diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-12 13:37:45 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-06-12 13:37:45 +0200 |
| commit | 70092c74a63433d6e8bf63f8e11c1d2522cc2048 (patch) | |
| tree | 24e13206a12c3d7fc5876897a9aa288b40c77775 | |
| parent | e83aff3d719a7246e087021feae68d29bb8df699 (diff) | |
| download | queue-3.18-70092c74a63433d6e8bf63f8e11c1d2522cc2048.tar.gz | |
drop applied patches and add another one.
79 files changed, 42 insertions, 5428 deletions
diff --git a/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch b/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch deleted file mode 100644 index f2dfd64..0000000 --- a/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 Mon Sep 17 00:00:00 2001 -From: Hui Wang <hui.wang@canonical.com> -Date: Mon, 6 May 2019 22:09:32 +0800 -Subject: ALSA: hda/hdmi - Consider eld_valid when reporting jack event - -From: Hui Wang <hui.wang@canonical.com> - -commit 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 upstream. - -On the machines with AMD GPU or Nvidia GPU, we often meet this issue: -after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting -even there is no any monitors plugged. - -When this problem happens, we check the /proc/asound/cardX/eld#N.M, we -will find the monitor_present=1, eld_valid=0. - -The root cause is BIOS or GPU driver makes the PRESENCE valid even no -monitor plugged, and of course the driver will not get the valid -eld_data subsequently. - -In this situation, we should not report the jack_plugged event, to do -so, let us change the function hdmi_present_sense_via_verbs(). In this -function, it reads the pin_sense via snd_hda_pin_sense(), after -calling this function, the jack_dirty is 0, and before exiting -via_verbs(), we change the shadow pin_sense according to both -monitor_present and eld_valid, then in the snd_hda_jack_report_sync(), -since the jack_dirty is still 0, it will report jack event according -to this modified shadow pin_sense. - -After this change, the driver will not report Jack_is_plugged event -through hdmi_present_sense_via_verbs() if monitor_present is 1 and -eld_valid is 0. - -Signed-off-by: Hui Wang <hui.wang@canonical.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/pci/hda/patch_hdmi.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/sound/pci/hda/patch_hdmi.c -+++ b/sound/pci/hda/patch_hdmi.c -@@ -1635,9 +1635,11 @@ static bool hdmi_present_sense(struct hd - ret = !repoll || !pin_eld->monitor_present || pin_eld->eld_valid; - - jack = snd_hda_jack_tbl_get(codec, pin_nid); -- if (jack) -+ if (jack) { - jack->block_report = !ret; -- -+ jack->pin_sense = (eld->monitor_present && eld->eld_valid) ? -+ AC_PINSENSE_PRESENCE : 0; -+ } - mutex_unlock(&per_pin->lock); - snd_hda_power_down(codec); - return ret; diff --git a/alsa-hda-realtek-eapd-turn-on-later.patch b/alsa-hda-realtek-eapd-turn-on-later.patch deleted file mode 100644 index c894f07..0000000 --- a/alsa-hda-realtek-eapd-turn-on-later.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 607ca3bd220f4022e6f5356026b19dafc363863a Mon Sep 17 00:00:00 2001 -From: Kailang Yang <kailang@realtek.com> -Date: Fri, 26 Apr 2019 16:35:41 +0800 -Subject: ALSA: hda/realtek - EAPD turn on later - -From: Kailang Yang <kailang@realtek.com> - -commit 607ca3bd220f4022e6f5356026b19dafc363863a upstream. - -Let EAPD turn on after set pin output. - -[ NOTE: This change is supposed to reduce the possible click noises at - (runtime) PM resume. The functionality should be same (i.e. the - verbs are executed correctly) no matter which order is, so this - should be safe to apply for all codecs -- tiwai ] - -Signed-off-by: Kailang Yang <kailang@realtek.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/pci/hda/patch_realtek.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -755,11 +755,10 @@ static int alc_init(struct hda_codec *co - if (spec->init_hook) - spec->init_hook(codec); - -+ snd_hda_gen_init(codec); - alc_fix_pll(codec); - alc_auto_init_amp(codec, spec->init_amp); - -- snd_hda_gen_init(codec); -- - snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT); - - return 0; diff --git a/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch b/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch deleted file mode 100644 index 42fe459..0000000 --- a/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Wadowski?= <wadosm@gmail.com> -Date: Tue, 14 May 2019 16:58:00 +0200 -Subject: ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Michał Wadowski <wadosm@gmail.com> - -commit 56df90b631fc027fe28b70d41352d820797239bb upstream. - -Add patch for realtek codec in Lenovo B50-70 that fixes inverted -internal microphone channel. -Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70, -but first one is about fix the noise and it didn't seem help in a -later kernel version. -So I replaced IdeaPad Y410P device description with B50-70 and apply -inverted microphone fix. - -Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215 -Signed-off-by: Michał Wadowski <wadosm@gmail.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/pci/hda/patch_realtek.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5471,7 +5471,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), - SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), -- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), -+ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), - SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), - SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC), - SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK), diff --git a/alsa-usb-audio-fix-a-memory-leak-bug.patch b/alsa-usb-audio-fix-a-memory-leak-bug.patch deleted file mode 100644 index 30f4dd5..0000000 --- a/alsa-usb-audio-fix-a-memory-leak-bug.patch +++ /dev/null @@ -1,40 +0,0 @@ -From cb5173594d50c72b7bfa14113dfc5084b4d2f726 Mon Sep 17 00:00:00 2001 -From: Wenwen Wang <wang6495@umn.edu> -Date: Sat, 27 Apr 2019 01:06:46 -0500 -Subject: ALSA: usb-audio: Fix a memory leak bug - -From: Wenwen Wang <wang6495@umn.edu> - -commit cb5173594d50c72b7bfa14113dfc5084b4d2f726 upstream. - -In parse_audio_selector_unit(), the string array 'namelist' is allocated -through kmalloc_array(), and each string pointer in this array, i.e., -'namelist[]', is allocated through kmalloc() in the following for loop. -Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If -an error occurs during the creation process, the string array 'namelist', -including all string pointers in the array 'namelist[]', should be freed, -before the error code ENOMEM is returned. However, the current code does -not free 'namelist[]', resulting in memory leaks. - -To fix the above issue, free all string pointers 'namelist[]' in a loop. - -Signed-off-by: Wenwen Wang <wang6495@umn.edu> -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/usb/mixer.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/sound/usb/mixer.c -+++ b/sound/usb/mixer.c -@@ -2103,6 +2103,8 @@ static int parse_audio_selector_unit(str - kctl = snd_ctl_new1(&mixer_selectunit_ctl, cval); - if (! kctl) { - usb_audio_err(state->chip, "cannot malloc kcontrol\n"); -+ for (i = 0; i < desc->bNrInPins; i++) -+ kfree(namelist[i]); - kfree(namelist); - kfree(cval); - return -ENOMEM; diff --git a/alsa-usb-audio-fix-uaf-decrement-if-card-has-no-live-interfaces-in-card.c.patch b/alsa-usb-audio-fix-uaf-decrement-if-card-has-no-live-interfaces-in-card.c.patch deleted file mode 100644 index 1e406ac..0000000 --- a/alsa-usb-audio-fix-uaf-decrement-if-card-has-no-live-interfaces-in-card.c.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 5f8cf712582617d523120df67d392059eaf2fc4b Mon Sep 17 00:00:00 2001 -From: Hui Peng <benquike@gmail.com> -Date: Mon, 3 Dec 2018 16:09:34 +0100 -Subject: ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c - -From: Hui Peng <benquike@gmail.com> - -commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream. - -If a USB sound card reports 0 interfaces, an error condition is triggered -and the function usb_audio_probe errors out. In the error path, there was a -use-after-free vulnerability where the memory object of the card was first -freed, followed by a decrement of the number of active chips. Moving the -decrement above the atomic_dec fixes the UAF. - -[ The original problem was introduced in 3.1 kernel, while it was - developed in a different form. The Fixes tag below indicates the - original commit but it doesn't mean that the patch is applicable - cleanly. -- tiwai ] - -Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit") -Reported-by: Hui Peng <benquike@gmail.com> -Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> -Signed-off-by: Hui Peng <benquike@gmail.com> -Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> -[surenb@google.com: resolve 3.18 differences] -Signed-off-by: Suren Baghdasaryan <surenb@google.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/usb/card.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/sound/usb/card.c -+++ b/sound/usb/card.c -@@ -593,9 +593,12 @@ snd_usb_audio_probe(struct usb_device *d - - __error: - if (chip) { -+ /* chip->probing is inside the chip->card object, -+ * reset before memory is possibly returned. -+ */ -+ chip->probing = 0; - if (!chip->num_interfaces) - snd_card_free(chip->card); -- chip->probing = 0; - } - mutex_unlock(®ister_mutex); - __err_val: diff --git a/asoc-max98090-fix-restore-of-dapm-muxes.patch b/asoc-max98090-fix-restore-of-dapm-muxes.patch deleted file mode 100644 index cf4f32e..0000000 --- a/asoc-max98090-fix-restore-of-dapm-muxes.patch +++ /dev/null @@ -1,53 +0,0 @@ -From ecb2795c08bc825ebd604997e5be440b060c5b18 Mon Sep 17 00:00:00 2001 -From: Jon Hunter <jonathanh@nvidia.com> -Date: Wed, 1 May 2019 15:29:38 +0100 -Subject: ASoC: max98090: Fix restore of DAPM Muxes - -From: Jon Hunter <jonathanh@nvidia.com> - -commit ecb2795c08bc825ebd604997e5be440b060c5b18 upstream. - -The max98090 driver defines 3 DAPM muxes; one for the right line output -(LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux) -and one for the right headphone mixer source (MIXHPRSEL Mux). The same -bit is used for the mux as well as the DAPM enable, and although the mux -can be correctly configured, after playback has completed, the mux will -be reset during the disable phase. This is preventing the state of these -muxes from being saved and restored correctly on system reboot. Fix this -by marking these muxes as SND_SOC_NOPM. - -Note this has been verified this on the Tegra124 Nyan Big which features -the MAX98090 codec. - -Signed-off-by: Jon Hunter <jonathanh@nvidia.com> -Signed-off-by: Mark Brown <broonie@kernel.org> -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/soc/codecs/max98090.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/sound/soc/codecs/max98090.c -+++ b/sound/soc/codecs/max98090.c -@@ -1265,14 +1265,14 @@ static const struct snd_soc_dapm_widget - &max98090_right_rcv_mixer_controls[0], - ARRAY_SIZE(max98090_right_rcv_mixer_controls)), - -- SND_SOC_DAPM_MUX("LINMOD Mux", M98090_REG_LOUTR_MIXER, -- M98090_LINMOD_SHIFT, 0, &max98090_linmod_mux), -+ SND_SOC_DAPM_MUX("LINMOD Mux", SND_SOC_NOPM, 0, 0, -+ &max98090_linmod_mux), - -- SND_SOC_DAPM_MUX("MIXHPLSEL Mux", M98090_REG_HP_CONTROL, -- M98090_MIXHPLSEL_SHIFT, 0, &max98090_mixhplsel_mux), -+ SND_SOC_DAPM_MUX("MIXHPLSEL Mux", SND_SOC_NOPM, 0, 0, -+ &max98090_mixhplsel_mux), - -- SND_SOC_DAPM_MUX("MIXHPRSEL Mux", M98090_REG_HP_CONTROL, -- M98090_MIXHPRSEL_SHIFT, 0, &max98090_mixhprsel_mux), -+ SND_SOC_DAPM_MUX("MIXHPRSEL Mux", SND_SOC_NOPM, 0, 0, -+ &max98090_mixhprsel_mux), - - SND_SOC_DAPM_PGA("HP Left Out", M98090_REG_OUTPUT_ENABLE, - M98090_HPLEN_SHIFT, 0, NULL, 0), diff --git a/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch b/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch deleted file mode 100644 index 4eb0887..0000000 --- a/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 09ac2694b0475f96be895848687ebcbba97eeecf Mon Sep 17 00:00:00 2001 -From: YueHaibing <yuehaibing@huawei.com> -Date: Mon, 8 Apr 2019 11:45:29 +0800 -Subject: at76c50x-usb: Don't register led_trigger if usb_register_driver failed - -From: YueHaibing <yuehaibing@huawei.com> - -commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream. - -Syzkaller report this: - -[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338 -[ 1213.469530] #PF error: [normal kernel read fault] -[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0 -[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI -[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 -[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0 -[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d -[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246 -[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6 -[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0 -[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004 -[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900 -[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0 -[ 1213.473514] FS: 00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000 -[ 1213.473514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0 -[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -[ 1213.473514] PKRU: 55555554 -[ 1213.473514] Call Trace: -[ 1213.473514] led_trigger_register+0x112/0x3f0 -[ 1213.473514] led_trigger_register_simple+0x7a/0x110 -[ 1213.473514] ? 0xffffffffc1c10000 -[ 1213.473514] at76_mod_init+0x77/0x1000 [at76c50x_usb] -[ 1213.473514] do_one_initcall+0xbc/0x47d -[ 1213.473514] ? perf_trace_initcall_level+0x3a0/0x3a0 -[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40 -[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40 -[ 1213.473514] do_init_module+0x1b5/0x547 -[ 1213.473514] load_module+0x6405/0x8c10 -[ 1213.473514] ? module_frob_arch_sections+0x20/0x20 -[ 1213.473514] ? kernel_read_file+0x1e6/0x5d0 -[ 1213.473514] ? find_held_lock+0x32/0x1c0 -[ 1213.473514] ? cap_capable+0x1ae/0x210 -[ 1213.473514] ? __do_sys_finit_module+0x162/0x190 -[ 1213.473514] __do_sys_finit_module+0x162/0x190 -[ 1213.473514] ? __ia32_sys_init_module+0xa0/0xa0 -[ 1213.473514] ? __mutex_unlock_slowpath+0xdc/0x690 -[ 1213.473514] ? wait_for_completion+0x370/0x370 -[ 1213.473514] ? vfs_write+0x204/0x4a0 -[ 1213.473514] ? do_syscall_64+0x18/0x450 -[ 1213.473514] do_syscall_64+0x9f/0x450 -[ 1213.473514] entry_SYSCALL_64_after_hwframe+0x49/0xbe -[ 1213.473514] RIP: 0033:0x462e99 -[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 -[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 -[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 -[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 -[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000 -[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc -[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 - -If usb_register failed, no need to call led_trigger_register_simple. - -Reported-by: Hulk Robot <hulkci@huawei.com> -Fixes: 1264b951463a ("at76c50x-usb: add driver") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/net/wireless/at76c50x-usb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/net/wireless/at76c50x-usb.c -+++ b/drivers/net/wireless/at76c50x-usb.c -@@ -2582,8 +2582,8 @@ static int __init at76_mod_init(void) - if (result < 0) - printk(KERN_ERR DRIVER_NAME - ": usb_register failed (status %d)\n", result); -- -- led_trigger_register_simple("at76_usb-tx", &ledtrig_tx); -+ else -+ led_trigger_register_simple("at76_usb-tx", &ledtrig_tx); - return result; - } - diff --git a/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch b/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch deleted file mode 100644 index 7a57c10..0000000 --- a/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch +++ /dev/null @@ -1,81 +0,0 @@ -From a4b732a248d12cbdb46999daf0bf288c011335eb Mon Sep 17 00:00:00 2001 -From: Liang Chen <liangchen.linux@gmail.com> -Date: Thu, 25 Apr 2019 00:48:31 +0800 -Subject: bcache: fix a race between cache register and cacheset unregister - -From: Liang Chen <liangchen.linux@gmail.com> - -commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream. - -There is a race between cache device register and cache set unregister. -For an already registered cache device, register_bcache will call -bch_is_open to iterate through all cachesets and check every cache -there. The race occurs if cache_set_free executes at the same time and -clears the caches right before ca is dereferenced in bch_is_open_cache. -To close the race, let's make sure the clean up work is protected by -the bch_register_lock as well. - -This issue can be reproduced as follows, -while true; do echo /dev/XXX> /sys/fs/bcache/register ; done& -while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done & - -and results in the following oops, - -[ +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998 -[ +0.000457] #PF error: [normal kernel read fault] -[ +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0 -[ +0.000388] Oops: 0000 [#1] SMP PTI -[ +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6 -[ +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014 -[ +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache] -[ +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d -[ +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202 -[ +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000 -[ +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001 -[ +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a -[ +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0 -[ +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620 -[ +0.000384] FS: 00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000 -[ +0.000420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0 -[ +0.000837] Call Trace: -[ +0.000682] ? _cond_resched+0x10/0x20 -[ +0.000691] ? __kmalloc+0x131/0x1b0 -[ +0.000710] kernfs_fop_write+0xfa/0x170 -[ +0.000733] __vfs_write+0x2e/0x190 -[ +0.000688] ? inode_security+0x10/0x30 -[ +0.000698] ? selinux_file_permission+0xd2/0x120 -[ +0.000752] ? security_file_permission+0x2b/0x100 -[ +0.000753] vfs_write+0xa8/0x1a0 -[ +0.000676] ksys_write+0x4d/0xb0 -[ +0.000699] do_syscall_64+0x3a/0xf0 -[ +0.000692] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Signed-off-by: Liang Chen <liangchen.linux@gmail.com> -Cc: stable@vger.kernel.org -Signed-off-by: Coly Li <colyli@suse.de> -Signed-off-by: Jens Axboe <axboe@kernel.dk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/md/bcache/super.