-From 59c4d7838e3e526f3e253c536727e3539321fbd6 Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <jslaby@suse.cz>
-Date: Thu, 26 Nov 2015 19:28:26 +0100
-Subject: [PATCH 001/251] TTY: n_hdlc, fix lockdep false positive
-Status: RO
-Content-Length: 3446
-Lines: 97
-
-commit e9b736d88af1a143530565929390cadf036dc799 upstream.
-
-The class of 4 n_hdls buf locks is the same because a single function
-n_hdlc_buf_list_init is used to init all the locks. But since
-flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
-n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
-emits a warning:
-=============================================
-[ INFO: possible recursive locking detected ]
-4.3.0-25.g91e30a7-default #1 Not tainted
----------------------------------------------
-a.out/1248 is trying to acquire lock:
- (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
-
-but task is already holding lock:
- (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
-
-other info that might help us debug this:
- Possible unsafe locking scenario:
-
- CPU0
- ----
- lock(&(&list->spinlock)->rlock);
- lock(&(&list->spinlock)->rlock);
-
- *** DEADLOCK ***
-
- May be due to missing lock nesting notation
-
-2 locks held by a.out/1248:
- #0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
- #1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
-...
-Call Trace:
-...
- [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
- [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
- [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
- [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
-...
-
-Fix it by initializing the spin_locks separately. This removes also
-reduntand memset of a freshly kzallocated space.
-
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/n_hdlc.c | 19 ++++---------------
- 1 file changed, 4 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
-index 644ddb841d9f..a7fa016f31eb 100644
---- a/drivers/tty/n_hdlc.c
-+++ b/drivers/tty/n_hdlc.c
-@@ -159,7 +159,6 @@ struct n_hdlc {
- /*
- * HDLC buffer list manipulation functions
- */
--static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
- static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
- struct n_hdlc_buf *buf);
- static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
-@@ -853,10 +852,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
- if (!n_hdlc)
- return NULL;
-
-- n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
-+ spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
-
- /* allocate free rx buffer list */
- for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
-@@ -885,16 +884,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
- } /* end of n_hdlc_alloc() */
-
- /**
-- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
-- * @list - pointer to buffer list
-- */
--static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
--{
-- memset(list, 0, sizeof(*list));
-- spin_lock_init(&list->spinlock);
--} /* end of n_hdlc_buf_list_init() */
--
--/**
- * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
- * @list - pointer to buffer list
- * @buf - pointer to buffer
---
-2.12.2
-
-From 999853d941b99ca2ac4a331552c388e2603a9b1d Mon Sep 17 00:00:00 2001
-From: Alexander Popov <alex.popov@linux.com>
-Date: Tue, 28 Feb 2017 19:54:40 +0300
-Subject: [PATCH 002/251] tty: n_hdlc: get rid of racy n_hdlc.tbuf
-Content-Length: 9967
-Lines: 308
-
-commit 82f2341c94d270421f383641b7cd670e474db56b upstream.
-
-Currently N_HDLC line discipline uses a self-made singly linked list for
-data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
-an error.
-
-The commit be10eb7589337e5defbe214dae038a53dd21add8
-("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
-After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
-one data buffer to tx_free_buf_list twice. That causes double free in
-n_hdlc_release().
-
-Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
-in case of tx error put current data buffer after the head of tx_buf_list.
-
-Signed-off-by: Alexander Popov <alex.popov@linux.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------
- 1 file changed, 69 insertions(+), 63 deletions(-)
-
-diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
-index a7fa016f31eb..6d1e2f746ab4 100644
---- a/drivers/tty/n_hdlc.c
-+++ b/drivers/tty/n_hdlc.c
-@@ -114,7 +114,7 @@
- #define DEFAULT_TX_BUF_COUNT 3
-
- struct n_hdlc_buf {
-- struct n_hdlc_buf *link;
-+ struct list_head list_item;
- int count;
- char buf[1];
- };
-@@ -122,8 +122,7 @@ struct n_hdlc_buf {
- #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
-
- struct n_hdlc_buf_list {
-- struct n_hdlc_buf *head;
-- struct n_hdlc_buf *tail;
-+ struct list_head list;
- int count;
- spinlock_t spinlock;
- };
-@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
- * @backup_tty - TTY to use if tty gets closed
- * @tbusy - reentrancy flag for tx wakeup code
- * @woke_up - FIXME: describe this field
-- * @tbuf - currently transmitting tx buffer
- * @tx_buf_list - list of pending transmit frame buffers
- * @rx_buf_list - list of received frame buffers
- * @tx_free_buf_list - list unused transmit frame buffers
-@@ -149,7 +147,6 @@ struct n_hdlc {
- struct tty_struct *backup_tty;
- int tbusy;
- int woke_up;
-- struct n_hdlc_buf *tbuf;
- struct n_hdlc_buf_list tx_buf_list;
- struct n_hdlc_buf_list rx_buf_list;
- struct n_hdlc_buf_list tx_free_buf_list;
-@@ -159,6 +156,8 @@ struct n_hdlc {
- /*
- * HDLC buffer list manipulation functions
- */
-+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
-+ struct n_hdlc_buf *buf);
- static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
- struct n_hdlc_buf *buf);
- static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
-@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
- {
- struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
- struct n_hdlc_buf *buf;
-- unsigned long flags;
-
- while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
-- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
-- if (n_hdlc->tbuf) {
-- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
-- n_hdlc->tbuf = NULL;
-- }
-- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
- }
-
- static struct tty_ldisc_ops n_hdlc_ldisc = {
-@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
- } else
- break;
- }
-- kfree(n_hdlc->tbuf);
- kfree(n_hdlc);
-
- } /* end of n_hdlc_release() */
-@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
- n_hdlc->woke_up = 0;
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
-
-- /* get current transmit buffer or get new transmit */
-- /* buffer from list of pending transmit buffers */
--
-- tbuf = n_hdlc->tbuf;
-- if (!tbuf)
-- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
--
-+ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
- while (tbuf) {
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)sending frame %p, count=%d\n",
-@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
-
- /* rollback was possible and has been done */
- if (actual == -ERESTARTSYS) {
-- n_hdlc->tbuf = tbuf;
-+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
- break;
- }
- /* if transmit error, throw frame away by */
-@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
-
- /* free current transmit buffer */
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
--
-- /* this tx buffer is done */
-- n_hdlc->tbuf = NULL;
--
-+
- /* wait up sleeping writers */
- wake_up_interruptible(&tty->write_wait);
-
-@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)frame %p pending\n",
- __FILE__,__LINE__,tbuf);
--
-- /* buffer not accepted by driver */
-- /* set this buffer as pending buffer */
-- n_hdlc->tbuf = tbuf;
-+
-+ /*
-+ * the buffer was not accepted by driver,
-+ * return it back into tx queue
-+ */
-+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
- break;
- }
- }
-@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
- int error = 0;
- int count;
- unsigned long flags;
--
-+ struct n_hdlc_buf *buf = NULL;
-+
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
- __FILE__,__LINE__,cmd);
-@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
- /* report count of read data available */
- /* in next available frame (if any) */
- spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
-- if (n_hdlc->rx_buf_list.head)
-- count = n_hdlc->rx_buf_list.head->count;
-+ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
-+ struct n_hdlc_buf, list_item);
-+ if (buf)
-+ count = buf->count;
- else
- count = 0;
- spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
-@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
- count = tty_chars_in_buffer(tty);
- /* add size of next output frame in queue */
- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
-- if (n_hdlc->tx_buf_list.head)
-- count += n_hdlc->tx_buf_list.head->count;
-+ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
-+ struct n_hdlc_buf, list_item);
-+ if (buf)
-+ count += buf->count;
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
- error = put_user(count, (int __user *)arg);
- break;
-@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
- poll_wait(filp, &tty->write_wait, wait);
-
- /* set bits for operations that won't block */
-- if (n_hdlc->rx_buf_list.head)
-+ if (!list_empty(&n_hdlc->rx_buf_list.list))
- mask |= POLLIN | POLLRDNORM; /* readable */
- if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
- mask |= POLLHUP;
- if (tty_hung_up_p(filp))
- mask |= POLLHUP;
- if (!tty_is_writelocked(tty) &&
-- n_hdlc->tx_free_buf_list.head)
-+ !list_empty(&n_hdlc->tx_free_buf_list.list))
- mask |= POLLOUT | POLLWRNORM; /* writable */
- }
- return mask;
-@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void)
- spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
- spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
- spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
--
-+
-+ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
-+
- /* allocate free rx buffer list */
- for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
- buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
-@@ -884,53 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
- } /* end of n_hdlc_alloc() */
-
- /**
-+ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
-+ * @buf_list - pointer to the buffer list
-+ * @buf - pointer to the buffer
-+ */
-+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
-+ struct n_hdlc_buf *buf)
-+{
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ list_add(&buf->list_item, &buf_list->list);
-+ buf_list->count++;
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
-+}
-+
-+/**
- * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
-- * @list - pointer to buffer list
-+ * @buf_list - pointer to buffer list
- * @buf - pointer to buffer
- */
--static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
-+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
- struct n_hdlc_buf *buf)
- {
- unsigned long flags;
-- spin_lock_irqsave(&list->spinlock,flags);
--
-- buf->link=NULL;
-- if (list->tail)
-- list->tail->link = buf;
-- else
-- list->head = buf;
-- list->tail = buf;
-- (list->count)++;
--
-- spin_unlock_irqrestore(&list->spinlock,flags);
--
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ list_add_tail(&buf->list_item, &buf_list->list);
-+ buf_list->count++;
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
- } /* end of n_hdlc_buf_put() */
-
- /**
- * n_hdlc_buf_get - remove and return an HDLC buffer from list
-- * @list - pointer to HDLC buffer list
-+ * @buf_list - pointer to HDLC buffer list
- *
- * Remove and return an HDLC buffer from the head of the specified HDLC buffer
- * list.
- * Returns a pointer to HDLC buffer if available, otherwise %NULL.
- */
--static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
-+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
- {
- unsigned long flags;
- struct n_hdlc_buf *buf;
-- spin_lock_irqsave(&list->spinlock,flags);
--
-- buf = list->head;
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ buf = list_first_entry_or_null(&buf_list->list,
-+ struct n_hdlc_buf, list_item);
- if (buf) {
-- list->head = buf->link;
-- (list->count)--;
-+ list_del(&buf->list_item);
-+ buf_list->count--;
- }
-- if (!list->head)
-- list->tail = NULL;
--
-- spin_unlock_irqrestore(&list->spinlock,flags);
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
- return buf;
--
- } /* end of n_hdlc_buf_get() */
-
- static char hdlc_banner[] __initdata =
---
-2.12.2
-
-From 4b34572e98f1b0d0df4ea084347b89b5a20fbede Mon Sep 17 00:00:00 2001
-From: Ian Abbott <abbotti@mev.co.uk>
-Date: Fri, 3 Feb 2017 20:25:00 +0000
-Subject: [PATCH 003/251] serial: 8250_pci: Add MKS Tenta SCOM-0800 and
- SCOM-0801 cards
-Content-Length: 1922
-Lines: 56
-
-commit 1c9c858e2ff8ae8024a3d75d2ed080063af43754 upstream.
-
-The MKS Instruments SCOM-0800 and SCOM-0801 cards (originally by Tenta
-Technologies) are 3U CompactPCI serial cards with 4 and 8 serial ports,
-respectively. The first 4 ports are implemented by an OX16PCI954 chip,
-and the second 4 ports are implemented by an OX16C954 chip on a local
-bus, bridged by the second PCI function of the OX16PCI954. The ports
-are jumper-selectable as RS-232 and RS-422/485, and the UARTs use a
-non-standard oscillator frequency of 20 MHz (base_baud = 1250000).
-
-Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/8250/8250_pci.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
-index 029de3f99752..5b24ffd93649 100644
---- a/drivers/tty/serial/8250/8250_pci.c
-+++ b/drivers/tty/serial/8250/8250_pci.c
-@@ -2880,6 +2880,8 @@ enum pci_board_num_t {
- pbn_b0_4_1152000_200,
- pbn_b0_8_1152000_200,
-
-+ pbn_b0_4_1250000,
-+
- pbn_b0_2_1843200,
- pbn_b0_4_1843200,
-
-@@ -3113,6 +3115,13 @@ static struct pciserial_board pci_boards[] = {
- .uart_offset = 0x200,
- },
-
-+ [pbn_b0_4_1250000] = {
-+ .flags = FL_BASE0,
-+ .num_ports = 4,
-+ .base_baud = 1250000,
-+ .uart_offset = 8,
-+ },
-+
- [pbn_b0_2_1843200] = {
- .flags = FL_BASE0,
- .num_ports = 2,
-@@ -5778,6 +5787,10 @@ static struct pci_device_id serial_pci_tbl[] = {
- { PCI_DEVICE(0x1c29, 0x1108), .driver_data = pbn_fintek_8 },
- { PCI_DEVICE(0x1c29, 0x1112), .driver_data = pbn_fintek_12 },
-
-+ /* MKS Tenta SCOM-080x serial cards */
-+ { PCI_DEVICE(0x1601, 0x0800), .driver_data = pbn_b0_4_1250000 },
-+ { PCI_DEVICE(0x1601, 0xa801), .driver_data = pbn_b0_4_1250000 },
-+
- /*
- * These entries match devices with class COMMUNICATION_SERIAL,
- * COMMUNICATION_MODEM or COMMUNICATION_MULTISERIAL
---
-2.12.2
-
-From 0a3df0418d90d7be1abf8e41191c3caa26f2ad4e Mon Sep 17 00:00:00 2001
-From: Janosch Frank <frankja@linux.vnet.ibm.com>
-Date: Thu, 2 Feb 2017 16:39:31 +0100
-Subject: [PATCH 004/251] KVM: s390: Disable dirty log retrieval for UCONTROL
- guests
-Content-Length: 1240
-Lines: 38
-
-commit e1e8a9624f7ba8ead4f056ff558ed070e86fa747 upstream.
-
-User controlled KVM guests do not support the dirty log, as they have
-no single gmap that we can check for changes.
-
-As they have no single gmap, kvm->arch.gmap is NULL and all further
-referencing to it for dirty checking will result in a NULL
-dereference.
-
-Let's return -EINVAL if a caller tries to sync dirty logs for a
-UCONTROL guest.
-
-Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
-Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
-Reported-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/kvm/kvm-s390.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
-index 575dc123bda2..23e3f5d77a24 100644
---- a/arch/s390/kvm/kvm-s390.c
-+++ b/arch/s390/kvm/kvm-s390.c
-@@ -295,6 +295,9 @@ int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
- struct kvm_memory_slot *memslot;
- int is_dirty = 0;
-
-+ if (kvm_is_ucontrol(kvm))
-+ return -EINVAL;
-+
- mutex_lock(&kvm->slots_lock);
-
- r = -EINVAL;
---
-2.12.2
-
-From cae929bd8d807457997bec4e9fbc61885cc582f7 Mon Sep 17 00:00:00 2001
-From: Chao Peng <chao.p.peng@linux.intel.com>
-Date: Tue, 21 Feb 2017 03:50:01 -0500
-Subject: [PATCH 005/251] KVM: VMX: use correct vmcs_read/write for guest
- segment selector/base
-Content-Length: 1437
-Lines: 38
-
-commit 96794e4ed4d758272c486e1529e431efb7045265 upstream.
-
-Guest segment selector is 16 bit field and guest segment base is natural
-width field. Fix two incorrect invocations accordingly.
-
-Without this patch, build fails when aggressive inlining is used with ICC.
-
-Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 64f60a48def1..3a7ae80dc49d 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -3499,7 +3499,7 @@ static void fix_rmode_seg(int seg, struct kvm_segment *save)
- }
-
- vmcs_write16(sf->selector, var.selector);
-- vmcs_write32(sf->base, var.base);
-+ vmcs_writel(sf->base, var.base);
- vmcs_write32(sf->limit, var.limit);
- vmcs_write32(sf->ar_bytes, vmx_segment_access_rights(&var));
- }
-@@ -7905,7 +7905,7 @@ static void kvm_flush_pml_buffers(struct kvm *kvm)
- static void vmx_dump_sel(char *name, uint32_t sel)
- {
- pr_err("%s sel=0x%04x, attr=0x%05x, limit=0x%08x, base=0x%016lx\n",
-- name, vmcs_read32(sel),
-+ name, vmcs_read16(sel),
- vmcs_read32(sel + GUEST_ES_AR_BYTES - GUEST_ES_SELECTOR),
- vmcs_read32(sel + GUEST_ES_LIMIT - GUEST_ES_SELECTOR),
- vmcs_readl(sel + GUEST_ES_BASE - GUEST_ES_SELECTOR));
---
-2.12.2
-
-From 00cfdbf5ab6e3285bb4589e6e5d241c8db8cd3ed Mon Sep 17 00:00:00 2001
-From: Dmitry Tunin <hanipouspilot@gmail.com>
-Date: Thu, 5 Jan 2017 13:19:53 +0300
-Subject: [PATCH 006/251] Bluetooth: Add another AR3012 04ca:3018 device
-Content-Length: 2385
-Lines: 51
-
-commit 441ad62d6c3f131f1dbd7dcdd9cbe3f74dbd8501 upstream.
-
-T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 5 Spd=12 MxCh= 0
-D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
-P: Vendor=04ca ProdID=3018 Rev=00.01
-C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
-I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-
-Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/bluetooth/ath3k.c | 2 ++
- drivers/bluetooth/btusb.c | 1 +
- 2 files changed, 3 insertions(+)
-
-diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
-index 0beaa52df66b..5df8e1234505 100644
---- a/drivers/bluetooth/ath3k.c
-+++ b/drivers/bluetooth/ath3k.c
-@@ -94,6 +94,7 @@ static const struct usb_device_id ath3k_table[] = {
- { USB_DEVICE(0x04CA, 0x300f) },
- { USB_DEVICE(0x04CA, 0x3010) },
- { USB_DEVICE(0x04CA, 0x3014) },
-+ { USB_DEVICE(0x04CA, 0x3018) },
- { USB_DEVICE(0x0930, 0x0219) },
- { USB_DEVICE(0x0930, 0x021c) },
- { USB_DEVICE(0x0930, 0x0220) },
-@@ -160,6 +161,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
- { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x04ca, 0x3018), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index c306b483de60..cd6b141b9825 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -208,6 +208,7 @@ static const struct usb_device_id blacklist_table[] = {
- { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
-+ { USB_DEVICE(0x04ca, 0x3018), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
- { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
---
-2.12.2
-
From ec50c80c780152d2058c23d9e246fc81f73742da Mon Sep 17 00:00:00 2001
From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Date: Mon, 21 Nov 2016 13:37:48 +0100
Subject: [PATCH 007/251] s390/qdio: clear DSCI prior to scanning multiple
input queues
+Status: RO
Content-Length: 2241
Lines: 56
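Review bot: Patches 001–006 are removed from the series here while 007 onward stay, and nothing in view records why (the commit description is not visible on this page); the same goes for the removals of 012, 014 and 015 further down. By their own descriptions two of the dropped entries are memory-safety fixes — 002 closes a double free in n_hdlc_release() and 004 avoids a NULL dereference of kvm->arch.gmap — so the commit message should say where they went, e.g. `Drop patches that are already applied to the released tree`, if that is indeed the reason. The added `Status: RO` lines look like mail-client read state rather than patch content and could be stripped before the mbox is committed.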
Date: Mon, 30 Jan 2017 15:52:14 +0100
Subject: [PATCH 008/251] s390/dcssblk: fix device size calculation in
dcssblk_direct_access()
+Status: RO
Content-Length: 1263
Lines: 32
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date: Fri, 24 Feb 2017 07:43:51 +0100
Subject: [PATCH 009/251] s390: TASK_SIZE for kernel threads
+Status: RO
Content-Length: 1158
Lines: 30
From: Heiko Carstens <heiko.carstens@de.ibm.com>
Date: Sat, 4 Feb 2017 11:40:36 +0100
Subject: [PATCH 010/251] s390: make setup_randomness work
+Status: RO
Content-Length: 1465
Lines: 40
Date: Sun, 5 Feb 2017 23:03:18 +0100
Subject: [PATCH 011/251] s390: use correct input data address for
setup_randomness
+Status: RO
Content-Length: 1414
Lines: 37
--
2.12.2
-From b57ffb2a8466a7628b316c8e3a5ce34b8ee4e519 Mon Sep 17 00:00:00 2001
-From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Date: Tue, 21 Feb 2017 11:28:01 +0100
-Subject: [PATCH 012/251] net: mvpp2: fix DMA address calculation in
- mvpp2_txq_inc_put()
-Content-Length: 1642
-Lines: 38
-
-commit 239a3b663647869330955ec59caac0100ef9b60a upstream.
-
-When TX descriptors are filled in, the buffer DMA address is split
-between the tx_desc->buf_phys_addr field (high-order bits) and
-tx_desc->packet_offset field (5 low-order bits).
-
-However, when we re-calculate the DMA address from the TX descriptor in
-mvpp2_txq_inc_put(), we do not take tx_desc->packet_offset into
-account. This means that when the DMA address is not aligned on a 32
-bytes boundary, we end up calling dma_unmap_single() with a DMA address
-that was not the one returned by dma_map_single().
-
-This inconsistency is detected by the kernel when DMA_API_DEBUG is
-enabled. We fix this problem by properly calculating the DMA address in
-mvpp2_txq_inc_put().
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/marvell/mvpp2.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c
-index 25aba9886990..0e67145bc418 100644
---- a/drivers/net/ethernet/marvell/mvpp2.c
-+++ b/drivers/net/ethernet/marvell/mvpp2.c
-@@ -993,7 +993,7 @@ static void mvpp2_txq_inc_put(struct mvpp2_txq_pcpu *txq_pcpu,
- txq_pcpu->buffs + txq_pcpu->txq_put_index;
- tx_buf->skb = skb;
- tx_buf->size = tx_desc->data_size;
-- tx_buf->phys = tx_desc->buf_phys_addr;
-+ tx_buf->phys = tx_desc->buf_phys_addr + tx_desc->packet_offset;
- txq_pcpu->txq_put_index++;
- if (txq_pcpu->txq_put_index == txq_pcpu->size)
- txq_pcpu->txq_put_index = 0;
---
-2.12.2
-
From 839d42687dfce0ed0ea2c6bd8d707cc0e276fbe7 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Fri, 20 Jan 2017 18:28:35 +1300
Subject: [PATCH 013/251] mnt: Tuck mounts under others instead of creating
shadow/side mounts.
+Status: RO
Content-Length: 13585
Lines: 423
--
2.12.2
-From 10beca53745eff651209fbd6d8ddbbc0f46c30a4 Mon Sep 17 00:00:00 2001
-From: Feras Daoud <ferasda@mellanox.com>
-Date: Wed, 28 Dec 2016 14:47:23 +0200
-Subject: [PATCH 014/251] IB/ipoib: Fix deadlock between rmmod and set_mode
-Content-Length: 4326
-Lines: 110
-
-commit 0a0007f28304cb9fc87809c86abb80ec71317f20 upstream.
-
-When calling set_mode from sys/fs, the call flow locks the sys/fs lock
-first and then tries to lock rtnl_lock (when calling ipoib_set_mod).
-On the other hand, the rmmod call flow takes the rtnl_lock first
-(when calling unregister_netdev) and then tries to take the sys/fs
-lock. Deadlock a->b, b->a.
-
-The problem starts when ipoib_set_mod frees it's rtnl_lck and tries
-to get it after that.
-
- set_mod:
- [<ffffffff8104f2bd>] ? check_preempt_curr+0x6d/0x90
- [<ffffffff814fee8e>] __mutex_lock_slowpath+0x13e/0x180
- [<ffffffff81448655>] ? __rtnl_unlock+0x15/0x20
- [<ffffffff814fed2b>] mutex_lock+0x2b/0x50
- [<ffffffff81448675>] rtnl_lock+0x15/0x20
- [<ffffffffa02ad807>] ipoib_set_mode+0x97/0x160 [ib_ipoib]
- [<ffffffffa02b5f5b>] set_mode+0x3b/0x80 [ib_ipoib]
- [<ffffffff8134b840>] dev_attr_store+0x20/0x30
- [<ffffffff811f0fe5>] sysfs_write_file+0xe5/0x170
- [<ffffffff8117b068>] vfs_write+0xb8/0x1a0
- [<ffffffff8117ba81>] sys_write+0x51/0x90
- [<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b
-
- rmmod:
- [<ffffffff81279ffc>] ? put_dec+0x10c/0x110
- [<ffffffff8127a2ee>] ? number+0x2ee/0x320
- [<ffffffff814fe6a5>] schedule_timeout+0x215/0x2e0
- [<ffffffff8127cc04>] ? vsnprintf+0x484/0x5f0
- [<ffffffff8127b550>] ? string+0x40/0x100
- [<ffffffff814fe323>] wait_for_common+0x123/0x180
- [<ffffffff81060250>] ? default_wake_function+0x0/0x20
- [<ffffffff8119661e>] ? ifind_fast+0x5e/0xb0
- [<ffffffff814fe43d>] wait_for_completion+0x1d/0x20
- [<ffffffff811f2e68>] sysfs_addrm_finish+0x228/0x270
- [<ffffffff811f2fb3>] sysfs_remove_dir+0xa3/0xf0
- [<ffffffff81273f66>] kobject_del+0x16/0x40
- [<ffffffff8134cd14>] device_del+0x184/0x1e0
- [<ffffffff8144e59b>] netdev_unregister_kobject+0xab/0xc0
- [<ffffffff8143c05e>] rollback_registered+0xae/0x130
- [<ffffffff8143c102>] unregister_netdevice+0x22/0x70
- [<ffffffff8143c16e>] unregister_netdev+0x1e/0x30
- [<ffffffffa02a91b0>] ipoib_remove_one+0xe0/0x120 [ib_ipoib]
- [<ffffffffa01ed95f>] ib_unregister_device+0x4f/0x100 [ib_core]
- [<ffffffffa021f5e1>] mlx4_ib_remove+0x41/0x180 [mlx4_ib]
- [<ffffffffa01ab771>] mlx4_remove_device+0x71/0x90 [mlx4_core]
-
-Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
-Cc: Or Gerlitz <ogerlitz@mellanox.com>
-Signed-off-by: Feras Daoud <ferasda@mellanox.com>
-Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
-Signed-off-by: Leon Romanovsky <leon@kernel.org>
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/infiniband/ulp/ipoib/ipoib_cm.c | 12 +++++++-----
- drivers/infiniband/ulp/ipoib/ipoib_main.c | 6 ++----
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
-index 3ba7de5f9379..2018d24344de 100644
---- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
-+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
-@@ -1488,12 +1488,14 @@ static ssize_t set_mode(struct device *d, struct device_attribute *attr,
-
- ret = ipoib_set_mode(dev, buf);
-
-- rtnl_unlock();
--
-- if (!ret)
-- return count;
-+ /* The assumption is that the function ipoib_set_mode returned
-+ * with the rtnl held by it, if not the value -EBUSY returned,
-+ * then no need to rtnl_unlock
-+ */
-+ if (ret != -EBUSY)
-+ rtnl_unlock();
-
-- return ret;
-+ return (!ret || ret == -EBUSY) ? count : ret;
- }
-
- static DEVICE_ATTR(mode, S_IWUSR | S_IRUGO, show_mode, set_mode);
-diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
-index 8a4d10452d61..b34f9ffe559a 100644
---- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
-+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
-@@ -464,8 +464,7 @@ int ipoib_set_mode(struct net_device *dev, const char *buf)
- priv->tx_wr.wr.send_flags &= ~IB_SEND_IP_CSUM;
-
- ipoib_flush_paths(dev);
-- rtnl_lock();
-- return 0;
-+ return (!rtnl_trylock()) ? -EBUSY : 0;
- }
-
- if (!strcmp(buf, "datagram\n")) {
-@@ -474,8 +473,7 @@ int ipoib_set_mode(struct net_device *dev, const char *buf)
- dev_set_mtu(dev, min(priv->mcast_mtu, dev->mtu));
- rtnl_unlock();
- ipoib_flush_paths(dev);
-- rtnl_lock();
-- return 0;
-+ return (!rtnl_trylock()) ? -EBUSY : 0;
- }
-
- return -EINVAL;
---
-2.12.2
-
-From bb4a21dcb6fb57892eea7c941fdfd57e55ba5dbe Mon Sep 17 00:00:00 2001
-From: Erez Shitrit <erezsh@mellanox.com>
-Date: Wed, 1 Feb 2017 19:10:05 +0200
-Subject: [PATCH 015/251] IB/IPoIB: Add destination address when re-queue
- packet
-Content-Length: 4692
-Lines: 125
-
-commit 2b0841766a898aba84630fb723989a77a9d3b4e6 upstream.
-
-When sending packet to destination that was not resolved yet
-via path query, the driver keeps the skb and tries to re-send it
-again when the path is resolved.
-
-But when re-sending via dev_queue_xmit the kernel doesn't call
-to dev_hard_header, so IPoIB needs to keep 20 bytes in the skb
-and to put the destination address inside them.
-
-In that way the dev_start_xmit will have the correct destination,
-and the driver won't take the destination from the skb->data, while
-nothing exists there, which causes to packet be be dropped.
-
-The test flow is:
-1. Run the SM on remote node,
-2. Restart the driver.
-4. Ping some destination,
-3. Observe that first ICMP request will be dropped.
-
-Fixes: fc791b633515 ("IB/ipoib: move back IB LL address into the hard header")
-Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
-Signed-off-by: Noa Osherovich <noaos@mellanox.com>
-Signed-off-by: Leon Romanovsky <leon@kernel.org>
-Tested-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/infiniband/ulp/ipoib/ipoib_main.c | 30 +++++++++++++++++-------------
- 1 file changed, 17 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
-index b34f9ffe559a..8efcff1beb8f 100644
---- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
-+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
-@@ -626,6 +626,14 @@ void ipoib_mark_paths_invalid(struct net_device *dev)
- spin_unlock_irq(&priv->lock);
- }
-
-+static void push_pseudo_header(struct sk_buff *skb, const char *daddr)
-+{
-+ struct ipoib_pseudo_header *phdr;
-+
-+ phdr = (struct ipoib_pseudo_header *)skb_push(skb, sizeof(*phdr));
-+ memcpy(phdr->hwaddr, daddr, INFINIBAND_ALEN);
-+}
-+
- void ipoib_flush_paths(struct net_device *dev)
- {
- struct ipoib_dev_priv *priv = netdev_priv(dev);
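Review bot: `push_pseudo_header()` has no comment, and the later hunks of this patch delete the only explanation (`/* put pseudoheader back on for next time */`) at every call site, so the reason the destination must be rewritten is recorded only in the commit message. A comment on the helper would keep it with the code, for example `/* Re-attach the pseudo header with the destination address: a re-queued skb goes through dev_queue_xmit() without dev_hard_header() being called. */`. The helper calls `skb_push()` unconditionally, so the comment should also state that callers must still have `sizeof(struct ipoib_pseudo_header)` bytes of headroom. That appears to hold where the header was just pulled, but the callers' bodies lie outside these hunks.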
-@@ -850,8 +858,7 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
- }
- if (skb_queue_len(&neigh->queue) <
- IPOIB_MAX_PATH_REC_QUEUE) {
-- /* put pseudoheader back on for next time */
-- skb_push(skb, IPOIB_PSEUDO_LEN);
-+ push_pseudo_header(skb, neigh->daddr);
- __skb_queue_tail(&neigh->queue, skb);
- } else {
- ipoib_warn(priv, "queue length limit %d. Packet drop.\n",
-@@ -869,10 +876,12 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
-
- if (!path->query && path_rec_start(dev, path))
- goto err_path;
-- if (skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE)
-+ if (skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE) {
-+ push_pseudo_header(skb, neigh->daddr);
- __skb_queue_tail(&neigh->queue, skb);
-- else
-+ } else {
- goto err_drop;
-+ }
- }
-
- spin_unlock_irqrestore(&priv->lock, flags);
-@@ -908,8 +917,7 @@ static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev,
- }
- if (path) {
- if (skb_queue_len(&path->queue) < IPOIB_MAX_PATH_REC_QUEUE) {
-- /* put pseudoheader back on for next time */
-- skb_push(skb, IPOIB_PSEUDO_LEN);
-+ push_pseudo_header(skb, phdr->hwaddr);
- __skb_queue_tail(&path->queue, skb);
- } else {
- ++dev->stats.tx_dropped;
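Review bot: Passing `phdr->hwaddr` here looks like it makes the `memcpy()` in `push_pseudo_header()` copy a buffer onto itself. If `phdr` still points at the pseudo header that was pulled off this skb (not visible in the hunk), `skb_push()` returns that same address. `memcpy()` is only specified for non-overlapping regions, so either keep the plain `skb_push(skb, sizeof(*phdr));` at these sites or guard the copy in the helper with `if (phdr->hwaddr != daddr)`. The same applies to the second `unicast_arp_send` hunk and the `send_using_neigh` hunk; the `neigh_add_path` sites pass `neigh->daddr` instead.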
-@@ -941,8 +949,7 @@ static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev,
- return;
- } else if ((path->query || !path_rec_start(dev, path)) &&
- skb_queue_len(&path->queue) < IPOIB_MAX_PATH_REC_QUEUE) {
-- /* put pseudoheader back on for next time */
-- skb_push(skb, IPOIB_PSEUDO_LEN);
-+ push_pseudo_header(skb, phdr->hwaddr);
- __skb_queue_tail(&path->queue, skb);
- } else {
- ++dev->stats.tx_dropped;
-@@ -1023,8 +1030,7 @@ send_using_neigh:
- }
-
- if (skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE) {
-- /* put pseudoheader back on for next time */
-- skb_push(skb, sizeof(*phdr));
-+ push_pseudo_header(skb, phdr->hwaddr);
- spin_lock_irqsave(&priv->lock, flags);
- __skb_queue_tail(&neigh->queue, skb);
- spin_unlock_irqrestore(&priv->lock, flags);
-@@ -1056,7 +1062,6 @@ static int ipoib_hard_header(struct sk_buff *skb,
- unsigned short type,
- const void *daddr, const void *saddr, unsigned len)
- {
-- struct ipoib_pseudo_header *phdr;
- struct ipoib_header *header;
-
- header = (struct ipoib_header *) skb_push(skb, sizeof *header);
-@@ -1069,8 +1074,7 @@ static int ipoib_hard_header(struct sk_buff *skb,
- * destination address into skb hard header so we can figure out where
- * to send the packet later.
- */
-- phdr = (struct ipoib_pseudo_header *) skb_push(skb, sizeof(*phdr));
-- memcpy(phdr->hwaddr, daddr, INFINIBAND_ALEN);
-+ push_pseudo_header(skb, daddr);
-
- return IPOIB_HARD_LEN;
- }
---
-2.12.2
-
From 944690cdb5f48d03842365b7359fe090d6c2b1fa Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Tue, 14 Feb 2017 10:56:30 -0800
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
Date: Tue, 7 Feb 2017 12:05:25 -0500
Subject: [PATCH 018/251] ktest: Fix child exit code processing
+Status: RO
Content-Length: 849
Lines: 27
--
2.12.2
-From 4d95645f3dd5b1e8453d65220f604c39e822d990 Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Tue, 31 Jan 2017 17:17:27 +0100
-Subject: [PATCH 038/251] USB: serial: digi_acceleport: fix OOB data sanity
- check
-Content-Length: 1827
-Lines: 49
-
-commit 2d380889215fe20b8523345649dee0579821800c upstream.
-
-Make sure to check for short transfers to avoid underflow in a loop
-condition when parsing the receive buffer.
-
-Also fix an off-by-one error in the incomplete sanity check which could
-lead to invalid data being parsed.
-
-Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/serial/digi_acceleport.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
-index 3df7b7ec178e..19c3bef426c3 100644
---- a/drivers/usb/serial/digi_acceleport.c
-+++ b/drivers/usb/serial/digi_acceleport.c
-@@ -1483,16 +1483,20 @@ static int digi_read_oob_callback(struct urb *urb)
- struct usb_serial *serial = port->serial;
- struct tty_struct *tty;
- struct digi_port *priv = usb_get_serial_port_data(port);
-+ unsigned char *buf = urb->transfer_buffer;
- int opcode, line, status, val;
- int i;
- unsigned int rts;
-
-+ if (urb->actual_length < 4)
-+ return -1;
-+
- /* handle each oob command */
-- for (i = 0; i < urb->actual_length - 3;) {
-- opcode = ((unsigned char *)urb->transfer_buffer)[i++];
-- line = ((unsigned char *)urb->transfer_buffer)[i++];
-- status = ((unsigned char *)urb->transfer_buffer)[i++];
-- val = ((unsigned char *)urb->transfer_buffer)[i++];
-+ for (i = 0; i < urb->actual_length - 4; i += 4) {
-+ opcode = buf[i];
-+ line = buf[i + 1];
-+ status = buf[i + 2];
-+ val = buf[i + 3];
-
- dev_dbg(&port->dev, "digi_read_oob_callback: opcode=%d, line=%d, status=%d, val=%d\n",
- opcode, line, status, val);
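Review bot: The new loop bound `i < urb->actual_length - 4` combined with `i += 4` never reaches the last 4-byte record. A transfer of exactly 4 bytes passes the `actual_length < 4` guard and then runs zero iterations, so its only OOB command is silently ignored. The bound that matches the guard is `for (i = 0; i < urb->actual_length - 3; i += 4) {`, which is the one-line change carried by patch 039 in this series, so 038 should only be applied or backported together with it. The guard is also what keeps the unsigned subtraction from wrapping; a comment such as `/* actual_length is unsigned: reject short transfers before subtracting */` would keep a later edit from dropping it. The body of `digi_read_oob_callback` continues outside the hunk.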
---
-2.12.2
-
-From a8cb5c02a20f04d947e386bdd958e1e80e920baa Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Fri, 24 Feb 2017 19:11:28 +0100
-Subject: [PATCH 039/251] USB: serial: digi_acceleport: fix OOB-event
- processing
-Content-Length: 1276
-Lines: 34
-
-commit 2e46565cf622dd0534a9d8bffe152a577b48d7aa upstream.
-
-A recent change claimed to fix an off-by-one error in the OOB-port
-completion handler, but instead introduced such an error. This could
-specifically led to modem-status changes going unnoticed, effectively
-breaking TIOCMGET.
-
-Note that the offending commit fixes a loop-condition underflow and is
-marked for stable, but should not be backported without this fix.
-
-Reported-by: Ben Hutchings <ben@decadent.org.uk>
-Fixes: 2d380889215f ("USB: serial: digi_acceleport: fix OOB data sanity
-check")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/serial/digi_acceleport.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
-index 19c3bef426c3..e0b1fe2f60e1 100644
---- a/drivers/usb/serial/digi_acceleport.c
-+++ b/drivers/usb/serial/digi_acceleport.c
-@@ -1492,7 +1492,7 @@ static int digi_read_oob_callback(struct urb *urb)
- return -1;
-
- /* handle each oob command */
-- for (i = 0; i < urb->actual_length - 4; i += 4) {
-+ for (i = 0; i < urb->actual_length - 3; i += 4) {
- opcode = buf[i];
- line = buf[i + 1];
- status = buf[i + 2];
---
-2.12.2
-
From e041ad0664407c60a9d29217819f991933e10edd Mon Sep 17 00:00:00 2001
From: Arnd Bergmann <arnd@arndb.de>
Date: Fri, 3 Feb 2017 23:33:23 +0100