authorBen Hutchings <ben@decadent.org.uk>2020-02-05 00:55:09 +0000
committerBen Hutchings <ben@decadent.org.uk>2020-02-05 00:55:09 +0000
commited77d206a6a7ea56c2bf5ab213d6ee1c1884d1de (patch)
treea629766f6351ef375e136145d2a24932c8b1d78b
parent59863712f4e608039b68314929aab80865cd96d1 (diff)
downloadlinux-stable-queue-ed77d206a6a7ea56c2bf5ab213d6ee1c1884d1de.tar.gz
Add commits cc'd to stable, up to 5.5-rc1
...plus their obvious dependencies, and some follow-up fixes.
-rw-r--r--queue-3.16/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch54
-rw-r--r--queue-3.16/acpi-osl-only-free-map-once-in-osl.c.patch104
-rw-r--r--queue-3.16/acpi-osl-speedup-grace-period-in-acpi_os_map_cleanup.patch45
-rw-r--r--queue-3.16/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch33
-rw-r--r--queue-3.16/alsa-pcm-oss-avoid-potential-buffer-overflows.patch59
-rw-r--r--queue-3.16/appledisplay-fix-error-handling-in-the-scheduled-work.patch47
-rw-r--r--queue-3.16/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch35
-rw-r--r--queue-3.16/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch54
-rw-r--r--queue-3.16/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch39
-rw-r--r--queue-3.16/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch32
-rw-r--r--queue-3.16/ath9k_hw-fix-uninitialized-variable-data.patch34
-rw-r--r--queue-3.16/binder-handle-start-null-in-binder_update_page_range.patch51
-rw-r--r--queue-3.16/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch56
-rw-r--r--queue-3.16/blk-mq-fix-deadlock-when-reading-cpu_list.patch81
-rw-r--r--queue-3.16/blk-mq-make-sure-that-line-break-can-be-printed.patch30
-rw-r--r--queue-3.16/bluetooth-delete-a-stray-unlock.patch32
-rw-r--r--queue-3.16/bluetooth-hci_core-fix-init-for-hci_user_channel.patch45
-rw-r--r--queue-3.16/bnx2x-enable-multi-cos-feature.patch31
-rw-r--r--queue-3.16/btrfs-check-page-mapping-when-loading-free-space-cache.patch71
-rw-r--r--queue-3.16/btrfs-fix-negative-subv_writers-counter-and-data-space-leak-after.patch83
-rw-r--r--queue-3.16/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconnect-occurs.patch166
-rw-r--r--queue-3.16/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch67
-rw-r--r--queue-3.16/cifs-fix-smb2-oplock-break-processing.patch63
-rw-r--r--queue-3.16/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch41
-rw-r--r--queue-3.16/clk-samsung-exynos5420-preserve-cpu-clocks-configuration-during.patch31
-rw-r--r--queue-3.16/compat_ioctl-handle-siocoutqnsd.patch30
-rw-r--r--queue-3.16/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch53
-rw-r--r--queue-3.16/cw1200-fix-a-signedness-bug-in-cw1200_load_firmware.patch36
-rw-r--r--queue-3.16/drm-i810-prevent-underflow-in-ioctl.patch38
-rw-r--r--queue-3.16/drm-i915-userptr-try-to-acquire-the-page-lock-around.patch78
-rw-r--r--queue-3.16/drm-radeon-fix-bad-dma-from-interrupt_cntl2.patch65
-rw-r--r--queue-3.16/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch46
-rw-r--r--queue-3.16/ext2-check-err-when-partial-null.patch38
-rw-r--r--queue-3.16/ext4-work-around-deleting-a-file-with-i_nlink-0-safely.patch56
-rw-r--r--queue-3.16/fuse-verify-attributes.patch118
-rw-r--r--queue-3.16/fuse-verify-nlink.patch28
-rw-r--r--queue-3.16/futex-prevent-robust-futex-exit-race.patch266
-rw-r--r--queue-3.16/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-only-if-not.patch42
-rw-r--r--queue-3.16/iio-adis16480-add-debugfs_reg_access-entry.patch33
-rw-r--r--queue-3.16/iio-imu-adis16480-assign-bias-value-only-if-operation-succeeded.patch41
-rw-r--r--queue-3.16/inet-protect-against-too-small-mtu-values.patch178
-rw-r--r--queue-3.16/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch92
-rw-r--r--queue-3.16/iwlwifi-check-kasprintf-return-value.patch43
-rw-r--r--queue-3.16/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch44
-rw-r--r--queue-3.16/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch46
-rw-r--r--queue-3.16/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch37
-rw-r--r--queue-3.16/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch47
-rw-r--r--queue-3.16/macvlan-schedule-bc_work-even-if-error.patch49
-rw-r--r--queue-3.16/media-exynos4-is-fix-recursive-locking-in-isp_video_release.patch32
-rw-r--r--queue-3.16/media-ov6650-fix-incorrect-use-of-jpeg-colorspace.patch90
-rw-r--r--queue-3.16/media-ov6650-fix-stored-frame-format-not-in-sync-with-hardware.patch62
-rw-r--r--queue-3.16/media-radio-wl1273-fix-interrupt-masking-on-release.patch35
-rw-r--r--queue-3.16/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch58
-rw-r--r--queue-3.16/media-usbvision-fix-races-among-open-close-and-disconnect.patch134
-rw-r--r--queue-3.16/mtd-spear_smi-fix-write-burst-mode.patch102
-rw-r--r--queue-3.16/net-bridge-deny-dev_set_mac_address-when-unregistering.patch73
-rw-r--r--queue-3.16/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch38
-rw-r--r--queue-3.16/openvswitch-remove-another-bug_on.patch46
-rw-r--r--queue-3.16/pci-fix-intel-acs-quirk-updcr-register-address.patch41
-rw-r--r--queue-3.16/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch61
-rw-r--r--queue-3.16/perf-probe-filter-out-instances-except-for-inlined-subroutine-and.patch114
-rw-r--r--queue-3.16/perf-probe-fix-to-add-missed-brace-around-if-block.patch41
-rw-r--r--queue-3.16/perf-probe-fix-to-find-range-only-function-instance.patch42
-rw-r--r--queue-3.16/perf-probe-fix-to-handle-optimized-not-inlined-functions.patch124
-rw-r--r--queue-3.16/perf-probe-fix-to-list-probe-event-with-correct-line-number.patch70
-rw-r--r--queue-3.16/perf-probe-fix-to-probe-a-function-which-has-no-entry-pc.patch88
-rw-r--r--queue-3.16/perf-probe-fix-to-probe-an-inline-function-which-has-no-entry-pc.patch64
-rw-r--r--queue-3.16/perf-probe-fix-to-show-calling-lines-of-inlined-functions.patch114
-rw-r--r--queue-3.16/perf-probe-fix-to-show-function-entry-line-as-probe-able.patch80
-rw-r--r--queue-3.16/perf-probe-fix-to-show-inlined-function-callsite-without-entry_pc.patch104
-rw-r--r--queue-3.16/perf-probe-fix-to-show-lines-of-sys_-functions-correctly.patch92
-rw-r--r--queue-3.16/perf-probe-fix-wrong-address-verification.patch112
-rw-r--r--queue-3.16/perf-probe-skip-end-of-sequence-and-non-statement-lines.patch137
-rw-r--r--queue-3.16/perf-probe-skip-if-the-function-address-is-0.patch101
-rw-r--r--queue-3.16/perf-probe-skip-overlapped-location-on-searching-variables.patch96
-rw-r--r--queue-3.16/perf-regs-make-perf_reg_name-return-unknown-instead-of-null.patch78
-rw-r--r--queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup.patch50
-rw-r--r--queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup.patch42
-rw-r--r--queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-passing-0-as-input.patch60
-rw-r--r--queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-too-small-buffer.patch65
-rw-r--r--queue-3.16/pm-devfreq-lock-devfreq-in-trans_stat_show.patch46
-rw-r--r--queue-3.16/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges.patch42
-rw-r--r--queue-3.16/powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch42
-rw-r--r--queue-3.16/powerpc-fix-vdso-clock_getres.patch124
-rw-r--r--queue-3.16/quota-check-that-quota-is-not-dirty-before-release.patch80
-rw-r--r--queue-3.16/quota-fix-livelock-in-dquot_writeback_dquots.patch44
-rw-r--r--queue-3.16/rdma-srpt-report-the-scsi-residual-to-the-initiator.patch66
-rw-r--r--queue-3.16/regulator-ab8500-remove-ab8505-usb-regulator.patch71
-rw-r--r--queue-3.16/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch35
-rw-r--r--queue-3.16/rtc-msm6242-fix-reading-of-10-hour-digit.patch36
-rw-r--r--queue-3.16/scsi-bnx2i-fix-potential-use-after-free.patch35
-rw-r--r--queue-3.16/scsi-core-scsi_trace-use-get_unaligned_be.patch208
-rw-r--r--queue-3.16/scsi-csiostor-don-t-enable-irqs-too-early.patch92
-rw-r--r--queue-3.16/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch27
-rw-r--r--queue-3.16/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointer.patch59
-rw-r--r--queue-3.16/scsi-qla4xxx-fix-double-free-bug.patch32
-rw-r--r--queue-3.16/scsi-tracing-fix-handling-of-transfer-length-0-for-read-6-and.patch48
-rw-r--r--queue-3.16/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch42
-rw-r--r--queue-3.16/serial-ifx6x60-add-missed-pm_runtime_disable.patch29
-rw-r--r--queue-3.16/serial-pl011-fix-dma-flush_buffer.patch69
-rw-r--r--queue-3.16/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch122
-rw-r--r--queue-3.16/series135
-rw-r--r--queue-3.16/spi-atmel-fix-handling-of-cs_change-set-on-non-last-xfer.patch60
-rw-r--r--queue-3.16/staging-rtl8192e-fix-potential-use-after-free.patch43
-rw-r--r--queue-3.16/sunrpc-fix-crash-when-cache_head-become-valid-before-update.patch119
-rw-r--r--queue-3.16/tcp-fix-rejected-syncookies-due-to-stale-timestamps.patch105
-rw-r--r--queue-3.16/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch43
-rw-r--r--queue-3.16/tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch49
-rw-r--r--queue-3.16/tcp-syncookies-extend-validity-range.patch91
-rw-r--r--queue-3.16/tools-power-cpupower-fix-initializer-override-in-hsw_ext_cstates.patch55
-rw-r--r--queue-3.16/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch30
-rw-r--r--queue-3.16/tty-serial-msm_serial-fix-flow-control.patch65
-rw-r--r--queue-3.16/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch62
-rw-r--r--queue-3.16/tty-vt-keyboard-reject-invalid-keycodes.patch48
-rw-r--r--queue-3.16/usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch100
-rw-r--r--queue-3.16/usb-documentation-flags-on-usb-storage-versus-uas.patch61
-rw-r--r--queue-3.16/usb-gadget-pch_udc-fix-use-after-free.patch32
-rw-r--r--queue-3.16/usb-gadget-u_serial-add-missing-port-entry-locking.patch35
-rw-r--r--queue-3.16/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch30
-rw-r--r--queue-3.16/usb-serial-ftdi_sio-add-device-ids-for-u-blox-c099-f9p.patch51
-rw-r--r--queue-3.16/usb-serial-mos7720-fix-remote-wakeup.patch36
-rw-r--r--queue-3.16/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch67
-rw-r--r--queue-3.16/usb-serial-mos7840-fix-remote-wakeup.patch36
-rw-r--r--queue-3.16/usb-uas-heed-capacity_heuristics.patch33
-rw-r--r--queue-3.16/usb-uas-honor-flag-to-avoid-capacity16.patch29
-rw-r--r--queue-3.16/usbvision-fix-locking-error-2.patch33
-rw-r--r--queue-3.16/usbvision-fix-locking-error.patch32
-rw-r--r--queue-3.16/usbvision-remove-power_on_at_open-and-timed-power-off.patch282
-rw-r--r--queue-3.16/usbvision-video-two-use-after-frees.patch35
-rw-r--r--queue-3.16/workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch80
-rw-r--r--queue-3.16/x86-ioapic-prevent-inconsistent-state-when-moving-an-interrupt.patch74
-rw-r--r--queue-3.16/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch48
-rw-r--r--queue-3.16/x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch150
-rw-r--r--queue-3.16/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch64
-rw-r--r--queue-3.16/xfs-sanity-check-flags-of-q_xquotarm-call.patch32
-rw-r--r--queue-3.16/xtensa-fix-tlb-sanity-checker.patch42
-rw-r--r--upstream-head2
137 files changed, 8971 insertions, 1 deletions
diff --git a/queue-3.16/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/queue-3.16/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
new file mode 100644
index 00000000..574e5213
--- /dev/null
+++ b/queue-3.16/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
@@ -0,0 +1,54 @@
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+Date: Thu, 28 Nov 2019 15:58:29 +0530
+Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
+
+commit 627ead724eff33673597216f5020b72118827de4 upstream.
+
+kmemleak reported backtrace:
+ [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260
+ [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0
+ [<1180f4fc>] i2c_register_adapter+0x186/0x400
+ [<6083baf7>] i2c_add_adapter+0x4e/0x70
+ [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915]
+ [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915]
+ [<81911d4b>] i915_pci_probe+0x48/0x160 [i915]
+ [<4b159af1>] pci_device_probe+0xdc/0x160
+ [<b3c64704>] really_probe+0x1ee/0x450
+ [<bc029f5a>] driver_probe_device+0x142/0x1b0
+ [<d8829d20>] device_driver_attach+0x49/0x50
+ [<de71f045>] __driver_attach+0xc9/0x150
+ [<df33ac83>] bus_for_each_dev+0x56/0xa0
+ [<80089bba>] driver_attach+0x19/0x20
+ [<cc73f583>] bus_add_driver+0x177/0x220
+ [<7b29d8c7>] driver_register+0x56/0xf0
+
+In i2c_acpi_remove_space_handler(), a leak occurs whenever the
+"data" parameter is initialized to 0 before being passed to
+acpi_bus_get_private_data().
+
+This is because the NULL pointer check in acpi_bus_get_private_data()
+(condition->if(!*data)) returns EINVAL and, in consequence, memory is
+never freed in i2c_acpi_remove_space_handler().
+
+Fix the NULL pointer check in acpi_bus_get_private_data() to follow
+the analogous check in acpi_get_data_full().
+
+Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+[ rjw: Subject & changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/acpi/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -154,7 +154,7 @@ int acpi_bus_get_private_data(acpi_handl
+ {
+ acpi_status status;
+
+- if (!*data)
++ if (!data)
+ return -EINVAL;
+
+ status = acpi_get_data(handle, acpi_bus_private_data_handler, data);
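Review bot: The corrected guard in acpi_bus_get_private_data() (`if (!data)`) accepts a pointer whose target is still uninitialized, but nothing next to it records that `data` is a pure out-parameter, which is the confusion that produced the old `!*data` test. I would add a comment above the check such as `/* data is an out-parameter: only the pointer itself must be non-NULL; *data is filled in by acpi_get_data() */`. The function body continues past the end of the hunk, so whether `*data` is left untouched on failure cannot be confirmed from here; callers should presumably rely on the return value rather than on `*data`.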
diff --git a/queue-3.16/acpi-osl-only-free-map-once-in-osl.c.patch b/queue-3.16/acpi-osl-only-free-map-once-in-osl.c.patch
new file mode 100644
index 00000000..75f06f9a
--- /dev/null
+++ b/queue-3.16/acpi-osl-only-free-map-once-in-osl.c.patch
@@ -0,0 +1,104 @@
+From: Francesco Ruggeri <fruggeri@arista.com>
+Date: Tue, 19 Nov 2019 21:47:27 -0800
+Subject: ACPI: OSL: only free map once in osl.c
+
+commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream.
+
+acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock
+before freeing the map. This creates a race condition the can result
+in the map being freed more than once.
+A panic can be caused by running
+
+for ((i=0; i<10; i++))
+do
+ for ((j=0; j<100000; j++))
+ do
+ cat /sys/firmware/acpi/tables/data/BERT >/dev/null
+ done &
+done
+
+This patch makes sure that only the process that drops the reference
+to 0 does the freeing.
+
+Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c")
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/acpi/osl.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -416,24 +416,27 @@ acpi_os_map_memory(acpi_physical_address
+ }
+ EXPORT_SYMBOL_GPL(acpi_os_map_memory);
+
+-static void acpi_os_drop_map_ref(struct acpi_ioremap *map)
++/* Must be called with mutex_lock(&acpi_ioremap_lock) */
++static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map)
+ {
+- if (!--map->refcount)
++ unsigned long refcount = --map->refcount;
++
++ if (!refcount)
+ list_del_rcu(&map->list);
++ return refcount;
+ }
+
+ static void acpi_os_map_cleanup(struct acpi_ioremap *map)
+ {
+- if (!map->refcount) {
+- synchronize_rcu_expedited();
+- acpi_unmap(map->phys, map->virt);
+- kfree(map);
+- }
++ synchronize_rcu_expedited();
++ acpi_unmap(map->phys, map->virt);
++ kfree(map);
+ }
+
+ void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size)
+ {
+ struct acpi_ioremap *map;
++ unsigned long refcount;
+
+ if (!acpi_gbl_permanent_mmap) {
+ __acpi_unmap_table(virt, size);
+@@ -447,10 +450,11 @@ void __ref acpi_os_unmap_iomem(void __io
+ WARN(true, PREFIX "%s: bad address %p\n", __func__, virt);
+ return;
+ }
+- acpi_os_drop_map_ref(map);
++ refcount = acpi_os_drop_map_ref(map);
+ mutex_unlock(&acpi_ioremap_lock);
+
+- acpi_os_map_cleanup(map);
++ if (!refcount)
++ acpi_os_map_cleanup(map);
+ }
+ EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem);
+
+@@ -491,6 +495,7 @@ void acpi_os_unmap_generic_address(struc
+ {
+ u64 addr;
+ struct acpi_ioremap *map;
++ unsigned long refcount;
+
+ if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY)
+ return;
+@@ -506,10 +511,11 @@ void acpi_os_unmap_generic_address(struc
+ mutex_unlock(&acpi_ioremap_lock);
+ return;
+ }
+- acpi_os_drop_map_ref(map);
++ refcount = acpi_os_drop_map_ref(map);
+ mutex_unlock(&acpi_ioremap_lock);
+
+- acpi_os_map_cleanup(map);
++ if (!refcount)
++ acpi_os_map_cleanup(map);
+ }
+ EXPORT_SYMBOL(acpi_os_unmap_generic_address);
+
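Review bot: The locking precondition on acpi_os_drop_map_ref() is stated only in the new comment `/* Must be called with mutex_lock(&acpi_ioremap_lock) */`, so a later caller that drops a reference without the mutex would silently reintroduce the double-free race this patch closes. Consider making it checkable with `lockdep_assert_held(&acpi_ioremap_lock);` as the first statement of the function. acpi_os_map_cleanup() now frees unconditionally, so it also deserves a one-line comment saying it may only be called by the path that saw the count reach zero, after the mutex has been released. acpi_os_unmap_iomem() and acpi_os_unmap_generic_address() both extend outside their hunks.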
diff --git a/queue-3.16/acpi-osl-speedup-grace-period-in-acpi_os_map_cleanup.patch b/queue-3.16/acpi-osl-speedup-grace-period-in-acpi_os_map_cleanup.patch
new file mode 100644
index 00000000..3089213e
--- /dev/null
+++ b/queue-3.16/acpi-osl-speedup-grace-period-in-acpi_os_map_cleanup.patch
@@ -0,0 +1,45 @@
+From: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Sun, 9 Nov 2014 13:53:37 +0400
+Subject: ACPI / osl: speedup grace period in acpi_os_map_cleanup
+
+commit 74b51ee152b6d99e61ba329799a039453fb9438f upstream.
+
+ACPI maintains cache of ioremap regions to speed up operations and
+access to them from irq context where ioremap() calls aren't allowed.
+This code abuses synchronize_rcu() on unmap path for synchronization
+with fast-path in acpi_os_read/write_memory which uses this cache.
+
+Since v3.10 CPUs are allowed to enter idle state even if they have RCU
+callbacks queued, see commit c0f4dfd4f90f1667d234d21f15153ea09a2eaa66
+("rcu: Make RCU_FAST_NO_HZ take advantage of numbered callbacks").
+That change caused problems with nvidia proprietary driver which calls
+acpi_os_map/unmap_generic_address several times during initialization.
+Each unmap calls synchronize_rcu and adds significant delay. Totally
+initialization is slowed for a couple of seconds and that is enough to
+trigger timeout in hardware, gpu decides to "fell off the bus". Widely
+spread workaround is reducing "rcu_idle_gp_delay" from 4 to 1 jiffy.
+
+This patch replaces synchronize_rcu() with synchronize_rcu_expedited()
+which is much faster.
+
+Link: https://devtalk.nvidia.com/default/topic/567297/linux/linux-3-10-driver-crash/
+Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+Reported-and-tested-by: Alexander Monakov <amonakov@gmail.com>
+Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/acpi/osl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -425,7 +425,7 @@ static void acpi_os_drop_map_ref(struct
+ static void acpi_os_map_cleanup(struct acpi_ioremap *map)
+ {
+ if (!map->refcount) {
+- synchronize_rcu();
++ synchronize_rcu_expedited();
+ acpi_unmap(map->phys, map->virt);
+ kfree(map);
+ }
diff --git a/queue-3.16/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch b/queue-3.16/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
new file mode 100644
index 00000000..72630871
--- /dev/null
+++ b/queue-3.16/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
@@ -0,0 +1,33 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 22 Nov 2019 13:13:54 +0000
+Subject: ALSA: cs4236: fix error return comparison of an unsigned integer
+
+commit d60229d84846a8399257006af9c5444599f64361 upstream.
+
+The return from pnp_irq is an unsigned integer type resource_size_t
+and hence the error check for a positive non-error code is always
+going to be true. A check for a non-failure return from pnp_irq
+should in fact be for (resource_size_t)-1 rather than >= 0.
+
+Addresses-Coverity: ("Unsigned compared against 0")
+Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/isa/cs423x/cs4236.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -293,7 +293,8 @@ static int snd_cs423x_pnp_init_mpu(int d
+ } else {
+ mpu_port[dev] = pnp_port_start(pdev, 0);
+ if (mpu_irq[dev] >= 0 &&
+- pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
++ pnp_irq_valid(pdev, 0) &&
++ pnp_irq(pdev, 0) != (resource_size_t)-1) {
+ mpu_irq[dev] = pnp_irq(pdev, 0);
+ } else {
+ mpu_irq[dev] = -1; /* disable interrupt */
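Review bot: In snd_cs423x_pnp_init_mpu() the new condition calls `pnp_irq(pdev, 0)` to compare against `(resource_size_t)-1` and the next line calls it again to assign `mpu_irq[dev]`, so the checked value and the stored value come from two separate reads and the unsigned result is narrowed implicitly on assignment. Reading it once into a local, e.g. `resource_size_t irq = pnp_irq(pdev, 0);`, and testing and assigning that local would keep the sentinel comparison and the store in agreement. The element type of `mpu_irq` is not visible here; it is presumably a signed int, given the `>= 0` test and the `-1` assignment. The function starts and ends outside the hunk.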
diff --git a/queue-3.16/alsa-pcm-oss-avoid-potential-buffer-overflows.patch b/queue-3.16/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
new file mode 100644
index 00000000..129133fc
--- /dev/null
+++ b/queue-3.16/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
@@ -0,0 +1,59 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 4 Dec 2019 15:48:24 +0100
+Subject: ALSA: pcm: oss: Avoid potential buffer overflows
+
+commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.
+
+syzkaller reported an invalid access in PCM OSS read, and this seems
+to be an overflow of the internal buffer allocated for a plugin.
+Since the rate plugin adjusts its transfer size dynamically, the
+calculation for the chained plugin might be bigger than the given
+buffer size in some extreme cases, which lead to such an buffer
+overflow as caught by KASAN.
+
+Fix it by limiting the max transfer size properly by checking against
+the destination size in each plugin transfer callback.
+
+Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/oss/linear.c | 2 ++
+ sound/core/oss/mulaw.c | 2 ++
+ sound/core/oss/route.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/sound/core/oss/linear.c
++++ b/sound/core/oss/linear.c
+@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
+ }
+ }
+ #endif
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+ convert(plugin, src_channels, dst_channels, frames);
+ return frames;
+ }
+--- a/sound/core/oss/mulaw.c
++++ b/sound/core/oss/mulaw.c
+@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
+ }
+ }
+ #endif
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+ data = (struct mulaw_priv *)plugin->extra_data;
+ data->func(plugin, src_channels, dst_channels, frames);
+ return frames;
+--- a/sound/core/oss/route.c
++++ b/sound/core/oss/route.c
+@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
+ return -ENXIO;
+ if (frames == 0)
+ return 0;
++ if (frames > dst_channels[0].frames)
++ frames = dst_channels[0].frames;
+
+ nsrcs = plugin->src_format.channels;
+ ndsts = plugin->dst_format.channels;
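Review bot: The added clamp in linear_transfer(), mulaw_transfer() and route_transfer() bounds `frames` by `dst_channels[0].frames` only, which is sufficient only if every destination channel holds at least as many frames as channel 0; nothing in the hunks states or checks that. I would add a comment at each clamp such as `/* all dst channels are assumed to share dst_channels[0].frames; never convert more than the destination holds */`. In route_transfer() the clamp sits after the `if (frames == 0) return 0;` test, so a zero-sized destination continues into the routing code with `frames == 0`; that is presumably harmless but worth confirming. The result is now a possibly shortened count, so callers have to treat the return value as the number of frames actually converted. All three functions begin outside their hunks.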
diff --git a/queue-3.16/appledisplay-fix-error-handling-in-the-scheduled-work.patch b/queue-3.16/appledisplay-fix-error-handling-in-the-scheduled-work.patch
new file mode 100644
index 00000000..b0a86454
--- /dev/null
+++ b/queue-3.16/appledisplay-fix-error-handling-in-the-scheduled-work.patch
@@ -0,0 +1,47 @@
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 6 Nov 2019 13:49:01 +0100
+Subject: appledisplay: fix error handling in the scheduled work
+
+commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.
+
+The work item can operate on
+
+1. stale memory left over from the last transfer
+the actual length of the data transfered needs to be checked
+2. memory already freed
+the error handling in appledisplay_probe() needs
+to cancel the work in that case
+
+Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/misc/appledisplay.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -180,7 +180,12 @@ static int appledisplay_bl_get_brightnes
+ 0,
+ pdata->msgdata, 2,
+ ACD_USB_TIMEOUT);
+- brightness = pdata->msgdata[1];
++ if (retval < 2) {
++ if (retval >= 0)
++ retval = -EMSGSIZE;
++ } else {
++ brightness = pdata->msgdata[1];
++ }
+ mutex_unlock(&pdata->sysfslock);
+
+ if (retval < 0)
+@@ -326,6 +331,7 @@ error:
+ if (pdata) {
+ if (pdata->urb) {
+ usb_kill_urb(pdata->urb);
++ cancel_delayed_work_sync(&pdata->work);
+ if (pdata->urbdata)
+ usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
+ pdata->urbdata, pdata->urb->transfer_dma);
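Review bot: In appledisplay_bl_get_brightness() the new short-read test `if (retval < 2)` repeats the literal length passed to the control transfer just above (`pdata->msgdata, 2`), so the check and the request can drift apart if the message size ever changes. A shared named constant used in both places (for example `#define ACD_MSG_BUFFER_LEN 2`, name only a suggestion) would keep the validation tied to the requested length. In the probe error path, `cancel_delayed_work_sync(&pdata->work)` is reached only inside `if (pdata->urb)`; that is correct only if the work cannot have been queued before the URB exists, which the hunk does not show, so a short comment stating that ordering would help. Both functions extend beyond their hunks.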
diff --git a/queue-3.16/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/queue-3.16/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
new file mode 100644
index 00000000..d337e4e2
--- /dev/null
+++ b/queue-3.16/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
@@ -0,0 +1,35 @@
+From: Denis Efremov <efremov@linux.com>
+Date: Mon, 30 Sep 2019 23:31:47 +0300
+Subject: ar5523: check NULL before memcpy() in ar5523_cmd()
+
+commit 315cee426f87658a6799815845788fde965ddaad upstream.
+
+memcpy() call with "idata == NULL && ilen == 0" results in undefined
+behavior in ar5523_cmd(). For example, NULL is passed in callchain
+"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
+adds ilen check before memcpy() call in ar5523_cmd() to prevent an
+undefined behavior.
+
+Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar,
+
+ if (flags & AR5523_CMD_FLAG_MAGIC)
+ hdr->magic = cpu_to_be32(1 << 24);
+- memcpy(hdr + 1, idata, ilen);
++ if (ilen)
++ memcpy(hdr + 1, idata, ilen);
+
+ cmd->odata = odata;
+ cmd->olen = olen;
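Review bot: The new guard in ar5523_cmd() (`if (ilen) memcpy(hdr + 1, idata, ilen);`) removes the undefined NULL/0 call, but a non-zero `ilen` with a NULL `idata` still reaches memcpy(), and the hunk shows no check that `ilen` fits in the space after `hdr`. If NULL is only legal together with a zero length, say so next to the check, e.g. `/* idata may be NULL only when ilen == 0 */`. Whether the length is bounded earlier in the function cannot be seen from here, since the function starts and ends outside the hunk.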
diff --git a/queue-3.16/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch b/queue-3.16/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch
new file mode 100644
index 00000000..18415961
--- /dev/null
+++ b/queue-3.16/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch
@@ -0,0 +1,54 @@
+From: Lihua Yao <ylhuajnu@outlook.com>
+Date: Tue, 10 Sep 2019 13:22:28 +0000
+Subject: ARM: dts: s3c64xx: Fix init order of clock providers
+
+commit d60d0cff4ab01255b25375425745c3cff69558ad upstream.
+
+fin_pll is the parent of clock-controller@7e00f000, specify
+the dependency to ensure proper initialization order of clock
+providers.
+
+without this patch:
+[ 0.000000] S3C6410 clocks: apll = 0, mpll = 0
+[ 0.000000] epll = 0, arm_clk = 0
+
+with this patch:
+[ 0.000000] S3C6410 clocks: apll = 532000000, mpll = 532000000
+[ 0.000000] epll = 24000000, arm_clk = 532000000
+
+Fixes: 3f6d439f2022 ("clk: reverse default clk provider initialization order in of_clk_init()")
+Signed-off-by: Lihua Yao <ylhuajnu@outlook.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/boot/dts/s3c6410-mini6410.dts | 4 ++++
+ arch/arm/boot/dts/s3c6410-smdk6410.dts | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/arch/arm/boot/dts/s3c6410-mini6410.dts
++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts
+@@ -167,6 +167,10 @@
+ };
+ };
+
++&clocks {
++ clocks = <&fin_pll>;
++};
++
+ &sdhci0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>;
+--- a/arch/arm/boot/dts/s3c6410-smdk6410.dts
++++ b/arch/arm/boot/dts/s3c6410-smdk6410.dts
+@@ -71,6 +71,10 @@
+ };
+ };
+
++&clocks {
++ clocks = <&fin_pll>;
++};
++
+ &sdhci0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>;
diff --git a/queue-3.16/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch b/queue-3.16/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch
new file mode 100644
index 00000000..2b529b58
--- /dev/null
+++ b/queue-3.16/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch
@@ -0,0 +1,39 @@
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Tue, 30 Jul 2019 20:23:39 +0300
+Subject: ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume()
+
+commit d70f7d31a9e2088e8a507194354d41ea10062994 upstream.
+
+There is an unfortunate typo in the code that results in writing to
+FLOW_CTLR_HALT instead of FLOW_CTLR_CSR.
+
+Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-tegra/reset-handler.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-tegra/reset-handler.S
++++ b/arch/arm/mach-tegra/reset-handler.S
+@@ -55,16 +55,16 @@ ENTRY(tegra_resume)
+ cmp r6, #TEGRA20
+ beq 1f @ Yes
+ /* Clear the flow controller flags for this CPU. */
+- cpu_to_csr_reg r1, r0
++ cpu_to_csr_reg r3, r0
+ mov32 r2, TEGRA_FLOW_CTRL_BASE
+- ldr r1, [r2, r1]
++ ldr r1, [r2, r3]
+ /* Clear event & intr flag */
+ orr r1, r1, \
+ #FLOW_CTRL_CSR_INTR_FLAG | FLOW_CTRL_CSR_EVENT_FLAG
+ movw r0, #0x3FFD @ enable, cluster_switch, immed, bitmaps
+ @ & ext flags for CPU power mgnt
+ bic r1, r1, r0
+- str r1, [r2]
++ str r1, [r2, r3]
+ 1:
+
+ mov32 r9, 0xc09
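Review bot: The fix in tegra_resume makes the final `str r1, [r2, r3]` depend on r3 surviving from `cpu_to_csr_reg r3, r0` through the `ldr`/`orr`/`movw`/`bic` sequence, and nothing in the block says so. The visible instructions write only r0, r1 and r2, so it holds today; a comment such as `@ r3 = CSR offset for this CPU, must be preserved until the str below` would guard against a later edit reusing r3. Whether r3 carries a live value on entry to this block is not visible in the hunk and should be confirmed.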
diff --git a/queue-3.16/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/queue-3.16/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
new file mode 100644
index 00000000..876fa8f0
--- /dev/null
+++ b/queue-3.16/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
@@ -0,0 +1,32 @@
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Date: Tue, 12 Nov 2019 14:02:36 +0100
+Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
+
+commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream.
+
+Check for existance of jack before tracing.
+NULL pointer dereference has been reported by KASAN while unloading
+machine driver (snd_soc_cnl_rt274).
+
+Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/soc/soc-jack.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/soc/soc-jack.c
++++ b/sound/soc/soc-jack.c
+@@ -69,10 +69,9 @@ void snd_soc_jack_report(struct snd_soc_
+ unsigned int sync = 0;
+ int enable;
+
+- trace_snd_soc_jack_report(jack, mask, status);
+-
+ if (!jack)
+ return;
++ trace_snd_soc_jack_report(jack, mask, status);
+
+ codec = jack->codec;
+ dapm = &codec->dapm;
diff --git a/queue-3.16/ath9k_hw-fix-uninitialized-variable-data.patch b/queue-3.16/ath9k_hw-fix-uninitialized-variable-data.patch
new file mode 100644
index 00000000..7f221ed1
--- /dev/null
+++ b/queue-3.16/ath9k_hw-fix-uninitialized-variable-data.patch
@@ -0,0 +1,34 @@
+From: Denis Efremov <efremov@linux.com>
+Date: Fri, 27 Sep 2019 01:56:04 +0300
+Subject: ath9k_hw: fix uninitialized variable data
+
+commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.
+
+Currently, data variable in ar9003_hw_thermo_cal_apply() could be
+uninitialized if ar9300_otp_read_word() will fail to read the value.
+Initialize data variable with 0 to prevent an undefined behavior. This
+will be enough to handle error case when ar9300_otp_read_word() fails.
+
+Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
+Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
+Cc: John W. Linville <linville@tuxdriver.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -4107,7 +4107,7 @@ static void ar9003_hw_thermometer_apply(
+
+ static void ar9003_hw_thermo_cal_apply(struct ath_hw *ah)
+ {
+- u32 data, ko, kg;
++ u32 data = 0, ko, kg;
+
+ if (!AR_SREV_9462_20_OR_LATER(ah))
+ return;
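Review bot: Initialising `data` to 0 in ar9003_hw_thermo_cal_apply() makes its later use defined, but the commit message says the variable is only left unset when ar9300_otp_read_word() fails, so a failed OTP read would now silently feed 0 into the thermal calibration values. The read call and the use of `data` are outside the hunk, so this cannot be confirmed from here. If the helper's result is available at the call site, checking it and returning early would make the failure explicit. At minimum, a comment on the declaration would record the intent: `/* stays 0 if the OTP read fails */`.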
diff --git a/queue-3.16/binder-handle-start-null-in-binder_update_page_range.patch b/queue-3.16/binder-handle-start-null-in-binder_update_page_range.patch
new file mode 100644
index 00000000..8418bf6f
--- /dev/null
+++ b/queue-3.16/binder-handle-start-null-in-binder_update_page_range.patch
@@ -0,0 +1,51 @@
+From: Jann Horn <jannh@google.com>
+Date: Fri, 18 Oct 2019 22:56:31 +0200
+Subject: binder: Handle start==NULL in binder_update_page_range()
+
+commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.
+
+The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
+continuing backwards to index -1 and crashing.
+
+Luckily you need to be highly privileged to map things at NULL, so it's not
+a big problem.
+
+Fix it by adjusting the loop so that the loop variable is always in bounds.
+
+This patch is deliberately minimal to simplify backporting, but IMO this
+function could use a refactor. The jump labels in the second loop body are
+horrible (the error gotos should be jumping to free_range instead), and
+both loops would look nicer if they just iterated upwards through indices.
+And the up_read()+mmput() shouldn't be duplicated like that.
+
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: There is no continue statement in the loop,
+ so we only need to check the exit condition at the bottom]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/staging/android/binder.c
++++ b/drivers/staging/android/binder.c
+@@ -624,8 +624,7 @@ static int binder_update_page_range(stru
+ return 0;
+
+ free_range:
+- for (page_addr = end - PAGE_SIZE; page_addr >= start;
+- page_addr -= PAGE_SIZE) {
++ for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
+ page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];
+ if (vma)
+ zap_page_range(vma, (uintptr_t)page_addr +
+@@ -636,7 +635,8 @@ err_map_kernel_failed:
+ __free_page(*page);
+ *page = NULL;
+ err_alloc_page_failed:
+- ;
++ if (page_addr == start)
++ break;
+ }
+ err_no_vma:
+ if (mm) {
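Review bot: The rewritten free_range loop has a constant-true condition and stops only when `page_addr == start` exactly, so it terminates only if `end > start` and both are PAGE_SIZE-aligned. With an empty or unaligned range it would keep walking downwards and index `proc->pages[]` out of bounds. Whether binder_update_page_range() rejects such ranges earlier is not visible, because the function starts before and continues after these hunks. A comment above the loop would record the invariant: `/* requires end > start, both page aligned: the only exit is page_addr == start */`.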
diff --git a/queue-3.16/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch b/queue-3.16/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
new file mode 100644
index 00000000..ce72bfdf
--- /dev/null
+++ b/queue-3.16/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
@@ -0,0 +1,56 @@
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sat, 2 Nov 2019 16:02:15 +0800
+Subject: blk-mq: avoid sysfs buffer overflow with too many CPU cores
+
+commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.
+
+It is reported that sysfs buffer overflow can be triggered if the system
+has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
+hctx via /sys/block/$DEV/mq/$N/cpu_list.
+
+Use snprintf to avoid the potential buffer overflow.
+
+This version doesn't change the attribute format, and simply stops
+showing CPU numbers if the buffer is going to overflow.
+
+Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ block/blk-mq-sysfs.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -226,20 +226,25 @@ static ssize_t blk_mq_hw_sysfs_active_sh
+
+ static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page)
+ {
++ const size_t size = PAGE_SIZE - 1;
+ unsigned int i, first = 1;
+- ssize_t ret = 0;
++ int ret = 0, pos = 0;
+
+ for_each_cpu(i, hctx->cpumask) {
+ if (first)
+- ret += sprintf(ret + page, "%u", i);
++ ret = snprintf(pos + page, size - pos, "%u", i);
+ else
+- ret += sprintf(ret + page, ", %u", i);
++ ret = snprintf(pos + page, size - pos, ", %u", i);
++
++ if (ret >= size - pos)
++ break;
+
+ first = 0;
++ pos += ret;
+ }
+
+- ret += sprintf(ret + page, "\n");
+- return ret;
++ ret = snprintf(pos + page, size - pos, "\n");
++ return pos + ret;
+ }
+
+ static struct blk_mq_ctx_sysfs_entry blk_mq_sysfs_dispatched = {
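Review bot: In blk_mq_hw_sysfs_cpus_show() the truncation test `if (ret >= size - pos)` compares an `int` with a `size_t` expression, so it is evaluated unsigned and is only correct while `ret` is non-negative and `pos <= size`. Both hold for the loop as written, but nothing states it; declaring the bound with the same signedness (`const int size = PAGE_SIZE - 1;`) or adding `/* pos < size always holds here, see the break above */` would make that visible. Separately, the final `snprintf(pos + page, size - pos, "\n")` can be left with room for the terminator only while `pos + ret` still counts the newline. The blk-mq-make-sure-that-line-break-can-be-printed patch in this queue corrects that, so the two should stay together.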
diff --git a/queue-3.16/blk-mq-fix-deadlock-when-reading-cpu_list.patch b/queue-3.16/blk-mq-fix-deadlock-when-reading-cpu_list.patch
new file mode 100644
index 00000000..ab8a5516
--- /dev/null
+++ b/queue-3.16/blk-mq-fix-deadlock-when-reading-cpu_list.patch
@@ -0,0 +1,81 @@
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sun, 27 Sep 2015 02:09:25 +0900
+Subject: blk-mq: fix deadlock when reading cpu_list
+
+commit 60de074ba1e8f327db19bc33d8530131ac01695d upstream.
+
+CPU hotplug handling for blk-mq (blk_mq_queue_reinit) acquires
+all_q_mutex in blk_mq_queue_reinit_notify() and then removes sysfs
+entries by blk_mq_sysfs_unregister(). Removing sysfs entry needs to
+be blocked until the active reference of the kernfs_node to be zero.
+
+On the other hand, reading blk_mq_hw_sysfs_cpu sysfs entry (e.g.
+/sys/block/nullb0/mq/0/cpu_list) acquires all_q_mutex in
+blk_mq_hw_sysfs_cpus_show().
+
+If these happen at the same time, a deadlock can happen. Because one
+can wait for the active reference to be zero with holding all_q_mutex,
+and the other tries to acquire all_q_mutex with holding the active
+reference.
+
+The reason that all_q_mutex is acquired in blk_mq_hw_sysfs_cpus_show()
+is to avoid reading an imcomplete hctx->cpumask. Since reading sysfs
+entry for blk-mq needs to acquire q->sysfs_lock, we can avoid deadlock
+and reading an imcomplete hctx->cpumask by protecting q->sysfs_lock
+while hctx->cpumask is being updated.
+
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Reviewed-by: Ming Lei <tom.leiming@gmail.com>
+Cc: Ming Lei <tom.leiming@gmail.com>
+Cc: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ block/blk-mq-sysfs.c | 4 ----
+ block/blk-mq.c | 7 +++++++
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -229,8 +229,6 @@ static ssize_t blk_mq_hw_sysfs_cpus_show
+ unsigned int i, first = 1;
+ ssize_t ret = 0;
+
+- blk_mq_disable_hotplug();
+-
+ for_each_cpu(i, hctx->cpumask) {
+ if (first)
+ ret += sprintf(ret + page, "%u", i);
+@@ -240,8 +238,6 @@ static ssize_t blk_mq_hw_sysfs_cpus_show
+ first = 0;
+ }
+
+- blk_mq_enable_hotplug();
+-
+ ret += sprintf(ret + page, "\n");
+ return ret;
+ }
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1645,6 +1645,11 @@ static void blk_mq_map_swqueue(struct re
+ struct blk_mq_ctx *ctx;
+ struct blk_mq_tag_set *set = q->tag_set;
+
++ /*
++ * Avoid others reading imcomplete hctx->cpumask through sysfs
++ */
++ mutex_lock(&q->sysfs_lock);
++
+ queue_for_each_hw_ctx(q, hctx, i) {
+ cpumask_clear(hctx->cpumask);
+ hctx->nr_ctx = 0;
+@@ -1664,6 +1669,8 @@ static void blk_mq_map_swqueue(struct re
+ hctx->ctxs[hctx->nr_ctx++] = ctx;
+ }
+
++ mutex_unlock(&q->sysfs_lock);
++
+ queue_for_each_hw_ctx(q, hctx, i) {
+ /*
+ * If not software queues are mapped to this hardware queue,
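Review bot: With blk_mq_disable_hotplug()/blk_mq_enable_hotplug() removed, blk_mq_hw_sysfs_cpus_show() reads `hctx->cpumask` with no locking of its own and relies on its caller holding `q->sysfs_lock`, which the commit message states but the code does not. A comment above the `for_each_cpu()` loop would keep that contract from being lost: `/* caller holds q->sysfs_lock, which blk_mq_map_swqueue() takes while rewriting hctx->cpumask */`. On the blk-mq.c side, blk_mq_map_swqueue() now takes `q->sysfs_lock` itself, so any caller that reaches it with that mutex already held would deadlock. The callers are outside the hunks and should be checked in the 3.16 tree.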
diff --git a/queue-3.16/blk-mq-make-sure-that-line-break-can-be-printed.patch b/queue-3.16/blk-mq-make-sure-that-line-break-can-be-printed.patch
new file mode 100644
index 00000000..45a69b59
--- /dev/null
+++ b/queue-3.16/blk-mq-make-sure-that-line-break-can-be-printed.patch
@@ -0,0 +1,30 @@
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 4 Nov 2019 16:26:53 +0800
+Subject: blk-mq: make sure that line break can be printed
+
+commit d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a upstream.
+
+8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
+avoids sysfs buffer overflow, and reserves one character for line break.
+However, the last snprintf() doesn't get correct 'size' parameter passed
+in, so fixed it.
+
+Fixes: 8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ block/blk-mq-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -243,7 +243,7 @@ static ssize_t blk_mq_hw_sysfs_cpus_show
+ pos += ret;
+ }
+
+- ret = snprintf(pos + page, size - pos, "\n");
++ ret = snprintf(pos + page, size + 1 - pos, "\n");
+ return pos + ret;
+ }
+
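Review bot: `size + 1 - pos` undoes the `- 1` that defines `size` in the earlier patch, which reads as a magic adjustment at the call site. Passing the page size directly says the same thing more plainly, `ret = snprintf(pos + page, PAGE_SIZE - pos, "\n");`, or a comment could explain it: `/* size reserved one byte for this newline */`. The declaration of `size` and the loop that advances `pos` are outside this hunk.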
diff --git a/queue-3.16/bluetooth-delete-a-stray-unlock.patch b/queue-3.16/bluetooth-delete-a-stray-unlock.patch
new file mode 100644
index 00000000..3d0f5d4f
--- /dev/null
+++ b/queue-3.16/bluetooth-delete-a-stray-unlock.patch
@@ -0,0 +1,32 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 19 Nov 2019 09:17:05 +0300
+Subject: Bluetooth: delete a stray unlock
+
+commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.
+
+We used to take a lock in amp_physical_cfm() but then we moved it to
+the caller function. Unfortunately the unlock on this error path was
+overlooked so it leads to a double unlock.
+
+Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bluetooth/l2cap_core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4902,10 +4902,8 @@ void __l2cap_physical_cfm(struct l2cap_c
+ BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
+ chan, result, local_amp_id, remote_amp_id);
+
+- if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
+- l2cap_chan_unlock(chan);
++ if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
+ return;
+- }
+
+ if (chan->state != BT_CONNECTED) {
+ l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
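Review bot: After this change __l2cap_physical_cfm() returns on BT_DISCONN/BT_CLOSED without touching the channel lock, so it now depends on the caller both taking and releasing it, and nothing in the visible code says so. A one-line comment above the function, `/* Called with chan locked; the caller unlocks. */`, would guard against the unlock being reintroduced on another path. The rest of the function is outside the hunk, so any remaining l2cap_chan_unlock() calls further down could not be checked here.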
diff --git a/queue-3.16/bluetooth-hci_core-fix-init-for-hci_user_channel.patch b/queue-3.16/bluetooth-hci_core-fix-init-for-hci_user_channel.patch
new file mode 100644
index 00000000..d035505b
--- /dev/null
+++ b/queue-3.16/bluetooth-hci_core-fix-init-for-hci_user_channel.patch
@@ -0,0 +1,45 @@
+From: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Date: Wed, 16 Oct 2019 20:20:39 -0700
+Subject: Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
+
+commit eb8c101e28496888a0dcfe16ab86a1bee369e820 upstream.
+
+During the setup() stage, HCI device drivers expect the chip to
+acknowledge its setup() completion via vendor specific frames.
+
+If userspace opens() such HCI device in HCI_USER_CHANNEL [1] mode,
+the vendor specific frames are never tranmitted to the driver, as
+they are filtered in hci_rx_work().
+
+Allow HCI devices which operate in HCI_USER_CHANNEL mode to receive
+frames if the HCI device is is HCI_INIT state.
+
+[1] https://www.spinics.net/lists/linux-bluetooth/msg37345.html
+
+Fixes: 23500189d7e0 ("Bluetooth: Introduce new HCI socket channel for user operation")
+Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+[bwh: Backported to 3.16: Keep checking both HCI_RAW and HCI_USER_CHANNEL
+ bits here]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -5226,8 +5226,15 @@ static void hci_rx_work(struct work_stru
+ hci_send_to_sock(hdev, skb);
+ }
+
+- if (test_bit(HCI_RAW, &hdev->flags) ||
+- test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
++ /* If the device has been opened in HCI_USER_CHANNEL,
++ * the userspace has exclusive access to device.
++ * When device is HCI_INIT, we still need to process
++ * the data packets to the driver in order
++ * to complete its setup().
++ */
++ if ((test_bit(HCI_RAW, &hdev->flags) ||
++ test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) &&
++ !test_bit(HCI_INIT, &hdev->flags)) {
+ kfree_skb(skb);
+ continue;
+ }
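Review bot: The new `!test_bit(HCI_INIT, &hdev->flags)` term applies to the whole parenthesised OR, so in this backport frames are also passed on for HCI_RAW devices while HCI_INIT is set, whereas the added comment explains only the HCI_USER_CHANNEL case. If that is intended, the comment should say so, for example with an extra line `* The same applies to HCI_RAW devices in this tree.`; if not, the HCI_INIT test belongs on the HCI_USER_CHANNEL term only. Frames accepted during HCI_INIT go on to the packet handling below this hunk, which is not visible here.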
diff --git a/queue-3.16/bnx2x-enable-multi-cos-feature.patch b/queue-3.16/bnx2x-enable-multi-cos-feature.patch
new file mode 100644
index 00000000..b546ae71
--- /dev/null
+++ b/queue-3.16/bnx2x-enable-multi-cos-feature.patch
@@ -0,0 +1,31 @@
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Date: Mon, 4 Nov 2019 21:51:10 -0800
+Subject: bnx2x: Enable Multi-Cos feature.
+
+commit 069e47823fff2c634b2d46a328b5096fdc8c2a0c upstream.
+
+FW version 7.13.15 addresses the issue in Multi-cos implementation.
+This patch re-enables the Multi-Cos support in the driver.
+
+Fixes: d1f0b5dce8fd ("bnx2x: Disable multi-cos feature.")
+Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: Keep calling fallback()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -1914,7 +1914,8 @@ u16 bnx2x_select_queue(struct net_device
+ }
+
+ /* select a non-FCoE queue */
+- return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
++ return fallback(dev, skb) %
++ (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
+ }
+
+ void bnx2x_set_num_queues(struct bnx2x *bp)
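Review bot: The non-FCoE return in bnx2x_select_queue() now spreads traffic over `BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos` queues, which the commit message ties to the fix in FW version 7.13.15. The hunk does not show which firmware the 3.16 driver loads, so the backport needs that confirmed. The divisor is also now a product, and if `bp->max_cos` could be 0 when this runs the modulo would divide by zero; its initialisation is outside the hunk. A comment at the return would record the dependency: `/* multi-CoS selection relies on the FW 7.13.15 fix */`.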
diff --git a/queue-3.16/btrfs-check-page-mapping-when-loading-free-space-cache.patch b/queue-3.16/btrfs-check-page-mapping-when-loading-free-space-cache.patch
new file mode 100644
index 00000000..826b24e3
--- /dev/null
+++ b/queue-3.16/btrfs-check-page-mapping-when-loading-free-space-cache.patch
@@ -0,0 +1,71 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Tue, 24 Sep 2019 16:50:43 -0400
+Subject: btrfs: check page->mapping when loading free space cache
+
+commit 3797136b626ad4b6582223660c041efdea8f26b2 upstream.
+
+While testing 5.2 we ran into the following panic
+
+[52238.017028] BUG: kernel NULL pointer dereference, address: 0000000000000001
+[52238.105608] RIP: 0010:drop_buffers+0x3d/0x150
+[52238.304051] Call Trace:
+[52238.308958] try_to_free_buffers+0x15b/0x1b0
+[52238.317503] shrink_page_list+0x1164/0x1780
+[52238.325877] shrink_inactive_list+0x18f/0x3b0
+[52238.334596] shrink_node_memcg+0x23e/0x7d0
+[52238.342790] ? do_shrink_slab+0x4f/0x290
+[52238.350648] shrink_node+0xce/0x4a0
+[52238.357628] balance_pgdat+0x2c7/0x510
+[52238.365135] kswapd+0x216/0x3e0
+[52238.371425] ? wait_woken+0x80/0x80
+[52238.378412] ? balance_pgdat+0x510/0x510
+[52238.386265] kthread+0x111/0x130
+[52238.392727] ? kthread_create_on_node+0x60/0x60
+[52238.401782] ret_from_fork+0x1f/0x30
+
+The page we were trying to drop had a page->private, but had no
+page->mapping and so called drop_buffers, assuming that we had a
+buffer_head on the page, and then panic'ed trying to deref 1, which is
+our page->private for data pages.
+
+This is happening because we're truncating the free space cache while
+we're trying to load the free space cache. This isn't supposed to
+happen, and I'll fix that in a followup patch. However we still
+shouldn't allow those sort of mistakes to result in messing with pages
+that do not belong to us. So add the page->mapping check to verify that
+we still own this page after dropping and re-acquiring the page lock.
+
+This page being unlocked as:
+btrfs_readpage
+ extent_read_full_page
+ __extent_read_full_page
+ __do_readpage
+ if (!nr)
+ unlock_page <-- nr can be 0 only if submit_extent_page
+ returns an error
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+[ add callchain ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/free-space-cache.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -360,6 +360,12 @@ static int io_ctl_prepare_pages(struct i
+ if (uptodate && !PageUptodate(page)) {
+ btrfs_readpage(NULL, page);
+ lock_page(page);
++ if (page->mapping != inode->i_mapping) {
++ btrfs_err(BTRFS_I(inode)->root->fs_info,
++ "free space cache page truncated");
++ io_ctl_drop_pages(io_ctl);
++ return -EIO;
++ }
+ if (!PageUptodate(page)) {
+ btrfs_err(BTRFS_I(inode)->root->fs_info,
+ "error reading free space cache");
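Review bot: The added `page->mapping != inode->i_mapping` test in io_ctl_prepare_pages() has no comment, and without the commit message it is not obvious why a page just obtained for this inode could belong to another mapping. I would add above it `/* btrfs_readpage() may have unlocked the page on error; recheck ownership after re-locking */`. The "free space cache page truncated" message also carries no inode number or page index, which would help when triaging the -EIO. The loop around this code and the rest of the function are outside the hunk.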
diff --git a/queue-3.16/btrfs-fix-negative-subv_writers-counter-and-data-space-leak-after.patch b/queue-3.16/btrfs-fix-negative-subv_writers-counter-and-data-space-leak-after.patch
new file mode 100644
index 00000000..cf93efb1
--- /dev/null
+++ b/queue-3.16/btrfs-fix-negative-subv_writers-counter-and-data-space-leak-after.patch
@@ -0,0 +1,83 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 11 Oct 2019 16:41:20 +0100
+Subject: Btrfs: fix negative subv_writers counter and data space leak after
+ buffered write
+
+commit a0e248bb502d5165b3314ac3819e888fdcdf7d9f upstream.
+
+When doing a buffered write it's possible to leave the subv_writers
+counter of the root, used for synchronization between buffered nocow
+writers and snapshotting. This happens in an exceptional case like the
+following:
+
+1) We fail to allocate data space for the write, since there's not
+ enough available data space nor enough unallocated space for allocating
+ a new data block group;
+
+2) Because of that failure, we try to go to NOCOW mode, which succeeds
+ and therefore we set the local variable 'only_release_metadata' to true
+ and set the root's sub_writers counter to 1 through the call to
+ btrfs_start_write_no_snapshotting() made by check_can_nocow();
+
+3) The call to btrfs_copy_from_user() returns zero, which is very unlikely
+ to happen but not impossible;
+
+4) No pages are copied because btrfs_copy_from_user() returned zero;
+
+5) We call btrfs_end_write_no_snapshotting() which decrements the root's
+ subv_writers counter to 0;
+
+6) We don't set 'only_release_metadata' back to 'false' because we do
+ it only if 'copied', the value returned by btrfs_copy_from_user(), is
+ greater than zero;
+
+7) On the next iteration of the while loop, which processes the same
+ page range, we are now able to allocate data space for the write (we
+ got enough data space released in the meanwhile);
+
+8) After this if we fail at btrfs_delalloc_reserve_metadata(), because
+ now there isn't enough free metadata space, or in some other place
+ further below (prepare_pages(), lock_and_cleanup_extent_if_need(),
+ btrfs_dirty_pages()), we break out of the while loop with
+ 'only_release_metadata' having a value of 'true';
+
+9) Because 'only_release_metadata' is 'true' we end up decrementing the
+ root's subv_writers counter to -1 (through a call to
+ btrfs_end_write_no_snapshotting()), and we also end up not releasing the
+ data space previously reserved through btrfs_check_data_free_space().
+ As a consequence the mechanism for synchronizing NOCOW buffered writes
+ with snapshotting gets broken.
+
+Fix this by always setting 'only_release_metadata' to false at the start
+of each iteration.
+
+Fixes: 8257b2dc3c1a ("Btrfs: introduce btrfs_{start, end}_nocow_write() for each subvolume")
+Fixes: 7ee9e4405f26 ("Btrfs: check if we can nocow if we don't have data space")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1540,6 +1540,7 @@ static noinline ssize_t __btrfs_buffered
+ break;
+ }
+
++ only_release_metadata = false;
+ reserve_bytes = num_pages << PAGE_CACHE_SHIFT;
+ ret = btrfs_check_data_free_space(inode, reserve_bytes);
+ if (ret == -ENOSPC &&
+@@ -1671,7 +1672,6 @@ again:
+ set_extent_bit(&BTRFS_I(inode)->io_tree, lockstart,
+ lockend, EXTENT_NORESERVE, NULL,
+ NULL, GFP_NOFS);
+- only_release_metadata = false;
+ }
+
+ btrfs_drop_pages(pages, num_pages);
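Review bot: The reset `only_release_metadata = false;` now sits near the top of the loop body in __btrfs_buffered_write() with no explanation, and its placement is exactly what the fix depends on. A short comment would keep it from being moved back: `/* reset every pass: an earlier NOCOW attempt may have copied nothing */`. The loop header and the code that sets the flag to true are outside the hunks.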
diff --git a/queue-3.16/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconnect-occurs.patch b/queue-3.16/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconnect-occurs.patch
new file mode 100644
index 00000000..f0c1928c
--- /dev/null
+++ b/queue-3.16/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconnect-occurs.patch
@@ -0,0 +1,166 @@
+From: Dave Wysochanski <dwysocha@redhat.com>
+Date: Wed, 23 Oct 2019 05:02:33 -0400
+Subject: cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
+
+commit d46b0da7a33dd8c99d969834f682267a45444ab3 upstream.
+
+There's a deadlock that is possible and can easily be seen with
+a test where multiple readers open/read/close of the same file
+and a disruption occurs causing reconnect. The deadlock is due
+a reader thread inside cifs_strict_readv calling down_read and
+obtaining lock_sem, and then after reconnect inside
+cifs_reopen_file calling down_read a second time. If in
+between the two down_read calls, a down_write comes from
+another process, deadlock occurs.
+
+ CPU0 CPU1
+ ---- ----
+cifs_strict_readv()
+ down_read(&cifsi->lock_sem);
+ _cifsFileInfo_put
+ OR
+ cifs_new_fileinfo
+ down_write(&cifsi->lock_sem);
+cifs_reopen_file()
+ down_read(&cifsi->lock_sem);
+
+Fix the above by changing all down_write(lock_sem) calls to
+down_write_trylock(lock_sem)/msleep() loop, which in turn
+makes the second down_read call benign since it will never
+block behind the writer while holding lock_sem.
+
+Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
+Suggested-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed--by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/cifsglob.h | 5 +++++
+ fs/cifs/cifsproto.h | 1 +
+ fs/cifs/file.c | 23 +++++++++++++++--------
+ fs/cifs/smb2file.c | 2 +-
+ 4 files changed, 22 insertions(+), 9 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1113,6 +1113,11 @@ void cifsFileInfo_put(struct cifsFileInf
+ struct cifsInodeInfo {
+ bool can_cache_brlcks;
+ struct list_head llist; /* locks helb by this inode */
++ /*
++ * NOTE: Some code paths call down_read(lock_sem) twice, so
++ * we must always use use cifs_down_write() instead of down_write()
++ * for this semaphore to avoid deadlocks.
++ */
+ struct rw_semaphore lock_sem; /* protect the fields above */
+ /* BB add in lists for dirty pages i.e. write caching info for oplock */
+ struct list_head openFileList;
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -137,6 +137,7 @@ extern int cifs_unlock_range(struct cifs
+ struct file_lock *flock, const unsigned int xid);
+ extern int cifs_push_mandatory_locks(struct cifsFileInfo *cfile);
+
++extern void cifs_down_write(struct rw_semaphore *sem);
+ extern struct cifsFileInfo *cifs_new_fileinfo(struct cifs_fid *fid,
+ struct file *file,
+ struct tcon_link *tlink,
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -281,6 +281,13 @@ cifs_has_mand_locks(struct cifsInodeInfo
+ return has_locks;
+ }
+
++void
++cifs_down_write(struct rw_semaphore *sem)
++{
++ while (!down_write_trylock(sem))
++ msleep(10);
++}
++
+ struct cifsFileInfo *
+ cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
+ struct tcon_link *tlink, __u32 oplock)
+@@ -306,7 +313,7 @@ cifs_new_fileinfo(struct cifs_fid *fid,
+ INIT_LIST_HEAD(&fdlocks->locks);
+ fdlocks->cfile = cfile;
+ cfile->llist = fdlocks;
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ list_add(&fdlocks->llist, &cinode->llist);
+ up_write(&cinode->lock_sem);
+
+@@ -462,7 +469,7 @@ void _cifsFileInfo_put(struct cifsFileIn
+ * Delete any outstanding lock records. We'll lose them when the file
+ * is closed anyway.
+ */
+- down_write(&cifsi->lock_sem);
++ cifs_down_write(&cifsi->lock_sem);
+ list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) {
+ list_del(&li->llist);
+ cifs_del_lock_waiters(li);
+@@ -970,7 +977,7 @@ static void
+ cifs_lock_add(struct cifsFileInfo *cfile, struct cifsLockInfo *lock)
+ {
+ struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode);
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ list_add_tail(&lock->llist, &cfile->llist->locks);
+ up_write(&cinode->lock_sem);
+ }
+@@ -992,7 +999,7 @@ cifs_lock_add_if(struct cifsFileInfo *cf
+
+ try_again:
+ exist = false;
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+
+ exist = cifs_find_lock_conflict(cfile, lock->offset, lock->length,
+ lock->type, &conf_lock, CIFS_LOCK_OP);
+@@ -1014,7 +1021,7 @@ try_again:
+ (lock->blist.next == &lock->blist));
+ if (!rc)
+ goto try_again;
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ list_del_init(&lock->blist);
+ }
+
+@@ -1067,7 +1074,7 @@ cifs_posix_lock_set(struct file *file, s
+ return rc;
+
+ try_again:
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ if (!cinode->can_cache_brlcks) {
+ up_write(&cinode->lock_sem);
+ return rc;
+@@ -1267,7 +1274,7 @@ cifs_push_locks(struct cifsFileInfo *cfi
+ int rc = 0;
+
+ /* we are going to update can_cache_brlcks here - need a write access */
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ if (!cinode->can_cache_brlcks) {
+ up_write(&cinode->lock_sem);
+ return rc;
+@@ -1451,7 +1458,7 @@ cifs_unlock_range(struct cifsFileInfo *c
+ if (!buf)
+ return -ENOMEM;
+
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ for (i = 0; i < 2; i++) {
+ cur = buf;
+ num = 0;
+--- a/fs/cifs/smb2file.c
++++ b/fs/cifs/smb2file.c
+@@ -114,7 +114,7 @@ smb2_unlock_range(struct cifsFileInfo *c
+
+ cur = buf;
+
+- down_write(&cinode->lock_sem);
++ cifs_down_write(&cinode->lock_sem);
+ list_for_each_entry_safe(li, tmp, &cfile->llist->locks, llist) {
+ if (flock->fl_start > li->offset ||
+ (flock->fl_start + length) <
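Review bot: cifs_down_write() in fs/cifs/file.c polls `down_write_trylock()` with `msleep(10)` and no bound, so a writer gets no place in the semaphore's wait queue and can be kept waiting for as long as readers keep lock_sem held. The function itself has no comment; the rationale is only on the field in cifsglob.h, so I would add above the definition `/* lock_sem may be read-locked twice on one path; never block as a writer, poll instead */`. Nothing prevents a later direct `down_write(&cinode->lock_sem)` either, so the converted call sites in file.c and smb2file.c stay correct only as long as new code follows the same rule.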
diff --git a/queue-3.16/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch b/queue-3.16/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch
new file mode 100644
index 00000000..eb3097b2
--- /dev/null
+++ b/queue-3.16/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch
@@ -0,0 +1,67 @@
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Wed, 27 Nov 2019 16:18:39 -0800
+Subject: CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
+
+commit 6f582b273ec23332074d970a7fb25bef835df71f upstream.
+
+Currently when the client creates a cifsFileInfo structure for
+a newly opened file, it allocates a list of byte-range locks
+with a pointer to the new cfile and attaches this list to the
+inode's lock list. The latter happens before initializing all
+other fields, e.g. cfile->tlink. Thus a partially initialized
+cifsFileInfo structure becomes available to other threads that
+walk through the inode's lock list. One example of such a thread
+may be an oplock break worker thread that tries to push all
+cached byte-range locks. This causes NULL-pointer dereference
+in smb2_push_mandatory_locks() when accessing cfile->tlink:
+
+[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
+...
+[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
+[598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
+...
+[598428.945834] Call Trace:
+[598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs]
+[598428.945901] cifs_oplock_break+0x13d/0x450 [cifs]
+[598428.945909] process_one_work+0x1db/0x380
+[598428.945914] worker_thread+0x4d/0x400
+[598428.945921] kthread+0x104/0x140
+[598428.945925] ? process_one_work+0x380/0x380
+[598428.945931] ? kthread_park+0x80/0x80
+[598428.945937] ret_from_fork+0x35/0x40
+
+Fix this by reordering initialization steps of the cifsFileInfo
+structure: initialize all the fields first and then add the new
+byte-range lock list to the inode's lock list.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/file.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -313,9 +313,6 @@ cifs_new_fileinfo(struct cifs_fid *fid,
+ INIT_LIST_HEAD(&fdlocks->locks);
+ fdlocks->cfile = cfile;
+ cfile->llist = fdlocks;
+- cifs_down_write(&cinode->lock_sem);
+- list_add(&fdlocks->llist, &cinode->llist);
+- up_write(&cinode->lock_sem);
+
+ cfile->count = 1;
+ cfile->pid = current->tgid;
+@@ -339,6 +336,10 @@ cifs_new_fileinfo(struct cifs_fid *fid,
+ oplock = 0;
+ }
+
++ cifs_down_write(&cinode->lock_sem);
++ list_add(&fdlocks->llist, &cinode->llist);
++ up_write(&cinode->lock_sem);
++
+ spin_lock(&tcon->open_file_lock);
+ if (fid->pending_open->oplock != CIFS_OPLOCK_NO_CHANGE && oplock)
+ oplock = fid->pending_open->oplock;
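Review bot: The `list_add(&fdlocks->llist, &cinode->llist)` block is moved below the field initialisation in cifs_new_fileinfo() but carries no comment saying that its position is the fix. I would add `/* publish fdlocks only after cfile is initialised; lock-list walkers dereference cfile->tlink */` above the `cifs_down_write()` call. The assignment of `cfile->tlink` falls between the two hunks and is not visible, so it is worth confirming in the 3.16 tree that it precedes the new location.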
diff --git a/queue-3.16/cifs-fix-smb2-oplock-break-processing.patch b/queue-3.16/cifs-fix-smb2-oplock-break-processing.patch
new file mode 100644
index 00000000..c5337279
--- /dev/null
+++ b/queue-3.16/cifs-fix-smb2-oplock-break-processing.patch
@@ -0,0 +1,63 @@
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Thu, 31 Oct 2019 14:18:57 -0700
+Subject: CIFS: Fix SMB2 oplock break processing
+
+commit fa9c2362497fbd64788063288dc4e74daf977ebb upstream.
+
+Even when mounting modern protocol version the server may be
+configured without supporting SMB2.1 leases and the client
+uses SMB2 oplock to optimize IO performance through local caching.
+
+However there is a problem in oplock break handling that leads
+to missing a break notification on the client who has a file
+opened. It latter causes big latencies to other clients that
+are trying to open the same file.
+
+The problem reproduces when there are multiple shares from the
+same server mounted on the client. The processing code tries to
+match persistent and volatile file ids from the break notification
+with an open file but it skips all share besides the first one.
+Fix this by looking up in all shares belonging to the server that
+issued the oplock break.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/smb2misc.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -563,10 +563,10 @@ smb2_is_valid_oplock_break(char *buffer,
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each(tmp, &server->smb_ses_list) {
+ ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
++
+ list_for_each(tmp1, &ses->tcon_list) {
+ tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
+
+- cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks);
+ spin_lock(&tcon->open_file_lock);
+ list_for_each(tmp2, &tcon->openFileList) {
+ cfile = list_entry(tmp2, struct cifsFileInfo,
+@@ -578,6 +578,8 @@ smb2_is_valid_oplock_break(char *buffer,
+ continue;
+
+ cifs_dbg(FYI, "file id match, oplock break\n");
++ cifs_stats_inc(
++ &tcon->stats.cifs_stats.num_oplock_brks);
+ cinode = CIFS_I(cfile->dentry->d_inode);
+ spin_lock(&cfile->file_info_lock);
+ if (!CIFS_CACHE_WRITE(cinode) &&
+@@ -610,9 +612,6 @@ smb2_is_valid_oplock_break(char *buffer,
+ return true;
+ }
+ spin_unlock(&tcon->open_file_lock);
+- spin_unlock(&cifs_tcp_ses_lock);
+- cifs_dbg(FYI, "No matching file for oplock break\n");
+- return true;
+ }
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
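Review bot: With the early `return true` removed from the tcon loop in smb2_is_valid_oplock_break(), a break that matches no open file now falls through to the code after the final `spin_unlock(&cifs_tcp_ses_lock)`, which this hunk does not show, so the return value for an unmatched notification is decided there. The notification is server-supplied, so it is worth confirming that this path still logs the no-match case (the removed `cifs_dbg(FYI, "No matching file for oplock break\n")` is no longer reached) and returns what the caller expects. A comment at the end of the tcon loop such as `/* no match on this tcon: keep searching the server's other shares */` would record the intent. The function body starts and ends outside the hunk.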
diff --git a/queue-3.16/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch b/queue-3.16/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch
new file mode 100644
index 00000000..60ddda73
--- /dev/null
+++ b/queue-3.16/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch
@@ -0,0 +1,41 @@
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Tue, 12 Nov 2019 17:16:35 -0800
+Subject: CIFS: Respect O_SYNC and O_DIRECT flags during reconnect
+
+commit 44805b0e62f15e90d233485420e1847133716bdc upstream.
+
+Currently the client translates O_SYNC and O_DIRECT flags
+into corresponding SMB create options when openning a file.
+The problem is that on reconnect when the file is being
+re-opened the client doesn't set those flags and it causes
+a server to reject re-open requests because create options
+don't match. The latter means that any subsequent system
+call against that open file fail until a share is re-mounted.
+
+Fix this by properly setting SMB create options when
+re-openning files after reconnects.
+
+Fixes: 1013e760d10e6: ("SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags")
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -711,6 +711,13 @@ cifs_reopen_file(struct cifsFileInfo *cf
+ if (backup_cred(cifs_sb))
+ create_options |= CREATE_OPEN_BACKUP_INTENT;
+
++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++ if (cfile->f_flags & O_SYNC)
++ create_options |= CREATE_WRITE_THROUGH;
++
++ if (cfile->f_flags & O_DIRECT)
++ create_options |= CREATE_NO_BUFFER;
++
+ if (server->ops->get_lease_key)
+ server->ops->get_lease_key(inode, &cfile->fid);
+
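Review bot: The O_SYNC/O_DIRECT translation added to cifs_reopen_file() repeats logic that, per the commit message, already exists on the open path, and the two paths disagreeing is what caused the rejected re-opens. A single helper called from both places would keep the create options sent on open and on reconnect identical by construction. The open-path code and the rest of cifs_reopen_file() are outside this hunk, so the helper name below is only a proposal.

```c
/* Map open(2) flags that have an SMB equivalent to create options. */
static int cifs_sync_create_options(unsigned int f_flags)
{
	int options = 0;

	/* O_SYNC also has bit for O_DSYNC so following check picks up either */
	if (f_flags & O_SYNC)
		options |= CREATE_WRITE_THROUGH;
	if (f_flags & O_DIRECT)
		options |= CREATE_NO_BUFFER;

	return options;
}

/* … unchanged: backup_cred() check in cifs_reopen_file() … */
	create_options |= cifs_sync_create_options(cfile->f_flags);
/* … unchanged: get_lease_key call … */
```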
diff --git a/queue-3.16/clk-samsung-exynos5420-preserve-cpu-clocks-configuration-during.patch b/queue-3.16/clk-samsung-exynos5420-preserve-cpu-clocks-configuration-during.patch
new file mode 100644
index 00000000..020f05d8
--- /dev/null
+++ b/queue-3.16/clk-samsung-exynos5420-preserve-cpu-clocks-configuration-during.patch
@@ -0,0 +1,31 @@
+From: Marian Mihailescu <mihailescu2m@gmail.com>
+Date: Tue, 29 Oct 2019 11:20:25 +1030
+Subject: clk: samsung: exynos5420: Preserve CPU clocks configuration during
+ suspend/resume
+
+commit e21be0d1d7bd7f78a77613f6bcb6965e72b22fc1 upstream.
+
+Save and restore top PLL related configuration registers for big (APLL)
+and LITTLE (KPLL) cores during suspend/resume cycle. So far, CPU clocks
+were reset to default values after suspend/resume cycle and performance
+after system resume was affected when performance governor has been selected.
+
+Fixes: 773424326b51 ("clk: samsung: exynos5420: add more registers to restore list")
+Signed-off-by: Marian Mihailescu <mihailescu2m@gmail.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/clk/samsung/clk-exynos5420.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/samsung/clk-exynos5420.c
++++ b/drivers/clk/samsung/clk-exynos5420.c
+@@ -162,6 +162,8 @@ static unsigned long exynos5x_clk_regs[]
+ GATE_BUS_CPU,
+ GATE_SCLK_CPU,
+ CLKOUT_CMU_CPU,
++ APLL_CON0,
++ KPLL_CON0,
+ CPLL_CON0,
+ DPLL_CON0,
+ EPLL_CON0,
diff --git a/queue-3.16/compat_ioctl-handle-siocoutqnsd.patch b/queue-3.16/compat_ioctl-handle-siocoutqnsd.patch
new file mode 100644
index 00000000..e1a89c36
--- /dev/null
+++ b/queue-3.16/compat_ioctl-handle-siocoutqnsd.patch
@@ -0,0 +1,30 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 3 Jun 2019 23:06:00 +0200
+Subject: compat_ioctl: handle SIOCOUTQNSD
+
+commit 9d7bf41fafa5b5ddd4c13eb39446b0045f0a8167 upstream.
+
+Unlike the normal SIOCOUTQ, SIOCOUTQNSD was never handled in compat
+mode. Add it to the common socket compat handler along with similar
+ones.
+
+Fixes: 2f4e1b397097 ("tcp: ioctl type SIOCOUTQNSD returns amount of data not sent")
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: netdev@vger.kernel.org
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -3311,6 +3311,7 @@ static int compat_sock_ioctl_trans(struc
+ case SIOCSARP:
+ case SIOCGARP:
+ case SIOCDARP:
++ case SIOCOUTQNSD:
+ case SIOCATMARK:
+ return sock_do_ioctl(net, sock, cmd, arg);
+ }
diff --git a/queue-3.16/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/queue-3.16/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
new file mode 100644
index 00000000..a40c2afd
--- /dev/null
+++ b/queue-3.16/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
@@ -0,0 +1,53 @@
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Wed, 23 Oct 2019 09:57:14 +0800
+Subject: cpuidle: Do not unset the driver if it is there already
+
+commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream.
+
+Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has
+a driver different from drv already and, if so, return -EBUSY before
+updating any cpuidle_drivers per-CPU pointers.
+
+Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support")
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+[ rjw: Subject & changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/cpuidle/driver.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/cpuidle/driver.c
++++ b/drivers/cpuidle/driver.c
+@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive
+ * __cpuidle_set_driver - set per CPU driver variables for the given driver.
+ * @drv: a valid pointer to a struct cpuidle_driver
+ *
+- * For each CPU in the driver's cpumask, unset the registered driver per CPU
+- * to @drv.
+- *
+- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already.
++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver
++ * different from drv already.
+ */
+ static inline int __cpuidle_set_driver(struct cpuidle_driver *drv)
+ {
+ int cpu;
+
+ for_each_cpu(cpu, drv->cpumask) {
++ struct cpuidle_driver *old_drv;
+
+- if (__cpuidle_get_cpu_driver(cpu)) {
+- __cpuidle_unset_driver(drv);
++ old_drv = __cpuidle_get_cpu_driver(cpu);
++ if (old_drv && old_drv != drv)
+ return -EBUSY;
+- }
++ }
+
++ for_each_cpu(cpu, drv->cpumask)
+ per_cpu(cpuidle_drivers, cpu) = drv;
+- }
+
+ return 0;
+ }
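Review bot: The rewritten kernel-doc for __cpuidle_set_driver() no longer says what the function does on success, and nothing explains why the loop was split in two. Suggest restoring a sentence such as `For each CPU in the driver's cpumask, set the per-CPU driver pointer to @drv.` and adding `/* check every CPU first so a conflict leaves all per-CPU pointers untouched */` above the first loop. The check-then-set sequence is only safe if callers serialise on a lock, which is not visible in this hunk; the comment could name that lock once confirmed.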
diff --git a/queue-3.16/cw1200-fix-a-signedness-bug-in-cw1200_load_firmware.patch b/queue-3.16/cw1200-fix-a-signedness-bug-in-cw1200_load_firmware.patch
new file mode 100644
index 00000000..a3409103
--- /dev/null
+++ b/queue-3.16/cw1200-fix-a-signedness-bug-in-cw1200_load_firmware.patch
@@ -0,0 +1,36 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 1 Oct 2019 14:45:01 +0300
+Subject: cw1200: Fix a signedness bug in cw1200_load_firmware()
+
+commit 4a50d454502f1401171ff061a5424583f91266db upstream.
+
+The "priv->hw_type" is an enum and in this context GCC will treat it
+as an unsigned int so the error handling will never trigger.
+
+Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/cw1200/fwio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/cw1200/fwio.c
++++ b/drivers/net/wireless/cw1200/fwio.c
+@@ -316,12 +316,12 @@ int cw1200_load_firmware(struct cw1200_c
+ goto out;
+ }
+
+- priv->hw_type = cw1200_get_hw_type(val32, &major_revision);
+- if (priv->hw_type < 0) {
++ ret = cw1200_get_hw_type(val32, &major_revision);
++ if (ret < 0) {
+ pr_err("Can't deduce hardware type.\n");
+- ret = -ENOTSUPP;
+ goto out;
+ }
++ priv->hw_type = ret;
+
+ /* Set DPLL Reg value, and read back to confirm writes work */
+ ret = cw1200_reg_write_32(priv, ST90TDS_TSET_GEN_R_W_REG_ID,
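Review bot: The error path in cw1200_load_firmware() now returns whatever cw1200_get_hw_type() produced instead of -ENOTSUPP, a change the commit message does not mention. cw1200_get_hw_type() is not shown here; if it reports failure with a bare negative value rather than an errno, callers would see a misleading error code. Keeping `ret = -ENOTSUPP;` inside the `if (ret < 0)` branch preserves the old contract while still fixing the signedness bug. The function starts and ends outside the hunk.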
diff --git a/queue-3.16/drm-i810-prevent-underflow-in-ioctl.patch b/queue-3.16/drm-i810-prevent-underflow-in-ioctl.patch
new file mode 100644
index 00000000..ba3a7d9c
--- /dev/null
+++ b/queue-3.16/drm-i810-prevent-underflow-in-ioctl.patch
@@ -0,0 +1,38 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 4 Oct 2019 13:22:51 +0300
+Subject: drm/i810: Prevent underflow in ioctl
+
+commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.
+
+The "used" variables here come from the user in the ioctl and it can be
+negative. It could result in an out of bounds write.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/i810/i810_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i810/i810_dma.c
++++ b/drivers/gpu/drm/i810/i810_dma.c
+@@ -724,7 +724,7 @@ static void i810_dma_dispatch_vertex(str
+ if (nbox > I810_NR_SAREA_CLIPRECTS)
+ nbox = I810_NR_SAREA_CLIPRECTS;
+
+- if (used > 4 * 1024)
++ if (used < 0 || used > 4 * 1024)
+ used = 0;
+
+ if (sarea_priv->dirty)
+@@ -1044,7 +1044,7 @@ static void i810_dma_dispatch_mc(struct
+ if (u != I810_BUF_CLIENT)
+ DRM_DEBUG("MC found buffer that isn't mine!\n");
+
+- if (used > 4 * 1024)
++ if (used < 0 || used > 4 * 1024)
+ used = 0;
+
+ sarea_priv->dirty = 0x7f;
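Review bot: In both i810_dma_dispatch_vertex() and i810_dma_dispatch_mc() an out-of-range `used` is silently rewritten to 0 and the dispatch continues, so a caller passing a negative or oversized length gets no error back. The commit message says `used` comes from the user via the ioctl, so a short comment at each check would help, e.g. `/* used comes from the ioctl argument; out-of-range means dispatch nothing */`. The limit `4 * 1024` is repeated at both sites and would read better as one named constant shared by the two checks. Both function bodies extend beyond the hunks shown.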
diff --git a/queue-3.16/drm-i915-userptr-try-to-acquire-the-page-lock-around.patch b/queue-3.16/drm-i915-userptr-try-to-acquire-the-page-lock-around.patch
new file mode 100644
index 00000000..c87f4aa4
--- /dev/null
+++ b/queue-3.16/drm-i915-userptr-try-to-acquire-the-page-lock-around.patch
@@ -0,0 +1,78 @@
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 11 Nov 2019 13:32:03 +0000
+Subject: drm/i915/userptr: Try to acquire the page lock around
+ set_page_dirty()
+
+commit cee7fb437edcdb2f9f8affa959e274997f5dca4d upstream.
+
+set_page_dirty says:
+
+ For pages with a mapping this should be done under the page lock
+ for the benefit of asynchronous memory errors who prefer a
+ consistent dirty state. This rule can be broken in some special
+ cases, but should be better not to.
+
+Under those rules, it is only safe for us to use the plain set_page_dirty
+calls for shmemfs/anonymous memory. Userptr may be used with real
+mappings and so needs to use the locked version (set_page_dirty_lock).
+
+However, following a try_to_unmap() we may want to remove the userptr and
+so call put_pages(). However, try_to_unmap() acquires the page lock and
+so we must avoid recursively locking the pages ourselves -- which means
+that we cannot safely acquire the lock around set_page_dirty(). Since we
+can't be sure of the lock, we have to risk skip dirtying the page, or
+else risk calling set_page_dirty() without a lock and so risk fs
+corruption.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203317
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=112012
+Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl")
+References: cb6d7c7dc7ff ("drm/i915/userptr: Acquire the page lock around set_page_dirty()")
+References: 505a8ec7e11a ("Revert "drm/i915/userptr: Acquire the page lock around set_page_dirty()"")
+References: 6dcc693bc57f ("ext4: warn when page is dirtied without buffers")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191111133205.11590-1-chris@chris-wilson.co.uk
+(cherry picked from commit 0d4bbe3d407f79438dc4f87943db21f7134cfc65)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/i915/i915_gem_userptr.c | 22 ++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_userptr.c
++++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
+@@ -569,8 +569,28 @@ i915_gem_userptr_put_pages(struct drm_i9
+ for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
+ struct page *page = sg_page_iter_page(&sg_iter);
+
+- if (obj->dirty)
++ if (obj->dirty && trylock_page(page)) {
++ /*
++ * As this may not be anonymous memory (e.g. shmem)
++ * but exist on a real mapping, we have to lock
++ * the page in order to dirty it -- holding
++ * the page reference is not sufficient to
++ * prevent the inode from being truncated.
++ * Play safe and take the lock.
++ *
++ * However...!
++ *
++ * The mmu-notifier can be invalidated for a
++ * migrate_page, that is alreadying holding the lock
++ * on the page. Such a try_to_unmap() will result
++ * in us calling put_pages() and so recursively try
++ * to lock the page. We avoid that deadlock with
++ * a trylock_page() and in exchange we risk missing
++ * some page dirtying.
++ */
+ set_page_dirty(page);
++ unlock_page(page);
++ }
+
+ mark_page_accessed(page);
+ page_cache_release(page);
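Review bot: When trylock_page() fails in i915_gem_userptr_put_pages() the page is released without being dirtied and nothing records that this happened, which makes a lost write to a file-backed userptr hard to diagnose. The long comment explains the deadlock but sits inside the branch it justifies; placing it above the `if` and ending it with a line such as `a page we cannot lock is released clean, so its pending writes may be lost` would state the consequence where the decision is made. The comment also has a typo, "alreadying holding" for "already holding". The function starts and ends outside the hunk.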
diff --git a/queue-3.16/drm-radeon-fix-bad-dma-from-interrupt_cntl2.patch b/queue-3.16/drm-radeon-fix-bad-dma-from-interrupt_cntl2.patch
new file mode 100644
index 00000000..017a2e83
--- /dev/null
+++ b/queue-3.16/drm-radeon-fix-bad-dma-from-interrupt_cntl2.patch
@@ -0,0 +1,65 @@
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+Date: Mon, 18 Nov 2019 10:53:53 +1100
+Subject: drm/radeon: fix bad DMA from INTERRUPT_CNTL2
+
+commit 62d91dd2851e8ae2ca552f1b090a3575a4edf759 upstream.
+
+The INTERRUPT_CNTL2 register expects a valid DMA address, but is
+currently set with a GPU MC address. This can cause problems on
+systems that detect the resulting DMA read from an invalid address
+(found on a Power8 guest).
+
+Instead, use the DMA address of the dummy page because it will always
+be safe.
+
+Fixes: d8f60cfc9345 ("drm/radeon/kms: Add support for interrupts on r6xx/r7xx chips (v3)")
+Fixes: 25a857fbe973 ("drm/radeon/kms: add support for interrupts on SI")
+Fixes: a59781bbe528 ("drm/radeon: add support for interrupts on CIK (v5)")
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/cik.c | 4 ++--
+ drivers/gpu/drm/radeon/r600.c | 4 ++--
+ drivers/gpu/drm/radeon/si.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/cik.c
++++ b/drivers/gpu/drm/radeon/cik.c
+@@ -6875,8 +6875,8 @@ static int cik_irq_init(struct radeon_de
+ }
+
+ /* setup interrupt control */
+- /* XXX this should actually be a bus address, not an MC address. same on older asics */
+- WREG32(INTERRUPT_CNTL2, rdev->ih.gpu_addr >> 8);
++ /* set dummy read address to dummy page address */
++ WREG32(INTERRUPT_CNTL2, rdev->dummy_page.addr >> 8);
+ interrupt_cntl = RREG32(INTERRUPT_CNTL);
+ /* IH_DUMMY_RD_OVERRIDE=0 - dummy read disabled with msi, enabled without msi
+ * IH_DUMMY_RD_OVERRIDE=1 - dummy read controlled by IH_DUMMY_RD_EN
+--- a/drivers/gpu/drm/radeon/r600.c
++++ b/drivers/gpu/drm/radeon/r600.c
+@@ -3427,8 +3427,8 @@ int r600_irq_init(struct radeon_device *
+ }
+
+ /* setup interrupt control */
+- /* set dummy read address to ring address */
+- WREG32(INTERRUPT_CNTL2, rdev->ih.gpu_addr >> 8);
++ /* set dummy read address to dummy page address */
++ WREG32(INTERRUPT_CNTL2, rdev->dummy_page.addr >> 8);
+ interrupt_cntl = RREG32(INTERRUPT_CNTL);
+ /* IH_DUMMY_RD_OVERRIDE=0 - dummy read disabled with msi, enabled without msi
+ * IH_DUMMY_RD_OVERRIDE=1 - dummy read controlled by IH_DUMMY_RD_EN
+--- a/drivers/gpu/drm/radeon/si.c
++++ b/drivers/gpu/drm/radeon/si.c
+@@ -5749,8 +5749,8 @@ static int si_irq_init(struct radeon_dev
+ }
+
+ /* setup interrupt control */
+- /* set dummy read address to ring address */
+- WREG32(INTERRUPT_CNTL2, rdev->ih.gpu_addr >> 8);
++ /* set dummy read address to dummy page address */
++ WREG32(INTERRUPT_CNTL2, rdev->dummy_page.addr >> 8);
+ interrupt_cntl = RREG32(INTERRUPT_CNTL);
+ /* IH_DUMMY_RD_OVERRIDE=0 - dummy read disabled with msi, enabled without msi
+ * IH_DUMMY_RD_OVERRIDE=1 - dummy read controlled by IH_DUMMY_RD_EN
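Review bot: `rdev->dummy_page.addr >> 8` is written through WREG32 in cik_irq_init(), r600_irq_init() and si_irq_init(), so only 32 bits of the shifted DMA address reach the register and any higher bits would be dropped without notice. Whether the device's DMA mask already guarantees the dummy page sits low enough is not visible in these hunks. Once confirmed, the new comment could say so, e.g. `/* dummy read address: dummy page DMA address, bits above 39 must be clear */`. All three functions continue outside the hunks.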
diff --git a/queue-3.16/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch b/queue-3.16/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch
new file mode 100644
index 00000000..ebe09df0
--- /dev/null
+++ b/queue-3.16/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch
@@ -0,0 +1,46 @@
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 26 Nov 2019 09:41:46 -0500
+Subject: drm/radeon: fix r1xx/r2xx register checker for POT textures
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 008037d4d972c9c47b273e40e52ae34f9d9e33e7 upstream.
+
+Shift and mask were reversed. Noticed by chance.
+
+Tested-by: Meelis Roos <mroos@linux.ee>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/r100.c | 4 ++--
+ drivers/gpu/drm/radeon/r200.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -1810,8 +1810,8 @@ static int r100_packet0_check(struct rad
+ track->textures[i].use_pitch = 1;
+ } else {
+ track->textures[i].use_pitch = 0;
+- track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK);
+- track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK);
++ track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT);
++ track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT);
+ }
+ if (idx_value & RADEON_TXFORMAT_CUBIC_MAP_ENABLE)
+ track->textures[i].tex_coord_type = 2;
+--- a/drivers/gpu/drm/radeon/r200.c
++++ b/drivers/gpu/drm/radeon/r200.c
+@@ -473,8 +473,8 @@ int r200_packet0_check(struct radeon_cs_
+ track->textures[i].use_pitch = 1;
+ } else {
+ track->textures[i].use_pitch = 0;
+- track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK);
+- track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK);
++ track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT);
++ track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT);
+ }
+ if (idx_value & R200_TXFORMAT_LOOKUP_DISABLE)
+ track->textures[i].lookup_disable = true;
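Review bot: The corrected mask-then-shift expression is written out four times across r100_packet0_check() and r200_packet0_check(), which is how the reversed order went unnoticed in both files. A small accessor used at all four sites, e.g. `#define RADEON_TXFORMAT_LOG2(v, f) (((v) & RADEON_TXFORMAT_##f##_MASK) >> RADEON_TXFORMAT_##f##_SHIFT)`, would keep the order in one place. `idx_value` appears to come from the command stream being checked and the extracted field is used as the count of a signed `1 <<`; the mask definitions are not shown, so it is worth confirming the field cannot reach 31. Both functions extend beyond the hunks.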
diff --git a/queue-3.16/ext2-check-err-when-partial-null.patch b/queue-3.16/ext2-check-err-when-partial-null.patch
new file mode 100644
index 00000000..cd708d11
--- /dev/null
+++ b/queue-3.16/ext2-check-err-when-partial-null.patch
@@ -0,0 +1,38 @@
+From: Chengguang Xu <cgxu519@mykernel.net>
+Date: Tue, 5 Nov 2019 12:51:00 +0800
+Subject: ext2: check err when partial != NULL
+
+commit e705f4b8aa27a59f8933e8f384e9752f052c469c upstream.
+
+Check err when partial == NULL is meaningless because
+partial == NULL means getting branch successfully without
+error.
+
+Link: https://lore.kernel.org/r/20191105045100.7104-1-cgxu519@mykernel.net
+Signed-off-by: Chengguang Xu <cgxu519@mykernel.net>
+Signed-off-by: Jan Kara <jack@suse.cz>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext2/inode.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ext2/inode.c
++++ b/fs/ext2/inode.c
+@@ -696,11 +696,14 @@ static int ext2_get_blocks(struct inode
+ if (!partial) {
+ count++;
+ mutex_unlock(&ei->truncate_mutex);
+- if (err)
+- goto cleanup;
+ clear_buffer_new(bh_result);
+ goto got_it;
+ }
++
++ if (err) {
++ mutex_unlock(&ei->truncate_mutex);
++ goto cleanup;
++ }
+ }
+
+ /*
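Review bot: The new `if (err)` block in ext2_get_blocks() relies on `partial` being non-NULL at that point, but nothing in the code says so, and the unlock-then-goto sequence now appears twice a few lines apart. A comment above the check such as `/* partial != NULL: the branch lookup stopped early, so err is meaningful */` would capture the reasoning that currently lives only in the commit message. The enclosing block and the `cleanup` and `got_it` labels are outside the hunk.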
diff --git a/queue-3.16/ext4-work-around-deleting-a-file-with-i_nlink-0-safely.patch b/queue-3.16/ext4-work-around-deleting-a-file-with-i_nlink-0-safely.patch
new file mode 100644
index 00000000..8d3b2a6d
--- /dev/null
+++ b/queue-3.16/ext4-work-around-deleting-a-file-with-i_nlink-0-safely.patch
@@ -0,0 +1,56 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 11 Nov 2019 22:18:13 -0500
+Subject: ext4: work around deleting a file with i_nlink == 0 safely
+
+commit c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 upstream.
+
+If the file system is corrupted such that a file's i_links_count is
+too small, then it's possible that when unlinking that file, i_nlink
+will already be zero. Previously we were working around this kind of
+corruption by forcing i_nlink to one; but we were doing this before
+trying to delete the directory entry --- and if the file system is
+corrupted enough that ext4_delete_entry() fails, then we exit with
+i_nlink elevated, and this causes the orphan inode list handling to be
+FUBAR'ed, such that when we unmount the file system, the orphan inode
+list can get corrupted.
+
+A better way to fix this is to simply skip trying to call drop_nlink()
+if i_nlink is already zero, thus moving the check to the place where
+it makes the most sense.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=205433
+
+Link: https://lore.kernel.org/r/20191112032903.8828-1-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+[bwh: Backported to 3.16: Log message and function are different]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2830,19 +2830,18 @@ static int ext4_unlink(struct inode *dir
+ if (IS_DIRSYNC(dir))
+ ext4_handle_sync(handle);
+
+- if (!inode->i_nlink) {
+- ext4_warning(inode->i_sb,
+- "Deleting nonexistent file (%lu), %d",
+- inode->i_ino, inode->i_nlink);
+- set_nlink(inode, 1);
+- }
+ retval = ext4_delete_entry(handle, dir, de, bh);
+ if (retval)
+ goto end_unlink;
+ dir->i_ctime = dir->i_mtime = ext4_current_time(dir);
+ ext4_update_dx_flag(dir);
+ ext4_mark_inode_dirty(handle, dir);
+- drop_nlink(inode);
++ if (inode->i_nlink == 0)
++ ext4_warning(inode->i_sb,
++ "Deleting nonexistent file (%lu), %d",
++ inode->i_ino, inode->i_nlink);
++ else
++ drop_nlink(inode);
+ if (!inode->i_nlink)
+ ext4_orphan_add(handle, inode);
+ inode->i_ctime = ext4_current_time(inode);
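Review bot: In the new `inode->i_nlink == 0` branch of ext4_unlink() the warning still formats `inode->i_nlink`, which is always 0 on that path, so the trailing `%d` adds nothing to the log. Dropping it, as in `ext4_warning(inode->i_sb, "Deleting nonexistent file (%lu)", inode->i_ino);`, keeps the message accurate. A comment such as `/* corrupted link count: do not underflow; the orphan-add below still runs */` would explain why drop_nlink() is skipped. The function starts and ends outside the hunk.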
diff --git a/queue-3.16/fuse-verify-attributes.patch b/queue-3.16/fuse-verify-attributes.patch
new file mode 100644
index 00000000..a7be0f7e
--- /dev/null
+++ b/queue-3.16/fuse-verify-attributes.patch
@@ -0,0 +1,118 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 12 Nov 2019 11:49:04 +0100
+Subject: fuse: verify attributes
+
+commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream.
+
+If a filesystem returns negative inode sizes, future reads on the file were
+causing the cpu to spin on truncate_pagecache.
+
+Create a helper to validate the attributes. This now does two things:
+
+ - check the file mode
+ - check if the file size fits in i_size without overflowing
+
+Reported-by: Arijit Banerjee <arijit@rubrik.com>
+Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/fuse/dir.c | 24 +++++++++++++++++-------
+ fs/fuse/fuse_i.h | 2 ++
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -250,7 +250,8 @@ static int fuse_dentry_revalidate(struct
+ spin_unlock(&fc->lock);
+ }
+ kfree(forget);
+- if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
++ if (err || fuse_invalid_attr(&outarg.attr) ||
++ (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
+ goto invalid;
+
+ fuse_change_attributes(inode, &outarg.attr,
+@@ -295,6 +296,12 @@ int fuse_valid_type(int m)
+ S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);
+ }
+
++bool fuse_invalid_attr(struct fuse_attr *attr)
++{
++ return !fuse_valid_type(attr->mode) ||
++ attr->size > LLONG_MAX;
++}
++
+ int fuse_lookup_name(struct super_block *sb, u64 nodeid, struct qstr *name,
+ struct fuse_entry_out *outarg, struct inode **inode)
+ {
+@@ -334,7 +341,7 @@ int fuse_lookup_name(struct super_block
+ err = -EIO;
+ if (!outarg->nodeid)
+ goto out_put_forget;
+- if (!fuse_valid_type(outarg->attr.mode))
++ if (fuse_invalid_attr(&outarg->attr))
+ goto out_put_forget;
+
+ *inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
+@@ -464,7 +471,8 @@ static int fuse_create_open(struct inode
+ goto out_free_ff;
+
+ err = -EIO;
+- if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid))
++ if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||
++ fuse_invalid_attr(&outentry.attr))
+ goto out_free_ff;
+
+ fuse_put_request(fc, req);
+@@ -580,7 +588,7 @@ static int create_new_entry(struct fuse_
+ goto out_put_forget_req;
+
+ err = -EIO;
+- if (invalid_nodeid(outarg.nodeid))
++ if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))
+ goto out_put_forget_req;
+
+ if ((outarg.attr.mode ^ mode) & S_IFMT)
+@@ -971,7 +979,8 @@ static int fuse_do_getattr(struct inode
+ err = req->out.h.error;
+ fuse_put_request(fc, req);
+ if (!err) {
+- if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
++ if (fuse_invalid_attr(&outarg.attr) ||
++ (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+ make_bad_inode(inode);
+ err = -EIO;
+ } else {
+@@ -1282,7 +1291,7 @@ static int fuse_direntplus_link(struct f
+
+ if (invalid_nodeid(o->nodeid))
+ return -EIO;
+- if (!fuse_valid_type(o->attr.mode))
++ if (fuse_invalid_attr(&o->attr))
+ return -EIO;
+
+ fc = get_fuse_conn(dir);
+@@ -1794,7 +1803,8 @@ int fuse_do_setattr(struct dentry *dentr
+ goto error;
+ }
+
+- if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
++ if (fuse_invalid_attr(&outarg.attr) ||
++ (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+ make_bad_inode(inode);
+ err = -EIO;
+ goto error;
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -828,6 +828,8 @@ void fuse_ctl_remove_conn(struct fuse_co
+ */
+ int fuse_valid_type(int m);
+
++bool fuse_invalid_attr(struct fuse_attr *attr);
++
+ /**
+ * Is current process allowed to perform filesystem operation?
+ */
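Review bot: fuse_invalid_attr() is declared in fuse_i.h without a comment, although the declarations around it carry one, and it takes a non-const pointer even though it only reads `mode` and `size`. Suggest `bool fuse_invalid_attr(const struct fuse_attr *attr);` in the header and the matching definition in dir.c, with a header comment such as `/** Is this attribute set unusable (bad file type, or size above LLONG_MAX)? */`. Since the attributes are supplied by the userspace filesystem, the comment could also state that every reply carrying a fuse_attr is expected to pass this check before the inode is updated. The call sites shown sit inside functions that extend beyond the hunks.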
diff --git a/queue-3.16/fuse-verify-nlink.patch b/queue-3.16/fuse-verify-nlink.patch
new file mode 100644
index 00000000..a30689b7
--- /dev/null
+++ b/queue-3.16/fuse-verify-nlink.patch
@@ -0,0 +1,28 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 12 Nov 2019 11:49:04 +0100
+Subject: fuse: verify nlink
+
+commit c634da718db9b2fac201df2ae1b1b095344ce5eb upstream.
+
+When adding a new hard link, make sure that i_nlink doesn't overflow.
+
+Fixes: ac45d61357e8 ("fuse: fix nlink after unlink")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/fuse/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -890,7 +890,8 @@ static int fuse_link(struct dentry *entr
+
+ spin_lock(&fc->lock);
+ fi->attr_version = ++fc->attr_version;
+- inc_nlink(inode);
++ if (likely(inode->i_nlink < UINT_MAX))
++ inc_nlink(inode);
+ spin_unlock(&fc->lock);
+ fuse_invalidate_attr(inode);
+ fuse_update_ctime(inode);
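Review bot: When `inode->i_nlink` is already UINT_MAX, fuse_link() now skips inc_nlink() silently, and the code does not say why that is acceptable. A comment above the check, e.g. `/* saturate instead of wrapping; attributes are invalidated just below */`, would document the choice. The function starts and ends outside the hunk.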
diff --git a/queue-3.16/futex-prevent-robust-futex-exit-race.patch b/queue-3.16/futex-prevent-robust-futex-exit-race.patch
new file mode 100644
index 00000000..2bf8c6dc
--- /dev/null
+++ b/queue-3.16/futex-prevent-robust-futex-exit-race.patch
@@ -0,0 +1,266 @@
+From: Yang Tao <yang.tao172@zte.com.cn>
+Date: Wed, 6 Nov 2019 22:55:35 +0100
+Subject: futex: Prevent robust futex exit race
+
+commit ca16d5bee59807bf04deaab0a8eccecd5061528c upstream.
+
+Robust futexes utilize the robust_list mechanism to allow the kernel to
+release futexes which are held when a task exits. The exit can be voluntary
+or caused by a signal or fault. This prevents that waiters block forever.
+
+The futex operations in user space store a pointer to the futex they are
+either locking or unlocking in the op_pending member of the per task robust
+list.
+
+After a lock operation has succeeded the futex is queued in the robust list
+linked list and the op_pending pointer is cleared.
+
+After an unlock operation has succeeded the futex is removed from the
+robust list linked list and the op_pending pointer is cleared.
+
+The robust list exit code checks for the pending operation and any futex
+which is queued in the linked list. It carefully checks whether the futex
+value is the TID of the exiting task. If so, it sets the OWNER_DIED bit and
+tries to wake up a potential waiter.
+
+This is race free for the lock operation but unlock has two race scenarios
+where waiters might not be woken up. These issues can be observed with
+regular robust pthread mutexes. PI aware pthread mutexes are not affected.
+
+(1) Unlocking task is killed after unlocking the futex value in user space
+ before being able to wake a waiter.
+
+ pthread_mutex_unlock()
+ |
+ V
+ atomic_exchange_rel (&mutex->__data.__lock, 0)
+ <------------------------killed
+ lll_futex_wake () |
+ |
+ |(__lock = 0)
+ |(enter kernel)
+ |
+ V
+ do_exit()
+ exit_mm()
+ mm_release()
+ exit_robust_list()
+ handle_futex_death()
+ |
+ |(__lock = 0)
+ |(uval = 0)
+ |
+ V
+ if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
+ return 0;
+
+ The sanity check which ensures that the user space futex is owned by
+ the exiting task prevents the wakeup of waiters which in consequence
+ block infinitely.
+
+(2) Waiting task is killed after a wakeup and before it can acquire the
+ futex in user space.
+
+ OWNER WAITER
+ futex_wait()
+ pthread_mutex_unlock() |
+ | |
+ |(__lock = 0) |
+ | |
+ V |
+ futex_wake() ------------> wakeup()
+ |
+ |(return to userspace)
+ |(__lock = 0)
+ |
+ V
+ oldval = mutex->__data.__lock
+ <-----------------killed
+ atomic_compare_and_exchange_val_acq (&mutex->__data.__lock, |
+ id | assume_other_futex_waiters, 0) |
+ |
+ |
+ (enter kernel)|
+ |
+ V
+ do_exit()
+ |
+ |
+ V
+ handle_futex_death()
+ |
+ |(__lock = 0)
+ |(uval = 0)
+ |
+ V
+ if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
+ return 0;
+
+ The sanity check which ensures that the user space futex is owned
+ by the exiting task prevents the wakeup of waiters, which seems to
+ be correct as the exiting task does not own the futex value, but
+ the consequence is that other waiters wont be woken up and block
+ infinitely.
+
+In both scenarios the following conditions are true:
+
+ - task->robust_list->list_op_pending != NULL
+ - user space futex value == 0
+ - Regular futex (not PI)
+
+If these conditions are met then it is reasonably safe to wake up a
+potential waiter in order to prevent the above problems.
+
+As this might be a false positive it can cause spurious wakeups, but the
+waiter side has to handle other types of unrelated wakeups, e.g. signals
+gracefully anyway. So such a spurious wakeup will not affect the
+correctness of these operations.
+
+This workaround must not touch the user space futex value and cannot set
+the OWNER_DIED bit because the lock value is 0, i.e. uncontended. Setting
+OWNER_DIED in this case would result in inconsistent state and subsequently
+in malfunction of the owner died handling in user space.
+
+The rest of the user space state is still consistent as no other task can
+observe the list_op_pending entry in the exiting tasks robust list.
+
+The eventually woken up waiter will observe the uncontended lock value and
+take it over.
+
+[ tglx: Massaged changelog and comment. Made the return explicit and not
+ depend on the subsequent check and added constants to hand into
+ handle_futex_death() instead of plain numbers. Fixed a few coding
+ style issues. ]
+
+Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
+Signed-off-by: Yang Tao <yang.tao172@zte.com.cn>
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/1573010582-35297-1-git-send-email-wang.yi59@zte.com.cn
+Link: https://lkml.kernel.org/r/20191106224555.943191378@linutronix.de
+[bwh: Backported to 3.16: Implementation is split between futex.c and
+ futex_compat.c, with common definitions in <linux/futex.h>]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2905,7 +2905,8 @@ err_unlock:
+ * Process a futex-list entry, check whether it's owned by the
+ * dying task, and do notification if so:
+ */
+-int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
++int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
++ bool pi, bool pending_op)
+ {
+ u32 uval, uninitialized_var(nval), mval;
+
+@@ -2917,6 +2918,42 @@ retry:
+ if (get_user(uval, uaddr))
+ return -1;
+
++ /*
++ * Special case for regular (non PI) futexes. The unlock path in
++ * user space has two race scenarios:
++ *
++ * 1. The unlock path releases the user space futex value and
++ * before it can execute the futex() syscall to wake up
++ * waiters it is killed.
++ *
++ * 2. A woken up waiter is killed before it can acquire the
++ * futex in user space.
++ *
++ * In both cases the TID validation below prevents a wakeup of
++ * potential waiters which can cause these waiters to block
++ * forever.
++ *
++ * In both cases the following conditions are met:
++ *
++ * 1) task->robust_list->list_op_pending != NULL
++ * @pending_op == true
++ * 2) User space futex value == 0
++ * 3) Regular futex: @pi == false
++ *
++ * If these conditions are met, it is safe to attempt waking up a
++ * potential waiter without touching the user space futex value and
++ * trying to set the OWNER_DIED bit. The user space futex value is
++ * uncontended and the rest of the user space mutex state is
++ * consistent, so a woken waiter will just take over the
++ * uncontended futex. Setting the OWNER_DIED bit would create
++ * inconsistent state and malfunction of the user space owner died
++ * handling.
++ */
++ if (pending_op && !pi && !uval) {
++ futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
++ return 0;
++ }
++
+ if ((uval & FUTEX_TID_MASK) == task_pid_vnr(curr)) {
+ /*
+ * Ok, this dying thread is truly holding a futex
+@@ -3021,10 +3058,11 @@ void exit_robust_list(struct task_struct
+ * A pending lock might already be on the list, so
+ * don't process it twice:
+ */
+- if (entry != pending)
++ if (entry != pending) {
+ if (handle_futex_death((void __user *)entry + futex_offset,
+- curr, pi))
++ curr, pi, HANDLE_DEATH_LIST))
+ return;
++ }
+ if (rc)
+ return;
+ entry = next_entry;
+@@ -3038,9 +3076,10 @@ void exit_robust_list(struct task_struct
+ cond_resched();
+ }
+
+- if (pending)
++ if (pending) {
+ handle_futex_death((void __user *)pending + futex_offset,
+- curr, pip);
++ curr, pip, HANDLE_DEATH_PENDING);
++ }
+ }
+
+ long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
+--- a/kernel/futex_compat.c
++++ b/kernel/futex_compat.c
+@@ -94,7 +94,8 @@ void compat_exit_robust_list(struct task
+ if (entry != pending) {
+ void __user *uaddr = futex_uaddr(entry, futex_offset);
+
+- if (handle_futex_death(uaddr, curr, pi))
++ if (handle_futex_death(uaddr, curr, pi,
++ HANDLE_DEATH_LIST))
+ return;
+ }
+ if (rc)
+@@ -113,7 +114,7 @@ void compat_exit_robust_list(struct task
+ if (pending) {
+ void __user *uaddr = futex_uaddr(pending, futex_offset);
+
+- handle_futex_death(uaddr, curr, pip);
++ handle_futex_death(uaddr, curr, pip, HANDLE_DEATH_PENDING);
+ }
+ }
+
+--- a/include/linux/futex.h
++++ b/include/linux/futex.h
+@@ -11,8 +11,13 @@ union ktime;
+ long do_futex(u32 __user *uaddr, int op, u32 val, union ktime *timeout,
+ u32 __user *uaddr2, u32 val2, u32 val3);
+
++/* Constants for the pending_op argument of handle_futex_death */
++#define HANDLE_DEATH_PENDING true
++#define HANDLE_DEATH_LIST false
++
+ extern int
+-handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi);
++handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
++ bool pi, bool pending_op);
+
+ /*
+ * Futexes are matched on equal values of this key.
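Review bot: The added early return in handle_futex_death() calls `futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY)` with two bare `1`s, which hides which one is the flags word and which is the wake count. The same patch introduces `HANDLE_DEATH_PENDING` and `HANDLE_DEATH_LIST` precisely to avoid plain numbers at the call sites, so this call deserves the same care. If the first `1` is meant as the shared-futex flag, a trailing comment such as `/* flags: shared, nr_wake: 1 */` would make that checkable. The function continues outside the hunk, so any existing wake call further down should be kept consistent with whatever is chosen here.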
diff --git a/queue-3.16/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-only-if-not.patch b/queue-3.16/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-only-if-not.patch
new file mode 100644
index 00000000..c295ac05
--- /dev/null
+++ b/queue-3.16/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-only-if-not.patch
@@ -0,0 +1,42 @@
+From: Tony Lindgren <tony@atomide.com>
+Date: Sat, 14 Sep 2019 14:02:56 -0700
+Subject: hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not
+ idled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit eaecce12f5f0d2c35d278e41e1bc4522393861ab upstream.
+
+When unloading omap3-rom-rng, we'll get the following:
+
+WARNING: CPU: 0 PID: 100 at drivers/clk/clk.c:948 clk_core_disable
+
+This is because the clock may be already disabled by omap3_rom_rng_idle().
+Let's fix the issue by checking for rng_idle on exit.
+
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Adam Ford <aford173@gmail.com>
+Cc: Pali Rohár <pali.rohar@gmail.com>
+Cc: Sebastian Reichel <sre@kernel.org>
+Cc: Tero Kristo <t-kristo@ti.com>
+Fixes: 1c6b7c2108bd ("hwrng: OMAP3 ROM Random Number Generator support")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/char/hw_random/omap3-rom-rng.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/omap3-rom-rng.c
++++ b/drivers/char/hw_random/omap3-rom-rng.c
+@@ -119,7 +119,8 @@ static int omap3_rom_rng_probe(struct pl
+ static int omap3_rom_rng_remove(struct platform_device *pdev)
+ {
+ hwrng_unregister(&omap3_rom_rng_ops);
+- clk_disable_unprepare(rng_clk);
++ if (!rng_idle)
++ clk_disable_unprepare(rng_clk);
+ return 0;
+ }
+
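Review bot: The new `if (!rng_idle)` test in omap3_rom_rng_remove() reads the flag with nothing visible in the hunk that stops the idle path from changing it at the same moment. The commit message says the clock may already have been disabled by omap3_rom_rng_idle(). If that function runs from deferred work (not visible here), the work should be cancelled and waited for before the flag is read, otherwise the clock can still be disabled twice or left enabled. At minimum a comment such as `/* rng_idle set: omap3_rom_rng_idle() already disabled the clock */` would state the invariant the check relies on.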
diff --git a/queue-3.16/iio-adis16480-add-debugfs_reg_access-entry.patch b/queue-3.16/iio-adis16480-add-debugfs_reg_access-entry.patch
new file mode 100644
index 00000000..30f8094d
--- /dev/null
+++ b/queue-3.16/iio-adis16480-add-debugfs_reg_access-entry.patch
@@ -0,0 +1,33 @@
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Mon, 28 Oct 2019 17:33:49 +0100
+Subject: iio: adis16480: Add debugfs_reg_access entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 4c35b7a51e2f291471f7221d112c6a45c63e83bc upstream.
+
+The driver is defining debugfs entries by calling
+`adis16480_debugfs_init()`. However, those entries are attached to the
+iio_dev debugfs entry which won't exist if no debugfs_reg_access
+callback is provided.
+
+Fixes: 2f3abe6cbb6c ("iio:imu: Add support for the ADIS16480 and similar IMUs")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/imu/adis16480.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -760,6 +760,7 @@ static const struct iio_info adis16480_i
+ .read_raw = &adis16480_read_raw,
+ .write_raw = &adis16480_write_raw,
+ .update_scan_mode = adis_update_scan_mode,
++ .debugfs_reg_access = adis_debugfs_reg_access,
+ .driver_module = THIS_MODULE,
+ };
+
diff --git a/queue-3.16/iio-imu-adis16480-assign-bias-value-only-if-operation-succeeded.patch b/queue-3.16/iio-imu-adis16480-assign-bias-value-only-if-operation-succeeded.patch
new file mode 100644
index 00000000..48dd61bd
--- /dev/null
+++ b/queue-3.16/iio-imu-adis16480-assign-bias-value-only-if-operation-succeeded.patch
@@ -0,0 +1,41 @@
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Fri, 1 Nov 2019 11:35:03 +0200
+Subject: iio: imu: adis16480: assign bias value only if operation succeeded
+
+commit 9b742763d9d4195e823ae6ece760c9ed0500c1dc upstream.
+
+This was found only after the whole thing with the inline functions, but
+the compiler actually found something. The value of the `bias` (in
+adis16480_get_calibbias()) should only be set if the read operation was
+successful.
+
+No actual known problem occurs as users of this function all
+ultimately check the return value. Hence probably not stable material.
+
+Fixes: 2f3abe6cbb6c9 ("iio:imu: Add support for the ADIS16480 and similar IMUs")
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/imu/adis16480.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -405,12 +405,14 @@ static int adis16480_get_calibbias(struc
+ case IIO_MAGN:
+ case IIO_PRESSURE:
+ ret = adis_read_reg_16(&st->adis, reg, &val16);
+- *bias = sign_extend32(val16, 15);
++ if (ret == 0)
++ *bias = sign_extend32(val16, 15);
+ break;
+ case IIO_ANGL_VEL:
+ case IIO_ACCEL:
+ ret = adis_read_reg_32(&st->adis, reg, &val32);
+- *bias = sign_extend32(val32, 31);
++ if (ret == 0)
++ *bias = sign_extend32(val32, 31);
+ break;
+ default:
+ ret = -EINVAL;
diff --git a/queue-3.16/inet-protect-against-too-small-mtu-values.patch b/queue-3.16/inet-protect-against-too-small-mtu-values.patch
new file mode 100644
index 00000000..d6f5033f
--- /dev/null
+++ b/queue-3.16/inet-protect-against-too-small-mtu-values.patch
@@ -0,0 +1,178 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Dec 2019 20:43:46 -0800
+Subject: inet: protect against too small mtu values.
+
+commit 501a90c945103e8627406763dac418f20f3837b2 upstream.
+
+syzbot was once again able to crash a host by setting a very small mtu
+on loopback device.
+
+Let's make inetdev_valid_mtu() available in include/net/ip.h,
+and use it in ip_setup_cork(), so that we protect both ip_append_page()
+and __ip_append_data()
+
+Also add a READ_ONCE() when the device mtu is read.
+
+Pairs this lockless read with one WRITE_ONCE() in __dev_set_mtu(),
+even if other code paths might write over this field.
+
+Add a big comment in include/linux/netdevice.h about dev->mtu
+needing READ_ONCE()/WRITE_ONCE() annotations.
+
+Hopefully we will add the missing ones in followup patches.
+
+[1]
+
+refcount_t: saturated; leaking memory.
+WARNING: CPU: 0 PID: 9464 at lib/refcount.c:22 refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 0 PID: 9464 Comm: syz-executor850 Not tainted 5.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ panic+0x2e3/0x75c kernel/panic.c:221
+ __warn.cold+0x2f/0x3e kernel/panic.c:582
+ report_bug+0x289/0x300 lib/bug.c:195
+ fixup_bug arch/x86/kernel/traps.c:174 [inline]
+ fixup_bug arch/x86/kernel/traps.c:169 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
+ do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
+ invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
+RIP: 0010:refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
+Code: 06 31 ff 89 de e8 c8 f5 e6 fd 84 db 0f 85 6f ff ff ff e8 7b f4 e6 fd 48 c7 c7 e0 71 4f 88 c6 05 56 a6 a4 06 01 e8 c7 a8 b7 fd <0f> 0b e9 50 ff ff ff e8 5c f4 e6 fd 0f b6 1d 3d a6 a4 06 31 ff 89
+RSP: 0018:ffff88809689f550 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff815e4336 RDI: ffffed1012d13e9c
+RBP: ffff88809689f560 R08: ffff88809c50a3c0 R09: fffffbfff15d31b1
+R10: fffffbfff15d31b0 R11: ffffffff8ae98d87 R12: 0000000000000001
+R13: 0000000000040100 R14: ffff888099041104 R15: ffff888218d96e40
+ refcount_add include/linux/refcount.h:193 [inline]
+ skb_set_owner_w+0x2b6/0x410 net/core/sock.c:1999
+ sock_wmalloc+0xf1/0x120 net/core/sock.c:2096
+ ip_append_page+0x7ef/0x1190 net/ipv4/ip_output.c:1383
+ udp_sendpage+0x1c7/0x480 net/ipv4/udp.c:1276
+ inet_sendpage+0xdb/0x150 net/ipv4/af_inet.c:821
+ kernel_sendpage+0x92/0xf0 net/socket.c:3794
+ sock_sendpage+0x8b/0xc0 net/socket.c:936
+ pipe_to_sendpage+0x2da/0x3c0 fs/splice.c:458
+ splice_from_pipe_feed fs/splice.c:512 [inline]
+ __splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636
+ splice_from_pipe+0x108/0x170 fs/splice.c:671
+ generic_splice_sendpage+0x3c/0x50 fs/splice.c:842
+ do_splice_from fs/splice.c:861 [inline]
+ direct_splice_actor+0x123/0x190 fs/splice.c:1035
+ splice_direct_to_actor+0x3b4/0xa30 fs/splice.c:990
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1078
+ do_sendfile+0x597/0xd00 fs/read_write.c:1464
+ __do_sys_sendfile64 fs/read_write.c:1525 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1511 [inline]
+ __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x441409
+Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fffb64c4f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409
+RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
+RBP: 0000000000073b8a R08: 0000000000000010 R09: 0000000000000010
+R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000402180
+R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
+Kernel Offset: disabled
+Rebooting in 86400 seconds..
+
+Fixes: 1470ddf7f8ce ("inet: Remove explicit write references to sk/inet in ip_append_data")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16:
+ - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
+ - Keep using literal 68 instead of IPV4_MIN_MTU
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/netdevice.h | 5 +++++
+ include/net/ip.h | 5 +++++
+ net/core/dev.c | 3 ++-
+ net/ipv4/devinet.c | 5 -----
+ net/ipv4/ip_output.c | 14 +++++++++-----
+ 5 files changed, 21 insertions(+), 11 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1345,6 +1345,11 @@ struct net_device {
+ unsigned char if_port; /* Selectable AUI, TP,..*/
+ unsigned char dma; /* DMA channel */
+
++ /* Note : dev->mtu is often read without holding a lock.
++ * Writers usually hold RTNL.
++ * It is recommended to use ACCESS_ONCE() to annotate the reads
++ * and writes.
++ */
+ unsigned int mtu; /* interface MTU value */
+ unsigned short type; /* interface hardware type */
+ unsigned short hard_header_len; /* hardware hdr length */
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -522,4 +522,9 @@ void ip_local_error(struct sock *sk, int
+ int ip_misc_proc_init(void);
+ #endif
+
++static inline bool inetdev_valid_mtu(unsigned int mtu)
++{
++ return likely(mtu >= 68);
++}
++
+ #endif /* _IP_H */
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5680,7 +5680,8 @@ static int __dev_set_mtu(struct net_devi
+ if (ops->ndo_change_mtu)
+ return ops->ndo_change_mtu(dev, new_mtu);
+
+- dev->mtu = new_mtu;
++ /* Pairs with all the lockless reads of dev->mtu in the stack */
++ ACCESS_ONCE(dev->mtu) = new_mtu;
+ return 0;
+ }
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1318,11 +1318,6 @@ skip:
+ }
+ }
+
+-static bool inetdev_valid_mtu(unsigned int mtu)
+-{
+- return mtu >= 68;
+-}
+-
+ static void inetdev_send_gratuitous_arp(struct net_device *dev,
+ struct in_device *in_dev)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1106,13 +1106,17 @@ static int ip_setup_cork(struct sock *sk
+ rt = *rtp;
+ if (unlikely(!rt))
+ return -EFAULT;
+- /*
+- * We steal reference to this route, caller should not release it
+- */
+- *rtp = NULL;
++
+ cork->fragsize = ip_sk_use_pmtu(sk) ?
+- dst_mtu(&rt->dst) : rt->dst.dev->mtu;
++ dst_mtu(&rt->dst) : ACCESS_ONCE(rt->dst.dev->mtu);
++
++ if (!inetdev_valid_mtu(cork->fragsize))
++ return -ENETUNREACH;
++
+ cork->dst = &rt->dst;
++ /* We stole this route, caller should not release it. */
++ *rtp = NULL;
++
+ cork->length = 0;
+ cork->ttl = ipc->ttl;
+ cork->tos = ipc->tos;
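Review bot: `inetdev_valid_mtu()` is moved into include/net/ip.h and now gates ip_setup_cork(), but its bound is still the bare literal `68` with no explanation in the shared header. A comment above the helper, e.g. `/* 68 is the smallest IPv4 MTU permitted by RFC 791 */`, would tell readers why smaller values are answered with `-ENETUNREACH`. The backport note says the named constant is deliberately not used on 3.16, so a comment is the least intrusive fix.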
diff --git a/queue-3.16/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch b/queue-3.16/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
new file mode 100644
index 00000000..4e3a4d7c
--- /dev/null
+++ b/queue-3.16/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
@@ -0,0 +1,92 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 7 Nov 2019 10:30:42 -0800
+Subject: inetpeer: fix data-race in inet_putpeer / inet_putpeer
+
+commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 upstream.
+
+We need to explicitely forbid read/store tearing in inet_peer_gc()
+and inet_putpeer().
+
+The following syzbot report reminds us about inet_putpeer()
+running without a lock held.
+
+BUG: KCSAN: data-race in inet_putpeer / inet_putpeer
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4b9d9be839fd ("inetpeer: remove unused list")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16:
+ - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
+ - Adjust context, indentation]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/inetpeer.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -419,7 +419,12 @@ static int inet_peer_gc(struct inet_peer
+ p = rcu_deref_locked(**stackptr, base);
+ if (atomic_read(&p->refcnt) == 0) {
+ smp_rmb();
+- delta = (__u32)jiffies - p->dtime;
++
++ /* The ACCESS_ONCE() pairs with the ACCESS_ONCE()
++ * in inet_putpeer()
++ */
++ delta = (__u32)jiffies - ACCESS_ONCE(p->dtime);
++
+ if (delta >= ttl &&
+ atomic_cmpxchg(&p->refcnt, 0, -1) == 0) {
+ p->gc_next = gchead;
+@@ -504,7 +509,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer);
+
+ void inet_putpeer(struct inet_peer *p)
+ {
+- p->dtime = (__u32)jiffies;
++ /* The ACCESS_ONCE() pairs with itself (we run lockless)
++ * and the ACCESS_ONCE() in inet_peer_gc()
++ */
++ ACCESS_ONCE(p->dtime) = (__u32)jiffies;
+ smp_mb__before_atomic();
+ atomic_dec(&p->refcnt);
+ }
diff --git a/queue-3.16/iwlwifi-check-kasprintf-return-value.patch b/queue-3.16/iwlwifi-check-kasprintf-return-value.patch
new file mode 100644
index 00000000..345355bb
--- /dev/null
+++ b/queue-3.16/iwlwifi-check-kasprintf-return-value.patch
@@ -0,0 +1,43 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Nov 2019 14:50:32 +0100
+Subject: iwlwifi: check kasprintf() return value
+
+commit 5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9 upstream.
+
+kasprintf() can fail, we should check the return value.
+
+Fixes: 5ed540aecc2a ("iwlwifi: use mac80211 throughput trigger")
+Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+[bwh: Backported to 3.16: adjust filenames]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/iwlwifi/dvm/led.c | 3 +++
+ drivers/net/wireless/iwlwifi/mvm/led.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/dvm/led.c
++++ b/drivers/net/wireless/iwlwifi/dvm/led.c
+@@ -184,6 +184,9 @@ void iwl_leds_init(struct iwl_priv *priv
+
+ priv->led.name = kasprintf(GFP_KERNEL, "%s-led",
+ wiphy_name(priv->hw->wiphy));
++ if (!priv->led.name)
++ return;
++
+ priv->led.brightness_set = iwl_led_brightness_set;
+ priv->led.blink_set = iwl_led_blink_set;
+ priv->led.max_brightness = 1;
+--- a/drivers/net/wireless/iwlwifi/mvm/led.c
++++ b/drivers/net/wireless/iwlwifi/mvm/led.c
+@@ -109,6 +109,9 @@ int iwl_mvm_leds_init(struct iwl_mvm *mv
+
+ mvm->led.name = kasprintf(GFP_KERNEL, "%s-led",
+ wiphy_name(mvm->hw->wiphy));
++ if (!mvm->led.name)
++ return -ENOMEM;
++
+ mvm->led.brightness_set = iwl_led_brightness_set;
+ mvm->led.max_brightness = 1;
+
diff --git a/queue-3.16/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch b/queue-3.16/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
new file mode 100644
index 00000000..9825969c
--- /dev/null
+++ b/queue-3.16/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
@@ -0,0 +1,44 @@
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 5 Nov 2019 17:44:07 +0100
+Subject: jbd2: Fix possible overflow in jbd2_log_space_left()
+
+commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.
+
+When number of free space in the journal is very low, the arithmetic in
+jbd2_log_space_left() could underflow resulting in very high number of
+free blocks and thus triggering assertion failure in transaction commit
+code complaining there's not enough space in the journal:
+
+J_ASSERT(journal->j_free > 1);
+
+Properly check for the low number of free blocks.
+
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/jbd2.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -1340,7 +1340,7 @@ static inline int jbd2_space_needed(jour
+ static inline unsigned long jbd2_log_space_left(journal_t *journal)
+ {
+ /* Allow for rounding errors */
+- unsigned long free = journal->j_free - 32;
++ long free = journal->j_free - 32;
+
+ if (journal->j_committing_transaction) {
+ unsigned long committing = atomic_read(&journal->
+@@ -1349,7 +1349,7 @@ static inline unsigned long jbd2_log_spa
+ /* Transaction + control blocks */
+ free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);
+ }
+- return free;
++ return max_t(long, free, 0);
+ }
+
+ /*
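Review bot: In jbd2_log_space_left() the new `long free` is still combined with `unsigned long committing` in `free -= committing + ...`, so the result passes through unsigned wraparound and a conversion back to signed before `max_t(long, free, 0)` clamps it. The existing comment only says "Allow for rounding errors" and does not mention that the value can go negative. I would add `/* may go negative when the journal is nearly full; clamped to 0 on return */` next to the declaration. The middle of the function lies between the two hunks and is not fully visible.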
diff --git a/queue-3.16/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/queue-3.16/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
new file mode 100644
index 00000000..e5496ab1
--- /dev/null
+++ b/queue-3.16/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
@@ -0,0 +1,46 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 18 Nov 2019 12:23:00 -0500
+Subject: KVM: x86: do not modify masked bits of shared MSRs
+
+commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.
+
+"Shared MSRs" are guest MSRs that are written to the host MSRs but
+keep their value until the next return to userspace. They support
+a mask, so that some bits keep the host value, but this mask is
+only used to skip an unnecessary MSR write and the value written
+to the MSR is always the guest MSR.
+
+Fix this and, while at it, do not update smsr->values[slot].curr if
+for whatever reason the wrmsr fails. This should only happen due to
+reserved bits, so the value written to smsr->values[slot].curr
+will not match when the user-return notifier and the host value will
+always be restored. However, it is untidy and in rare cases this
+can actually avoid spurious WRMSRs on return to userspace.
+
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Tested-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -242,13 +242,14 @@ int kvm_set_shared_msr(unsigned slot, u6
+ struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
+ int err;
+
+- if (((value ^ smsr->values[slot].curr) & mask) == 0)
++ value = (value & mask) | (smsr->values[slot].host & ~mask);
++ if (value == smsr->values[slot].curr)
+ return 0;
+- smsr->values[slot].curr = value;
+ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
+ if (err)
+ return 1;
+
++ smsr->values[slot].curr = value;
+ if (!smsr->registered) {
+ smsr->urn.on_user_return = kvm_on_user_return;
+ user_return_notifier_register(&smsr->urn);
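Review bot: The new line `value = (value & mask) | (smsr->values[slot].host & ~mask);` in kvm_set_shared_msr() depends on `values[slot].host` already holding this CPU's host MSR value, and the hunk does not show where that field is filled in. A comment such as `/* bits outside mask keep the saved host value */` would state the intent at the point where guest and host bits are merged. It is worth confirming that the host field is populated for every slot before the first call. The function starts and ends outside the hunk.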
diff --git a/queue-3.16/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch b/queue-3.16/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
new file mode 100644
index 00000000..eac5240a
--- /dev/null
+++ b/queue-3.16/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
@@ -0,0 +1,37 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 18 Nov 2019 18:58:26 +0100
+Subject: KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
+
+commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream.
+
+KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented
+to the guests. It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR &&
+!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not
+hidden (it actually was), yet the value says that TSX is not vulnerable
+to microarchitectural data sampling. Fix both.
+
+Tested-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -945,10 +945,15 @@ u64 kvm_get_arch_capabilities(void)
+ * If TSX is disabled on the system, guests are also mitigated against
+ * TAA and clear CPU buffer mitigation is not required for guests.
+ */
+- if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
+- (data & ARCH_CAP_TSX_CTRL_MSR))
++ if (!boot_cpu_has(X86_FEATURE_RTM))
++ data &= ~ARCH_CAP_TAA_NO;
++ else if (!boot_cpu_has_bug(X86_BUG_TAA))
++ data |= ARCH_CAP_TAA_NO;
++ else if (data & ARCH_CAP_TSX_CTRL_MSR)
+ data &= ~ARCH_CAP_MDS_NO;
+
++ /* KVM does not emulate MSR_IA32_TSX_CTRL. */
++ data &= ~ARCH_CAP_TSX_CTRL_MSR;
+ return data;
+ }
+
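Review bot: The comment kept above the rewritten condition in kvm_get_arch_capabilities() still describes only the old single test and says nothing about the two new branches that clear or set `ARCH_CAP_TAA_NO`. I would extend it to cover all three cases: TAA_NO is cleared when the host has no RTM, it is set when RTM is present and the CPU does not have the TAA bug, and MDS_NO is cleared only in the remaining case when TSX_CTRL is reported. The reasoning is in the commit message but is lost to anyone reading the code alone. The function starts outside the hunk.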
diff --git a/queue-3.16/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch b/queue-3.16/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch
new file mode 100644
index 00000000..c85b7d26
--- /dev/null
+++ b/queue-3.16/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch
@@ -0,0 +1,47 @@
+From: Hewenliang <hewenliang4@huawei.com>
+Date: Mon, 18 Nov 2019 20:44:15 -0500
+Subject: libtraceevent: Fix memory leakage in copy_filter_type
+
+commit 10992af6bf46a2048ad964985a5b77464e5563b1 upstream.
+
+It is necessary to free the memory that we have allocated when error occurs.
+
+Fixes: ef3072cd1d5c ("tools lib traceevent: Get rid of die in add_filter_type()")
+Signed-off-by: Hewenliang <hewenliang4@huawei.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Link: http://lore.kernel.org/lkml/20191119014415.57210-1-hewenliang4@huawei.com
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/lib/traceevent/parse-filter.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/tools/lib/traceevent/parse-filter.c
++++ b/tools/lib/traceevent/parse-filter.c
+@@ -1482,8 +1482,10 @@ static int copy_filter_type(struct event
+ if (strcmp(str, "TRUE") == 0 || strcmp(str, "FALSE") == 0) {
+ /* Add trivial event */
+ arg = allocate_arg();
+- if (arg == NULL)
++ if (arg == NULL) {
++ free(str);
+ return -1;
++ }
+
+ arg->type = FILTER_ARG_BOOLEAN;
+ if (strcmp(str, "TRUE") == 0)
+@@ -1492,8 +1494,11 @@ static int copy_filter_type(struct event
+ arg->boolean.value = 0;
+
+ filter_type = add_filter_type(filter, event->id);
+- if (filter_type == NULL)
++ if (filter_type == NULL) {
++ free(str);
++ free_arg(arg);
+ return -1;
++ }
+
+ filter_type->filter = arg;
+
diff --git a/queue-3.16/macvlan-schedule-bc_work-even-if-error.patch b/queue-3.16/macvlan-schedule-bc_work-even-if-error.patch
new file mode 100644
index 00000000..fa950364
--- /dev/null
+++ b/queue-3.16/macvlan-schedule-bc_work-even-if-error.patch
@@ -0,0 +1,49 @@
+From: Menglong Dong <dong.menglong@zte.com.cn>
+Date: Mon, 25 Nov 2019 16:58:09 +0800
+Subject: macvlan: schedule bc_work even if error
+
+commit 1d7ea55668878bb350979c377fc72509dd6f5b21 upstream.
+
+While enqueueing a broadcast skb to port->bc_queue, schedule_work()
+is called to add port->bc_work, which processes the skbs in
+bc_queue, to "events" work queue. If port->bc_queue is full, the
+skb will be discarded and schedule_work(&port->bc_work) won't be
+called. However, if port->bc_queue is full and port->bc_work is not
+running or pending, port->bc_queue will keep full and schedule_work()
+won't be called any more, and all broadcast skbs to macvlan will be
+discarded. This case can happen:
+
+macvlan_process_broadcast() is the pending function of port->bc_work,
+it moves all the skbs in port->bc_queue to the queue "list", and
+processes the skbs in "list". During this, new skbs will keep being
+added to port->bc_queue in macvlan_broadcast_enqueue(), and
+port->bc_queue may already full when macvlan_process_broadcast()
+return. This may happen, especially when there are a lot of real-time
+threads and the process is preempted.
+
+Fix this by calling schedule_work(&port->bc_work) even if
+port->bc_work is full in macvlan_broadcast_enqueue().
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/macvlan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -262,10 +262,11 @@ static void macvlan_broadcast_enqueue(st
+ }
+ spin_unlock(&port->bc_queue.lock);
+
++ schedule_work(&port->bc_work);
++
+ if (err)
+ goto free_nskb;
+
+- schedule_work(&port->bc_work);
+ return;
+
+ free_nskb:
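Review bot: The `schedule_work(&port->bc_work)` call now sits ahead of the `if (err)` check, and nothing in the code says why work is scheduled for a packet that is about to be freed. Without that, a later cleanup could easily move the call back below the error check and bring back the stuck-queue condition the commit message describes. I would add `/* Always kick bc_work: a full bc_queue with no pending work would otherwise never drain */` above the call. macvlan_broadcast_enqueue() starts and ends outside the hunk.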
diff --git a/queue-3.16/media-exynos4-is-fix-recursive-locking-in-isp_video_release.patch b/queue-3.16/media-exynos4-is-fix-recursive-locking-in-isp_video_release.patch
new file mode 100644
index 00000000..a5ed7712
--- /dev/null
+++ b/queue-3.16/media-exynos4-is-fix-recursive-locking-in-isp_video_release.patch
@@ -0,0 +1,32 @@
+From: Seung-Woo Kim <sw0312.kim@samsung.com>
+Date: Fri, 18 Oct 2019 07:20:52 -0300
+Subject: media: exynos4-is: Fix recursive locking in isp_video_release()
+
+commit 704c6c80fb471d1bb0ef0d61a94617d1d55743cd upstream.
+
+>From isp_video_release(), &isp->video_lock is held and subsequent
+vb2_fop_release() tries to lock vdev->lock which is same with the
+previous one. Replace vb2_fop_release() with _vb2_fop_release() to
+fix the recursive locking.
+
+Fixes: 1380f5754cb0 ("[media] videobuf2: Add missing lock held on vb2_fop_release")
+Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -322,7 +322,7 @@ static int isp_video_release(struct file
+ ivc->streaming = 0;
+ }
+
+- vb2_fop_release(file);
++ _vb2_fop_release(file, NULL);
+
+ if (v4l2_fh_is_singular_file(file)) {
+ fimc_pipeline_call(&ivc->ve, close);
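Review bot: The `NULL` second argument to `_vb2_fop_release()` in isp_video_release() is unexplained. According to the commit message the caller already holds isp->video_lock, which is the same mutex as vdev->lock, so the helper must not take it again. A comment such as `/* video_lock is already held here; pass NULL so vdev->lock is not taken a second time */` would keep someone from switching back to vb2_fop_release(). The lock acquisition is outside the hunk, so this is inferred from the description rather than from the visible lines.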
diff --git a/queue-3.16/media-ov6650-fix-incorrect-use-of-jpeg-colorspace.patch b/queue-3.16/media-ov6650-fix-incorrect-use-of-jpeg-colorspace.patch
new file mode 100644
index 00000000..8b7b90cb
--- /dev/null
+++ b/queue-3.16/media-ov6650-fix-incorrect-use-of-jpeg-colorspace.patch
@@ -0,0 +1,90 @@
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Tue, 3 Sep 2019 17:11:39 -0300
+Subject: media: ov6650: Fix incorrect use of JPEG colorspace
+
+commit 12500731895ef09afc5b66b86b76c0884fb9c7bf upstream.
+
+Since its initial submission, the driver selects V4L2_COLORSPACE_JPEG
+for supported formats other than V4L2_MBUS_FMT_SBGGR8_1X8. According
+to v4l2-compliance test program, V4L2_COLORSPACE_JPEG applies
+exclusively to V4L2_PIX_FMT_JPEG. Since the sensor does not support
+JPEG format, fix it to always select V4L2_COLORSPACE_SRGB.
+
+Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/i2c/soc_camera/ov6650.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/i2c/soc_camera/ov6650.c
++++ b/drivers/media/i2c/soc_camera/ov6650.c
+@@ -203,7 +203,6 @@ struct ov6650 {
+ unsigned long pclk_max; /* from resolution and format */
+ struct v4l2_fract tpf; /* as requested with s_parm */
+ enum v4l2_mbus_pixelcode code;
+- enum v4l2_colorspace colorspace;
+ };
+
+
+@@ -508,7 +507,7 @@ static int ov6650_g_fmt(struct v4l2_subd
+ mf->width = priv->rect.width >> priv->half_scale;
+ mf->height = priv->rect.height >> priv->half_scale;
+ mf->code = priv->code;
+- mf->colorspace = priv->colorspace;
++ mf->colorspace = V4L2_COLORSPACE_SRGB;
+ mf->field = V4L2_FIELD_NONE;
+
+ return 0;
+@@ -619,11 +618,6 @@ static int ov6650_s_fmt(struct v4l2_subd
+ priv->pclk_max = 8000000;
+ }
+
+- if (code == V4L2_MBUS_FMT_SBGGR8_1X8)
+- priv->colorspace = V4L2_COLORSPACE_SRGB;
+- else if (code != 0)
+- priv->colorspace = V4L2_COLORSPACE_JPEG;
+-
+ if (half_scale) {
+ dev_dbg(&client->dev, "max resolution: QCIF\n");
+ coma_set |= COMA_QCIF;
+@@ -676,7 +670,6 @@ static int ov6650_s_fmt(struct v4l2_subd
+ ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask);
+
+ if (!ret) {
+- mf->colorspace = priv->colorspace;
+ mf->width = priv->rect.width >> half_scale;
+ mf->height = priv->rect.height >> half_scale;
+ }
+@@ -695,6 +688,7 @@ static int ov6650_try_fmt(struct v4l2_su
+ &mf->height, 2, H_CIF, 1, 0);
+
+ mf->field = V4L2_FIELD_NONE;
++ mf->colorspace = V4L2_COLORSPACE_SRGB;
+
+ switch (mf->code) {
+ case V4L2_MBUS_FMT_Y10_1X10:
+@@ -704,12 +698,10 @@ static int ov6650_try_fmt(struct v4l2_su
+ case V4L2_MBUS_FMT_YUYV8_2X8:
+ case V4L2_MBUS_FMT_VYUY8_2X8:
+ case V4L2_MBUS_FMT_UYVY8_2X8:
+- mf->colorspace = V4L2_COLORSPACE_JPEG;
+ break;
+ default:
+ mf->code = V4L2_MBUS_FMT_SBGGR8_1X8;
+ case V4L2_MBUS_FMT_SBGGR8_1X8:
+- mf->colorspace = V4L2_COLORSPACE_SRGB;
+ break;
+ }
+
+@@ -1016,7 +1008,6 @@ static int ov6650_probe(struct i2c_clien
+ priv->rect.height = H_CIF;
+ priv->half_scale = false;
+ priv->code = V4L2_MBUS_FMT_YUYV8_2X8;
+- priv->colorspace = V4L2_COLORSPACE_JPEG;
+
+ priv->clk = v4l2_clk_get(&client->dev, "mclk");
+ if (IS_ERR(priv->clk)) {
diff --git a/queue-3.16/media-ov6650-fix-stored-frame-format-not-in-sync-with-hardware.patch b/queue-3.16/media-ov6650-fix-stored-frame-format-not-in-sync-with-hardware.patch
new file mode 100644
index 00000000..84a44404
--- /dev/null
+++ b/queue-3.16/media-ov6650-fix-stored-frame-format-not-in-sync-with-hardware.patch
@@ -0,0 +1,62 @@
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Tue, 3 Sep 2019 17:11:43 -0300
+Subject: media: ov6650: Fix stored frame format not in sync with hardware
+
+commit 3143b459de4cdcce67b36827476c966e93c1cf01 upstream.
+
+The driver stores frame format settings supposed to be in line with
+hardware state in a device private structure. Since the driver initial
+submission, those settings are updated before they are actually applied
+on hardware. If an error occurs on device update, the stored settings
+my not reflect hardware state anymore and consecutive calls to
+.get_fmt() may return incorrect information. That in turn may affect
+ability of a bridge device to use correct DMA transfer settings if such
+incorrect informmation on active frame format returned by .get_fmt() is
+used.
+
+Assuming a failed device update means its state hasn't changed, update
+frame format related settings stored in the device private structure
+only after they are successfully applied so the stored values always
+reflect hardware state as closely as possible.
+
+Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/media/i2c/soc_camera/ov6650.c
++++ b/drivers/media/i2c/soc_camera/ov6650.c
+@@ -605,7 +605,6 @@ static int ov6650_s_fmt(struct v4l2_subd
+ dev_err(&client->dev, "Pixel format not handled: 0x%x\n", code);
+ return -EINVAL;
+ }
+- priv->code = code;
+
+ if (code == V4L2_MBUS_FMT_Y8_1X8 ||
+ code == V4L2_MBUS_FMT_SBGGR8_1X8) {
+@@ -626,7 +625,6 @@ static int ov6650_s_fmt(struct v4l2_subd
+ dev_dbg(&client->dev, "max resolution: CIF\n");
+ coma_mask |= COMA_QCIF;
+ }
+- priv->half_scale = half_scale;
+
+ if (sense) {
+ if (sense->master_clock == 8000000) {
+@@ -666,10 +664,14 @@ static int ov6650_s_fmt(struct v4l2_subd
+ ret = ov6650_reg_rmw(client, REG_COMA, coma_set, coma_mask);
+ if (!ret)
+ ret = ov6650_reg_write(client, REG_CLKRC, clkrc);
+- if (!ret)
++ if (!ret) {
++ priv->half_scale = half_scale;
++
+ ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask);
++ }
+
+ if (!ret) {
++ priv->code = code;
+ mf->width = priv->rect.width >> half_scale;
+ mf->height = priv->rect.height >> half_scale;
+ }
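Review bot: `priv->half_scale` is now stored only after both the REG_COMA update and the REG_CLKRC write have succeeded, but the QCIF bit appears to travel in `coma_set`/`coma_mask` (see `coma_mask |= COMA_QCIF;` in the context of the second inner hunk). If the REG_CLKRC write fails after REG_COMA went through, the sensor would already be in the new scale while the stored value stays old, which is the mismatch this patch sets out to remove. I would record the value right after the register that carries it: `if (!ret) { priv->half_scale = half_scale; ret = ov6650_reg_write(client, REG_CLKRC, clkrc); }`, leaving the REG_COML step as a plain `if (!ret)`. ov6650_s_fmt() starts and ends outside the hunk, so the register assignment should be confirmed against the full function.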
diff --git a/queue-3.16/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/queue-3.16/media-radio-wl1273-fix-interrupt-masking-on-release.patch
new file mode 100644
index 00000000..af41c205
--- /dev/null
+++ b/queue-3.16/media-radio-wl1273-fix-interrupt-masking-on-release.patch
@@ -0,0 +1,35 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 10:13:32 -0300
+Subject: media: radio: wl1273: fix interrupt masking on release
+
+commit 1091eb830627625dcf79958d99353c2391f41708 upstream.
+
+If a process is interrupted while accessing the radio device and the
+core lock is contended, release() could return early and fail to update
+the interrupt mask.
+
+Note that the return value of the v4l2 release file operation is
+ignored.
+
+Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
+Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/radio/radio-wl1273.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/radio/radio-wl1273.c
++++ b/drivers/media/radio/radio-wl1273.c
+@@ -1142,8 +1142,7 @@ static int wl1273_fm_fops_release(struct
+ if (radio->rds_users > 0) {
+ radio->rds_users--;
+ if (radio->rds_users == 0) {
+- if (mutex_lock_interruptible(&core->lock))
+- return -EINTR;
++ mutex_lock(&core->lock);
+
+ radio->irq_flags &= ~WL1273_RDS_EVENT;
+
diff --git a/queue-3.16/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch b/queue-3.16/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch
new file mode 100644
index 00000000..8af454f7
--- /dev/null
+++ b/queue-3.16/media-usbvision-fix-invalid-accesses-after-device-disconnect.patch
@@ -0,0 +1,58 @@
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 7 Oct 2019 12:09:04 -0300
+Subject: media: usbvision: Fix invalid accesses after device disconnect
+
+commit c7a191464078262bf799136317c95824e26a222b upstream.
+
+The syzbot fuzzer found two invalid-access bugs in the usbvision
+driver. These bugs occur when userspace keeps the device file open
+after the device has been disconnected and usbvision_disconnect() has
+set usbvision->dev to NULL:
+
+ When the device file is closed, usbvision_radio_close() tries
+ to issue a usb_set_interface() call, passing the NULL pointer
+ as its first argument.
+
+ If userspace performs a querycap ioctl call, vidioc_querycap()
+ calls usb_make_path() with the same NULL pointer.
+
+This patch fixes the problems by making the appropriate tests
+beforehand. Note that vidioc_querycap() is protected by
+usbvision->v4l2_lock, acquired in a higher layer of the V4L2
+subsystem.
+
+Reported-and-tested-by: syzbot+7fa38a608b1075dfd634@syzkaller.appspotmail.com
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -482,6 +482,9 @@ static int vidioc_querycap(struct file *
+ {
+ struct usb_usbvision *usbvision = video_drvdata(file);
+
++ if (!usbvision->dev)
++ return -ENODEV;
++
+ strlcpy(vc->driver, "USBVision", sizeof(vc->driver));
+ strlcpy(vc->card,
+ usbvision_device_data[usbvision->dev_model].model_string,
+@@ -1169,8 +1172,9 @@ static int usbvision_radio_close(struct
+ mutex_lock(&usbvision->v4l2_lock);
+ /* Set packet size to 0 */
+ usbvision->iface_alt = 0;
+- err_code = usb_set_interface(usbvision->dev, usbvision->iface,
+- usbvision->iface_alt);
++ if (usbvision->dev)
++ err_code = usb_set_interface(usbvision->dev, usbvision->iface,
++ usbvision->iface_alt);
+
+ usbvision_audio_off(usbvision);
+ usbvision->radio = 0;
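Review bot: The new `if (!usbvision->dev)` test in vidioc_querycap() is only free of a race with disconnect because of a lock the code does not mention. The commit message states that usbvision->v4l2_lock is taken by a higher layer of the V4L2 subsystem for this ioctl, and that fact is not visible anywhere in the function. I would add `/* dev is set to NULL on disconnect; v4l2_lock is held by the V4L2 core here */` above the check, so the test is not copied into a path that runs without the lock. Both functions continue outside their hunks.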
diff --git a/queue-3.16/media-usbvision-fix-races-among-open-close-and-disconnect.patch b/queue-3.16/media-usbvision-fix-races-among-open-close-and-disconnect.patch
new file mode 100644
index 00000000..45cdc840
--- /dev/null
+++ b/queue-3.16/media-usbvision-fix-races-among-open-close-and-disconnect.patch
@@ -0,0 +1,134 @@
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 7 Oct 2019 12:09:53 -0300
+Subject: media: usbvision: Fix races among open, close, and disconnect
+
+commit 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 upstream.
+
+Visual inspection of the usbvision driver shows that it suffers from
+three races between its open, close, and disconnect handlers. In
+particular, the driver is careful to update its usbvision->user and
+usbvision->remove_pending flags while holding the private mutex, but:
+
+ usbvision_v4l2_close() and usbvision_radio_close() don't hold
+ the mutex while they check the value of
+ usbvision->remove_pending;
+
+ usbvision_disconnect() doesn't hold the mutex while checking
+ the value of usbvision->user; and
+
+ also, usbvision_v4l2_open() and usbvision_radio_open() don't
+ check whether the device has been unplugged before allowing
+ the user to open the device files.
+
+Each of these can potentially lead to usbvision_release() being called
+twice and use-after-free errors.
+
+This patch fixes the races by reading the flags while the mutex is
+still held and checking for pending removes before allowing an open to
+succeed.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 3.16:
+ - Add unlock label in usbvision_v4l2_open()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -348,6 +348,10 @@ static int usbvision_v4l2_open(struct fi
+ if (mutex_lock_interruptible(&usbvision->v4l2_lock))
+ return -ERESTARTSYS;
+
++ if (usbvision->remove_pending) {
++ err_code = -ENODEV;
++ goto unlock;
++ }
+ if (usbvision->user) {
+ err_code = -EBUSY;
+ } else {
+@@ -389,6 +393,7 @@ static int usbvision_v4l2_open(struct fi
+ }
+ }
+
++unlock:
+ mutex_unlock(&usbvision->v4l2_lock);
+
+ PDEBUG(DBG_IO, "success");
+@@ -406,6 +411,7 @@ static int usbvision_v4l2_open(struct fi
+ static int usbvision_v4l2_close(struct file *file)
+ {
+ struct usb_usbvision *usbvision = video_drvdata(file);
++ int r;
+
+ PDEBUG(DBG_IO, "close");
+
+@@ -420,9 +426,10 @@ static int usbvision_v4l2_close(struct f
+ usbvision_scratch_free(usbvision);
+
+ usbvision->user--;
++ r = usbvision->remove_pending;
+ mutex_unlock(&usbvision->v4l2_lock);
+
+- if (usbvision->remove_pending) {
++ if (r) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
+ return 0;
+@@ -1136,6 +1143,11 @@ static int usbvision_radio_open(struct f
+
+ if (mutex_lock_interruptible(&usbvision->v4l2_lock))
+ return -ERESTARTSYS;
++
++ if (usbvision->remove_pending) {
++ err_code = -ENODEV;
++ goto out;
++ }
+ if (usbvision->user) {
+ dev_err(&usbvision->rdev->dev,
+ "%s: Someone tried to open an already opened USBVision Radio!\n",
+@@ -1166,6 +1178,7 @@ static int usbvision_radio_close(struct
+ {
+ struct usb_usbvision *usbvision = video_drvdata(file);
+ int err_code = 0;
++ int r;
+
+ PDEBUG(DBG_IO, "");
+
+@@ -1179,9 +1192,10 @@ static int usbvision_radio_close(struct
+ usbvision_audio_off(usbvision);
+ usbvision->radio = 0;
+ usbvision->user--;
++ r = usbvision->remove_pending;
+ mutex_unlock(&usbvision->v4l2_lock);
+
+- if (usbvision->remove_pending) {
++ if (r) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
+ return err_code;
+@@ -1614,6 +1628,7 @@ err_usb:
+ static void usbvision_disconnect(struct usb_interface *intf)
+ {
+ struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
++ int u;
+
+ PDEBUG(DBG_PROBE, "");
+
+@@ -1630,13 +1645,14 @@ static void usbvision_disconnect(struct
+ v4l2_device_disconnect(&usbvision->v4l2_dev);
+ usbvision_i2c_unregister(usbvision);
+ usbvision->remove_pending = 1; /* Now all ISO data will be ignored */
++ u = usbvision->user;
+
+ usb_put_dev(usbvision->dev);
+ usbvision->dev = NULL; /* USB device is no more */
+
+ mutex_unlock(&usbvision->v4l2_lock);
+
+- if (usbvision->user) {
++ if (u) {
+ printk(KERN_INFO "%s: In use, disconnect pending\n",
+ __func__);
+ wake_up_interruptible(&usbvision->wait_frame);
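Review bot: The snapshot variables `r` and `u` added in usbvision_v4l2_close(), usbvision_radio_close() and usbvision_disconnect() give no hint that they hold a flag sampled under v4l2_lock, which is the whole point of the fix. I would name them after what they hold, e.g. `remove_pending = usbvision->remove_pending;` and `users = usbvision->user;`, and add `/* sample under v4l2_lock; the other handler may run once it is dropped */` at the first of them. Separately, the new `goto unlock` path in usbvision_v4l2_open() still reaches `PDEBUG(DBG_IO, "success")` while returning -ENODEV. All five functions continue outside their hunks, and the `out` label used in usbvision_radio_open() is not visible here.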
diff --git a/queue-3.16/mtd-spear_smi-fix-write-burst-mode.patch b/queue-3.16/mtd-spear_smi-fix-write-burst-mode.patch
new file mode 100644
index 00000000..39564221
--- /dev/null
+++ b/queue-3.16/mtd-spear_smi-fix-write-burst-mode.patch
@@ -0,0 +1,102 @@
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Tue, 22 Oct 2019 16:58:59 +0200
+Subject: mtd: spear_smi: Fix Write Burst mode
+
+commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream.
+
+Any write with either dd or flashcp to a device driven by the
+spear_smi.c driver will pass through the spear_smi_cpy_toio()
+function. This function will get called for chunks of up to 256 bytes.
+If the amount of data is smaller, we may have a problem if the data
+length is not 4-byte aligned. In this situation, the kernel panics
+during the memcpy:
+
+ # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6
+ spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256
+ spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256
+ spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256
+ spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233
+ Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8
+ [...]
+ PC is at memcpy+0xcc/0x330
+
+The above error occurs because the implementation of memcpy_toio()
+tries to optimize the number of I/O by writing 4 bytes at a time as
+much as possible, until there are less than 4 bytes left and then
+switches to word or byte writes.
+
+Unfortunately, the specification states about the Write Burst mode:
+
+ "the next AHB Write request should point to the next
+ incremented address and should have the same size (byte,
+ half-word or word)"
+
+This means ARM architecture implementation of memcpy_toio() cannot
+reliably be used blindly here. Workaround this situation by update the
+write path to stick to byte access when the burst length is not
+multiple of 4.
+
+Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash")
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Boris Brezillon <boris.brezillon@collabora.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/mtd/devices/spear_smi.c | 38 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/devices/spear_smi.c
++++ b/drivers/mtd/devices/spear_smi.c
+@@ -595,6 +595,26 @@ static int spear_mtd_read(struct mtd_inf
+ return 0;
+ }
+
++/*
++ * The purpose of this function is to ensure a memcpy_toio() with byte writes
++ * only. Its structure is inspired from the ARM implementation of _memcpy_toio()
++ * which also does single byte writes but cannot be used here as this is just an
++ * implementation detail and not part of the API. Not mentioning the comment
++ * stating that _memcpy_toio() should be optimized.
++ */
++static void spear_smi_memcpy_toio_b(volatile void __iomem *dest,
++ const void *src, size_t len)
++{
++ const unsigned char *from = src;
++
++ while (len) {
++ len--;
++ writeb(*from, dest);
++ from++;
++ dest++;
++ }
++}
++
+ static inline int spear_smi_cpy_toio(struct spear_smi *dev, u32 bank,
+ void __iomem *dest, const void *src, size_t len)
+ {
+@@ -617,7 +637,23 @@ static inline int spear_smi_cpy_toio(str
+ ctrlreg1 = readl(dev->io_base + SMI_CR1);
+ writel((ctrlreg1 | WB_MODE) & ~SW_MODE, dev->io_base + SMI_CR1);
+
+- memcpy_toio(dest, src, len);
++ /*
++ * In Write Burst mode (WB_MODE), the specs states that writes must be:
++ * - incremental
++ * - of the same size
++ * The ARM implementation of memcpy_toio() will optimize the number of
++ * I/O by using as much 4-byte writes as possible, surrounded by
++ * 2-byte/1-byte access if:
++ * - the destination is not 4-byte aligned
++ * - the length is not a multiple of 4-byte.
++ * Avoid this alternance of write access size by using our own 'byte
++ * access' helper if at least one of the two conditions above is true.
++ */
++ if (IS_ALIGNED(len, sizeof(u32)) &&
++ IS_ALIGNED((uintptr_t)dest, sizeof(u32)))
++ memcpy_toio(dest, src, len);
++ else
++ spear_smi_memcpy_toio_b(dest, src, len);
+
+ writel(ctrlreg1, dev->io_base + SMI_CR1);
+
diff --git a/queue-3.16/net-bridge-deny-dev_set_mac_address-when-unregistering.patch b/queue-3.16/net-bridge-deny-dev_set_mac_address-when-unregistering.patch
new file mode 100644
index 00000000..394117aa
--- /dev/null
+++ b/queue-3.16/net-bridge-deny-dev_set_mac_address-when-unregistering.patch
@@ -0,0 +1,73 @@
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 3 Dec 2019 16:48:06 +0200
+Subject: net: bridge: deny dev_set_mac_address() when unregistering
+
+commit c4b4c421857dc7b1cf0dccbd738472360ff2cd70 upstream.
+
+We have an interesting memory leak in the bridge when it is being
+unregistered and is a slave to a master device which would change the
+mac of its slaves on unregister (e.g. bond, team). This is a very
+unusual setup but we do end up leaking 1 fdb entry because
+dev_set_mac_address() would cause the bridge to insert the new mac address
+into its table after all fdbs are flushed, i.e. after dellink() on the
+bridge has finished and we call NETDEV_UNREGISTER the bond/team would
+release it and will call dev_set_mac_address() to restore its original
+address and that in turn will add an fdb in the bridge.
+One fix is to check for the bridge dev's reg_state in its
+ndo_set_mac_address callback and return an error if the bridge is not in
+NETREG_REGISTERED.
+
+Easy steps to reproduce:
+ 1. add bond in mode != A/B
+ 2. add any slave to the bond
+ 3. add bridge dev as a slave to the bond
+ 4. destroy the bridge device
+
+Trace:
+ unreferenced object 0xffff888035c4d080 (size 128):
+ comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s)
+ hex dump (first 32 bytes):
+ 41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00 A..6............
+ d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00 ...^?...........
+ backtrace:
+ [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f
+ [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge]
+ [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge]
+ [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge]
+ [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge]
+ [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge]
+ [<000000006846a77f>] dev_set_mac_address+0x63/0x9b
+ [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding]
+ [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding]
+ [<00000000305d7795>] notifier_call_chain+0x38/0x56
+ [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23
+ [<000000008279477b>] rollback_registered_many+0x353/0x6a4
+ [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f
+ [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43
+ [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a
+ [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268
+
+Fixes: 43598813386f ("bridge: add local MAC address to forwarding table (v2)")
+Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bridge/br_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/br_device.c
++++ b/net/bridge/br_device.c
+@@ -193,6 +193,12 @@ static int br_set_mac_address(struct net
+ if (!is_valid_ether_addr(addr->sa_data))
+ return -EADDRNOTAVAIL;
+
++ /* dev_set_mac_addr() can be called by a master device on bridge's
++ * NETDEV_UNREGISTER, but since it's being destroyed do nothing
++ */
++ if (dev->reg_state != NETREG_REGISTERED)
++ return -EBUSY;
++
+ spin_lock_bh(&br->lock);
+ if (!ether_addr_equal(dev->dev_addr, addr->sa_data)) {
+ /* Mac address will be changed in br_stp_change_bridge_id(). */
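Review bot: The added comment in br_set_mac_address() names `dev_set_mac_addr()`, while the subject line and the backtrace in the commit message both call the function `dev_set_mac_address()`. The comment also says "do nothing" although the code returns -EBUSY, and it leaves out the reason given in the description, that a late address change would insert an fdb entry after the table has been flushed. I would write it as: `/* dev_set_mac_address() can be called by a master device on the bridge's NETDEV_UNREGISTER; refuse it, or a new fdb entry would be added after the flush and leak */`. The function starts and ends outside the hunk.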
diff --git a/queue-3.16/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch b/queue-3.16/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
new file mode 100644
index 00000000..0395d323
--- /dev/null
+++ b/queue-3.16/openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
@@ -0,0 +1,38 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:24 +0100
+Subject: openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
+
+commit 8ffeb03fbba3b599690b361467bfd2373e8c450f upstream.
+
+All the callers of ovs_flow_cmd_build_info() already deal with
+error return code correctly, so we can handle the error condition
+in a more gracefull way. Still dump a warning to preserve
+debuggability.
+
+v1 -> v2:
+ - clarify the commit message
+ - clean the skb and report the error (DaveM)
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/openvswitch/datapath.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -788,7 +788,10 @@ static struct sk_buff *ovs_flow_cmd_buil
+ retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
+ info->snd_portid, info->snd_seq, 0,
+ cmd);
+- BUG_ON(retval < 0);
++ if (WARN_ON_ONCE(retval < 0)) {
++ kfree_skb(skb);
++ skb = ERR_PTR(retval);
++ }
+ return skb;
+ }
+
diff --git a/queue-3.16/openvswitch-remove-another-bug_on.patch b/queue-3.16/openvswitch-remove-another-bug_on.patch
new file mode 100644
index 00000000..aeb3d78c
--- /dev/null
+++ b/queue-3.16/openvswitch-remove-another-bug_on.patch
@@ -0,0 +1,46 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Sun, 1 Dec 2019 18:41:25 +0100
+Subject: openvswitch: remove another BUG_ON()
+
+commit 8a574f86652a4540a2433946ba826ccb87f398cc upstream.
+
+If we can't build the flow del notification, we can simply delete
+the flow, no need to crash the kernel. Still keep a WARN_ON to
+preserve debuggability.
+
+Note: the BUG_ON() predates the Fixes tag, but this change
+can be applied only after the mentioned commit.
+
+v1 -> v2:
+ - do not leak an skb on error
+
+Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/openvswitch/datapath.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1136,7 +1136,10 @@ static int ovs_flow_cmd_del(struct sk_bu
+ info->snd_seq, 0,
+ OVS_FLOW_CMD_DEL);
+ rcu_read_unlock();
+- BUG_ON(err < 0);
++ if (WARN_ON_ONCE(err < 0)) {
++ kfree_skb(reply);
++ goto out_free;
++ }
+
+ ovs_notify(&dp_flow_genl_family, reply, info);
+ } else {
+@@ -1144,6 +1147,7 @@ static int ovs_flow_cmd_del(struct sk_bu
+ }
+ }
+
++out_free:
+ ovs_flow_free(flow, true);
+ return 0;
+ unlock:
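Review bot: The new `goto out_free` path in ovs_flow_cmd_del() frees the reply skb, frees the flow and returns 0 without sending a notification, and nothing in the code marks this as deliberate. The commit message says the flow can simply be deleted when the notification cannot be built, so the behaviour looks intended, but a reader of the function sees a warning followed by a success return. I would add `/* Notification could not be built: drop the reply, still free the flow and report the delete as done */` inside the `WARN_ON_ONCE` block. The function starts and ends outside the hunk, so the point where the flow leaves the table is not visible here.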
diff --git a/queue-3.16/pci-fix-intel-acs-quirk-updcr-register-address.patch b/queue-3.16/pci-fix-intel-acs-quirk-updcr-register-address.patch
new file mode 100644
index 00000000..41d4d09d
--- /dev/null
+++ b/queue-3.16/pci-fix-intel-acs-quirk-updcr-register-address.patch
@@ -0,0 +1,41 @@
+From: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com>
+Date: Wed, 18 Sep 2019 15:16:52 +0200
+Subject: PCI: Fix Intel ACS quirk UPDCR register address
+
+commit d8558ac8c93d429d65d7490b512a3a67e559d0d4 upstream.
+
+According to documentation [0] the correct offset for the Upstream Peer
+Decode Configuration Register (UPDCR) is 0x1014. It was previously defined
+as 0x1114.
+
+d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports")
+intended to enforce isolation between PCI devices allowing them to be put
+into separate IOMMU groups. Due to the wrong register offset the intended
+isolation was not fully enforced. This is fixed with this patch.
+
+Please note that I did not test this patch because I have no hardware that
+implements this register.
+
+[0] https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/4th-gen-core-family-mobile-i-o-datasheet.pdf (page 325)
+Fixes: d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports")
+Link: https://lore.kernel.org/r/7a3505df-79ba-8a28-464c-88b83eefffa6@kernkonzept.com
+Signed-off-by: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andrew Murray <andrew.murray@arm.com>
+Acked-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pci/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3787,7 +3787,7 @@ int pci_dev_specific_acs_enabled(struct
+ #define INTEL_BSPR_REG_BPPD (1 << 9)
+
+ /* Upstream Peer Decode Configuration Register */
+-#define INTEL_UPDCR_REG 0x1114
++#define INTEL_UPDCR_REG 0x1014
+ /* 5:0 Peer Decode Enable bits */
+ #define INTEL_UPDCR_REG_MASK 0x3f
+
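Review bot: The corrected `INTEL_UPDCR_REG` value has no source reference next to it, and the commit message states the change was not tested on hardware, so a later reader has nothing in the code to check 0x1014 against. Because a wrong offset here silently weakens the device isolation that IOMMU grouping depends on, I would extend the comment above the define, e.g. `/* Upstream Peer Decode Configuration Register (offset per Intel PCH I/O datasheet) */`. Systems that already assigned devices based on the old grouping presumably need the groups re-checked after this lands; that is inferred from the commit message, not from the hunk.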
diff --git a/queue-3.16/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch b/queue-3.16/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch
new file mode 100644
index 00000000..afa89aa4
--- /dev/null
+++ b/queue-3.16/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch
@@ -0,0 +1,61 @@
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Tue, 8 Oct 2019 11:42:39 +0800
+Subject: PCI/MSI: Fix incorrect MSI-X masking on resume
+
+commit e045fa29e89383c717e308609edd19d2fd29e1be upstream.
+
+When a driver enables MSI-X, msix_program_entries() reads the MSI-X Vector
+Control register for each vector and saves it in desc->masked. Each
+register is 32 bits and bit 0 is the actual Mask bit.
+
+When we restored these registers during resume, we previously set the Mask
+bit if *any* bit in desc->masked was set instead of when the Mask bit
+itself was set:
+
+ pci_restore_state
+ pci_restore_msi_state
+ __pci_restore_msix_state
+ for_each_pci_msi_entry
+ msix_mask_irq(entry, entry->masked) <-- entire u32 word
+ __pci_msix_desc_mask_irq(desc, flag)
+ mask_bits = desc->masked & ~PCI_MSIX_ENTRY_CTRL_MASKBIT
+ if (flag) <-- testing entire u32, not just bit 0
+ mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT
+ writel(mask_bits, desc_addr + PCI_MSIX_ENTRY_VECTOR_CTRL)
+
+This means that after resume, MSI-X vectors were masked when they shouldn't
+be, which leads to timeouts like this:
+
+ nvme nvme0: I/O 978 QID 3 timeout, completion polled
+
+On resume, set the Mask bit only when the saved Mask bit from suspend was
+set.
+
+This should remove the need for 19ea025e1d28 ("nvme: Add quirk for Kingston
+NVME SSD running FW E8FK11.T").
+
+[bhelgaas: commit log, move fix to __pci_msix_desc_mask_irq()]
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=204887
+Link: https://lore.kernel.org/r/20191008034238.2503-1-jian-hong@endlessm.com
+Fixes: f2440d9acbe8 ("PCI MSI: Refactor interrupt masking code")
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pci/msi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -220,8 +220,9 @@ u32 default_msix_mask_irq(struct msi_des
+ u32 mask_bits = desc->masked;
+ unsigned offset = desc->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE +
+ PCI_MSIX_ENTRY_VECTOR_CTRL;
++
+ mask_bits &= ~PCI_MSIX_ENTRY_CTRL_MASKBIT;
+- if (flag)
++ if (flag & PCI_MSIX_ENTRY_CTRL_MASKBIT)
+ mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT;
+ writel(mask_bits, desc->mask_base + offset);
+
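Review bot: After this change `flag` in default_msix_mask_irq is read as a register image in which only bit 0 (`PCI_MSIX_ENTRY_CTRL_MASKBIT`) is honoured, rather than as a boolean, but nothing at the function documents that. A caller passing any other non-zero value would now leave the vector unmasked where it used to mask it, so callers outside this hunk should be checked for that. A comment above the test would record the contract: `/* flag is a Vector Control value; only the Mask bit (bit 0) is examined */`. The function's signature and tail are outside the hunk.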
diff --git a/queue-3.16/perf-probe-filter-out-instances-except-for-inlined-subroutine-and.patch b/queue-3.16/perf-probe-filter-out-instances-except-for-inlined-subroutine-and.patch
new file mode 100644
index 00000000..4f4e8b1b
--- /dev/null
+++ b/queue-3.16/perf-probe-filter-out-instances-except-for-inlined-subroutine-and.patch
@@ -0,0 +1,114 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:30 +0900
+Subject: perf probe: Filter out instances except for inlined subroutine and
+ subprogram
+
+commit da6cb952a89efe24bb76c4971370d485737a2d85 upstream.
+
+Filter out instances except for inlined_subroutine and subprogram DIE in
+die_walk_instances() and die_is_func_instance().
+
+This fixes an issue that perf probe sets some probes on calling address
+instead of a target function itself.
+
+When perf probe walks on instances of an abstruct origin (a kind of
+function prototype of inlined function), die_walk_instances() can also
+pass a GNU_call_site (a GNU extension for call site) to callback. Since
+it is not an inlined instance of target function, we have to filter out
+when searching a probe point.
+
+Without this patch, perf probe sets probes on call site address too.This
+can happen on some function which is marked "inlined", but has actual
+symbol. (I'm not sure why GCC mark it "inlined"):
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+2500017
+ p:probe/vfs_read_1 _text+2499468
+ p:probe/vfs_read_2 _text+2499563
+ p:probe/vfs_read_3 _text+2498876
+ p:probe/vfs_read_4 _text+2498512
+ p:probe/vfs_read_5 _text+2498627
+
+With this patch:
+
+Slightly different results, similar tho:
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+2498512
+
+Committer testing:
+
+ # uname -a
+ Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+
+Before:
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+3131557
+ p:probe/vfs_read_1 _text+3130975
+ p:probe/vfs_read_2 _text+3131047
+ p:probe/vfs_read_3 _text+3130380
+ p:probe/vfs_read_4 _text+3130000
+ # uname -a
+ Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ #
+
+After:
+
+ # perf probe -D vfs_read
+ p:probe/vfs_read _text+3130000
+ #
+
+Fixes: db0d2c6420ee ("perf probe: Search concrete out-of-line instances")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241937063.32002.11024544873990816590.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -304,18 +304,22 @@ int die_entrypc(Dwarf_Die *dw_die, Dwarf
+ * @dw_die: a DIE
+ *
+ * Ensure that this DIE is an instance (which has an entry address).
+- * This returns true if @dw_die is a function instance. If not, you need to
+- * call die_walk_instances() to find actual instances.
++ * This returns true if @dw_die is a function instance. If not, the @dw_die
++ * must be a prototype. You can use die_walk_instances() to find actual
++ * instances.
+ **/
+ bool die_is_func_instance(Dwarf_Die *dw_die)
+ {
+ Dwarf_Addr tmp;
+ Dwarf_Attribute attr_mem;
++ int tag = dwarf_tag(dw_die);
+
+- /* Actually gcc optimizes non-inline as like as inlined */
+- return !dwarf_func_inline(dw_die) &&
+- (dwarf_entrypc(dw_die, &tmp) == 0 ||
+- dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL);
++ if (tag != DW_TAG_subprogram &&
++ tag != DW_TAG_inlined_subroutine)
++ return false;
++
++ return dwarf_entrypc(dw_die, &tmp) == 0 ||
++ dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL;
+ }
+
+ /**
+@@ -557,6 +561,9 @@ static int __die_walk_instances_cb(Dwarf
+ Dwarf_Die *origin;
+ int tmp;
+
++ if (!die_is_func_instance(inst))
++ return DIE_FIND_CB_CONTINUE;
++
+ attr = dwarf_attr(inst, DW_AT_abstract_origin, &attr_mem);
+ if (attr == NULL)
+ return DIE_FIND_CB_CONTINUE;
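Review bot: The updated kernel-doc for die_is_func_instance says that when it returns false `@dw_die` must be a prototype, but the new tag check returns false for every DIE that is neither `DW_TAG_subprogram` nor `DW_TAG_inlined_subroutine`, including the GNU_call_site entries the commit message describes. I would reword it along the lines of `Returns false for DIEs that are not subprogram/inlined_subroutine, or that have neither an entry PC nor DW_AT_ranges; for a prototype use die_walk_instances() to find the instances.` The hunk also drops the `!dwarf_func_inline()` test together with its comment, and a one-line comment saying why the tag check replaces it would help the next reader.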
diff --git a/queue-3.16/perf-probe-fix-to-add-missed-brace-around-if-block.patch b/queue-3.16/perf-probe-fix-to-add-missed-brace-around-if-block.patch
new file mode 100644
index 00000000..66949123
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-add-missed-brace-around-if-block.patch
@@ -0,0 +1,41 @@
+From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Date: Thu, 13 Aug 2015 06:55:41 +0900
+Subject: perf probe: Fix to add missed brace around if block
+
+commit 86a76027457633488b0a83d5e2bb944159885605 upstream.
+
+The commit 75186a9b09e4 (perf probe: Fix to show lines of sys_ functions
+correctly) introduced a bug by a missed brace around if block. This
+fixes to add it.
+
+Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: 75186a9b09e4 ("perf probe: Fix to show lines of sys_ functions correctly")
+Link: http://lkml.kernel.org/r/20150812215541.9088.62425.stgit@localhost.localdomain
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -717,7 +717,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ continue;
+ }
+ /* Filter lines based on address */
+- if (rt_die != cu_die)
++ if (rt_die != cu_die) {
+ /*
+ * Address filtering
+ * The line is included in given function, and
+@@ -731,6 +731,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ decf != dwarf_decl_file(&die_mem))
+ continue;
+ }
++ }
+ /* Get source line */
+ fname = dwarf_linesrc(line, NULL, NULL);
+
diff --git a/queue-3.16/perf-probe-fix-to-find-range-only-function-instance.patch b/queue-3.16/perf-probe-fix-to-find-range-only-function-instance.patch
new file mode 100644
index 00000000..fa30ec00
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-find-range-only-function-instance.patch
@@ -0,0 +1,42 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 24 Oct 2019 18:12:36 +0900
+Subject: perf probe: Fix to find range-only function instance
+
+commit b77afa1f810f37bd8a36cb1318178dfe2d7af6b6 upstream.
+
+Fix die_is_func_instance() to find range-only function instance.
+
+In some case, a function instance can be made without any low PC or
+entry PC, but only with address ranges by optimization. (e.g. cold text
+partially in "text.unlikely" section) To find such function instance, we
+have to check the range attribute too.
+
+Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157190835669.1859.8368628035930950596.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -288,10 +288,14 @@ bool die_is_func_def(Dwarf_Die *dw_die)
+ bool die_is_func_instance(Dwarf_Die *dw_die)
+ {
+ Dwarf_Addr tmp;
++ Dwarf_Attribute attr_mem;
+
+ /* Actually gcc optimizes non-inline as like as inlined */
+- return !dwarf_func_inline(dw_die) && dwarf_entrypc(dw_die, &tmp) == 0;
++ return !dwarf_func_inline(dw_die) &&
++ (dwarf_entrypc(dw_die, &tmp) == 0 ||
++ dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL);
+ }
++
+ /**
+ * die_get_data_member_location - Get the data-member offset
+ * @mb_die: a DIE of a member of a data structure
diff --git a/queue-3.16/perf-probe-fix-to-handle-optimized-not-inlined-functions.patch b/queue-3.16/perf-probe-fix-to-handle-optimized-not-inlined-functions.patch
new file mode 100644
index 00000000..6d475ddf
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-handle-optimized-not-inlined-functions.patch
@@ -0,0 +1,124 @@
+From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Date: Fri, 30 Jan 2015 18:37:44 +0900
+Subject: perf probe: Fix to handle optimized not-inlined functions
+
+commit e1ecbbc3fa834cc6b4b344edb1968e734d57189b upstream.
+
+Fix to handle optimized no-inline functions which have only function
+definition but no actual instance at that point.
+
+To fix this problem, we need to find actual instance of the function.
+
+Without this patch:
+ ----
+ # perf probe -a __up
+ Failed to get entry address of __up.
+ Error: Failed to add events.
+ # perf probe -L __up
+ Specified source line is not found.
+ Error: Failed to show lines.
+ ----
+
+With this patch:
+ ----
+ # perf probe -a __up
+ Added new event:
+ probe:__up (on __up)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:__up -aR sleep 1
+
+ # perf probe -L __up
+ <__up@/home/fedora/ksrc/linux-3/kernel/locking/semaphore.c:0>
+ 0 static noinline void __sched __up(struct semaphore *sem)
+ {
+ struct semaphore_waiter *waiter = list_first_entry(&sem->wait_
+ struct semaphore_waite
+ 4 list_del(&waiter->list);
+ 5 waiter->up = true;
+ 6 wake_up_process(waiter->task);
+ 7 }
+ ----
+
+Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20150130093744.30575.43290.stgit@localhost.localdomain
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 15 +++++++++++++++
+ tools/perf/util/dwarf-aux.h | 3 +++
+ tools/perf/util/probe-finder.c | 12 ++++--------
+ 3 files changed, 22 insertions(+), 8 deletions(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -278,6 +278,21 @@ bool die_is_func_def(Dwarf_Die *dw_die)
+ }
+
+ /**
++ * die_is_func_instance - Ensure that this DIE is an instance of a subprogram
++ * @dw_die: a DIE
++ *
++ * Ensure that this DIE is an instance (which has an entry address).
++ * This returns true if @dw_die is a function instance. If not, you need to
++ * call die_walk_instances() to find actual instances.
++ **/
++bool die_is_func_instance(Dwarf_Die *dw_die)
++{
++ Dwarf_Addr tmp;
++
++ /* Actually gcc optimizes non-inline as like as inlined */
++ return !dwarf_func_inline(dw_die) && dwarf_entrypc(dw_die, &tmp) == 0;
++}
++/**
+ * die_get_data_member_location - Get the data-member offset
+ * @mb_die: a DIE of a member of a data structure
+ * @offs: The offset of the member in the data structure
+--- a/tools/perf/util/dwarf-aux.h
++++ b/tools/perf/util/dwarf-aux.h
+@@ -41,6 +41,9 @@ extern int cu_walk_functions_at(Dwarf_Di
+ /* Ensure that this DIE is a subprogram and definition (not declaration) */
+ extern bool die_is_func_def(Dwarf_Die *dw_die);
+
++/* Ensure that this DIE is an instance of a subprogram */
++extern bool die_is_func_instance(Dwarf_Die *dw_die);
++
+ /* Compare diename and tname */
+ extern bool die_compare_name(Dwarf_Die *dw_die, const char *tname);
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -909,17 +909,13 @@ static int probe_point_search_cb(Dwarf_D
+ dwarf_decl_line(sp_die, &pf->lno);
+ pf->lno += pp->line;
+ param->retval = find_probe_point_by_line(pf);
+- } else if (!dwarf_func_inline(sp_die)) {
++ } else if (die_is_func_instance(sp_die)) {
++ /* Instances always have the entry address */
++ dwarf_entrypc(sp_die, &pf->addr);
+ /* Real function */
+ if (pp->lazy_line)
+ param->retval = find_probe_point_lazy(sp_die, pf);
+ else {
+- if (dwarf_entrypc(sp_die, &pf->addr) != 0) {
+- pr_warning("Failed to get entry address of "
+- "%s.\n", dwarf_diename(sp_die));
+- param->retval = -ENOENT;
+- return DWARF_CB_ABORT;
+- }
+ pf->addr += pp->offset;
+ /* TODO: Check the address in this function */
+ param->retval = call_probe_finder(sp_die, pf);
+@@ -1514,7 +1510,7 @@ static int line_range_search_cb(Dwarf_Di
+ pr_debug("New line range: %d to %d\n", lf->lno_s, lf->lno_e);
+ lr->start = lf->lno_s;
+ lr->end = lf->lno_e;
+- if (dwarf_func_inline(sp_die))
++ if (!die_is_func_instance(sp_die))
+ param->retval = die_walk_instances(sp_die,
+ line_range_inline_cb, lf);
+ else
diff --git a/queue-3.16/perf-probe-fix-to-list-probe-event-with-correct-line-number.patch b/queue-3.16/perf-probe-fix-to-list-probe-event-with-correct-line-number.patch
new file mode 100644
index 00000000..92cb9ed4
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-list-probe-event-with-correct-line-number.patch
@@ -0,0 +1,70 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:52 +0900
+Subject: perf probe: Fix to list probe event with correct line number
+
+commit 3895534dd78f0fd4d3f9e05ee52b9cdd444a743e upstream.
+
+Since debuginfo__find_probe_point() uses dwarf_entrypc() for finding the
+entry address of the function on which a probe is, it will fail when the
+function DIE has only ranges attribute.
+
+To fix this issue, use die_entrypc() instead of dwarf_entrypc().
+
+Without this fix, perf probe -l shows incorrect offset:
+
+ # perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579263632@work/linux/linux/kernel/cpu.c)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask+18446744071579263752@work/linux/linux/kernel/cpu.c)
+
+With this:
+
+ # perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@work/linux/linux/kernel/cpu.c)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:21@work/linux/linux/kernel/cpu.c)
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579765152@kernel/cpu.c)
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
+ [root@quaco ~]#
+
+Fixes: 1d46ea2a6a40 ("perf probe: Fix listing incorrect line number with inline function")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199321227.8075.14655572419136993015.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/probe-finder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1345,7 +1345,7 @@ int debuginfo__find_probe_point(struct d
+ /* Get function entry information */
+ func = basefunc = dwarf_diename(&spdie);
+ if (!func ||
+- dwarf_entrypc(&spdie, &baseaddr) != 0 ||
++ die_entrypc(&spdie, &baseaddr) != 0 ||
+ dwarf_decl_line(&spdie, &baseline) != 0) {
+ lineno = 0;
+ goto post;
+@@ -1362,7 +1362,7 @@ int debuginfo__find_probe_point(struct d
+ while (die_find_top_inlinefunc(&spdie, (Dwarf_Addr)addr,
+ &indie)) {
+ /* There is an inline function */
+- if (dwarf_entrypc(&indie, &_addr) == 0 &&
++ if (die_entrypc(&indie, &_addr) == 0 &&
+ _addr == addr) {
+ /*
+ * addr is at an inline function entry.
diff --git a/queue-3.16/perf-probe-fix-to-probe-a-function-which-has-no-entry-pc.patch b/queue-3.16/perf-probe-fix-to-probe-a-function-which-has-no-entry-pc.patch
new file mode 100644
index 00000000..169873c4
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-probe-a-function-which-has-no-entry-pc.patch
@@ -0,0 +1,88 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:34 +0900
+Subject: perf probe: Fix to probe a function which has no entry pc
+
+commit 5d16dbcc311d91267ddb45c6da4f187be320ecee upstream.
+
+Fix 'perf probe' to probe a function which has no entry pc or low pc but
+only has ranges attribute.
+
+probe_point_search_cb() uses dwarf_entrypc() to get the probe address,
+but that doesn't work for the function DIE which has only ranges
+attribute. Use die_entrypc() instead.
+
+Without this fix:
+
+ # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0
+ Probe point 'clear_tasks_mm_cpumask' not found.
+ Error: Failed to add events.
+
+With this:
+
+ # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0
+ p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
+ Probe point 'clear_tasks_mm_cpumask' not found.
+ Error: Failed to add events.
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ [root@quaco ~]#
+
+Using it with 'perf trace':
+
+ [root@quaco ~]# perf trace -e probe:clear_tasks_mm_cpumask
+
+Doesn't seem to be used in x86_64:
+
+ $ find . -name "*.c" | xargs grep clear_tasks_mm_cpumask
+ ./kernel/cpu.c: * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
+ ./kernel/cpu.c:void clear_tasks_mm_cpumask(int cpu)
+ ./arch/xtensa/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/csky/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/sh/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/arm/kernel/smp.c: clear_tasks_mm_cpumask(cpu);
+ ./arch/powerpc/mm/nohash/mmu_context.c: clear_tasks_mm_cpumask(cpu);
+ $ find . -name "*.h" | xargs grep clear_tasks_mm_cpumask
+ ./include/linux/cpu.h:void clear_tasks_mm_cpumask(int cpu);
+ $ find . -name "*.S" | xargs grep clear_tasks_mm_cpumask
+ $
+
+Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199319438.8075.4695576954550638618.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -908,7 +908,7 @@ static int probe_point_search_cb(Dwarf_D
+ param->retval = find_probe_point_by_line(pf);
+ } else if (die_is_func_instance(sp_die)) {
+ /* Instances always have the entry address */
+- dwarf_entrypc(sp_die, &pf->addr);
++ die_entrypc(sp_die, &pf->addr);
+ /* But in some case the entry address is 0 */
+ if (pf->addr == 0) {
+ pr_debug("%s has no entry PC. Skipped\n",
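Review bot: The return value of `die_entrypc(sp_die, &pf->addr)` in probe_point_search_cb is discarded, and the only guard that follows is `pf->addr == 0`. If die_entrypc() fails without writing through the pointer, `pf->addr` keeps whatever it held before, possibly from an earlier callback invocation (its initialisation and the rest of the function are outside this hunk). Folding the result into the existing test closes the gap: `if (die_entrypc(sp_die, &pf->addr) != 0 || pf->addr == 0) {`. perf probe reads debuginfo that may not come from a trusted build, so a stale address should not flow into a probe definition.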
diff --git a/queue-3.16/perf-probe-fix-to-probe-an-inline-function-which-has-no-entry-pc.patch b/queue-3.16/perf-probe-fix-to-probe-an-inline-function-which-has-no-entry-pc.patch
new file mode 100644
index 00000000..193038d6
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-probe-an-inline-function-which-has-no-entry-pc.patch
@@ -0,0 +1,64 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:43 +0900
+Subject: perf probe: Fix to probe an inline function which has no entry pc
+
+commit eb6933b29d20bf2c3053883d409a53f462c1a3ac upstream.
+
+Fix perf probe to probe an inlne function which has no entry pc
+or low pc but only has ranges attribute.
+
+This seems very rare case, but I could find a few examples, as
+same as probe_point_search_cb(), use die_entrypc() to get the
+entry address in probe_point_inline_cb() too.
+
+Without this patch:
+
+ # perf probe -D __amd_put_nb_event_constraints
+ Failed to get entry address of __amd_put_nb_event_constraints.
+ Probe point '__amd_put_nb_event_constraints' not found.
+ Error: Failed to add events.
+
+With this patch:
+
+ # perf probe -D __amd_put_nb_event_constraints
+ p:probe/__amd_put_nb_event_constraints amd_put_event_constraints+43
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints
+ Failed to get entry address of __amd_put_nb_event_constraints.
+ Probe point '__amd_put_nb_event_constraints' not found.
+ Error: Failed to add events.
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints
+ p:probe/__amd_put_nb_event_constraints _text+33789
+ [root@quaco ~]#
+
+Fixes: 4ea42b181434 ("perf: Add perf probe subcommand, a kprobe-event setup helper")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199320336.8075.16189530425277588587.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -858,7 +858,7 @@ static int probe_point_inline_cb(Dwarf_D
+ ret = find_probe_point_lazy(in_die, pf);
+ else {
+ /* Get probe address */
+- if (dwarf_entrypc(in_die, &addr) != 0) {
++ if (die_entrypc(in_die, &addr) != 0) {
+ pr_warning("Failed to get entry address of %s.\n",
+ dwarf_diename(in_die));
+ return -ENOENT;
diff --git a/queue-3.16/perf-probe-fix-to-show-calling-lines-of-inlined-functions.patch b/queue-3.16/perf-probe-fix-to-show-calling-lines-of-inlined-functions.patch
new file mode 100644
index 00000000..57986ff5
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-show-calling-lines-of-inlined-functions.patch
@@ -0,0 +1,114 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:40 +0900
+Subject: perf probe: Fix to show calling lines of inlined functions
+
+commit 86c0bf8539e7f46d91bd105e55eda96e0064caef upstream.
+
+Fix to show calling lines of inlined functions (where an inline function
+is called).
+
+die_walk_lines() filtered out the lines inside inlined functions based
+on the address. However this also filtered out the lines which call
+those inlined functions from the target function.
+
+To solve this issue, check the call_file and call_line attributes and do
+not filter out if it matches to the line information.
+
+Without this fix, perf probe -L doesn't show some lines correctly.
+(don't see the lines after 17)
+
+ # perf probe -L vfs_read
+ <vfs_read@/home/mhiramat/ksrc/linux/fs/read_write.c:0>
+ 0 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ 1 {
+ 2 ssize_t ret;
+
+ 4 if (!(file->f_mode & FMODE_READ))
+ return -EBADF;
+ 6 if (!(file->f_mode & FMODE_CAN_READ))
+ return -EINVAL;
+ 8 if (unlikely(!access_ok(buf, count)))
+ return -EFAULT;
+
+ 11 ret = rw_verify_area(READ, file, pos, count);
+ 12 if (!ret) {
+ 13 if (count > MAX_RW_COUNT)
+ count = MAX_RW_COUNT;
+ 15 ret = __vfs_read(file, buf, count, pos);
+ 16 if (ret > 0) {
+ fsnotify_access(file);
+ add_rchar(current, ret);
+ }
+
+With this fix:
+
+ # perf probe -L vfs_read
+ <vfs_read@/home/mhiramat/ksrc/linux/fs/read_write.c:0>
+ 0 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ 1 {
+ 2 ssize_t ret;
+
+ 4 if (!(file->f_mode & FMODE_READ))
+ return -EBADF;
+ 6 if (!(file->f_mode & FMODE_CAN_READ))
+ return -EINVAL;
+ 8 if (unlikely(!access_ok(buf, count)))
+ return -EFAULT;
+
+ 11 ret = rw_verify_area(READ, file, pos, count);
+ 12 if (!ret) {
+ 13 if (count > MAX_RW_COUNT)
+ count = MAX_RW_COUNT;
+ 15 ret = __vfs_read(file, buf, count, pos);
+ 16 if (ret > 0) {
+ 17 fsnotify_access(file);
+ 18 add_rchar(current, ret);
+ }
+ 20 inc_syscr(current);
+ }
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241937995.32002.17899884017011512577.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -714,7 +714,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ Dwarf_Lines *lines;
+ Dwarf_Line *line;
+ Dwarf_Addr addr;
+- const char *fname, *decf = NULL;
++ const char *fname, *decf = NULL, *inf = NULL;
+ int lineno, ret = 0;
+ int decl = 0, inl;
+ Dwarf_Die die_mem, *cu_die;
+@@ -765,13 +765,21 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ */
+ if (!dwarf_haspc(rt_die, addr))
+ continue;
++
+ if (die_find_inlinefunc(rt_die, addr, &die_mem)) {
++ /* Call-site check */
++ inf = die_get_call_file(&die_mem);
++ if ((inf && !strcmp(inf, decf)) &&
++ die_get_call_lineno(&die_mem) == lineno)
++ goto found;
++
+ dwarf_decl_line(&die_mem, &inl);
+ if (inl != decl ||
+ decf != dwarf_decl_file(&die_mem))
+ continue;
+ }
+ }
++found:
+ /* Get source line */
+ fname = dwarf_linesrc(line, NULL, NULL);
+
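Review bot: The new call-site check in die_walk_lines passes `decf` to `strcmp()` after testing only `inf` for NULL, while `decf` is initialised to NULL in the declaration this hunk touches. Whether it is always assigned a non-NULL name before this point depends on code outside the hunk, and a DWARF entry may lack a usable declaration file, so I would guard both sides: `if (inf && decf && !strcmp(inf, decf) &&`. `inf` is used only inside this block and could be declared there instead of at function scope.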
diff --git a/queue-3.16/perf-probe-fix-to-show-function-entry-line-as-probe-able.patch b/queue-3.16/perf-probe-fix-to-show-function-entry-line-as-probe-able.patch
new file mode 100644
index 00000000..5ab6bc4c
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-show-function-entry-line-as-probe-able.patch
@@ -0,0 +1,80 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 24 Oct 2019 18:12:54 +0900
+Subject: perf probe: Fix to show function entry line as probe-able
+
+commit 91e2f539eeda26ab00bd03fae8dc434c128c85ed upstream.
+
+Fix die_walk_lines() to list the function entry line correctly. Since
+the dwarf_entrypc() does not return the entry pc if the DIE has only
+range attribute, __die_walk_funclines() fails to list the declaration
+line (entry line) in that case.
+
+To solve this issue, this introduces die_entrypc() which correctly
+returns the entry PC (the first address range) even if the DIE has only
+range attribute. With this fix die_walk_lines() shows the function entry
+line is able to probe correctly.
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157190837419.1859.4619125803596816752.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 24 +++++++++++++++++++++++-
+ tools/perf/util/dwarf-aux.h | 3 +++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -278,6 +278,28 @@ bool die_is_func_def(Dwarf_Die *dw_die)
+ }
+
+ /**
++ * die_entrypc - Returns entry PC (the lowest address) of a DIE
++ * @dw_die: a DIE
++ * @addr: where to store entry PC
++ *
++ * Since dwarf_entrypc() does not return entry PC if the DIE has only address
++ * range, we have to use this to retrieve the lowest address from the address
++ * range attribute.
++ */
++int die_entrypc(Dwarf_Die *dw_die, Dwarf_Addr *addr)
++{
++ Dwarf_Addr base, end;
++
++ if (!addr)
++ return -EINVAL;
++
++ if (dwarf_entrypc(dw_die, addr) == 0)
++ return 0;
++
++ return dwarf_ranges(dw_die, 0, &base, addr, &end) < 0 ? -ENOENT : 0;
++}
++
++/**
+ * die_is_func_instance - Ensure that this DIE is an instance of a subprogram
+ * @dw_die: a DIE
+ *
+@@ -647,7 +669,7 @@ static int __die_walk_funclines(Dwarf_Di
+ /* Handle function declaration line */
+ fname = dwarf_decl_file(sp_die);
+ if (fname && dwarf_decl_line(sp_die, &lineno) == 0 &&
+- dwarf_entrypc(sp_die, &addr) == 0) {
++ die_entrypc(sp_die, &addr) == 0) {
+ lw.retval = callback(fname, lineno, addr, data);
+ if (lw.retval != 0)
+ goto done;
+--- a/tools/perf/util/dwarf-aux.h
++++ b/tools/perf/util/dwarf-aux.h
+@@ -38,6 +38,9 @@ extern int cu_find_lineinfo(Dwarf_Die *c
+ extern int cu_walk_functions_at(Dwarf_Die *cu_die, Dwarf_Addr addr,
+ int (*callback)(Dwarf_Die *, void *), void *data);
+
++/* Get the lowest PC in DIE (including range list) */
++int die_entrypc(Dwarf_Die *dw_die, Dwarf_Addr *addr);
++
+ /* Ensure that this DIE is a subprogram and definition (not declaration) */
+ extern bool die_is_func_def(Dwarf_Die *dw_die);
+
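Review bot: die_entrypc() treats only a negative dwarf_ranges() result as failure, but elfutils returns 0 from dwarf_ranges() when the DIE has no address ranges, in which case `*addr` is never written and the function still returns 0. Callers that trust the return value, such as the `die_entrypc(sp_die, &addr) == 0` test this patch adds to __die_walk_funclines, would then use an unset address. Checking for the attribute first avoids that: declare `Dwarf_Attribute attr_mem;` and add `if (!dwarf_attr(dw_die, DW_AT_ranges, &attr_mem)) return -ENOENT;` before the dwarf_ranges() call. The kernel-doc would also benefit from a `Return:` line stating 0 on success and a negative errno otherwise.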
diff --git a/queue-3.16/perf-probe-fix-to-show-inlined-function-callsite-without-entry_pc.patch b/queue-3.16/perf-probe-fix-to-show-inlined-function-callsite-without-entry_pc.patch
new file mode 100644
index 00000000..f45c5ef3
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-show-inlined-function-callsite-without-entry_pc.patch
@@ -0,0 +1,104 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 25 Oct 2019 17:47:01 +0900
+Subject: perf probe: Fix to show inlined function callsite without entry_pc
+
+commit 18e21eb671dc87a4f0546ba505a89ea93598a634 upstream.
+
+Fix 'perf probe --line' option to show inlined function callsite lines
+even if the function DIE has only ranges.
+
+Without this:
+
+ # perf probe -L amd_put_event_constraints
+ ...
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+With this patch:
+
+ # perf probe -L amd_put_event_constraints
+ ...
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ 4 __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf probe -L amd_put_event_constraints
+ <amd_put_event_constraints@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/arch/x86/events/amd/core.c:0>
+ 0 static void amd_put_event_constraints(struct cpu_hw_events *cpuc,
+ struct perf_event *event)
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+ PMU_FORMAT_ATTR(event, "config:0-7,32-35");
+ PMU_FORMAT_ATTR(umask, "config:8-15" );
+
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf probe -L amd_put_event_constraints
+ <amd_put_event_constraints@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/arch/x86/events/amd/core.c:0>
+ 0 static void amd_put_event_constraints(struct cpu_hw_events *cpuc,
+ struct perf_event *event)
+ 2 {
+ 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
+ 4 __amd_put_nb_event_constraints(cpuc, event);
+ 5 }
+
+ PMU_FORMAT_ATTR(event, "config:0-7,32-35");
+ PMU_FORMAT_ATTR(umask, "config:8-15" );
+
+ [root@quaco ~]# perf probe amd_put_event_constraints:4
+ Added new event:
+ probe:amd_put_event_constraints (on amd_put_event_constraints:4)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:amd_put_event_constraints -aR sleep 1
+
+ [root@quaco ~]#
+
+ [root@quaco ~]# perf probe -l
+ probe:amd_put_event_constraints (on amd_put_event_constraints:4@arch/x86/events/amd/core.c)
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
+ [root@quaco ~]#
+
+Using it:
+
+ [root@quaco ~]# perf trace -e probe:*
+ ^C[root@quaco ~]#
+
+Ok, Intel system here... :-)
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199322107.8075.12659099000567865708.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -628,7 +628,7 @@ static int __die_walk_funclines_cb(Dwarf
+ if (dwarf_tag(in_die) == DW_TAG_inlined_subroutine) {
+ fname = die_get_call_file(in_die);
+ lineno = die_get_call_lineno(in_die);
+- if (fname && lineno > 0 && dwarf_entrypc(in_die, &addr) == 0) {
++ if (fname && lineno > 0 && die_entrypc(in_die, &addr) == 0) {
+ lw->retval = lw->callback(fname, lineno, addr, lw->data);
+ if (lw->retval != 0)
+ return DIE_FIND_CB_END;
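Review bot: The switched condition `die_entrypc(in_die, &addr) == 0` can be true without `addr` having been written. die_entrypc(), as added by the preceding patch in this queue, ends in `dwarf_ranges(dw_die, 0, &base, addr, &end) < 0 ? -ENOENT : 0`, and libdw's dwarf_ranges() returns 0, not a negative value, when the DIE has no address ranges at all, so that case is reported as success. The callback would then hand an unset `addr` to `lw->callback`. Treating 0 as a miss in the helper closes this: `return dwarf_ranges(dw_die, 0, &base, addr, &end) <= 0 ? -ENOENT : 0;`. __die_walk_funclines_cb starts and ends outside the hunk, so whether `addr` has an initial value there still needs checking.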
diff --git a/queue-3.16/perf-probe-fix-to-show-lines-of-sys_-functions-correctly.patch b/queue-3.16/perf-probe-fix-to-show-lines-of-sys_-functions-correctly.patch
new file mode 100644
index 00000000..16c40954
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-to-show-lines-of-sys_-functions-correctly.patch
@@ -0,0 +1,92 @@
+From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Date: Wed, 12 Aug 2015 10:24:07 +0900
+Subject: perf probe: Fix to show lines of sys_ functions correctly
+
+commit 75186a9b09e47072f442f43e292cd47180b67b5c upstream.
+
+"perf probe --lines sys_poll" shows only the first line of sys_poll,
+because the SYSCALL_DEFINE macro:
+
+ ----
+ SYSCALL_DEFINE*(foo,...)
+ {
+ body;
+ }
+ ----
+
+ is expanded as below (on debuginfo)
+
+ ----
+
+ static inline int SYSC_foo(...)
+ {
+ body;
+ }
+ int SyS_foo(...) <- is an alias of sys_foo.
+ {
+ return SYSC_foo(...);
+ }
+ ----
+
+So, "perf probe --lines sys_foo" decodes SyS_foo function and it also skips
+inlined functions(SYSC_foo) inside the target function because those functions
+are usually defined somewhere else.
+
+To fix this issue, this fix checks whether the inlined function is defined at
+the same point of the target function, and if so, it doesn't skip the inline
+function.
+
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lkml.kernel.org/r/20150812012406.11811.94691.stgit@localhost.localdomain
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -681,15 +681,18 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ Dwarf_Lines *lines;
+ Dwarf_Line *line;
+ Dwarf_Addr addr;
+- const char *fname;
++ const char *fname, *decf = NULL;
+ int lineno, ret = 0;
++ int decl = 0, inl;
+ Dwarf_Die die_mem, *cu_die;
+ size_t nlines, i;
+
+ /* Get the CU die */
+- if (dwarf_tag(rt_die) != DW_TAG_compile_unit)
++ if (dwarf_tag(rt_die) != DW_TAG_compile_unit) {
+ cu_die = dwarf_diecu(rt_die, &die_mem, NULL, NULL);
+- else
++ dwarf_decl_line(rt_die, &decl);
++ decf = dwarf_decl_file(rt_die);
++ } else
+ cu_die = rt_die;
+ if (!cu_die) {
+ pr_debug2("Failed to get CU from given DIE.\n");
+@@ -720,9 +723,14 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ * The line is included in given function, and
+ * no inline block includes it.
+ */
+- if (!dwarf_haspc(rt_die, addr) ||
+- die_find_inlinefunc(rt_die, addr, &die_mem))
++ if (!dwarf_haspc(rt_die, addr))
+ continue;
++ if (die_find_inlinefunc(rt_die, addr, &die_mem)) {
++ dwarf_decl_line(&die_mem, &inl);
++ if (inl != decl ||
++ decf != dwarf_decl_file(&die_mem))
++ continue;
++ }
+ /* Get source line */
+ fname = dwarf_linesrc(line, NULL, NULL);
+
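Review bot: `inl` is read uninitialised when `dwarf_decl_line(&die_mem, &inl)` fails, because the new inline-function branch of die_walk_lines ignores the return value and `int decl = 0, inl;` initialises only `decl`. Folding the call into the test avoids that: `if (dwarf_decl_line(&die_mem, &inl) != 0 || inl != decl || decf != dwarf_decl_file(&die_mem)) continue;`. The file test `decf != dwarf_decl_file(&die_mem)` compares pointers rather than strings; that presumably relies on libdw returning the same string for the same file within a CU, which deserves a one-line comment. The function body extends beyond both hunks.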
diff --git a/queue-3.16/perf-probe-fix-wrong-address-verification.patch b/queue-3.16/perf-probe-fix-wrong-address-verification.patch
new file mode 100644
index 00000000..d86de998
--- /dev/null
+++ b/queue-3.16/perf-probe-fix-wrong-address-verification.patch
@@ -0,0 +1,112 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 25 Oct 2019 17:46:25 +0900
+Subject: perf probe: Fix wrong address verification
+
+commit 07d369857808b7e8e471bbbbb0074a6718f89b31 upstream.
+
+Since there are some DIE which has only ranges instead of the
+combination of entrypc/highpc, address verification must use
+dwarf_haspc() instead of dwarf_entrypc/dwarf_highpc.
+
+Also, the ranges only DIE will have a partial code in different section
+(e.g. unlikely code will be in text.unlikely as "FUNC.cold" symbol). In
+that case, we can not use dwarf_entrypc() or die_entrypc(), because the
+offset from original DIE can be a minus value.
+
+Instead, this simply gets the symbol and offset from symtab.
+
+Without this patch;
+
+ # perf probe -D clear_tasks_mm_cpumask:1
+ Failed to get entry address of clear_tasks_mm_cpumask
+ Error: Failed to add events.
+
+And with this patch:
+
+ # perf probe -D clear_tasks_mm_cpumask:1
+ p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0
+ p:probe/clear_tasks_mm_cpumask_1 clear_tasks_mm_cpumask+5
+ p:probe/clear_tasks_mm_cpumask_2 clear_tasks_mm_cpumask+8
+ p:probe/clear_tasks_mm_cpumask_3 clear_tasks_mm_cpumask+16
+ p:probe/clear_tasks_mm_cpumask_4 clear_tasks_mm_cpumask+82
+
+Committer testing:
+
+I managed to reproduce the above:
+
+ [root@quaco ~]# perf probe -D clear_tasks_mm_cpumask:1
+ p:probe/clear_tasks_mm_cpumask _text+919968
+ p:probe/clear_tasks_mm_cpumask_1 _text+919973
+ p:probe/clear_tasks_mm_cpumask_2 _text+919976
+ [root@quaco ~]#
+
+But then when trying to actually put the probe in place, it fails if I
+use :0 as the offset:
+
+ [root@quaco ~]# perf probe -L clear_tasks_mm_cpumask | head -5
+ <clear_tasks_mm_cpumask@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/kernel/cpu.c:0>
+ 0 void clear_tasks_mm_cpumask(int cpu)
+ 1 {
+ 2 struct task_struct *p;
+
+ [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
+ Probe point 'clear_tasks_mm_cpumask' not found.
+ Error: Failed to add events.
+ [root@quaco
+
+The next patch is needed to fix this case.
+
+Fixes: 576b523721b7 ("perf probe: Fix probing symbols with optimization suffix")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157199318513.8075.10463906803299647907.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -588,34 +588,26 @@ static int convert_to_trace_point(Dwarf_
+ Dwarf_Addr paddr, bool retprobe,
+ struct probe_trace_point *tp)
+ {
+- Dwarf_Addr eaddr, highaddr;
++ Dwarf_Addr eaddr;
+ GElf_Sym sym;
+ const char *symbol;
+
+ /* Verify the address is correct */
+- if (dwarf_entrypc(sp_die, &eaddr) != 0) {
+- pr_warning("Failed to get entry address of %s\n",
+- dwarf_diename(sp_die));
+- return -ENOENT;
+- }
+- if (dwarf_highpc(sp_die, &highaddr) != 0) {
+- pr_warning("Failed to get end address of %s\n",
+- dwarf_diename(sp_die));
+- return -ENOENT;
+- }
+- if (paddr > highaddr) {
+- pr_warning("Offset specified is greater than size of %s\n",
++ if (!dwarf_haspc(sp_die, paddr)) {
++ pr_warning("Specified offset is out of %s\n",
+ dwarf_diename(sp_die));
+ return -EINVAL;
+ }
+
+- /* Get an appropriate symbol from symtab */
++ /* Try to get actual symbol name from symtab */
+ symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
+ if (!symbol) {
+ pr_warning("Failed to find symbol at 0x%lx\n",
+ (unsigned long)paddr);
+ return -ENOENT;
+ }
++ eaddr = sym.st_value;
++
+ tp->offset = (unsigned long)(paddr - sym.st_value);
+ tp->address = (unsigned long)paddr;
+ tp->symbol = strdup(symbol);
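Review bot: `eaddr = sym.st_value;` is assigned and then not read anywhere inside this hunk, while the very next statement recomputes from `sym.st_value`. If `eaddr` is kept for code further down convert_to_trace_point (the function continues past the hunk), the offset can use it too: `tp->offset = (unsigned long)(paddr - eaddr);`. The `/* Verify the address is correct */` comment would also be worth extending to say why dwarf_haspc() is the test, e.g. `/* A DIE may carry only DW_AT_ranges, so check membership with dwarf_haspc() */`.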
diff --git a/queue-3.16/perf-probe-skip-end-of-sequence-and-non-statement-lines.patch b/queue-3.16/perf-probe-skip-end-of-sequence-and-non-statement-lines.patch
new file mode 100644
index 00000000..7abe7f7f
--- /dev/null
+++ b/queue-3.16/perf-probe-skip-end-of-sequence-and-non-statement-lines.patch
@@ -0,0 +1,137 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:21 +0900
+Subject: perf probe: Skip end-of-sequence and non statement lines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit f4d99bdfd124823a81878b44b5e8750b97f73902 upstream.
+
+Skip end-of-sequence and non-statement lines while walking through lines
+list.
+
+The "end-of-sequence" line information means:
+
+ "the current address is that of the first byte after the
+ end of a sequence of target machine instructions."
+ (DWARF version 4 spec 6.2.2)
+
+This actually means out of scope and we can not probe on it.
+
+On the other hand, the statement lines (is_stmt) means:
+
+ "the current instruction is a recommended breakpoint location.
+ A recommended breakpoint location is intended to “represent”
+ a line, a statement and/or a semantically distinct subpart
+ of a statement."
+
+ (DWARF version 4 spec 6.2.2)
+
+So, non-statement line info also should be skipped.
+
+These can reduce unneeded probe points and also avoid an error.
+
+E.g. without this patch:
+
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new events:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_3 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_4 (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask_4 -aR sleep 1
+
+ #
+
+This puts 5 probes on one line, but acutally it's not inlined function.
+This is because there are many non statement instructions at the
+function prologue.
+
+With this patch:
+
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ #
+
+Now perf-probe skips unneeded addresses.
+
+Committer testing:
+
+Slightly different results, but similar:
+
+Before:
+
+ # uname -a
+ Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ #
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new events:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1)
+ probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask_2 -aR sleep 1
+
+ #
+
+After:
+
+ # perf probe -a "clear_tasks_mm_cpumask:1"
+ Added new event:
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1
+
+ # perf probe -l
+ probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
+ #
+
+Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241936090.32002.12156347518596111660.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/dwarf-aux.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -712,6 +712,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ int decl = 0, inl;
+ Dwarf_Die die_mem, *cu_die;
+ size_t nlines, i;
++ bool flag;
+
+ /* Get the CU die */
+ if (dwarf_tag(rt_die) != DW_TAG_compile_unit) {
+@@ -742,6 +743,12 @@ int die_walk_lines(Dwarf_Die *rt_die, li
+ "Possible error in debuginfo.\n");
+ continue;
+ }
++ /* Skip end-of-sequence */
++ if (dwarf_lineendsequence(line, &flag) != 0 || flag)
++ continue;
++ /* Skip Non statement line-info */
++ if (dwarf_linebeginstatement(line, &flag) != 0 || !flag)
++ continue;
+ /* Filter lines based on address */
+ if (rt_die != cu_die) {
+ /*
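Review bot: A failing `dwarf_lineendsequence()` or `dwarf_linebeginstatement()` takes the same silent `continue` as a line that is legitimately skipped, so a damaged line table is dropped without trace, whereas the check just above logs "Possible error in debuginfo." before continuing. Splitting the error case out, `if (dwarf_lineendsequence(line, &flag) != 0) { pr_debug2("Failed to read line flags.\n"); continue; }`, keeps the two apart. The single `bool flag;` also carries two different meanings in consecutive statements; `end_seq` and `is_stmt` would read more clearly. die_walk_lines starts and ends outside both hunks.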
diff --git a/queue-3.16/perf-probe-skip-if-the-function-address-is-0.patch b/queue-3.16/perf-probe-skip-if-the-function-address-is-0.patch
new file mode 100644
index 00000000..a078265e
--- /dev/null
+++ b/queue-3.16/perf-probe-skip-if-the-function-address-is-0.patch
@@ -0,0 +1,101 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 24 Sep 2016 00:35:07 +0900
+Subject: perf probe: Skip if the function address is 0
+
+commit 0ad45b33c58dca60dec7e1fb44766753bc4a7a38 upstream.
+
+Skip probes if the entry address of the target function is 0. This can
+happen when we're handling C++ debuginfo files.
+
+E.g. without this fix, below case still fail.
+ ----
+ $ ./perf probe -x /usr/lib64/libstdc++.so.6 -vD is_open
+ probe-definition(0): is_open
+ symbol:is_open file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ symbol:catch file:(null) line:0 offset:0 return:0 lazy:(null)
+ symbol:throw file:(null) line:0 offset:0 return:0 lazy:(null)
+ symbol:rethrow file:(null) line:0 offset:0 return:0 lazy:(null)
+ Open Debuginfo file: /usr/lib/debug/usr/lib64/libstdc++.so.6.0.22.debug
+ Try to find probe point from debuginfo.
+ Matched function: is_open [295df]
+ found inline addr: 0x8ca80
+ Probe point found: is_open+0
+ found inline addr: 0x8ca70
+ Probe point found: is_open+0
+ found inline addr: 0x8ca60
+ Probe point found: is_open+0
+ Matched function: is_open [6527f]
+ Matched function: is_open [9fe8a]
+ Probe point found: is_open+0
+ Matched function: is_open [19710b]
+ found inline addr: 0xecca9
+ Probe point found: stdio_filebuf+57
+ found inline addr: 0x0
+ Probe point found: swap+0
+ Matched function: is_open [19fc9d]
+ Probe point found: is_open+0
+ Found 7 probe_trace_events.
+ p:probe_libstdc++/is_open /usr/lib64/libstdc++.so.6.0.22:0x8ca80
+ p:probe_libstdc++/is_open_1 /usr/lib64/libstdc++.so.6.0.22:0x8ca70
+ p:probe_libstdc++/is_open_2 /usr/lib64/libstdc++.so.6.0.22:0x8ca60
+ p:probe_libstdc++/is_open_3 /usr/lib64/libstdc++.so.6.0.22:0xb0ad0
+ p:probe_libstdc++/is_open_4 /usr/lib64/libstdc++.so.6.0.22:0xecca9
+ Failed to synthesize probe trace event.
+ Error: Failed to add events. Reason: Invalid argument (Code: -22)
+ ----
+This is because some instances have entry_pc == 0 (see 19710b and
+19fc9d). With this fix, those are skipped.
+
+ ----
+ $ ./perf probe -x /usr/lib64/libstdc++.so.6 -D is_open
+ p:probe_libstdc++/is_open /usr/lib64/libstdc++.so.6.0.22:0x8ca80
+ p:probe_libstdc++/is_open_1 /usr/lib64/libstdc++.so.6.0.22:0x8ca70
+ p:probe_libstdc++/is_open_2 /usr/lib64/libstdc++.so.6.0.22:0x8ca60
+ p:probe_libstdc++/is_open_3 /usr/lib64/libstdc++.so.6.0.22:0xb0ad0
+ p:probe_libstdc++/is_open_4 /usr/lib64/libstdc++.so.6.0.22:0xecca9
+ ----
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Jiri Olsa <jolsa@kernel.org>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/147464490707.29804.14277897643725143867.stgit@devbox
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/probe-finder.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -871,6 +871,11 @@ static int probe_point_inline_cb(Dwarf_D
+ dwarf_diename(in_die));
+ return -ENOENT;
+ }
++ if (addr == 0) {
++ pr_debug("%s has no valid entry address. skipped.\n",
++ dwarf_diename(in_die));
++ return -ENOENT;
++ }
+ pf->addr = addr;
+ pf->addr += pp->offset;
+ pr_debug("found inline addr: 0x%jx\n",
+@@ -912,8 +917,13 @@ static int probe_point_search_cb(Dwarf_D
+ } else if (die_is_func_instance(sp_die)) {
+ /* Instances always have the entry address */
+ dwarf_entrypc(sp_die, &pf->addr);
++ /* But in some case the entry address is 0 */
++ if (pf->addr == 0) {
++ pr_debug("%s has no entry PC. Skipped\n",
++ dwarf_diename(sp_die));
++ param->retval = 0;
+ /* Real function */
+- if (pp->lazy_line)
++ } else if (pp->lazy_line)
+ param->retval = find_probe_point_lazy(sp_die, pf);
+ else {
+ pf->addr += pp->offset;
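Review bot: The new `pf->addr == 0` test in probe_point_search_cb only catches a zero entry PC, because the return value of `dwarf_entrypc(sp_die, &pf->addr);` on the line above is still ignored. If that call fails, `pf->addr` may keep whatever an earlier callback left there and the probe address is derived from a stale value. Checking both covers it: `if (dwarf_entrypc(sp_die, &pf->addr) != 0 || pf->addr == 0) {`. The `/* Real function */` comment now sits inside the skip branch and would read better moved under the `} else if (pp->lazy_line)` line. The function extends beyond the hunk.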
diff --git a/queue-3.16/perf-probe-skip-overlapped-location-on-searching-variables.patch b/queue-3.16/perf-probe-skip-overlapped-location-on-searching-variables.patch
new file mode 100644
index 00000000..0454cf50
--- /dev/null
+++ b/queue-3.16/perf-probe-skip-overlapped-location-on-searching-variables.patch
@@ -0,0 +1,96 @@
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 30 Oct 2019 16:09:49 +0900
+Subject: perf probe: Skip overlapped location on searching variables
+
+commit dee36a2abb67c175265d49b9a8c7dfa564463d9a upstream.
+
+Since debuginfo__find_probes() callback function can be called with the
+location which already passed, the callback function must filter out
+such overlapped locations.
+
+add_probe_trace_event() has already done it by commit 1a375ae7659a
+("perf probe: Skip same probe address for a given line"), but
+add_available_vars() doesn't. Thus perf probe -v shows same address
+repeatedly as below:
+
+ # perf probe -V vfs_read:18
+ Available variables at vfs_read:18
+ @<vfs_read+217>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+ @<vfs_read+217>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+ @<vfs_read+226>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+
+With this fix, perf probe -V shows it correctly:
+
+ # perf probe -V vfs_read:18
+ Available variables at vfs_read:18
+ @<vfs_read+217>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+ @<vfs_read+226>
+ char* buf
+ loff_t* pos
+ ssize_t ret
+ struct file* file
+
+Fixes: cf6eb489e5c0 ("perf probe: Show accessible local variables")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: http://lore.kernel.org/lkml/157241938927.32002.4026859017790562751.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/probe-finder.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1230,6 +1230,18 @@ static int collect_variables_cb(Dwarf_Di
+ return DIE_FIND_CB_SIBLING;
+ }
+
++static bool available_var_finder_overlap(struct available_var_finder *af)
++{
++ int i;
++
++ for (i = 0; i < af->nvls; i++) {
++ if (af->pf.addr == af->vls[i].point.address)
++ return true;
++ }
++ return false;
++
++}
++
+ /* Add a found vars into available variables list */
+ static int add_available_vars(Dwarf_Die *sc_die, struct probe_finder *pf)
+ {
+@@ -1239,6 +1251,14 @@ static int add_available_vars(Dwarf_Die
+ Dwarf_Die die_mem;
+ int ret;
+
++ /*
++ * For some reason (e.g. different column assigned to same address),
++ * this callback can be called with the address which already passed.
++ * Ignore it first.
++ */
++ if (available_var_finder_overlap(af))
++ return 0;
++
+ /* Check number of tevs */
+ if (af->nvls == af->max_vls) {
+ pr_warning("Too many( > %d) probe point found.\n", af->max_vls);
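Review bot: available_var_finder_overlap() is added without a comment and with a stray blank line before its closing brace. A line such as `/* Return true if af->pf.addr is already recorded in af->vls[] */` above it would say what "overlap" means here. The helper only reads through `af`, so the parameter can be `const struct available_var_finder *af`. add_available_vars continues past the hunk, so where `af` is initialised before the new early return is not visible here.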
diff --git a/queue-3.16/perf-regs-make-perf_reg_name-return-unknown-instead-of-null.patch b/queue-3.16/perf-regs-make-perf_reg_name-return-unknown-instead-of-null.patch
new file mode 100644
index 00000000..6ea864e4
--- /dev/null
+++ b/queue-3.16/perf-regs-make-perf_reg_name-return-unknown-instead-of-null.patch
@@ -0,0 +1,78 @@
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Wed, 27 Nov 2019 10:13:34 -0300
+Subject: perf regs: Make perf_reg_name() return "unknown" instead of NULL
+
+commit 5b596e0ff0e1852197d4c82d3314db5e43126bf7 upstream.
+
+To avoid breaking the build on arches where this is not wired up, at
+least all the other features should be made available and when using
+this specific routine, the "unknown" should point the user/developer to
+the need to wire this up on this particular hardware architecture.
+
+Detected in a container mipsel debian cross build environment, where it
+shows up as:
+
+ In file included from /usr/mipsel-linux-gnu/include/stdio.h:867,
+ from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
+ from util/session.c:13:
+ In function 'printf',
+ inlined from 'regs_dump__printf' at util/session.c:1103:3,
+ inlined from 'regs__printf' at util/session.c:1131:2:
+ /usr/mipsel-linux-gnu/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
+ 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+cross compiler details:
+
+ mipsel-linux-gnu-gcc (Debian 9.2.1-8) 9.2.1 20190909
+
+Also on mips64:
+
+ In file included from /usr/mips64-linux-gnuabi64/include/stdio.h:867,
+ from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
+ from util/session.c:13:
+ In function 'printf',
+ inlined from 'regs_dump__printf' at util/session.c:1103:3,
+ inlined from 'regs__printf' at util/session.c:1131:2,
+ inlined from 'regs_user__printf' at util/session.c:1139:3,
+ inlined from 'dump_sample' at util/session.c:1246:3,
+ inlined from 'machines__deliver_event' at util/session.c:1421:3:
+ /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
+ 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In function 'printf',
+ inlined from 'regs_dump__printf' at util/session.c:1103:3,
+ inlined from 'regs__printf' at util/session.c:1131:2,
+ inlined from 'regs_intr__printf' at util/session.c:1147:3,
+ inlined from 'dump_sample' at util/session.c:1249:3,
+ inlined from 'machines__deliver_event' at util/session.c:1421:3:
+ /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
+ 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+cross compiler details:
+
+ mips64-linux-gnuabi64-gcc (Debian 9.2.1-8) 9.2.1 20190909
+
+Fixes: 2bcd355b71da ("perf tools: Add interface to arch registers sets")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-95wjyv4o65nuaeweq31t7l1s@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/perf/util/perf_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/perf_regs.h
++++ b/tools/perf/util/perf_regs.h
+@@ -16,7 +16,7 @@ int perf_reg_value(u64 *valp, struct reg
+
+ static inline const char *perf_reg_name(int id __maybe_unused)
+ {
+- return NULL;
++ return "unknown";
+ }
+
+ static inline int perf_reg_value(u64 *valp __maybe_unused,
diff --git a/queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup.patch b/queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup.patch
new file mode 100644
index 00000000..8c3891d9
--- /dev/null
+++ b/queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup.patch
@@ -0,0 +1,50 @@
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:08 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup
+ controller init
+
+commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream.
+
+In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a
+break to find a matching child node. Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it. This leads to leak of device node.
+
+Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pinctrl/pinctrl-s3c24xx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-s3c24xx.c
++++ b/drivers/pinctrl/pinctrl-s3c24xx.c
+@@ -497,8 +497,10 @@ static int s3c24xx_eint_init(struct sams
+ return -ENODEV;
+
+ eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL);
+- if (!eint_data)
++ if (!eint_data) {
++ of_node_put(eint_np);
+ return -ENOMEM;
++ }
+
+ eint_data->drvdata = d;
+
+@@ -510,6 +512,7 @@ static int s3c24xx_eint_init(struct sams
+ irq = irq_of_parse_and_map(eint_np, i);
+ if (!irq) {
+ dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
++ of_node_put(eint_np);
+ return -ENXIO;
+ }
+
+@@ -517,6 +520,7 @@ static int s3c24xx_eint_init(struct sams
+ irq_set_chained_handler(irq, handlers[i]);
+ irq_set_handler_data(irq, eint_data);
+ }
++ of_node_put(eint_np);
+
+ bank = d->ctrl->pin_banks;
+ for (i = 0; i < d->ctrl->nr_banks; ++i, ++bank) {
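Review bot: The reference on `eint_np` is now dropped at three separate places in s3c24xx_eint_init (both error returns and after the IRQ loop), with nothing stating that the node must not be touched afterwards. A comment at the final put would record the rule, e.g. `/* eint_np is only needed for the IRQ mapping above; any new early return before this point must also put it */`. The same pattern and the same comment apply to `eint0_np` in the s3c64xx_eint_eint0_init patch that follows. Both functions start and end outside the hunks, so whether the node is used after the loop cannot be confirmed from here.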
diff --git a/queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup.patch b/queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup.patch
new file mode 100644
index 00000000..863603ef
--- /dev/null
+++ b/queue-3.16/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup.patch
@@ -0,0 +1,42 @@
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:09 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup
+ controller init
+
+commit 7f028caadf6c37580d0f59c6c094ed09afc04062 upstream.
+
+In s3c64xx_eint_eint0_init() the for_each_child_of_node() loop is used
+with a break to find a matching child node. Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it. This leads to leak of device node.
+
+Fixes: 61dd72613177 ("pinctrl: Add pinctrl-s3c64xx driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/pinctrl/pinctrl-s3c64xx.c
++++ b/drivers/pinctrl/pinctrl-s3c64xx.c
+@@ -718,6 +718,7 @@ static int s3c64xx_eint_eint0_init(struc
+ data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL);
+ if (!data) {
+ dev_err(dev, "could not allocate memory for wkup eint data\n");
++ of_node_put(eint0_np);
+ return -ENOMEM;
+ }
+ data->drvdata = d;
+@@ -728,12 +729,14 @@ static int s3c64xx_eint_eint0_init(struc
+ irq = irq_of_parse_and_map(eint0_np, i);
+ if (!irq) {
+ dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
++ of_node_put(eint0_np);
+ return -ENXIO;
+ }
+
+ irq_set_chained_handler(irq, s3c64xx_eint0_handlers[i]);
+ irq_set_handler_data(irq, data);
+ }
++ of_node_put(eint0_np);
+
+ bank = d->ctrl->pin_banks;
+ for (i = 0; i < d->ctrl->nr_banks; ++i, ++bank) {
diff --git a/queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-passing-0-as-input.patch b/queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-passing-0-as-input.patch
new file mode 100644
index 00000000..502513ec
--- /dev/null
+++ b/queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-passing-0-as-input.patch
@@ -0,0 +1,60 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Nov 2019 19:56:41 +0100
+Subject: platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input
+ size
+
+commit f3e4f3fc8ee9729c4b1b27a478c68b713df53c0c upstream.
+
+The AML code implementing the WMI methods creates a variable length
+field to hold the input data we pass like this:
+
+ CreateDWordField (Arg1, 0x0C, DSZI)
+ Local5 = DSZI /* \HWMC.DSZI */
+ CreateField (Arg1, 0x80, (Local5 * 0x08), DAIN)
+
+If we pass 0 as bios_args.datasize argument then (Local5 * 0x08)
+is 0 which results in these errors:
+
+[ 71.973305] ACPI BIOS Error (bug): Attempt to CreateField of length zero (20190816/dsopcode-133)
+[ 71.973332] ACPI Error: Aborting method \HWMC due to previous error (AE_AML_OPERAND_VALUE) (20190816/psparse-529)
+[ 71.973413] ACPI Error: Aborting method \_SB.WMID.WMAA due to previous error (AE_AML_OPERAND_VALUE) (20190816/psparse-529)
+
+And in our HPWMI_WIRELESS2_QUERY calls always failing. for read commands
+like HPWMI_WIRELESS2_QUERY the DSZI value is not used / checked, except for
+read commands where extra input is needed to specify exactly what to read.
+
+So for HPWMI_WIRELESS2_QUERY we can safely pass the size of the expected
+output as insize to hp_wmi_perform_query(), as we are already doing for all
+other HPWMI_READ commands we send. Doing so fixes these errors.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197007
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201981
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/platform/x86/hp-wmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -400,7 +400,7 @@ static int hp_wmi_rfkill2_refresh(void)
+ struct bios_rfkill2_state state;
+
+ err = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, 0, &state,
+- 0, sizeof(state));
++ sizeof(state), sizeof(state));
+ if (err)
+ return err;
+
+@@ -825,7 +825,7 @@ static int __init hp_wmi_rfkill2_setup(s
+ int err, i;
+ struct bios_rfkill2_state state;
+ err = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, 0, &state,
+- 0, sizeof(state));
++ sizeof(state), sizeof(state));
+ if (err)
+ return err;
+
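Review bot: In both hp_wmi_rfkill2_refresh() and hp_wmi_rfkill2_setup(), `state` is declared without an initializer and is now passed with an input size of `sizeof(state)`. hp_wmi_perform_query() does `memcpy(&args.data, buffer, insize)`, so whatever was on the kernel stack is copied into the buffer handed to the firmware method. Zero-initialising it, `struct bios_rfkill2_state state = { 0 };`, keeps the input deterministic and avoids exposing stale stack contents. This change also relies on the companion patch that widens `bios_args.data` to 128 bytes: with the old `u32 data`, the `WARN_ON(insize > sizeof(args.data))` check would presumably reject the call if the state struct is larger than four bytes, so the two must be applied in that order.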
diff --git a/queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-too-small-buffer.patch b/queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-too-small-buffer.patch
new file mode 100644
index 00000000..547c2f93
--- /dev/null
+++ b/queue-3.16/platform-x86-hp-wmi-fix-acpi-errors-caused-by-too-small-buffer.patch
@@ -0,0 +1,65 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Nov 2019 19:56:40 +0100
+Subject: platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
+
+commit 16245db1489cd9aa579506f64afeeeb13d825a93 upstream.
+
+The HP WMI calls may take up to 128 bytes of data as input, and
+the AML methods implementing the WMI calls, declare a couple of fields for
+accessing input in different sizes, specifycally the HWMC method contains:
+
+ CreateField (Arg1, 0x80, 0x0400, D128)
+
+Even though we do not use any of the WMI command-types which need a buffer
+of this size, the APCI interpreter still tries to create it as it is
+declared in generoc code at the top of the HWMC method which runs before
+the code looks at which command-type is requested.
+
+This results in many of these errors on many different HP laptop models:
+
+[ 14.459261] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20170303/dsopcode-236)
+[ 14.459268] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8edcc61507f8), AE_AML_BUFFER_LIMIT (20170303/psparse-543)
+[ 14.459279] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8edcc61523c0), AE_AML_BUFFER_LIMIT (20170303/psparse-543)
+
+This commit increases the size of the data element of the bios_args struct
+to 128 bytes fixing these errors.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197007
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201981
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/platform/x86/hp-wmi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -90,7 +90,7 @@ struct bios_args {
+ u32 command;
+ u32 commandtype;
+ u32 datasize;
+- u32 data;
++ u8 data[128];
+ };
+
+ struct bios_return {
+@@ -199,7 +199,7 @@ static int hp_wmi_perform_query(int quer
+ .command = write ? 0x2 : 0x1,
+ .commandtype = query,
+ .datasize = insize,
+- .data = 0,
++ .data = { 0 },
+ };
+ struct acpi_buffer input = { sizeof(struct bios_args), &args };
+ struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
+@@ -207,7 +207,7 @@ static int hp_wmi_perform_query(int quer
+
+ if (WARN_ON(insize > sizeof(args.data)))
+ return -EINVAL;
+- memcpy(&args.data, buffer, insize);
++ memcpy(&args.data[0], buffer, insize);
+
+ wmi_evaluate_method(HPWMI_BIOS_GUID, 0, 0x3, &input, &output);
+
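Review bot: The new `u8 data[128]` member in struct bios_args carries a size that is dictated by the firmware, but nothing in the code says so. A comment on the field would stop a later cleanup from shrinking it again, for example `u8 data[128];	/* AML declares a 0x400-bit (128-byte) input field, D128 */`. Since `input` is built from `sizeof(struct bios_args)`, every call now passes the full 128 bytes whatever `insize` is, and the `{ 0 }` initializer is what keeps the unused tail zeroed, which deserves a short mention in the same comment.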
diff --git a/queue-3.16/pm-devfreq-lock-devfreq-in-trans_stat_show.patch b/queue-3.16/pm-devfreq-lock-devfreq-in-trans_stat_show.patch
new file mode 100644
index 00000000..3b9b7615
--- /dev/null
+++ b/queue-3.16/pm-devfreq-lock-devfreq-in-trans_stat_show.patch
@@ -0,0 +1,46 @@
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Tue, 24 Sep 2019 10:52:23 +0300
+Subject: PM / devfreq: Lock devfreq in trans_stat_show
+
+commit 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 upstream.
+
+There is no locking in this sysfs show function so stats printing can
+race with a devfreq_update_status called as part of freq switching or
+with initialization.
+
+Also add an assert in devfreq_update_status to make it clear that lock
+must be held by caller.
+
+Fixes: 39688ce6facd ("PM / devfreq: account suspend/resume for stats")
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -95,6 +95,7 @@ static int devfreq_update_status(struct
+ int lev, prev_lev, ret = 0;
+ unsigned long cur_time;
+
++ lockdep_assert_held(&devfreq->lock);
+ cur_time = jiffies;
+
+ prev_lev = devfreq_get_freq_level(devfreq, devfreq->previous_freq);
+@@ -1054,9 +1055,13 @@ static ssize_t trans_stat_show(struct de
+ int i, j;
+ unsigned int max_state = devfreq->profile->max_state;
+
++ mutex_lock(&devfreq->lock);
+ if (!devfreq->stop_polling &&
+- devfreq_update_status(devfreq, devfreq->previous_freq))
++ devfreq_update_status(devfreq, devfreq->previous_freq)) {
++ mutex_unlock(&devfreq->lock);
+ return 0;
++ }
++ mutex_unlock(&devfreq->lock);
+
+ len = sprintf(buf, " From : To\n");
+ len += sprintf(buf + len, " :");
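Review bot: In trans_stat_show() the second `mutex_unlock(&devfreq->lock)` releases the lock before the table is printed, so the `sprintf()` calls after it still appear to read the statistics while devfreq_update_status() can change them. Holding the mutex until formatting is finished, with one unlock on the way out, would cover the reads as well as the update. The rest of the function is outside the hunk, so confirm this against the full body. Separately, the `sprintf(buf + len, ...)` calls are not bounded by the sysfs page size; `scnprintf(buf + len, PAGE_SIZE - len, ...)` would keep a large transition table from writing past the buffer.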
diff --git a/queue-3.16/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges.patch b/queue-3.16/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges.patch
new file mode 100644
index 00000000..4f6408f8
--- /dev/null
+++ b/queue-3.16/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges.patch
@@ -0,0 +1,42 @@
+From: Alastair D'Silva <alastair@d-silva.org>
+Date: Mon, 4 Nov 2019 13:32:54 +1100
+Subject: powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges
+ >4GB
+
+commit f9ec11165301982585e5e5f606739b5bae5331f3 upstream.
+
+When calling __kernel_sync_dicache with a size >4GB, we were masking
+off the upper 32 bits, so we would incorrectly flush a range smaller
+than intended.
+
+This patch replaces the 32 bit shifts with 64 bit ones, so that
+the full size is accounted for.
+
+Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191104023305.9581-3-alastair@au1.ibm.com
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/kernel/vdso64/cacheflush.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/vdso64/cacheflush.S
++++ b/arch/powerpc/kernel/vdso64/cacheflush.S
+@@ -39,7 +39,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
+ subf r8,r6,r4 /* compute length */
+ add r8,r8,r5 /* ensure we get enough */
+ lwz r9,CFG_DCACHE_LOGBLOCKSZ(r10)
+- srw. r8,r8,r9 /* compute line count */
++ srd. r8,r8,r9 /* compute line count */
+ crclr cr0*4+so
+ beqlr /* nothing to do? */
+ mtctr r8
+@@ -56,7 +56,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
+ subf r8,r6,r4 /* compute length */
+ add r8,r8,r5
+ lwz r9,CFG_ICACHE_LOGBLOCKSZ(r10)
+- srw. r8,r8,r9 /* compute line count */
++ srd. r8,r8,r9 /* compute line count */
+ crclr cr0*4+so
+ beqlr /* nothing to do? */
+ mtctr r8
diff --git a/queue-3.16/powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch b/queue-3.16/powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch
new file mode 100644
index 00000000..bbf0c6b4
--- /dev/null
+++ b/queue-3.16/powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch
@@ -0,0 +1,42 @@
+From: Alastair D'Silva <alastair@d-silva.org>
+Date: Mon, 4 Nov 2019 13:32:53 +1100
+Subject: powerpc: Allow flush_icache_range to work across ranges >4GB
+
+commit 29430fae82073d39b1b881a3cd507416a56a363f upstream.
+
+When calling flush_icache_range with a size >4GB, we were masking
+off the upper 32 bits, so we would incorrectly flush a range smaller
+than intended.
+
+This patch replaces the 32 bit shifts with 64 bit ones, so that
+the full size is accounted for.
+
+Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191104023305.9581-2-alastair@au1.ibm.com
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/kernel/misc_64.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/misc_64.S
++++ b/arch/powerpc/kernel/misc_64.S
+@@ -84,7 +84,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_I
+ subf r8,r6,r4 /* compute length */
+ add r8,r8,r5 /* ensure we get enough */
+ lwz r9,DCACHEL1LOGLINESIZE(r10) /* Get log-2 of cache line size */
+- srw. r8,r8,r9 /* compute line count */
++ srd. r8,r8,r9 /* compute line count */
+ beqlr /* nothing to do? */
+ mtctr r8
+ 1: dcbst 0,r6
+@@ -100,7 +100,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_I
+ subf r8,r6,r4 /* compute length */
+ add r8,r8,r5
+ lwz r9,ICACHEL1LOGLINESIZE(r10) /* Get log-2 of Icache line size */
+- srw. r8,r8,r9 /* compute line count */
++ srd. r8,r8,r9 /* compute line count */
+ beqlr /* nothing to do? */
+ mtctr r8
+ 2: icbi 0,r6
diff --git a/queue-3.16/powerpc-fix-vdso-clock_getres.patch b/queue-3.16/powerpc-fix-vdso-clock_getres.patch
new file mode 100644
index 00000000..c42e6d30
--- /dev/null
+++ b/queue-3.16/powerpc-fix-vdso-clock_getres.patch
@@ -0,0 +1,124 @@
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Date: Mon, 2 Dec 2019 07:57:29 +0000
+Subject: powerpc: Fix vDSO clock_getres()
+
+commit 552263456215ada7ee8700ce022d12b0cffe4802 upstream.
+
+clock_getres in the vDSO library has to preserve the same behaviour
+of posix_get_hrtimer_res().
+
+In particular, posix_get_hrtimer_res() does:
+ sec = 0;
+ ns = hrtimer_resolution;
+and hrtimer_resolution depends on the enablement of the high
+resolution timers that can happen either at compile or at run time.
+
+Fix the powerpc vdso implementation of clock_getres keeping a copy of
+hrtimer_resolution in vdso data and using that directly.
+
+Fixes: a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to 32 bits kernel")
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+[chleroy: changed CLOCK_REALTIME_RES to CLOCK_HRTIMER_RES]
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/a55eca3a5e85233838c2349783bcb5164dae1d09.1575273217.git.christophe.leroy@c-s.fr
+[bwh: Backported to 3.16:
+ - In asm-offsets.c, use DEFINE() instead of OFFSET()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/include/asm/vdso_datapage.h | 2 ++
+ arch/powerpc/kernel/asm-offsets.c | 2 +-
+ arch/powerpc/kernel/time.c | 1 +
+ arch/powerpc/kernel/vdso32/gettimeofday.S | 7 +++++--
+ arch/powerpc/kernel/vdso64/gettimeofday.S | 7 +++++--
+ 5 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/asm/vdso_datapage.h
++++ b/arch/powerpc/include/asm/vdso_datapage.h
+@@ -86,6 +86,7 @@ struct vdso_data {
+ __s32 wtom_clock_nsec; /* Wall to monotonic clock nsec */
+ __s64 wtom_clock_sec; /* Wall to monotonic clock sec */
+ struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */
++ __u32 hrtimer_res; /* hrtimer resolution */
+ __u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls */
+ __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
+ };
+@@ -107,6 +108,7 @@ struct vdso_data {
+ __s32 wtom_clock_nsec;
+ struct timespec stamp_xtime; /* xtime as at tb_orig_stamp */
+ __u32 stamp_sec_fraction; /* fractional seconds of stamp_xtime */
++ __u32 hrtimer_res; /* hrtimer resolution */
+ __u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
+ __u32 dcache_block_size; /* L1 d-cache block size */
+ __u32 icache_block_size; /* L1 i-cache block size */
+--- a/arch/powerpc/kernel/asm-offsets.c
++++ b/arch/powerpc/kernel/asm-offsets.c
+@@ -397,6 +397,7 @@ int main(void)
+ DEFINE(WTOM_CLOCK_NSEC, offsetof(struct vdso_data, wtom_clock_nsec));
+ DEFINE(STAMP_XTIME, offsetof(struct vdso_data, stamp_xtime));
+ DEFINE(STAMP_SEC_FRAC, offsetof(struct vdso_data, stamp_sec_fraction));
++ DEFINE(CLOCK_HRTIMER_RES, offsetof(struct vdso_data, hrtimer_res));
+ DEFINE(CFG_ICACHE_BLOCKSZ, offsetof(struct vdso_data, icache_block_size));
+ DEFINE(CFG_DCACHE_BLOCKSZ, offsetof(struct vdso_data, dcache_block_size));
+ DEFINE(CFG_ICACHE_LOGBLOCKSZ, offsetof(struct vdso_data, icache_log_block_size));
+@@ -425,7 +426,6 @@ int main(void)
+ DEFINE(CLOCK_REALTIME, CLOCK_REALTIME);
+ DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC);
+ DEFINE(NSEC_PER_SEC, NSEC_PER_SEC);
+- DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
+
+ #ifdef CONFIG_BUG
+ DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry));
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -781,6 +781,7 @@ void update_vsyscall_old(struct timespec
+ vdso_data->wtom_clock_nsec = wtm->tv_nsec;
+ vdso_data->stamp_xtime = *wall_time;
+ vdso_data->stamp_sec_fraction = frac_sec;
++ vdso_data->hrtimer_res = hrtimer_resolution;
+ smp_wmb();
+ ++(vdso_data->tb_update_count);
+ }
+--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
+@@ -159,12 +159,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
+ cror cr0*4+eq,cr0*4+eq,cr1*4+eq
+ bne cr0,99f
+
++ mflr r12
++ .cfi_register lr,r12
++ bl __get_datapage@local /* get data page */
++ lwz r5, CLOCK_HRTIMER_RES(r3)
++ mtlr r12
+ li r3,0
+ cmpli cr0,r4,0
+ crclr cr0*4+so
+ beqlr
+- lis r5,CLOCK_REALTIME_RES@h
+- ori r5,r5,CLOCK_REALTIME_RES@l
+ stw r3,TSPC32_TV_SEC(r4)
+ stw r5,TSPC32_TV_NSEC(r4)
+ blr
+--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
++++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
+@@ -144,12 +144,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
+ cror cr0*4+eq,cr0*4+eq,cr1*4+eq
+ bne cr0,99f
+
++ mflr r12
++ .cfi_register lr,r12
++ bl V_LOCAL_FUNC(__get_datapage)
++ lwz r5, CLOCK_HRTIMER_RES(r3)
++ mtlr r12
+ li r3,0
+ cmpldi cr0,r4,0
+ crclr cr0*4+so
+ beqlr
+- lis r5,CLOCK_REALTIME_RES@h
+- ori r5,r5,CLOCK_REALTIME_RES@l
+ std r3,TSPC64_TV_SEC(r4)
+ std r5,TSPC64_TV_NSEC(r4)
+ blr
diff --git a/queue-3.16/quota-check-that-quota-is-not-dirty-before-release.patch b/queue-3.16/quota-check-that-quota-is-not-dirty-before-release.patch
new file mode 100644
index 00000000..c0d970cb
--- /dev/null
+++ b/queue-3.16/quota-check-that-quota-is-not-dirty-before-release.patch
@@ -0,0 +1,80 @@
+From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Date: Thu, 31 Oct 2019 10:39:20 +0000
+Subject: quota: Check that quota is not dirty before release
+
+commit df4bb5d128e2c44848aeb36b7ceceba3ac85080d upstream.
+
+There is a race window where quota was redirted once we drop dq_list_lock inside dqput(),
+but before we grab dquot->dq_lock inside dquot_release()
+
+TASK1 TASK2 (chowner)
+->dqput()
+ we_slept:
+ spin_lock(&dq_list_lock)
+ if (dquot_dirty(dquot)) {
+ spin_unlock(&dq_list_lock);
+ dquot->dq_sb->dq_op->write_dquot(dquot);
+ goto we_slept
+ if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
+ spin_unlock(&dq_list_lock);
+ dquot->dq_sb->dq_op->release_dquot(dquot);
+ dqget()
+ mark_dquot_dirty()
+ dqput()
+ goto we_slept;
+ }
+So dquot dirty quota will be released by TASK1, but on next we_sleept loop
+we detect this and call ->write_dquot() for it.
+XFSTEST: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107
+
+Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org
+Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ocfs2/quota_global.c | 2 +-
+ fs/quota/dquot.c | 2 +-
+ include/linux/quotaops.h | 10 ++++++++++
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/quota_global.c
++++ b/fs/ocfs2/quota_global.c
+@@ -714,7 +714,7 @@ static int ocfs2_release_dquot(struct dq
+
+ mutex_lock(&dquot->dq_lock);
+ /* Check whether we are not racing with some other dqget() */
+- if (atomic_read(&dquot->dq_count) > 1)
++ if (dquot_is_busy(dquot))
+ goto out;
+ /* Running from downconvert thread? Postpone quota processing to wq */
+ if (current == osb->dc_task) {
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -475,7 +475,7 @@ int dquot_release(struct dquot *dquot)
+
+ mutex_lock(&dquot->dq_lock);
+ /* Check whether we are not racing with some other dqget() */
+- if (atomic_read(&dquot->dq_count) > 1)
++ if (dquot_is_busy(dquot))
+ goto out_dqlock;
+ mutex_lock(&dqopt->dqio_mutex);
+ if (dqopt->ops[dquot->dq_id.type]->release_dqblk) {
+--- a/include/linux/quotaops.h
++++ b/include/linux/quotaops.h
+@@ -54,6 +54,16 @@ static inline struct dquot *dqgrab(struc
+ atomic_inc(&dquot->dq_count);
+ return dquot;
+ }
++
++static inline bool dquot_is_busy(struct dquot *dquot)
++{
++ if (test_bit(DQ_MOD_B, &dquot->dq_flags))
++ return true;
++ if (atomic_read(&dquot->dq_count) > 1)
++ return true;
++ return false;
++}
++
+ void dqput(struct dquot *dquot);
+ int dquot_scan_active(struct super_block *sb,
+ int (*fn)(struct dquot *dquot, unsigned long priv),
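Review bot: dquot_is_busy() is added to a public header without a comment on what "busy" means or on the locking it expects. Both converted callers invoke it immediately after `mutex_lock(&dquot->dq_lock)`, and the result is only meaningful there, so the helper should say so, for example `/* Called with dquot->dq_lock held: true if the dquot was re-dirtied (DQ_MOD_B) or is referenced by someone else. */`. As a matter of style the body can be one expression, `return test_bit(DQ_MOD_B, &dquot->dq_flags) || atomic_read(&dquot->dq_count) > 1;`.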
diff --git a/queue-3.16/quota-fix-livelock-in-dquot_writeback_dquots.patch b/queue-3.16/quota-fix-livelock-in-dquot_writeback_dquots.patch
new file mode 100644
index 00000000..4725d68f
--- /dev/null
+++ b/queue-3.16/quota-fix-livelock-in-dquot_writeback_dquots.patch
@@ -0,0 +1,44 @@
+From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Date: Thu, 31 Oct 2019 10:39:19 +0000
+Subject: quota: fix livelock in dquot_writeback_dquots
+
+commit 6ff33d99fc5c96797103b48b7b0902c296f09c05 upstream.
+
+Write only quotas which are dirty at entry.
+
+XFSTEST: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc
+
+Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/quota/dquot.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -607,7 +607,7 @@ EXPORT_SYMBOL(dquot_scan_active);
+ /* Write all dquot structures to quota files */
+ int dquot_writeback_dquots(struct super_block *sb, int type)
+ {
+- struct list_head *dirty;
++ struct list_head dirty;
+ struct dquot *dquot;
+ struct quota_info *dqopt = sb_dqopt(sb);
+ int cnt;
+@@ -620,9 +620,10 @@ int dquot_writeback_dquots(struct super_
+ if (!sb_has_quota_active(sb, cnt))
+ continue;
+ spin_lock(&dq_list_lock);
+- dirty = &dqopt->info[cnt].dqi_dirty_list;
+- while (!list_empty(dirty)) {
+- dquot = list_first_entry(dirty, struct dquot,
++ /* Move list away to avoid livelock. */
++ list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty);
++ while (!list_empty(&dirty)) {
++ dquot = list_first_entry(&dirty, struct dquot,
+ dq_dirty);
+ /* Dirty and inactive can be only bad dquot... */
+ if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
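Review bot: `dirty` is now a list head on the stack of dquot_writeback_dquots(), so every dquot must be unlinked from it before the function returns, or its `dq_dirty` links would point into a dead stack frame. The loop body continues outside the hunk, so confirm that each path, including a failing `write_dquot`, removes the entry or clears its dirty state. Otherwise `while (!list_empty(&dirty))` may not terminate. The new comment could also state the resulting behaviour, for example `/* Detach the current dirty list: only dquots dirty at entry are written, later ones wait for the next call. */`.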
diff --git a/queue-3.16/rdma-srpt-report-the-scsi-residual-to-the-initiator.patch b/queue-3.16/rdma-srpt-report-the-scsi-residual-to-the-initiator.patch
new file mode 100644
index 00000000..feba960a
--- /dev/null
+++ b/queue-3.16/rdma-srpt-report-the-scsi-residual-to-the-initiator.patch
@@ -0,0 +1,66 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 5 Nov 2019 13:46:32 -0800
+Subject: RDMA/srpt: Report the SCSI residual to the initiator
+
+commit e88982ad1bb12db699de96fbc07096359ef6176c upstream.
+
+The code added by this patch is similar to the code that already exists in
+ibmvscsis_determine_resid(). This patch has been tested by running the
+following command:
+
+strace sg_raw -r 1k /dev/sdb 12 00 00 00 60 00 -o inquiry.bin |&
+ grep resid=
+
+Link: https://lore.kernel.org/r/20191105214632.183302-1-bvanassche@acm.org
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Honggang Li <honli@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1519,9 +1519,11 @@ static int srpt_build_cmd_rsp(struct srp
+ struct srpt_send_ioctx *ioctx, u64 tag,
+ int status)
+ {
++ struct se_cmd *cmd = &ioctx->cmd;
+ struct srp_rsp *srp_rsp;
+ const u8 *sense_data;
+ int sense_data_len, max_sense_len;
++ u32 resid = cmd->residual_count;
+
+ /*
+ * The lowest bit of all SAM-3 status codes is zero (see also
+@@ -1543,6 +1545,28 @@ static int srpt_build_cmd_rsp(struct srp
+ srp_rsp->tag = tag;
+ srp_rsp->status = status;
+
++ if (cmd->se_cmd_flags & SCF_UNDERFLOW_BIT) {
++ if (cmd->data_direction == DMA_TO_DEVICE) {
++ /* residual data from an underflow write */
++ srp_rsp->flags = SRP_RSP_FLAG_DOUNDER;
++ srp_rsp->data_out_res_cnt = cpu_to_be32(resid);
++ } else if (cmd->data_direction == DMA_FROM_DEVICE) {
++ /* residual data from an underflow read */
++ srp_rsp->flags = SRP_RSP_FLAG_DIUNDER;
++ srp_rsp->data_in_res_cnt = cpu_to_be32(resid);
++ }
++ } else if (cmd->se_cmd_flags & SCF_OVERFLOW_BIT) {
++ if (cmd->data_direction == DMA_TO_DEVICE) {
++ /* residual data from an overflow write */
++ srp_rsp->flags = SRP_RSP_FLAG_DOOVER;
++ srp_rsp->data_out_res_cnt = cpu_to_be32(resid);
++ } else if (cmd->data_direction == DMA_FROM_DEVICE) {
++ /* residual data from an overflow read */
++ srp_rsp->flags = SRP_RSP_FLAG_DIOVER;
++ srp_rsp->data_in_res_cnt = cpu_to_be32(resid);
++ }
++ }
++
+ if (sense_data_len) {
+ BUILD_BUG_ON(MIN_MAX_RSP_SIZE <= sizeof(*srp_rsp));
+ max_sense_len = ch->max_ti_iu_len - sizeof(*srp_rsp);
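Review bot: The new residual block in srpt_build_cmd_rsp() handles only `DMA_TO_DEVICE` and `DMA_FROM_DEVICE`, so any other `data_direction` with an underflow or overflow bit set leaves both the flag and the residual count unset without explanation. If that is intended, a comment at the end of each chain would make it explicit, for example `/* other directions: no residual reported */`. The four branches differ only in the flag and the field written, so they could be reduced by selecting the flag first and then storing `cpu_to_be32(resid)` once per direction. The flags are set with `=` rather than `|=`, which is only safe if nothing earlier in the function sets `srp_rsp->flags`; that code is outside the hunk.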
diff --git a/queue-3.16/regulator-ab8500-remove-ab8505-usb-regulator.patch b/queue-3.16/regulator-ab8500-remove-ab8505-usb-regulator.patch
new file mode 100644
index 00000000..b938cb20
--- /dev/null
+++ b/queue-3.16/regulator-ab8500-remove-ab8505-usb-regulator.patch
@@ -0,0 +1,71 @@
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Wed, 6 Nov 2019 18:31:24 +0100
+Subject: regulator: ab8500: Remove AB8505 USB regulator
+
+commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream.
+
+The USB regulator was removed for AB8500 in
+commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator").
+It was then added for AB8505 in
+commit 547f384f33db ("regulator: ab8500: add support for ab8505").
+
+However, there was never an entry added for it in
+ab8505_regulator_match. This causes all regulators after it
+to be initialized with the wrong device tree data, eventually
+leading to an out-of-bounds array read.
+
+Given that it is not used anywhere in the kernel, it seems
+likely that similar arguments against supporting it exist for
+AB8505 (it is controlled by hardware).
+
+Therefore, simply remove it like for AB8500 instead of adding
+an entry in ab8505_regulator_match.
+
+Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/ab8500.c | 17 -----------------
+ include/linux/regulator/ab8500.h | 1 -
+ 2 files changed, 18 deletions(-)
+
+--- a/drivers/regulator/ab8500.c
++++ b/drivers/regulator/ab8500.c
+@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info
+ .update_val_idle = 0x82,
+ .update_val_normal = 0x02,
+ },
+- [AB8505_LDO_USB] = {
+- .desc = {
+- .name = "LDO-USB",
+- .ops = &ab8500_regulator_mode_ops,
+- .type = REGULATOR_VOLTAGE,
+- .id = AB8505_LDO_USB,
+- .owner = THIS_MODULE,
+- .n_voltages = 1,
+- .volt_table = fixed_3300000_voltage,
+- },
+- .update_bank = 0x03,
+- .update_reg = 0x82,
+- .update_mask = 0x03,
+- .update_val = 0x01,
+- .update_val_idle = 0x03,
+- .update_val_normal = 0x01,
+- },
+ [AB8505_LDO_AUDIO] = {
+ .desc = {
+ .name = "LDO-AUDIO",
+--- a/include/linux/regulator/ab8500.h
++++ b/include/linux/regulator/ab8500.h
+@@ -38,7 +38,6 @@ enum ab8505_regulator_id {
+ AB8505_LDO_AUX6,
+ AB8505_LDO_INTCORE,
+ AB8505_LDO_ADC,
+- AB8505_LDO_USB,
+ AB8505_LDO_AUDIO,
+ AB8505_LDO_ANAMIC1,
+ AB8505_LDO_ANAMIC2,
diff --git a/queue-3.16/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch b/queue-3.16/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch
new file mode 100644
index 00000000..0c528d6b
--- /dev/null
+++ b/queue-3.16/regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch
@@ -0,0 +1,35 @@
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Wed, 6 Nov 2019 18:31:25 +0100
+Subject: regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
+
+commit 458ea3ad033fc86e291712ce50cbe60c3428cf30 upstream.
+
+Those regulators are not actually supported by the AB8500 regulator
+driver. There is no ab8500_regulator_info for them and no entry in
+ab8505_regulator_match.
+
+As such, they cannot be registered successfully, and looking them
+up in ab8505_regulator_match causes an out-of-bounds array read.
+
+Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20191106173125.14496-2-stephan@gerhold.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/regulator/ab8500.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/include/linux/regulator/ab8500.h
++++ b/include/linux/regulator/ab8500.h
+@@ -43,8 +43,6 @@ enum ab8505_regulator_id {
+ AB8505_LDO_ANAMIC2,
+ AB8505_LDO_AUX8,
+ AB8505_LDO_ANA,
+- AB8505_SYSCLKREQ_2,
+- AB8505_SYSCLKREQ_4,
+ AB8505_NUM_REGULATORS,
+ };
+
diff --git a/queue-3.16/rtc-msm6242-fix-reading-of-10-hour-digit.patch b/queue-3.16/rtc-msm6242-fix-reading-of-10-hour-digit.patch
new file mode 100644
index 00000000..2f9e253b
--- /dev/null
+++ b/queue-3.16/rtc-msm6242-fix-reading-of-10-hour-digit.patch
@@ -0,0 +1,36 @@
+From: Kars de Jong <jongk@linux-m68k.org>
+Date: Sat, 16 Nov 2019 12:05:48 +0100
+Subject: rtc: msm6242: Fix reading of 10-hour digit
+
+commit e34494c8df0cd96fc432efae121db3212c46ae48 upstream.
+
+The driver was reading the wrong register as the 10-hour digit due to
+a misplaced ')'. It was in fact reading the 1-second digit register due
+to this bug.
+
+Also remove the use of a magic number for the hour mask and use the define
+for it which was already present.
+
+Fixes: 4f9b9bba1dd1 ("rtc: Add an RTC driver for the Oki MSM6242")
+Tested-by: Kars de Jong <jongk@linux-m68k.org>
+Signed-off-by: Kars de Jong <jongk@linux-m68k.org>
+Link: https://lore.kernel.org/r/20191116110548.8562-1-jongk@linux-m68k.org
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/rtc/rtc-msm6242.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-msm6242.c
++++ b/drivers/rtc/rtc-msm6242.c
+@@ -130,7 +130,8 @@ static int msm6242_read_time(struct devi
+ msm6242_read(priv, MSM6242_SECOND1);
+ tm->tm_min = msm6242_read(priv, MSM6242_MINUTE10) * 10 +
+ msm6242_read(priv, MSM6242_MINUTE1);
+- tm->tm_hour = (msm6242_read(priv, MSM6242_HOUR10 & 3)) * 10 +
++ tm->tm_hour = (msm6242_read(priv, MSM6242_HOUR10) &
++ MSM6242_HOUR10_HR_MASK) * 10 +
+ msm6242_read(priv, MSM6242_HOUR1);
+ tm->tm_mday = msm6242_read(priv, MSM6242_DAY10) * 10 +
+ msm6242_read(priv, MSM6242_DAY1);
diff --git a/queue-3.16/scsi-bnx2i-fix-potential-use-after-free.patch b/queue-3.16/scsi-bnx2i-fix-potential-use-after-free.patch
new file mode 100644
index 00000000..c2ac4dec
--- /dev/null
+++ b/queue-3.16/scsi-bnx2i-fix-potential-use-after-free.patch
@@ -0,0 +1,35 @@
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 6 Nov 2019 20:32:21 +0800
+Subject: scsi: bnx2i: fix potential use after free
+
+commit 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 upstream.
+
+The member hba->pcidev may be used after its reference is dropped. Move the
+put function to where it is never used to avoid potential use after free
+issues.
+
+Fixes: a77171806515 ("[SCSI] bnx2i: Removed the reference to the netdev->base_addr")
+Link: https://lore.kernel.org/r/1573043541-19126-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c
++++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c
+@@ -913,12 +913,12 @@ void bnx2i_free_hba(struct bnx2i_hba *hb
+ INIT_LIST_HEAD(&hba->ep_ofld_list);
+ INIT_LIST_HEAD(&hba->ep_active_list);
+ INIT_LIST_HEAD(&hba->ep_destroy_list);
+- pci_dev_put(hba->pcidev);
+
+ if (hba->regview) {
+ pci_iounmap(hba->pcidev, hba->regview);
+ hba->regview = NULL;
+ }
++ pci_dev_put(hba->pcidev);
+ bnx2i_free_mp_bdt(hba);
+ bnx2i_release_free_cid_que(hba);
+ iscsi_host_free(shost);
diff --git a/queue-3.16/scsi-core-scsi_trace-use-get_unaligned_be.patch b/queue-3.16/scsi-core-scsi_trace-use-get_unaligned_be.patch
new file mode 100644
index 00000000..4bfff4f3
--- /dev/null
+++ b/queue-3.16/scsi-core-scsi_trace-use-get_unaligned_be.patch
@@ -0,0 +1,208 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 1 Nov 2019 14:14:47 -0700
+Subject: scsi: core: scsi_trace: Use get_unaligned_be*()
+
+commit b1335f5b0486f61fb66b123b40f8e7a98e49605d upstream.
+
+This patch fixes an unintended sign extension on left shifts. From Colin
+King: "Shifting a u8 left will cause the value to be promoted to an
+integer. If the top bit of the u8 is set then the following conversion to
+an u64 will sign extend the value causing the upper 32 bits to be set in
+the result."
+
+Fix this by using get_unaligned_be*() instead.
+
+Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Link: https://lore.kernel.org/r/20191101211447.187151-1-bvanassche@acm.org
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/scsi_trace.c | 114 ++++++++++++--------------------------
+ 1 file changed, 34 insertions(+), 80 deletions(-)
+
+--- a/drivers/scsi/scsi_trace.c
++++ b/drivers/scsi/scsi_trace.c
+@@ -17,10 +17,11 @@
+ */
+ #include <linux/kernel.h>
+ #include <linux/trace_seq.h>
++#include <asm/unaligned.h>
+ #include <trace/events/scsi.h>
+
+ #define SERVICE_ACTION16(cdb) (cdb[1] & 0x1f)
+-#define SERVICE_ACTION32(cdb) ((cdb[8] << 8) | cdb[9])
++#define SERVICE_ACTION32(cdb) (get_unaligned_be16(&cdb[8]))
+
+ static const char *
+ scsi_trace_misc(struct trace_seq *, unsigned char *, int);
+@@ -47,17 +48,12 @@ static const char *
+ scsi_trace_rw10(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len;
+- sector_t lba = 0, txlen = 0;
++ u32 lba, txlen;
+
+- lba |= (cdb[2] << 24);
+- lba |= (cdb[3] << 16);
+- lba |= (cdb[4] << 8);
+- lba |= cdb[5];
+- txlen |= (cdb[7] << 8);
+- txlen |= cdb[8];
++ lba = get_unaligned_be32(&cdb[2]);
++ txlen = get_unaligned_be16(&cdb[7]);
+
+- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
+- (unsigned long long)lba, (unsigned long long)txlen,
++ trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen,
+ cdb[1] >> 5);
+
+ if (cdb[0] == WRITE_SAME)
+@@ -72,19 +68,12 @@ static const char *
+ scsi_trace_rw12(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len;
+- sector_t lba = 0, txlen = 0;
++ u32 lba, txlen;
+
+- lba |= (cdb[2] << 24);
+- lba |= (cdb[3] << 16);
+- lba |= (cdb[4] << 8);
+- lba |= cdb[5];
+- txlen |= (cdb[6] << 24);
+- txlen |= (cdb[7] << 16);
+- txlen |= (cdb[8] << 8);
+- txlen |= cdb[9];
++ lba = get_unaligned_be32(&cdb[2]);
++ txlen = get_unaligned_be32(&cdb[6]);
+
+- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
+- (unsigned long long)lba, (unsigned long long)txlen,
++ trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen,
+ cdb[1] >> 5);
+ trace_seq_putc(p, 0);
+
+@@ -95,23 +84,13 @@ static const char *
+ scsi_trace_rw16(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len;
+- sector_t lba = 0, txlen = 0;
++ u64 lba;
++ u32 txlen;
+
+- lba |= ((u64)cdb[2] << 56);
+- lba |= ((u64)cdb[3] << 48);
+- lba |= ((u64)cdb[4] << 40);
+- lba |= ((u64)cdb[5] << 32);
+- lba |= (cdb[6] << 24);
+- lba |= (cdb[7] << 16);
+- lba |= (cdb[8] << 8);
+- lba |= cdb[9];
+- txlen |= (cdb[10] << 24);
+- txlen |= (cdb[11] << 16);
+- txlen |= (cdb[12] << 8);
+- txlen |= cdb[13];
++ lba = get_unaligned_be64(&cdb[2]);
++ txlen = get_unaligned_be32(&cdb[10]);
+
+- trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
+- (unsigned long long)lba, (unsigned long long)txlen,
++ trace_seq_printf(p, "lba=%llu txlen=%u protect=%u", lba, txlen,
+ cdb[1] >> 5);
+
+ if (cdb[0] == WRITE_SAME_16)
+@@ -126,8 +105,8 @@ static const char *
+ scsi_trace_rw32(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len, *cmd;
+- sector_t lba = 0, txlen = 0;
+- u32 ei_lbrt = 0;
++ u64 lba;
++ u32 ei_lbrt, txlen;
+
+ switch (SERVICE_ACTION32(cdb)) {
+ case READ_32:
+@@ -147,26 +126,12 @@ scsi_trace_rw32(struct trace_seq *p, uns
+ goto out;
+ }
+
+- lba |= ((u64)cdb[12] << 56);
+- lba |= ((u64)cdb[13] << 48);
+- lba |= ((u64)cdb[14] << 40);
+- lba |= ((u64)cdb[15] << 32);
+- lba |= (cdb[16] << 24);
+- lba |= (cdb[17] << 16);
+- lba |= (cdb[18] << 8);
+- lba |= cdb[19];
+- ei_lbrt |= (cdb[20] << 24);
+- ei_lbrt |= (cdb[21] << 16);
+- ei_lbrt |= (cdb[22] << 8);
+- ei_lbrt |= cdb[23];
+- txlen |= (cdb[28] << 24);
+- txlen |= (cdb[29] << 16);
+- txlen |= (cdb[30] << 8);
+- txlen |= cdb[31];
+-
+- trace_seq_printf(p, "%s_32 lba=%llu txlen=%llu protect=%u ei_lbrt=%u",
+- cmd, (unsigned long long)lba,
+- (unsigned long long)txlen, cdb[10] >> 5, ei_lbrt);
++ lba = get_unaligned_be64(&cdb[12]);
++ ei_lbrt = get_unaligned_be32(&cdb[20]);
++ txlen = get_unaligned_be32(&cdb[28]);
++
++ trace_seq_printf(p, "%s_32 lba=%llu txlen=%u protect=%u ei_lbrt=%u",
++ cmd, lba, txlen, cdb[10] >> 5, ei_lbrt);
+
+ if (SERVICE_ACTION32(cdb) == WRITE_SAME_32)
+ trace_seq_printf(p, " unmap=%u", cdb[10] >> 3 & 1);
+@@ -181,7 +146,7 @@ static const char *
+ scsi_trace_unmap(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len;
+- unsigned int regions = cdb[7] << 8 | cdb[8];
++ unsigned int regions = get_unaligned_be16(&cdb[7]);
+
+ trace_seq_printf(p, "regions=%u", (regions - 8) / 16);
+ trace_seq_putc(p, 0);
+@@ -193,8 +158,8 @@ static const char *
+ scsi_trace_service_action_in(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len, *cmd;
+- sector_t lba = 0;
+- u32 alloc_len = 0;
++ u64 lba;
++ u32 alloc_len;
+
+ switch (SERVICE_ACTION16(cdb)) {
+ case SAI_READ_CAPACITY_16:
+@@ -208,21 +173,10 @@ scsi_trace_service_action_in(struct trac
+ goto out;
+ }
+
+- lba |= ((u64)cdb[2] << 56);
+- lba |= ((u64)cdb[3] << 48);
+- lba |= ((u64)cdb[4] << 40);
+- lba |= ((u64)cdb[5] << 32);
+- lba |= (cdb[6] << 24);
+- lba |= (cdb[7] << 16);
+- lba |= (cdb[8] << 8);
+- lba |= cdb[9];
+- alloc_len |= (cdb[10] << 24);
+- alloc_len |= (cdb[11] << 16);
+- alloc_len |= (cdb[12] << 8);
+- alloc_len |= cdb[13];
++ lba = get_unaligned_be64(&cdb[2]);
++ alloc_len = get_unaligned_be32(&cdb[10]);
+
+- trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd,
+- (unsigned long long)lba, alloc_len);
++ trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, lba, alloc_len);
+
+ out:
+ trace_seq_putc(p, 0);
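Review bot: In scsi_trace_unmap(), `regions` is now read with get_unaligned_be16(&cdb[7]), but the following `(regions - 8) / 16` is still unsigned arithmetic, so a parameter list length below 8 wraps and the trace prints a nonsensical region count. A guard such as `regions >= 8 ? (regions - 8) / 16 : 0` would keep the output meaningful for malformed or zero-length UNMAP CDBs. Separately, none of the decoders in these hunks consult `len` before indexing (scsi_trace_rw32() reads through cdb[31]). The caller, which is not visible here, presumably guarantees the length, and a one-line comment stating the minimum CDB length each decoder expects would make that explicit. The function bodies continue outside the hunks.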
diff --git a/queue-3.16/scsi-csiostor-don-t-enable-irqs-too-early.patch b/queue-3.16/scsi-csiostor-don-t-enable-irqs-too-early.patch
new file mode 100644
index 00000000..c5f86e1d
--- /dev/null
+++ b/queue-3.16/scsi-csiostor-don-t-enable-irqs-too-early.patch
@@ -0,0 +1,92 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 19 Oct 2019 11:59:13 +0300
+Subject: scsi: csiostor: Don't enable IRQs too early
+
+commit d6c9b31ac3064fbedf8961f120a4c117daa59932 upstream.
+
+These are called with IRQs disabled from csio_mgmt_tmo_handler() so we
+can't call spin_unlock_irq() or it will enable IRQs prematurely.
+
+Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
+Link: https://lore.kernel.org/r/20191019085913.GA14245@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/csiostor/csio_lnode.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -292,6 +292,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h
+ struct fc_fdmi_port_name *port_name;
+ uint8_t buf[64];
+ uint8_t *fc4_type;
++ unsigned long flags;
+
+ if (fdmi_req->wr_status != FW_SUCCESS) {
+ csio_ln_dbg(ln, "WR error:%x in processing fdmi rhba cmd\n",
+@@ -369,13 +370,13 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h
+ len = (uint32_t)(pld - (uint8_t *)cmd);
+
+ /* Submit FDMI RPA request */
+- spin_lock_irq(&hw->lock);
++ spin_lock_irqsave(&hw->lock, flags);
+ if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_done,
+ FCOE_CT, &fdmi_req->dma_buf, len)) {
+ CSIO_INC_STATS(ln, n_fdmi_err);
+ csio_ln_dbg(ln, "Failed to issue fdmi rpa req\n");
+ }
+- spin_unlock_irq(&hw->lock);
++ spin_unlock_irqrestore(&hw->lock, flags);
+ }
+
+ /*
+@@ -396,6 +397,7 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h
+ struct fc_fdmi_rpl *reg_pl;
+ struct fs_fdmi_attrs *attrib_blk;
+ uint8_t buf[64];
++ unsigned long flags;
+
+ if (fdmi_req->wr_status != FW_SUCCESS) {
+ csio_ln_dbg(ln, "WR error:%x in processing fdmi dprt cmd\n",
+@@ -476,13 +478,13 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h
+ attrib_blk->numattrs = htonl(numattrs);
+
+ /* Submit FDMI RHBA request */
+- spin_lock_irq(&hw->lock);
++ spin_lock_irqsave(&hw->lock, flags);
+ if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_rhba_cbfn,
+ FCOE_CT, &fdmi_req->dma_buf, len)) {
+ CSIO_INC_STATS(ln, n_fdmi_err);
+ csio_ln_dbg(ln, "Failed to issue fdmi rhba req\n");
+ }
+- spin_unlock_irq(&hw->lock);
++ spin_unlock_irqrestore(&hw->lock, flags);
+ }
+
+ /*
+@@ -497,6 +499,7 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *h
+ void *cmd;
+ struct fc_fdmi_port_name *port_name;
+ uint32_t len;
++ unsigned long flags;
+
+ if (fdmi_req->wr_status != FW_SUCCESS) {
+ csio_ln_dbg(ln, "WR error:%x in processing fdmi dhba cmd\n",
+@@ -527,13 +530,13 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *h
+ len += sizeof(*port_name);
+
+ /* Submit FDMI request */
+- spin_lock_irq(&hw->lock);
++ spin_lock_irqsave(&hw->lock, flags);
+ if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_dprt_cbfn,
+ FCOE_CT, &fdmi_req->dma_buf, len)) {
+ CSIO_INC_STATS(ln, n_fdmi_err);
+ csio_ln_dbg(ln, "Failed to issue fdmi dprt req\n");
+ }
+- spin_unlock_irq(&hw->lock);
++ spin_unlock_irqrestore(&hw->lock, flags);
+ }
+
+ /**
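Review bot: The reason these three callbacks (csio_ln_fdmi_rhba_cbfn, csio_ln_fdmi_dprt_cbfn, csio_ln_fdmi_dhba_cbfn) must use the irqsave variants is recorded only in the commit message, so a later cleanup could revert them to spin_lock_irq() without noticing. I would add a short comment above each submit, e.g. `/* Can run with IRQs already disabled (csio_mgmt_tmo_handler()), so save/restore the IRQ state */`. The function bodies start and end outside the hunks, so any other lock sites in them are not visible here.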
diff --git a/queue-3.16/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch b/queue-3.16/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch
new file mode 100644
index 00000000..5158bbb3
--- /dev/null
+++ b/queue-3.16/scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch
@@ -0,0 +1,27 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 22 Oct 2019 13:23:24 +0300
+Subject: scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
+
+commit 906ca6353ac09696c1bf0892513c8edffff5e0a6 upstream.
+
+This error path is missing an unlock.
+
+Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver")
+Link: https://lore.kernel.org/r/20191022102324.GA27540@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/esas2r/esas2r_flash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/esas2r/esas2r_flash.c
++++ b/drivers/scsi/esas2r/esas2r_flash.c
+@@ -1197,6 +1197,7 @@ bool esas2r_nvram_read_direct(struct esa
+ if (!esas2r_read_flash_block(a, a->nvram, FLS_OFFSET_NVR,
+ sizeof(struct esas2r_sas_nvram))) {
+ esas2r_hdebug("NVRAM read failed, using defaults");
++ up(&a->nvram_semaphore);
+ return false;
+ }
+
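Review bot: The added `up(&a->nvram_semaphore);` fixes this one early return, but releasing the semaphore by hand on each exit is the pattern that allowed the leak, and the function body extends beyond the hunk, so other returns cannot be checked from here. A single exit label would make the release unconditional: keep a `bool ok = false;`, replace the early `return false;` with `goto out;`, and end with `out: up(&a->nvram_semaphore); return ok;`. A leaked semaphore here would presumably block every later NVRAM access for the adapter, so it is worth making the unlock structurally hard to miss.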
diff --git a/queue-3.16/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointer.patch b/queue-3.16/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointer.patch
new file mode 100644
index 00000000..75d548c8
--- /dev/null
+++ b/queue-3.16/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointer.patch
@@ -0,0 +1,59 @@
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 11 Nov 2019 15:03:57 -0800
+Subject: scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer
+ dereferences
+
+commit 6c6d59e0fe5b86cf273d6d744a6a9768c4ecc756 upstream.
+
+Coverity reported the following:
+
+*** CID 101747: Null pointer dereferences (FORWARD_NULL)
+/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
+4433 kfree(mp);
+4434 }
+4435 mempool_free(mbox, phba->mbox_mem_pool);
+4436 }
+4437 out:
+4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
+vvv CID 101747: Null pointer dereferences (FORWARD_NULL)
+vvv Dereferencing null pointer "shost".
+4439 spin_lock_irq(shost->host_lock);
+4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
+4441 spin_unlock_irq(shost->host_lock);
+4442
+4443 /* If the node is not being used by another discovery thread,
+4444 * and we are sending a reject, we are done with it.
+
+Fix by adding a check for non-null shost in line 4438.
+The scenario when shost is set to null is when ndlp is null.
+As such, the ndlp check present was sufficient. But better safe
+than sorry so add the shost check.
+
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
+Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")
+
+CC: James Bottomley <James.Bottomley@SteelEye.com>
+CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+CC: linux-next@vger.kernel.org
+Link: https://lore.kernel.org/r/20191111230401.12958-3-jsmart2021@gmail.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -3861,7 +3861,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba,
+ mempool_free(mbox, phba->mbox_mem_pool);
+ }
+ out:
+- if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
++ if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) {
+ spin_lock_irq(shost->host_lock);
+ ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
+ spin_unlock_irq(shost->host_lock);
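Review bot: The new `&& shost` test in the `out:` path of lpfc_cmpl_els_rsp() has no comment, and per the commit message it can never be false when ndlp is non-NULL, so a reader of the code alone cannot tell whether it guards a real state or only appeases static analysis. I would add `/* shost is NULL only when ndlp is NULL; checked explicitly to satisfy static analysis */` above the condition. If the invariant were ever broken, the branch would now be skipped silently, leaving NLP_ACC_REGLOGIN and NLP_RM_DFLT_RPI set, so a WARN_ON_ONCE for that case may be preferable to a silent skip. The block continues outside the hunk.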
diff --git a/queue-3.16/scsi-qla4xxx-fix-double-free-bug.patch b/queue-3.16/scsi-qla4xxx-fix-double-free-bug.patch
new file mode 100644
index 00000000..d168f036
--- /dev/null
+++ b/queue-3.16/scsi-qla4xxx-fix-double-free-bug.patch
@@ -0,0 +1,32 @@
+From: Pan Bian <bianpan2016@163.com>
+Date: Tue, 5 Nov 2019 17:25:27 +0800
+Subject: scsi: qla4xxx: fix double free bug
+
+commit 3fe3d2428b62822b7b030577cd612790bdd8c941 upstream.
+
+The variable init_fw_cb is released twice, resulting in a double free
+bug. The call to the function dma_free_coherent() before goto is removed to
+get rid of potential double free.
+
+Fixes: 2a49a78ed3c8 ("[SCSI] qla4xxx: added IPv6 support.")
+Link: https://lore.kernel.org/r/1572945927-27796-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/qla4xxx/ql4_mbx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/scsi/qla4xxx/ql4_mbx.c
++++ b/drivers/scsi/qla4xxx/ql4_mbx.c
+@@ -641,9 +641,6 @@ int qla4xxx_initialize_fw_cb(struct scsi
+
+ if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0], init_fw_cb_dma) !=
+ QLA_SUCCESS) {
+- dma_free_coherent(&ha->pdev->dev,
+- sizeof(struct addr_ctrl_blk),
+- init_fw_cb, init_fw_cb_dma);
+ goto exit_init_fw_cb;
+ }
+
diff --git a/queue-3.16/scsi-tracing-fix-handling-of-transfer-length-0-for-read-6-and.patch b/queue-3.16/scsi-tracing-fix-handling-of-transfer-length-0-for-read-6-and.patch
new file mode 100644
index 00000000..c40dc79d
--- /dev/null
+++ b/queue-3.16/scsi-tracing-fix-handling-of-transfer-length-0-for-read-6-and.patch
@@ -0,0 +1,48 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 5 Nov 2019 13:55:53 -0800
+Subject: scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and
+ WRITE(6)
+
+commit f6b8540f40201bff91062dd64db8e29e4ddaaa9d upstream.
+
+According to SBC-2 a TRANSFER LENGTH field of zero means that 256 logical
+blocks must be transferred. Make the SCSI tracing code follow SBC-2.
+
+Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Link: https://lore.kernel.org/r/20191105215553.185018-1-bvanassche@acm.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/scsi_trace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_trace.c
++++ b/drivers/scsi/scsi_trace.c
+@@ -30,15 +30,18 @@ static const char *
+ scsi_trace_rw6(struct trace_seq *p, unsigned char *cdb, int len)
+ {
+ const char *ret = p->buffer + p->len;
+- sector_t lba = 0, txlen = 0;
++ u32 lba = 0, txlen;
+
+ lba |= ((cdb[1] & 0x1F) << 16);
+ lba |= (cdb[2] << 8);
+ lba |= cdb[3];
+- txlen = cdb[4];
++ /*
++ * From SBC-2: a TRANSFER LENGTH field set to zero specifies that 256
++ * logical blocks shall be read (READ(6)) or written (WRITE(6)).
++ */
++ txlen = cdb[4] ? cdb[4] : 256;
+
+- trace_seq_printf(p, "lba=%llu txlen=%llu",
+- (unsigned long long)lba, (unsigned long long)txlen);
++ trace_seq_printf(p, "lba=%u txlen=%u", lba, txlen);
+ trace_seq_putc(p, 0);
+
+ return ret;
diff --git a/queue-3.16/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch b/queue-3.16/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch
new file mode 100644
index 00000000..d50de82a
--- /dev/null
+++ b/queue-3.16/scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch
@@ -0,0 +1,42 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Fri, 25 Oct 2019 18:12:53 +0200
+Subject: scsi: zfcp: trace channel log even for FCP command responses
+
+commit 100843f176109af94600e500da0428e21030ca7f upstream.
+
+While v2.6.26 commit b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug
+trace") is right that we don't want to flood the (payload) trace ring
+buffer, we don't trace successful FCP command responses by default. So we
+can include the channel log for problem determination with failed responses
+of any FSF request type.
+
+Fixes: b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug trace")
+Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
+Link: https://lore.kernel.org/r/e37597b5c4ae123aaa85fd86c23a9f71e994e4a9.1572018132.git.bblock@linux.ibm.com
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[bwh: Backported to 3.16: Deleted condition is slightly different]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/s390/scsi/zfcp_dbf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_dbf.c
++++ b/drivers/s390/scsi/zfcp_dbf.c
+@@ -93,11 +93,9 @@ void zfcp_dbf_hba_fsf_res(char *tag, int
+ memcpy(rec->u.res.fsf_status_qual, &q_head->fsf_status_qual,
+ FSF_STATUS_QUALIFIER_SIZE);
+
+- if (req->fsf_command != FSF_QTCB_FCP_CMND) {
+- rec->pl_len = q_head->log_length;
+- zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
+- rec->pl_len, "fsf_res", req->req_id);
+- }
++ rec->pl_len = q_head->log_length;
++ zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
++ rec->pl_len, "fsf_res", req->req_id);
+
+ debug_event(dbf->hba, level, rec, sizeof(*rec));
+ spin_unlock_irqrestore(&dbf->hba_lock, flags);
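Review bot: With the FSF_QTCB_FCP_CMND exclusion removed, `q_head->log_start` and `q_head->log_length` are used as an offset from `q_pref` and a copy length for every response type, and nothing in the hunk checks them against the size of the QTCB. Both values come from the response header, so whether zfcp_dbf_pl_write() or an earlier step bounds them is not visible here and should be confirmed. If they are not bounded, a clamp before the call would keep a bad header from causing an out-of-bounds read into the trace area. The copy also runs before the `spin_unlock_irqrestore(&dbf->hba_lock, flags)` at the end of the hunk, so it now adds work under that lock for FCP responses as well. zfcp_dbf_hba_fsf_res() starts outside the hunk.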
diff --git a/queue-3.16/serial-ifx6x60-add-missed-pm_runtime_disable.patch b/queue-3.16/serial-ifx6x60-add-missed-pm_runtime_disable.patch
new file mode 100644
index 00000000..0e8b38cd
--- /dev/null
+++ b/queue-3.16/serial-ifx6x60-add-missed-pm_runtime_disable.patch
@@ -0,0 +1,29 @@
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Mon, 18 Nov 2019 10:48:33 +0800
+Subject: serial: ifx6x60: add missed pm_runtime_disable
+
+commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream.
+
+The driver forgets to call pm_runtime_disable in remove.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/ifx6x60.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/ifx6x60.c
++++ b/drivers/tty/serial/ifx6x60.c
+@@ -1242,6 +1242,9 @@ static int ifx_spi_spi_remove(struct spi
+ struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
+ /* stop activity */
+ tasklet_kill(&ifx_dev->io_work_tasklet);
++
++ pm_runtime_disable(&spi->dev);
++
+ /* free irq */
+ free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), (void *)ifx_dev);
+ free_irq(gpio_to_irq(ifx_dev->gpio.srdy), (void *)ifx_dev);
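Review bot: In ifx_spi_spi_remove() the tasklet is killed and runtime PM is disabled before the two free_irq() calls, so an interrupt arriving in that window can still run its handler against a device that is being torn down. If those handlers schedule io_work_tasklet (not visible in this hunk), the tasklet could be queued again after tasklet_kill(). Freeing the IRQs first, then killing the tasklet, then calling `pm_runtime_disable(&spi->dev);` would close that window. The function continues outside the hunk.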
diff --git a/queue-3.16/serial-pl011-fix-dma-flush_buffer.patch b/queue-3.16/serial-pl011-fix-dma-flush_buffer.patch
new file mode 100644
index 00000000..5c4051b6
--- /dev/null
+++ b/queue-3.16/serial-pl011-fix-dma-flush_buffer.patch
@@ -0,0 +1,69 @@
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Mon, 18 Nov 2019 10:25:47 +0100
+Subject: serial: pl011: Fix DMA ->flush_buffer()
+
+commit f6a196477184b99a31d16366a8e826558aa11f6d upstream.
+
+PL011's ->flush_buffer() implementation releases and reacquires the port
+lock. Due to a race condition here, data can end up being added to the
+circular buffer but neither being discarded nor being sent out. This
+leads to, for example, tcdrain(2) waiting indefinitely.
+
+Process A Process B
+
+uart_flush_buffer()
+ - acquire lock
+ - circ_clear
+ - pl011_flush_buffer()
+ -- release lock
+ -- dmaengine_terminate_all()
+
+ uart_write()
+ - acquire lock
+ - add chars to circ buffer
+ - start_tx()
+ -- start DMA
+ - release lock
+
+ -- acquire lock
+ -- turn off DMA
+ -- release lock
+
+ // Data in circ buffer but DMA is off
+
+According to the comment in the code, the releasing of the lock around
+dmaengine_terminate_all() is to avoid a deadlock with the DMA engine
+callback. However, since the time this code was written, the DMA engine
+API documentation seems to have been clarified to say that
+dmaengine_terminate_all() (in the identically implemented but
+differently named dmaengine_terminate_async() variant) does not wait for
+any running complete callback to be completed and can even be called
+from a complete callback. So there is no possibility of deadlock if the
+DMA engine driver implements this API correctly.
+
+So we should be able to just remove this release and reacquire of the
+lock to prevent the aforementioned race condition.
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/amba-pl011.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -683,10 +683,8 @@ __acquires(&uap->port.lock)
+ if (!uap->using_tx_dma)
+ return;
+
+- /* Avoid deadlock with the DMA engine callback */
+- spin_unlock(&uap->port.lock);
+- dmaengine_terminate_all(uap->dmatx.chan);
+- spin_lock(&uap->port.lock);
++ dmaengine_terminate_async(uap->dmatx.chan);
++
+ if (uap->dmatx.queued) {
+ dma_unmap_sg(uap->dmatx.chan->device->dev, &uap->dmatx.sg, 1,
+ DMA_TO_DEVICE);
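Review bot: This queue targets 3.16, and I believe dmaengine_terminate_async() was added to the dmaengine API in a later kernel series, so the new call may not build there unless a dependency is also queued. The commit message describes the two as identically implemented, so keeping `dmaengine_terminate_all(uap->dmatx.chan);` while still dropping the unlock/lock pair would give the same fix. Also, the hunk header shows the function still carries `__acquires(&uap->port.lock)`; now that the lock is no longer dropped and retaken, that annotation (and its `__releases` counterpart, if present) looks stale. The function starts outside the hunk.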
diff --git a/queue-3.16/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch b/queue-3.16/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
new file mode 100644
index 00000000..6a8f1f8c
--- /dev/null
+++ b/queue-3.16/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
@@ -0,0 +1,122 @@
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Wed, 20 Nov 2019 23:18:53 +0800
+Subject: serial: serial_core: Perform NULL checks for break_ctl ops
+
+commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream.
+
+Doing fuzz test on sbsa uart device, causes a kernel crash
+due to NULL pointer dereference:
+
+------------[ cut here ]------------
+Unable to handle kernel paging request at virtual address fffffffffffffffc
+pgd = ffffffe331723000
+[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000
+Internal error: Oops: 96000005 [#1] PREEMPT SMP
+Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O)
+Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O)
+hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O)
+mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O)
+uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4
+iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd
+usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid
+ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod
+yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand
+nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe
+cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry
+nfsv3 nfs nfs_acl lockd sunrpc grace autofs4
+CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1
+task: ffffffe32b23f110 task.stack: ffffffe32bda4000
+PC is at uart_break_ctl+0x44/0x84
+LR is at uart_break_ctl+0x34/0x84
+pc : [<ffffff8393196098>] lr : [<ffffff8393196088>] pstate: 80000005
+sp : ffffffe32bda7cc0
+x29: ffffffe32bda7cc0 x28: ffffffe32b23f110
+x27: ffffff8393402000 x26: 0000000000000000
+x25: ffffffe32b233f40 x24: ffffffc07a8ec680
+x23: 0000000000005425 x22: 00000000ffffffff
+x21: ffffffe33ed73c98 x20: 0000000000000000
+x19: ffffffe33ed94168 x18: 0000000000000004
+x17: 0000007f92ae9d30 x16: ffffff8392fa6064
+x15: 0000000000000010 x14: 0000000000000000
+x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000020 x10: 0000007ffdac1708
+x9 : 0000000000000078 x8 : 000000000000001d
+x7 : 0000000052a64887 x6 : ffffffe32bda7e08
+x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000
+x3 : ffffff83938d5018 x2 : 0000000000000080
+x1 : ffffffe32b23c040 x0 : ffffff83934428f8
+virtual start addr offset is 38ac00000
+module base offset is 2cd4cf1000
+linear region base offset is : 0
+Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000)
+Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000)
+7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054
+7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c
+7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600
+7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425
+7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003
+7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e
+7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600
+7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410
+7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978
+7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc
+7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
+7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0
+7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
+7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78
+7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c
+7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425
+7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014
+7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078
+7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000
+7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30
+7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0
+7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840
+7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000
+7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d
+7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+Call trace:
+Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0)
+7aa0: 0000000000001000 0000007fffffffff
+7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025
+7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c
+7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20
+7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000
+7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110
+7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600
+7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018
+7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887
+7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020
+7be0: 0000000000000000 0000000000000000
+[<ffffff8393196098>] uart_break_ctl+0x44/0x84
+[<ffffff8393177718>] send_break+0xa0/0x114
+[<ffffff8393179a1c>] tty_ioctl+0xc50/0xe84
+[<ffffff8392fa5a40>] do_vfs_ioctl+0xc4/0x6e8
+[<ffffff8392fa60cc>] SyS_ioctl+0x68/0x9c
+[<ffffff8392e02e78>] __sys_trace_return+0x0/0x4
+Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280)
+---[ end trace 8606094f1960c5e0 ]---
+Kernel panic - not syncing: Fatal exception
+
+Fix this problem by adding NULL checks prior to calling break_ctl ops.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/serial_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1013,7 +1013,7 @@ static int uart_break_ctl(struct tty_str
+
+ mutex_lock(&port->mutex);
+
+- if (uport->type != PORT_UNKNOWN)
++ if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)
+ uport->ops->break_ctl(uport, break_state);
+
+ mutex_unlock(&port->mutex);
diff --git a/queue-3.16/series b/queue-3.16/series
index c1eae8f1..7b8e6e40 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -6,3 +6,138 @@ net-davinci_cpdma-use-dma_addr_t-for-dma-address.patch
stmmac-fix-oversized-frame-reception.patch
net-stmmac-use-correct-dma-buffer-size-in-the-rx-descriptor.patch
net-stmmac-don-t-stop-napi-processing-when-dropping-a-packet.patch
+workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch
+ath9k_hw-fix-uninitialized-variable-data.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup.patch
+media-ov6650-fix-incorrect-use-of-jpeg-colorspace.patch
+media-ov6650-fix-stored-frame-format-not-in-sync-with-hardware.patch
+tools-power-cpupower-fix-initializer-override-in-hsw_ext_cstates.patch
+cw1200-fix-a-signedness-bug-in-cw1200_load_firmware.patch
+ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
+hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-only-if-not.patch
+drm-i810-prevent-underflow-in-ioctl.patch
+arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch
+usbvision-remove-power_on_at_open-and-timed-power-off.patch
+usbvision-video-two-use-after-frees.patch
+usbvision-fix-locking-error.patch
+usbvision-fix-locking-error-2.patch
+media-usbvision-fix-invalid-accesses-after-device-disconnect.patch
+media-usbvision-fix-races-among-open-close-and-disconnect.patch
+sunrpc-fix-crash-when-cache_head-become-valid-before-update.patch
+pci-fix-intel-acs-quirk-updcr-register-address.patch
+bluetooth-hci_core-fix-init-for-hci_user_channel.patch
+spi-atmel-fix-handling-of-cs_change-set-on-non-last-xfer.patch
+usb-gadget-u_serial-add-missing-port-entry-locking.patch
+compat_ioctl-handle-siocoutqnsd.patch
+x86-ioapic-prevent-inconsistent-state-when-moving-an-interrupt.patch
+xfs-sanity-check-flags-of-q_xquotarm-call.patch
+cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
+scsi-csiostor-don-t-enable-irqs-too-early.patch
+scsi-esas2r-unlock-on-error-in-esas2r_nvram_read_direct.patch
+scsi-zfcp-trace-channel-log-even-for-fcp-command-responses.patch
+clk-samsung-exynos5420-preserve-cpu-clocks-configuration-during.patch
+mtd-spear_smi-fix-write-burst-mode.patch
+arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch
+quota-fix-livelock-in-dquot_writeback_dquots.patch
+quota-check-that-quota-is-not-dirty-before-release.patch
+scsi-core-scsi_trace-use-get_unaligned_be.patch
+blk-mq-fix-deadlock-when-reading-cpu_list.patch
+blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
+iio-imu-adis16480-assign-bias-value-only-if-operation-succeeded.patch
+blk-mq-make-sure-that-line-break-can-be-printed.patch
+tty-serial-msm_serial-fix-flow-control.patch
+ext2-check-err-when-partial-null.patch
+media-radio-wl1273-fix-interrupt-masking-on-release.patch
+media-exynos4-is-fix-recursive-locking-in-isp_video_release.patch
+staging-rtl8192e-fix-potential-use-after-free.patch
+jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
+bnx2x-enable-multi-cos-feature.patch
+pm-devfreq-lock-devfreq-in-trans_stat_show.patch
+scsi-tracing-fix-handling-of-transfer-length-0-for-read-6-and.patch
+usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch
+perf-probe-fix-to-handle-optimized-not-inlined-functions.patch
+perf-probe-fix-to-show-lines-of-sys_-functions-correctly.patch
+perf-probe-fix-to-add-missed-brace-around-if-block.patch
+perf-probe-skip-if-the-function-address-is-0.patch
+perf-probe-fix-to-find-range-only-function-instance.patch
+perf-probe-fix-to-show-function-entry-line-as-probe-able.patch
+perf-probe-fix-wrong-address-verification.patch
+perf-probe-fix-to-probe-a-function-which-has-no-entry-pc.patch
+perf-probe-fix-to-probe-an-inline-function-which-has-no-entry-pc.patch
+perf-probe-fix-to-list-probe-event-with-correct-line-number.patch
+perf-probe-fix-to-show-inlined-function-callsite-without-entry_pc.patch
+usb-gadget-pch_udc-fix-use-after-free.patch
+usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch
+appledisplay-fix-error-handling-in-the-scheduled-work.patch
+perf-probe-skip-end-of-sequence-and-non-statement-lines.patch
+perf-probe-filter-out-instances-except-for-inlined-subroutine-and.patch
+perf-probe-fix-to-show-calling-lines-of-inlined-functions.patch
+perf-probe-skip-overlapped-location-on-searching-variables.patch
+powerpc-allow-flush_icache_range-to-work-across-ranges-4gb.patch
+powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges.patch
+regulator-ab8500-remove-ab8505-usb-regulator.patch
+regulator-ab8500-remove-sysclkreq-from-enum-ab8505_regulator_id.patch
+inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
+iio-adis16480-add-debugfs_reg_access-entry.patch
+drm-i915-userptr-try-to-acquire-the-page-lock-around.patch
+usb-serial-mos7720-fix-remote-wakeup.patch
+usb-serial-mos7840-fix-remote-wakeup.patch
+fuse-verify-attributes.patch
+fuse-verify-nlink.patch
+asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
+scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointer.patch
+tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch
+tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch
+rdma-srpt-report-the-scsi-residual-to-the-initiator.patch
+binder-handle-start-null-in-binder_update_page_range.patch
+usb-serial-ftdi_sio-add-device-ids-for-u-blox-c099-f9p.patch
+futex-prevent-robust-futex-exit-race.patch
+x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch
+usb-serial-cp201x-support-mark-10-digital-force-gauge.patch
+usb-uas-honor-flag-to-avoid-capacity16.patch
+usb-uas-heed-capacity_heuristics.patch
+usb-documentation-flags-on-usb-storage-versus-uas.patch
+btrfs-fix-negative-subv_writers-counter-and-data-space-leak-after.patch
+btrfs-check-page-mapping-when-loading-free-space-cache.patch
+serial-pl011-fix-dma-flush_buffer.patch
+serial-ifx6x60-add-missed-pm_runtime_disable.patch
+rtc-msm6242-fix-reading-of-10-hour-digit.patch
+bluetooth-delete-a-stray-unlock.patch
+ext4-work-around-deleting-a-file-with-i_nlink-0-safely.patch
+scsi-qla4xxx-fix-double-free-bug.patch
+scsi-bnx2i-fix-potential-use-after-free.patch
+iwlwifi-check-kasprintf-return-value.patch
+serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
+kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
+kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
+x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
+alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
+libtraceevent-fix-memory-leakage-in-copy_filter_type.patch
+drm-radeon-fix-bad-dma-from-interrupt_cntl2.patch
+tty-vt-keyboard-reject-invalid-keycodes.patch
+cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch
+cifs-fix-smb2-oplock-break-processing.patch
+platform-x86-hp-wmi-fix-acpi-errors-caused-by-too-small-buffer.patch
+platform-x86-hp-wmi-fix-acpi-errors-caused-by-passing-0-as-input.patch
+macvlan-schedule-bc_work-even-if-error.patch
+pci-msi-fix-incorrect-msi-x-masking-on-resume.patch
+xtensa-fix-tlb-sanity-checker.patch
+perf-regs-make-perf_reg_name-return-unknown-instead-of-null.patch
+acpi-osl-speedup-grace-period-in-acpi_os_map_cleanup.patch
+acpi-osl-only-free-map-once-in-osl.c.patch
+acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
+openvswitch-drop-unneeded-bug_on-in-ovs_flow_cmd_build_info.patch
+openvswitch-remove-another-bug_on.patch
+cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconnect-occurs.patch
+cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch
+net-bridge-deny-dev_set_mac_address-when-unregistering.patch
+drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch
+xen-blkback-avoid-unmapping-unmapped-grant-pages.patch
+powerpc-fix-vdso-clock_getres.patch
+alsa-pcm-oss-avoid-potential-buffer-overflows.patch
+tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
+tcp-syncookies-extend-validity-range.patch
+tcp-fix-rejected-syncookies-due-to-stale-timestamps.patch
+tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch
+inet-protect-against-too-small-mtu-values.patch
diff --git a/queue-3.16/spi-atmel-fix-handling-of-cs_change-set-on-non-last-xfer.patch b/queue-3.16/spi-atmel-fix-handling-of-cs_change-set-on-non-last-xfer.patch
new file mode 100644
index 00000000..207c2da6
--- /dev/null
+++ b/queue-3.16/spi-atmel-fix-handling-of-cs_change-set-on-non-last-xfer.patch
@@ -0,0 +1,60 @@
+From: Mans Rullgard <mans@mansr.com>
+Date: Fri, 18 Oct 2019 17:35:04 +0200
+Subject: spi: atmel: fix handling of cs_change set on non-last xfer
+
+commit fed8d8c7a6dc2a76d7764842853d81c770b0788e upstream.
+
+The driver does the wrong thing when cs_change is set on a non-last
+xfer in a message. When cs_change is set, the driver deactivates the
+CS and leaves it off until a later xfer again has cs_change set whereas
+it should be briefly toggling CS off and on again.
+
+This patch brings the behaviour of the driver back in line with the
+documentation and common sense. The delay of 10 us is the same as is
+used by the default spi_transfer_one_message() function in spi.c.
+[gregory: rebased on for-5.5 from spi tree]
+Fixes: 8090d6d1a415 ("spi: atmel: Refactor spi-atmel to use SPI framework queue")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Link: https://lore.kernel.org/r/20191018153504.4249-1-gregory.clement@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[bwhh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/spi/spi-atmel.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -242,7 +242,6 @@ struct atmel_spi {
+ struct atmel_spi_dma dma;
+
+ bool keep_cs;
+- bool cs_active;
+ };
+
+ /* Controller-specific per-slave state */
+@@ -1190,11 +1189,9 @@ static int atmel_spi_one_transfer(struct
+ &msg->transfers)) {
+ as->keep_cs = true;
+ } else {
+- as->cs_active = !as->cs_active;
+- if (as->cs_active)
+- cs_activate(as, msg->spi);
+- else
+- cs_deactivate(as, msg->spi);
++ cs_deactivate(as, msg->spi);
++ udelay(10);
++ cs_activate(as, msg->spi);
+ }
+ }
+
+@@ -1217,7 +1214,6 @@ static int atmel_spi_transfer_one_messag
+ atmel_spi_lock(as);
+ cs_activate(as, spi);
+
+- as->cs_active = true;
+ as->keep_cs = false;
+
+ msg->status = 0;
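Review bot: The backport tag in this queued patch reads `[bwhh: Backported to 3.16: adjust context]`, while the other patches added by this commit use `[bwh: ...]`. It looks like a typo for `[bwh: Backported to 3.16: adjust context]`, and as written a search of the queue for backporter annotations will miss it. In the code, the new `udelay(10);` between `cs_deactivate()` and `cs_activate()` has no comment. The description says the value matches the default spi_transfer_one_message(), so a short `/* same CS toggle delay as spi_transfer_one_message() */` would keep the constant from looking arbitrary. atmel_spi_one_transfer() starts and ends outside the hunk.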
diff --git a/queue-3.16/staging-rtl8192e-fix-potential-use-after-free.patch b/queue-3.16/staging-rtl8192e-fix-potential-use-after-free.patch
new file mode 100644
index 00000000..899b9c55
--- /dev/null
+++ b/queue-3.16/staging-rtl8192e-fix-potential-use-after-free.patch
@@ -0,0 +1,43 @@
+From: Pan Bian <bianpan2016@163.com>
+Date: Tue, 5 Nov 2019 22:49:11 +0800
+Subject: staging: rtl8192e: fix potential use after free
+
+commit b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9 upstream.
+
+The variable skb is released via kfree_skb() when the return value of
+_rtl92e_tx is not zero. However, after that, skb is accessed again to
+read its length, which may result in a use after free bug. This patch
+fixes the bug by moving the release operation to where skb is never
+used later.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/1572965351-6745-1-git-send-email-bianpan2016@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+@@ -1884,8 +1884,6 @@ void rtl8192_hard_data_xmit(struct sk_bu
+ memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
+ skb_push(skb, priv->rtllib->tx_headroom);
+ ret = rtl8192_tx(dev, skb);
+- if (ret != 0)
+- kfree_skb(skb);
+
+ if (queue_index != MGNT_QUEUE) {
+ priv->rtllib->stats.tx_bytes += (skb->len -
+@@ -1893,6 +1891,9 @@ void rtl8192_hard_data_xmit(struct sk_bu
+ priv->rtllib->stats.tx_packets++;
+ }
+
++ if (ret != 0)
++ kfree_skb(skb);
++
+ return;
+ }
+
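Review bot: In the rtl_core.c change, `skb->len` is still read for the tx_bytes statistic after `rtl8192_tx(dev, skb)` has been handed the buffer, and the counters are also incremented when `ret != 0`. Moving `kfree_skb()` below the accounting removes the use-after-free on the error path. If the transmit path can complete and release the skb before this function resumes (not visible here, so it needs confirming), the success path has the same shape. Sampling the length once after the `skb_push()`, e.g. `unsigned int len = skb->len;` ahead of `ret = rtl8192_tx(dev, skb);`, and using `len` in the statistics would remove the dependency on skb lifetime. rtl8192_hard_data_xmit() begins outside the hunk and the tx_bytes expression is split across the two inner hunks, so its full operand is not visible.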
diff --git a/queue-3.16/sunrpc-fix-crash-when-cache_head-become-valid-before-update.patch b/queue-3.16/sunrpc-fix-crash-when-cache_head-become-valid-before-update.patch
new file mode 100644
index 00000000..61ca33e8
--- /dev/null
+++ b/queue-3.16/sunrpc-fix-crash-when-cache_head-become-valid-before-update.patch
@@ -0,0 +1,119 @@
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Date: Tue, 1 Oct 2019 11:03:59 +0300
+Subject: sunrpc: fix crash when cache_head become valid before update
+
+commit 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 upstream.
+
+I was investigating a crash in our Virtuozzo7 kernel which happened in
+in svcauth_unix_set_client. I found out that we access m_client field
+in ip_map structure, which was received from sunrpc_cache_lookup (we
+have a bit older kernel, now the code is in sunrpc_cache_add_entry), and
+these field looks uninitialized (m_client == 0x74 don't look like a
+pointer) but in the cache_head in flags we see 0x1 which is CACHE_VALID.
+
+It looks like the problem appeared from our previous fix to sunrpc (1):
+commit 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued
+request")
+
+And we've also found a patch already fixing our patch (2):
+commit d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+
+Though the crash is eliminated, I think the core of the problem is not
+completely fixed:
+
+Neil in the patch (2) makes cache_head CACHE_NEGATIVE, before
+cache_fresh_locked which was added in (1) to fix crash. These way
+cache_is_valid won't say the cache is valid anymore and in
+svcauth_unix_set_client the function cache_check will return error
+instead of 0, and we don't count entry as initialized.
+
+But it looks like we need to remove cache_fresh_locked completely in
+sunrpc_cache_lookup:
+
+In (1) we've only wanted to make cache_fresh_unlocked->cache_dequeue so
+that cache_requests with no readers also release corresponding
+cache_head, to fix their leak. We with Vasily were not sure if
+cache_fresh_locked and cache_fresh_unlocked should be used in pair or
+not, so we've guessed to use them in pair.
+
+Now we see that we don't want the CACHE_VALID bit set here by
+cache_fresh_locked, as "valid" means "initialized" and there is no
+initialization in sunrpc_cache_add_entry. Both expiry_time and
+last_refresh are not used in cache_fresh_unlocked code-path and also not
+required for the initial fix.
+
+So to conclude cache_fresh_locked was called by mistake, and we can just
+safely remove it instead of crutching it with CACHE_NEGATIVE. It looks
+ideologically better for me. Hope I don't miss something here.
+
+Here is our crash backtrace:
+[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074
+[13108726.326365] IP: [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.326448] PGD 0
+[13108726.326468] Oops: 0002 [#1] SMP
+[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4
+[13108726.327173] dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat
+[13108726.327817] ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1]
+[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G W O ------------ 3.10.0-862.20.2.vz7.73.29 #1 73.29
+[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018
+[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000
+[13108726.328610] RIP: 0010:[<ffffffffc01f79eb>] [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.328706] RSP: 0018:ffffa0c2a74bfd80 EFLAGS: 00010246
+[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
+[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
+[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
+[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
+[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
+[13108726.329022] FS: 0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
+[13108726.329081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
+[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[13108726.338908] PKRU: 00000000
+[13108726.341047] Call Trace:
+[13108726.343074] [<ffffffff8a2c78b4>] ? groups_alloc+0x34/0x110
+[13108726.344837] [<ffffffffc01f5eb4>] svc_set_client+0x24/0x30 [sunrpc]
+[13108726.346631] [<ffffffffc01f2ac1>] svc_process_common+0x241/0x710 [sunrpc]
+[13108726.348332] [<ffffffffc01f3093>] svc_process+0x103/0x190 [sunrpc]
+[13108726.350016] [<ffffffffc07d605f>] nfsd+0xdf/0x150 [nfsd]
+[13108726.351735] [<ffffffffc07d5f80>] ? nfsd_destroy+0x80/0x80 [nfsd]
+[13108726.353459] [<ffffffff8a2bf741>] kthread+0xd1/0xe0
+[13108726.355195] [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
+[13108726.356896] [<ffffffff8a9556dd>] ret_from_fork_nospec_begin+0x7/0x21
+[13108726.358577] [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
+[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 <f0> 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
+[13108726.363769] RIP [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.365530] RSP <ffffa0c2a74bfd80>
+[13108726.367179] CR2: 0000000000000074
+
+Fixes: d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Acked-by: NeilBrown <neilb@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+[bwh: Backported to 3.16: cache_fresh_locked() had only 2 parameters here]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/sunrpc/cache.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -50,8 +50,6 @@ static void cache_init(struct cache_head
+ h->last_refresh = now;
+ }
+
+-static inline int cache_is_valid(struct cache_head *h);
+-static void cache_fresh_locked(struct cache_head *head, time_t expiry);
+ static void cache_fresh_unlocked(struct cache_head *head,
+ struct cache_detail *detail);
+
+@@ -99,9 +97,6 @@ struct cache_head *sunrpc_cache_lookup(s
+ *hp = tmp->next;
+ tmp->next = NULL;
+ detail->entries --;
+- if (cache_is_valid(tmp) == -EAGAIN)
+- set_bit(CACHE_NEGATIVE, &tmp->flags);
+- cache_fresh_locked(tmp, 0);
+ freeme = tmp;
+ break;
+ }
diff --git a/queue-3.16/tcp-fix-rejected-syncookies-due-to-stale-timestamps.patch b/queue-3.16/tcp-fix-rejected-syncookies-due-to-stale-timestamps.patch
new file mode 100644
index 00000000..e1de9607
--- /dev/null
+++ b/queue-3.16/tcp-fix-rejected-syncookies-due-to-stale-timestamps.patch
@@ -0,0 +1,105 @@
+From: Guillaume Nault <gnault@redhat.com>
+Date: Fri, 6 Dec 2019 12:38:36 +0100
+Subject: tcp: fix rejected syncookies due to stale timestamps
+
+commit 04d26e7b159a396372646a480f4caa166d1b6720 upstream.
+
+If no synflood happens for a long enough period of time, then the
+synflood timestamp isn't refreshed and jiffies can advance so much
+that time_after32() can't accurately compare them any more.
+
+Therefore, we can end up in a situation where time_after32(now,
+last_overflow + HZ) returns false, just because these two values are
+too far apart. In that case, the synflood timestamp isn't updated as
+it should be, which can trick tcp_synq_no_recent_overflow() into
+rejecting valid syncookies.
+
+For example, let's consider the following scenario on a system
+with HZ=1000:
+
+ * The synflood timestamp is 0, either because that's the timestamp
+ of the last synflood or, more commonly, because we're working with
+ a freshly created socket.
+
+ * We receive a new SYN, which triggers synflood protection. Let's say
+ that this happens when jiffies == 2147484649 (that is,
+ 'synflood timestamp' + HZ + 2^31 + 1).
+
+ * Then tcp_synq_overflow() doesn't update the synflood timestamp,
+ because time_after32(2147484649, 1000) returns false.
+ With:
+ - 2147484649: the value of jiffies, aka. 'now'.
+ - 1000: the value of 'last_overflow' + HZ.
+
+ * A bit later, we receive the ACK completing the 3WHS. But
+ cookie_v[46]_check() rejects it because tcp_synq_no_recent_overflow()
+ says that we're not under synflood. That's because
+ time_after32(2147484649, 120000) returns false.
+ With:
+ - 2147484649: the value of jiffies, aka. 'now'.
+ - 120000: the value of 'last_overflow' + TCP_SYNCOOKIE_VALID.
+
+ Of course, in reality jiffies would have increased a bit, but this
+ condition will last for the next 119 seconds, which is far enough
+ to accommodate for jiffie's growth.
+
+Fix this by updating the overflow timestamp whenever jiffies isn't
+within the [last_overflow, last_overflow + HZ] range. That shouldn't
+have any performance impact since the update still happens at most once
+per second.
+
+Now we're guaranteed to have fresh timestamps while under synflood, so
+tcp_synq_no_recent_overflow() can safely use it with time_after32() in
+such situations.
+
+Stale timestamps can still make tcp_synq_no_recent_overflow() return
+the wrong verdict when not under synflood. This will be handled in the
+next patch.
+
+For 64 bits architectures, the problem was introduced with the
+conversion of ->tw_ts_recent_stamp to 32 bits integer by commit
+cca9bab1b72c ("tcp: use monotonic timestamps for PAWS").
+The problem has always been there on 32 bits architectures.
+
+Fixes: cca9bab1b72c ("tcp: use monotonic timestamps for PAWS")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/time.h | 12 ++++++++++++
+ include/net/tcp.h | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/include/linux/time.h
++++ b/include/linux/time.h
+@@ -280,4 +280,16 @@ static __always_inline void timespec_add
+ a->tv_nsec = ns;
+ }
+
++/**
++ * time_between32 - check if a 32-bit timestamp is within a given time range
++ * @t: the time which may be within [l,h]
++ * @l: the lower bound of the range
++ * @h: the higher bound of the range
++ *
++ * time_before32(t, l, h) returns true if @l <= @t <= @h. All operands are
++ * treated as 32-bit integers.
++ *
++ * Equivalent to !(time_before32(@t, @l) || time_after32(@t, @h)).
++ */
++#define time_between32(t, l, h) ((u32)(h) - (u32)(l) >= (u32)(t) - (u32)(l))
+ #endif
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -485,7 +485,7 @@ static inline void tcp_synq_overflow(str
+ unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+ unsigned long now = jiffies;
+
+- if (time_after(now, last_overflow + HZ))
++ if (!time_between32(now, last_overflow, last_overflow + HZ))
+ tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
+ }
+
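Review bot: The kernel-doc added above `time_between32()` in include/linux/time.h names the wrong macro: its description line reads `time_before32(t, l, h) returns true if @l <= @t <= @h` and should read `time_between32(t, l, h) returns true if @l <= @t <= @h`. The same comment describes the macro as equivalent to a combination of `time_before32()` and `time_after32()`. Whether those helpers exist in the 3.16 tree is not visible from this hunk, so it is worth confirming the reference resolves there or rewording it in terms of the cast-and-subtract expression the macro actually uses. The text appears to be carried over from the upstream commit, so a wording fix would belong upstream as well.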
diff --git a/queue-3.16/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch b/queue-3.16/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
new file mode 100644
index 00000000..8b89cd42
--- /dev/null
+++ b/queue-3.16/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
@@ -0,0 +1,43 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Dec 2019 10:10:15 -0800
+Subject: tcp: md5: fix potential overestimation of TCP option space
+
+commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 upstream.
+
+Back in 2008, Adam Langley fixed the corner case of packets for flows
+having all of the following options : MD5 TS SACK
+
+Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block
+can be cooked from the remaining 8 bytes.
+
+tcp_established_options() correctly sets opts->num_sack_blocks
+to zero, but returns 36 instead of 32.
+
+This means TCP cooks packets with 4 extra bytes at the end
+of options, containing unitialized bytes.
+
+Fixes: 33ad798c924b ("tcp: options clean up")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp_output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -680,8 +680,9 @@ static unsigned int tcp_established_opti
+ min_t(unsigned int, eff_sacks,
+ (remaining - TCPOLEN_SACK_BASE_ALIGNED) /
+ TCPOLEN_SACK_PERBLOCK);
+- size += TCPOLEN_SACK_BASE_ALIGNED +
+- opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
++ if (likely(opts->num_sack_blocks))
++ size += TCPOLEN_SACK_BASE_ALIGNED +
++ opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
+ }
+
+ return size;
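Review bot: The new `if (likely(opts->num_sack_blocks))` guard in tcp_established_options() has no comment saying why the zero case matters, and the reason is security-relevant. Per the patch description, counting the SACK base length when no block fits made the returned size 4 bytes larger than the options actually written, and those bytes went onto the wire uninitialised. I would add a comment above the guard such as `/* No room for even one SACK block (e.g. MD5 + TS): do not reserve the SACK header, or the unused option bytes are sent uninitialised. */`. The function starts outside the hunk, so how `remaining` is computed before the `min_t()` is not visible here.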
diff --git a/queue-3.16/tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch b/queue-3.16/tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch
new file mode 100644
index 00000000..54d00b14
--- /dev/null
+++ b/queue-3.16/tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch
@@ -0,0 +1,49 @@
+From: Guillaume Nault <gnault@redhat.com>
+Date: Fri, 6 Dec 2019 12:38:49 +0100
+Subject: tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
+
+commit 721c8dafad26ccfa90ff659ee19755e3377b829d upstream.
+
+Syncookies borrow the ->rx_opt.ts_recent_stamp field to store the
+timestamp of the last synflood. Protect them with READ_ONCE() and
+WRITE_ONCE() since reads and writes aren't serialised.
+
+Use of .rx_opt.ts_recent_stamp for storing the synflood timestamp was
+introduced by a0f82f64e269 ("syncookies: remove last_synq_overflow from
+struct tcp_sock"). But unprotected accesses were already there when
+timestamp was stored in .last_synq_overflow.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/net/tcp.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -482,17 +482,17 @@ struct sock *cookie_v4_check(struct sock
+ */
+ static inline void tcp_synq_overflow(struct sock *sk)
+ {
+- unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
++ unsigned long last_overflow = ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp);
+ unsigned long now = jiffies;
+
+ if (!time_between32(now, last_overflow, last_overflow + HZ))
+- tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
++ ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp) = now;
+ }
+
+ /* syncookies: no recent synqueue overflow on this listening socket? */
+ static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
+ {
+- unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
++ unsigned long last_overflow = ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp);
+
+ return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
+ }
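Review bot: tcp_synq_no_recent_overflow() still ends in `return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);` after this backport, so only the load is changed and the comparison keeps the stale-timestamp weakness. The description of the queued "fix rejected syncookies due to stale timestamps" patch says this function can still return the wrong verdict when not under synflood and defers that to "the next patch". The entries this commit adds to queue-3.16/series list four tcp- patches, and none of them appears to be that follow-up. If the omission is deliberate for 3.16, a line in the backport tag saying so would help; otherwise the follow-up should be queued with this set. Separately, `ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp) = now;` leaves the read and the store as two independent accesses, so two CPUs may both store `now`; that looks harmless but deserves a short comment.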
diff --git a/queue-3.16/tcp-syncookies-extend-validity-range.patch b/queue-3.16/tcp-syncookies-extend-validity-range.patch
new file mode 100644
index 00000000..eac74a71
--- /dev/null
+++ b/queue-3.16/tcp-syncookies-extend-validity-range.patch
@@ -0,0 +1,91 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 14 May 2015 14:26:56 -0700
+Subject: tcp: syncookies: extend validity range
+
+commit 264ea103a7473f51aced838e68ed384ea2c759f5 upstream.
+
+Now we allow storing more request socks per listener, we might
+hit syncookie mode less often and hit following bug in our stack :
+
+When we send a burst of syncookies, then exit this mode,
+tcp_synq_no_recent_overflow() can return false if the ACK packets coming
+from clients are coming three seconds after the end of syncookie
+episode.
+
+This is a way too strong requirement and conflicts with rest of
+syncookie code which allows ACK to be aged up to 2 minutes.
+
+Perfectly valid ACK packets are dropped just because clients might be
+in a crowded wifi environment or on another planet.
+
+So let's fix this, and also change tcp_synq_overflow() to not
+dirty a cache line for every syncookie we send, as we are under attack.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/net/tcp.h | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -326,18 +326,6 @@ static inline bool tcp_too_many_orphans(
+
+ bool tcp_check_oom(struct sock *sk, int shift);
+
+-/* syncookies: remember time of last synqueue overflow */
+-static inline void tcp_synq_overflow(struct sock *sk)
+-{
+- tcp_sk(sk)->rx_opt.ts_recent_stamp = jiffies;
+-}
+-
+-/* syncookies: no recent synqueue overflow on this listening socket? */
+-static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
+-{
+- unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+- return time_after(jiffies, last_overflow + TCP_TIMEOUT_FALLBACK);
+-}
+
+ extern struct proto tcp_prot;
+
+@@ -485,13 +473,35 @@ struct sock *cookie_v4_check(struct sock
+ * i.e. a sent cookie is valid only at most for 2*60 seconds (or less if
+ * the counter advances immediately after a cookie is generated).
+ */
+-#define MAX_SYNCOOKIE_AGE 2
++#define MAX_SYNCOOKIE_AGE 2
++#define TCP_SYNCOOKIE_PERIOD (60 * HZ)
++#define TCP_SYNCOOKIE_VALID (MAX_SYNCOOKIE_AGE * TCP_SYNCOOKIE_PERIOD)
++
++/* syncookies: remember time of last synqueue overflow
++ * But do not dirty this field too often (once per second is enough)
++ */
++static inline void tcp_synq_overflow(struct sock *sk)
++{
++ unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
++ unsigned long now = jiffies;
++
++ if (time_after(now, last_overflow + HZ))
++ tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
++}
++
++/* syncookies: no recent synqueue overflow on this listening socket? */
++static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
++{
++ unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
++
++ return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
++}
+
+ static inline u32 tcp_cookie_time(void)
+ {
+ u64 val = get_jiffies_64();
+
+- do_div(val, 60 * HZ);
++ do_div(val, TCP_SYNCOOKIE_PERIOD);
+ return val;
+ }
+
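Review bot: The comment added above tcp_synq_overflow() does not say that the overflow time is kept in `rx_opt.ts_recent_stamp`, a field whose name suggests another purpose, nor that the read and the conditional write are not serialised. Both facts are stated only in the description of the later "Protect accesses to .ts_recent_stamp" patch in this queue, not next to the code. I would extend the comment with something like `/* Stored in rx_opt.ts_recent_stamp, borrowed for the last synflood time; accesses are lockless. */`. The first inner hunk also leaves two consecutive blank lines before `extern struct proto tcp_prot;` once the old helpers are removed.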
diff --git a/queue-3.16/tools-power-cpupower-fix-initializer-override-in-hsw_ext_cstates.patch b/queue-3.16/tools-power-cpupower-fix-initializer-override-in-hsw_ext_cstates.patch
new file mode 100644
index 00000000..a471d5a6
--- /dev/null
+++ b/queue-3.16/tools-power-cpupower-fix-initializer-override-in-hsw_ext_cstates.patch
@@ -0,0 +1,55 @@
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 27 Sep 2019 09:26:42 -0700
+Subject: tools/power/cpupower: Fix initializer override in hsw_ext_cstates
+
+commit 7e5705c635ecfccde559ebbbe1eaf05b5cc60529 upstream.
+
+When building cpupower with clang, the following warning appears:
+
+ utils/idle_monitor/hsw_ext_idle.c:42:16: warning: initializer overrides
+ prior initialization of this subobject [-Winitializer-overrides]
+ .desc = N_("Processor Package C2"),
+ ^~~~~~~~~~~~~~~~~~~~~~
+ ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
+ #define N_(String) gettext_noop(String)
+ ^~~~~~
+ ./utils/helpers/helpers.h:23:30: note: expanded from macro
+ 'gettext_noop'
+ #define gettext_noop(String) String
+ ^~~~~~
+ utils/idle_monitor/hsw_ext_idle.c:41:16: note: previous initialization
+ is here
+ .desc = N_("Processor Package C9"),
+ ^~~~~~~~~~~~~~~~~~~~~~
+ ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
+ #define N_(String) gettext_noop(String)
+ ^~~~~~
+ ./utils/helpers/helpers.h:23:30: note: expanded from macro
+ 'gettext_noop'
+ #define gettext_noop(String) String
+ ^~~~~~
+ 1 warning generated.
+
+This appears to be a copy and paste or merge mistake because the name
+and id fields both have PC9 in them, not PC2. Remove the second
+assignment to fix the warning.
+
+Fixes: 7ee767b69b68 ("cpupower: Add Haswell family 0x45 specific idle monitor to show PC8,9,10 states")
+Link: https://github.com/ClangBuiltLinux/linux/issues/718
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
++++ b/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
+@@ -40,7 +40,6 @@ static cstate_t hsw_ext_cstates[HSW_EXT_
+ {
+ .name = "PC9",
+ .desc = N_("Processor Package C9"),
+- .desc = N_("Processor Package C2"),
+ .id = PC9,
+ .range = RANGE_PACKAGE,
+ .get_count_percent = hsw_ext_get_count_percent,
diff --git a/queue-3.16/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch b/queue-3.16/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch
new file mode 100644
index 00000000..fe465c94
--- /dev/null
+++ b/queue-3.16/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch
@@ -0,0 +1,30 @@
+From: Peng Fan <peng.fan@nxp.com>
+Date: Thu, 7 Nov 2019 06:42:53 +0000
+Subject: tty: serial: imx: use the sg count from dma_map_sg
+
+commit 596fd8dffb745afcebc0ec6968e17fe29f02044c upstream.
+
+The dmaengine_prep_slave_sg needs to use sg count returned
+by dma_map_sg, not use sport->dma_tx_nents, because the return
+value of dma_map_sg is not always same with "nents".
+
+Fixes: b4cdc8f61beb ("serial: imx: add DMA support for imx6q")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1573108875-26530-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -541,7 +541,7 @@ static void imx_dma_tx(struct imx_port *
+ dev_err(dev, "DMA mapping error for TX.\n");
+ return;
+ }
+- desc = dmaengine_prep_slave_sg(chan, sgl, sport->dma_tx_nents,
++ desc = dmaengine_prep_slave_sg(chan, sgl, ret,
+ DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
+ if (!desc) {
+ dev_err(dev, "We cannot prepare for the TX slave dma!\n");
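Review bot: In imx_dma_tx() the mapped-entry count is now passed to `dmaengine_prep_slave_sg()` in a variable called `ret`, and nothing at the call says how it differs from `sport->dma_tx_nents`. A comment above the call, `/* use the count returned by dma_map_sg(); dma_tx_nents is still what dma_unmap_sg() needs */`, would keep a later cleanup from swapping them back or from passing `ret` to the unmap. The unmap call is not in this hunk, so it should be confirmed that it already uses `dma_tx_nents`. imx_dma_tx starts and ends outside the hunk.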
diff --git a/queue-3.16/tty-serial-msm_serial-fix-flow-control.patch b/queue-3.16/tty-serial-msm_serial-fix-flow-control.patch
new file mode 100644
index 00000000..90247a50
--- /dev/null
+++ b/queue-3.16/tty-serial-msm_serial-fix-flow-control.patch
@@ -0,0 +1,65 @@
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Date: Mon, 21 Oct 2019 08:46:16 -0700
+Subject: tty: serial: msm_serial: Fix flow control
+
+commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream.
+
+hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
+Lenovo Miix 630 laptop. As part of initializing the wcn3990, hci_qca
+disables flow, configures the uart baudrate, and then reenables flow - at
+which point an event is expected to be received over the uart from the
+wcn3990. It is observed that this event comes after the baudrate change
+but before hci_qca re-enables flow. This is unexpected, and is a result of
+msm_reset() being broken.
+
+According to the uart_dm hardware documentation, it is recommended that
+automatic hardware flow control be enabled by setting RX_RDY_CTL. Auto
+hw flow control will manage RFR based on the configured watermark. When
+there is space to receive data, the hw will assert RFR. When the watermark
+is hit, the hw will de-assert RFR.
+
+The hardware documentation indicates that RFR can me manually managed via
+CR when RX_RDY_CTL is not set. SET_RFR asserts RFR, and RESET_RFR
+de-asserts RFR.
+
+msm_reset() is broken because after resetting the hardware, it
+unconditionally asserts RFR via SET_RFR. This enables flow regardless of
+the current configuration, and would undo a previous flow disable
+operation. It should instead de-assert RFR via RESET_RFR to block flow
+until the hardware is reconfigured. msm_serial should rely on the client
+to specify that flow should be enabled, either via mctrl() or the termios
+structure, and only assert RFR in response to those triggers.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Andy Gross <agross@kernel.org>
+Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/msm_serial.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -316,6 +316,7 @@ static unsigned int msm_get_mctrl(struct
+ static void msm_reset(struct uart_port *port)
+ {
+ struct msm_port *msm_port = UART_TO_MSM(port);
++ unsigned int mr;
+
+ /* reset everything */
+ msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
+@@ -323,7 +324,10 @@ static void msm_reset(struct uart_port *
+ msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
+- msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
++ msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
++ mr = msm_read(port, UART_MR1);
++ mr &= ~UART_MR1_RX_RDY_CTL;
++ msm_write(port, mr, UART_MR1);
+
+ /* Disable DM modes */
+ if (msm_port->is_uartdm)
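Review bot: The lines added to msm_reset() that issue `UART_CR_CMD_RESET_RFR` and clear `UART_MR1_RX_RDY_CTL` sit under the existing `/* reset everything */` comment, which does not tell a reader that the reset now deliberately leaves flow blocked. A comment before them, such as `/* de-assert RFR and turn off automatic RX flow control; the client re-enables flow via mctrl() or termios */`, would record the intent given in the commit message. The MR1 update is a read-modify-write, so it is worth confirming that every caller of msm_reset() serialises access to the port; the callers are not visible here. msm_reset continues past the end of the hunk.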
diff --git a/queue-3.16/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch b/queue-3.16/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch
new file mode 100644
index 00000000..b1317a80
--- /dev/null
+++ b/queue-3.16/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch
@@ -0,0 +1,62 @@
+From: Peng Fan <peng.fan@nxp.com>
+Date: Wed, 13 Nov 2019 05:37:42 +0000
+Subject: tty: serial: pch_uart: correct usage of dma_unmap_sg
+
+commit 74887542fdcc92ad06a48c0cca17cdf09fc8aa00 upstream.
+
+Per Documentation/DMA-API-HOWTO.txt,
+To unmap a scatterlist, just call:
+ dma_unmap_sg(dev, sglist, nents, direction);
+
+.. note::
+
+ The 'nents' argument to the dma_unmap_sg call must be
+ the _same_ one you passed into the dma_map_sg call,
+ it should _NOT_ be the 'count' value _returned_ from the
+ dma_map_sg call.
+
+However in the driver, priv->nent is directly assigned with value
+returned from dma_map_sg, and dma_unmap_sg use priv->nent for unmap,
+this breaks the API usage.
+
+So introduce a new entry orig_nent to remember 'nents'.
+
+Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1573623259-6339-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/serial/pch_uart.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -251,6 +251,7 @@ struct eg20t_port {
+ struct dma_chan *chan_rx;
+ struct scatterlist *sg_tx_p;
+ int nent;
++ int orig_nent;
+ struct scatterlist sg_rx;
+ int tx_dma_use;
+ void *rx_buf_virt;
+@@ -803,9 +804,10 @@ static void pch_dma_tx_complete(void *ar
+ }
+ xmit->tail &= UART_XMIT_SIZE - 1;
+ async_tx_ack(priv->desc_tx);
+- dma_unmap_sg(port->dev, sg, priv->nent, DMA_TO_DEVICE);
++ dma_unmap_sg(port->dev, sg, priv->orig_nent, DMA_TO_DEVICE);
+ priv->tx_dma_use = 0;
+ priv->nent = 0;
++ priv->orig_nent = 0;
+ kfree(priv->sg_tx_p);
+ pch_uart_hal_enable_interrupt(priv, PCH_UART_HAL_TX_INT);
+ }
+@@ -1030,6 +1032,7 @@ static unsigned int dma_handle_tx(struct
+ dev_err(priv->port.dev, "%s:dma_map_sg Failed\n", __func__);
+ return 0;
+ }
++ priv->orig_nent = num;
+ priv->nent = nent;
+
+ for (i = 0; i < nent; i++, sg++) {
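Review bot: `struct eg20t_port` now holds `nent` and `orig_nent` side by side with no comment saying which count is which, and confusing the two is exactly the bug this patch fixes. Suggest annotating the fields: `int nent; /* entries returned by dma_map_sg(), used to build the descriptor */` and `int orig_nent; /* entries passed to dma_map_sg(), the value dma_unmap_sg() must get */`. In dma_handle_tx() the new `priv->orig_nent = num;` is reached only after a successful map; any later failure path in that function would need to unmap with `num` as well, which cannot be checked from this hunk. All three definitions touched are only partly shown.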
diff --git a/queue-3.16/tty-vt-keyboard-reject-invalid-keycodes.patch b/queue-3.16/tty-vt-keyboard-reject-invalid-keycodes.patch
new file mode 100644
index 00000000..fcef3946
--- /dev/null
+++ b/queue-3.16/tty-vt-keyboard-reject-invalid-keycodes.patch
@@ -0,0 +1,48 @@
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 22 Nov 2019 12:42:20 -0800
+Subject: tty: vt: keyboard: reject invalid keycodes
+
+commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.
+
+Do not try to handle keycodes that are too big, otherwise we risk doing
+out-of-bounds writes:
+
+BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
+...
+ kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+ kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+ input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
+ input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
+ input_pass_values drivers/input/input.c:949 [inline]
+ input_set_keycode+0x290/0x320 drivers/input/input.c:954
+ evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
+ evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
+
+In this case we were dealing with a fuzzed HID device that declared over
+12K buttons, and while HID layer should not be reporting to us such big
+keycodes, we should also be defensive and reject invalid data ourselves as
+well.
+
+Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/tty/vt/keyboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -1358,7 +1358,7 @@ static void kbd_event(struct input_handl
+
+ if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
+ kbd_rawcode(value);
+- if (event_type == EV_KEY)
++ if (event_type == EV_KEY && event_code <= KEY_MAX)
+ kbd_keycode(event_code, value, HW_RAW(handle->dev));
+
+ spin_unlock(&kbd_event_lock);
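Review bot: The new `event_code <= KEY_MAX` test in kbd_event() is the only thing keeping an oversized keycode from the out-of-bounds `clear_bit` in kbd_keycode() that KASAN reported, yet it carries no comment and the event is dropped silently. A line above the condition, `/* keycodes above KEY_MAX would index past the key state tracked in kbd_keycode() */`, would stop the bound from being removed later as redundant. Because the guard lives in the caller, any other call site of kbd_keycode() would remain unprotected; none is visible here, so this is worth checking in the full file. kbd_event starts and ends outside the hunk.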
diff --git a/queue-3.16/usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch b/queue-3.16/usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch
new file mode 100644
index 00000000..5795504a
--- /dev/null
+++ b/queue-3.16/usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch
@@ -0,0 +1,100 @@
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 6 Nov 2019 14:27:10 +0800
+Subject: usb: Allow USB device to be warm reset in suspended state
+
+commit e76b3bf7654c3c94554c24ba15a3d105f4006c80 upstream.
+
+On Dell WD15 dock, sometimes USB ethernet cannot be detected after plugging
+cable to the ethernet port, the hub and roothub get runtime resumed and
+runtime suspended immediately:
+...
+[ 433.315169] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0
+[ 433.315204] usb usb4: usb auto-resume
+[ 433.315226] hub 4-0:1.0: hub_resume
+[ 433.315239] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10202e2, return 0x10343
+[ 433.315264] usb usb4-port1: status 0343 change 0001
+[ 433.315279] xhci_hcd 0000:3a:00.0: clear port1 connect change, portsc: 0x10002e2
+[ 433.315293] xhci_hcd 0000:3a:00.0: Get port status 4-2 read: 0x2a0, return 0x2a0
+[ 433.317012] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
+[ 433.422282] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343
+[ 433.422307] usb usb4-port1: do warm reset
+[ 433.422311] usb 4-1: device reset not allowed in state 8
+[ 433.422339] hub 4-0:1.0: state 7 ports 2 chg 0002 evt 0000
+[ 433.422346] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343
+[ 433.422356] usb usb4-port1: do warm reset
+[ 433.422358] usb 4-1: device reset not allowed in state 8
+[ 433.422428] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 0 status = 0xf0002e2
+[ 433.422455] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 1 status = 0xe0002a0
+[ 433.422465] hub 4-0:1.0: hub_suspend
+[ 433.422475] usb usb4: bus auto-suspend, wakeup 1
+[ 433.426161] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
+[ 433.466209] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.510204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.554051] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.598235] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.642154] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.686204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.730205] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.774203] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.818207] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.862040] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
+[ 433.862053] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
+[ 433.862077] xhci_hcd 0000:3a:00.0: xhci_suspend: stopping port polling.
+[ 433.862096] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001
+[ 433.862312] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_suspend: 0
+[ 433.862445] xhci_hcd 0000:3a:00.0: PME# enabled
+[ 433.902376] xhci_hcd 0000:3a:00.0: restoring config space at offset 0xc (was 0x0, writing 0x20)
+[ 433.902395] xhci_hcd 0000:3a:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100403)
+[ 433.902490] xhci_hcd 0000:3a:00.0: PME# disabled
+[ 433.902504] xhci_hcd 0000:3a:00.0: enabling bus mastering
+[ 433.902547] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001
+[ 433.902649] pcieport 0000:00:1b.0: PME: Spurious native interrupt!
+[ 433.902839] xhci_hcd 0000:3a:00.0: Port change event, 4-1, id 3, portsc: 0xb0202e2
+[ 433.902842] xhci_hcd 0000:3a:00.0: resume root hub
+[ 433.902845] xhci_hcd 0000:3a:00.0: handle_port_status: starting port polling.
+[ 433.902877] xhci_hcd 0000:3a:00.0: xhci_resume: starting port polling.
+[ 433.902889] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
+[ 433.902891] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0
+[ 433.902919] usb usb4: usb wakeup-resume
+[ 433.902942] usb usb4: usb auto-resume
+[ 433.902966] hub 4-0:1.0: hub_resume
+...
+
+As Mathias pointed out, the hub enters Cold Attach Status state and
+requires a warm reset. However usb_reset_device() bails out early when
+the device is in suspended state, as its callers port_event() and
+hub_event() don't always resume the device.
+
+Since there's nothing wrong to reset a suspended device, allow
+usb_reset_device() to do so to solve the issue.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20191106062710.29880-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/core/hub.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5535,7 +5535,7 @@ re_enumerate_no_bos:
+
+ /**
+ * usb_reset_device - warn interface drivers and perform a USB port reset
+- * @udev: device to reset (not in SUSPENDED or NOTATTACHED state)
++ * @udev: device to reset (not in NOTATTACHED state)
+ *
+ * Warns all drivers bound to registered interfaces (using their pre_reset
+ * method), performs the port reset, and then lets the drivers know that
+@@ -5563,8 +5563,7 @@ int usb_reset_device(struct usb_device *
+ struct usb_host_config *config = udev->actconfig;
+ struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
+
+- if (udev->state == USB_STATE_NOTATTACHED ||
+- udev->state == USB_STATE_SUSPENDED) {
++ if (udev->state == USB_STATE_NOTATTACHED) {
+ dev_dbg(&udev->dev, "device reset not allowed in state %d\n",
+ udev->state);
+ return -EINVAL;
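Review bot: The kerneldoc for usb_reset_device() documents the relaxed precondition only by omission, `@udev: device to reset (not in NOTATTACHED state)`, so a reader cannot tell that resetting a suspended device is now intended. Suggest adding a sentence to the comment body such as `The device may be in the SUSPENDED state; callers such as port_event() and hub_event() do not always resume it first.` The remainder of the function, including whether it resumes the device before the reset, is outside the hunk and should be read alongside this change.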
diff --git a/queue-3.16/usb-documentation-flags-on-usb-storage-versus-uas.patch b/queue-3.16/usb-documentation-flags-on-usb-storage-versus-uas.patch
new file mode 100644
index 00000000..4f5b7824
--- /dev/null
+++ b/queue-3.16/usb-documentation-flags-on-usb-storage-versus-uas.patch
@@ -0,0 +1,61 @@
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 12:27:58 +0100
+Subject: USB: documentation: flags on usb-storage versus UAS
+
+commit 65cc8bf99349f651a0a2cee69333525fe581f306 upstream.
+
+Document which flags work storage, UAS or both
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20191114112758.32747-4-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: Drop change relating to ALWAYS_SYNC]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ .../kernel-parameters.txt | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -3730,13 +3730,13 @@ bytes respectively. Such letter suffixes
+ Flags is a set of characters, each corresponding
+ to a common usb-storage quirk flag as follows:
+ a = SANE_SENSE (collect more than 18 bytes
+- of sense data);
++ of sense data, not on uas);
+ b = BAD_SENSE (don't collect more than 18
+- bytes of sense data);
++ bytes of sense data, not on uas);
+ c = FIX_CAPACITY (decrease the reported
+ device capacity by one sector);
+ d = NO_READ_DISC_INFO (don't use
+- READ_DISC_INFO command);
++ READ_DISC_INFO command, not on uas);
+ e = NO_READ_CAPACITY_16 (don't use
+ READ_CAPACITY_16 command);
+ f = NO_REPORT_OPCODES (don't use report opcodes
+@@ -3751,17 +3751,18 @@ bytes respectively. Such letter suffixes
+ j = NO_REPORT_LUNS (don't use report luns
+ command, uas only);
+ l = NOT_LOCKABLE (don't try to lock and
+- unlock ejectable media);
++ unlock ejectable media, not on uas);
+ m = MAX_SECTORS_64 (don't transfer more
+- than 64 sectors = 32 KB at a time);
++ than 64 sectors = 32 KB at a time,
++ not on uas);
+ n = INITIAL_READ10 (force a retry of the
+- initial READ(10) command);
++ initial READ(10) command, not on uas);
+ o = CAPACITY_OK (accept the capacity
+- reported by the device);
++ reported by the device, not on uas);
+ p = WRITE_CACHE (the device cache is ON
+- by default);
++ by default, not on uas);
+ r = IGNORE_RESIDUE (the device reports
+- bogus residue values);
++ bogus residue values, not on uas);
+ s = SINGLE_LUN (the device has only one
+ Logical Unit);
+ t = NO_ATA_1X (don't allow ATA(12) and ATA(16)
diff --git a/queue-3.16/usb-gadget-pch_udc-fix-use-after-free.patch b/queue-3.16/usb-gadget-pch_udc-fix-use-after-free.patch
new file mode 100644
index 00000000..81aec48f
--- /dev/null
+++ b/queue-3.16/usb-gadget-pch_udc-fix-use-after-free.patch
@@ -0,0 +1,32 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 6 Nov 2019 14:28:21 -0600
+Subject: usb: gadget: pch_udc: fix use after free
+
+commit 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 upstream.
+
+Remove pointer dereference after free.
+
+pci_pool_free doesn't care about contents of td.
+It's just a void* for it
+
+Addresses-Coverity-ID: 1091173 ("Use after free")
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/gadget/pch_udc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/pch_udc.c
++++ b/drivers/usb/gadget/pch_udc.c
+@@ -1533,7 +1533,6 @@ static void pch_udc_free_dma_chain(struc
+ td = phys_to_virt(addr);
+ addr2 = (dma_addr_t)td->next;
+ pci_pool_free(dev->data_requests, td, addr);
+- td->next = 0x00;
+ addr = addr2;
+ }
+ req->chain_len = 1;
diff --git a/queue-3.16/usb-gadget-u_serial-add-missing-port-entry-locking.patch b/queue-3.16/usb-gadget-u_serial-add-missing-port-entry-locking.patch
new file mode 100644
index 00000000..65204951
--- /dev/null
+++ b/queue-3.16/usb-gadget-u_serial-add-missing-port-entry-locking.patch
@@ -0,0 +1,35 @@
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Sat, 10 Aug 2019 10:42:48 +0200
+Subject: usb: gadget: u_serial: add missing port entry locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream.
+
+gserial_alloc_line() misses locking (for a release barrier) while
+resetting port entry on TTY allocation failure. Fix this.
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Tested-by: Ladislav Michl <ladis@linux-mips.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/gadget/u_serial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/u_serial.c
++++ b/drivers/usb/gadget/u_serial.c
+@@ -1140,8 +1140,10 @@ int gserial_alloc_line(unsigned char *li
+ __func__, port_num, PTR_ERR(tty_dev));
+
+ ret = PTR_ERR(tty_dev);
++ mutex_lock(&ports[port_num].lock);
+ port = ports[port_num].port;
+ ports[port_num].port = NULL;
++ mutex_unlock(&ports[port_num].lock);
+ gserial_free_port(port);
+ goto err;
+ }
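Review bot: The `mutex_lock()`/`mutex_unlock()` pair added in gserial_alloc_line()'s error path has no comment, and on a path where the port was only just created it reads as unnecessary. The commit message gives the reason (a release barrier for the cleared entry); recording it in the code, e.g. `/* take the lock so the cleared entry is visible to other users of ports[port_num] */`, would protect the pair from being removed again. The function starts and ends outside the hunk, so how `port_num` is bounded before indexing `ports[]` cannot be confirmed from here.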
diff --git a/queue-3.16/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch b/queue-3.16/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch
new file mode 100644
index 00000000..d8a08658
--- /dev/null
+++ b/queue-3.16/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch
@@ -0,0 +1,30 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 18 Nov 2019 10:21:19 +0100
+Subject: usb-serial: cp201x: support Mark-10 digital force gauge
+
+commit 347bc8cb26388791c5881a3775cb14a3f765a674 upstream.
+
+Add support for the Mark-10 digital force gauge device to the cp201x
+driver.
+
+Based on a report and a larger patch from Joel Jennings
+
+Reported-by: Joel Jennings <joel.jennings@makeitlabs.com>
+Acked-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191118092119.GA153852@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -121,6 +121,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
+ { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */
+ { USB_DEVICE(0x10C4, 0x83A8) }, /* Amber Wireless AMB2560 */
++ { USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */
+ { USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */
+ { USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */
+ { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */
diff --git a/queue-3.16/usb-serial-ftdi_sio-add-device-ids-for-u-blox-c099-f9p.patch b/queue-3.16/usb-serial-ftdi_sio-add-device-ids-for-u-blox-c099-f9p.patch
new file mode 100644
index 00000000..9c6611e1
--- /dev/null
+++ b/queue-3.16/usb-serial-ftdi_sio-add-device-ids-for-u-blox-c099-f9p.patch
@@ -0,0 +1,51 @@
+From: Fabio D'Urso <fabiodurso@hotmail.it>
+Date: Thu, 14 Nov 2019 01:30:53 +0000
+Subject: USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
+
+commit c1a1f273d0825774c80896b8deb1c9ea1d0b91e3 upstream.
+
+This device presents itself as a USB hub with three attached devices:
+ - An ACM serial port connected to the GPS module (not affected by this
+ commit)
+ - An FTDI serial port connected to the GPS module (1546:0502)
+ - Another FTDI serial port connected to the ODIN-W2 radio module
+ (1546:0503)
+
+This commit registers U-Blox's VID and the PIDs of the second and third
+devices.
+
+Datasheet: https://www.u-blox.com/sites/default/files/C099-F9P-AppBoard-Mbed-OS3-FW_UserGuide_%28UBX-18063024%29.pdf
+
+Signed-off-by: Fabio D'Urso <fabiodurso@hotmail.it>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/ftdi_sio.c | 3 +++
+ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1041,6 +1041,9 @@ static const struct usb_device_id id_tab
+ /* Sienna devices */
+ { USB_DEVICE(FTDI_VID, FTDI_SIENNA_PID) },
+ { USB_DEVICE(ECHELON_VID, ECHELON_U20_PID) },
++ /* U-Blox devices */
++ { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
++ { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1557,3 +1557,10 @@
+ */
+ #define UNJO_VID 0x22B7
+ #define UNJO_ISODEBUG_V1_PID 0x150D
++
++/*
++ * U-Blox products (http://www.u-blox.com).
++ */
++#define UBLOX_VID 0x1546
++#define UBLOX_C099F9P_ZED_PID 0x0502
++#define UBLOX_C099F9P_ODIN_PID 0x0503
diff --git a/queue-3.16/usb-serial-mos7720-fix-remote-wakeup.patch b/queue-3.16/usb-serial-mos7720-fix-remote-wakeup.patch
new file mode 100644
index 00000000..331ed384
--- /dev/null
+++ b/queue-3.16/usb-serial-mos7720-fix-remote-wakeup.patch
@@ -0,0 +1,36 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 7 Nov 2019 14:21:18 +0100
+Subject: USB: serial: mos7720: fix remote wakeup
+
+commit ea422312a462696093b5db59d294439796cba4ad upstream.
+
+The driver was setting the device remote-wakeup feature during probe in
+violation of the USB specification (which says it should only be set
+just prior to suspending the device). This could potentially waste
+power during suspend as well as lead to spurious wakeups.
+
+Note that USB core would clear the remote-wakeup feature at first
+resume.
+
+Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/mos7720.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1917,10 +1917,6 @@ static int mos7720_startup(struct usb_se
+ }
+ }
+
+- /* setting configuration feature to one */
+- usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+- (__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
+-
+ #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
+ if (product == MOSCHIP_DEVICE_ID_7715) {
+ ret_val = mos7715_parport_init(serial);
diff --git a/queue-3.16/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch b/queue-3.16/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch
new file mode 100644
index 00000000..a96b4831
--- /dev/null
+++ b/queue-3.16/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch
@@ -0,0 +1,67 @@
+From: =?UTF-8?q?Pavel=20L=C3=B6bl?= <pavel@loebl.cz>
+Date: Fri, 1 Nov 2019 08:01:50 +0100
+Subject: USB: serial: mos7840: add USB ID to support Moxa UPort 2210
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit e696d00e65e81d46e911f24b12e441037bf11b38 upstream.
+
+Add USB ID for MOXA UPort 2210. This device contains mos7820 but
+it passes GPIO0 check implemented by driver and it's detected as
+mos7840. Hence product id check is added to force mos7820 mode.
+
+Signed-off-by: Pavel Löbl <pavel@loebl.cz>
+[ johan: rename id defines and add vendor-id check ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/mos7840.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -131,11 +131,15 @@
+ /* This driver also supports
+ * ATEN UC2324 device using Moschip MCS7840
+ * ATEN UC2322 device using Moschip MCS7820
++ * MOXA UPort 2210 device using Moschip MCS7820
+ */
+ #define USB_VENDOR_ID_ATENINTL 0x0557
+ #define ATENINTL_DEVICE_ID_UC2324 0x2011
+ #define ATENINTL_DEVICE_ID_UC2322 0x7820
+
++#define USB_VENDOR_ID_MOXA 0x110a
++#define MOXA_DEVICE_ID_2210 0x2210
++
+ /* Interrupt Routine Defines */
+
+ #define SERIAL_IIR_RLS 0x06
+@@ -206,6 +210,7 @@ static const struct usb_device_id id_tab
+ {USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4)},
+ {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2324)},
+ {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2322)},
++ {USB_DEVICE(USB_VENDOR_ID_MOXA, MOXA_DEVICE_ID_2210)},
+ {} /* terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+@@ -2139,6 +2144,7 @@ static int mos7840_probe(struct usb_seri
+ const struct usb_device_id *id)
+ {
+ u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
++ u16 vid = le16_to_cpu(serial->dev->descriptor.idVendor);
+ u8 *buf;
+ int device_type;
+
+@@ -2148,6 +2154,11 @@ static int mos7840_probe(struct usb_seri
+ goto out;
+ }
+
++ if (vid == USB_VENDOR_ID_MOXA && product == MOXA_DEVICE_ID_2210) {
++ device_type = MOSCHIP_DEVICE_ID_7820;
++ goto out;
++ }
++
+ buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
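Review bot: In mos7840_probe() the new early exit forces `MOSCHIP_DEVICE_ID_7820` without saying why, and the new local is named `vid` next to the existing `product`. Suggest a comment above the test, `/* UPort 2210 carries an MCS7820 but passes the GPIO0 check below, so skip the probe */`, and renaming the variable to `vendor` for symmetry. Both values are read from the device descriptor rather than from the matched `id` argument, which is consistent with the existing `product` lookup. The `out:` label and the rest of the function are outside the hunk, so what the early `goto` skips should be confirmed there.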
diff --git a/queue-3.16/usb-serial-mos7840-fix-remote-wakeup.patch b/queue-3.16/usb-serial-mos7840-fix-remote-wakeup.patch
new file mode 100644
index 00000000..59ae0e3a
--- /dev/null
+++ b/queue-3.16/usb-serial-mos7840-fix-remote-wakeup.patch
@@ -0,0 +1,36 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 7 Nov 2019 14:21:19 +0100
+Subject: USB: serial: mos7840: fix remote wakeup
+
+commit 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 upstream.
+
+The driver was setting the device remote-wakeup feature during probe in
+violation of the USB specification (which says it should only be set
+just prior to suspending the device). This could potentially waste
+power during suspend as well as lead to spurious wakeups.
+
+Note that USB core would clear the remote-wakeup feature at first
+resume.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/mos7840.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -2414,11 +2414,6 @@ out:
+ goto error;
+ } else
+ dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status);
+-
+- /* setting configuration feature to one */
+- usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+- 0x03, 0x00, 0x01, 0x00, NULL, 0x00,
+- MOS_WDR_TIMEOUT);
+ }
+ return 0;
+ error:
diff --git a/queue-3.16/usb-uas-heed-capacity_heuristics.patch b/queue-3.16/usb-uas-heed-capacity_heuristics.patch
new file mode 100644
index 00000000..638989f8
--- /dev/null
+++ b/queue-3.16/usb-uas-heed-capacity_heuristics.patch
@@ -0,0 +1,33 @@
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 12:27:57 +0100
+Subject: USB: uas: heed CAPACITY_HEURISTICS
+
+commit 335cbbd5762d5e5c67a8ddd6e6362c2aa42a328f upstream.
+
+There is no need to ignore this flag. We should be as close
+to storage in that regard as makes sense, so honor flags whose
+cost is tiny.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20191114112758.32747-3-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/storage/uas.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -1004,6 +1004,12 @@ static int uas_slave_configure(struct sc
+ sdev->fix_capacity = 1;
+
+ /*
++ * in some cases we have to guess
++ */
++ if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
++ sdev->guess_capacity = 1;
++
++ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+ * is write-protected. Now that we tell the sd driver
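Review bot: The new comment `in some cases we have to guess` in uas_slave_configure() does not say what is being guessed or why, so the reason for setting `sdev->guess_capacity` is lost on the next reader. I would spell it out, for example `/* The reported capacity may be one block too high on some devices; let sd apply its heuristic */`, adjusted to whatever the sd driver actually does with the flag, which is not visible here. The function body starts and ends outside this hunk.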
diff --git a/queue-3.16/usb-uas-honor-flag-to-avoid-capacity16.patch b/queue-3.16/usb-uas-honor-flag-to-avoid-capacity16.patch
new file mode 100644
index 00000000..87fb688e
--- /dev/null
+++ b/queue-3.16/usb-uas-honor-flag-to-avoid-capacity16.patch
@@ -0,0 +1,29 @@
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 12:27:56 +0100
+Subject: USB: uas: honor flag to avoid CAPACITY16
+
+commit bff000cae1eec750d62e265c4ba2db9af57b17e1 upstream.
+
+Copy the support over from usb-storage to get feature parity
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20191114112758.32747-2-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/storage/uas.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -991,6 +991,10 @@ static int uas_slave_configure(struct sc
+ if (devinfo->flags & US_FL_BROKEN_FUA)
+ sdev->broken_fua = 1;
+
++ /* Some disks cannot handle READ_CAPACITY_16 */
++ if (devinfo->flags & US_FL_NO_READ_CAPACITY_16)
++ sdev->no_read_capacity_16 = 1;
++
+ /*
+ * Some disks return the total number of blocks in response
+ * to READ CAPACITY rather than the highest block number.
diff --git a/queue-3.16/usbvision-fix-locking-error-2.patch b/queue-3.16/usbvision-fix-locking-error-2.patch
new file mode 100644
index 00000000..49b71972
--- /dev/null
+++ b/queue-3.16/usbvision-fix-locking-error-2.patch
@@ -0,0 +1,33 @@
+From: Insu Yun <wuninsu@gmail.com>
+Date: Mon, 1 Feb 2016 13:59:30 -0200
+Subject: [media] usbvision: fix locking error
+
+commit 5ce625a42d6206d5a18222c6475f6b866ef68569 upstream.
+
+When remove_pending is non-zero, v4l2_lock is never unlocked.
+
+Signed-off-by: Insu Yun <wuninsu@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1175,6 +1175,7 @@ static int usbvision_radio_close(struct
+ usbvision_audio_off(usbvision);
+ usbvision->radio = 0;
+ usbvision->user--;
++ mutex_unlock(&usbvision->v4l2_lock);
+
+ if (usbvision->remove_pending) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+@@ -1182,7 +1183,6 @@ static int usbvision_radio_close(struct
+ return err_code;
+ }
+
+- mutex_unlock(&usbvision->v4l2_lock);
+ PDEBUG(DBG_IO, "success");
+ return err_code;
+ }
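Review bot: With `mutex_unlock(&usbvision->v4l2_lock)` moved above the test, `usbvision->remove_pending` in usbvision_radio_close() is now read after the lock has been dropped, and the same applies to usbvision_v4l2_close() in usbvision-fix-locking-error.patch. If the disconnect path can run in that window and call usbvision_release() itself once `user` has reached zero, the read touches freed memory and the release can happen twice. The disconnect locking is not shown in these hunks, so this needs confirming. Sampling the flag while the lock is still held closes the window: `r = usbvision->remove_pending;` before the unlock, then `if (r) {`. Both function bodies start outside their hunks.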
diff --git a/queue-3.16/usbvision-fix-locking-error.patch b/queue-3.16/usbvision-fix-locking-error.patch
new file mode 100644
index 00000000..adef3a20
--- /dev/null
+++ b/queue-3.16/usbvision-fix-locking-error.patch
@@ -0,0 +1,32 @@
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Mon, 20 Jul 2015 09:59:35 -0300
+Subject: [media] usbvision: fix locking error
+
+commit e2c84ccb0fbe5e524d15bb09c042a6ca634adaed upstream.
+
+If remove_pending is non-zero, then the v4l2_lock is never unlocked.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -420,13 +420,13 @@ static int usbvision_v4l2_close(struct f
+ usbvision_scratch_free(usbvision);
+
+ usbvision->user--;
++ mutex_unlock(&usbvision->v4l2_lock);
+
+ if (usbvision->remove_pending) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
+ return 0;
+ }
+- mutex_unlock(&usbvision->v4l2_lock);
+
+ PDEBUG(DBG_IO, "success");
+ return 0;
diff --git a/queue-3.16/usbvision-remove-power_on_at_open-and-timed-power-off.patch b/queue-3.16/usbvision-remove-power_on_at_open-and-timed-power-off.patch
new file mode 100644
index 00000000..c4adc821
--- /dev/null
+++ b/queue-3.16/usbvision-remove-power_on_at_open-and-timed-power-off.patch
@@ -0,0 +1,282 @@
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Mon, 20 Jul 2015 09:59:28 -0300
+Subject: [media] usbvision: remove power_on_at_open and timed power off
+
+commit 62e259493d779b0e2c1a675ab733136511310821 upstream.
+
+This causes lots of problems and is *very* slow as well.
+
+One of the main problems is that this prohibits the use of the control
+framework since subdevs will be unloaded on power off which is not allowed
+as long as they are used by a usb device.
+
+Apparently the reason for doing this is to turn off a noisy tuner. My hardware
+has no problem with that, and I wonder whether the hardware with that noisy
+tuner wasn't just functioning improperly as I have never heard of noisy tuners.
+
+Contact me if you have one of those devices and I can take a look whether the
+tuner can't be powered off if necessary by letting the tuner subdevice go
+into standby mode. Unloading the tuner module is just evil and is not the
+right approach.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+[bwh: Backported to 3.16 as dependency of locking fixes. Our version of
+ usbvision_init_power_off_timer() was slightly different.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/media/usb/usbvision/usbvision-core.c
++++ b/drivers/media/usb/usbvision/usbvision-core.c
+@@ -2167,56 +2167,6 @@ int usbvision_power_on(struct usb_usbvis
+
+
+ /*
+- * usbvision timer stuff
+- */
+-
+-/* to call usbvision_power_off from task queue */
+-static void call_usbvision_power_off(struct work_struct *work)
+-{
+- struct usb_usbvision *usbvision = container_of(work, struct usb_usbvision, power_off_work);
+-
+- PDEBUG(DBG_FUNC, "");
+- if (mutex_lock_interruptible(&usbvision->v4l2_lock))
+- return;
+-
+- if (usbvision->user == 0) {
+- usbvision_i2c_unregister(usbvision);
+-
+- usbvision_power_off(usbvision);
+- usbvision->initialized = 0;
+- }
+- mutex_unlock(&usbvision->v4l2_lock);
+-}
+-
+-static void usbvision_power_off_timer(unsigned long data)
+-{
+- struct usb_usbvision *usbvision = (void *)data;
+-
+- PDEBUG(DBG_FUNC, "");
+- del_timer(&usbvision->power_off_timer);
+- INIT_WORK(&usbvision->power_off_work, call_usbvision_power_off);
+- (void) schedule_work(&usbvision->power_off_work);
+-}
+-
+-void usbvision_init_power_off_timer(struct usb_usbvision *usbvision)
+-{
+- init_timer(&usbvision->power_off_timer);
+- usbvision->power_off_timer.data = (long)usbvision;
+- usbvision->power_off_timer.function = usbvision_power_off_timer;
+-}
+-
+-void usbvision_set_power_off_timer(struct usb_usbvision *usbvision)
+-{
+- mod_timer(&usbvision->power_off_timer, jiffies + USBVISION_POWEROFF_TIME);
+-}
+-
+-void usbvision_reset_power_off_timer(struct usb_usbvision *usbvision)
+-{
+- if (timer_pending(&usbvision->power_off_timer))
+- del_timer(&usbvision->power_off_timer);
+-}
+-
+-/*
+ * usbvision_begin_streaming()
+ * Sure you have to put bit 7 to 0, if not incoming frames are droped, but no
+ * idea about the rest
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -122,8 +122,6 @@ static void usbvision_release(struct usb
+ static int isoc_mode = ISOC_MODE_COMPRESS;
+ /* Set the default Debug Mode of the device driver */
+ static int video_debug;
+-/* Set the default device to power on at startup */
+-static int power_on_at_open = 1;
+ /* Sequential Number of Video Device */
+ static int video_nr = -1;
+ /* Sequential Number of Radio Device */
+@@ -134,13 +132,11 @@ static int radio_nr = -1;
+ /* Showing parameters under SYSFS */
+ module_param(isoc_mode, int, 0444);
+ module_param(video_debug, int, 0444);
+-module_param(power_on_at_open, int, 0444);
+ module_param(video_nr, int, 0444);
+ module_param(radio_nr, int, 0444);
+
+ MODULE_PARM_DESC(isoc_mode, " Set the default format for ISOC endpoint. Default: 0x60 (Compression On)");
+ MODULE_PARM_DESC(video_debug, " Set the default Debug Mode of the device driver. Default: 0 (Off)");
+-MODULE_PARM_DESC(power_on_at_open, " Set the default device to power on when device is opened. Default: 1 (On)");
+ MODULE_PARM_DESC(video_nr, "Set video device number (/dev/videoX). Default: -1 (autodetect)");
+ MODULE_PARM_DESC(radio_nr, "Set radio device number (/dev/radioX). Default: -1 (autodetect)");
+
+@@ -351,11 +347,10 @@ static int usbvision_v4l2_open(struct fi
+
+ if (mutex_lock_interruptible(&usbvision->v4l2_lock))
+ return -ERESTARTSYS;
+- usbvision_reset_power_off_timer(usbvision);
+
+- if (usbvision->user)
++ if (usbvision->user) {
+ err_code = -EBUSY;
+- else {
++ } else {
+ /* Allocate memory for the scratch ring buffer */
+ err_code = usbvision_scratch_alloc(usbvision);
+ if (isoc_mode == ISOC_MODE_COMPRESS) {
+@@ -372,11 +367,6 @@ static int usbvision_v4l2_open(struct fi
+
+ /* If so far no errors then we shall start the camera */
+ if (!err_code) {
+- if (usbvision->power == 0) {
+- usbvision_power_on(usbvision);
+- usbvision_i2c_register(usbvision);
+- }
+-
+ /* Send init sequence only once, it's large! */
+ if (!usbvision->initialized) {
+ int setup_ok = 0;
+@@ -392,18 +382,13 @@ static int usbvision_v4l2_open(struct fi
+ err_code = usbvision_init_isoc(usbvision);
+ /* device must be initialized before isoc transfer */
+ usbvision_muxsel(usbvision, 0);
++
++ /* prepare queues */
++ usbvision_empty_framequeues(usbvision);
+ usbvision->user++;
+- } else {
+- if (power_on_at_open) {
+- usbvision_i2c_unregister(usbvision);
+- usbvision_power_off(usbvision);
+- usbvision->initialized = 0;
+- }
+ }
+ }
+
+- /* prepare queues */
+- usbvision_empty_framequeues(usbvision);
+ mutex_unlock(&usbvision->v4l2_lock);
+
+ PDEBUG(DBG_IO, "success");
+@@ -436,13 +421,6 @@ static int usbvision_v4l2_close(struct f
+
+ usbvision->user--;
+
+- if (power_on_at_open) {
+- /* power off in a little while
+- to avoid off/on every close/open short sequences */
+- usbvision_set_power_off_timer(usbvision);
+- usbvision->initialized = 0;
+- }
+-
+ if (usbvision->remove_pending) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
+@@ -1160,14 +1138,6 @@ static int usbvision_radio_open(struct f
+ __func__);
+ err_code = -EBUSY;
+ } else {
+- if (power_on_at_open) {
+- usbvision_reset_power_off_timer(usbvision);
+- if (usbvision->power == 0) {
+- usbvision_power_on(usbvision);
+- usbvision_i2c_register(usbvision);
+- }
+- }
+-
+ /* Alternate interface 1 is is the biggest frame size */
+ err_code = usbvision_set_alternate(usbvision);
+ if (err_code < 0) {
+@@ -1182,14 +1152,6 @@ static int usbvision_radio_open(struct f
+ usbvision_set_audio(usbvision, USBVISION_AUDIO_RADIO);
+ usbvision->user++;
+ }
+-
+- if (err_code) {
+- if (power_on_at_open) {
+- usbvision_i2c_unregister(usbvision);
+- usbvision_power_off(usbvision);
+- usbvision->initialized = 0;
+- }
+- }
+ out:
+ mutex_unlock(&usbvision->v4l2_lock);
+ return err_code;
+@@ -1213,11 +1175,6 @@ static int usbvision_radio_close(struct
+ usbvision->radio = 0;
+ usbvision->user--;
+
+- if (power_on_at_open) {
+- usbvision_set_power_off_timer(usbvision);
+- usbvision->initialized = 0;
+- }
+-
+ if (usbvision->remove_pending) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
+@@ -1432,8 +1389,6 @@ static struct usb_usbvision *usbvision_a
+ goto err_unreg;
+ init_waitqueue_head(&usbvision->ctrl_urb_wq);
+
+- usbvision_init_power_off_timer(usbvision);
+-
+ return usbvision;
+
+ err_unreg:
+@@ -1454,8 +1409,6 @@ static void usbvision_release(struct usb
+ {
+ PDEBUG(DBG_PROBE, "");
+
+- usbvision_reset_power_off_timer(usbvision);
+-
+ usbvision->initialized = 0;
+
+ usbvision_remove_sysfs(usbvision->vdev);
+@@ -1499,11 +1452,9 @@ static void usbvision_configure_video(st
+ /* first switch off audio */
+ if (usbvision_device_data[model].audio_channels > 0)
+ usbvision_audio_off(usbvision);
+- if (!power_on_at_open) {
+- /* and then power up the noisy tuner */
+- usbvision_power_on(usbvision);
+- usbvision_i2c_register(usbvision);
+- }
++ /* and then power up the tuner */
++ usbvision_power_on(usbvision);
++ usbvision_i2c_register(usbvision);
+ }
+
+ /*
+@@ -1671,11 +1622,7 @@ static void usbvision_disconnect(struct
+ usbvision_stop_isoc(usbvision);
+
+ v4l2_device_disconnect(&usbvision->v4l2_dev);
+-
+- if (usbvision->power) {
+- usbvision_i2c_unregister(usbvision);
+- usbvision_power_off(usbvision);
+- }
++ usbvision_i2c_unregister(usbvision);
+ usbvision->remove_pending = 1; /* Now all ISO data will be ignored */
+
+ usb_put_dev(usbvision->dev);
+--- a/drivers/media/usb/usbvision/usbvision.h
++++ b/drivers/media/usb/usbvision/usbvision.h
+@@ -391,8 +391,6 @@ struct usb_usbvision {
+ unsigned char iface_alt; /* Alt settings */
+ unsigned char vin_reg2_preset;
+ struct mutex v4l2_lock;
+- struct timer_list power_off_timer;
+- struct work_struct power_off_work;
+ int power; /* is the device powered on? */
+ int user; /* user count for exclusive use */
+ int initialized; /* Had we already sent init sequence? */
+@@ -510,9 +508,6 @@ int usbvision_muxsel(struct usb_usbvisio
+ int usbvision_set_input(struct usb_usbvision *usbvision);
+ int usbvision_set_output(struct usb_usbvision *usbvision, int width, int height);
+
+-void usbvision_init_power_off_timer(struct usb_usbvision *usbvision);
+-void usbvision_set_power_off_timer(struct usb_usbvision *usbvision);
+-void usbvision_reset_power_off_timer(struct usb_usbvision *usbvision);
+ int usbvision_power_off(struct usb_usbvision *usbvision);
+ int usbvision_power_on(struct usb_usbvision *usbvision);
+
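Review bot: In usbvision_configure_video() the tuner is now powered up unconditionally, but the result of `usbvision_power_on(usbvision)` is discarded even though usbvision.h declares it as returning `int`. With the power-on calls removed from both open paths, this is the only power-on call still visible in the patch, so a failure here would leave a registered device that was never powered and nothing in the log. The function is `static void` and cannot propagate the error, so I would at least report it: `if (usbvision_power_on(usbvision) < 0) dev_err(&usbvision->dev->dev, "power on failed\n");`, assuming a negative return signals failure. The function body starts outside the hunk.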
diff --git a/queue-3.16/usbvision-video-two-use-after-frees.patch b/queue-3.16/usbvision-video-two-use-after-frees.patch
new file mode 100644
index 00000000..335a8939
--- /dev/null
+++ b/queue-3.16/usbvision-video-two-use-after-frees.patch
@@ -0,0 +1,35 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 16 Oct 2014 04:57:21 -0300
+Subject: [media] usbvision-video: two use after frees
+
+commit 470a9147899500eb4898f77816520c4b4aa1a698 upstream.
+
+The lock has been freed in usbvision_release() so there is no need to
+call mutex_unlock() here.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -424,6 +424,7 @@ static int usbvision_v4l2_close(struct f
+ if (usbvision->remove_pending) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
++ return 0;
+ }
+ mutex_unlock(&usbvision->v4l2_lock);
+
+@@ -1178,6 +1179,7 @@ static int usbvision_radio_close(struct
+ if (usbvision->remove_pending) {
+ printk(KERN_INFO "%s: Final disconnect\n", __func__);
+ usbvision_release(usbvision);
++ return err_code;
+ }
+
+ mutex_unlock(&usbvision->v4l2_lock);
diff --git a/queue-3.16/workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch b/queue-3.16/workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch
new file mode 100644
index 00000000..1e422463
--- /dev/null
+++ b/queue-3.16/workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch
@@ -0,0 +1,80 @@
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 18 Sep 2019 18:43:40 -0700
+Subject: workqueue: Fix spurious sanity check failures in destroy_workqueue()
+
+commit def98c84b6cdf2eeea19ec5736e90e316df5206b upstream.
+
+Before actually destrying a workqueue, destroy_workqueue() checks
+whether it's actually idle. If it isn't, it prints out a bunch of
+warning messages and leaves the workqueue dangling. It unfortunately
+has a couple issues.
+
+* Mayday list queueing increments pwq's refcnts which gets detected as
+ busy and fails the sanity checks. However, because mayday list
+ queueing is asynchronous, this condition can happen without any
+ actual work items left in the workqueue.
+
+* Sanity check failure leaves the sysfs interface behind too which can
+ lead to init failure of newer instances of the workqueue.
+
+This patch fixes the above two by
+
+* If a workqueue has a rescuer, disable and kill the rescuer before
+ sanity checks. Disabling and killing is guaranteed to flush the
+ existing mayday list.
+
+* Remove sysfs interface before sanity checks.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Marcin Pawlowski <mpawlowski@fb.com>
+Reported-by: "Williams, Gerald S" <gerald.s.williams@intel.com>
+[bwh: Backported to 3.16: destroy_workqueue() also freed wq->rescuer itself]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -4266,9 +4266,29 @@ void destroy_workqueue(struct workqueue_
+ struct pool_workqueue *pwq;
+ int node;
+
++ /*
++ * Remove it from sysfs first so that sanity check failure doesn't
++ * lead to sysfs name conflicts.
++ */
++ workqueue_sysfs_unregister(wq);
++
+ /* drain it before proceeding with destruction */
+ drain_workqueue(wq);
+
++ /* kill rescuer, if sanity checks fail, leave it w/o rescuer */
++ if (wq->rescuer) {
++ struct worker *rescuer = wq->rescuer;
++
++ /* this prevents new queueing */
++ spin_lock_irq(&wq_mayday_lock);
++ wq->rescuer = NULL;
++ spin_unlock_irq(&wq_mayday_lock);
++
++ /* rescuer will empty maydays list before exiting */
++ kthread_stop(rescuer->task);
++ kfree(rescuer);
++ }
++
+ /* sanity checks */
+ mutex_lock(&wq->mutex);
+ for_each_pwq(pwq, wq) {
+@@ -4298,14 +4318,6 @@ void destroy_workqueue(struct workqueue_
+ list_del_init(&wq->list);
+ mutex_unlock(&wq_pool_mutex);
+
+- workqueue_sysfs_unregister(wq);
+-
+- if (wq->rescuer) {
+- kthread_stop(wq->rescuer->task);
+- kfree(wq->rescuer);
+- wq->rescuer = NULL;
+- }
+-
+ if (!(wq->flags & WQ_UNBOUND)) {
+ /*
+ * The base ref is never dropped on per-cpu pwqs. Directly
diff --git a/queue-3.16/x86-ioapic-prevent-inconsistent-state-when-moving-an-interrupt.patch b/queue-3.16/x86-ioapic-prevent-inconsistent-state-when-moving-an-interrupt.patch
new file mode 100644
index 00000000..81e954b2
--- /dev/null
+++ b/queue-3.16/x86-ioapic-prevent-inconsistent-state-when-moving-an-interrupt.patch
@@ -0,0 +1,74 @@
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 17 Oct 2019 12:19:01 +0200
+Subject: x86/ioapic: Prevent inconsistent state when moving an interrupt
+
+commit df4393424af3fbdcd5c404077176082a8ce459c4 upstream.
+
+There is an issue with threaded interrupts which are marked ONESHOT
+and using the fasteoi handler:
+
+ if (IS_ONESHOT())
+ mask_irq();
+ ....
+ cond_unmask_eoi_irq()
+ chip->irq_eoi();
+ if (setaffinity_pending) {
+ mask_ioapic();
+ ...
+ move_affinity();
+ unmask_ioapic();
+ }
+
+So if setaffinity is pending the interrupt will be moved and then
+unconditionally unmasked at the ioapic level, which is wrong in two
+aspects:
+
+ 1) It should be kept masked up to the point where the threaded handler
+ finished.
+
+ 2) The physical chip state and the software masked state are inconsistent
+
+Guard both the mask and the unmask with a check for the software masked
+state. If the line is marked masked then the ioapic line is also masked, so
+both mask_ioapic() and unmask_ioapic() can be skipped safely.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Fixes: 3aa551c9b4c4 ("genirq: add threaded interrupt handler support")
+Link: https://lkml.kernel.org/r/20191017101938.321393687@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+[bwh: Backported to 3.16: Keep using {,un}mask_iopaic_irq()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kernel/apic/io_apic.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2377,9 +2377,10 @@ static bool io_apic_level_ack_pending(st
+
+ static inline bool ioapic_irqd_mask(struct irq_data *data, struct irq_cfg *cfg)
+ {
+- /* If we are moving the irq we need to mask it */
++ /* If we are moving the IRQ we need to mask it */
+ if (unlikely(irqd_is_setaffinity_pending(data))) {
+- mask_ioapic(cfg);
++ if (!irqd_irq_masked(data))
++ mask_ioapic(cfg);
+ return true;
+ }
+ return false;
+@@ -2417,7 +2418,9 @@ static inline void ioapic_irqd_unmask(st
+ */
+ if (!io_apic_level_ack_pending(cfg))
+ irq_move_masked_irq(data);
+- unmask_ioapic(cfg);
++ /* If the IRQ is masked in the core, leave it: */
++ if (!irqd_irq_masked(data))
++ unmask_ioapic(cfg);
+ }
+ }
+ #else
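Review bot: The comment at the top of ioapic_irqd_mask() still reads `If we are moving the IRQ we need to mask it`, which no longer matches the code: the line is now masked only when `irqd_irq_masked(data)` is false, yet the function returns true either way. A comment such as `/* Moving the IRQ: mask the line unless the core already holds it masked */` would keep the two in step and explain why ioapic_irqd_unmask() repeats the same test before unmasking. The body of ioapic_irqd_unmask() starts outside its hunk.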
diff --git a/queue-3.16/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch b/queue-3.16/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
new file mode 100644
index 00000000..73c60ba3
--- /dev/null
+++ b/queue-3.16/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
@@ -0,0 +1,48 @@
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 2 Sep 2019 22:52:52 +0800
+Subject: x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
+
+commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.
+
+The AMD FCH USB XHCI Controller advertises support for generating PME#
+while in D0. When in D0, it does signal PME# for USB 3.0 connect events,
+but not for USB 2.0 or USB 1.1 connect events, which means the controller
+doesn't wake correctly for those events.
+
+ 00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
+ Subsystem: Dell FCH USB XHCI Controller [1028:087e]
+ Capabilities: [50] Power Management version 3
+ Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
+
+Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
+assert PME# from D0 so we don't rely on it.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
+Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/pci/fixup.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -575,6 +575,17 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_IN
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_invalid_bar);
+
+ /*
++ * Device [1022:7914]
++ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device.
++ */
++static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev)
++{
++ dev_info(&dev->dev, "PME# does not work under D0, disabling it\n");
++ dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme);
++
++/*
+ * Apple MacBook Pro: Avoid [mem 0x7fa00000-0x7fbfffff]
+ *
+ * Using the [mem 0x7fa00000-0x7fbfffff] region, e.g., by assigning it to
diff --git a/queue-3.16/x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch b/queue-3.16/x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch
new file mode 100644
index 00000000..7f96a7ea
--- /dev/null
+++ b/queue-3.16/x86-speculation-fix-incorrect-mds-taa-mitigation-status.patch
@@ -0,0 +1,150 @@
+From: Waiman Long <longman@redhat.com>
+Date: Fri, 15 Nov 2019 11:14:44 -0500
+Subject: x86/speculation: Fix incorrect MDS/TAA mitigation status
+
+commit 64870ed1b12e235cfca3f6c6da75b542c973ff78 upstream.
+
+For MDS vulnerable processors with TSX support, enabling either MDS or
+TAA mitigations will enable the use of VERW to flush internal processor
+buffers at the right code path. IOW, they are either both mitigated
+or both not. However, if the command line options are inconsistent,
+the vulnerabilites sysfs files may not report the mitigation status
+correctly.
+
+For example, with only the "mds=off" option:
+
+ vulnerabilities/mds:Vulnerable; SMT vulnerable
+ vulnerabilities/tsx_async_abort:Mitigation: Clear CPU buffers; SMT vulnerable
+
+The mds vulnerabilities file has wrong status in this case. Similarly,
+the taa vulnerability file will be wrong with mds mitigation on, but
+taa off.
+
+Change taa_select_mitigation() to sync up the two mitigation status
+and have them turned off if both "mds=off" and "tsx_async_abort=off"
+are present.
+
+Update documentation to emphasize the fact that both "mds=off" and
+"tsx_async_abort=off" have to be specified together for processors that
+are affected by both TAA and MDS to be effective.
+
+ [ bp: Massage and add kernel-parameters.txt change too. ]
+
+Fixes: 1b42f017415b ("x86/speculation/taa: Add mitigation for TSX Async Abort")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: linux-doc@vger.kernel.org
+Cc: Mark Gross <mgross@linux.intel.com>
+Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20191115161445.30809-2-longman@redhat.com
+[bwh: Backported to 3.16: adjust filenames]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ Documentation/hw-vuln/mds.rst | 7 +++++--
+ Documentation/hw-vuln/tsx_async_abort.rst | 5 ++++-
+ Documentation/kernel-parameters.txt | 11 +++++++++++
+ arch/x86/kernel/cpu/bugs.c | 17 +++++++++++++++--
+ 4 files changed, 35 insertions(+), 5 deletions(-)
+
+--- a/Documentation/hw-vuln/mds.rst
++++ b/Documentation/hw-vuln/mds.rst
+@@ -262,8 +262,11 @@ time with the option "mds=". The valid a
+
+ ============ =============================================================
+
+-Not specifying this option is equivalent to "mds=full".
+-
++Not specifying this option is equivalent to "mds=full". For processors
++that are affected by both TAA (TSX Asynchronous Abort) and MDS,
++specifying just "mds=off" without an accompanying "tsx_async_abort=off"
++will have no effect as the same mitigation is used for both
++vulnerabilities.
+
+ Mitigation selection guide
+ --------------------------
+--- a/Documentation/hw-vuln/tsx_async_abort.rst
++++ b/Documentation/hw-vuln/tsx_async_abort.rst
+@@ -169,7 +169,10 @@ the option "tsx_async_abort=". The valid
+ systems will have no effect.
+ ============ =============================================================
+
+-Not specifying this option is equivalent to "tsx_async_abort=full".
++Not specifying this option is equivalent to "tsx_async_abort=full". For
++processors that are affected by both TAA and MDS, specifying just
++"tsx_async_abort=off" without an accompanying "mds=off" will have no
++effect as the same mitigation is used for both vulnerabilities.
+
+ The kernel command line also allows to control the TSX feature using the
+ parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1793,6 +1793,12 @@ bytes respectively. Such letter suffixes
+ full - Enable MDS mitigation on vulnerable CPUs
+ off - Unconditionally disable MDS mitigation
+
++ On TAA-affected machines, mds=off can be prevented by
++ an active TAA mitigation as both vulnerabilities are
++ mitigated with the same mechanism so in order to disable
++ this mitigation, you need to specify tsx_async_abort=off
++ too.
++
+ Not specifying this option is equivalent to
+ mds=full.
+
+@@ -3634,6 +3640,11 @@ bytes respectively. Such letter suffixes
+
+ off - Unconditionally disable TAA mitigation
+
++ On MDS-affected machines, tsx_async_abort=off can be
++ prevented by an active MDS mitigation as both vulnerabilities
++ are mitigated with the same mechanism so in order to disable
++ this mitigation, you need to specify mds=off too.
++
+ Not specifying this option is equivalent to
+ tsx_async_abort=full. On CPUs which are MDS affected
+ and deploy MDS mitigation, TAA mitigation is not
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -349,8 +349,12 @@ static void __init taa_select_mitigation
+ return;
+ }
+
+- /* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */
+- if (taa_mitigation == TAA_MITIGATION_OFF)
++ /*
++ * TAA mitigation via VERW is turned off if both
++ * tsx_async_abort=off and mds=off are specified.
++ */
++ if (taa_mitigation == TAA_MITIGATION_OFF &&
++ mds_mitigation == MDS_MITIGATION_OFF)
+ goto out;
+
+ if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
+@@ -381,6 +385,15 @@ static void __init taa_select_mitigation
+ */
+ static_branch_enable(&mds_user_clear);
+
++ /*
++ * Update MDS mitigation, if necessary, as the mds_user_clear is
++ * now enabled for TAA mitigation.
++ */
++ if (mds_mitigation == MDS_MITIGATION_OFF &&
++ boot_cpu_has_bug(X86_BUG_MDS)) {
++ mds_mitigation = MDS_MITIGATION_FULL;
++ mds_select_mitigation();
++ }
+ out:
+ pr_info("%s\n", taa_strings[taa_mitigation]);
+ }
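Review bot: The new early-exit test in taa_select_mitigation() reads `mds_mitigation`, so it appears to depend on mds_select_mitigation() having already run and, on CPUs without X86_BUG_MDS, having left that variable at MDS_MITIGATION_OFF. Otherwise `tsx_async_abort=off` alone would never take effect on a TAA-only CPU, because the documented default is `mds=full`. Neither the call order nor that reset is visible in these hunks, so it is worth confirming in the 3.16 tree and recording in the comment, for example `* Must run after mds_select_mitigation(), which has settled mds_mitigation by then.` The second hunk also calls mds_select_mitigation() again after forcing MDS_MITIGATION_FULL; if that function logs its result, the MDS status line would be printed twice at boot. Both hunks cut through the function body.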
diff --git a/queue-3.16/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch b/queue-3.16/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch
new file mode 100644
index 00000000..c79111af
--- /dev/null
+++ b/queue-3.16/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch
@@ -0,0 +1,64 @@
+From: SeongJae Park <sjpark@amazon.de>
+Date: Tue, 26 Nov 2019 16:36:05 +0100
+Subject: xen/blkback: Avoid unmapping unmapped grant pages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit f9bd84a8a845d82f9b5a081a7ae68c98a11d2e84 upstream.
+
+For each I/O request, blkback first maps the foreign pages for the
+request to its local pages. If an allocation of a local page for the
+mapping fails, it should unmap every mapping already made for the
+request.
+
+However, blkback's handling mechanism for the allocation failure does
+not mark the remaining foreign pages as unmapped. Therefore, the unmap
+function merely tries to unmap every valid grant page for the request,
+including the pages not mapped due to the allocation failure. On a
+system that fails the allocation frequently, this problem leads to
+following kernel crash.
+
+ [ 372.012538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
+ [ 372.012546] IP: [<ffffffff814071ac>] gnttab_unmap_refs.part.7+0x1c/0x40
+ [ 372.012557] PGD 16f3e9067 PUD 16426e067 PMD 0
+ [ 372.012562] Oops: 0002 [#1] SMP
+ [ 372.012566] Modules linked in: act_police sch_ingress cls_u32
+ ...
+ [ 372.012746] Call Trace:
+ [ 372.012752] [<ffffffff81407204>] gnttab_unmap_refs+0x34/0x40
+ [ 372.012759] [<ffffffffa0335ae3>] xen_blkbk_unmap+0x83/0x150 [xen_blkback]
+ ...
+ [ 372.012802] [<ffffffffa0336c50>] dispatch_rw_block_io+0x970/0x980 [xen_blkback]
+ ...
+ Decompressing Linux... Parsing ELF... done.
+ Booting the kernel.
+ [ 0.000000] Initializing cgroup subsys cpuset
+
+This commit fixes this problem by marking the grant pages of the given
+request that didn't mapped due to the allocation failure as invalid.
+
+Fixes: c6cc142dac52 ("xen-blkback: use balloon pages for all mappings")
+
+Reviewed-by: David Woodhouse <dwmw@amazon.de>
+Reviewed-by: Maximilian Heyne <mheyne@amazon.de>
+Reviewed-by: Paul Durrant <pdurrant@amazon.co.uk>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/block/xen-blkback/blkback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -825,6 +825,8 @@ next:
+ out_of_memory:
+ pr_alert(DRV_PFX "%s: out of memory\n", __func__);
+ put_free_pages(blkif, pages_to_gnt, segs_to_map);
++ for (i = last_map; i < num; i++)
++ pages[i]->handle = BLKBACK_INVALID_HANDLE;
+ return -ENOMEM;
+ }
+
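Review bot: The loop added under `out_of_memory:` resets `pages[i]->handle` for `last_map..num` with no comment, and the reason is only in the commit message. Without the reset, the unmap path treats entries that were never mapped as valid grants, which leads to the NULL dereference in `gnttab_unmap_refs` shown in the trace. I would put `/* Entries from last_map on were never mapped; mark them invalid so xen_blkbk_unmap() skips them. */` above the loop so a later cleanup of this error path does not drop it. The enclosing function starts before the hunk, so the initial state of `handle` for those entries cannot be checked from here.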
diff --git a/queue-3.16/xfs-sanity-check-flags-of-q_xquotarm-call.patch b/queue-3.16/xfs-sanity-check-flags-of-q_xquotarm-call.patch
new file mode 100644
index 00000000..429b381b
--- /dev/null
+++ b/queue-3.16/xfs-sanity-check-flags-of-q_xquotarm-call.patch
@@ -0,0 +1,32 @@
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 23 Oct 2019 17:00:45 -0700
+Subject: xfs: Sanity check flags of Q_XQUOTARM call
+
+commit 3dd4d40b420846dd35869ccc8f8627feef2cff32 upstream.
+
+Flags passed to Q_XQUOTARM were not sanity checked for invalid values.
+Fix that.
+
+Fixes: 9da93f9b7cdf ("xfs: fix Q_XQUOTARM ioctl")
+Reported-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/xfs/xfs_quotaops.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/xfs/xfs_quotaops.c
++++ b/fs/xfs/xfs_quotaops.c
+@@ -119,6 +119,9 @@ xfs_fs_rm_xquota(
+ if (XFS_IS_QUOTA_ON(mp))
+ return -EINVAL;
+
++ if (uflags & ~(FS_USER_QUOTA | FS_GROUP_QUOTA | FS_PROJ_QUOTA))
++ return -EINVAL;
++
+ if (uflags & FS_USER_QUOTA)
+ flags |= XFS_DQ_USER;
+ if (uflags & FS_GROUP_QUOTA)
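Review bot: The new mask test in `xfs_fs_rm_xquota` carries no comment, and its flag list has to stay in step with the `FS_*_QUOTA` tests that follow it. I would add `/* Reject unknown bits passed to Q_XQUOTARM instead of silently ignoring them */` above the check. A zero `uflags` still passes this test and leaves `flags` empty; whether the callee rejects an empty type mask is not visible in this hunk and is worth confirming. The function starts before and continues past the lines shown.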
diff --git a/queue-3.16/xtensa-fix-tlb-sanity-checker.patch b/queue-3.16/xtensa-fix-tlb-sanity-checker.patch
new file mode 100644
index 00000000..80c76542
--- /dev/null
+++ b/queue-3.16/xtensa-fix-tlb-sanity-checker.patch
@@ -0,0 +1,42 @@
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 13 Nov 2019 13:18:31 -0800
+Subject: xtensa: fix TLB sanity checker
+
+commit 36de10c4788efc6efe6ff9aa10d38cb7eea4c818 upstream.
+
+Virtual and translated addresses retrieved by the xtensa TLB sanity
+checker must be consistent, i.e. correspond to the same state of the
+checked TLB entry. KASAN shadow memory is mapped dynamically using
+auto-refill TLB entries and thus may change TLB state between the
+virtual and translated address retrieval, resulting in false TLB
+insanity report.
+Move read_xtlb_translation close to read_xtlb_virtual to make sure that
+read values are consistent.
+
+Fixes: a99e07ee5e88 ("xtensa: check TLB sanity on return to userspace")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/xtensa/mm/tlb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/mm/tlb.c
++++ b/arch/xtensa/mm/tlb.c
+@@ -218,6 +218,8 @@ static int check_tlb_entry(unsigned w, u
+ unsigned tlbidx = w | (e << PAGE_SHIFT);
+ unsigned r0 = dtlb ?
+ read_dtlb_virtual(tlbidx) : read_itlb_virtual(tlbidx);
++ unsigned r1 = dtlb ?
++ read_dtlb_translation(tlbidx) : read_itlb_translation(tlbidx);
+ unsigned vpn = (r0 & PAGE_MASK) | (e << PAGE_SHIFT);
+ unsigned pte = get_pte_for_vaddr(vpn);
+ unsigned mm_asid = (get_rasid_register() >> 8) & ASID_MASK;
+@@ -233,8 +235,6 @@ static int check_tlb_entry(unsigned w, u
+ }
+
+ if (tlb_asid == mm_asid) {
+- unsigned r1 = dtlb ? read_dtlb_translation(tlbidx) :
+- read_itlb_translation(tlbidx);
+ if ((pte ^ r1) & PAGE_MASK) {
+ pr_err("%cTLB: way: %u, entry: %u, mapping: %08x->%08x, PTE: %08x\n",
+ dtlb ? 'D' : 'I', w, e, r0, r1, pte);
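Review bot: The ordering this fix depends on is not recorded in the code. `r1` has to be read directly after `r0`, and nothing at the declaration stops a later cleanup from moving the read back into the `tlb_asid == mm_asid` branch. I would add above the `r1` declaration `/* Read right after r0: an auto-refill between the two reads would make them describe different TLB states. */`. The body of `check_tlb_entry` starts before and ends after the lines shown, so whether anything between the two reads can still touch memory cannot be confirmed from this hunk.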
diff --git a/upstream-head b/upstream-head
index a1954b0f..65a384fe 100644
--- a/upstream-head
+++ b/upstream-head
@@ -1 +1 @@
-219d54332a09e8d8741c1e1982f5eae56099de85
+e42617b825f8073569da76dc4510bfa019b1c35a