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1375,6 +1375,7 @@ static void cache_set_free(struct closur - bch_btree_cache_free(c); - bch_journal_free(c); - -+ mutex_lock(&bch_register_lock); - for_each_cache(ca, c, i) - if (ca) { - ca->set = NULL; -@@ -1397,7 +1398,6 @@ static void cache_set_free(struct closur - mempool_destroy(c->search); - kfree(c->devices); - -- mutex_lock(&bch_register_lock); - list_del(&c->list); - mutex_unlock(&bch_register_lock); - diff --git a/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch b/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch deleted file mode 100644 index 14ba611..0000000 --- a/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc Mon Sep 17 00:00:00 2001 -From: Coly Li <colyli@suse.de> -Date: Thu, 25 Apr 2019 00:48:33 +0800 -Subject: bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() - -From: Coly Li <colyli@suse.de> - -commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream. - -In journal_reclaim() ja->cur_idx of each cache will be update to -reclaim available journal buckets. Variable 'int n' is used to count how -many cache is successfully reclaimed, then n is set to c->journal.key -by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache() -loop will write the jset data onto each cache. - -The problem is, if all jouranl buckets on each cache is full, the -following code in journal_reclaim(), - -529 for_each_cache(ca, c, iter) { -530 struct journal_device *ja = &ca->journal; -531 unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets; -532 -533 /* No space available on this device */ -534 if (next == ja->discard_idx) -535 continue; -536 -537 ja->cur_idx = next; -538 k->ptr[n++] = MAKE_PTR(0, -539 bucket_to_sector(c, ca->sb.d[ja->cur_idx]), -540 ca->sb.nr_this_dev); -541 } -542 -543 bkey_init(k); -544 SET_KEY_PTRS(k, n); - -If there is no available bucket to reclaim, the if() condition at line -534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS() -will set KEY_PTRS field of c->journal.key to 0. - -Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in -journal_write_unlocked() the journal data is written in following loop, - -649 for (i = 0; i < KEY_PTRS(k); i++) { -650-671 submit journal data to cache device -672 } - -If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data -won't be written to cache device here. If system crahed or rebooted -before bkeys of the lost journal entries written into btree nodes, data -corruption will be reported during bcache reload after rebooting the -system. - -Indeed there is only one cache in a cache set, there is no need to set -KEY_PTRS field in journal_reclaim() at all. But in order to keep the -for_each_cache() logic consistent for now, this patch fixes the above -problem by not setting 0 KEY_PTRS of journal key, if there is no bucket -available to reclaim. - -Signed-off-by: Coly Li <colyli@suse.de> -Reviewed-by: Hannes Reinecke <hare@suse.com> -Cc: stable@vger.kernel.org -Signed-off-by: Jens Axboe <axboe@kernel.dk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/md/bcache/journal.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - ---- a/drivers/md/bcache/journal.c -+++ b/drivers/md/bcache/journal.c -@@ -513,11 +513,11 @@ static void journal_reclaim(struct cache - ca->sb.nr_this_dev); - } - -- bkey_init(k); -- SET_KEY_PTRS(k, n); -- -- if (n) -+ if (n) { -+ bkey_init(k); -+ SET_KEY_PTRS(k, n); - c->journal.blocks_free = c->sb.bucket_size >> c->block_bits; -+ } - out: - if (!journal_full(&c->journal)) - __closure_wake_up(&c->journal.wait); -@@ -639,6 +639,9 @@ static void journal_write_unlocked(struc - ca->journal.seq[ca->journal.cur_idx] = w->data->seq; - } - -+ /* If KEY_PTRS(k) == 0, this jset gets lost in air */ -+ BUG_ON(i == 0); -+ - atomic_dec_bug(&fifo_back(&c->journal.pin)); - bch_journal_next(&c->journal); - journal_reclaim(c); diff --git a/btrfs-fix-race-updating-log-root-item-during-fsync.patch b/btrfs-fix-race-updating-log-root-item-during-fsync.patch deleted file mode 100644 index 77e2e83..0000000 --- a/btrfs-fix-race-updating-log-root-item-during-fsync.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 06989c799f04810f6876900d4760c0edda369cf7 Mon Sep 17 00:00:00 2001 -From: Filipe Manana <fdmanana@suse.com> -Date: Wed, 15 May 2019 16:03:17 +0100 -Subject: Btrfs: fix race updating log root item during fsync - -From: Filipe Manana <fdmanana@suse.com> - -commit 06989c799f04810f6876900d4760c0edda369cf7 upstream. - -When syncing the log, the final phase of a fsync operation, we need to -either create a log root's item or update the existing item in the log -tree of log roots, and that depends on the current value of the log -root's log_transid - if it's 1 we need to create the log root item, -otherwise it must exist already and we update it. Since there is no -synchronization between updating the log_transid and checking it for -deciding whether the log root's item needs to be created or updated, we -end up with a tiny race window that results in attempts to update the -item to fail because the item was not yet created: - - CPU 1 CPU 2 - - btrfs_sync_log() - - lock root->log_mutex - - set log root's log_transid to 1 - - unlock root->log_mutex - - btrfs_sync_log() - - lock root->log_mutex - - sets log root's - log_transid to 2 - - unlock root->log_mutex - - update_log_root() - - sees log root's log_transid - with a value of 2 - - calls btrfs_update_root(), - which fails with -EUCLEAN - and causes transaction abort - -Until recently the race lead to a BUG_ON at btrfs_update_root(), but after -the recent commit 7ac1e464c4d47 ("btrfs: Don't panic when we can't find a -root key") we just abort the current transaction. - -A sample trace of the BUG_ON() on a SLE12 kernel: - - ------------[ cut here ]------------ - kernel BUG at ../fs/btrfs/root-tree.c:157! - Oops: Exception in kernel mode, sig: 5 [#1] - SMP NR_CPUS=2048 NUMA pSeries - (...) - Supported: Yes, External - CPU: 78 PID: 76303 Comm: rtas_errd Tainted: G X 4.4.156-94.57-default #1 - task: c00000ffa906d010 ti: c00000ff42b08000 task.ti: c00000ff42b08000 - NIP: d000000036ae5cdc LR: d000000036ae5cd8 CTR: 0000000000000000 - REGS: c00000ff42b0b860 TRAP: 0700 Tainted: G X (4.4.156-94.57-default) - MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 22444484 XER: 20000000 - CFAR: d000000036aba66c SOFTE: 1 - GPR00: d000000036ae5cd8 c00000ff42b0bae0 d000000036bda220 0000000000000054 - GPR04: 0000000000000001 0000000000000000 c00007ffff8d37c8 0000000000000000 - GPR08: c000000000e19c00 0000000000000000 0000000000000000 3736343438312079 - GPR12: 3930373337303434 c000000007a3a800 00000000007fffff 0000000000000023 - GPR16: c00000ffa9d26028 c00000ffa9d261f8 0000000000000010 c00000ffa9d2ab28 - GPR20: c00000ff42b0bc48 0000000000000001 c00000ff9f0d9888 0000000000000001 - GPR24: c00000ffa9d26000 c00000ffa9d261e8 c00000ffa9d2a800 c00000ff9f0d9888 - GPR28: c00000ffa9d26028 c00000ffa9d2aa98 0000000000000001 c00000ffa98f5b20 - NIP [d000000036ae5cdc] btrfs_update_root+0x25c/0x4e0 [btrfs] - LR [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] - Call Trace: - [c00000ff42b0bae0] [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] (unreliable) - [c00000ff42b0bba0] [d000000036b53610] btrfs_sync_log+0x2d0/0xc60 [btrfs] - [c00000ff42b0bce0] [d000000036b1785c] btrfs_sync_file+0x44c/0x4e0 [btrfs] - [c00000ff42b0bd80] [c00000000032e300] vfs_fsync_range+0x70/0x120 - [c00000ff42b0bdd0] [c00000000032e44c] do_fsync+0x5c/0xb0 - [c00000ff42b0be10] [c00000000032e8dc] SyS_fdatasync+0x2c/0x40 - [c00000ff42b0be30] [c000000000009488] system_call+0x3c/0x100 - Instruction dump: - 7f43d378 4bffebb9 60000000 88d90008 3d220000 e8b90000 3b390009 e87a01f0 - e8898e08 e8f90000 4bfd48e5 60000000 <0fe00000> e95b0060 39200004 394a0ea0 - ---[ end trace 8f2dc8f919cabab8 ]--- - -So fix this by doing the check of log_transid and updating or creating the -log root's item while holding the root's log_mutex. - -Fixes: 7237f1833601d ("Btrfs: fix tree logs parallel sync") -CC: stable@vger.kernel.org # 4.4+ -Signed-off-by: Filipe Manana <fdmanana@suse.com> -Signed-off-by: David Sterba <dsterba@suse.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/btrfs/tree-log.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/fs/btrfs/tree-log.c -+++ b/fs/btrfs/tree-log.c -@@ -2565,6 +2565,12 @@ int btrfs_sync_log(struct btrfs_trans_ha - log->log_transid = root->log_transid; - root->log_start_pid = 0; - /* -+ * Update or create log root item under the root's log_mutex to prevent -+ * races with concurrent log syncs that can lead to failure to update -+ * log root item because it was not created yet. -+ */ -+ ret = update_log_root(trans, log); -+ /* - * IO has been started, blocks of the log tree have WRITTEN flag set - * in their headers. new modifications of the log will be written to - * new positions. so it's safe to allow log writers to go in. -@@ -2583,8 +2589,6 @@ int btrfs_sync_log(struct btrfs_trans_ha - - mutex_unlock(&log_root_tree->log_mutex); - -- ret = update_log_root(trans, log); -- - mutex_lock(&log_root_tree->log_mutex); - if (atomic_dec_and_test(&log_root_tree->log_writers)) { - smp_mb(); diff --git a/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch b/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch deleted file mode 100644 index 70a083d..0000000 --- a/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 00abf69dd24f4444d185982379c5cc3bb7b6d1fc Mon Sep 17 00:00:00 2001 -From: Jeff Layton <jlayton@kernel.org> -Date: Tue, 7 May 2019 09:20:54 -0400 -Subject: ceph: flush dirty inodes before proceeding with remount - -From: Jeff Layton <jlayton@kernel.org> - -commit 00abf69dd24f4444d185982379c5cc3bb7b6d1fc upstream. - -xfstest generic/452 was triggering a "Busy inodes after umount" warning. -ceph was allowing the mount to go read-only without first flushing out -dirty inodes in the cache. Ensure we sync out the filesystem before -allowing a remount to proceed. - -Cc: stable@vger.kernel.org -Link: http://tracker.ceph.com/issues/39571 -Signed-off-by: Jeff Layton <jlayton@kernel.org> -Reviewed-by: "Yan, Zheng" <zyan@redhat.com> -Signed-off-by: Ilya Dryomov <idryomov@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/ceph/super.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/fs/ceph/super.c -+++ b/fs/ceph/super.c -@@ -705,6 +705,12 @@ static void ceph_umount_begin(struct sup - return; - } - -+static int ceph_remount(struct super_block *sb, int *flags, char *data) -+{ -+ sync_filesystem(sb); -+ return 0; -+} -+ - static const struct super_operations ceph_super_ops = { - .alloc_inode = ceph_alloc_inode, - .destroy_inode = ceph_destroy_inode, -@@ -712,6 +718,7 @@ static const struct super_operations cep - .drop_inode = ceph_drop_inode, - .sync_fs = ceph_sync_fs, - .put_super = ceph_put_super, -+ .remount_fs = ceph_remount, - .show_options = ceph_show_options, - .statfs = ceph_statfs, - .umount_begin = ceph_umount_begin, diff --git a/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch b/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch deleted file mode 100644 index eab5190..0000000 --- a/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 31fad7d41e73731f05b8053d17078638cf850fa6 Mon Sep 17 00:00:00 2001 -From: Roberto Bergantinos Corpas <rbergant@redhat.com> -Date: Tue, 28 May 2019 09:38:14 +0200 -Subject: CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM - -From: Roberto Bergantinos Corpas <rbergant@redhat.com> - -commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream. - - In cifs_read_allocate_pages, in case of ENOMEM, we go through -whole rdata->pages array but we have failed the allocation before -nr_pages, therefore we may end up calling put_page with NULL -pointer, causing oops - -Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com> -Acked-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -CC: Stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/cifs/file.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/fs/cifs/file.c -+++ b/fs/cifs/file.c -@@ -2836,7 +2836,9 @@ cifs_read_allocate_pages(struct cifs_rea - } - - if (rc) { -- for (i = 0; i < nr_pages; i++) { -+ unsigned int nr_page_failed = i; -+ -+ for (i = 0; i < nr_page_failed; i++) { - put_page(rdata->pages[i]); - rdata->pages[i] = NULL; - } diff --git a/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch b/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch deleted file mode 100644 index 47dec05..0000000 --- a/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb Mon Sep 17 00:00:00 2001 -From: Christoph Probst <kernel@probst.it> -Date: Tue, 7 May 2019 17:16:40 +0200 -Subject: cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() - -From: Christoph Probst <kernel@probst.it> - -commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream. - -Change strcat to strncpy in the "None" case to fix a buffer overflow -when cinode->oplock is reset to 0 by another thread accessing the same -cinode. It is never valid to append "None" to any other message. - -Consolidate multiple writes to cinode->oplock to reduce raciness. - -Signed-off-by: Christoph Probst <kernel@probst.it> -Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -CC: Stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/cifs/smb2ops.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - ---- a/fs/cifs/smb2ops.c -+++ b/fs/cifs/smb2ops.c -@@ -1201,26 +1201,28 @@ smb21_set_oplock_level(struct cifsInodeI - unsigned int epoch, bool *purge_cache) - { - char message[5] = {0}; -+ unsigned int new_oplock = 0; - - oplock &= 0xFF; - if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) - return; - -- cinode->oplock = 0; - if (oplock & SMB2_LEASE_READ_CACHING_HE) { -- cinode->oplock |= CIFS_CACHE_READ_FLG; -+ new_oplock |= CIFS_CACHE_READ_FLG; - strcat(message, "R"); - } - if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { -- cinode->oplock |= CIFS_CACHE_HANDLE_FLG; -+ new_oplock |= CIFS_CACHE_HANDLE_FLG; - strcat(message, "H"); - } - if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { -- cinode->oplock |= CIFS_CACHE_WRITE_FLG; -+ new_oplock |= CIFS_CACHE_WRITE_FLG; - strcat(message, "W"); - } -- if (!cinode->oplock) -- strcat(message, "None"); -+ if (!new_oplock) -+ strncpy(message, "None", sizeof(message)); -+ -+ cinode->oplock = new_oplock; - cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, - &cinode->vfs_inode); - } diff --git a/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch b/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch deleted file mode 100644 index 293a80a..0000000 --- a/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001 -From: Dmitry Osipenko <digetx@gmail.com> -Date: Fri, 12 Apr 2019 00:48:34 +0300 -Subject: clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider - -From: Dmitry Osipenko <digetx@gmail.com> - -commit 40db569d6769ffa3864fd1b89616b1a7323568a8 upstream. - -There are wrongly set parenthesis in the code that are resulting in a -wrong configuration being programmed for PLLM. The original fix was made -by Danny Huang in the downstream kernel. The patch was tested on Nyan Big -Tegra124 chromebook, PLLM rate changing works correctly now and system -doesn't lock up after changing the PLLM rate due to EMC scaling. - -Cc: <stable@vger.kernel.org> -Tested-by: Steev Klimaszewski <steev@kali.org> -Signed-off-by: Dmitry Osipenko <digetx@gmail.com> -Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com> -Signed-off-by: Stephen Boyd <sboyd@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/clk/tegra/clk-pll.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/clk/tegra/clk-pll.c -+++ b/drivers/clk/tegra/clk-pll.c -@@ -492,8 +492,8 @@ static void _update_pll_mnp(struct tegra - pll_override_writel(val, params->pmc_divp_reg, pll); - - val = pll_override_readl(params->pmc_divnm_reg, pll); -- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) | -- ~(divn_mask(pll) << div_nmp->override_divn_shift); -+ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) | -+ (divn_mask(pll) << div_nmp->override_divn_shift)); - val |= (cfg->m << div_nmp->override_divm_shift) | - (cfg->n << div_nmp->override_divn_shift); - pll_override_writel(val, params->pmc_divnm_reg, pll); diff --git a/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch b/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch deleted file mode 100644 index 6ebfc20..0000000 --- a/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 767f015ea0b7ab9d60432ff6cd06b664fd71f50f Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Tue, 9 Apr 2019 23:46:31 -0700 -Subject: crypto: arm/aes-neonbs - don't access already-freed walk.iv - -From: Eric Biggers <ebiggers@google.com> - -commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream. - -If the user-provided IV needs to be aligned to the algorithm's -alignmask, then skcipher_walk_virt() copies the IV into a new aligned -buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then -if the caller unconditionally accesses walk.iv, it's a use-after-free. - -arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't -affected by this despite unconditionally accessing walk.iv. However -this is more subtle than desired, and it was actually broken prior to -the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes - -replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to -start checking the return value of skcipher_walk_virt(). - -Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") -Cc: <stable@vger.kernel.org> # v3.13+ -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - - ---- - arch/arm/crypto/aesbs-glue.