0xfe/0xc70
+ mutex_lock_nested+0x1b/0x20
+ scsi_remove_device+0x26/0x40 [scsi_mod]
+ sdev_store_delete+0x27/0x30 [scsi_mod]
+ dev_attr_store+0x3e/0x50
+ sysfs_kf_write+0x87/0xa0
+ kernfs_fop_write+0x190/0x230
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+-> #0 (kn->count#202){++++}:
+ lock_acquire+0xd2/0x260
+ __kernfs_remove+0x424/0x4a0
+ kernfs_remove_by_name_ns+0x45/0x90
+ remove_files.isra.1+0x3a/0x90
+ sysfs_remove_group+0x5c/0xc0
+ sysfs_remove_groups+0x39/0x60
+ device_remove_attrs+0x82/0xb0
+ device_del+0x251/0x580
+ __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
+ scsi_forget_host+0x37/0xb0 [scsi_mod]
+ scsi_remove_host+0x9b/0x150 [scsi_mod]
+ sdebug_driver_remove+0x4b/0x150 [scsi_debug]
+ device_release_driver_internal+0x241/0x360
+ device_release_driver+0x12/0x20
+ bus_remove_device+0x1bc/0x290
+ device_del+0x259/0x580
+ device_unregister+0x1a/0x70
+ sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
+ scsi_debug_exit+0x76/0xe8 [scsi_debug]
+ __x64_sys_delete_module+0x1c1/0x280
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&shost->scan_mutex);
+ lock(kn->count#202);
+ lock(&shost->scan_mutex);
+ lock(kn->count#202);
+
+ *** DEADLOCK ***
+
+2 locks held by modprobe/6539:
+ #0: 00000000efaf9298 (&dev->mutex){....}, at: device_release_driver_internal+0x68/0x360
+ #1: 00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod]
+
+stack backtrace:
+CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_circular_bug.isra.34+0x213/0x221
+ __lock_acquire+0x1a7e/0x1b50
+ lock_acquire+0xd2/0x260
+ __kernfs_remove+0x424/0x4a0
+ kernfs_remove_by_name_ns+0x45/0x90
+ remove_files.isra.1+0x3a/0x90
+ sysfs_remove_group+0x5c/0xc0
+ sysfs_remove_groups+0x39/0x60
+ device_remove_attrs+0x82/0xb0
+ device_del+0x251/0x580
+ __scsi_remove_device+0x19f/0x1d0 [scsi_mod]
+ scsi_forget_host+0x37/0xb0 [scsi_mod]
+ scsi_remove_host+0x9b/0x150 [scsi_mod]
+ sdebug_driver_remove+0x4b/0x150 [scsi_debug]
+ device_release_driver_internal+0x241/0x360
+ device_release_driver+0x12/0x20
+ bus_remove_device+0x1bc/0x290
+ device_del+0x259/0x580
+ device_unregister+0x1a/0x70
+ sdebug_remove_adapter+0x8b/0xf0 [scsi_debug]
+ scsi_debug_exit+0x76/0xe8 [scsi_debug]
+ __x64_sys_delete_module+0x1c1/0x280
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html.
+
+Fixes: ac0ece9174ac ("scsi: use device_remove_file_self() instead of device_schedule_callback()")
+Signed-off-by: Bart Van Assche
+Cc: Greg Kroah-Hartman
+Acked-by: Tejun Heo
+Cc: Johannes Thumshirn
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+Signed-off-by: Martin K. Petersen
+
+---
+ drivers/scsi/scsi_sysfs.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -709,8 +709,24 @@ static ssize_t
+ sdev_store_delete(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+- if (device_remove_file_self(dev, attr))
+- scsi_remove_device(to_scsi_device(dev));
++ struct kernfs_node *kn;
++
++ kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
++ WARN_ON_ONCE(!kn);
++ /*
++ * Concurrent writes into the "delete" sysfs attribute may trigger
++ * concurrent calls to device_remove_file() and scsi_remove_device().
++ * device_remove_file() handles concurrent removal calls by
++ * serializing these and by ignoring the second and later removal
++ * attempts. Concurrent calls of scsi_remove_device() are
++ * serialized. The second and later calls of scsi_remove_device() are
++ * ignored because the first call of that function changes the device
++ * state into SDEV_DEL.
++ */
++ device_remove_file(dev, attr);
++ scsi_remove_device(to_scsi_device(dev));
++ if (kn)
++ sysfs_unbreak_active_protection(kn);
+ return count;
+ };
+ static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete);
diff --git a/queue-4.9/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch b/queue-4.9/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch
new file mode 100644
index 00000000000..c00e8552d01
--- /dev/null
+++ b/queue-4.9/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch
@@ -0,0 +1,107 @@
+From 2afc9166f79b8f6da5f347f48515215ceee4ae37 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 2 Aug 2018 10:51:40 -0700
+Subject: scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
+
+From: Bart Van Assche
+
+commit 2afc9166f79b8f6da5f347f48515215ceee4ae37 upstream.
+
+Introduce these two functions and export them such that the next patch
+can add calls to these functions from the SCSI core.
+
+Signed-off-by: Bart Van Assche
+Acked-by: Tejun Heo
+Acked-by: Greg Kroah-Hartman
+Cc:
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/sysfs/file.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/sysfs.h | 14 ++++++++++++++
+ 2 files changed, 58 insertions(+)
+
+--- a/fs/sysfs/file.c
++++ b/fs/sysfs/file.c
+@@ -408,6 +408,50 @@ int sysfs_chmod_file(struct kobject *kob
+ EXPORT_SYMBOL_GPL(sysfs_chmod_file);
+
+ /**
++ * sysfs_break_active_protection - break "active" protection
++ * @kobj: The kernel object @attr is associated with.
++ * @attr: The attribute to break the "active" protection for.
++ *
++ * With sysfs, just like kernfs, deletion of an attribute is postponed until
++ * all active .show() and .store() callbacks have finished unless this function
++ * is called. Hence this function is useful in methods that implement self
++ * deletion.
++ */
++struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj,
++ const struct attribute *attr)
++{
++ struct kernfs_node *kn;
++
++ kobject_get(kobj);
++ kn = kernfs_find_and_get(kobj->sd, attr->name);
++ if (kn)
++ kernfs_break_active_protection(kn);
++ return kn;
++}
++EXPORT_SYMBOL_GPL(sysfs_break_active_protection);
++
++/**
++ * sysfs_unbreak_active_protection - restore "active" protection
++ * @kn: Pointer returned by sysfs_break_active_protection().
++ *
++ * Undo the effects of sysfs_break_active_protection(). Since this function
++ * calls kernfs_put() on the kernfs node that corresponds to the 'attr'
++ * argument passed to sysfs_break_active_protection() that attribute may have
++ * been removed between the sysfs_break_active_protection() and
++ * sysfs_unbreak_active_protection() calls, it is not safe to access @kn after
++ * this function has returned.
++ */
++void sysfs_unbreak_active_protection(struct kernfs_node *kn)
++{
++ struct kobject *kobj = kn->parent->priv;
++
++ kernfs_unbreak_active_protection(kn);
++ kernfs_put(kn);
++ kobject_put(kobj);
++}
++EXPORT_SYMBOL_GPL(sysfs_unbreak_active_protection);
++
++/**
+ * sysfs_remove_file_ns - remove an object attribute with a custom ns tag
+ * @kobj: object we're acting for
+ * @attr: attribute descriptor
+--- a/include/linux/sysfs.h
++++ b/include/linux/sysfs.h
+@@ -238,6 +238,9 @@ int __must_check sysfs_create_files(stru
+ const struct attribute **attr);
+ int __must_check sysfs_chmod_file(struct kobject *kobj,
+ const struct attribute *attr, umode_t mode);
++struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj,
++ const struct attribute *attr);
++void sysfs_unbreak_active_protection(struct kernfs_node *kn);
+ void sysfs_remove_file_ns(struct kobject *kobj, const struct attribute *attr,
+ const void *ns);
+ bool sysfs_remove_file_self(struct kobject *kobj, const struct attribute *attr);
+@@ -351,6 +354,17 @@ static inline int sysfs_chmod_file(struc
+ return 0;
+ }
+
++static inline struct kernfs_node *
++sysfs_break_active_protection(struct kobject *kobj,
++ const struct attribute *attr)
++{
++ return NULL;
++}
++
++static inline void sysfs_unbreak_active_protection(struct kernfs_node *kn)
++{
++}
++
+ static inline void sysfs_remove_file_ns(struct kobject *kobj,
+ const struct attribute *attr,
+ const void *ns)
diff --git a/queue-4.9/series b/queue-4.9/series
index 1fc05012bb1..a225135bddd 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
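Review bot: sysfs_break_active_protection() takes a reference with `kobject_get(kobj)` before the lookup and returns NULL when `kernfs_find_and_get()` fails without dropping it, so the kobject reference leaks on that path. The only release is in sysfs_unbreak_active_protection(), which cannot be called with NULL because it starts by reading `kn->parent->priv`; the caller added to sdev_store_delete() in the companion scsi patch accordingly skips it when kn is NULL. Adding an `else` branch with `kobject_put(kobj);` after the `if (kn)` test closes the leak. The kernel-doc of both functions should also say that the return value may be NULL and that @kn must not be.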
@@ -89,3 +89,18 @@ x86-irqflags-mark-native_restore_fl-extern-inline.patch
 x86-spectre-add-missing-family-6-check-to-microcode-check.patch
 x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch
 x86-entry-64-wipe-kasan-stack-shadow-before-rewind_stack_do_exit.patch
+s390-fix-br_r1_trampoline-for-machines-without-exrl.patch
+s390-qdio-reset-old-sbal_state-flags.patch
+s390-numa-move-initial-setup-of-node_to_cpumask_map.patch
+s390-pci-fix-out-of-bounds-access-during-irq-setup.patch
+kprobes-make-list-and-blacklist-root-user-read-only.patch
+mips-correct-the-64-bit-dsp-accumulator-register-size.patch
+mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch
+scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch
+scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch
+iscsi-target-fix-session-creation-failure-handling.patch
+clk-rockchip-fix-clk_i2sout-parent-selection-bits-on-rk3399.patch
+pm-clk-signedness-bug-in-of_pm_clk_add_clks.patch
+power-generic-adc-battery-fix-out-of-bounds-write-when-copying-channel-properties.patch
+power-generic-adc-battery-check-for-duplicate-properties-copied-from-iio-channels.patch
+cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch
-- 2.47.3