From: Greg Kroah-Hartman Date: Mon, 10 Apr 2017 20:30:46 +0000 (+0200) Subject: 3.18 patches X-Git-Tag: v4.4.61~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9f46cd2361a9a37674901470bed1af446a6059c3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18 patches --- diff --git a/queue-3.18/crypto-improve-gcc-optimization-flags-for-serpent-and-wp512.patch b/queue-3.18/crypto-improve-gcc-optimization-flags-for-serpent-and-wp512.patch new file mode 100644 index 00000000000..49ea2a338a7 --- /dev/null +++ b/queue-3.18/crypto-improve-gcc-optimization-flags-for-serpent-and-wp512.patch 
@@ -0,0 +1,158 @@ +From 7d6e9105026788c497f0ab32fa16c82f4ab5ff61 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 3 Feb 2017 23:33:23 +0100 +Subject: crypto: improve gcc optimization flags for serpent and wp512 + +From: Arnd Bergmann + +commit 7d6e9105026788c497f0ab32fa16c82f4ab5ff61 upstream. + +An ancient gcc bug (first reported in 2003) has apparently resurfaced +on MIPS, where kernelci.org reports an overly large stack frame in the +whirlpool hash algorithm: + +crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +With some testing in different configurations, I'm seeing large +variations in stack frames size up to 1500 bytes for what should have +around 300 bytes at most. I also checked the reference implementation, +which is essentially the same code but also comes with some test and +benchmarking infrastructure. + +It seems that recent compiler versions on at least arm, arm64 and powerpc +have a partial fix for this problem, but enabling "-fsched-pressure", but +even with that fix they suffer from the issue to a certain degree. Some +testing on arm64 shows that the time needed to hash a given amount of +data is roughly proportional to the stack frame size here, which makes +sense given that the wp512 implementation is doing lots of loads for +table lookups, and the problem with the overly large stack is a result +of doing a lot more loads and stores for spilled registers (as seen from +inspecting the object code). + +Disabling -fschedule-insns consistently fixes the problem for wp512, +in my collection of cross-compilers, the results are consistently better +or identical when comparing the stack sizes in this function, though +some architectures (notable x86) have schedule-insns disabled by +default. 
+ +The four columns are: +default: -O2 +press: -O2 -fsched-pressure +nopress: -O2 -fschedule-insns -fno-sched-pressure +nosched: -O2 -no-schedule-insns (disables sched-pressure) + + default press nopress nosched +alpha-linux-gcc-4.9.3 1136 848 1136 176 +am33_2.0-linux-gcc-4.9.3 2100 2076 2100 2104 +arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352 +cris-linux-gcc-4.9.3 272 272 272 272 +frv-linux-gcc-4.9.3 1128 1000 1128 280 +hppa64-linux-gcc-4.9.3 1128 336 1128 184 +hppa-linux-gcc-4.9.3 644 308 644 276 +i386-linux-gcc-4.9.3 352 352 352 352 +m32r-linux-gcc-4.9.3 720 656 720 268 +microblaze-linux-gcc-4.9.3 1108 604 1108 256 +mips64-linux-gcc-4.9.3 1328 592 1328 208 +mips-linux-gcc-4.9.3 1096 624 1096 240 +powerpc64-linux-gcc-4.9.3 1088 432 1088 160 +powerpc-linux-gcc-4.9.3 1080 584 1080 224 +s390-linux-gcc-4.9.3 456 456 624 360 +sh3-linux-gcc-4.9.3 292 292 292 292 +sparc64-linux-gcc-4.9.3 992 240 992 208 +sparc-linux-gcc-4.9.3 680 592 680 312 +x86_64-linux-gcc-4.9.3 224 240 272 224 +xtensa-linux-gcc-4.9.3 1152 704 1152 304 + +aarch64-linux-gcc-7.0.0 224 224 1104 208 +arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352 +mips-linux-gcc-7.0.0 1120 648 1120 272 +x86_64-linux-gcc-7.0.1 240 240 304 240 + +arm-linux-gnueabi-gcc-4.4.7 840 392 +arm-linux-gnueabi-gcc-4.5.4 784 728 784 320 +arm-linux-gnueabi-gcc-4.6.4 736 728 736 304 +arm-linux-gnueabi-gcc-4.7.4 944 784 944 352 +arm-linux-gnueabi-gcc-4.8.5 464 464 760 352 +arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352 +arm-linux-gnueabi-gcc-5.3.1 824 824 1064 336 +arm-linux-gnueabi-gcc-6.1.1 808 808 1056 344 +arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352 + +Trying the same test for serpent-generic, the picture is a bit different, +and while -fno-schedule-insns is generally better here than the default, +-fsched-pressure wins overall, so I picked that instead. 
+ + default press nopress nosched +alpha-linux-gcc-4.9.3 1392 864 1392 960 +am33_2.0-linux-gcc-4.9.3 536 524 536 528 +arm-linux-gnueabi-gcc-4.9.3 552 552 776 536 +cris-linux-gcc-4.9.3 528 528 528 528 +frv-linux-gcc-4.9.3 536 400 536 504 +hppa64-linux-gcc-4.9.3 524 208 524 480 +hppa-linux-gcc-4.9.3 768 472 768 508 +i386-linux-gcc-4.9.3 564 564 564 564 +m32r-linux-gcc-4.9.3 712 576 712 532 +microblaze-linux-gcc-4.9.3 724 392 724 512 +mips64-linux-gcc-4.9.3 720 384 720 496 +mips-linux-gcc-4.9.3 728 384 728 496 +powerpc64-linux-gcc-4.9.3 704 304 704 480 +powerpc-linux-gcc-4.9.3 704 296 704 480 +s390-linux-gcc-4.9.3 560 560 592 536 +sh3-linux-gcc-4.9.3 540 540 540 540 +sparc64-linux-gcc-4.9.3 544 352 544 496 +sparc-linux-gcc-4.9.3 544 344 544 496 +x86_64-linux-gcc-4.9.3 528 536 576 528 +xtensa-linux-gcc-4.9.3 752 544 752 544 + +aarch64-linux-gcc-7.0.0 432 432 656 480 +arm-linux-gnueabi-gcc-7.0.1 616 616 808 536 +mips-linux-gcc-7.0.0 720 464 720 488 +x86_64-linux-gcc-7.0.1 536 528 600 536 + +arm-linux-gnueabi-gcc-4.4.7 592 440 +arm-linux-gnueabi-gcc-4.5.4 776 448 776 544 +arm-linux-gnueabi-gcc-4.6.4 776 448 776 544 +arm-linux-gnueabi-gcc-4.7.4 768 448 768 544 +arm-linux-gnueabi-gcc-4.8.5 488 488 776 544 +arm-linux-gnueabi-gcc-4.9.3 552 552 776 536 +arm-linux-gnueabi-gcc-5.3.1 552 552 776 536 +arm-linux-gnueabi-gcc-6.1.1 560 560 776 536 +arm-linux-gnueabi-gcc-7.0.1 616 616 808 536 + +I did not do any runtime tests with serpent, so it is possible that stack +frame size does not directly correlate with runtime performance here and +it actually makes things worse, but it's more likely to help here, and +the reduced stack frame size is probably enough reason to apply the patch, +especially given that the crypto code is often used in deep call chains. 
+ +Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/ +Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488 +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 +Cc: Ralf Baechle +Signed-off-by: Arnd Bergmann +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -47,6 +47,7 @@ obj-$(CONFIG_CRYPTO_SHA1) += sha1_generi + obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o + obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o + obj-$(CONFIG_CRYPTO_WP512) += wp512.o ++CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 + obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o + obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o + obj-$(CONFIG_CRYPTO_ECB) += ecb.o +@@ -68,6 +69,7 @@ obj-$(CONFIG_CRYPTO_BLOWFISH_COMMON) += + obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o + obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o + obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o ++CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 + obj-$(CONFIG_CRYPTO_AES) += aes_generic.o + obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o + obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o diff --git a/queue-3.18/dm-flush-queued-bios-when-process-blocks-to-avoid-deadlock.patch b/queue-3.18/dm-flush-queued-bios-when-process-blocks-to-avoid-deadlock.patch new file mode 100644 index 00000000000..7337384fdb5 --- /dev/null +++ b/queue-3.18/dm-flush-queued-bios-when-process-blocks-to-avoid-deadlock.patch 
@@ -0,0 +1,122 @@ +From cd8ad4d9eb6d9ee04e77b42c6a7a15eabada85ac Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 15 Feb 2017 11:26:10 -0500 +Subject: dm: flush queued bios when process blocks to avoid deadlock + +From: Mikulas Patocka + +commit d67a5f4b5947aba4bfe9a80a2b86079c215ca755 upstream. + +Commit df2cb6daa4 ("block: Avoid deadlocks with bio allocation by +stacking drivers") created a workqueue for every bio set and code +in bio_alloc_bioset() that tries to resolve some low-memory deadlocks +by redirecting bios queued on current->bio_list to the workqueue if the +system is low on memory. However other deadlocks (see below **) may +happen, without any low memory condition, because generic_make_request +is queuing bios to current->bio_list (rather than submitting them). + +** the related dm-snapshot deadlock is detailed here: +https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html + +Fix this deadlock by redirecting any bios on current->bio_list to the +bio_set's rescue workqueue on every schedule() call. Consequently, +when the process blocks on a mutex, the bios queued on +current->bio_list are dispatched to independent workqueus and they can +complete without waiting for the mutex to be available. + +The structure blk_plug contains an entry cb_list and this list can contain +arbitrary callback functions that are called when the process blocks. +To implement this fix DM (ab)uses the onstack plug's cb_list interface +to get its flush_current_bio_list() called at schedule() time. + +This fixes the snapshot deadlock - if the map method blocks, +flush_current_bio_list() will be called and it redirects bios waiting +on current->bio_list to appropriate workqueues. 
+ +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1267650 +Depends-on: df2cb6daa4 ("block: Avoid deadlocks with bio allocation by stacking drivers") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 55 insertions(+) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1300,11 +1300,62 @@ void dm_accept_partial_bio(struct bio *b + } + EXPORT_SYMBOL_GPL(dm_accept_partial_bio); + ++/* ++ * Flush current->bio_list when the target map method blocks. ++ * This fixes deadlocks in snapshot and possibly in other targets. ++ */ ++struct dm_offload { ++ struct blk_plug plug; ++ struct blk_plug_cb cb; ++}; ++ ++static void flush_current_bio_list(struct blk_plug_cb *cb, bool from_schedule) ++{ ++ struct dm_offload *o = container_of(cb, struct dm_offload, cb); ++ struct bio_list list; ++ struct bio *bio; ++ ++ INIT_LIST_HEAD(&o->cb.list); ++ ++ if (unlikely(!current->bio_list)) ++ return; ++ ++ list = *current->bio_list; ++ bio_list_init(current->bio_list); ++ ++ while ((bio = bio_list_pop(&list))) { ++ struct bio_set *bs = bio->bi_pool; ++ if (unlikely(!bs) || bs == fs_bio_set) { ++ bio_list_add(current->bio_list, bio); ++ continue; ++ } ++ ++ spin_lock(&bs->rescue_lock); ++ bio_list_add(&bs->rescue_list, bio); ++ queue_work(bs->rescue_workqueue, &bs->rescue_work); ++ spin_unlock(&bs->rescue_lock); ++ } ++} ++ ++static void dm_offload_start(struct dm_offload *o) ++{ ++ blk_start_plug(&o->plug); ++ o->cb.callback = flush_current_bio_list; ++ list_add(&o->cb.list, ¤t->plug->cb_list); ++} ++ ++static void dm_offload_end(struct dm_offload *o) ++{ ++ list_del(&o->cb.list); ++ blk_finish_plug(&o->plug); ++} ++ + static void __map_bio(struct dm_target_io *tio) + { + int r; + sector_t sector; + struct mapped_device *md; ++ struct dm_offload o; + struct bio *clone = &tio->clone; + struct dm_target *ti = tio->ti; + +@@ -1317,7 +1368,11 
@@ static void __map_bio(struct dm_target_i + */ + atomic_inc(&tio->io->io_count); + sector = clone->bi_iter.bi_sector; ++ ++ dm_offload_start(&o); + r = ti->type->map(ti, clone); ++ dm_offload_end(&o); ++ + if (r == DM_MAPIO_REMAPPED) { + /* the bio has been remapped so dispatch it */ + diff --git a/queue-3.18/ext4-don-t-bug-when-truncating-encrypted-inodes-on-the-orphan-list.patch b/queue-3.18/ext4-don-t-bug-when-truncating-encrypted-inodes-on-the-orphan-list.patch new file mode 100644 index 00000000000..446428ccf85 --- /dev/null +++ b/queue-3.18/ext4-don-t-bug-when-truncating-encrypted-inodes-on-the-orphan-list.patch 
@@ -0,0 +1,99 @@ +From 0d06863f903ac5f4f6efb0273079d27de3e53a28 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Tue, 14 Feb 2017 11:31:15 -0500 +Subject: ext4: don't BUG when truncating encrypted inodes on the orphan list + +From: Theodore Ts'o + +commit 0d06863f903ac5f4f6efb0273079d27de3e53a28 upstream. + +Fix a BUG when the kernel tries to mount a file system constructed as +follows: + +echo foo > foo.txt +mke2fs -Fq -t ext4 -O encrypt foo.img 100 +debugfs -w foo.img << EOF +write foo.txt a +set_inode_field a i_flags 0x80800 +set_super_value s_last_orphan 12 +quit +EOF + +root@kvm-xfstests:~# mount -o loop foo.img /mnt +[ 160.238770] ------------[ cut here ]------------ +[ 160.240106] kernel BUG at /usr/projects/linux/ext4/fs/ext4/inode.c:3874! +[ 160.240106] invalid opcode: 0000 [#1] SMP +[ 160.240106] Modules linked in: +[ 160.240106] CPU: 0 PID: 2547 Comm: mount Tainted: G W 4.10.0-rc3-00034-gcdd33b941b67 #227 +[ 160.240106] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014 +[ 160.240106] task: f4518000 task.stack: f47b6000 +[ 160.240106] EIP: ext4_block_zero_page_range+0x1a7/0x2b4 +[ 160.240106] EFLAGS: 00010246 CPU: 0 +[ 160.240106] EAX: 00000001 EBX: f7be4b50 ECX: f47b7dc0 EDX: 00000007 +[ 160.240106] ESI: f43b05a8 EDI: f43babec EBP: f47b7dd0 ESP: f47b7dac +[ 160.240106] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 +[ 160.240106] CR0: 80050033 CR2: bfd85b08 CR3: 34a00680 CR4: 000006f0 +[ 160.240106] Call Trace: +[ 160.240106] ext4_truncate+0x1e9/0x3e5 +[ 160.240106] ext4_fill_super+0x286f/0x2b1e +[ 160.240106] ? set_blocksize+0x2e/0x7e +[ 160.240106] mount_bdev+0x114/0x15f +[ 160.240106] ext4_mount+0x15/0x17 +[ 160.240106] ? ext4_calculate_overhead+0x39d/0x39d +[ 160.240106] mount_fs+0x58/0x115 +[ 160.240106] vfs_kern_mount+0x4b/0xae +[ 160.240106] do_mount+0x671/0x8c3 +[ 160.240106] ? _copy_from_user+0x70/0x83 +[ 160.240106] ? 
strndup_user+0x31/0x46 +[ 160.240106] SyS_mount+0x57/0x7b +[ 160.240106] do_int80_syscall_32+0x4f/0x61 +[ 160.240106] entry_INT80_32+0x2f/0x2f +[ 160.240106] EIP: 0xb76b919e +[ 160.240106] EFLAGS: 00000246 CPU: 0 +[ 160.240106] EAX: ffffffda EBX: 08053838 ECX: 08052188 EDX: 080537e8 +[ 160.240106] ESI: c0ed0000 EDI: 00000000 EBP: 080537e8 ESP: bfa13660 +[ 160.240106] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b +[ 160.240106] Code: 59 8b 00 a8 01 0f 84 09 01 00 00 8b 07 66 25 00 f0 66 3d 00 80 75 61 89 f8 e8 3e e2 ff ff 84 c0 74 56 83 bf 48 02 00 00 00 75 02 <0f> 0b 81 7d e8 00 10 00 00 74 02 0f 0b 8b 43 04 8b 53 08 31 c9 +[ 160.240106] EIP: ext4_block_zero_page_range+0x1a7/0x2b4 SS:ESP: 0068:f47b7dac +[ 160.317241] ---[ end trace d6a773a375c810a5 ]--- + +The problem is that when the kernel tries to truncate an inode in +ext4_truncate(), it tries to clear any on-disk data beyond i_size. +Without the encryption key, it can't do that, and so it triggers a +BUG. + +E2fsck does *not* provide this service, and in practice most file +systems have their orphan list processed by e2fsck, so to avoid +crashing, this patch skips this step if we don't have access to the +encryption key (which is the case when processing the orphan list; in +all other cases, we will have the encryption key, or the kernel +wouldn't have allowed the file to be opened). + +An open question is whether the fact that e2fsck isn't clearing the +bytes beyond i_size causing problems --- and if we've lived with it +not doing it for so long, can we drop this from the kernel replay of +the orphan list in all cases (not just when we don't have the key for +encrypted inodes). 
+ +Addresses-Google-Bug: #35209576 + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3363,6 +3363,10 @@ static int ext4_block_truncate_page(hand + unsigned blocksize; + struct inode *inode = mapping->host; + ++ /* If we are processing an encrypted inode during orphan list handling */ ++ if (ext4_encrypted_inode(inode) && !fscrypt_has_encryption_key(inode)) ++ return 0; ++ + blocksize = inode->i_sb->s_blocksize; + length = blocksize - (offset & (blocksize - 1)); + diff --git a/queue-3.18/fat-fix-using-uninitialized-fields-of-fat_inode-fsinfo_inode.patch b/queue-3.18/fat-fix-using-uninitialized-fields-of-fat_inode-fsinfo_inode.patch new file mode 100644 index 00000000000..281eadd1dd8 --- /dev/null +++ b/queue-3.18/fat-fix-using-uninitialized-fields-of-fat_inode-fsinfo_inode.patch 
@@ -0,0 +1,63 @@ +From c0d0e351285161a515396b7b1ee53ec9ffd97e3c Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Thu, 9 Mar 2017 16:17:37 -0800 +Subject: fat: fix using uninitialized fields of fat_inode/fsinfo_inode + +From: OGAWA Hirofumi + +commit c0d0e351285161a515396b7b1ee53ec9ffd97e3c upstream. + +Recently fallocate patch was merged and it uses +MSDOS_I(inode)->mmu_private at fat_evict_inode(). However, +fat_inode/fsinfo_inode that was introduced in past didn't initialize +MSDOS_I(inode) properly. + +With those combinations, it became the cause of accessing random entry +in FAT area. + +Link: http://lkml.kernel.org/r/87pohrj4i8.fsf@mail.parknet.co.jp +Signed-off-by: OGAWA Hirofumi +Reported-by: Moreno Bartalucci +Tested-by: Moreno Bartalucci +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -1266,6 +1266,16 @@ out: + return 0; + } + ++static void fat_dummy_inode_init(struct inode *inode) ++{ ++ /* Initialize this dummy inode to work as no-op. */ ++ MSDOS_I(inode)->mmu_private = 0; ++ MSDOS_I(inode)->i_start = 0; ++ MSDOS_I(inode)->i_logstart = 0; ++ MSDOS_I(inode)->i_attrs = 0; ++ MSDOS_I(inode)->i_pos = 0; ++} ++ + static int fat_read_root(struct inode *inode) + { + struct super_block *sb = inode->i_sb; +@@ -1711,12 +1721,13 @@ int fat_fill_super(struct super_block *s + fat_inode = new_inode(sb); + if (!fat_inode) + goto out_fail; +- MSDOS_I(fat_inode)->i_pos = 0; ++ fat_dummy_inode_init(fat_inode); + sbi->fat_inode = fat_inode; + + fsinfo_inode = new_inode(sb); + if (!fsinfo_inode) + goto out_fail; ++ fat_dummy_inode_init(fsinfo_inode); + fsinfo_inode->i_ino = MSDOS_FSINFO_INO; + sbi->fsinfo_inode = fsinfo_inode; + insert_inode_hash(fsinfo_inode); 
diff --git a/queue-3.18/ktest-fix-child-exit-code-processing.patch b/queue-3.18/ktest-fix-child-exit-code-processing.patch new file mode 100644 index 00000000000..a312fbcf844 --- /dev/null +++ b/queue-3.18/ktest-fix-child-exit-code-processing.patch @@ -0,0 +1,31 @@ +From 32677207dcc5e594254b7fb4fb2352b1755b1d5b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 7 Feb 2017 12:05:25 -0500 +Subject: ktest: Fix child exit code processing + +From: Steven Rostedt (VMware) + +commit 32677207dcc5e594254b7fb4fb2352b1755b1d5b upstream. + +The child_exit errno needs to be shifted by 8 bits to compare against the +return values for the bisect variables. + +Fixes: c5dacb88f0a64 ("ktest: Allow overriding bisect test results") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/ktest/ktest.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -2450,7 +2450,7 @@ sub do_run_test { + } + + waitpid $child_pid, 0; +- $child_exit = $?; ++ $child_exit = $? >> 8; + + if (!$bug && $in_bisect) { + if (defined($bisect_ret_good)) { diff --git a/queue-3.18/libceph-use-bug-instead-of-bug_on-1.patch b/queue-3.18/libceph-use-bug-instead-of-bug_on-1.patch new file mode 100644 index 00000000000..39fac08d1e2 --- /dev/null +++ b/queue-3.18/libceph-use-bug-instead-of-bug_on-1.patch 
@@ -0,0 +1,37 @@ +From d24cdcd3e40a6825135498e11c20c7976b9bf545 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 16 Jan 2017 12:06:09 +0100 +Subject: libceph: use BUG() instead of BUG_ON(1) + +From: Arnd Bergmann + +commit d24cdcd3e40a6825135498e11c20c7976b9bf545 upstream. + +I ran into this compile warning, which is the result of BUG_ON(1) +not always leading to the compiler treating the code path as +unreachable: + + include/linux/ceph/osdmap.h: In function 'ceph_can_shift_osds': + include/linux/ceph/osdmap.h:62:1: error: control reaches end of non-void function [-Werror=return-type] + +Using BUG() here avoids the warning. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/ceph/osdmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/ceph/osdmap.h ++++ b/include/linux/ceph/osdmap.h +@@ -49,7 +49,7 @@ static inline bool ceph_can_shift_osds(s + case CEPH_POOL_TYPE_EC: + return false; + default: +- BUG_ON(1); ++ BUG(); + } + } + diff --git a/queue-3.18/mac80211-flush-delayed-work-when-entering-suspend.patch b/queue-3.18/mac80211-flush-delayed-work-when-entering-suspend.patch new file mode 100644 index 00000000000..bbb84ed1773 --- /dev/null +++ b/queue-3.18/mac80211-flush-delayed-work-when-entering-suspend.patch 
@@ -0,0 +1,38 @@ +From a9e9200d8661c1a0be8c39f93deb383dc940de35 Mon Sep 17 00:00:00 2001 +From: Matt Chen +Date: Sun, 22 Jan 2017 02:16:58 +0800 +Subject: mac80211: flush delayed work when entering suspend + +From: Matt Chen + +commit a9e9200d8661c1a0be8c39f93deb383dc940de35 upstream. + +The issue was found when entering suspend and resume. +It triggers a warning in: +mac80211/key.c: ieee80211_enable_keys() +... +WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt || + sdata->crypto_tx_tailroom_pending_dec); +... + +It points out sdata->crypto_tx_tailroom_pending_dec isn't cleaned up successfully +in a delayed_work during suspend. Add a flush_delayed_work to fix it. + +Signed-off-by: Matt Chen +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/pm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/pm.c ++++ b/net/mac80211/pm.c +@@ -116,6 +116,7 @@ int __ieee80211_suspend(struct ieee80211 + break; + } + ++ flush_delayed_work(&sdata->dec_tailroom_needed_wk); + drv_remove_interface(local, sdata); + } + diff --git a/queue-3.18/mtd-pmcmsp-use-kstrndup-instead-of-kmalloc-strncpy.patch b/queue-3.18/mtd-pmcmsp-use-kstrndup-instead-of-kmalloc-strncpy.patch new file mode 100644 index 00000000000..be6098e26e6 --- /dev/null +++ b/queue-3.18/mtd-pmcmsp-use-kstrndup-instead-of-kmalloc-strncpy.patch 
@@ -0,0 +1,44 @@ +From 906b268477bc03daaa04f739844c120fe4dbc991 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 3 Feb 2017 10:49:17 +0100 +Subject: mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy + +From: Arnd Bergmann + +commit 906b268477bc03daaa04f739844c120fe4dbc991 upstream. + +kernelci.org reports a warning for this driver, as it copies a local +variable into a 'const char *' string: + + drivers/mtd/maps/pmcmsp-flash.c:149:30: warning: passing argument 1 of 'strncpy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] + +Using kstrndup() simplifies the code and avoids the warning. + +Signed-off-by: Arnd Bergmann +Acked-by: Marek Vasut +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/maps/pmcmsp-flash.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/mtd/maps/pmcmsp-flash.c ++++ b/drivers/mtd/maps/pmcmsp-flash.c +@@ -139,15 +139,13 @@ static int __init init_msp_flash(void) + } + + msp_maps[i].bankwidth = 1; +- msp_maps[i].name = kmalloc(7, GFP_KERNEL); ++ msp_maps[i].name = kstrndup(flash_name, 7, GFP_KERNEL); + if (!msp_maps[i].name) { + iounmap(msp_maps[i].virt); + kfree(msp_parts[i]); + goto cleanup_loop; + } + +- msp_maps[i].name = strncpy(msp_maps[i].name, flash_name, 7); +- + for (j = 0; j < pcnt; j++) { + part_name[5] = '0' + i; + part_name[7] = '0' + j; diff --git a/queue-3.18/mvsas-fix-misleading-indentation.patch b/queue-3.18/mvsas-fix-misleading-indentation.patch new file mode 100644 index 00000000000..d0f76bb62f7 --- /dev/null +++ b/queue-3.18/mvsas-fix-misleading-indentation.patch 
@@ -0,0 +1,38 @@ +From 7789cd39274c51bf475411fe22a8ee7255082809 Mon Sep 17 00:00:00 2001 +From: Luis de Bethencourt +Date: Mon, 30 Nov 2015 14:32:17 +0000 +Subject: mvsas: fix misleading indentation + +From: Luis de Bethencourt + +commit 7789cd39274c51bf475411fe22a8ee7255082809 upstream. + +Fix a smatch warning: +drivers/scsi/mvsas/mv_sas.c:740 mvs_task_prep() warn: curly braces intended? + +The code is correct, the indention is misleading. When the device is not +ready we want to return SAS_PHY_DOWN. But current indentation makes it +look like we only do so in the else branch of if (mvi_dev). + +Signed-off-by: Luis de Bethencourt +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mvsas/mv_sas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -737,8 +737,8 @@ static int mvs_task_prep(struct sas_task + mv_dprintk("device %016llx not ready.\n", + SAS_ADDR(dev->sas_addr)); + +- rc = SAS_PHY_DOWN; +- return rc; ++ rc = SAS_PHY_DOWN; ++ return rc; + } + tei.port = dev->port->lldd_port; + if (tei.port && !tei.port->port_attached && !tmf) { diff --git a/queue-3.18/nlm-ensure-callback-code-also-checks-that-the-files-match.patch b/queue-3.18/nlm-ensure-callback-code-also-checks-that-the-files-match.patch new file mode 100644 index 00000000000..b790dd4ef70 --- /dev/null +++ b/queue-3.18/nlm-ensure-callback-code-also-checks-that-the-files-match.patch 
@@ -0,0 +1,35 @@ +From 251af29c320d86071664f02c76f0d063a19fefdf Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 11 Feb 2017 10:37:38 -0500 +Subject: nlm: Ensure callback code also checks that the files match + +From: Trond Myklebust + +commit 251af29c320d86071664f02c76f0d063a19fefdf upstream. + +It is not sufficient to just check that the lock pids match when +granting a callback, we also need to ensure that we're granting +the callback on the right file. + +Reported-by: Pankaj Singh +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/lockd/lockd.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/lockd/lockd.h ++++ b/include/linux/lockd/lockd.h +@@ -351,7 +351,8 @@ static inline int nlm_privileged_request + static inline int nlm_compare_locks(const struct file_lock *fl1, + const struct file_lock *fl2) + { +- return fl1->fl_pid == fl2->fl_pid ++ return file_inode(fl1->fl_file) == file_inode(fl2->fl_file) ++ && fl1->fl_pid == fl2->fl_pid + && fl1->fl_owner == fl2->fl_owner + && fl1->fl_start == fl2->fl_start + && fl1->fl_end == fl2->fl_end diff --git a/queue-3.18/padata-avoid-race-in-reordering.patch b/queue-3.18/padata-avoid-race-in-reordering.patch new file mode 100644 index 00000000000..089f987c31c --- /dev/null +++ b/queue-3.18/padata-avoid-race-in-reordering.patch 
@@ -0,0 +1,96 @@ +From de5540d088fe97ad583cc7d396586437b32149a5 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 23 Mar 2017 12:24:43 +0100 +Subject: padata: avoid race in reordering + +From: Jason A. Donenfeld + +commit de5540d088fe97ad583cc7d396586437b32149a5 upstream. + +Under extremely heavy uses of padata, crashes occur, and with list +debugging turned on, this happens instead: + +[87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33 +__list_add+0xae/0x130 +[87487.301868] list_add corruption. prev->next should be next +(ffffb17abfc043d0), but was ffff8dba70872c80. (prev=ffff8dba70872b00). +[87487.339011] [] dump_stack+0x68/0xa3 +[87487.342198] [] ? console_unlock+0x281/0x6d0 +[87487.345364] [] __warn+0xff/0x140 +[87487.348513] [] warn_slowpath_fmt+0x4a/0x50 +[87487.351659] [] __list_add+0xae/0x130 +[87487.354772] [] ? _raw_spin_lock+0x64/0x70 +[87487.357915] [] padata_reorder+0x1e6/0x420 +[87487.361084] [] padata_do_serial+0xa5/0x120 + +padata_reorder calls list_add_tail with the list to which its adding +locked, which seems correct: + +spin_lock(&squeue->serial.lock); +list_add_tail(&padata->list, &squeue->serial.list); +spin_unlock(&squeue->serial.lock); + +This therefore leaves only place where such inconsistency could occur: +if padata->list is added at the same time on two different threads. +This pdata pointer comes from the function call to +padata_get_next(pd), which has in it the following block: + +next_queue = per_cpu_ptr(pd->pqueue, cpu); +padata = NULL; +reorder = &next_queue->reorder; +if (!list_empty(&reorder->list)) { + padata = list_entry(reorder->list.next, + struct padata_priv, list); + spin_lock(&reorder->lock); + list_del_init(&padata->list); + atomic_dec(&pd->reorder_objects); + spin_unlock(&reorder->lock); + + pd->processed++; + + goto out; +} +out: +return padata; + +I strongly suspect that the problem here is that two threads can race +on reorder list. 
Even though the deletion is locked, call to +list_entry is not locked, which means it's feasible that two threads +pick up the same padata object and subsequently call list_add_tail on +them at the same time. The fix is thus be hoist that lock outside of +that block. + +Signed-off-by: Jason A. Donenfeld +Acked-by: Steffen Klassert +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/padata.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -189,19 +189,20 @@ static struct padata_priv *padata_get_ne + + reorder = &next_queue->reorder; + ++ spin_lock(&reorder->lock); + if (!list_empty(&reorder->list)) { + padata = list_entry(reorder->list.next, + struct padata_priv, list); + +- spin_lock(&reorder->lock); + list_del_init(&padata->list); + atomic_dec(&pd->reorder_objects); +- spin_unlock(&reorder->lock); + + pd->processed++; + ++ spin_unlock(&reorder->lock); + goto out; + } ++ spin_unlock(&reorder->lock); + + if (__this_cpu_read(pd->pqueue->cpu_index) == next_queue->cpu_index) { + padata = ERR_PTR(-ENODATA); diff --git a/queue-3.18/series b/queue-3.18/series index 4091bf5c8d0..b4db8edfeb1 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
@@ -72,3 +72,25 @@ bluetooth-add-another-ar3012-04ca-3018-device.patch ib-ipoib-fix-deadlock-between-rmmod-and-set_mode.patch usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch usb-serial-digi_acceleport-fix-oob-event-processing.patch +nlm-ensure-callback-code-also-checks-that-the-files-match.patch +xtensa-move-parse_tag_fdt-out-of-ifdef-config_blk_dev_initrd.patch +mac80211-flush-delayed-work-when-entering-suspend.patch +libceph-use-bug-instead-of-bug_on-1.patch +fat-fix-using-uninitialized-fields-of-fat_inode-fsinfo_inode.patch +ktest-fix-child-exit-code-processing.patch +crypto-improve-gcc-optimization-flags-for-serpent-and-wp512.patch +mtd-pmcmsp-use-kstrndup-instead-of-kmalloc-strncpy.patch +usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch +usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch +usb-gadget-function-f_fs-pass-companion-descriptor-along.patch +usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch +usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch +usb-serial-omninet-fix-reference-leaks-at-open.patch +usb-iowarrior-fix-null-deref-at-probe.patch +usb-iowarrior-fix-null-deref-in-write.patch +usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch +usb-serial-io_ti-fix-information-leak-in-completion-handler.patch +mvsas-fix-misleading-indentation.patch +ext4-don-t-bug-when-truncating-encrypted-inodes-on-the-orphan-list.patch +dm-flush-queued-bios-when-process-blocks-to-avoid-deadlock.patch +padata-avoid-race-in-reordering.patch diff --git a/queue-3.18/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch b/queue-3.18/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch new file mode 100644 index 00000000000..b1de3010b03 --- /dev/null +++ b/queue-3.18/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch 
@@ -0,0 +1,61 @@ +From 7369090a9fb57c3fc705ce355d2e4523a5a24716 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Tue, 31 Jan 2017 13:24:54 +0200 +Subject: usb: dwc3: gadget: make Set Endpoint Configuration macros safe + +From: Felipe Balbi + +commit 7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream. + +Some gadget drivers are bad, bad boys. We notice +that ADB was passing bad Burst Size which caused top +bits of param0 to be overwritten which confused DWC3 +when running this command. + +In order to avoid future issues, we're going to make +sure values passed by macros are always safe for the +controller. Note that ADB still needs a fix to *not* +pass bad values. + +Reported-by: Mohamed Abbas +Sugested-by: Adam Andruszak +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.h | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/usb/dwc3/gadget.h ++++ b/drivers/usb/dwc3/gadget.h +@@ -28,23 +28,23 @@ struct dwc3; + #define gadget_to_dwc(g) (container_of(g, struct dwc3, gadget)) + + /* DEPCFG parameter 1 */ +-#define DWC3_DEPCFG_INT_NUM(n) ((n) << 0) ++#define DWC3_DEPCFG_INT_NUM(n) (((n) & 0x1f) << 0) + #define DWC3_DEPCFG_XFER_COMPLETE_EN (1 << 8) + #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN (1 << 9) + #define DWC3_DEPCFG_XFER_NOT_READY_EN (1 << 10) + #define DWC3_DEPCFG_FIFO_ERROR_EN (1 << 11) + #define DWC3_DEPCFG_STREAM_EVENT_EN (1 << 13) +-#define DWC3_DEPCFG_BINTERVAL_M1(n) ((n) << 16) ++#define DWC3_DEPCFG_BINTERVAL_M1(n) (((n) & 0xff) << 16) + #define DWC3_DEPCFG_STREAM_CAPABLE (1 << 24) +-#define DWC3_DEPCFG_EP_NUMBER(n) ((n) << 25) ++#define DWC3_DEPCFG_EP_NUMBER(n) (((n) & 0x1f) << 25) + #define DWC3_DEPCFG_BULK_BASED (1 << 30) + #define DWC3_DEPCFG_FIFO_BASED (1 << 31) + + /* DEPCFG parameter 0 */ +-#define DWC3_DEPCFG_EP_TYPE(n) ((n) << 1) +-#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) ((n) << 3) +-#define DWC3_DEPCFG_FIFO_NUMBER(n) ((n) << 17) +-#define DWC3_DEPCFG_BURST_SIZE(n) ((n) 
<< 22) ++#define DWC3_DEPCFG_EP_TYPE(n) (((n) & 0x3) << 1) ++#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) (((n) & 0x7ff) << 3) ++#define DWC3_DEPCFG_FIFO_NUMBER(n) (((n) & 0x1f) << 17) ++#define DWC3_DEPCFG_BURST_SIZE(n) (((n) & 0xf) << 22) + #define DWC3_DEPCFG_DATA_SEQ_NUM(n) ((n) << 26) + /* This applies for core versions earlier than 1.94a */ + #define DWC3_DEPCFG_IGN_SEQ_NUM (1 << 31) diff --git a/queue-3.18/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch b/queue-3.18/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch new file mode 100644 index 00000000000..6fb7a9efe31 --- /dev/null +++ b/queue-3.18/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch 
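Review bot: In the drivers/usb/dwc3/gadget.h hunk, `DWC3_DEPCFG_DATA_SEQ_NUM(n)` is left as `((n) << 26)` while every other parameter 0 macro next to it gains a mask, so an oversized value passed there can still spill into the upper bits of param0, which is the failure the message describes for Burst Size. Either mask it to its field width as well or add a comment saying why it is exempt. Note too that the masks truncate a bad caller value silently; since the message says ADB still needs its own fix, a one-time warning when a value does not fit would make such callers visible.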
@@ -0,0 +1,81 @@ +From 5bbc852676ae08e818241cf66a3ffe4be44225c4 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 28 Feb 2017 14:25:45 +0800 +Subject: usb: gadget: dummy_hcd: clear usb_gadget region before registration + +From: Peter Chen + +commit 5bbc852676ae08e818241cf66a3ffe4be44225c4 upstream. + +When the user does device unbind and rebind test, the kernel will +show below dump due to usb_gadget memory region is dirty after unbind. +Clear usb_gadget region for every new probe. + +root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind +[ 102.523312] kobject (eddd78b0): tried to init an initialized object, something is seriously wrong. +[ 102.532447] CPU: 0 PID: 734 Comm: sh Not tainted 4.10.0-rc7-00872-g1b2b8e9 #1298 +[ 102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree) +[ 102.545717] Backtrace: +[ 102.548225] [] (dump_backtrace) from [] (show_stack+0x18/0x1c) +[ 102.555822] r7:ede34000 r6:60010013 r5:00000000 r4:c0f29418 +[ 102.561512] [] (show_stack) from [] (dump_stack+0xb4/0xe8) +[ 102.568764] [] (dump_stack) from [] (kobject_init+0x80/0x9c) +[ 102.576187] r10:0000001f r9:eddd7000 r8:eeaf8c10 r7:eddd78a8 r6:c177891c r5:c0f3b060 +[ 102.584036] r4:eddd78b0 r3:00000000 +[ 102.587641] [] (kobject_init) from [] (device_initialize+0x28/0xf8) +[ 102.595665] r5:eebc4800 r4:eddd78a8 +[ 102.599268] [] (device_initialize) from [] (device_register+0x14/0x20) +[ 102.607556] r7:eddd78a8 r6:00000000 r5:eebc4800 r4:eddd78a8 +[ 102.613256] [] (device_register) from [] (usb_add_gadget_udc_release+0x8c/0x1ec) +[ 102.622410] r5:eebc4800 r4:eddd7860 +[ 102.626015] [] (usb_add_gadget_udc_release) from [] (usb_add_gadget_udc+0x14/0x18) +[ 102.635351] r10:0000001f r9:eddd7000 r8:eddd788c r7:bf003770 r6:eddd77f8 r5:eddd7818 +[ 102.643198] r4:eddd785c r3:eddd7b24 +[ 102.646834] [] (usb_add_gadget_udc) from [] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd]) +[ 102.656458] [] (dummy_udc_probe [dummy_hcd]) from [] (platform_drv_probe+0x54/0xb8) +[ 
102.665881] r10:00000008 r9:c1778960 r8:bf004128 r7:fffffdfb r6:bf004128 r5:eeaf8c10 +[ 102.673727] r4:eeaf8c10 +[ 102.676293] [] (platform_drv_probe) from [] (driver_probe_device+0x264/0x474) +[ 102.685186] r7:00000000 r6:00000000 r5:c1778960 r4:eeaf8c10 +[ 102.690876] [] (driver_probe_device) from [] (bind_store+0xb8/0x14c) +[ 102.698994] r10:eeb3bb4c r9:ede34000 r8:0000000c r7:eeaf8c44 r6:bf004128 r5:c0f3b668 +[ 102.706840] r4:eeaf8c10 +[ 102.709402] [] (bind_store) from [] (drv_attr_store+0x28/0x34) +[ 102.716998] r9:ede34000 r8:00000000 r7:ee3863c0 r6:ee3863c0 r5:c0538c80 r4:c053970c +[ 102.724776] [] (drv_attr_store) from [] (sysfs_kf_write+0x50/0x54) +[ 102.732711] r5:c0538c80 r4:0000000c +[ 102.736313] [] (sysfs_kf_write) from [] (kernfs_fop_write+0x100/0x214) +[ 102.744599] r7:ee3863c0 r6:eeb3bb40 r5:00000000 r4:00000000 +[ 102.750287] [] (kernfs_fop_write) from [] (__vfs_write+0x34/0x120) +[ 102.758231] r10:00000000 r9:ede34000 r8:c0108bc4 r7:0000000c r6:ede35f80 r5:c029bd84 +[ 102.766077] r4:ee223780 +[ 102.768638] [] (__vfs_write) from [] (vfs_write+0xa8/0x170) +[ 102.775974] r9:ede34000 r8:c0108bc4 r7:ede35f80 r6:01861cb0 r5:ee223780 r4:0000000c +[ 102.783743] [] (vfs_write) from [] (SyS_write+0x4c/0xa8) +[ 102.790818] r9:ede34000 r8:c0108bc4 r7:0000000c r6:01861cb0 r5:ee223780 r4:ee223780 +[ 102.798595] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) +[ 102.806188] r7:00000004 r6:b6e83d58 r5:01861cb0 r4:0000000c + +Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") +Acked-by: Alan Stern +Signed-off-by: Peter Chen +Tested-by: Xiaolong Ye +Reported-by: Fengguang Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/dummy_hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -972,6 +972,8 @@ static int dummy_udc_probe(struct platfo + int rc; + + dum = *((void **)dev_get_platdata(&pdev->dev)); ++ 
/* Clear usb_gadget region for new registration to udc-core */ ++ memzero_explicit(&dum->gadget, sizeof(struct usb_gadget)); + dum->gadget.name = gadget_name; + dum->gadget.ops = &dummy_ops; + dum->gadget.max_speed = USB_SPEED_SUPER; diff --git a/queue-3.18/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch b/queue-3.18/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch new file mode 100644 index 00000000000..0bbc5876977 --- /dev/null +++ b/queue-3.18/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch 
@@ -0,0 +1,57 @@ +From 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Tue, 31 Jan 2017 14:54:45 +0200 +Subject: usb: gadget: function: f_fs: pass companion descriptor along + +From: Felipe Balbi + +commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 upstream. + +If we're dealing with SuperSpeed endpoints, we need +to make sure to pass along the companion descriptor +and initialize fields needed by the Gadget +API. Eventually, f_fs.c should be converted to use +config_ep_by_speed() like all other functions, +though. + +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1649,11 +1649,14 @@ static int ffs_func_eps_enable(struct ff + spin_lock_irqsave(&func->ffs->eps_lock, flags); + do { + struct usb_endpoint_descriptor *ds; ++ struct usb_ss_ep_comp_descriptor *comp_desc = NULL; ++ int needs_comp_desc = false; + int desc_idx; + +- if (ffs->gadget->speed == USB_SPEED_SUPER) ++ if (ffs->gadget->speed == USB_SPEED_SUPER) { + desc_idx = 2; +- else if (ffs->gadget->speed == USB_SPEED_HIGH) ++ needs_comp_desc = true; ++ } else if (ffs->gadget->speed == USB_SPEED_HIGH) + desc_idx = 1; + else + desc_idx = 0; +@@ -1670,6 +1673,14 @@ static int ffs_func_eps_enable(struct ff + + ep->ep->driver_data = ep; + ep->ep->desc = ds; ++ ++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + ++ USB_DT_ENDPOINT_SIZE); ++ ep->ep->maxburst = comp_desc->bMaxBurst + 1; ++ ++ if (needs_comp_desc) ++ ep->ep->comp_desc = comp_desc; ++ + ret = usb_ep_enable(ep->ep); + if (likely(!ret)) { + epfile->ep = ep; 
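Review bot: In the second f_fs.c hunk, `(ds + USB_DT_ENDPOINT_SIZE)` is pointer arithmetic on a `struct usb_endpoint_descriptor *`, so it advances by USB_DT_ENDPOINT_SIZE whole descriptors rather than USB_DT_ENDPOINT_SIZE bytes, and `comp_desc->bMaxBurst` is then read for every speed, including the high-speed and full-speed cases where `needs_comp_desc` stays false and the message gives no reason to expect a companion descriptor. Suggest casting `ds` to a byte pointer before adding the size, and moving both the computation and the `ep->ep->maxburst` assignment under `if (needs_comp_desc)`. As a style point, `needs_comp_desc` is only ever assigned `true` or `false` and would read better as `bool` than `int`.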
diff --git a/queue-3.18/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch b/queue-3.18/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch new file mode 100644 index 00000000000..933b0acc689 --- /dev/null +++ b/queue-3.18/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch @@ -0,0 +1,42 @@ +From dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 9 Mar 2017 15:39:37 +0200 +Subject: usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers + +From: Guenter Roeck + +commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream. + +Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of +PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI +xhci controllers which can result in excessive timeouts, to the point where +the system reports a deadlock. + +The same problem is seen with hot pluggable xhci controllers using the +xhci-plat driver, such as the driver used for Type-C ports on rk3399. +Similar to hot-pluggable PCI controllers, the driver for this chip +removes the xhci controller from the system when the Type-C cable is +disconnected. + +The solution for PCI devices works just as well for non-PCI devices +and avoids the problem. + +Signed-off-by: Guenter Roeck +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-plat.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -189,6 +189,8 @@ static int xhci_plat_remove(struct platf + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + struct clk *clk = xhci->clk; + ++ xhci->xhc_state |= XHCI_STATE_REMOVING; ++ + usb_remove_hcd(xhci->shared_hcd); + usb_put_hcd(xhci->shared_hcd); + 
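Review bot: `xhci->xhc_state |= XHCI_STATE_REMOVING;` at the top of xhci_plat_remove() relies on a flag that this hunk does not define. The message attributes the PCI-side fix to 98d74f9ceaef, so confirm that commit is already present in the 3.18 tree before queuing this one, otherwise xhci-plat.c will not build. A one-line comment above the assignment naming the removal timeout it avoids would also help, since the hunk gives no hint of why the flag is set there.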
diff --git a/queue-3.18/usb-iowarrior-fix-null-deref-at-probe.patch b/queue-3.18/usb-iowarrior-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..81a49098576 --- /dev/null +++ b/queue-3.18/usb-iowarrior-fix-null-deref-at-probe.patch 
@@ -0,0 +1,55 @@ +From b7321e81fc369abe353cf094d4f0dc2fe11ab95f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 7 Mar 2017 16:11:03 +0100 +Subject: USB: iowarrior: fix NULL-deref at probe + +From: Johan Hovold + +commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream. + +Make sure to check for the required interrupt-in endpoint to avoid +dereferencing a NULL-pointer should a malicious device lack such an +endpoint. + +Note that a fairly recent change purported to fix this issue, but added +an insufficient test on the number of endpoints only, a test which can +now be removed. + +Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors") +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_in + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + +- if (iface_desc->desc.bNumEndpoints < 1) { +- dev_err(&interface->dev, "Invalid number of endpoints\n"); +- retval = -EINVAL; +- goto error; +- } +- + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; +@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_in + /* this one will match for the IOWarrior56 only */ + dev->int_out_endpoint = endpoint; + } ++ ++ if (!dev->int_in_endpoint) { ++ dev_err(&interface->dev, "no interrupt-in endpoint found\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ + dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); + if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && 
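Review bot: The new `if (!dev->int_in_endpoint)` test after the endpoint loop is only sound if `dev` was zero-initialised, and the allocation lies outside both hunks; confirm it is a kzalloc() in the 3.18 version of iowarrior_probe(). `dev->int_out_endpoint`, assigned in the same loop, is still unchecked after this patch, so it should not be applied without usb-iowarrior-fix-null-deref-in-write.patch, which the series file lists directly after it.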
diff --git a/queue-3.18/usb-iowarrior-fix-null-deref-in-write.patch b/queue-3.18/usb-iowarrior-fix-null-deref-in-write.patch new file mode 100644 index 00000000000..30b7799556a --- /dev/null +++ b/queue-3.18/usb-iowarrior-fix-null-deref-in-write.patch @@ -0,0 +1,38 @@ +From de46e56653de7b3b54baa625bd582635008b8d05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 7 Mar 2017 16:11:04 +0100 +Subject: USB: iowarrior: fix NULL-deref in write + +From: Johan Hovold + +commit de46e56653de7b3b54baa625bd582635008b8d05 upstream. + +Make sure to verify that we have the required interrupt-out endpoint for +IOWarrior56 devices to avoid dereferencing a NULL-pointer in write +should a malicious device lack such an endpoint. + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -804,6 +804,14 @@ static int iowarrior_probe(struct usb_in + goto error; + } + ++ if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) { ++ if (!dev->int_out_endpoint) { ++ dev_err(&interface->dev, "no interrupt-out endpoint found\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ } ++ + /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ + dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); + if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && diff --git a/queue-3.18/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch b/queue-3.18/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch new file mode 100644 index 00000000000..e0a2025df79 --- /dev/null +++ b/queue-3.18/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch 
@@ -0,0 +1,35 @@ +From 654b404f2a222f918af9b0cd18ad469d0c941a8e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:40 +0100 +Subject: USB: serial: io_ti: fix information leak in completion handler + +From: Johan Hovold + +commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream. + +Add missing sanity check to the bulk-in completion handler to avoid an +integer underflow that can be triggered by a malicious device. + +This avoids leaking 128 kB of memory content from after the URB transfer +buffer to user space. + +Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_ti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -1632,7 +1632,7 @@ static void edge_bulk_in_callback(struct + + port_number = edge_port->port->port_number; + +- if (edge_port->lsr_event) { ++ if (urb->actual_length > 0 && edge_port->lsr_event) { + edge_port->lsr_event = 0; + dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n", + __func__, port_number, edge_port->lsr_mask, *data); diff --git a/queue-3.18/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch b/queue-3.18/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch new file mode 100644 index 00000000000..f2c0934c40d --- /dev/null +++ b/queue-3.18/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch 
@@ -0,0 +1,36 @@ +From 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:37 +0100 +Subject: USB: serial: io_ti: fix NULL-deref in interrupt callback + +From: Johan Hovold + +commit 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream. + +Fix a NULL-pointer dereference in the interrupt callback should a +malicious device send data containing a bad port number by adding the +missing sanity check. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_ti.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -1546,6 +1546,12 @@ static void edge_interrupt_callback(stru + function = TIUMP_GET_FUNC_FROM_CODE(data[0]); + dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__, + port_number, function, data[1]); ++ ++ if (port_number >= edge_serial->serial->num_ports) { ++ dev_err(dev, "bad port number %d\n", port_number); ++ goto exit; ++ } ++ + port = edge_serial->serial->port[port_number]; + edge_port = usb_get_serial_port_data(port); + if (!edge_port) { diff --git a/queue-3.18/usb-serial-omninet-fix-reference-leaks-at-open.patch b/queue-3.18/usb-serial-omninet-fix-reference-leaks-at-open.patch new file mode 100644 index 00000000000..d8d46eb9083 --- /dev/null +++ b/queue-3.18/usb-serial-omninet-fix-reference-leaks-at-open.patch 
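Review bot: In the edge_interrupt_callback() hunk of io_ti.c, the new `dev_err(dev, "bad port number %d\n", port_number)` fires on device-supplied data inside the interrupt callback with no rate limit, so a device that keeps sending bad port numbers can flood the kernel log. Consider `dev_err_ratelimited()` there. The bounds check itself, `port_number >= edge_serial->serial->num_ports`, is correctly placed before the `port[port_number]` lookup.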
@@ -0,0 +1,37 @@ +From 30572418b445d85fcfe6c8fe84c947d2606767d8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:38 +0100 +Subject: USB: serial: omninet: fix reference leaks at open + +From: Johan Hovold + +commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream. + +This driver needlessly took another reference to the tty on open, a +reference which was then never released on close. This lead to not just +a leak of the tty, but also a driver reference leak that prevented the +driver from being unloaded after a port had once been opened. + +Fixes: 4a90f09b20f4 ("tty: usb-serial krefs") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/omninet.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/usb/serial/omninet.c ++++ b/drivers/usb/serial/omninet.c +@@ -129,12 +129,6 @@ static int omninet_port_remove(struct us + + static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port) + { +- struct usb_serial *serial = port->serial; +- struct usb_serial_port *wport; +- +- wport = serial->port[1]; +- tty_port_tty_set(&wport->port, tty); +- + return usb_serial_generic_open(tty, port); + } + diff --git a/queue-3.18/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch b/queue-3.18/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch new file mode 100644 index 00000000000..7d6b982e44b --- /dev/null +++ b/queue-3.18/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch 
@@ -0,0 +1,37 @@ +From 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:41 +0100 +Subject: USB: serial: safe_serial: fix information leak in completion handler + +From: Johan Hovold + +commit 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream. + +Add missing sanity check to the bulk-in completion handler to avoid an +integer underflow that could be triggered by a malicious device. + +This avoids leaking up to 56 bytes from after the URB transfer buffer to +user space. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/safe_serial.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/safe_serial.c ++++ b/drivers/usb/serial/safe_serial.c +@@ -205,6 +205,11 @@ static void safe_process_read_urb(struct + if (!safe) + goto out; + ++ if (length < 2) { ++ dev_err(&port->dev, "malformed packet\n"); ++ return; ++ } ++ + fcs = fcs_compute10(data, length, CRC10_INITFCS); + if (fcs) { + dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs); diff --git a/queue-3.18/work_mbox b/queue-3.18/work_mbox index 5d4f46d23c2..d406246b6c5 100644 --- a/queue-3.18/work_mbox +++ b/queue-3.18/work_mbox 
@@ -915,97 +915,6 @@ index f6af531f9f32..109eea94d0f9 100644 -- 2.12.2 -From 485171b1ee8c7cc74cff9881b92b178b1c709663 Mon Sep 17 00:00:00 2001 -From: "Steven Rostedt (VMware)" -Date: Tue, 7 Feb 2017 12:05:25 -0500 -Subject: [PATCH 018/251] ktest: Fix child exit code processing -Status: RO -Content-Length: 849 -Lines: 27 - -commit 32677207dcc5e594254b7fb4fb2352b1755b1d5b upstream. - -The child_exit errno needs to be shifted by 8 bits to compare against the -return values for the bisect variables. - -Fixes: c5dacb88f0a64 ("ktest: Allow overriding bisect test results") -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Greg Kroah-Hartman ---- - tools/testing/ktest/ktest.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl -index d08e214ec6e7..223d88e25e05 100755 ---- a/tools/testing/ktest/ktest.pl -+++ b/tools/testing/ktest/ktest.pl -@@ -2629,7 +2629,7 @@ sub do_run_test { - } - - waitpid $child_pid, 0; -- $child_exit = $?; -+ $child_exit = $? >> 8; - - my $end_time = time; - $test_time = $end_time - $start_time; --- -2.12.2 - -From 05a9143edb47e7799f191f1015f56eb2dacfee0d Mon Sep 17 00:00:00 2001 -From: Jeff Layton -Date: Tue, 14 Feb 2017 10:09:40 -0500 -Subject: [PATCH 019/251] ceph: remove req from unsafe list when unregistering - it -Content-Length: 1752 -Lines: 46 - -commit df963ea8a082d31521a120e8e31a29ad8a1dc215 upstream. - -There's no reason a request should ever be on a s_unsafe list but not -in the request tree. 
- -Link: http://tracker.ceph.com/issues/18474 -Signed-off-by: Jeff Layton -Reviewed-by: Yan, Zheng -Signed-off-by: Ilya Dryomov -Signed-off-by: Greg Kroah-Hartman ---- - fs/ceph/mds_client.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c -index 239bc9cba28c..f54f77037d22 100644 ---- a/fs/ceph/mds_client.c -+++ b/fs/ceph/mds_client.c -@@ -644,6 +644,9 @@ static void __unregister_request(struct ceph_mds_client *mdsc, - { - dout("__unregister_request %p tid %lld\n", req, req->r_tid); - -+ /* Never leave an unregistered request on an unsafe list! */ -+ list_del_init(&req->r_unsafe_item); -+ - if (req->r_tid == mdsc->oldest_tid) { - struct rb_node *p = rb_next(&req->r_node); - mdsc->oldest_tid = 0; -@@ -1051,7 +1054,6 @@ static void cleanup_session_requests(struct ceph_mds_client *mdsc, - while (!list_empty(&session->s_unsafe)) { - req = list_first_entry(&session->s_unsafe, - struct ceph_mds_request, r_unsafe_item); -- list_del_init(&req->r_unsafe_item); - pr_warn_ratelimited(" dropping unsafe request %llu\n", - req->r_tid); - __unregister_request(mdsc, req); -@@ -2477,7 +2479,6 @@ static void handle_reply(struct ceph_mds_session *session, struct ceph_msg *msg) - * useful we could do with a revised return value. - */ - dout("got safe reply %llu, mds%d\n", tid, mds); -- list_del_init(&req->r_unsafe_item); - - /* last unsafe request during umount? */ - if (mdsc->stopping && !__get_oldest_req(mdsc)) --- -2.12.2 - From ca739e3fd7dc803d526ea5bb9b80c0d07fbca55f Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Wed, 22 Feb 2017 22:06:32 -0800 
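Review bot: This hunk drops both [PATCH 018/251] (ktest) and [PATCH 019/251] (ceph: remove req from unsafe list when unregistering it) from work_mbox, but only ktest-fix-child-exit-code-processing.patch appears among the lines this commit adds to queue-3.18/series. The commit message is just "3.18 patches"; it should say whether the ceph patch was dropped as not applicable to 3.18 or is queued elsewhere.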
@@ -1206,193 +1115,6 @@ index 800fe16cc36f..ed66414b91f0 100644 -- 2.12.2 -From e1c924e85a937de5e1d0dd6c47f094b089952e0c Mon Sep 17 00:00:00 2001 -From: Trond Myklebust -Date: Sat, 11 Feb 2017 10:37:38 -0500 -Subject: [PATCH 021/251] nlm: Ensure callback code also checks that the files - match -Content-Length: 1237 -Lines: 31 - -commit 251af29c320d86071664f02c76f0d063a19fefdf upstream. - -It is not sufficient to just check that the lock pids match when -granting a callback, we also need to ensure that we're granting -the callback on the right file. - -Reported-by: Pankaj Singh -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Trond Myklebust -Signed-off-by: Anna Schumaker -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/lockd/lockd.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/lockd.h -index c15373894a42..b37dee3acaba 100644 ---- a/include/linux/lockd/lockd.h -+++ b/include/linux/lockd/lockd.h -@@ -355,7 +355,8 @@ static inline int nlm_privileged_requester(const struct svc_rqst *rqstp) - static inline int nlm_compare_locks(const struct file_lock *fl1, - const struct file_lock *fl2) - { -- return fl1->fl_pid == fl2->fl_pid -+ return file_inode(fl1->fl_file) == file_inode(fl2->fl_file) -+ && fl1->fl_pid == fl2->fl_pid - && fl1->fl_owner == fl2->fl_owner - && fl1->fl_start == fl2->fl_start - && fl1->fl_end == fl2->fl_end --- -2.12.2 - -From 6ef213d6219456ea5e4df7d201b4a3384e06783b Mon Sep 17 00:00:00 2001 -From: Clemens Gruber -Date: Tue, 13 Dec 2016 16:52:50 +0100 -Subject: [PATCH 022/251] pwm: pca9685: Fix period change with same duty cycle -Content-Length: 1777 -Lines: 51 - -commit 8d254a340efb12b40c4c1ff25a48a4f48f7bbd6b upstream. 
- -When first implementing support for changing the output frequency, an -optimization was added to continue the PWM after changing the prescaler -without having to reprogram the ON and OFF registers for the duty cycle, -in case the duty cycle stayed the same. This was flawed, because we -compared the absolute value of the duty cycle in nanoseconds instead of -the ratio to the period. - -Fix the problem by removing the shortcut. - -Fixes: 01ec8472009c9 ("pwm-pca9685: Support changing the output frequency") -Signed-off-by: Clemens Gruber -Reviewed-by: Mika Westerberg -Signed-off-by: Thierry Reding -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pwm/pwm-pca9685.c | 11 ----------- - 1 file changed, 11 deletions(-) - -diff --git a/drivers/pwm/pwm-pca9685.c b/drivers/pwm/pwm-pca9685.c -index 117fccf7934a..01a6a83f625d 100644 ---- a/drivers/pwm/pwm-pca9685.c -+++ b/drivers/pwm/pwm-pca9685.c -@@ -65,7 +65,6 @@ - #define PCA9685_MAXCHAN 0x10 - - #define LED_FULL (1 << 4) --#define MODE1_RESTART (1 << 7) - #define MODE1_SLEEP (1 << 4) - #define MODE2_INVRT (1 << 4) - #define MODE2_OUTDRV (1 << 2) -@@ -117,16 +116,6 @@ static int pca9685_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, - udelay(500); - - pca->period_ns = period_ns; -- -- /* -- * If the duty cycle did not change, restart PWM with -- * the same duty cycle to period ratio and return. -- */ -- if (duty_ns == pca->duty_ns) { -- regmap_update_bits(pca->regmap, PCA9685_MODE1, -- MODE1_RESTART, 0x1); -- return 0; -- } - } else { - dev_err(chip->dev, - "prescaler not set: period out of bounds!\n"); --- -2.12.2 - -From 21096328c97e707f2190b26a06d8b805551a543d Mon Sep 17 00:00:00 2001 -From: Max Filippov -Date: Tue, 3 Jan 2017 09:37:34 -0800 -Subject: [PATCH 023/251] xtensa: move parse_tag_fdt out of #ifdef - CONFIG_BLK_DEV_INITRD -Content-Length: 1156 -Lines: 37 - -commit 4ab18701c66552944188dbcd0ce0012729baab84 upstream. 
- -FDT tag parsing is not related to whether BLK_DEV_INITRD is configured -or not, move it out of the corresponding #ifdef/#endif block. -This fixes passing external FDT to the kernel configured w/o -BLK_DEV_INITRD support. - -Signed-off-by: Max Filippov -Signed-off-by: Greg Kroah-Hartman ---- - arch/xtensa/kernel/setup.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/xtensa/kernel/setup.c b/arch/xtensa/kernel/setup.c -index 9735691f37f1..49ccbd9022f6 100644 ---- a/arch/xtensa/kernel/setup.c -+++ b/arch/xtensa/kernel/setup.c -@@ -133,6 +133,8 @@ static int __init parse_tag_initrd(const bp_tag_t* tag) - - __tagtable(BP_TAG_INITRD, parse_tag_initrd); - -+#endif /* CONFIG_BLK_DEV_INITRD */ -+ - #ifdef CONFIG_OF - - static int __init parse_tag_fdt(const bp_tag_t *tag) -@@ -145,8 +147,6 @@ __tagtable(BP_TAG_FDT, parse_tag_fdt); - - #endif /* CONFIG_OF */ - --#endif /* CONFIG_BLK_DEV_INITRD */ -- - static int __init parse_tag_cmdline(const bp_tag_t* tag) - { - strlcpy(command_line, (char *)(tag->data), COMMAND_LINE_SIZE); --- -2.12.2 - -From 8650af261d6c119062da542c70881653db0a0b20 Mon Sep 17 00:00:00 2001 -From: Matt Chen -Date: Sun, 22 Jan 2017 02:16:58 +0800 -Subject: [PATCH 024/251] mac80211: flush delayed work when entering suspend -Content-Length: 1043 -Lines: 34 - -commit a9e9200d8661c1a0be8c39f93deb383dc940de35 upstream. - -The issue was found when entering suspend and resume. -It triggers a warning in: -mac80211/key.c: ieee80211_enable_keys() -... -WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt || - sdata->crypto_tx_tailroom_pending_dec); -... - -It points out sdata->crypto_tx_tailroom_pending_dec isn't cleaned up successfully -in a delayed_work during suspend. Add a flush_delayed_work to fix it. 
- -Signed-off-by: Matt Chen -Signed-off-by: Johannes Berg -Signed-off-by: Greg Kroah-Hartman ---- - net/mac80211/pm.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c -index 00a43a70e1fc..0402fa45b343 100644 ---- a/net/mac80211/pm.c -+++ b/net/mac80211/pm.c -@@ -168,6 +168,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) - break; - } - -+ flush_delayed_work(&sdata->dec_tailroom_needed_wk); - drv_remove_interface(local, sdata); - } - --- -2.12.2 - From 0d80ac62b609bce00b78a656b7cdde2d8f587345 Mon Sep 17 00:00:00 2001 From: Alex Deucher Date: Fri, 10 Feb 2017 00:00:52 -0500 
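Review bot: Of the four mails removed in this hunk, [PATCH 022/251] (pwm: pca9685: Fix period change with same duty cycle) has no counterpart in the series additions, while the nlm, xtensa and mac80211 patches do. Record the reason for skipping it in the commit message so the drop can be audited later.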
@@ -1761,82 +1483,6 @@ index 1ac29d703c12..ea443fafb934 100644 -- 2.12.2 -From 77fec8bc7a0fbee3bf5893d8c1ce755c029f2b40 Mon Sep 17 00:00:00 2001 -From: Alexander Aring -Date: Thu, 1 Sep 2016 11:24:57 +0200 -Subject: [PATCH 032/251] fakelb: fix schedule while atomic -Content-Length: 2082 -Lines: 68 - -commit bdca1fd9a6df745857e23c6056494b7fe062b4e6 upstream. - -This patch changes the spinlock to mutex for the available fakelb phy -list. When holding the spinlock the ieee802154_unregister_hw is called -which holding the rtnl_mutex, in that case we get a "BUG: sleeping function -called from invalid context" error. We simple change the spinlock to -mutex which allows to hold the rtnl lock there. - -Signed-off-by: Alexander Aring -Signed-off-by: Marcel Holtmann -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ieee802154/fakelb.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/ieee802154/fakelb.c b/drivers/net/ieee802154/fakelb.c -index 860d4aed8274..43617ded3773 100644 ---- a/drivers/net/ieee802154/fakelb.c -+++ b/drivers/net/ieee802154/fakelb.c -@@ -30,7 +30,7 @@ - static int numlbs = 2; - - static LIST_HEAD(fakelb_phys); --static DEFINE_SPINLOCK(fakelb_phys_lock); -+static DEFINE_MUTEX(fakelb_phys_lock); - - static LIST_HEAD(fakelb_ifup_phys); - static DEFINE_RWLOCK(fakelb_ifup_phys_lock); -@@ -180,9 +180,9 @@ static int fakelb_add_one(struct device *dev) - if (err) - goto err_reg; - -- spin_lock(&fakelb_phys_lock); -+ mutex_lock(&fakelb_phys_lock); - list_add_tail(&phy->list, &fakelb_phys); -- spin_unlock(&fakelb_phys_lock); -+ mutex_unlock(&fakelb_phys_lock); - - return 0; - -@@ -214,10 +214,10 @@ static int fakelb_probe(struct platform_device *pdev) - return 0; - - err_slave: -- spin_lock(&fakelb_phys_lock); -+ mutex_lock(&fakelb_phys_lock); - list_for_each_entry_safe(phy, tmp, &fakelb_phys, list) - fakelb_del(phy); -- spin_unlock(&fakelb_phys_lock); -+ mutex_unlock(&fakelb_phys_lock); - return err; - } - -@@ 
-225,10 +225,10 @@ static int fakelb_remove(struct platform_device *pdev) - { - struct fakelb_phy *phy, *tmp; - -- spin_lock(&fakelb_phys_lock); -+ mutex_lock(&fakelb_phys_lock); - list_for_each_entry_safe(phy, tmp, &fakelb_phys, list) - fakelb_del(phy); -- spin_unlock(&fakelb_phys_lock); -+ mutex_unlock(&fakelb_phys_lock); - return 0; - } - --- -2.12.2 - From 7952b6490bbce45e078c8c0e669df7a0a8f8948a Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Fri, 2 Dec 2016 15:29:04 +0100 
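Review bot: in the fakelb entry removed by this hunk, fakelb_lock users must all be in process context once fakelb_phys_lock becomes a mutex, and only three sites are shown converted (fakelb_add_one(), the err_slave path in fakelb_probe(), and fakelb_remove()). Before this conversion is carried into any tree, check that tree's fakelb.c for a remaining spin_lock(&fakelb_phys_lock) caller or a path that reaches the lock from atomic context, because the fix only holds if every taker may sleep.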
@@ -1911,154 +1557,6 @@ index 3f802163f7d4..e7c18519274a 100644 -- 2.12.2 -From 13ef90e1bb7963ec2fb9d3680fe418a4b7dedfa3 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Mon, 16 Jan 2017 12:06:09 +0100 -Subject: [PATCH 034/251] libceph: use BUG() instead of BUG_ON(1) -Content-Length: 1071 -Lines: 34 - -commit d24cdcd3e40a6825135498e11c20c7976b9bf545 upstream. - -I ran into this compile warning, which is the result of BUG_ON(1) -not always leading to the compiler treating the code path as -unreachable: - - include/linux/ceph/osdmap.h: In function 'ceph_can_shift_osds': - include/linux/ceph/osdmap.h:62:1: error: control reaches end of non-void function [-Werror=return-type] - -Using BUG() here avoids the warning. - -Signed-off-by: Arnd Bergmann -Signed-off-by: Ilya Dryomov -Cc: Heinrich Schuchardt -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/ceph/osdmap.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/linux/ceph/osdmap.h b/include/linux/ceph/osdmap.h -index e55c08bc3a96..0abc56140c83 100644 ---- a/include/linux/ceph/osdmap.h -+++ b/include/linux/ceph/osdmap.h -@@ -49,7 +49,7 @@ static inline bool ceph_can_shift_osds(struct ceph_pg_pool_info *pool) - case CEPH_POOL_TYPE_EC: - return false; - default: -- BUG_ON(1); -+ BUG(); - } - } - --- -2.12.2 - -From 8353f338def1df3b58150cf1d6f42d1a51902b55 Mon Sep 17 00:00:00 2001 -From: OGAWA Hirofumi -Date: Thu, 9 Mar 2017 16:17:37 -0800 -Subject: [PATCH 035/251] fat: fix using uninitialized fields of - fat_inode/fsinfo_inode -Content-Length: 1922 -Lines: 59 - -commit c0d0e351285161a515396b7b1ee53ec9ffd97e3c upstream. - -Recently fallocate patch was merged and it uses -MSDOS_I(inode)->mmu_private at fat_evict_inode(). However, -fat_inode/fsinfo_inode that was introduced in past didn't initialize -MSDOS_I(inode) properly. - -With those combinations, it became the cause of accessing random entry -in FAT area. 
- -Link: http://lkml.kernel.org/r/87pohrj4i8.fsf@mail.parknet.co.jp -Signed-off-by: OGAWA Hirofumi -Reported-by: Moreno Bartalucci -Tested-by: Moreno Bartalucci -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - fs/fat/inode.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/fs/fat/inode.c b/fs/fat/inode.c -index 509411dd3698..cf644d52c0cf 100644 ---- a/fs/fat/inode.c -+++ b/fs/fat/inode.c -@@ -1269,6 +1269,16 @@ out: - return 0; - } - -+static void fat_dummy_inode_init(struct inode *inode) -+{ -+ /* Initialize this dummy inode to work as no-op. */ -+ MSDOS_I(inode)->mmu_private = 0; -+ MSDOS_I(inode)->i_start = 0; -+ MSDOS_I(inode)->i_logstart = 0; -+ MSDOS_I(inode)->i_attrs = 0; -+ MSDOS_I(inode)->i_pos = 0; -+} -+ - static int fat_read_root(struct inode *inode) - { - struct msdos_sb_info *sbi = MSDOS_SB(inode->i_sb); -@@ -1713,12 +1723,13 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat, - fat_inode = new_inode(sb); - if (!fat_inode) - goto out_fail; -- MSDOS_I(fat_inode)->i_pos = 0; -+ fat_dummy_inode_init(fat_inode); - sbi->fat_inode = fat_inode; - - fsinfo_inode = new_inode(sb); - if (!fsinfo_inode) - goto out_fail; -+ fat_dummy_inode_init(fsinfo_inode); - fsinfo_inode->i_ino = MSDOS_FSINFO_INO; - sbi->fsinfo_inode = fsinfo_inode; - insert_inode_hash(fsinfo_inode); --- -2.12.2 - -From 4cdfa660c82b57828ffcca94950eccc9458e18e4 Mon Sep 17 00:00:00 2001 -From: "K. Y. Srinivasan" -Date: Wed, 8 Feb 2017 18:30:56 -0700 -Subject: [PATCH 036/251] drivers: hv: Turn off write permission on the - hypercall page -Content-Length: 977 -Lines: 29 - -commit 372b1e91343e657a7cc5e2e2bcecd5140ac28119 upstream. - -The hypercall page only needs to be executable but currently it is setup to -be writable as well. Fix the issue. - -Signed-off-by: K. Y. 
Srinivasan -Acked-by: Kees Cook -Reported-by: Stephen Hemminger -Tested-by: Stephen Hemminger -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hv/hv.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c -index 89fd0113aa5c..57c191798699 100644 ---- a/drivers/hv/hv.c -+++ b/drivers/hv/hv.c -@@ -219,7 +219,7 @@ int hv_init(void) - /* See if the hypercall page is already set */ - rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); - -- virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC); -+ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX); - - if (!virtaddr) - goto cleanup; --- -2.12.2 - From 804a935963a91acd1764ba914f825dd2a29c5871 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 15 Mar 2017 09:57:56 +0800 
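Review bot: the hv entry in this hunk changes the __vmalloc() protection in hv_init() from PAGE_KERNEL_EXEC to PAGE_KERNEL_RX, which is a W^X hardening change, yet it is removed in one block together with a build-warning fix (libceph BUG()) and the fat uninitialized-field fix, with no line recording where each entry goes. Suggest stating per entry whether it was queued or dropped, and for the hv change confirming that nothing in the target tree writes to the hypercall page through virtaddr once the mapping is read-only.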
@@ -2085,169 +1583,6 @@ index 10aec937e9e4..7f54ac081cf3 100644 -- 2.12.2 -From e041ad0664407c60a9d29217819f991933e10edd Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Fri, 3 Feb 2017 23:33:23 +0100 -Subject: [PATCH 040/251] crypto: improve gcc optimization flags for serpent - and wp512 -Content-Length: 6651 -Lines: 154 - -commit 7d6e9105026788c497f0ab32fa16c82f4ab5ff61 upstream. - -An ancient gcc bug (first reported in 2003) has apparently resurfaced -on MIPS, where kernelci.org reports an overly large stack frame in the -whirlpool hash algorithm: - -crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=] - -With some testing in different configurations, I'm seeing large -variations in stack frames size up to 1500 bytes for what should have -around 300 bytes at most. I also checked the reference implementation, -which is essentially the same code but also comes with some test and -benchmarking infrastructure. - -It seems that recent compiler versions on at least arm, arm64 and powerpc -have a partial fix for this problem, but enabling "-fsched-pressure", but -even with that fix they suffer from the issue to a certain degree. Some -testing on arm64 shows that the time needed to hash a given amount of -data is roughly proportional to the stack frame size here, which makes -sense given that the wp512 implementation is doing lots of loads for -table lookups, and the problem with the overly large stack is a result -of doing a lot more loads and stores for spilled registers (as seen from -inspecting the object code). - -Disabling -fschedule-insns consistently fixes the problem for wp512, -in my collection of cross-compilers, the results are consistently better -or identical when comparing the stack sizes in this function, though -some architectures (notable x86) have schedule-insns disabled by -default. 
- -The four columns are: -default: -O2 -press: -O2 -fsched-pressure -nopress: -O2 -fschedule-insns -fno-sched-pressure -nosched: -O2 -no-schedule-insns (disables sched-pressure) - - default press nopress nosched -alpha-linux-gcc-4.9.3 1136 848 1136 176 -am33_2.0-linux-gcc-4.9.3 2100 2076 2100 2104 -arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352 -cris-linux-gcc-4.9.3 272 272 272 272 -frv-linux-gcc-4.9.3 1128 1000 1128 280 -hppa64-linux-gcc-4.9.3 1128 336 1128 184 -hppa-linux-gcc-4.9.3 644 308 644 276 -i386-linux-gcc-4.9.3 352 352 352 352 -m32r-linux-gcc-4.9.3 720 656 720 268 -microblaze-linux-gcc-4.9.3 1108 604 1108 256 -mips64-linux-gcc-4.9.3 1328 592 1328 208 -mips-linux-gcc-4.9.3 1096 624 1096 240 -powerpc64-linux-gcc-4.9.3 1088 432 1088 160 -powerpc-linux-gcc-4.9.3 1080 584 1080 224 -s390-linux-gcc-4.9.3 456 456 624 360 -sh3-linux-gcc-4.9.3 292 292 292 292 -sparc64-linux-gcc-4.9.3 992 240 992 208 -sparc-linux-gcc-4.9.3 680 592 680 312 -x86_64-linux-gcc-4.9.3 224 240 272 224 -xtensa-linux-gcc-4.9.3 1152 704 1152 304 - -aarch64-linux-gcc-7.0.0 224 224 1104 208 -arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352 -mips-linux-gcc-7.0.0 1120 648 1120 272 -x86_64-linux-gcc-7.0.1 240 240 304 240 - -arm-linux-gnueabi-gcc-4.4.7 840 392 -arm-linux-gnueabi-gcc-4.5.4 784 728 784 320 -arm-linux-gnueabi-gcc-4.6.4 736 728 736 304 -arm-linux-gnueabi-gcc-4.7.4 944 784 944 352 -arm-linux-gnueabi-gcc-4.8.5 464 464 760 352 -arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352 -arm-linux-gnueabi-gcc-5.3.1 824 824 1064 336 -arm-linux-gnueabi-gcc-6.1.1 808 808 1056 344 -arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352 - -Trying the same test for serpent-generic, the picture is a bit different, -and while -fno-schedule-insns is generally better here than the default, --fsched-pressure wins overall, so I picked that instead. 
- - default press nopress nosched -alpha-linux-gcc-4.9.3 1392 864 1392 960 -am33_2.0-linux-gcc-4.9.3 536 524 536 528 -arm-linux-gnueabi-gcc-4.9.3 552 552 776 536 -cris-linux-gcc-4.9.3 528 528 528 528 -frv-linux-gcc-4.9.3 536 400 536 504 -hppa64-linux-gcc-4.9.3 524 208 524 480 -hppa-linux-gcc-4.9.3 768 472 768 508 -i386-linux-gcc-4.9.3 564 564 564 564 -m32r-linux-gcc-4.9.3 712 576 712 532 -microblaze-linux-gcc-4.9.3 724 392 724 512 -mips64-linux-gcc-4.9.3 720 384 720 496 -mips-linux-gcc-4.9.3 728 384 728 496 -powerpc64-linux-gcc-4.9.3 704 304 704 480 -powerpc-linux-gcc-4.9.3 704 296 704 480 -s390-linux-gcc-4.9.3 560 560 592 536 -sh3-linux-gcc-4.9.3 540 540 540 540 -sparc64-linux-gcc-4.9.3 544 352 544 496 -sparc-linux-gcc-4.9.3 544 344 544 496 -x86_64-linux-gcc-4.9.3 528 536 576 528 -xtensa-linux-gcc-4.9.3 752 544 752 544 - -aarch64-linux-gcc-7.0.0 432 432 656 480 -arm-linux-gnueabi-gcc-7.0.1 616 616 808 536 -mips-linux-gcc-7.0.0 720 464 720 488 -x86_64-linux-gcc-7.0.1 536 528 600 536 - -arm-linux-gnueabi-gcc-4.4.7 592 440 -arm-linux-gnueabi-gcc-4.5.4 776 448 776 544 -arm-linux-gnueabi-gcc-4.6.4 776 448 776 544 -arm-linux-gnueabi-gcc-4.7.4 768 448 768 544 -arm-linux-gnueabi-gcc-4.8.5 488 488 776 544 -arm-linux-gnueabi-gcc-4.9.3 552 552 776 536 -arm-linux-gnueabi-gcc-5.3.1 552 552 776 536 -arm-linux-gnueabi-gcc-6.1.1 560 560 776 536 -arm-linux-gnueabi-gcc-7.0.1 616 616 808 536 - -I did not do any runtime tests with serpent, so it is possible that stack -frame size does not directly correlate with runtime performance here and -it actually makes things worse, but it's more likely to help here, and -the reduced stack frame size is probably enough reason to apply the patch, -especially given that the crypto code is often used in deep call chains. 
- -Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/ -Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html -Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488 -Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 -Cc: Ralf Baechle -Signed-off-by: Arnd Bergmann -Signed-off-by: Herbert Xu -Signed-off-by: Greg Kroah-Hartman ---- - crypto/Makefile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/crypto/Makefile b/crypto/Makefile -index 82fbff180ad3..03e66097eb0c 100644 ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -62,6 +62,7 @@ obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o - obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o - obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o - obj-$(CONFIG_CRYPTO_WP512) += wp512.o -+CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 - obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o - obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o - obj-$(CONFIG_CRYPTO_ECB) += ecb.o -@@ -85,6 +86,7 @@ obj-$(CONFIG_CRYPTO_BLOWFISH_COMMON) += blowfish_common.o - obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o - obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o - obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o -+CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 - obj-$(CONFIG_CRYPTO_AES) += aes_generic.o - obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o - obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o --- -2.12.2 - From adc48c710b7e3d0d169e013ca089f46347aaf064 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 11 Jan 2017 15:29:48 +0100 
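Review bot: the CFLAGS_serpent_generic.o line in the crypto/Makefile hunk rests on stack-frame numbers alone; the message itself says no runtime tests were done with serpent and that -fsched-pressure could make things worse. The wp512.o flag at least has the arm64 timing observation behind it, so consider asking for a serpent measurement on one architecture before taking the second flag, or taking only the wp512 line. Minor: the column legend writes nosched as "-O2 -no-schedule-insns" while the Makefile passes -fno-schedule-insns.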
@@ -2574,54 +1909,6 @@ index 004cf52d1b7d..c24b87819ccb 100644 -- 2.12.2 -From 3dc8f1e3a8f2cd8481578689f49c586184f25eed Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Fri, 3 Feb 2017 10:49:17 +0100 -Subject: [PATCH 046/251] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy -Content-Length: 1377 -Lines: 40 - -commit 906b268477bc03daaa04f739844c120fe4dbc991 upstream. - -kernelci.org reports a warning for this driver, as it copies a local -variable into a 'const char *' string: - - drivers/mtd/maps/pmcmsp-flash.c:149:30: warning: passing argument 1 of 'strncpy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] - -Using kstrndup() simplifies the code and avoids the warning. - -Signed-off-by: Arnd Bergmann -Acked-by: Marek Vasut -Signed-off-by: Brian Norris -Signed-off-by: Greg Kroah-Hartman ---- - drivers/mtd/maps/pmcmsp-flash.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/mtd/maps/pmcmsp-flash.c b/drivers/mtd/maps/pmcmsp-flash.c -index f9fa3fad728e..2051f28ddac6 100644 ---- a/drivers/mtd/maps/pmcmsp-flash.c -+++ b/drivers/mtd/maps/pmcmsp-flash.c -@@ -139,15 +139,13 @@ static int __init init_msp_flash(void) - } - - msp_maps[i].bankwidth = 1; -- msp_maps[i].name = kmalloc(7, GFP_KERNEL); -+ msp_maps[i].name = kstrndup(flash_name, 7, GFP_KERNEL); - if (!msp_maps[i].name) { - iounmap(msp_maps[i].virt); - kfree(msp_parts[i]); - goto cleanup_loop; - } - -- msp_maps[i].name = strncpy(msp_maps[i].name, flash_name, 7); -- - for (j = 0; j < pcnt; j++) { - part_name[5] = '0' + i; - part_name[7] = '0' + j; --- -2.12.2 - From 4b91e7a2a9a78b161caebfa5fcf6372a40161699 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Tue, 20 Dec 2016 19:12:46 +0100 
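Review bot: the pmcmsp-flash.c change in init_msp_flash() is described as only avoiding a -Wdiscarded-qualifiers warning, but it also changes behaviour. kmalloc(7) followed by strncpy(..., flash_name, 7) leaves msp_maps[i].name without a terminating NUL when flash_name is 7 characters or longer, while kstrndup(flash_name, 7, GFP_KERNEL) always terminates the copy. Worth saying so in the message, since that makes the entry a string-handling fix and not just a warning cleanup.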
@@ -3117,813 +2404,152 @@ Lines: 35 commit bf7165cfa23695c51998231c4efa080fe1d3548d upstream. -There are several trace include files that define TRACE_INCLUDE_FILE. - -Include several of them in the same .c file (as I currently have in -some code I am working on), and the compile will blow up with a -"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls" - -Every other include file in include/trace/events/ avoids that issue -by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h -should have one, too. - -Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com - -Fixes: b8007ef74222 ("tracing: Separate raw syscall from syscall tracer") -Signed-off-by: Rik van Riel -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Greg Kroah-Hartman ---- - include/trace/events/syscalls.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/trace/events/syscalls.h b/include/trace/events/syscalls.h -index 14e49c798135..b35533b94277 100644 ---- a/include/trace/events/syscalls.h -+++ b/include/trace/events/syscalls.h -@@ -1,5 +1,6 @@ - #undef TRACE_SYSTEM - #define TRACE_SYSTEM raw_syscalls -+#undef TRACE_INCLUDE_FILE - #define TRACE_INCLUDE_FILE syscalls - - #if !defined(_TRACE_EVENTS_SYSCALLS_H) || defined(TRACE_HEADER_MULTI_READ) --- -2.12.2 - -From 2ca39d1300152e70977797c3e39c105adfcc0e0b Mon Sep 17 00:00:00 2001 -From: Ravi Bangoria -Date: Tue, 14 Feb 2017 14:46:42 +0530 -Subject: [PATCH 054/251] powerpc: Emulation support for load/store - instructions on LE -Content-Length: 3197 -Lines: 106 - -commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream. - -emulate_step() uses a number of underlying kernel functions that were -initially not enabled for LE. This has been rectified since. So, fix -emulate_step() for LE for the corresponding instructions. 
- -Reported-by: Anton Blanchard -Signed-off-by: Ravi Bangoria -Signed-off-by: Michael Ellerman -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/lib/sstep.c | 20 -------------------- - 1 file changed, 20 deletions(-) - -diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c -index dc885b30f7a6..4014881e9843 100644 ---- a/arch/powerpc/lib/sstep.c -+++ b/arch/powerpc/lib/sstep.c -@@ -1806,8 +1806,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto instr_done; - - case LARX: -- if (regs->msr & MSR_LE) -- return 0; - if (op.ea & (size - 1)) - break; /* can't handle misaligned */ - err = -EFAULT; -@@ -1829,8 +1827,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto ldst_done; - - case STCX: -- if (regs->msr & MSR_LE) -- return 0; - if (op.ea & (size - 1)) - break; /* can't handle misaligned */ - err = -EFAULT; -@@ -1854,8 +1850,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto ldst_done; - - case LOAD: -- if (regs->msr & MSR_LE) -- return 0; - err = read_mem(®s->gpr[op.reg], op.ea, size, regs); - if (!err) { - if (op.type & SIGNEXT) -@@ -1867,8 +1861,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - - #ifdef CONFIG_PPC_FPU - case LOAD_FP: -- if (regs->msr & MSR_LE) -- return 0; - if (size == 4) - err = do_fp_load(op.reg, do_lfs, op.ea, size, regs); - else -@@ -1877,15 +1869,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - #endif - #ifdef CONFIG_ALTIVEC - case LOAD_VMX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs); - goto ldst_done; - #endif - #ifdef CONFIG_VSX - case LOAD_VSX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs); - goto ldst_done; - #endif -@@ -1908,8 +1896,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - goto instr_done; - - case STORE: -- if (regs->msr & MSR_LE) -- return 0; - if 
((op.type & UPDATE) && size == sizeof(long) && - op.reg == 1 && op.update_reg == 1 && - !(regs->msr & MSR_PR) && -@@ -1922,8 +1908,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - - #ifdef CONFIG_PPC_FPU - case STORE_FP: -- if (regs->msr & MSR_LE) -- return 0; - if (size == 4) - err = do_fp_store(op.reg, do_stfs, op.ea, size, regs); - else -@@ -1932,15 +1916,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) - #endif - #ifdef CONFIG_ALTIVEC - case STORE_VMX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs); - goto ldst_done; - #endif - #ifdef CONFIG_VSX - case STORE_VSX: -- if (regs->msr & MSR_LE) -- return 0; - err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs); - goto ldst_done; - #endif --- -2.12.2 - -From f47b97f2cdaa42b211299bac93d0a2ba0f617b9e Mon Sep 17 00:00:00 2001 -From: Peter Chen -Date: Tue, 28 Feb 2017 14:25:45 +0800 -Subject: [PATCH 055/251] usb: gadget: dummy_hcd: clear usb_gadget region - before registration -Content-Length: 4651 -Lines: 77 - -commit 5bbc852676ae08e818241cf66a3ffe4be44225c4 upstream. - -When the user does device unbind and rebind test, the kernel will -show below dump due to usb_gadget memory region is dirty after unbind. -Clear usb_gadget region for every new probe. - -root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind -[ 102.523312] kobject (eddd78b0): tried to init an initialized object, something is seriously wrong. 
-[ 102.532447] CPU: 0 PID: 734 Comm: sh Not tainted 4.10.0-rc7-00872-g1b2b8e9 #1298 -[ 102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree) -[ 102.545717] Backtrace: -[ 102.548225] [] (dump_backtrace) from [] (show_stack+0x18/0x1c) -[ 102.555822] r7:ede34000 r6:60010013 r5:00000000 r4:c0f29418 -[ 102.561512] [] (show_stack) from [] (dump_stack+0xb4/0xe8) -[ 102.568764] [] (dump_stack) from [] (kobject_init+0x80/0x9c) -[ 102.576187] r10:0000001f r9:eddd7000 r8:eeaf8c10 r7:eddd78a8 r6:c177891c r5:c0f3b060 -[ 102.584036] r4:eddd78b0 r3:00000000 -[ 102.587641] [] (kobject_init) from [] (device_initialize+0x28/0xf8) -[ 102.595665] r5:eebc4800 r4:eddd78a8 -[ 102.599268] [] (device_initialize) from [] (device_register+0x14/0x20) -[ 102.607556] r7:eddd78a8 r6:00000000 r5:eebc4800 r4:eddd78a8 -[ 102.613256] [] (device_register) from [] (usb_add_gadget_udc_release+0x8c/0x1ec) -[ 102.622410] r5:eebc4800 r4:eddd7860 -[ 102.626015] [] (usb_add_gadget_udc_release) from [] (usb_add_gadget_udc+0x14/0x18) -[ 102.635351] r10:0000001f r9:eddd7000 r8:eddd788c r7:bf003770 r6:eddd77f8 r5:eddd7818 -[ 102.643198] r4:eddd785c r3:eddd7b24 -[ 102.646834] [] (usb_add_gadget_udc) from [] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd]) -[ 102.656458] [] (dummy_udc_probe [dummy_hcd]) from [] (platform_drv_probe+0x54/0xb8) -[ 102.665881] r10:00000008 r9:c1778960 r8:bf004128 r7:fffffdfb r6:bf004128 r5:eeaf8c10 -[ 102.673727] r4:eeaf8c10 -[ 102.676293] [] (platform_drv_probe) from [] (driver_probe_device+0x264/0x474) -[ 102.685186] r7:00000000 r6:00000000 r5:c1778960 r4:eeaf8c10 -[ 102.690876] [] (driver_probe_device) from [] (bind_store+0xb8/0x14c) -[ 102.698994] r10:eeb3bb4c r9:ede34000 r8:0000000c r7:eeaf8c44 r6:bf004128 r5:c0f3b668 -[ 102.706840] r4:eeaf8c10 -[ 102.709402] [] (bind_store) from [] (drv_attr_store+0x28/0x34) -[ 102.716998] r9:ede34000 r8:00000000 r7:ee3863c0 r6:ee3863c0 r5:c0538c80 r4:c053970c -[ 102.724776] [] (drv_attr_store) from [] (sysfs_kf_write+0x50/0x54) -[ 
102.732711] r5:c0538c80 r4:0000000c -[ 102.736313] [] (sysfs_kf_write) from [] (kernfs_fop_write+0x100/0x214) -[ 102.744599] r7:ee3863c0 r6:eeb3bb40 r5:00000000 r4:00000000 -[ 102.750287] [] (kernfs_fop_write) from [] (__vfs_write+0x34/0x120) -[ 102.758231] r10:00000000 r9:ede34000 r8:c0108bc4 r7:0000000c r6:ede35f80 r5:c029bd84 -[ 102.766077] r4:ee223780 -[ 102.768638] [] (__vfs_write) from [] (vfs_write+0xa8/0x170) -[ 102.775974] r9:ede34000 r8:c0108bc4 r7:ede35f80 r6:01861cb0 r5:ee223780 r4:0000000c -[ 102.783743] [] (vfs_write) from [] (SyS_write+0x4c/0xa8) -[ 102.790818] r9:ede34000 r8:c0108bc4 r7:0000000c r6:01861cb0 r5:ee223780 r4:ee223780 -[ 102.798595] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) -[ 102.806188] r7:00000004 r6:b6e83d58 r5:01861cb0 r4:0000000c - -Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") -Acked-by: Alan Stern -Signed-off-by: Peter Chen -Tested-by: Xiaolong Ye -Reported-by: Fengguang Wu -Signed-off-by: Felipe Balbi -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/udc/dummy_hcd.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c -index 22d067cd5aa3..6610f7a023d3 100644 ---- a/drivers/usb/gadget/udc/dummy_hcd.c -+++ b/drivers/usb/gadget/udc/dummy_hcd.c -@@ -1033,6 +1033,8 @@ static int dummy_udc_probe(struct platform_device *pdev) - int rc; - - dum = *((void **)dev_get_platdata(&pdev->dev)); -+ /* Clear usb_gadget region for new registration to udc-core */ -+ memzero_explicit(&dum->gadget, sizeof(struct usb_gadget)); - dum->gadget.name = gadget_name; - dum->gadget.ops = &dummy_ops; - dum->gadget.max_speed = USB_SPEED_SUPER; --- -2.12.2 - -From 10af2485650387d928ad00ec7843d66b5b2a705f Mon Sep 17 00:00:00 2001 -From: Felipe Balbi -Date: Tue, 31 Jan 2017 13:24:54 +0200 -Subject: [PATCH 056/251] usb: dwc3: gadget: make Set Endpoint Configuration - macros safe -Content-Length: 2326 -Lines: 57 - -commit 
7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream. - -Some gadget drivers are bad, bad boys. We notice -that ADB was passing bad Burst Size which caused top -bits of param0 to be overwritten which confused DWC3 -when running this command. - -In order to avoid future issues, we're going to make -sure values passed by macros are always safe for the -controller. Note that ADB still needs a fix to *not* -pass bad values. - -Reported-by: Mohamed Abbas -Sugested-by: Adam Andruszak -Signed-off-by: Felipe Balbi -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/dwc3/gadget.h | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h -index 18ae3eaa8b6f..ccd9694f8e36 100644 ---- a/drivers/usb/dwc3/gadget.h -+++ b/drivers/usb/dwc3/gadget.h -@@ -28,23 +28,23 @@ struct dwc3; - #define gadget_to_dwc(g) (container_of(g, struct dwc3, gadget)) - - /* DEPCFG parameter 1 */ --#define DWC3_DEPCFG_INT_NUM(n) ((n) << 0) -+#define DWC3_DEPCFG_INT_NUM(n) (((n) & 0x1f) << 0) - #define DWC3_DEPCFG_XFER_COMPLETE_EN (1 << 8) - #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN (1 << 9) - #define DWC3_DEPCFG_XFER_NOT_READY_EN (1 << 10) - #define DWC3_DEPCFG_FIFO_ERROR_EN (1 << 11) - #define DWC3_DEPCFG_STREAM_EVENT_EN (1 << 13) --#define DWC3_DEPCFG_BINTERVAL_M1(n) ((n) << 16) -+#define DWC3_DEPCFG_BINTERVAL_M1(n) (((n) & 0xff) << 16) - #define DWC3_DEPCFG_STREAM_CAPABLE (1 << 24) --#define DWC3_DEPCFG_EP_NUMBER(n) ((n) << 25) -+#define DWC3_DEPCFG_EP_NUMBER(n) (((n) & 0x1f) << 25) - #define DWC3_DEPCFG_BULK_BASED (1 << 30) - #define DWC3_DEPCFG_FIFO_BASED (1 << 31) - - /* DEPCFG parameter 0 */ --#define DWC3_DEPCFG_EP_TYPE(n) ((n) << 1) --#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) ((n) << 3) --#define DWC3_DEPCFG_FIFO_NUMBER(n) ((n) << 17) --#define DWC3_DEPCFG_BURST_SIZE(n) ((n) << 22) -+#define DWC3_DEPCFG_EP_TYPE(n) (((n) & 0x3) << 1) -+#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) (((n) & 0x7ff) << 3) -+#define 
DWC3_DEPCFG_FIFO_NUMBER(n) (((n) & 0x1f) << 17) -+#define DWC3_DEPCFG_BURST_SIZE(n) (((n) & 0xf) << 22) - #define DWC3_DEPCFG_DATA_SEQ_NUM(n) ((n) << 26) - /* This applies for core versions earlier than 1.94a */ - #define DWC3_DEPCFG_IGN_SEQ_NUM (1 << 31) --- -2.12.2 - -From 4a1a3bb70fb4255a9f6052eb86db1ff2140255a6 Mon Sep 17 00:00:00 2001 -From: Felipe Balbi -Date: Tue, 31 Jan 2017 14:54:45 +0200 -Subject: [PATCH 057/251] usb: gadget: function: f_fs: pass companion - descriptor along -Content-Length: 1743 -Lines: 53 - -commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 upstream. - -If we're dealing with SuperSpeed endpoints, we need -to make sure to pass along the companion descriptor -and initialize fields needed by the Gadget -API. Eventually, f_fs.c should be converted to use -config_ep_by_speed() like all other functions, -though. - -Signed-off-by: Felipe Balbi -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/gadget/function/f_fs.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index cfda1a1c0ab6..9ad5145d3103 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -1643,11 +1643,14 @@ static int ffs_func_eps_enable(struct ffs_function *func) - spin_lock_irqsave(&func->ffs->eps_lock, flags); - do { - struct usb_endpoint_descriptor *ds; -+ struct usb_ss_ep_comp_descriptor *comp_desc = NULL; -+ int needs_comp_desc = false; - int desc_idx; - -- if (ffs->gadget->speed == USB_SPEED_SUPER) -+ if (ffs->gadget->speed == USB_SPEED_SUPER) { - desc_idx = 2; -- else if (ffs->gadget->speed == USB_SPEED_HIGH) -+ needs_comp_desc = true; -+ } else if (ffs->gadget->speed == USB_SPEED_HIGH) - desc_idx = 1; - else - desc_idx = 0; -@@ -1664,6 +1667,14 @@ static int ffs_func_eps_enable(struct ffs_function *func) - - ep->ep->driver_data = ep; - ep->ep->desc = ds; -+ -+ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + -+ 
USB_DT_ENDPOINT_SIZE); -+ ep->ep->maxburst = comp_desc->bMaxBurst + 1; -+ -+ if (needs_comp_desc) -+ ep->ep->comp_desc = comp_desc; -+ - ret = usb_ep_enable(ep->ep); - if (likely(!ret)) { - epfile->ep = ep; --- -2.12.2 - -From 40c5634ffe3dd484d633dafc1d32e0c87d67d23a Mon Sep 17 00:00:00 2001 -From: Peter Chen -Date: Thu, 9 Mar 2017 15:39:36 +0200 -Subject: [PATCH 058/251] usb: host: xhci-dbg: HCIVERSION should be a binary - number -Content-Length: 1211 -Lines: 30 - -commit f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 upstream. - -According to xHCI spec, HCIVERSION containing a BCD encoding -of the xHCI specification revision number, 0100h corresponds -to xHCI version 1.0. Change "100" as "0x100". - -Cc: Lu Baolu -Fixes: 04abb6de2825 ("xhci: Read and parse new xhci 1.1 capability register") -Signed-off-by: Peter Chen -Signed-off-by: Mathias Nyman -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/host/xhci-dbg.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/usb/host/xhci-dbg.c b/drivers/usb/host/xhci-dbg.c -index 74c42f722678..3425154baf8b 100644 ---- a/drivers/usb/host/xhci-dbg.c -+++ b/drivers/usb/host/xhci-dbg.c -@@ -111,7 +111,7 @@ static void xhci_print_cap_regs(struct xhci_hcd *xhci) - xhci_dbg(xhci, "RTSOFF 0x%x:\n", temp & RTSOFF_MASK); - - /* xhci 1.1 controllers have the HCCPARAMS2 register */ -- if (hci_version > 100) { -+ if (hci_version > 0x100) { - temp = readl(&xhci->cap_regs->hcc_params2); - xhci_dbg(xhci, "HCC PARAMS2 0x%x:\n", (unsigned int) temp); - xhci_dbg(xhci, " HC %s Force save context capability", --- -2.12.2 - -From cf09c7d60ccc8189cd8e313ae83b8d377fa67359 Mon Sep 17 00:00:00 2001 -From: Guenter Roeck -Date: Thu, 9 Mar 2017 15:39:37 +0200 -Subject: [PATCH 059/251] usb: host: xhci-plat: Fix timeout on removal of hot - pluggable xhci controllers -Content-Length: 1413 -Lines: 38 - -commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream. 
- -Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of -PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI -xhci controllers which can result in excessive timeouts, to the point where -the system reports a deadlock. - -The same problem is seen with hot pluggable xhci controllers using the -xhci-plat driver, such as the driver used for Type-C ports on rk3399. -Similar to hot-pluggable PCI controllers, the driver for this chip -removes the xhci controller from the system when the Type-C cable is -disconnected. - -The solution for PCI devices works just as well for non-PCI devices -and avoids the problem. - -Signed-off-by: Guenter Roeck -Signed-off-by: Mathias Nyman -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/host/xhci-plat.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c -index 19cb32a65161..268829db9e88 100644 ---- a/drivers/usb/host/xhci-plat.c -+++ b/drivers/usb/host/xhci-plat.c -@@ -213,6 +213,8 @@ static int xhci_plat_remove(struct platform_device *dev) - struct xhci_hcd *xhci = hcd_to_xhci(hcd); - struct clk *clk = xhci->clk; - -+ xhci->xhc_state |= XHCI_STATE_REMOVING; -+ - usb_remove_hcd(xhci->shared_hcd); - usb_phy_shutdown(hcd->usb_phy); - --- -2.12.2 - -From 3cdc94638746eab168accf0f808a83e59fe1ca67 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 6 Mar 2017 17:36:41 +0100 -Subject: [PATCH 060/251] USB: serial: safe_serial: fix information leak in - completion handler -Content-Length: 1033 -Lines: 33 - -commit 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream. - -Add missing sanity check to the bulk-in completion handler to avoid an -integer underflow that could be triggered by a malicious device. - -This avoids leaking up to 56 bytes from after the URB transfer buffer to -user space. 
- -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/safe_serial.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/usb/serial/safe_serial.c b/drivers/usb/serial/safe_serial.c -index b2dff0f14743..236ea43f7815 100644 ---- a/drivers/usb/serial/safe_serial.c -+++ b/drivers/usb/serial/safe_serial.c -@@ -205,6 +205,11 @@ static void safe_process_read_urb(struct urb *urb) - if (!safe) - goto out; - -+ if (length < 2) { -+ dev_err(&port->dev, "malformed packet\n"); -+ return; -+ } -+ - fcs = fcs_compute10(data, length, CRC10_INITFCS); - if (fcs) { - dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs); --- -2.12.2 - -From 54f11a9662b632defe4d75c7574fddbc5c503c9c Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 6 Mar 2017 17:36:38 +0100 -Subject: [PATCH 061/251] USB: serial: omninet: fix reference leaks at open -Content-Length: 1124 -Lines: 33 - -commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream. - -This driver needlessly took another reference to the tty on open, a -reference which was then never released on close. This lead to not just -a leak of the tty, but also a driver reference leak that prevented the -driver from being unloaded after a port had once been opened. 
- -Fixes: 4a90f09b20f4 ("tty: usb-serial krefs") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/omninet.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c -index a180b17d2432..76564b3bebb9 100644 ---- a/drivers/usb/serial/omninet.c -+++ b/drivers/usb/serial/omninet.c -@@ -142,12 +142,6 @@ static int omninet_port_remove(struct usb_serial_port *port) - - static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port) - { -- struct usb_serial *serial = port->serial; -- struct usb_serial_port *wport; -- -- wport = serial->port[1]; -- tty_port_tty_set(&wport->port, tty); -- - return usb_serial_generic_open(tty, port); - } - --- -2.12.2 - -From 179295c38d23874357ca75af104fd6f1fe769cfd Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Tue, 7 Mar 2017 16:11:03 +0100 -Subject: [PATCH 062/251] USB: iowarrior: fix NULL-deref at probe -Content-Length: 1947 -Lines: 51 - -commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream. - -Make sure to check for the required interrupt-in endpoint to avoid -dereferencing a NULL-pointer should a malicious device lack such an -endpoint. - -Note that a fairly recent change purported to fix this issue, but added -an insufficient test on the number of endpoints only, a test which can -now be removed. 
- -Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors") -Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/misc/iowarrior.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c -index 1950e87b4219..e4d17878743e 100644 ---- a/drivers/usb/misc/iowarrior.c -+++ b/drivers/usb/misc/iowarrior.c -@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_interface *interface, - iface_desc = interface->cur_altsetting; - dev->product_id = le16_to_cpu(udev->descriptor.idProduct); - -- if (iface_desc->desc.bNumEndpoints < 1) { -- dev_err(&interface->dev, "Invalid number of endpoints\n"); -- retval = -EINVAL; -- goto error; -- } -- - /* set up the endpoint information */ - for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { - endpoint = &iface_desc->endpoint[i].desc; -@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_interface *interface, - /* this one will match for the IOWarrior56 only */ - dev->int_out_endpoint = endpoint; - } -+ -+ if (!dev->int_in_endpoint) { -+ dev_err(&interface->dev, "no interrupt-in endpoint found\n"); -+ retval = -ENODEV; -+ goto error; -+ } -+ - /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ - dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); - if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && --- -2.12.2 - -From 6498086195b9d6939293d35e93b804228158eb7f Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Tue, 7 Mar 2017 16:11:04 +0100 -Subject: [PATCH 063/251] USB: iowarrior: fix NULL-deref in write -Content-Length: 1244 -Lines: 34 - -commit de46e56653de7b3b54baa625bd582635008b8d05 upstream. 
- -Make sure to verify that we have the required interrupt-out endpoint for -IOWarrior56 devices to avoid dereferencing a NULL-pointer in write -should a malicious device lack such an endpoint. - -Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/misc/iowarrior.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c -index e4d17878743e..775690bed4c0 100644 ---- a/drivers/usb/misc/iowarrior.c -+++ b/drivers/usb/misc/iowarrior.c -@@ -804,6 +804,14 @@ static int iowarrior_probe(struct usb_interface *interface, - goto error; - } - -+ if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) { -+ if (!dev->int_out_endpoint) { -+ dev_err(&interface->dev, "no interrupt-out endpoint found\n"); -+ retval = -ENODEV; -+ goto error; -+ } -+ } -+ - /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ - dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); - if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && --- -2.12.2 - -From e71c7bad68449a59e4e411257420916397cdff85 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 6 Mar 2017 17:36:37 +0100 -Subject: [PATCH 064/251] USB: serial: io_ti: fix NULL-deref in interrupt - callback -Content-Length: 1115 -Lines: 32 - -commit 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream. - -Fix a NULL-pointer dereference in the interrupt callback should a -malicious device send data containing a bad port number by adding the -missing sanity check. 
- -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/io_ti.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c -index c02808a30436..67d68b502a51 100644 ---- a/drivers/usb/serial/io_ti.c -+++ b/drivers/usb/serial/io_ti.c -@@ -1674,6 +1674,12 @@ static void edge_interrupt_callback(struct urb *urb) - function = TIUMP_GET_FUNC_FROM_CODE(data[0]); - dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__, - port_number, function, data[1]); -+ -+ if (port_number >= edge_serial->serial->num_ports) { -+ dev_err(dev, "bad port number %d\n", port_number); -+ goto exit; -+ } -+ - port = edge_serial->serial->port[port_number]; - edge_port = usb_get_serial_port_data(port); - if (!edge_port) { --- -2.12.2 - -From 72bb2b96b8568a74f28e2a2c39e005583595b2c2 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Mon, 6 Mar 2017 17:36:40 +0100 -Subject: [PATCH 065/251] USB: serial: io_ti: fix information leak in - completion handler -Content-Length: 1156 -Lines: 31 - -commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream. - -Add missing sanity check to the bulk-in completion handler to avoid an -integer underflow that can be triggered by a malicious device. - -This avoids leaking 128 kB of memory content from after the URB transfer -buffer to user space. 
- -Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/io_ti.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c -index 67d68b502a51..f1a8fdcd8674 100644 ---- a/drivers/usb/serial/io_ti.c -+++ b/drivers/usb/serial/io_ti.c -@@ -1761,7 +1761,7 @@ static void edge_bulk_in_callback(struct urb *urb) - - port_number = edge_port->port->port_number; - -- if (edge_port->lsr_event) { -+ if (urb->actual_length > 0 && edge_port->lsr_event) { - edge_port->lsr_event = 0; - dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n", - __func__, port_number, edge_port->lsr_mask, *data); --- -2.12.2 - -From 72ca0ab30680571295c97b6a0d87b56d1212c417 Mon Sep 17 00:00:00 2001 -From: Krzysztof Kozlowski -Date: Sat, 25 Feb 2017 18:36:44 +0200 -Subject: [PATCH 066/251] serial: samsung: Continue to work if DMA request - fails -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 1564 -Lines: 42 - -commit f98c7bce570bdbe344b74ff5daa7dfeef3f22929 upstream. +There are several trace include files that define TRACE_INCLUDE_FILE. -If DMA is not available (even when configured in DeviceTree), the driver -will fail the startup procedure thus making serial console not -available. +Include several of them in the same .c file (as I currently have in +some code I am working on), and the compile will blow up with a +"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls" -For example this causes boot failure on QEMU ARMv7 (Exynos4210, SMDKC210): - [    1.302575] OF: amba_device_add() failed (-19) for /amba/pdma@12680000 - ... 
- [   11.435732] samsung-uart 13800000.serial: DMA request failed - [   72.963893] samsung-uart 13800000.serial: DMA request failed - [   73.143361] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000 +Every other include file in include/trace/events/ avoids that issue +by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h +should have one, too. -DMA is not necessary for serial to work, so continue with UART startup -after emitting a warning. +Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com -Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions") -Signed-off-by: Krzysztof Kozlowski +Fixes: b8007ef74222 ("tracing: Separate raw syscall from syscall tracer") +Signed-off-by: Rik van Riel +Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman --- - drivers/tty/serial/samsung.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) + include/trace/events/syscalls.h | 1 + + 1 file changed, 1 insertion(+) -diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c -index 237ef5573c18..6deb06147202 100644 ---- a/drivers/tty/serial/samsung.c -+++ b/drivers/tty/serial/samsung.c -@@ -1030,8 +1030,10 @@ static int s3c64xx_serial_startup(struct uart_port *port) - if (ourport->dma) { - ret = s3c24xx_serial_request_dma(ourport); - if (ret < 0) { -- dev_warn(port->dev, "DMA request failed\n"); -- return ret; -+ dev_warn(port->dev, -+ "DMA request failed, DMA will not be used\n"); -+ devm_kfree(port->dev, ourport->dma); -+ ourport->dma = NULL; - } - } +diff --git a/include/trace/events/syscalls.h b/include/trace/events/syscalls.h +index 14e49c798135..b35533b94277 100644 +--- a/include/trace/events/syscalls.h ++++ b/include/trace/events/syscalls.h +@@ -1,5 +1,6 @@ + #undef TRACE_SYSTEM + #define TRACE_SYSTEM raw_syscalls ++#undef TRACE_INCLUDE_FILE + #define TRACE_INCLUDE_FILE syscalls + #if !defined(_TRACE_EVENTS_SYSCALLS_H) || defined(TRACE_HEADER_MULTI_READ) -- 2.12.2 -From 61fbad6a28fd3c80567cc615e2de6bd6476ab60c Mon Sep 17 00:00:00 2001 -From: Luis de Bethencourt -Date: Mon, 30 Nov 2015 14:32:17 +0000 -Subject: [PATCH 067/251] mvsas: fix misleading indentation -Content-Length: 1232 -Lines: 34 - -commit 7789cd39274c51bf475411fe22a8ee7255082809 upstream. +From 2ca39d1300152e70977797c3e39c105adfcc0e0b Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 14 Feb 2017 14:46:42 +0530 +Subject: [PATCH 054/251] powerpc: Emulation support for load/store + instructions on LE +Content-Length: 3197 +Lines: 106 -Fix a smatch warning: -drivers/scsi/mvsas/mv_sas.c:740 mvs_task_prep() warn: curly braces intended? +commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream. -The code is correct, the indention is misleading. 
When the device is not -ready we want to return SAS_PHY_DOWN. But current indentation makes it -look like we only do so in the else branch of if (mvi_dev). +emulate_step() uses a number of underlying kernel functions that were +initially not enabled for LE. This has been rectified since. So, fix +emulate_step() for LE for the corresponding instructions. -Signed-off-by: Luis de Bethencourt -Reviewed-by: Johannes Thumshirn -Signed-off-by: Martin K. Petersen +Reported-by: Anton Blanchard +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman --- - drivers/scsi/mvsas/mv_sas.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + arch/powerpc/lib/sstep.c | 20 -------------------- + 1 file changed, 20 deletions(-) -diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c -index 9c780740fb82..e712fe745955 100644 ---- a/drivers/scsi/mvsas/mv_sas.c -+++ b/drivers/scsi/mvsas/mv_sas.c -@@ -737,8 +737,8 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf - mv_dprintk("device %016llx not ready.\n", - SAS_ADDR(dev->sas_addr)); - -- rc = SAS_PHY_DOWN; -- return rc; -+ rc = SAS_PHY_DOWN; -+ return rc; - } - tei.port = dev->port->lldd_port; - if (tei.port && !tei.port->port_attached && !tmf) { +diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c +index dc885b30f7a6..4014881e9843 100644 +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -1806,8 +1806,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + goto instr_done; + + case LARX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1829,8 +1827,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + goto ldst_done; + + case STCX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1854,8 +1850,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + goto ldst_done; + + case LOAD: +- if (regs->msr & MSR_LE) +- return 0; + err = read_mem(®s->gpr[op.reg], op.ea, size, regs); + if (!err) { + if (op.type & SIGNEXT) +@@ -1867,8 +1861,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + + #ifdef CONFIG_PPC_FPU + case LOAD_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_load(op.reg, do_lfs, op.ea, size, regs); + else +@@ -1877,15 +1869,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned 
int instr) + #endif + #ifdef CONFIG_ALTIVEC + case LOAD_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case LOAD_VSX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs); + goto ldst_done; + #endif +@@ -1908,8 +1896,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + goto instr_done; + + case STORE: +- if (regs->msr & MSR_LE) +- return 0; + if ((op.type & UPDATE) && size == sizeof(long) && + op.reg == 1 && op.update_reg == 1 && + !(regs->msr & MSR_PR) && +@@ -1922,8 +1908,6 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + + #ifdef CONFIG_PPC_FPU + case STORE_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_store(op.reg, do_stfs, op.ea, size, regs); + else +@@ -1932,15 +1916,11 @@ int __kprobes emulate_step(struct pt_regs *regs, unsigned int instr) + #endif + #ifdef CONFIG_ALTIVEC + case STORE_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case STORE_VSX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs); + goto ldst_done; + #endif -- 2.12.2 
@@ -4111,429 +2737,6 @@ index 171e09bb8ea2..f7c3a61040bd 100644 -- 2.12.2 -From 66dd58f56eabe2795ed8f83a8480f0e8aace908f Mon Sep 17 00:00:00 2001 -From: Dan Williams -Date: Tue, 28 Feb 2017 18:32:48 -0800 -Subject: [PATCH 070/251] nfit, libnvdimm: fix interleave set cookie - calculation -Content-Length: 6812 -Lines: 182 - -commit 86ef58a4e35e8fa66afb5898cf6dec6a3bb29f67 upstream. - -The interleave-set cookie is a sum that sanity checks the composition of -an interleave set has not changed from when the namespace was initially -created. The checksum is calculated by sorting the DIMMs by their -location in the interleave-set. The comparison for the sort must be -64-bit wide, not byte-by-byte as performed by memcmp() in the broken -case. - -Fix the implementation to accept correct cookie values in addition to -the Linux "memcmp" order cookies, but only allow correct cookies to be -generated going forward. It does mean that namespaces created by -third-party-tooling, or created by newer kernels with this fix, will not -validate on older kernels. However, there are a couple mitigating -conditions: - - 1/ platforms with namespace-label capable NVDIMMs are not widely - available. - - 2/ interleave-sets with a single-dimm are by definition not affected - (nothing to sort). This covers the QEMU-KVM NVDIMM emulation case. - -The cookie stored in the namespace label will be fixed by any write the -namespace label, the most straightforward way to achieve this is to -write to the "alt_name" attribute of a namespace in sysfs. 
- -Fixes: eaf961536e16 ("libnvdimm, nfit: add interleave-set state-tracking infrastructure") -Reported-by: Nicholas Moulin -Tested-by: Nicholas Moulin -Signed-off-by: Dan Williams -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/nfit.c | 16 +++++++++++++++- - drivers/nvdimm/namespace_devs.c | 28 +++++++++++++++++++++------- - drivers/nvdimm/nd.h | 1 + - drivers/nvdimm/region_devs.c | 9 +++++++++ - include/linux/libnvdimm.h | 2 ++ - 5 files changed, 48 insertions(+), 8 deletions(-) - -diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c -index c097f477c74c..14c2a07c9f3f 100644 ---- a/drivers/acpi/nfit.c -+++ b/drivers/acpi/nfit.c -@@ -965,7 +965,7 @@ static size_t sizeof_nfit_set_info(int num_mappings) - + num_mappings * sizeof(struct nfit_set_info_map); - } - --static int cmp_map(const void *m0, const void *m1) -+static int cmp_map_compat(const void *m0, const void *m1) - { - const struct nfit_set_info_map *map0 = m0; - const struct nfit_set_info_map *map1 = m1; -@@ -974,6 +974,14 @@ static int cmp_map(const void *m0, const void *m1) - sizeof(u64)); - } - -+static int cmp_map(const void *m0, const void *m1) -+{ -+ const struct nfit_set_info_map *map0 = m0; -+ const struct nfit_set_info_map *map1 = m1; -+ -+ return map0->region_offset - map1->region_offset; -+} -+ - /* Retrieve the nth entry referencing this spa */ - static struct acpi_nfit_memory_map *memdev_from_spa( - struct acpi_nfit_desc *acpi_desc, u16 range_index, int n) -@@ -1029,6 +1037,12 @@ static int acpi_nfit_init_interleave_set(struct acpi_nfit_desc *acpi_desc, - sort(&info->mapping[0], nr, sizeof(struct nfit_set_info_map), - cmp_map, NULL); - nd_set->cookie = nd_fletcher64(info, sizeof_nfit_set_info(nr), 0); -+ -+ /* support namespaces created with the wrong sort order */ -+ sort(&info->mapping[0], nr, sizeof(struct nfit_set_info_map), -+ cmp_map_compat, NULL); -+ nd_set->altcookie = nd_fletcher64(info, sizeof_nfit_set_info(nr), 0); -+ - ndr_desc->nd_set = nd_set; - devm_kfree(dev, info); - 
-diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c -index 62120c38d56b..aae7379af4e4 100644 ---- a/drivers/nvdimm/namespace_devs.c -+++ b/drivers/nvdimm/namespace_devs.c -@@ -1534,6 +1534,7 @@ static int select_pmem_id(struct nd_region *nd_region, u8 *pmem_id) - static int find_pmem_label_set(struct nd_region *nd_region, - struct nd_namespace_pmem *nspm) - { -+ u64 altcookie = nd_region_interleave_set_altcookie(nd_region); - u64 cookie = nd_region_interleave_set_cookie(nd_region); - struct nd_namespace_label *nd_label; - u8 select_id[NSLABEL_UUID_LEN]; -@@ -1542,8 +1543,10 @@ static int find_pmem_label_set(struct nd_region *nd_region, - int rc = -ENODEV, l; - u16 i; - -- if (cookie == 0) -+ if (cookie == 0) { -+ dev_dbg(&nd_region->dev, "invalid interleave-set-cookie\n"); - return -ENXIO; -+ } - - /* - * Find a complete set of labels by uuid. By definition we can start -@@ -1552,13 +1555,24 @@ static int find_pmem_label_set(struct nd_region *nd_region, - for_each_label(l, nd_label, nd_region->mapping[0].labels) { - u64 isetcookie = __le64_to_cpu(nd_label->isetcookie); - -- if (isetcookie != cookie) -- continue; -+ if (isetcookie != cookie) { -+ dev_dbg(&nd_region->dev, "invalid cookie in label: %pUb\n", -+ nd_label->uuid); -+ if (isetcookie != altcookie) -+ continue; -+ -+ dev_dbg(&nd_region->dev, "valid altcookie in label: %pUb\n", -+ nd_label->uuid); -+ } -+ -+ for (i = 0; nd_region->ndr_mappings; i++) { -+ if (has_uuid_at_pos(nd_region, nd_label->uuid, cookie, i)) -+ continue; -+ if (has_uuid_at_pos(nd_region, nd_label->uuid, altcookie, i)) -+ continue; -+ break; -+ } - -- for (i = 0; nd_region->ndr_mappings; i++) -- if (!has_uuid_at_pos(nd_region, nd_label->uuid, -- cookie, i)) -- break; - if (i < nd_region->ndr_mappings) { - /* - * Give up if we don't find an instance of a -diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h -index 417e521d299c..fc870e55bb66 100644 ---- a/drivers/nvdimm/nd.h -+++ b/drivers/nvdimm/nd.h -@@ -245,6 
+245,7 @@ struct nd_region *to_nd_region(struct device *dev); - int nd_region_to_nstype(struct nd_region *nd_region); - int nd_region_register_namespaces(struct nd_region *nd_region, int *err); - u64 nd_region_interleave_set_cookie(struct nd_region *nd_region); -+u64 nd_region_interleave_set_altcookie(struct nd_region *nd_region); - void nvdimm_bus_lock(struct device *dev); - void nvdimm_bus_unlock(struct device *dev); - bool is_nvdimm_bus_locked(struct device *dev); -diff --git a/drivers/nvdimm/region_devs.c b/drivers/nvdimm/region_devs.c -index 9521696c9385..dc2e919daa39 100644 ---- a/drivers/nvdimm/region_devs.c -+++ b/drivers/nvdimm/region_devs.c -@@ -379,6 +379,15 @@ u64 nd_region_interleave_set_cookie(struct nd_region *nd_region) - return 0; - } - -+u64 nd_region_interleave_set_altcookie(struct nd_region *nd_region) -+{ -+ struct nd_interleave_set *nd_set = nd_region->nd_set; -+ -+ if (nd_set) -+ return nd_set->altcookie; -+ return 0; -+} -+ - /* - * Upon successful probe/remove, take/release a reference on the - * associated interleave set (if present), and plant new btt + namespace -diff --git a/include/linux/libnvdimm.h b/include/linux/libnvdimm.h -index 3f021dc5da8c..30201b9be7bc 100644 ---- a/include/linux/libnvdimm.h -+++ b/include/linux/libnvdimm.h -@@ -83,6 +83,8 @@ struct nd_cmd_desc { - - struct nd_interleave_set { - u64 cookie; -+ /* compatibility with initial buggy Linux implementation */ -+ u64 altcookie; - }; - - struct nd_region_desc { --- -2.12.2 - -From cd8ad4d9eb6d9ee04e77b42c6a7a15eabada85ac Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka -Date: Wed, 15 Feb 2017 11:26:10 -0500 -Subject: [PATCH 071/251] dm: flush queued bios when process blocks to avoid - deadlock -Content-Length: 3875 -Lines: 118 - -commit d67a5f4b5947aba4bfe9a80a2b86079c215ca755 upstream. 
- -Commit df2cb6daa4 ("block: Avoid deadlocks with bio allocation by -stacking drivers") created a workqueue for every bio set and code -in bio_alloc_bioset() that tries to resolve some low-memory deadlocks -by redirecting bios queued on current->bio_list to the workqueue if the -system is low on memory. However other deadlocks (see below **) may -happen, without any low memory condition, because generic_make_request -is queuing bios to current->bio_list (rather than submitting them). - -** the related dm-snapshot deadlock is detailed here: -https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html - -Fix this deadlock by redirecting any bios on current->bio_list to the -bio_set's rescue workqueue on every schedule() call. Consequently, -when the process blocks on a mutex, the bios queued on -current->bio_list are dispatched to independent workqueus and they can -complete without waiting for the mutex to be available. - -The structure blk_plug contains an entry cb_list and this list can contain -arbitrary callback functions that are called when the process blocks. -To implement this fix DM (ab)uses the onstack plug's cb_list interface -to get its flush_current_bio_list() called at schedule() time. - -This fixes the snapshot deadlock - if the map method blocks, -flush_current_bio_list() will be called and it redirects bios waiting -on current->bio_list to appropriate workqueues. 
- -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1267650 -Depends-on: df2cb6daa4 ("block: Avoid deadlocks with bio allocation by stacking drivers") -Signed-off-by: Mikulas Patocka -Signed-off-by: Mike Snitzer -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/dm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 55 insertions(+) - -diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 3384a3eef917..397f0454100b 100644 ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -1467,11 +1467,62 @@ void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors) - } - EXPORT_SYMBOL_GPL(dm_accept_partial_bio); - -+/* -+ * Flush current->bio_list when the target map method blocks. -+ * This fixes deadlocks in snapshot and possibly in other targets. -+ */ -+struct dm_offload { -+ struct blk_plug plug; -+ struct blk_plug_cb cb; -+}; -+ -+static void flush_current_bio_list(struct blk_plug_cb *cb, bool from_schedule) -+{ -+ struct dm_offload *o = container_of(cb, struct dm_offload, cb); -+ struct bio_list list; -+ struct bio *bio; -+ -+ INIT_LIST_HEAD(&o->cb.list); -+ -+ if (unlikely(!current->bio_list)) -+ return; -+ -+ list = *current->bio_list; -+ bio_list_init(current->bio_list); -+ -+ while ((bio = bio_list_pop(&list))) { -+ struct bio_set *bs = bio->bi_pool; -+ if (unlikely(!bs) || bs == fs_bio_set) { -+ bio_list_add(current->bio_list, bio); -+ continue; -+ } -+ -+ spin_lock(&bs->rescue_lock); -+ bio_list_add(&bs->rescue_list, bio); -+ queue_work(bs->rescue_workqueue, &bs->rescue_work); -+ spin_unlock(&bs->rescue_lock); -+ } -+} -+ -+static void dm_offload_start(struct dm_offload *o) -+{ -+ blk_start_plug(&o->plug); -+ o->cb.callback = flush_current_bio_list; -+ list_add(&o->cb.list, ¤t->plug->cb_list); -+} -+ -+static void dm_offload_end(struct dm_offload *o) -+{ -+ list_del(&o->cb.list); -+ blk_finish_plug(&o->plug); -+} -+ - static void __map_bio(struct dm_target_io *tio) - { - int r; - sector_t sector; - struct mapped_device *md; -+ 
struct dm_offload o; - struct bio *clone = &tio->clone; - struct dm_target *ti = tio->ti; - -@@ -1484,7 +1535,11 @@ static void __map_bio(struct dm_target_io *tio) - */ - atomic_inc(&tio->io->io_count); - sector = clone->bi_iter.bi_sector; -+ -+ dm_offload_start(&o); - r = ti->type->map(ti, clone); -+ dm_offload_end(&o); -+ - if (r == DM_MAPIO_REMAPPED) { - /* the bio has been remapped so dispatch it */ - --- -2.12.2 - -From 1c5265be54d32ee21128137ccdb6ecbab0458f07 Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Tue, 14 Feb 2017 11:31:15 -0500 -Subject: [PATCH 072/251] ext4: don't BUG when truncating encrypted inodes on - the orphan list -Content-Length: 4100 -Lines: 96 - -commit 0d06863f903ac5f4f6efb0273079d27de3e53a28 upstream. - -Fix a BUG when the kernel tries to mount a file system constructed as -follows: - -echo foo > foo.txt -mke2fs -Fq -t ext4 -O encrypt foo.img 100 -debugfs -w foo.img << EOF -write foo.txt a -set_inode_field a i_flags 0x80800 -set_super_value s_last_orphan 12 -quit -EOF - -root@kvm-xfstests:~# mount -o loop foo.img /mnt -[ 160.238770] ------------[ cut here ]------------ -[ 160.240106] kernel BUG at /usr/projects/linux/ext4/fs/ext4/inode.c:3874! 
-[ 160.240106] invalid opcode: 0000 [#1] SMP -[ 160.240106] Modules linked in: -[ 160.240106] CPU: 0 PID: 2547 Comm: mount Tainted: G W 4.10.0-rc3-00034-gcdd33b941b67 #227 -[ 160.240106] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014 -[ 160.240106] task: f4518000 task.stack: f47b6000 -[ 160.240106] EIP: ext4_block_zero_page_range+0x1a7/0x2b4 -[ 160.240106] EFLAGS: 00010246 CPU: 0 -[ 160.240106] EAX: 00000001 EBX: f7be4b50 ECX: f47b7dc0 EDX: 00000007 -[ 160.240106] ESI: f43b05a8 EDI: f43babec EBP: f47b7dd0 ESP: f47b7dac -[ 160.240106] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 -[ 160.240106] CR0: 80050033 CR2: bfd85b08 CR3: 34a00680 CR4: 000006f0 -[ 160.240106] Call Trace: -[ 160.240106] ext4_truncate+0x1e9/0x3e5 -[ 160.240106] ext4_fill_super+0x286f/0x2b1e -[ 160.240106] ? set_blocksize+0x2e/0x7e -[ 160.240106] mount_bdev+0x114/0x15f -[ 160.240106] ext4_mount+0x15/0x17 -[ 160.240106] ? ext4_calculate_overhead+0x39d/0x39d -[ 160.240106] mount_fs+0x58/0x115 -[ 160.240106] vfs_kern_mount+0x4b/0xae -[ 160.240106] do_mount+0x671/0x8c3 -[ 160.240106] ? _copy_from_user+0x70/0x83 -[ 160.240106] ? 
strndup_user+0x31/0x46 -[ 160.240106] SyS_mount+0x57/0x7b -[ 160.240106] do_int80_syscall_32+0x4f/0x61 -[ 160.240106] entry_INT80_32+0x2f/0x2f -[ 160.240106] EIP: 0xb76b919e -[ 160.240106] EFLAGS: 00000246 CPU: 0 -[ 160.240106] EAX: ffffffda EBX: 08053838 ECX: 08052188 EDX: 080537e8 -[ 160.240106] ESI: c0ed0000 EDI: 00000000 EBP: 080537e8 ESP: bfa13660 -[ 160.240106] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b -[ 160.240106] Code: 59 8b 00 a8 01 0f 84 09 01 00 00 8b 07 66 25 00 f0 66 3d 00 80 75 61 89 f8 e8 3e e2 ff ff 84 c0 74 56 83 bf 48 02 00 00 00 75 02 <0f> 0b 81 7d e8 00 10 00 00 74 02 0f 0b 8b 43 04 8b 53 08 31 c9 -[ 160.240106] EIP: ext4_block_zero_page_range+0x1a7/0x2b4 SS:ESP: 0068:f47b7dac -[ 160.317241] ---[ end trace d6a773a375c810a5 ]--- - -The problem is that when the kernel tries to truncate an inode in -ext4_truncate(), it tries to clear any on-disk data beyond i_size. -Without the encryption key, it can't do that, and so it triggers a -BUG. - -E2fsck does *not* provide this service, and in practice most file -systems have their orphan list processed by e2fsck, so to avoid -crashing, this patch skips this step if we don't have access to the -encryption key (which is the case when processing the orphan list; in -all other cases, we will have the encryption key, or the kernel -wouldn't have allowed the file to be opened). - -An open question is whether the fact that e2fsck isn't clearing the -bytes beyond i_size causing problems --- and if we've lived with it -not doing it for so long, can we drop this from the kernel replay of -the orphan list in all cases (not just when we don't have the key for -encrypted inodes). 
- -Addresses-Google-Bug: #35209576 - -Signed-off-by: Theodore Ts'o -Signed-off-by: Eric Biggers -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/inode.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index e0f862146793..7dcc97eadb12 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -3573,6 +3573,10 @@ static int ext4_block_truncate_page(handle_t *handle, - unsigned blocksize; - struct inode *inode = mapping->host; - -+ /* If we are processing an encrypted inode during orphan list handling */ -+ if (ext4_encrypted_inode(inode) && !ext4_has_encryption_key(inode)) -+ return 0; -+ - blocksize = inode->i_sb->s_blocksize; - length = blocksize - (offset & (blocksize - 1)); - --- -2.12.2 - From 28ec98bc2e4a175b60f45d505e715a33b93dd077 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 18 Mar 2017 19:10:23 +0800 
@@ -19105,106 +17308,6 @@ index a92979e704e3..e5ee4e9e0ea5 100644 -- 2.12.2 -From 84bd21a708b83a24d26cd0010ea94106c96557de Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" -Date: Thu, 23 Mar 2017 12:24:43 +0100 -Subject: [PATCH 250/251] padata: avoid race in reordering -Content-Length: 3216 -Lines: 92 - -commit de5540d088fe97ad583cc7d396586437b32149a5 upstream. - -Under extremely heavy uses of padata, crashes occur, and with list -debugging turned on, this happens instead: - -[87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33 -__list_add+0xae/0x130 -[87487.301868] list_add corruption. prev->next should be next -(ffffb17abfc043d0), but was ffff8dba70872c80. (prev=ffff8dba70872b00). -[87487.339011] [] dump_stack+0x68/0xa3 -[87487.342198] [] ? console_unlock+0x281/0x6d0 -[87487.345364] [] __warn+0xff/0x140 -[87487.348513] [] warn_slowpath_fmt+0x4a/0x50 -[87487.351659] [] __list_add+0xae/0x130 -[87487.354772] [] ? _raw_spin_lock+0x64/0x70 -[87487.357915] [] padata_reorder+0x1e6/0x420 -[87487.361084] [] padata_do_serial+0xa5/0x120 - -padata_reorder calls list_add_tail with the list to which its adding -locked, which seems correct: - -spin_lock(&squeue->serial.lock); -list_add_tail(&padata->list, &squeue->serial.list); -spin_unlock(&squeue->serial.lock); - -This therefore leaves only place where such inconsistency could occur: -if padata->list is added at the same time on two different threads. 
-This pdata pointer comes from the function call to -padata_get_next(pd), which has in it the following block: - -next_queue = per_cpu_ptr(pd->pqueue, cpu); -padata = NULL; -reorder = &next_queue->reorder; -if (!list_empty(&reorder->list)) { - padata = list_entry(reorder->list.next, - struct padata_priv, list); - spin_lock(&reorder->lock); - list_del_init(&padata->list); - atomic_dec(&pd->reorder_objects); - spin_unlock(&reorder->lock); - - pd->processed++; - - goto out; -} -out: -return padata; - -I strongly suspect that the problem here is that two threads can race -on reorder list. Even though the deletion is locked, call to -list_entry is not locked, which means it's feasible that two threads -pick up the same padata object and subsequently call list_add_tail on -them at the same time. The fix is thus be hoist that lock outside of -that block. - -Signed-off-by: Jason A. Donenfeld -Acked-by: Steffen Klassert -Signed-off-by: Herbert Xu -Signed-off-by: Greg Kroah-Hartman ---- - kernel/padata.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/kernel/padata.c b/kernel/padata.c -index b38bea9c466a..401227e3967c 100644 ---- a/kernel/padata.c -+++ b/kernel/padata.c -@@ -189,19 +189,20 @@ static struct padata_priv *padata_get_next(struct parallel_data *pd) - - reorder = &next_queue->reorder; - -+ spin_lock(&reorder->lock); - if (!list_empty(&reorder->list)) { - padata = list_entry(reorder->list.next, - struct padata_priv, list); - -- spin_lock(&reorder->lock); - list_del_init(&padata->list); - atomic_dec(&pd->reorder_objects); -- spin_unlock(&reorder->lock); - - pd->processed++; - -+ spin_unlock(&reorder->lock); - goto out; - } -+ spin_unlock(&reorder->lock); - - if (__this_cpu_read(pd->pqueue->cpu_index) == next_queue->cpu_index) { - padata = ERR_PTR(-ENODATA); --- -2.12.2 - From 8f8ee9706b0a64a3506b9d9789ace7c44f3d817d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 8 Apr 2017 09:53:53 +0200 
diff --git a/queue-3.18/xtensa-move-parse_tag_fdt-out-of-ifdef-config_blk_dev_initrd.patch b/queue-3.18/xtensa-move-parse_tag_fdt-out-of-ifdef-config_blk_dev_initrd.patch new file mode 100644 index 00000000000..32f76b907d5 --- /dev/null +++ b/queue-3.18/xtensa-move-parse_tag_fdt-out-of-ifdef-config_blk_dev_initrd.patch @@ -0,0 +1,41 @@ +From 4ab18701c66552944188dbcd0ce0012729baab84 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 3 Jan 2017 09:37:34 -0800 +Subject: xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD + +From: Max Filippov + +commit 4ab18701c66552944188dbcd0ce0012729baab84 upstream. + +FDT tag parsing is not related to whether BLK_DEV_INITRD is configured +or not, move it out of the corresponding #ifdef/#endif block. +This fixes passing external FDT to the kernel configured w/o +BLK_DEV_INITRD support. + +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/setup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/xtensa/kernel/setup.c ++++ b/arch/xtensa/kernel/setup.c +@@ -133,6 +133,8 @@ static int __init parse_tag_initrd(const + + __tagtable(BP_TAG_INITRD, parse_tag_initrd); + ++#endif /* CONFIG_BLK_DEV_INITRD */ ++ + #ifdef CONFIG_OF + + static int __init parse_tag_fdt(const bp_tag_t *tag) +@@ -145,8 +147,6 @@ __tagtable(BP_TAG_FDT, parse_tag_fdt); + + #endif /* CONFIG_OF */ + +-#endif /* CONFIG_BLK_DEV_INITRD */ +- + static int __init parse_tag_cmdline(const bp_tag_t* tag) + { + strlcpy(command_line, (char *)(tag->data), COMMAND_LINE_SIZE);
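Review bot: the powerpc patch drops every `if (regs->msr & MSR_LE) return 0;` guard in emulate_step() (arch/powerpc/lib/sstep.c) on the grounds that the underlying helpers "were initially not enabled for LE. This has been rectified since", but the commit message names none of the commits that did the rectifying. For a stable queue entry, list those prerequisites or confirm they are present in the target tree; without them the LARX, STCX, LOAD, STORE, FP, VMX and VSX cases now run on little-endian where the old code returned 0 instead of emulating.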
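Review bot: in the safe_process_read_urb() hunk of drivers/usb/serial/safe_serial.c, the new `length < 2` branch logs with plain dev_err() on a path the commit message says a malicious device can trigger, so such a device can flood the kernel log with short packets; dev_err_ratelimited() or dev_dbg() would be safer. The message also lacks the `%s - ` with `__func__` prefix used by the neighbouring "bad CRC" message, and a one-line comment saying what the minimum of 2 bytes corresponds to would make the bound checkable from the code alone.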
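Review bot: in edge_bulk_in_callback() (drivers/usb/serial/io_ti.c), the added `urb->actual_length > 0` test leaves edge_port->lsr_event set when an empty URB arrives, because the flag is only cleared inside the branch. The pending LSR status is then handled with whichever later transfer carries data. If that deferral is intended, say so in a comment; if not, clear lsr_event on the empty URB as well.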
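Review bot: the new cmp_map() in drivers/acpi/nfit.c returns `map0->region_offset - map1->region_offset` through an int return type. The commit message requires a 64-bit wide comparison (and cmp_map_compat compares sizeof(u64) bytes), so the difference is truncated: two offsets that differ only in their upper 32 bits compare as equal, and a difference of 2^31 or more can come back with the wrong sign, which gives sort() an inconsistent order and therefore a wrong cookie. Compare the two values explicitly and return -1, 0 or 1.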
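Review bot: in find_pmem_label_set() (drivers/nvdimm/namespace_devs.c), the rewritten loop keeps the condition `nd_region->ndr_mappings` instead of `i < nd_region->ndr_mappings`, so it ends only through the `break`, and has_uuid_at_pos() is called for positions at or beyond the mapping count whenever every earlier position matched. Since the loop body is being rewritten anyway, bound it on i so the `if (i < nd_region->ndr_mappings)` test that follows means what it reads as.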
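Review bot: flush_current_bio_list() in drivers/md/dm.c opens with `INIT_LIST_HEAD(&o->cb.list);` and dm_offload_end() later calls `list_del(&o->cb.list)` unconditionally, but nothing in the code says why the re-initialisation is needed or what state the entry is in when the callback runs. Add a comment tying the two together. The `from_schedule` argument is unused, and bios whose bi_pool is NULL or equals fs_bio_set are put back on current->bio_list without explanation; a short comment on that exclusion would help the next reader.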
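Review bot: the comment added in ext4_block_truncate_page() (fs/ext4/inode.c), "If we are processing an encrypted inode during orphan list handling", is an unfinished sentence and does not say what is skipped or why. State that clearing the on-disk data beyond i_size is skipped because the encryption key is unavailable, and that returning 0 leaves that data in place, which is the open question the commit message itself raises.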