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/arch/arm/crypto/aesbs-glue.c -+++ b/arch/arm/crypto/aesbs-glue.c -@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkc - - blkcipher_walk_init(&walk, dst, src, nbytes); - err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); -+ if (err) -+ return err; - - /* generate the initial tweak */ - AES_encrypt(walk.iv, walk.iv, &ctx->twkey); -@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkc - - blkcipher_walk_init(&walk, dst, src, nbytes); - err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); -+ if (err) -+ return err; - - /* generate the initial tweak */ - AES_encrypt(walk.iv, walk.iv, &ctx->twkey); diff --git a/crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch b/crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch deleted file mode 100644 index d032c1c..0000000 --- a/crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 307508d1072979f4435416f87936f87eaeb82054 Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Sun, 31 Mar 2019 13:04:12 -0700 -Subject: crypto: crct10dif-generic - fix use via crypto_shash_digest() - -From: Eric Biggers <ebiggers@google.com> - -commit 307508d1072979f4435416f87936f87eaeb82054 upstream. - -The ->digest() method of crct10dif-generic reads the current CRC value -from the shash_desc context. But this value is uninitialized, causing -crypto_shash_digest() to compute the wrong result. Fix it. - -Probably this wasn't noticed before because lib/crc-t10dif.c only uses -crypto_shash_update(), not crypto_shash_digest(). Likewise, -crypto_shash_digest() is not yet tested by the crypto self-tests because -those only test the ahash API which only uses shash init/update/final. - -This bug was detected by my patches that improve testmgr to fuzz -algorithms against their generic implementation. - -Fixes: 2d31e518a428 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework") -Cc: <stable@vger.kernel.org> # v3.11+ -Cc: Tim Chen <tim.c.chen@linux.intel.com> -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - crypto/crct10dif_generic.c | 11 ++++------- - 1 file changed, 4 insertions(+), 7 deletions(-) - ---- a/crypto/crct10dif_generic.c -+++ b/crypto/crct10dif_generic.c -@@ -65,10 +65,9 @@ static int chksum_final(struct shash_des - return 0; - } - --static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len, -- u8 *out) -+static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out) - { -- *(__u16 *)out = crc_t10dif_generic(*crcp, data, len); -+ *(__u16 *)out = crc_t10dif_generic(crc, data, len); - return 0; - } - -@@ -77,15 +76,13 @@ static int chksum_finup(struct shash_des - { - struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); - -- return __chksum_finup(&ctx->crc, data, len, out); -+ return __chksum_finup(ctx->crc, data, len, out); - } - - static int chksum_digest(struct shash_desc *desc, const u8 *data, - unsigned int length, u8 *out) - { -- struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); -- -- return __chksum_finup(&ctx->crc, data, length, out); -+ return __chksum_finup(0, data, length, out); - } - - static struct shash_alg alg = { diff --git a/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch b/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch deleted file mode 100644 index 4666e4b..0000000 --- a/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 9b40f79c08e81234d759f188b233980d7e81df6c Mon Sep 17 00:00:00 2001 -From: Wei Yongjun <weiyongjun1@huawei.com> -Date: Mon, 17 Oct 2016 15:10:06 +0000 -Subject: crypto: gcm - Fix error return code in crypto_gcm_create_common() - -From: Wei Yongjun <weiyongjun1@huawei.com> - -commit 9b40f79c08e81234d759f188b233980d7e81df6c upstream. - -Fix to return error code -EINVAL from the invalid alg ivsize error -handling case instead of 0, as done elsewhere in this function. - -Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - crypto/gcm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/crypto/gcm.c -+++ b/crypto/gcm.c -@@ -742,11 +742,11 @@ static struct crypto_instance *crypto_gc - ctr = crypto_skcipher_spawn_alg(&ctx->ctr); - - /* We only support 16-byte blocks. */ -+ err = -EINVAL; - if (ctr->cra_ablkcipher.ivsize != 16) - goto out_put_ctr; - - /* Not a stream cipher? */ -- err = -EINVAL; - if (ctr->cra_blocksize != 1) - goto out_put_ctr; - diff --git a/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch b/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch deleted file mode 100644 index 023c521..0000000 --- a/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch +++ /dev/null @@ -1,139 +0,0 @@ -From f699594d436960160f6d5ba84ed4a222f20d11cd Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Thu, 18 Apr 2019 14:43:02 -0700 -Subject: crypto: gcm - fix incompatibility between "gcm" and "gcm_base" - -From: Eric Biggers <ebiggers@google.com> - -commit f699594d436960160f6d5ba84ed4a222f20d11cd upstream. - -GCM instances can be created by either the "gcm" template, which only -allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base", -which allows choosing the ctr and ghash implementations, e.g. -"gcm_base(ctr(aes-generic),ghash-generic)". - -However, a "gcm_base" instance prevents a "gcm" instance from being -registered using the same implementations. Nor will the instance be -found by lookups of "gcm". This can be used as a denial of service. -Moreover, "gcm_base" instances are never tested by the crypto -self-tests, even if there are compatible "gcm" tests. - -The root cause of these problems is that instances of the two templates -use different cra_names. Therefore, fix these problems by making -"gcm_base" instances set the same cra_name as "gcm" instances, e.g. -"gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)". - -This requires extracting the block cipher name from the name of the ctr -algorithm. It also requires starting to verify that the algorithms are -really ctr and ghash, not something else entirely. But it would be -bizarre if anyone were actually using non-gcm-compatible algorithms with -gcm_base, so this shouldn't break anyone in practice. - -Fixes: d00aa19b507b ("[CRYPTO] gcm: Allow block cipher parameter") -Cc: stable@vger.kernel.org -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - - -diff --git a/crypto/gcm.c b/crypto/gcm.c -index f1c16589af8bb..9d3bffc0238f0 100644 ---- a/crypto/gcm.c -+++ b/crypto/gcm.c -@@ -616,7 +616,6 @@ static void crypto_gcm_free(struct aead_instance *inst) - - static int crypto_gcm_create_common(struct crypto_template *tmpl, - struct rtattr **tb, -- const char *full_name, - const char *ctr_name, - const char *ghash_name) - { -@@ -657,7 +656,8 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl, - goto err_free_inst; - - err = -EINVAL; -- if (ghash->digestsize != 16) -+ if (strcmp(ghash->base.cra_name, "ghash") != 0 || -+ ghash->digestsize != 16) - goto err_drop_ghash; - - crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst)); -@@ -669,24 +669,24 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl, - - ctr = crypto_skcipher_spawn_alg(&ctx->ctr); - -- /* We only support 16-byte blocks. */ -+ /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */ - err = -EINVAL; -- if (ctr->cra_ablkcipher.ivsize != 16) -+ if (strncmp(ctr->cra_name, "ctr(", 4) != 0 || -+ ctr->cra_ablkcipher.ivsize != 16 || -+ ctr->cra_blocksize != 1) - goto out_put_ctr; - -- /* Not a stream cipher? */ -- if (ctr->cra_blocksize != 1) -+ err = -ENAMETOOLONG; -+ if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, -+ "gcm(%s", ctr->cra_name + 4) >= CRYPTO_MAX_ALG_NAME) - goto out_put_ctr; - -- err = -ENAMETOOLONG; - if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, - "gcm_base(%s,%s)", ctr->cra_driver_name, - ghash_alg->cra_driver_name) >= - CRYPTO_MAX_ALG_NAME) - goto out_put_ctr; - -- memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); -- - inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) & - CRYPTO_ALG_ASYNC; - inst->alg.base.cra_priority = (ghash->base.cra_priority + -@@ -727,7 +727,6 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) - { - const char *cipher_name; - char ctr_name[CRYPTO_MAX_ALG_NAME]; -- char full_name[CRYPTO_MAX_ALG_NAME]; - - cipher_name = crypto_attr_alg_name(tb[1]); - if (IS_ERR(cipher_name)) -@@ -737,12 +736,7 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) - CRYPTO_MAX_ALG_NAME) - return -ENAMETOOLONG; - -- if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >= -- CRYPTO_MAX_ALG_NAME) -- return -ENAMETOOLONG; -- -- return crypto_gcm_create_common(tmpl, tb, full_name, -- ctr_name, "ghash"); -+ return crypto_gcm_create_common(tmpl, tb, ctr_name, "ghash"); - } - - static struct crypto_template crypto_gcm_tmpl = { -@@ -756,7 +750,6 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl, - { - const char *ctr_name; - const char *ghash_name; -- char full_name[CRYPTO_MAX_ALG_NAME]; - - ctr_name = crypto_attr_alg_name(tb[1]); - if (IS_ERR(ctr_name)) -@@ -766,12 +759,7 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl, - if (IS_ERR(ghash_name)) - return PTR_ERR(ghash_name); - -- if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)", -- ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME) -- return -ENAMETOOLONG; -- -- return crypto_gcm_create_common(tmpl, tb, full_name, -- ctr_name, ghash_name); -+ return crypto_gcm_create_common(tmpl, tb, ctr_name, ghash_name); - } - - static struct crypto_template crypto_gcm_base_tmpl = { --- -2.21.0.1020.gf2820cf01a-goog - diff --git a/crypto-salsa20-don-t-access-already-freed-walk.iv.patch b/crypto-salsa20-don-t-access-already-freed-walk.iv.patch deleted file mode 100644 index 2e94806..0000000 --- a/crypto-salsa20-don-t-access-already-freed-walk.iv.patch +++ /dev/null @@ -1,45 +0,0 @@ -From edaf28e996af69222b2cb40455dbb5459c2b875a Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Tue, 9 Apr 2019 23:46:30 -0700 -Subject: crypto: salsa20 - don't access already-freed walk.iv - -From: Eric Biggers <ebiggers@google.com> - -commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream. - -If the user-provided IV needs to be aligned to the algorithm's -alignmask, then skcipher_walk_virt() copies the IV into a new aligned -buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then -if the caller unconditionally accesses walk.iv, it's a use-after-free. - -salsa20-generic doesn't set an alignmask, so currently it isn't affected -by this despite unconditionally accessing walk.iv. However this is more -subtle than desired, and it was actually broken prior to the alignmask -being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup -and convert to skcipher API"). - -Since salsa20-generic does not update the IV and does not need any IV -alignment, update it to use req->iv instead of walk.iv. - -Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") -Cc: stable@vger.kernel.org -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - - ---- - crypto/salsa20_generic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/crypto/salsa20_generic.c -+++ b/crypto/salsa20_generic.c -@@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc - blkcipher_walk_init(&walk, dst, src, nbytes); - err = blkcipher_walk_virt_block(desc, &walk, 64); - -- salsa20_ivsetup(ctx, walk.iv); -+ salsa20_ivsetup(ctx, desc->info); - - while (walk.nbytes >= 64) { - salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, diff --git a/crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch b/crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch deleted file mode 100644 index 0c91aeb..0000000 --- a/crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch +++ /dev/null @@ -1,68 +0,0 @@ -From dec3d0b1071a0f3194e66a83d26ecf4aa8c5910e Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Sun, 31 Mar 2019 13:04:13 -0700 -Subject: crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() - -From: Eric Biggers <ebiggers@google.com> - -commit dec3d0b1071a0f3194e66a83d26ecf4aa8c5910e upstream. - -The ->digest() method of crct10dif-pclmul reads the current CRC value -from the shash_desc context. But this value is uninitialized, causing -crypto_shash_digest() to compute the wrong result. Fix it. - -Probably this wasn't noticed before because lib/crc-t10dif.c only uses -crypto_shash_update(), not crypto_shash_digest(). Likewise, -crypto_shash_digest() is not yet tested by the crypto self-tests because -those only test the ahash API which only uses shash init/update/final. - -Fixes: 0b95a7f85718 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform") -Cc: <stable@vger.kernel.org> # v3.11+ -Cc: Tim Chen <tim.c.chen@linux.intel.com> -Signed-off-by: Eric Biggers <ebiggers@google.com> -Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/x86/crypto/crct10dif-pclmul_glue.c | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - ---- a/arch/x86/crypto/crct10dif-pclmul_glue.c -+++ b/arch/x86/crypto/crct10dif-pclmul_glue.c -@@ -76,15 +76,14 @@ static int chksum_final(struct shash_des - return 0; - } - --static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len, -- u8 *out) -+static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out) - { - if (irq_fpu_usable()) { - kernel_fpu_begin(); -- *(__u16 *)out = crc_t10dif_pcl(*crcp, data, len); -+ *(__u16 *)out = crc_t10dif_pcl(crc, data, len); - kernel_fpu_end(); - } else -- *(__u16 *)out = crc_t10dif_generic(*crcp, data, len); -+ *(__u16 *)out = crc_t10dif_generic(crc, data, len); - return 0; - } - -@@ -93,15 +92,13 @@ static int chksum_finup(struct shash_des - { - struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); - -- return __chksum_finup(&ctx->crc, data, len, out); -+ return __chksum_finup(ctx->crc, data, len, out); - } - - static int chksum_digest(struct shash_desc *desc, const u8 *data, - unsigned int length, u8 *out) - { -- struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); -- -- return __chksum_finup(&ctx->crc, data, length, out); -+ return __chksum_finup(0, data, length, out); - } - - static struct shash_alg alg = { diff --git a/dm-delay-fix-a-crash-when-invalid-device-is-specified.patch b/dm-delay-fix-a-crash-when-invalid-device-is-specified.patch deleted file mode 100644 index 901d466..0000000 --- a/dm-delay-fix-a-crash-when-invalid-device-is-specified.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 81bc6d150ace6250503b825d9d0c10f7bbd24095 Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka <mpatocka@redhat.com> -Date: Thu, 25 Apr 2019 12:07:54 -0400 -Subject: dm delay: fix a crash when invalid device is specified - -From: Mikulas Patocka <mpatocka@redhat.com> - -commit 81bc6d150ace6250503b825d9d0c10f7bbd24095 upstream. - -When the target line contains an invalid device, delay_ctr() will call -delay_dtr() with NULL workqueue. Attempting to destroy the NULL -workqueue causes a crash. - -Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> -Cc: stable@vger.kernel.org -Signed-off-by: Mike Snitzer <snitzer@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/md/dm-delay.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/md/dm-delay.c -+++ b/drivers/md/dm-delay.c -@@ -215,7 +215,8 @@ static void delay_dtr(struct dm_target * - { - struct delay_c *dc = ti->private; - -- destroy_workqueue(dc->kdelayd_wq); -+ if (dc->kdelayd_wq) -+ destroy_workqueue(dc->kdelayd_wq); - - dm_put_device(ti, dc->dev_read); - diff --git a/drm-gma500-cdv-check-vbt-config-bits-when-detecting-lvds-panels.patch b/drm-gma500-cdv-check-vbt-config-bits-when-detecting-lvds-panels.patch deleted file mode 100644 index 0bc8260..0000000 --- a/drm-gma500-cdv-check-vbt-config-bits-when-detecting-lvds-panels.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 7c420636860a719049fae9403e2c87804f53bdde Mon Sep 17 00:00:00 2001 -From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> -Date: Tue, 16 Apr 2019 13:46:07 +0200 -Subject: drm/gma500/cdv: Check vbt config bits when detecting lvds panels - -From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> - -commit 7c420636860a719049fae9403e2c87804f53bdde upstream. - -Some machines have an lvds child device in vbt even though a panel is -not attached. To make detection more reliable we now also check the lvds -config bits available in the vbt. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1665766 -Cc: stable@vger.kernel.org -Reviewed-by: Hans de Goede <hdegoede@redhat.com> -Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com> -Link: https://patchwork.freedesktop.org/patch/msgid/20190416114607.1072-1-patrik.r.jakobsson@gmail.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++ - drivers/gpu/drm/gma500/intel_bios.c | 3 +++ - drivers/gpu/drm/gma500/psb_drv.h | 1 + - 3 files changed, 7 insertions(+) - ---- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c -+++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c -@@ -620,6 +620,9 @@ void cdv_intel_lvds_init(struct drm_devi - int pipe; - u8 pin; - -+ if (!dev_priv->lvds_enabled_in_vbt) -+ return; -+ - pin = GMBUS_PORT_PANEL; - if (!lvds_is_present_in_vbt(dev, &pin)) { - DRM_DEBUG_KMS("LVDS is not present in VBT\n"); ---- a/drivers/gpu/drm/gma500/intel_bios.c -+++ b/drivers/gpu/drm/gma500/intel_bios.c -@@ -436,6 +436,9 @@ parse_driver_features(struct drm_psb_pri - if (driver->lvds_config == BDB_DRIVER_FEATURE_EDP) - dev_priv->edp.support = 1; - -+ dev_priv->lvds_enabled_in_vbt = driver->lvds_config != 0; -+ DRM_DEBUG_KMS("LVDS VBT config bits: 0x%x\n", driver->lvds_config); -+ - /* This bit means to use 96Mhz for DPLL_A or not */ - if (driver->primary_lfp_id) - dev_priv->dplla_96mhz = true; ---- a/drivers/gpu/drm/gma500/psb_drv.h -+++ b/drivers/gpu/drm/gma500/psb_drv.h -@@ -533,6 +533,7 @@ struct drm_psb_private { - int lvds_ssc_freq; - bool is_lvds_on; - bool is_mipi_on; -+ bool lvds_enabled_in_vbt; - u32 mipi_ctrl_display; - - unsigned int core_freq; diff --git a/ethtool-check-the-return-value-of-get_regs_len.patch b/ethtool-check-the-return-value-of-get_regs_len.patch deleted file mode 100644 index 0b9b704..0000000 --- a/ethtool-check-the-return-value-of-get_regs_len.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f9fc54d313fab2834f44f516459cdc8ac91d797f Mon Sep 17 00:00:00 2001 -From: Yunsheng Lin <linyunsheng@huawei.com> -Date: Wed, 26 Dec 2018 19:51:46 +0800 -Subject: ethtool: check the return value of get_regs_len - -From: Yunsheng Lin <linyunsheng@huawei.com> - -commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream. - -The return type for get_regs_len in struct ethtool_ops is int, -the hns3 driver may return error when failing to get the regs -len by sending cmd to firmware. - -Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Cc: Michal Kubecek <mkubecek@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - net/core/ethtool.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - ---- a/net/core/ethtool.c -+++ b/net/core/ethtool.c -@@ -404,8 +404,13 @@ static noinline_for_stack int ethtool_ge - if (rc >= 0) - info.n_priv_flags = rc; - } -- if (ops->get_regs_len) -- info.regdump_len = ops->get_regs_len(dev); -+ if (ops->get_regs_len) { -+ int ret = ops->get_regs_len(dev); -+ -+ if (ret > 0) -+ info.regdump_len = ret; -+ } -+ - if (ops->get_eeprom_len) - info.eedump_len = ops->get_eeprom_len(dev); - -@@ -856,6 +861,9 @@ static int ethtool_get_regs(struct net_d - return -EFAULT; - - reglen = ops->get_regs_len(dev); -+ if (reglen <= 0) -+ return reglen; -+ - if (regs.len > reglen) - regs.len = reglen; - diff --git a/ethtool-fix-potential-userspace-buffer-overflow.patch b/ethtool-fix-potential-userspace-buffer-overflow.patch deleted file mode 100644 index 38843a2..0000000 --- a/ethtool-fix-potential-userspace-buffer-overflow.patch +++ /dev/null @@ -1,54 +0,0 @@ -From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST -From: Vivien Didelot <vivien.didelot@gmail.com> -Date: Mon, 3 Jun 2019 16:57:13 -0400 -Subject: ethtool: fix potential userspace buffer overflow - -From: Vivien Didelot <vivien.didelot@gmail.com> - -[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ] - -ethtool_get_regs() allocates a buffer of size ops->get_regs_len(), -and pass it to the kernel driver via ops->get_regs() for filling. - -There is no restriction about what the kernel drivers can or cannot do -with the open ethtool_regs structure. They usually set regs->version -and ignore regs->len or set it to the same size as ops->get_regs_len(). - -But if userspace allocates a smaller buffer for the registers dump, -we would cause a userspace buffer overflow in the final copy_to_user() -call, which uses the regs.len value potentially reset by the driver. - -To fix this, make this case obvious and store regs.len before calling -ops->get_regs(), to only copy as much data as requested by userspace, -up to the value returned by ops->get_regs_len(). - -While at it, remove the redundant check for non-null regbuf. - -Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com> -Reviewed-by: Michal Kubecek <mkubecek@suse.cz> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/core/ethtool.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/net/core/ethtool.c -+++ b/net/core/ethtool.c -@@ -863,13 +863,16 @@ static int ethtool_get_regs(struct net_d - if (reglen && !regbuf) - return -ENOMEM; - -+ if (regs.len < reglen) -+ reglen = regs.len; -+ - ops->get_regs(dev, ®s, regbuf); - - ret = -EFAULT; - if (copy_to_user(useraddr, ®s, sizeof(regs))) - goto out; - useraddr += offsetof(struct ethtool_regs, data); -- if (regbuf && copy_to_user(useraddr, regbuf, regs.len)) -+ if (copy_to_user(useraddr, regbuf, reglen)) - goto out; - ret = 0; - diff --git a/ext4-actually-request-zeroing-of-inode-table-after-grow.patch b/ext4-actually-request-zeroing-of-inode-table-after-grow.patch deleted file mode 100644 index 73740fc..0000000 --- a/ext4-actually-request-zeroing-of-inode-table-after-grow.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 310a997fd74de778b9a4848a64be9cda9f18764a Mon Sep 17 00:00:00 2001 -From: Kirill Tkhai <ktkhai@virtuozzo.com> -Date: Thu, 25 Apr 2019 13:06:18 -0400 -Subject: ext4: actually request zeroing of inode table after grow - -From: Kirill Tkhai <ktkhai@virtuozzo.com> - -commit 310a997fd74de778b9a4848a64be9cda9f18764a upstream. - -It is never possible, that number of block groups decreases, -since only online grow is supported. - -But after a growing occured, we have to zero inode tables -for just created new block groups. - -Fixes: 19c5246d2516 ("ext4: add new online resize interface") -Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Reviewed-by: Jan Kara <jack@suse.cz> -Cc: stable@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/ext4/ioctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/ext4/ioctl.c -+++ b/fs/ext4/ioctl.c -@@ -577,7 +577,7 @@ group_add_out: - if (err == 0) - err = err2; - mnt_drop_write_file(filp); -- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) && -+ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) && - ext4_has_group_desc_csum(sb) && - test_opt(sb, INIT_INODE_TABLE)) - err = ext4_register_li_request(sb, o_group); diff --git a/ext4-do-not-delete-unlinked-inode-from-orphan-list-on-failed-truncate.patch b/ext4-do-not-delete-unlinked-inode-from-orphan-list-on-failed-truncate.patch deleted file mode 100644 index b0f9192..0000000 --- a/ext4-do-not-delete-unlinked-inode-from-orphan-list-on-failed-truncate.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ee0ed02ca93ef1ecf8963ad96638795d55af2c14 Mon Sep 17 00:00:00 2001 -From: Jan Kara <jack@suse.cz> -Date: Thu, 23 May 2019 23:35:28 -0400 -Subject: ext4: do not delete unlinked inode from orphan list on failed truncate - -From: Jan Kara <jack@suse.cz> - -commit ee0ed02ca93ef1ecf8963ad96638795d55af2c14 upstream. - -It is possible that unlinked inode enters ext4_setattr() (e.g. if -somebody calls ftruncate(2) on unlinked but still open file). In such -case we should not delete the inode from the orphan list if truncate -fails. Note that this is mostly a theoretical concern as filesystem is -corrupted if we reach this path anyway but let's be consistent in our -orphan handling. - -Reviewed-by: Ira Weiny <ira.weiny@intel.com> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Cc: stable@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/ext4/inode.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4606,7 +4606,7 @@ int ext4_setattr(struct dentry *dentry, - up_write(&EXT4_I(inode)->i_data_sem); - ext4_journal_stop(handle); - if (error) { -- if (orphan) -+ if (orphan && inode->i_nlink) - ext4_orphan_del(NULL, inode); - goto err_out; - } diff --git a/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch deleted file mode 100644 index e81ef9a..0000000 --- a/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001 -From: Sriram Rajagopalan <sriramr@arista.com> -Date: Fri, 10 May 2019 19:28:06 -0400 -Subject: ext4: zero out the unused memory region in the extent tree block - -From: Sriram Rajagopalan <sriramr@arista.com> - -commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream. - -This commit zeroes out the unused memory region in the buffer_head -corresponding to the extent metablock after writing the extent header -and the corresponding extent node entries. - -This is done to prevent random uninitialized data from getting into -the filesystem when the extent block is synced. - -This fixes CVE-2019-11833. - -Signed-off-by: Sriram Rajagopalan <sriramr@arista.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Cc: stable@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/ext4/extents.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -1043,6 +1043,7 @@ static int ext4_ext_split(handle_t *hand - __le32 border; - ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ - int err = 0; -+ size_t ext_size = 0; - - /* make decision: where to split? */ - /* FIXME: now decision is simplest: at current extent */ -@@ -1134,6 +1135,10 @@ static int ext4_ext_split(handle_t *hand - le16_add_cpu(&neh->eh_entries, m); - } - -+ /* zero out unused area in the extent block */ -+ ext_size = sizeof(struct ext4_extent_header) + -+ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); -+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); - ext4_extent_block_csum_set(inode, neh); - set_buffer_uptodate(bh); - unlock_buffer(bh); -@@ -1213,6 +1218,11 @@ static int ext4_ext_split(handle_t *hand - sizeof(struct ext4_extent_idx) * m); - le16_add_cpu(&neh->eh_entries, m); - } -+ /* zero out unused area in the extent block */ -+ ext_size = sizeof(struct ext4_extent_header) + -+ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); -+ memset(bh->b_data + ext_size, 0, -+ inode->i_sb->s_blocksize - ext_size); - ext4_extent_block_csum_set(inode, neh); - set_buffer_uptodate(bh); - unlock_buffer(bh); -@@ -1278,6 +1288,7 @@ static int ext4_ext_grow_indepth(handle_ - ext4_fsblk_t newblock, goal = 0; - struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; - int err = 0; -+ size_t ext_size = 0; - - /* Try to prepend new index to old one */ - if (ext_depth(inode)) -@@ -1303,9 +1314,11 @@ static int ext4_ext_grow_indepth(handle_ - goto out; - } - -+ ext_size = sizeof(EXT4_I(inode)->i_data); - /* move top-level index/leaf into new block */ -- memmove(bh->b_data, EXT4_I(inode)->i_data, -- sizeof(EXT4_I(inode)->i_data)); -+ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); -+ /* zero out unused area in the extent block */ -+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); - - /* set size of new block */ - neh = ext_block_hdr(bh); diff --git a/fbdev-fix-divide-error-in-fb_var_to_videomode.patch b/fbdev-fix-divide-error-in-fb_var_to_videomode.patch deleted file mode 100644 index 7f0e101..0000000 --- a/fbdev-fix-divide-error-in-fb_var_to_videomode.patch +++ /dev/null @@ -1,81 +0,0 @@ -From cf84807f6dd0be5214378e66460cfc9187f532f9 Mon Sep 17 00:00:00 2001 -From: Shile Zhang <shile.zhang@linux.alibaba.com> -Date: Mon, 1 Apr 2019 17:47:00 +0200 -Subject: fbdev: fix divide error in fb_var_to_videomode - -From: Shile Zhang <shile.zhang@linux.alibaba.com> - -commit cf84807f6dd0be5214378e66460cfc9187f532f9 upstream. - -To fix following divide-by-zero error found by Syzkaller: - - divide error: 0000 [#1] SMP PTI - CPU: 7 PID: 8447 Comm: test Kdump: loaded Not tainted 4.19.24-8.al7.x86_64 #1 - Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 - RIP: 0010:fb_var_to_videomode+0xae/0xc0 - Code: 04 44 03 46 78 03 4e 7c 44 03 46 68 03 4e 70 89 ce d1 ee 69 c0 e8 03 00 00 f6 c2 01 0f 45 ce 83 e2 02 8d 34 09 0f 45 ce 31 d2 <41> f7 f0 31 d2 f7 f1 89 47 08 f3 c3 66 0f 1f 44 00 00 0f 1f 44 00 - RSP: 0018:ffffb7e189347bf0 EFLAGS: 00010246 - RAX: 00000000e1692410 RBX: ffffb7e189347d60 RCX: 0000000000000000 - RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb7e189347c10 - RBP: ffff99972a091c00 R08: 0000000000000000 R09: 0000000000000000 - R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000100 - R13: 0000000000010000 R14: 00007ffd66baf6d0 R15: 0000000000000000 - FS: 00007f2054d11740(0000) GS:ffff99972fbc0000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 00007f205481fd20 CR3: 00000004288a0001 CR4: 00000000001606a0 - Call Trace: - fb_set_var+0x257/0x390 - ? lookup_fast+0xbb/0x2b0 - ? fb_open+0xc0/0x140 - ? chrdev_open+0xa6/0x1a0 - do_fb_ioctl+0x445/0x5a0 - do_vfs_ioctl+0x92/0x5f0 - ? __alloc_fd+0x3d/0x160 - ksys_ioctl+0x60/0x90 - __x64_sys_ioctl+0x16/0x20 - do_syscall_64+0x5b/0x190 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - RIP: 0033:0x7f20548258d7 - Code: 44 00 00 48 8b 05 b9 15 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 15 2d 00 f7 d8 64 89 01 48 - -It can be triggered easily with following test code: - - #include <linux/fb.h> - #include <fcntl.h> - #include <sys/ioctl.h> - int main(void) - { - struct fb_var_screeninfo var = {.activate = 0x100, .pixclock = 60}; - int fd = open("/dev/fb0", O_RDWR); - if (fd < 0) - return 1; - - if (ioctl(fd, FBIOPUT_VSCREENINFO, &var)) - return 1; - - return 0; - } - -Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com> -Cc: Fredrik Noring <noring@nocrew.org> -Cc: Daniel Vetter <daniel.vetter@ffwll.ch> -Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> -Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/video/fbdev/core/modedb.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/video/fbdev/core/modedb.c -+++ b/drivers/video/fbdev/core/modedb.c -@@ -822,6 +822,9 @@ void fb_var_to_videomode(struct fb_video - if (var->vmode & FB_VMODE_DOUBLE) - vtotal *= 2; - -+ if (!htotal || !vtotal) -+ return; -+ - hfreq = pixclock/htotal; - mode->refresh = hfreq/vtotal; - } diff --git a/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch b/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch deleted file mode 100644 index b7f5e91..0000000 --- a/fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f Mon Sep 17 00:00:00 2001 -From: Jiufei Xue <jiufei.xue@linux.alibaba.com> -Date: Thu, 11 Apr 2019 19:25:12 +0200 -Subject: fbdev: fix WARNING in __alloc_pages_nodemask bug - -From: Jiufei Xue <jiufei.xue@linux.alibaba.com> - -commit 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f upstream. - -Syzkaller hit 'WARNING in __alloc_pages_nodemask' bug. - -WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377 -__alloc_pages_nodemask+0x4da/0x2130 -Kernel panic - not syncing: panic_on_warn set ... - -Call Trace: - alloc_pages_current+0xb1/0x1e0 - kmalloc_order+0x1f/0x60 - kmalloc_order_trace+0x1d/0x120 - fb_alloc_cmap_gfp+0x85/0x2b0 - fb_set_user_cmap+0xff/0x370 - do_fb_ioctl+0x949/0xa20 - fb_ioctl+0xdd/0x120 - do_vfs_ioctl+0x186/0x1070 - ksys_ioctl+0x89/0xa0 - __x64_sys_ioctl+0x74/0xb0 - do_syscall_64+0xc8/0x550 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -This is a warning about order >= MAX_ORDER and the order is from -userspace ioctl. Add flag __NOWARN to silence this warning. - -Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com> -Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/video/fbdev/core/fbcmap.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/video/fbdev/core/fbcmap.c -+++ b/drivers/video/fbdev/core/fbcmap.c -@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm - int size = len * sizeof(u16); - int ret = -ENOMEM; - -+ flags |= __GFP_NOWARN; -+ - if (cmap->len != len) { - fb_dealloc_cmap(cmap); - if (!len) diff --git a/fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch b/fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch deleted file mode 100644 index b7f2272..0000000 --- a/fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch +++ /dev/null @@ -1,644 +0,0 @@ -From 10dce8af34226d90fa56746a934f8da5dcdba3df Mon Sep 17 00:00:00 2001 -From: Kirill Smelkov <kirr@nexedi.com> -Date: Tue, 26 Mar 2019 22:20:43 +0000 -Subject: fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock - -From: Kirill Smelkov <kirr@nexedi.com> - -commit 10dce8af34226d90fa56746a934f8da5dcdba3df upstream. - -Commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") added -locking for file.f_pos access and in particular made concurrent read and -write not possible - now both those functions take f_pos lock for the -whole run, and so if e.g. a read is blocked waiting for data, write will -deadlock waiting for that read to complete. - -This caused regression for stream-like files where previously read and -write could run simultaneously, but after that patch could not do so -anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes -to /proc/xen/xenbus") which fixes such regression for particular case of -/proc/xen/xenbus. - -The patch that added f_pos lock in 2014 did so to guarantee POSIX thread -safety for read/write/lseek and added the locking to file descriptors of -all regular files. In 2014 that thread-safety problem was not new as it -was already discussed earlier in 2006. - -However even though 2006'th version of Linus's patch was adding f_pos -locking "only for files that are marked seekable with FMODE_LSEEK (thus -avoiding the stream-like objects like pipes and sockets)", the 2014 -version - the one that actually made it into the tree as 9c225f2655e3 - -is doing so irregardless of whether a file is seekable or not. - -See - - https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/ - https://lwn.net/Articles/180387 - https://lwn.net/Articles/180396 - -for historic context. - -The reason that it did so is, probably, that there are many files that -are marked non-seekable, but e.g. their read implementation actually -depends on knowing current position to correctly handle the read. Some -examples: - - kernel/power/user.c snapshot_read - fs/debugfs/file.c u32_array_read - fs/fuse/control.c fuse_conn_waiting_read + ... - drivers/hwmon/asus_atk0110.c atk_debugfs_ggrp_read - arch/s390/hypfs/inode.c hypfs_read_iter - ... - -Despite that, many nonseekable_open users implement read and write with -pure stream semantics - they don't depend on passed ppos at all. And for -those cases where read could wait for something inside, it creates a -situation similar to xenbus - the write could be never made to go until -read is done, and read is waiting for some, potentially external, event, -for potentially unbounded time -> deadlock. - -Besides xenbus, there are 14 such places in the kernel that I've found -with semantic patch (see below): - - drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write() - drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write() - drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write() - drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write() - net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write() - drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write() - drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write() - drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write() - net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write() - drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write() - drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write() - drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write() - drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write() - drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write() - -In addition to the cases above another regression caused by f_pos -locking is that now FUSE filesystems that implement open with -FOPEN_NONSEEKABLE flag, can no longer implement bidirectional -stream-like files - for the same reason as above e.g. read can deadlock -write locking on file.f_pos in the kernel. - -FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f715 ("fuse: -implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp -in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and -write routines not depending on current position at all, and with both -read and write being potentially blocking operations: - -See - - https://github.com/libfuse/osspd - https://lwn.net/Articles/308445 - - https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406 - https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477 - https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510 - -Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as -"somewhat pipe-like files ..." with read handler not using offset. -However that test implements only read without write and cannot exercise -the deadlock scenario: - - https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131 - https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163 - https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216 - -I've actually hit the read vs write deadlock for real while implementing -my FUSE filesystem where there is /head/watch file, for which open -creates separate bidirectional socket-like stream in between filesystem -and its user with both read and write being later performed -simultaneously. And there it is semantically not easy to split the -stream into two separate read-only and write-only channels: - - https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169 - -Let's fix this regression. The plan is: - -1. We can't change nonseekable_open to include &~FMODE_ATOMIC_POS - - doing so would break many in-kernel nonseekable_open users which - actually use ppos in read/write handlers. - -2. Add stream_open() to kernel to open stream-like non-seekable file - descriptors. Read and write on such file descriptors would never use - nor change ppos. And with that property on stream-like files read and - write will be running without taking f_pos lock - i.e. read and write - could be running simultaneously. - -3. With semantic patch search and convert to stream_open all in-kernel - nonseekable_open users for which read and write actually do not - depend on ppos and where there is no other methods in file_operations - which assume @offset access. - -4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via - steam_open if that bit is present in filesystem open reply. - - It was tempting to change fs/fuse/ open handler to use stream_open - instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but - grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE, - and in particular GVFS which actually uses offset in its read and - write handlers - - https://codesearch.debian.net/search?q=-%3Enonseekable+%3D - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481 - - so if we would do such a change it will break a real user. - -5. Add stream_open and FOPEN_STREAM handling to stable kernels starting - from v3.14+ (the kernel where 9c225f2655 first appeared). - - This will allow to patch OSSPD and other FUSE filesystems that - provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE - in their open handler and this way avoid the deadlock on all kernel - versions. This should work because fs/fuse/ ignores unknown open - flags returned from a filesystem and so passing FOPEN_STREAM to a - kernel that is not aware of this flag cannot hurt. In turn the kernel - that is not aware of FOPEN_STREAM will be < v3.14 where just - FOPEN_NONSEEKABLE is sufficient to implement streams without read vs - write deadlock. - -This patch adds stream_open, converts /proc/xen/xenbus to it and adds -semantic patch to automatically locate in-kernel places that are either -required to be converted due to read vs write deadlock, or that are just -safe to be converted because read and write do not use ppos and there -are no other funky methods in file_operations. - -Regarding semantic patch I've verified each generated change manually - -that it is correct to convert - and each other nonseekable_open instance -left - that it is either not correct to convert there, or that it is not -converted due to current stream_open.cocci limitations. - -The script also does not convert files that should be valid to convert, -but that currently have .llseek = noop_llseek or generic_file_llseek for -unknown reason despite file being opened with nonseekable_open (e.g. -drivers/input/mousedev.c) - -Cc: Michael Kerrisk <mtk.manpages@gmail.com> -Cc: Yongzhi Pan <panyongzhi@gmail.com> -Cc: Jonathan Corbet <corbet@lwn.net> -Cc: David Vrabel <david.vrabel@citrix.com> -Cc: Juergen Gross <jgross@suse.com> -Cc: Miklos Szeredi <miklos@szeredi.hu> -Cc: Tejun Heo <tj@kernel.org> -Cc: Kirill Tkhai <ktkhai@virtuozzo.com> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: Christoph Hellwig <hch@lst.de> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Cc: Julia Lawall <Julia.Lawall@lip6.fr> -Cc: Nikolaus Rath <Nikolaus@rath.org> -Cc: Han-Wen Nienhuys <hanwen@google.com> -[ backport to 3.18: actually fixed deadlock on /proc/xen/xenbus as 581d21a2d02a was not backported to 3.18 ] -Signed-off-by: Kirill Smelkov <kirr@nexedi.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/xen/xenbus/xenbus_dev_frontend.c | 2 - fs/open.c | 18 + - fs/read_write.c | 5 - include/linux/fs.h | 4 - scripts/coccinelle/api/stream_open.cocci | 363 +++++++++++++++++++++++++++++++ - 5 files changed, 389 insertions(+), 3 deletions(-) - ---- a/drivers/xen/xenbus/xenbus_dev_frontend.c -+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c -@@ -536,7 +536,7 @@ static int xenbus_file_open(struct inode - if (xen_store_evtchn == 0) - return -ENOENT; - -- nonseekable_open(inode, filp); -+ stream_open(inode, filp); - - u = kzalloc(sizeof(*u), GFP_KERNEL); - if (u == NULL) ---- a/fs/open.c -+++ b/fs/open.c -@@ -1126,3 +1126,21 @@ int nonseekable_open(struct inode *inode - } - - EXPORT_SYMBOL(nonseekable_open); -+ -+/* -+ * stream_open is used by subsystems that want stream-like file descriptors. -+ * Such file descriptors are not seekable and don't have notion of position -+ * (file.f_pos is always 0). Contrary to file descriptors of other regular -+ * files, .read() and .write() can run simultaneously. -+ * -+ * stream_open never fails and is marked to return int so that it could be -+ * directly used as file_operations.open . -+ */ -+int stream_open(struct inode *inode, struct file *filp) -+{ -+ filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS); -+ filp->f_mode |= FMODE_STREAM; -+ return 0; -+} -+ -+EXPORT_SYMBOL(stream_open); ---- a/fs/read_write.c -+++ b/fs/read_write.c -@@ -551,12 +551,13 @@ EXPORT_SYMBOL(vfs_write); - - static inline loff_t file_pos_read(struct file *file) - { -- return file->f_pos; -+ return file->f_mode & FMODE_STREAM ? 0 : file->f_pos; - } - - static inline void file_pos_write(struct file *file, loff_t pos) - { -- file->f_pos = pos; -+ if ((file->f_mode & FMODE_STREAM) == 0) -+ file->f_pos = pos; - } - - SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count) ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -133,6 +133,9 @@ typedef void (dio_iodone_t)(struct kiocb - /* Has write method(s) */ - #define FMODE_CAN_WRITE ((__force fmode_t)0x40000) - -+/* File is stream-like */ -+#define FMODE_STREAM ((__force fmode_t)0x200000) -+ - /* File was opened by fanotify and shouldn't generate fanotify events */ - #define FMODE_NONOTIFY ((__force fmode_t)0x1000000) - -@@ -2499,6 +2502,7 @@ extern loff_t fixed_size_llseek(struct f - int whence, loff_t size); - extern int generic_file_open(struct inode * inode, struct file * filp); - extern int nonseekable_open(struct inode * inode, struct file * filp); -+extern int stream_open(struct inode * inode, struct file * filp); - - #ifdef CONFIG_FS_XIP - extern ssize_t xip_file_read(struct file *filp, char __user *buf, size_t len, ---- /dev/null -+++ b/scripts/coccinelle/api/stream_open.cocci -@@ -0,0 +1,363 @@ -+// SPDX-License-Identifier: GPL-2.0 -+// Author: Kirill Smelkov (kirr@nexedi.com) -+// -+// Search for stream-like files that are using nonseekable_open and convert -+// them to stream_open. A stream-like file is a file that does not use ppos in -+// its read and write. Rationale for the conversion is to avoid deadlock in -+// between read and write. -+ -+virtual report -+virtual patch -+virtual explain // explain decisions in the patch (SPFLAGS="-D explain") -+ -+// stream-like reader & writer - ones that do not depend on f_pos. -+@ stream_reader @ -+identifier readstream, ppos; -+identifier f, buf, len; -+type loff_t; -+@@ -+ ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos) -+ { -+ ... when != ppos -+ } -+ -+@ stream_writer @ -+identifier writestream, ppos; -+identifier f, buf, len; -+type loff_t; -+@@ -+ ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos) -+ { -+ ... when != ppos -+ } -+ -+ -+// a function that blocks -+@ blocks @ -+identifier block_f; -+identifier wait_event =~ "^wait_event_.*"; -+@@ -+ block_f(...) { -+ ... when exists -+ wait_event(...) -+ ... when exists -+ } -+ -+// stream_reader that can block inside. -+// -+// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait()) -+// XXX currently reader_blocks supports only direct and 1-level indirect cases. -+@ reader_blocks_direct @ -+identifier stream_reader.readstream; -+identifier wait_event =~ "^wait_event_.*"; -+@@ -+ readstream(...) -+ { -+ ... when exists -+ wait_event(...) -+ ... when exists -+ } -+ -+@ reader_blocks_1 @ -+identifier stream_reader.readstream; -+identifier blocks.block_f; -+@@ -+ readstream(...) -+ { -+ ... when exists -+ block_f(...) -+ ... when exists -+ } -+ -+@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @ -+identifier stream_reader.readstream; -+@@ -+ readstream(...) { -+ ... -+ } -+ -+ -+// file_operations + whether they have _any_ .read, .write, .llseek ... at all. -+// -+// XXX add support for file_operations xxx[N] = ... (sound/core/pcm_native.c) -+@ fops0 @ -+identifier fops; -+@@ -+ struct file_operations fops = { -+ ... -+ }; -+ -+@ has_read @ -+identifier fops0.fops; -+identifier read_f; -+@@ -+ struct file_operations fops = { -+ .read = read_f, -+ }; -+ -+@ has_read_iter @ -+identifier fops0.fops; -+identifier read_iter_f; -+@@ -+ struct file_operations fops = { -+ .read_iter = read_iter_f, -+ }; -+ -+@ has_write @ -+identifier fops0.fops; -+identifier write_f; -+@@ -+ struct file_operations fops = { -+ .write = write_f, -+ }; -+ -+@ has_write_iter @ -+identifier fops0.fops; -+identifier write_iter_f; -+@@ -+ struct file_operations fops = { -+ .write_iter = write_iter_f, -+ }; -+ -+@ has_llseek @ -+identifier fops0.fops; -+identifier llseek_f; -+@@ -+ struct file_operations fops = { -+ .llseek = llseek_f, -+ }; -+ -+@ has_no_llseek @ -+identifier fops0.fops; -+@@ -+ struct file_operations fops = { -+ .llseek = no_llseek, -+ }; -+ -+@ has_mmap @ -+identifier fops0.fops; -+identifier mmap_f; -+@@ -+ struct file_operations fops = { -+ .mmap = mmap_f, -+ }; -+ -+@ has_copy_file_range @ -+identifier fops0.fops; -+identifier copy_file_range_f; -+@@ -+ struct file_operations fops = { -+ .copy_file_range = copy_file_range_f, -+ }; -+ -+@ has_remap_file_range @ -+identifier fops0.fops; -+identifier remap_file_range_f; -+@@ -+ struct file_operations fops = { -+ .remap_file_range = remap_file_range_f, -+ }; -+ -+@ has_splice_read @ -+identifier fops0.fops; -+identifier splice_read_f; -+@@ -+ struct file_operations fops = { -+ .splice_read = splice_read_f, -+ }; -+ -+@ has_splice_write @ -+identifier fops0.fops; -+identifier splice_write_f; -+@@ -+ struct file_operations fops = { -+ .splice_write = splice_write_f, -+ }; -+ -+ -+// file_operations that is candidate for stream_open conversion - it does not -+// use mmap and other methods that assume @offset access to file. -+// -+// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now. -+// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops". -+@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @ -+identifier fops0.fops; -+@@ -+ struct file_operations fops = { -+ }; -+ -+ -+// ---- conversions ---- -+ -+// XXX .open = nonseekable_open -> .open = stream_open -+// XXX .open = func -> openfunc -> nonseekable_open -+ -+// read & write -+// -+// if both are used in the same file_operations together with an opener - -+// under that conditions we can use stream_open instead of nonseekable_open. -+@ fops_rw depends on maybe_stream @ -+identifier fops0.fops, openfunc; -+identifier stream_reader.readstream; -+identifier stream_writer.writestream; -+@@ -+ struct file_operations fops = { -+ .open = openfunc, -+ .read = readstream, -+ .write = writestream, -+ }; -+ -+@ report_rw depends on report @ -+identifier fops_rw.openfunc; -+position p1; -+@@ -+ openfunc(...) { -+ <... -+ nonseekable_open@p1 -+ ...> -+ } -+ -+@ script:python depends on report && reader_blocks @ -+fops << fops0.fops; -+p << report_rw.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,)) -+ -+@ script:python depends on report && !reader_blocks @ -+fops << fops0.fops; -+p << report_rw.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) -+ -+ -+@ explain_rw_deadlocked depends on explain && reader_blocks @ -+identifier fops_rw.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* read & write (was deadlock) */ -+ ...> -+ } -+ -+ -+@ explain_rw_nodeadlock depends on explain && !reader_blocks @ -+identifier fops_rw.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* read & write (no direct deadlock) */ -+ ...> -+ } -+ -+@ patch_rw depends on patch @ -+identifier fops_rw.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ stream_open -+ ...> -+ } -+ -+ -+// read, but not write -+@ fops_r depends on maybe_stream && !has_write @ -+identifier fops0.fops, openfunc; -+identifier stream_reader.readstream; -+@@ -+ struct file_operations fops = { -+ .open = openfunc, -+ .read = readstream, -+ }; -+ -+@ report_r depends on report @ -+identifier fops_r.openfunc; -+position p1; -+@@ -+ openfunc(...) { -+ <... -+ nonseekable_open@p1 -+ ...> -+ } -+ -+@ script:python depends on report @ -+fops << fops0.fops; -+p << report_r.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) -+ -+@ explain_r depends on explain @ -+identifier fops_r.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* read only */ -+ ...> -+ } -+ -+@ patch_r depends on patch @ -+identifier fops_r.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ stream_open -+ ...> -+ } -+ -+ -+// write, but not read -+@ fops_w depends on maybe_stream && !has_read @ -+identifier fops0.fops, openfunc; -+identifier stream_writer.writestream; -+@@ -+ struct file_operations fops = { -+ .open = openfunc, -+ .write = writestream, -+ }; -+ -+@ report_w depends on report @ -+identifier fops_w.openfunc; -+position p1; -+@@ -+ openfunc(...) { -+ <... -+ nonseekable_open@p1 -+ ...> -+ } -+ -+@ script:python depends on report @ -+fops << fops0.fops; -+p << report_w.p1; -+@@ -+coccilib.report.print_report(p[0], -+ "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) -+ -+@ explain_w depends on explain @ -+identifier fops_w.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ nonseekable_open /* write only */ -+ ...> -+ } -+ -+@ patch_w depends on patch @ -+identifier fops_w.openfunc; -+@@ -+ openfunc(...) { -+ <... -+- nonseekable_open -++ stream_open -+ ...> -+ } -+ -+ -+// no read, no write - don't change anything diff --git a/fuse-add-fopen_stream-to-use-stream_open.patch b/fuse-add-fopen_stream-to-use-stream_open.patch deleted file mode 100644 index f2a4042..0000000 --- a/fuse-add-fopen_stream-to-use-stream_open.patch +++ /dev/null @@ -1,86 +0,0 @@ -From bbd84f33652f852ce5992d65db4d020aba21f882 Mon Sep 17 00:00:00 2001 -From: Kirill Smelkov <kirr@nexedi.com> -Date: Wed, 24 Apr 2019 07:13:57 +0000 -Subject: fuse: Add FOPEN_STREAM to use stream_open() - -From: Kirill Smelkov <kirr@nexedi.com> - -commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream. - -Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per -POSIX") files opened even via nonseekable_open gate read and write via lock -and do not allow them to be run simultaneously. This can create read vs -write deadlock if a filesystem is trying to implement a socket-like file -which is intended to be simultaneously used for both read and write from -filesystem client. See commit 10dce8af3422 ("fs: stream_open - opener for -stream-like files so that read and write can run simultaneously without -deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock -on writes to /proc/xen/xenbus") for a similar deadlock example on -/proc/xen/xenbus. - -To avoid such deadlock it was tempting to adjust fuse_finish_open to use -stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, -but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE, -and in particular GVFS which actually uses offset in its read and write -handlers - - https://codesearch.debian.net/search?q=-%3Enonseekable+%3D - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346 - https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481 - -so if we would do such a change it will break a real user. - -Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the -opened handler is having stream-like semantics; does not use file position -and thus the kernel is free to issue simultaneous read and write request on -opened file handle. - -This patch together with stream_open() should be added to stable kernels -starting from v3.14+. This will allow to patch OSSPD and other FUSE -filesystems that provide stream-like files to return FOPEN_STREAM | -FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all -kernel versions. This should work because fuse_finish_open ignores unknown -open flags returned from a filesystem and so passing FOPEN_STREAM to a -kernel that is not aware of this flag cannot hurt. In turn the kernel that -is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE -is sufficient to implement streams without read vs write deadlock. - -Cc: stable@vger.kernel.org # v3.14+ -Signed-off-by: Kirill Smelkov <kirr@nexedi.com> -Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/fuse/file.c | 4 +++- - include/uapi/linux/fuse.h | 2 ++ - 2 files changed, 5 insertions(+), 1 deletion(-) - ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -213,7 +213,9 @@ void fuse_finish_open(struct inode *inod - file->f_op = &fuse_direct_io_file_operations; - if (!(ff->open_flags & FOPEN_KEEP_CACHE)) - invalidate_inode_pages2(inode->i_mapping); -- if (ff->open_flags & FOPEN_NONSEEKABLE) -+ if (ff->open_flags & FOPEN_STREAM) -+ stream_open(inode, file); -+ else if (ff->open_flags & FOPEN_NONSEEKABLE) - nonseekable_open(inode, file); - if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) { - struct fuse_inode *fi = get_fuse_inode(inode); ---- a/include/uapi/linux/fuse.h -+++ b/include/uapi/linux/fuse.h -@@ -205,10 +205,12 @@ struct fuse_file_lock { - * FOPEN_DIRECT_IO: bypass page cache for this open file - * FOPEN_KEEP_CACHE: don't invalidate the data cache on open - * FOPEN_NONSEEKABLE: the file is not seekable -+ * FOPEN_STREAM: the file is stream-like (no file position at all) - */ - #define FOPEN_DIRECT_IO (1 << 0) - #define FOPEN_KEEP_CACHE (1 << 1) - #define FOPEN_NONSEEKABLE (1 << 2) -+#define FOPEN_STREAM (1 << 4) - - /** - * INIT request/reply flags diff --git a/fuse-fallocate-fix-return-with-locked-inode.patch b/fuse-fallocate-fix-return-with-locked-inode.patch deleted file mode 100644 index 88aac4b..0000000 --- a/fuse-fallocate-fix-return-with-locked-inode.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 35d6fcbb7c3e296a52136347346a698a35af3fda Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi <mszeredi@redhat.com> -Date: Mon, 27 May 2019 11:42:07 +0200 -Subject: fuse: fallocate: fix return with locked inode - -From: Miklos Szeredi <mszeredi@redhat.com> - -commit 35d6fcbb7c3e296a52136347346a698a35af3fda upstream. - -Do the proper cleanup in case the size check fails. - -Tested with xfstests:generic/228 - -Reported-by: kbuild test robot <lkp@intel.com> -Reported-by: Dan Carpenter <dan.carpenter@oracle.com> -Fixes: 0cbade024ba5 ("fuse: honor RLIMIT_FSIZE in fuse_file_fallocate") -Cc: Liu Bo <bo.liu@linux.alibaba.com> -Cc: <stable@vger.kernel.org> # v3.5 -Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/fuse/file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -3011,7 +3011,7 @@ static long fuse_file_fallocate(struct f - offset + length > i_size_read(inode)) { - err = inode_newsize_ok(inode, offset + length); - if (err) -- return err; -+ goto out; - } - - if (!(mode & FALLOC_FL_KEEP_SIZE)) diff --git a/fuse-fix-writepages-on-32bit.patch b/fuse-fix-writepages-on-32bit.patch deleted file mode 100644 index d404cc2..0000000 --- a/fuse-fix-writepages-on-32bit.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi <mszeredi@redhat.com> -Date: Wed, 24 Apr 2019 17:05:06 +0200 -Subject: fuse: fix writepages on 32bit - -From: Miklos Szeredi <mszeredi@redhat.com> - -commit 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 upstream. - -Writepage requests were cropped to i_size & 0xffffffff, which meant that -mmaped writes to any file larger than 4G might be silently discarded. - -Fix by storing the file size in a properly sized variable (loff_t instead -of size_t). - -Reported-by: Antonio SJ Musumeci <trapexit@spawn.link> -Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests") -Cc: <stable@vger.kernel.org> # v3.13 -Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/fuse/file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -1593,7 +1593,7 @@ __acquires(fc->lock) - { - struct fuse_conn *fc = get_fuse_conn(inode); - struct fuse_inode *fi = get_fuse_inode(inode); -- size_t crop = i_size_read(inode); -+ loff_t crop = i_size_read(inode); - struct fuse_req *req; - - while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) { diff --git a/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch b/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch deleted file mode 100644 index 95b4295..0000000 --- a/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 0cbade024ba501313da3b7e5dd2a188a6bc491b5 Mon Sep 17 00:00:00 2001 -From: Liu Bo <bo.liu@linux.alibaba.com> -Date: Thu, 18 Apr 2019 04:04:41 +0800 -Subject: fuse: honor RLIMIT_FSIZE in fuse_file_fallocate - -From: Liu Bo <bo.liu@linux.alibaba.com> - -commit 0cbade024ba501313da3b7e5dd2a188a6bc491b5 upstream. - -fstests generic/228 reported this failure that fuse fallocate does not -honor what 'ulimit -f' has set. - -This adds the necessary inode_newsize_ok() check. - -Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> -Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation") -Cc: <stable@vger.kernel.org> # v3.5 -Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/fuse/file.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -3007,6 +3007,13 @@ static long fuse_file_fallocate(struct f - } - } - -+ if (!(mode & FALLOC_FL_KEEP_SIZE) && -+ offset + length > i_size_read(inode)) { -+ err = inode_newsize_ok(inode, offset + length); -+ if (err) -+ return err; -+ } -+ - if (!(mode & FALLOC_FL_KEEP_SIZE)) - set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); - diff --git a/futex-fix-futex-lock-the-wrong-page.patch b/futex-fix-futex-lock-the-wrong-page.patch new file mode 100644 index 0000000..4f01f6a --- /dev/null +++ b/futex-fix-futex-lock-the-wrong-page.patch @@ -0,0 +1,41 @@ +From zhangxiaoxu5@huawei.com Wed Jun 12 13:03:33 2019 +From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> +Date: Wed, 12 Jun 2019 09:54:25 +0800 +Subject: futex: Fix futex lock the wrong page +To: <tglx@linutronix.de>, <mingo@redhat.com>, <peterz@infradead.org>, <dvhart@infradead.org>, <linux-kernel@vger.kernel.org>, <zhangxiaoxu5@huawei.com> +Message-ID: <1560304465-68966-1-git-send-email-zhangxiaoxu5@huawei.com> + +From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> + +The upstram commit 65d8fc777f6d ("futex: Remove requirement +for lock_page() in get_futex_key()") use variable 'page' as +the page head, when merge it to stable branch, the variable +`page_head` is page head. + +In the stable branch, the variable `page` not means the page +head, when lock the page head, we should lock 'page_head', +rather than 'page'. + +It maybe lead a hung task problem. + +Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> +Cc: stable@vger.kernel.org +Cc: Thomas Gleixner <tglx@linutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + kernel/futex.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -516,8 +516,8 @@ again: + * applies. If this is really a shmem page then the page lock + * will prevent unexpected transitions. + */ +- lock_page(page); +- shmem_swizzled = PageSwapCache(page) || page->mapping; ++ lock_page(page_head); ++ shmem_swizzled = PageSwapCache(page_head) || page_head->mapping; + unlock_page(page_head); + put_page(page_head); + diff --git a/genwqe-prevent-an-integer-overflow-in-the-ioctl.patch b/genwqe-prevent-an-integer-overflow-in-the-ioctl.patch deleted file mode 100644 index d85e878..0000000 --- a/genwqe-prevent-an-integer-overflow-in-the-ioctl.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Tue, 7 May 2019 11:36:34 +0300 -Subject: genwqe: Prevent an integer overflow in the ioctl - -From: Dan Carpenter <dan.carpenter@oracle.com> - -commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream. - -There are a couple potential integer overflows here. - - round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE); - -The first thing is that the "m->size + (...)" addition could overflow, -and the second is that round_up() overflows to zero if the result is -within PAGE_SIZE of the type max. - -In this code, the "m->size" variable is an u64 but we're saving the -result in "map_size" which is an unsigned long and genwqe_user_vmap() -takes an unsigned long as well. So I have used ULONG_MAX as the upper -bound. From a practical perspective unsigned long is fine/better than -trying to change all the types to u64. - -Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue") -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/misc/genwqe/card_dev.c | 2 ++ - drivers/misc/genwqe/card_utils.c | 4 ++++ - 2 files changed, 6 insertions(+) - ---- a/drivers/misc/genwqe/card_dev.c -+++ b/drivers/misc/genwqe/card_dev.c -@@ -782,6 +782,8 @@ static int genwqe_pin_mem(struct genwqe_ - - if ((m->addr == 0x0) || (m->size == 0)) - return -EINVAL; -+ if (m->size > ULONG_MAX - PAGE_SIZE - (m->addr & ~PAGE_MASK)) -+ return -EINVAL; - - map_addr = (m->addr & PAGE_MASK); - map_size = round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE); ---- a/drivers/misc/genwqe/card_utils.c -+++ b/drivers/misc/genwqe/card_utils.c -@@ -581,6 +581,10 @@ int genwqe_user_vmap(struct genwqe_dev * - /* determine space needed for page_list. */ - data = (unsigned long)uaddr; - offs = offset_in_page(data); -+ if (size > ULONG_MAX - PAGE_SIZE - offs) { -+ m->size = 0; /* mark unused and not added */ -+ return -EINVAL; -+ } - m->nr_pages = DIV_ROUND_UP(offs + size, PAGE_SIZE); - - m->page_list = kcalloc(m->nr_pages, diff --git a/ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch b/ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch deleted file mode 100644 index 7422d58..0000000 --- a/ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch +++ /dev/null @@ -1,37 +0,0 @@ -From foo@baz Fri 31 May 2019 04:27:54 PM PDT -From: Mike Manning <mmanning@vyatta.att-mail.com> -Date: Mon, 20 May 2019 19:57:17 +0100 -Subject: ipv6: Consider sk_bound_dev_if when binding a raw socket to an address - -From: Mike Manning <mmanning@vyatta.att-mail.com> - -[ Upstream commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f ] - -IPv6 does not consider if the socket is bound to a device when binding -to an address. The result is that a socket can be bound to eth0 and -then bound to the address of eth1. If the device is a VRF, the result -is that a socket can only be bound to an address in the default VRF. - -Resolve by considering the device if sk_bound_dev_if is set. - -Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com> -Reviewed-by: David Ahern <dsahern@gmail.com> -Tested-by: David Ahern <dsahern@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/ipv6/raw.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -283,7 +283,9 @@ static int rawv6_bind(struct sock *sk, s - /* Binding to link-local address requires an interface */ - if (!sk->sk_bound_dev_if) - goto out_unlock; -+ } - -+ if (sk->sk_bound_dev_if) { - err = -ENODEV; - dev = dev_get_by_index_rcu(sock_net(sk), - sk->sk_bound_dev_if); diff --git a/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch b/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch deleted file mode 100644 index 2475872..0000000 --- a/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 98af37d624ed8c83f1953b1b6b2f6866011fc064 Mon Sep 17 00:00:00 2001 -From: Zhenliang Wei <weizhenliang@huawei.com> -Date: Fri, 31 May 2019 22:30:52 -0700 -Subject: kernel/signal.c: trace_signal_deliver when signal_group_exit - -From: Zhenliang Wei <weizhenliang@huawei.com> - -commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream. - -In the fixes commit, removing SIGKILL from each thread signal mask and -executing "goto fatal" directly will skip the call to -"trace_signal_deliver". At this point, the delivery tracking of the -SIGKILL signal will be inaccurate. - -Therefore, we need to add trace_signal_deliver before "goto fatal" after -executing sigdelset. - -Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info. - -Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com -Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT") -Signed-off-by: Zhenliang Wei <weizhenliang@huawei.com> -Reviewed-by: Christian Brauner <christian@brauner.io> -Reviewed-by: Oleg Nesterov <oleg@redhat.com> -Cc: Eric W. Biederman <ebiederm@xmission.com> -Cc: Ivan Delalande <colona@arista.com> -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Deepa Dinamani <deepa.kernel@gmail.com> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Cc: <stable@vger.kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - kernel/signal.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -2287,6 +2287,8 @@ relock: - if (signal_group_exit(signal)) { - ksig->info.si_signo = signr = SIGKILL; - sigdelset(¤t->pending.signal, SIGKILL); -+ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO, -+ &sighand->action[SIGKILL - 1]); - recalc_sigpending(); - goto fatal; - } diff --git a/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch b/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch deleted file mode 100644 index 37942a9..0000000 --- a/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 Mon Sep 17 00:00:00 2001 -From: Sean Christopherson <sean.j.christopherson@intel.com> -Date: Tue, 2 Apr 2019 08:19:15 -0700 -Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes - -From: Sean Christopherson <sean.j.christopherson@intel.com> - -commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream. - -KVM allows userspace to violate consistency checks related to the -guest's CPUID model to some degree. Generally speaking, userspace has -carte blanche when it comes to guest state so long as jamming invalid -state won't negatively affect the host. - -Currently this is seems to be a non-issue as most of the interesting -EFER checks are missing, e.g. NX and LME, but those will be added -shortly. Proactively exempt userspace from the CPUID checks so as not -to break userspace. - -Note, the efer_reserved_bits check still applies to userspace writes as -that mask reflects the host's capabilities, e.g. KVM shouldn't allow a -guest to run with NX=1 if it has been disabled in the host. - -Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set") -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/x86/kvm/x86.c | 33 ++++++++++++++++++++++----------- - 1 file changed, 22 insertions(+), 11 deletions(-) - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -935,11 +935,8 @@ static const u32 emulated_msrs[] = { - MSR_IA32_MCG_CTL, - }; - --bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) -+static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) - { -- if (efer & efer_reserved_bits) -- return false; -- - if (efer & EFER_FFXSR) { - struct kvm_cpuid_entry2 *feat; - -@@ -957,19 +954,33 @@ bool kvm_valid_efer(struct kvm_vcpu *vcp - } - - return true; -+ -+} -+bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) -+{ -+ if (efer & efer_reserved_bits) -+ return false; -+ -+ return __kvm_valid_efer(vcpu, efer); - } - EXPORT_SYMBOL_GPL(kvm_valid_efer); - --static int set_efer(struct kvm_vcpu *vcpu, u64 efer) -+static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - { - u64 old_efer = vcpu->arch.efer; -+ u64 efer = msr_info->data; - -- if (!kvm_valid_efer(vcpu, efer)) -- return 1; -+ if (efer & efer_reserved_bits) -+ return false; - -- if (is_paging(vcpu) -- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) -- return 1; -+ if (!msr_info->host_initiated) { -+ if (!__kvm_valid_efer(vcpu, efer)) -+ return 1; -+ -+ if (is_paging(vcpu) && -+ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) -+ return 1; -+ } - - efer &= ~EFER_LMA; - efer |= vcpu->arch.efer & EFER_LMA; -@@ -2097,7 +2108,7 @@ int kvm_set_msr_common(struct kvm_vcpu * - break; - - case MSR_EFER: -- return set_efer(vcpu, data); -+ return set_efer(vcpu, msr_info); - case MSR_K7_HWCR: - data &= ~(u64)0x40; /* ignore flush filter disable */ - data &= ~(u64)0x100; /* ignore ignne emulation enable */ diff --git a/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch b/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch deleted file mode 100644 index bf4bfad..0000000 --- a/llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch +++ /dev/null @@ -1,84 +0,0 @@ -From foo@baz Fri 31 May 2019 04:27:54 PM PDT -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 27 May 2019 17:35:52 -0700 -Subject: llc: fix skb leak in llc_build_and_send_ui_pkt() - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ] - -If llc_mac_hdr_init() returns an error, we must drop the skb -since no llc_build_and_send_ui_pkt() caller will take care of this. - -BUG: memory leak -unreferenced object 0xffff8881202b6800 (size 2048): - comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s) - hex dump (first 32 bytes): - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ - backtrace: - [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] - [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline] - [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline] - [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline] - [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669 - [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline] - [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608 - [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662 - [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950 - [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173 - [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430 - [<000000008bdec225>] sock_create net/socket.c:1481 [inline] - [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523 - [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline] - [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline] - [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530 - [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 - [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -BUG: memory leak -unreferenced object 0xffff88811d750d00 (size 224): - comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s) - hex dump (first 32 bytes): - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ .... - backtrace: - [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] - [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline] - [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline] - [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 - [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 - [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline] - [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 - [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 - [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 - [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 - [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline] - [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671 - [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 - [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline] - [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline] - [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972 - [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 - [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/llc/llc_output.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/llc/llc_output.c -+++ b/net/llc/llc_output.c -@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc - rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac); - if (likely(!rc)) - rc = dev_queue_xmit(skb); -+ else -+ kfree_skb(skb); - return rc; - } - diff --git a/md-raid-raid5-preserve-the-writeback-action-after-the-parity-check.patch b/md-raid-raid5-preserve-the-writeback-action-after-the-parity-check.patch deleted file mode 100644 index 8ec4432..0000000 --- a/md-raid-raid5-preserve-the-writeback-action-after-the-parity-check.patch +++ /dev/null @@ -1,52 +0,0 @@ -From b2176a1dfb518d870ee073445d27055fea64dfb8 Mon Sep 17 00:00:00 2001 -From: Nigel Croxon <ncroxon@redhat.com> -Date: Tue, 16 Apr 2019 09:50:09 -0700 -Subject: md/raid: raid5 preserve the writeback action after the parity check - -From: Nigel Croxon <ncroxon@redhat.com> - -commit b2176a1dfb518d870ee073445d27055fea64dfb8 upstream. - -The problem is that any 'uptodate' vs 'disks' check is not precise -in this path. Put a "WARN_ON(!test_bit(R5_UPTODATE, &dev->flags)" on the -device that might try to kick off writes and then skip the action. -Better to prevent the raid driver from taking unexpected action *and* keep -the system alive vs killing the machine with BUG_ON. - -Note: fixed warning reported by kbuild test robot <lkp@intel.com> - -Signed-off-by: Dan Williams <dan.j.williams@intel.com> -Signed-off-by: Nigel Croxon <ncroxon@redhat.com> -Signed-off-by: Song Liu <songliubraving@fb.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/md/raid5.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -3378,7 +3378,7 @@ static void handle_parity_checks6(struct - /* now write out any block on a failed drive, - * or P or Q if they were recomputed - */ -- BUG_ON(s->uptodate < disks - 1); /* We don't need Q to recover */ -+ dev = NULL; - if (s->failed == 2) { - dev = &sh->dev[s->failed_num[1]]; - s->locked++; -@@ -3403,6 +3403,14 @@ static void handle_parity_checks6(struct - set_bit(R5_LOCKED, &dev->flags); - set_bit(R5_Wantwrite, &dev->flags); - } -+ if (WARN_ONCE(dev && !test_bit(R5_UPTODATE, &dev->flags), -+ "%s: disk%td not up to date\n", -+ mdname(conf->mddev), -+ dev - (struct r5dev *) &sh->dev)) { -+ clear_bit(R5_LOCKED, &dev->flags); -+ clear_bit(R5_Wantwrite, &dev->flags); -+ s->locked--; -+ } - clear_bit(STRIPE_DEGRADED, &sh->state); - - set_bit(STRIPE_INSYNC, &sh->state); diff --git a/media-cpia2-fix-use-after-free-in-cpia2_exit.patch b/media-cpia2-fix-use-after-free-in-cpia2_exit.patch deleted file mode 100644 index 500f425..0000000 --- a/media-cpia2-fix-use-after-free-in-cpia2_exit.patch +++ /dev/null @@ -1,124 +0,0 @@ -From dea37a97265588da604c6ba80160a287b72c7bfd Mon Sep 17 00:00:00 2001 -From: YueHaibing <yuehaibing@huawei.com> -Date: Wed, 6 Mar 2019 07:45:08 -0500 -Subject: media: cpia2: Fix use-after-free in cpia2_exit - -From: YueHaibing <yuehaibing@huawei.com> - -commit dea37a97265588da604c6ba80160a287b72c7bfd upstream. - -Syzkaller report this: - -BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468 -Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363 - -CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0xfa/0x1ce lib/dump_stack.c:113 - print_address_description+0x65/0x270 mm/kasan/report.c:187 - kasan_report+0x149/0x18d mm/kasan/report.c:317 - sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468 - sysfs_remove_file include/linux/sysfs.h:519 [inline] - driver_remove_file+0x40/0x50 drivers/base/driver.c:122 - usb_remove_newid_files drivers/usb/core/driver.c:212 [inline] - usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005 - cpia2_exit+0xa/0x16 [cpia2] - __do_sys_delete_module kernel/module.c:1018 [inline] - __se_sys_delete_module kernel/module.c:961 [inline] - __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x462e99 -Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0 -RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 -RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300 -RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc -R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff - -Allocated by task 8363: - set_track mm/kasan/common.c:85 [inline] - __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495 - kmalloc include/linux/slab.h:545 [inline] - kzalloc include/linux/slab.h:740 [inline] - bus_add_driver+0xc0/0x610 drivers/base/bus.c:651 - driver_register+0x1bb/0x3f0 drivers/base/driver.c:170 - usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965 - 0xffffffffc1b4817c - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 8363: - set_track mm/kasan/common.c:85 [inline] - __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457 - slab_free_hook mm/slub.c:1430 [inline] - slab_free_freelist_hook mm/slub.c:1457 [inline] - slab_free mm/slub.c:3005 [inline] - kfree+0xe1/0x270 mm/slub.c:3957 - kobject_cleanup lib/kobject.c:662 [inline] - kobject_release lib/kobject.c:691 [inline] - kref_put include/linux/kref.h:67 [inline] - kobject_put+0x146/0x240 lib/kobject.c:708 - bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732 - driver_unregister+0x6c/0xa0 drivers/base/driver.c:197 - usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980 - 0xffffffffc1b4817c - do_one_initcall+0xfa/0x5ca init/main.c:887 - do_init_module+0x204/0x5f6 kernel/module.c:3460 - load_module+0x66b2/0x8570 kernel/module.c:3808 - __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 - do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -The buggy address belongs to the object at ffff8881f59a6b40 - which belongs to the cache kmalloc-256 of size 256 -The buggy address is located 48 bytes inside of - 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40) -The buggy address belongs to the page: -page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0 -flags: 0x2fffc0000000200(slab) -raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00 -raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ->ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb - ^ - ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc - -cpia2_init does not check return value of cpia2_init, if it failed -in usb_register_driver, there is already cleanup using driver_unregister. -No need call cpia2_usb_cleanup on module exit. - -Reported-by: Hulk Robot <hulkci@huawei.com> -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/usb/cpia2/cpia2_v4l.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/drivers/media/usb/cpia2/cpia2_v4l.c -+++ b/drivers/media/usb/cpia2/cpia2_v4l.c -@@ -1248,8 +1248,7 @@ static int __init cpia2_init(void) - LOG("%s v%s\n", - ABOUT, CPIA_VERSION); - check_parameters(); -- cpia2_usb_init(); -- return 0; -+ return cpia2_usb_init(); - } - - diff --git a/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch b/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch deleted file mode 100644 index c80a187..0000000 --- a/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 Mon Sep 17 00:00:00 2001 -From: Janusz Krzysztofik <jmkrzyszt@gmail.com> -Date: Sun, 24 Mar 2019 20:21:12 -0400 -Subject: media: ov6650: Fix sensor possibly not detected on probe - -From: Janusz Krzysztofik <jmkrzyszt@gmail.com> - -commit 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 upstream. - -After removal of clock_start() from before soc_camera_init_i2c() in -soc_camera_probe() by commit 9aea470b399d ("[media] soc-camera: switch -I2C subdevice drivers to use v4l2-clk") introduced in v3.11, the ov6650 -driver could no longer probe the sensor successfully because its clock -was no longer turned on in advance. The issue was initially worked -around by adding that missing clock_start() equivalent to OMAP1 camera -interface driver - the only user of this sensor - but a propoer fix -should be rather implemented in the sensor driver code itself. - -Fix the issue by inserting a delay between the clock is turned on and -the sensor I2C registers are read for the first time. - -Tested on Amstrad Delta with now out of tree but still locally -maintained omap1_camera host driver. - -Fixes: 9aea470b399d ("[media] soc-camera: switch I2C subdevice drivers to use v4l2-clk") - -Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com> -Cc: stable@vger.kernel.org -Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/i2c/soc_camera/ov6650.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/media/i2c/soc_camera/ov6650.c -+++ b/drivers/media/i2c/soc_camera/ov6650.c -@@ -829,6 +829,8 @@ static int ov6650_video_probe(struct i2c - if (ret < 0) - return ret; - -+ msleep(20); -+ - /* - * check and show product ID and manufacturer ID - */ diff --git a/media-usb-siano-fix-false-positive-uninitialized-variable-warning.patch b/media-usb-siano-fix-false-positive-uninitialized-variable-warning.patch deleted file mode 100644 index 6584a07..0000000 --- a/media-usb-siano-fix-false-positive-uninitialized-variable-warning.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 45457c01171fd1488a7000d1751c06ed8560ee38 Mon Sep 17 00:00:00 2001 -From: Alan Stern <stern@rowland.harvard.edu> -Date: Tue, 21 May 2019 11:38:07 -0400 -Subject: media: usb: siano: Fix false-positive "uninitialized variable" warning - -From: Alan Stern <stern@rowland.harvard.edu> - -commit 45457c01171fd1488a7000d1751c06ed8560ee38 upstream. - -GCC complains about an apparently uninitialized variable recently -added to smsusb_init_device(). It's a false positive, but to silence -the warning this patch adds a trivial initialization. - -Signed-off-by: Alan Stern <stern@rowland.harvard.edu> -Reported-by: kbuild test robot <lkp@intel.com> -CC: <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/usb/siano/smsusb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/media/usb/siano/smsusb.c -+++ b/drivers/media/usb/siano/smsusb.c -@@ -351,7 +351,7 @@ static int smsusb_init_device(struct usb - struct smsdevice_params_t params; - struct smsusb_device_t *dev; - int i, rc; -- int in_maxp; -+ int in_maxp = 0; - - /* create device object */ - dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); diff --git a/media-usb-siano-fix-general-protection-fault-in-smsusb.patch b/media-usb-siano-fix-general-protection-fault-in-smsusb.patch deleted file mode 100644 index 879a3a2..0000000 --- a/media-usb-siano-fix-general-protection-fault-in-smsusb.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 31e0456de5be379b10fea0fa94a681057114a96e Mon Sep 17 00:00:00 2001 -From: Alan Stern <stern@rowland.harvard.edu> -Date: Tue, 7 May 2019 12:39:47 -0400 -Subject: media: usb: siano: Fix general protection fault in smsusb - -From: Alan Stern <stern@rowland.harvard.edu> - -commit 31e0456de5be379b10fea0fa94a681057114a96e upstream. - -The syzkaller USB fuzzer found a general-protection-fault bug in the -smsusb part of the Siano DVB driver. The fault occurs during probe -because the driver assumes without checking that the device has both -IN and OUT endpoints and the IN endpoint is ep1. - -By slightly rearranging the driver's initialization code, we can make -the appropriate checks early on and thus avoid the problem. If the -expected endpoints aren't present, the new code safely returns -ENODEV -from the probe routine. - -Signed-off-by: Alan Stern <stern@rowland.harvard.edu> -Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com -CC: <stable@vger.kernel.org> -Reviewed-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/usb/siano/smsusb.c | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - ---- a/drivers/media/usb/siano/smsusb.c -+++ b/drivers/media/usb/siano/smsusb.c -@@ -351,6 +351,7 @@ static int smsusb_init_device(struct usb - struct smsdevice_params_t params; - struct smsusb_device_t *dev; - int i, rc; -+ int in_maxp; - - /* create device object */ - dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); -@@ -364,6 +365,24 @@ static int smsusb_init_device(struct usb - dev->udev = interface_to_usbdev(intf); - dev->state = SMSUSB_DISCONNECTED; - -+ for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { -+ struct usb_endpoint_descriptor *desc = -+ &intf->cur_altsetting->endpoint[i].desc; -+ -+ if (desc->bEndpointAddress & USB_DIR_IN) { -+ dev->in_ep = desc->bEndpointAddress; -+ in_maxp = usb_endpoint_maxp(desc); -+ } else { -+ dev->out_ep = desc->bEndpointAddress; -+ } -+ } -+ -+ sms_info("in_ep = %02x, out_ep = %02x", dev->in_ep, dev->out_ep); -+ if (!dev->in_ep || !dev->out_ep) { /* Missing endpoints? */ -+ smsusb_term_device(intf); -+ return -ENODEV; -+ } -+ - params.device_type = sms_get_board(board_id)->type; - - switch (params.device_type) { -@@ -378,24 +397,12 @@ static int smsusb_init_device(struct usb - /* fall-thru */ - default: - dev->buffer_size = USB2_BUFFER_SIZE; -- dev->response_alignment = -- le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) - -- sizeof(struct sms_msg_hdr); -+ dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr); - - params.flags |= SMS_DEVICE_FAMILY2; - break; - } - -- for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { -- if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN) -- dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; -- else -- dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; -- } -- -- sms_info("in_ep = %02x, out_ep = %02x", -- dev->in_ep, dev->out_ep); -- - params.device = &dev->udev->dev; - params.buffer_size = dev->buffer_size; - params.num_buffers = MAX_BUFFERS; diff --git a/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch b/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch deleted file mode 100644 index aac3153..0000000 --- a/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 89dd34caf73e28018c58cd193751e41b1f8bdc56 Mon Sep 17 00:00:00 2001 -From: Nadav Amit <namit@vmware.com> -Date: Mon, 4 Jun 2018 09:47:13 -0400 -Subject: media: uvcvideo: Fix uvc_alloc_entity() allocation alignment - -From: Nadav Amit <namit@vmware.com> - -commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream. - -The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of -(entity->pads) is not a power of two. As a stop-gap, until a better -solution is adapted, use roundup() instead. - -Found by a static assertion. Compile-tested only. - -Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity") - -Signed-off-by: Nadav Amit <namit@vmware.com> -Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Cc: Doug Anderson <dianders@chromium.org> -Cc: Ben Hutchings <ben@decadent.org.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/usb/uvc/uvc_driver.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/media/usb/uvc/uvc_driver.c -+++ b/drivers/media/usb/uvc/uvc_driver.c -@@ -826,7 +826,7 @@ static struct uvc_entity *uvc_alloc_enti - unsigned int size; - unsigned int i; - -- extra_size = ALIGN(extra_size, sizeof(*entity->pads)); -+ extra_size = roundup(extra_size, sizeof(*entity->pads)); - num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1; - size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads - + num_inputs; diff --git a/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch b/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch deleted file mode 100644 index 40f85a9..0000000 --- a/media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch +++ /dev/null @@ -1,37 +0,0 @@ -From dad7e270ba712ba1c99cd2d91018af6044447a06 Mon Sep 17 00:00:00 2001 -From: Alexander Potapenko <glider@google.com> -Date: Thu, 4 Apr 2019 10:56:46 -0400 -Subject: media: vivid: use vfree() instead of kfree() for dev->bitmap_cap - -From: Alexander Potapenko <glider@google.com> - -commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream. - -syzkaller reported crashes on kfree() called from -vivid_vid_cap_s_selection(). This looks like a simple typo, as -dev->bitmap_cap is allocated with vzalloc() throughout the file. - -Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output -parts") - -Signed-off-by: Alexander Potapenko <glider@google.com> -Reported-by: Syzbot <syzbot+6c0effb5877f6b0344e2@syzkaller.appspotmail.com> -Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> -Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/platform/vivid/vivid-vid-cap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/media/platform/vivid/vivid-vid-cap.c -+++ b/drivers/media/platform/vivid/vivid-vid-cap.c -@@ -955,7 +955,7 @@ int vivid_vid_cap_s_selection(struct fil - rect_map_inside(&s->r, &dev->fmt_cap_rect); - if (dev->bitmap_cap && (compose->width != s->r.width || - compose->height != s->r.height)) { -- kfree(dev->bitmap_cap); -+ vfree(dev->bitmap_cap); - dev->bitmap_cap = NULL; - } - *compose = s->r; diff --git a/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch b/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch deleted file mode 100644 index e35cb17..0000000 --- a/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 6b4814a9451add06d457e198be418bf6a3e6a990 Mon Sep 17 00:00:00 2001 -From: Steve Twiss <stwiss.opensource@diasemi.com> -Date: Fri, 26 Apr 2019 14:33:35 +0100 -Subject: mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L - -From: Steve Twiss <stwiss.opensource@diasemi.com> - -commit 6b4814a9451add06d457e198be418bf6a3e6a990 upstream. - -Mismatch between what is found in the Datasheets for DA9063 and DA9063L -provided by Dialog Semiconductor, and the register names provided in the -MFD registers file. The changes are for the OTP (one-time-programming) -control registers. The two naming errors are OPT instead of OTP, and -COUNT instead of CONT (i.e. control). - -Cc: Stable <stable@vger.kernel.org> -Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com> -Signed-off-by: Lee Jones <lee.jones@linaro.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - include/linux/mfd/da9063/registers.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/include/linux/mfd/da9063/registers.h -+++ b/include/linux/mfd/da9063/registers.h -@@ -215,9 +215,9 @@ - - /* DA9063 Configuration registers */ - /* OTP */ --#define DA9063_REG_OPT_COUNT 0x101 --#define DA9063_REG_OPT_ADDR 0x102 --#define DA9063_REG_OPT_DATA 0x103 -+#define DA9063_REG_OTP_CONT 0x101 -+#define DA9063_REG_OTP_ADDR 0x102 -+#define DA9063_REG_OTP_DATA 0x103 - - /* Customer Trim and Configuration */ - #define DA9063_REG_T_OFFSET 0x104 diff --git a/net-avoid-weird-emergency-message.patch b/net-avoid-weird-emergency-message.patch deleted file mode 100644 index 132a200..0000000 --- a/net-avoid-weird-emergency-message.patch +++ /dev/null @@ -1,38 +0,0 @@ -From foo@baz Wed 22 May 2019 07:39:52 PM CEST -From: Eric Dumazet <edumazet@google.com> -Date: Thu, 16 May 2019 08:09:57 -0700 -Subject: net: avoid weird emergency message - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ] - -When host is under high stress, it is very possible thread -running netdev_wait_allrefs() returns from msleep(250) -10 seconds late. - -This leads to these messages in the syslog : - -[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0 - -If the device refcount is zero, the wait is over. - -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/core/dev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -6463,7 +6463,7 @@ static void netdev_wait_allrefs(struct n - - refcnt = netdev_refcnt_read(dev); - -- if (time_after(jiffies, warning_time + 10 * HZ)) { -+ if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) { - pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n", - dev->name, refcnt); - warning_time = jiffies; diff --git a/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch b/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch deleted file mode 100644 index c276f95..0000000 --- a/net-gro-fix-use-after-free-read-in-napi_gro_frags.patch +++ /dev/null @@ -1,69 +0,0 @@ -From foo@baz Fri 31 May 2019 04:27:54 PM PDT -From: Eric Dumazet <edumazet@google.com> -Date: Wed, 29 May 2019 15:36:10 -0700 -Subject: net-gro: fix use-after-free read in napi_gro_frags() - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ] - -If a network driver provides to napi_gro_frags() an -skb with a page fragment of exactly 14 bytes, the call -to gro_pull_from_frag0() will 'consume' the fragment -by calling skb_frag_unref(skb, 0), and the page might -be freed and reused. - -Reading eth->h_proto at the end of napi_frags_skb() might -read mangled data, or crash under specific debugging features. - -BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline] -BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841 -Read of size 2 at addr ffff88809366840c by task syz-executor599/8957 - -CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x172/0x1f0 lib/dump_stack.c:113 - print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 - __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 - kasan_report+0x12/0x20 mm/kasan/common.c:614 - __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142 - napi_frags_skb net/core/dev.c:5833 [inline] - napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841 - tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991 - tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037 - call_write_iter include/linux/fs.h:1872 [inline] - do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693 - do_iter_write fs/read_write.c:970 [inline] - do_iter_write+0x184/0x610 fs/read_write.c:951 - vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015 - do_writev+0x15b/0x330 fs/read_write.c:1058 - -Fixes: a50e233c50db ("net-gro: restore frag0 optimization") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/core/dev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -4264,7 +4264,6 @@ static struct sk_buff *napi_frags_skb(st - skb_reset_mac_header(skb); - skb_gro_reset_offset(skb); - -- eth = skb_gro_header_fast(skb, 0); - if (unlikely(skb_gro_header_hard(skb, hlen))) { - eth = skb_gro_header_slow(skb, hlen, 0); - if (unlikely(!eth)) { -@@ -4272,6 +4271,7 @@ static struct sk_buff *napi_frags_skb(st - return NULL; - } - } else { -+ eth = (const struct ethhdr *)skb->data; - gro_pull_from_frag0(skb, hlen); - NAPI_GRO_CB(skb)->frag0 += hlen; - NAPI_GRO_CB(skb)->frag0_len -= hlen; diff --git a/net-mlx4_core-change-the-error-print-to-info-print.patch b/net-mlx4_core-change-the-error-print-to-info-print.patch deleted file mode 100644 index 560decb..0000000 --- a/net-mlx4_core-change-the-error-print-to-info-print.patch +++ /dev/null @@ -1,32 +0,0 @@ -From foo@baz Wed 22 May 2019 07:39:52 PM CEST -From: Yunjian Wang <wangyunjian@huawei.com> -Date: Tue, 14 May 2019 19:03:19 +0800 -Subject: net/mlx4_core: Change the error print to info print - -From: Yunjian Wang <wangyunjian@huawei.com> - -[ Upstream commit 00f9fec48157f3734e52130a119846e67a12314b ] - -The error print within mlx4_flow_steer_promisc_add() should -be a info print. - -Fixes: 592e49dda812 ('net/mlx4: Implement promiscuous mode with device managed flow-steering') -Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> -Reviewed-by: Tariq Toukan <tariqt@mellanox.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/ethernet/mellanox/mlx4/mcg.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/mellanox/mlx4/mcg.c -+++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c -@@ -1463,7 +1463,7 @@ int mlx4_flow_steer_promisc_add(struct m - rule.port = port; - rule.qpn = qpn; - INIT_LIST_HEAD(&rule.list); -- mlx4_err(dev, "going promisc on %x\n", port); -+ mlx4_info(dev, "going promisc on %x\n", port); - - return mlx4_flow_attach(dev, &rule, regid_p); - } diff --git a/net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch b/net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch deleted file mode 100644 index e65107c..0000000 --- a/net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch +++ /dev/null @@ -1,57 +0,0 @@ -From foo@baz Fri 31 May 2019 03:24:14 PM PDT -From: Antoine Tenart <antoine.tenart@bootlin.com> -Date: Wed, 29 May 2019 15:59:48 +0200 -Subject: net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value - -From: Antoine Tenart <antoine.tenart@bootlin.com> - -[ Upstream commit 21808437214637952b61beaba6034d97880fbeb3 ] - -MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but -the current code is passing the global tx queue offset, so it ends -up writing to unknown registers (between 0x8280 and 0x82fc, which -seemed to be unused by the hardware). This fixes the issue by using -the logical queue id instead. - -Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") -Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/ethernet/marvell/mvpp2.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - ---- a/drivers/net/ethernet/marvell/mvpp2.c -+++ b/drivers/net/ethernet/marvell/mvpp2.c -@@ -3918,7 +3918,7 @@ static inline void mvpp2_gmac_max_rx_siz - /* Set defaults to the MVPP2 port */ - static void mvpp2_defaults_set(struct mvpp2_port *port) - { -- int tx_port_num, val, queue, ptxq, lrxq; -+ int tx_port_num, val, queue, lrxq; - - /* Configure port to loopback if needed */ - if (port->flags & MVPP2_F_LOOPBACK) -@@ -3938,11 +3938,9 @@ static void mvpp2_defaults_set(struct mv - mvpp2_write(port->priv, MVPP2_TXP_SCHED_CMD_1_REG, 0); - - /* Close bandwidth for all queues */ -- for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) { -- ptxq = mvpp2_txq_phys(port->id, queue); -+ for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) - mvpp2_write(port->priv, -- MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(ptxq), 0); -- } -+ MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(queue), 0); - - /* Set refill period to 1 usec, refill tokens - * and bucket size to maximum -@@ -4689,7 +4687,7 @@ static void mvpp2_txq_deinit(struct mvpp - txq->descs_phys = 0; - - /* Set minimum bandwidth for disabled TXQs */ -- mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->id), 0); -+ mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->log_id), 0); - - /* Set Tx descriptors queue starting address and size */ - mvpp2_write(port->priv, MVPP2_TXQ_NUM_REG, txq->id); diff --git a/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch deleted file mode 100644 index fc62a11..0000000 --- a/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch +++ /dev/null @@ -1,90 +0,0 @@ -From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST -From: Zhu Yanjun <yanjun.zhu@oracle.com> -Date: Thu, 6 Jun 2019 04:00:03 -0400 -Subject: net: rds: fix memory leak in rds_ib_flush_mr_pool - -From: Zhu Yanjun <yanjun.zhu@oracle.com> - -[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ] - -When the following tests last for several hours, the problem will occur. - -Server: - rds-stress -r 1.1.1.16 -D 1M -Client: - rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30 - -The following will occur. - -" -Starting up.... -tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu -% - 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 - 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 - 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 - 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00 -" ->From vmcore, we can find that clean_list is NULL. - ->From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker. -Then rds_ib_mr_pool_flush_worker calls -" - rds_ib_flush_mr_pool(pool, 0, NULL); -" -Then in function -" -int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool, - int free_all, struct rds_ib_mr **ibmr_ret) -" -ibmr_ret is NULL. - -In the source code, -" -... -list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); -if (ibmr_ret) - *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); - -/* more than one entry in llist nodes */ -if (clean_nodes->next) - llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); -... -" -When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next -instead of clean_nodes is added in clean_list. -So clean_nodes is discarded. It can not be used again. -The workqueue is executed periodically. So more and more clean_nodes are -discarded. Finally the clean_list is NULL. -Then this problem will occur. - -Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist") -Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com> -Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/rds/ib_rdma.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - ---- a/net/rds/ib_rdma.c -+++ b/net/rds/ib_rdma.c -@@ -663,12 +663,14 @@ static int rds_ib_flush_mr_pool(struct r - wait_clean_list_grace(); - - list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); -- if (ibmr_ret) -+ if (ibmr_ret) { - *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); -- -+ clean_nodes = clean_nodes->next; -+ } - /* more than one entry in llist nodes */ -- if (clean_nodes->next) -- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); -+ if (clean_nodes) -+ llist_add_batch(clean_nodes, clean_tail, -+ &pool->clean_list); - - } - diff --git a/net-stmmac-fix-reset-gpio-free-missing.patch b/net-stmmac-fix-reset-gpio-free-missing.patch deleted file mode 100644 index ede1da9..0000000 --- a/net-stmmac-fix-reset-gpio-free-missing.patch +++ /dev/null @@ -1,35 +0,0 @@ -From foo@baz Fri 31 May 2019 04:27:54 PM PDT -From: Jisheng Zhang <Jisheng.Zhang@synaptics.com> -Date: Wed, 22 May 2019 10:05:09 +0000 -Subject: net: stmmac: fix reset gpio free missing - -From: Jisheng Zhang <Jisheng.Zhang@synaptics.com> - -[ Upstream commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 ] - -Commit 984203ceff27 ("net: stmmac: mdio: remove reset gpio free") -removed the reset gpio free, when the driver is unbinded or rmmod, -we miss the gpio free. - -This patch uses managed API to request the reset gpio, so that the -gpio could be freed properly. - -Fixes: 984203ceff27 ("net: stmmac: mdio: remove reset gpio free") -Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c -+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c -@@ -159,7 +159,7 @@ int stmmac_mdio_reset(struct mii_bus *bu - reset_gpio = data->reset_gpio; - active_low = data->active_low; - -- if (!gpio_request(reset_gpio, "mdio-reset")) { -+ if (!devm_gpio_request(reset_gpio, "mdio-reset")) { - gpio_direction_output(reset_gpio, active_low ? 1 : 0); - udelay(data->delays[0]); - gpio_set_value(reset_gpio, active_low ? 0 : 1); diff --git a/nfs4-fix-v4.0-client-state-corruption-when-mount.patch b/nfs4-fix-v4.0-client-state-corruption-when-mount.patch deleted file mode 100644 index d72ae1d..0000000 --- a/nfs4-fix-v4.0-client-state-corruption-when-mount.patch +++ /dev/null @@ -1,47 +0,0 @@ -From f02f3755dbd14fb935d24b14650fff9ba92243b8 Mon Sep 17 00:00:00 2001 -From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> -Date: Mon, 6 May 2019 11:57:03 +0800 -Subject: NFS4: Fix v4.0 client state corruption when mount - -From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> - -commit f02f3755dbd14fb935d24b14650fff9ba92243b8 upstream. - -stat command with soft mount never return after server is stopped. - -When alloc a new client, the state of the client will be set to -NFS4CLNT_LEASE_EXPIRED. - -When the server is stopped, the state manager will work, and accord -the state to recover. But the state is NFS4CLNT_LEASE_EXPIRED, it -will drain the slot table and lead other task to wait queue, until -the client recovered. Then the stat command is hung. - -When discover server trunking, the client will renew the lease, -but check the client state, it lead the client state corruption. - -So, we need to call state manager to recover it when detect server -ip trunking. - -Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> -Cc: stable@vger.kernel.org -Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/nfs/nfs4state.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/fs/nfs/nfs4state.c -+++ b/fs/nfs/nfs4state.c -@@ -140,6 +140,10 @@ int nfs40_discover_server_trunking(struc - /* Sustain the lease, even if it's empty. If the clientid4 - * goes stale it's of no use for trunking discovery. */ - nfs4_schedule_state_renewal(*result); -+ -+ /* If the client state need to recover, do it. */ -+ if (clp->cl_state) -+ nfs4_schedule_state_manager(clp); - } - out: - return status; diff --git a/pci-mark-atheros-ar9462-to-avoid-bus-reset.patch b/pci-mark-atheros-ar9462-to-avoid-bus-reset.patch deleted file mode 100644 index 2446aec..0000000 --- a/pci-mark-atheros-ar9462-to-avoid-bus-reset.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 6afb7e26978da5e86e57e540fdce65c8b04f398a Mon Sep 17 00:00:00 2001 -From: James Prestwood <james.prestwood@linux.intel.com> -Date: Mon, 7 Jan 2019 13:32:48 -0800 -Subject: PCI: Mark Atheros AR9462 to avoid bus reset - -From: James Prestwood <james.prestwood@linux.intel.com> - -commit 6afb7e26978da5e86e57e540fdce65c8b04f398a upstream. - -When using PCI passthrough with this device, the host machine locks up -completely when starting the VM, requiring a hard reboot. Add a quirk to -avoid bus resets on this device. - -Fixes: c3e59ee4e766 ("PCI: Mark Atheros AR93xx to avoid bus reset") -Link: https://lore.kernel.org/linux-pci/20190107213248.3034-1-james.prestwood@linux.intel.com -Signed-off-by: James Prestwood <james.prestwood@linux.intel.com> -Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> -CC: stable@vger.kernel.org # v3.14+ -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/pci/quirks.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -3082,6 +3082,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset); - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset); -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); - - #ifdef CONFIG_ACPI - /* diff --git a/pktgen-do-not-sleep-with-the-thread-lock-held.patch b/pktgen-do-not-sleep-with-the-thread-lock-held.patch deleted file mode 100644 index c1b803c..0000000 --- a/pktgen-do-not-sleep-with-the-thread-lock-held.patch +++ /dev/null @@ -1,96 +0,0 @@ -From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST -From: Paolo Abeni <pabeni@redhat.com> -Date: Thu, 6 Jun 2019 15:45:03 +0200 -Subject: pktgen: do not sleep with the thread lock held. - -From: Paolo Abeni <pabeni@redhat.com> - -[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ] - -Currently, the process issuing a "start" command on the pktgen procfs -interface, acquires the pktgen thread lock and never release it, until -all pktgen threads are completed. The above can blocks indefinitely any -other pktgen command and any (even unrelated) netdevice removal - as -the pktgen netdev notifier acquires the same lock. - -The issue is demonstrated by the following script, reported by Matteo: - -ip -b - <<'EOF' - link add type dummy - link add type veth - link set dummy0 up -EOF -modprobe pktgen -echo reset >/proc/net/pktgen/pgctrl -{ - echo rem_device_all - echo add_device dummy0 -} >/proc/net/pktgen/kpktgend_0 -echo count 0 >/proc/net/pktgen/dummy0 -echo start >/proc/net/pktgen/pgctrl & -sleep 1 -rmmod veth - -Fix the above releasing the thread lock around the sleep call. - -Additionally we must prevent racing with forcefull rmmod - as the -thread lock no more protects from them. Instead, acquire a self-reference -before waiting for any thread. As a side effect, running - -rmmod pktgen - -while some thread is running now fails with "module in use" error, -before this patch such command hanged indefinitely. - -Note: the issue predates the commit reported in the fixes tag, but -this fix can't be applied before the mentioned commit. - -v1 -> v2: - - no need to check for thread existence after flipping the lock, - pktgen threads are freed only at net exit time - - - -Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.") -Reported-and-tested-by: Matteo Croce <mcroce@redhat.com> -Signed-off-by: Paolo Abeni <pabeni@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/core/pktgen.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - ---- a/net/core/pktgen.c -+++ b/net/core/pktgen.c -@@ -3089,7 +3089,13 @@ static int pktgen_wait_thread_run(struct - { - while (thread_is_running(t)) { - -+ /* note: 't' will still be around even after the unlock/lock -+ * cycle because pktgen_thread threads are only cleared at -+ * net exit -+ */ -+ mutex_unlock(&pktgen_thread_lock); - msleep_interruptible(100); -+ mutex_lock(&pktgen_thread_lock); - - if (signal_pending(current)) - goto signal; -@@ -3104,6 +3110,10 @@ static int pktgen_wait_all_threads_run(s - struct pktgen_thread *t; - int sig = 1; - -+ /* prevent from racing with rmmod */ -+ if (!try_module_get(THIS_MODULE)) -+ return sig; -+ - mutex_lock(&pktgen_thread_lock); - - list_for_each_entry(t, &pn->pktgen_threads, th_list) { -@@ -3117,6 +3127,7 @@ static int pktgen_wait_all_threads_run(s - t->control |= (T_STOP); - - mutex_unlock(&pktgen_thread_lock); -+ module_put(THIS_MODULE); - return sig; - } - diff --git a/ppp-deflate-fix-possible-crash-in-deflate_init.patch b/ppp-deflate-fix-possible-crash-in-deflate_init.patch deleted file mode 100644 index 41726b0..0000000 --- a/ppp-deflate-fix-possible-crash-in-deflate_init.patch +++ /dev/null @@ -1,86 +0,0 @@ -From foo@baz Wed 22 May 2019 07:39:52 PM CEST -From: YueHaibing <yuehaibing@huawei.com> -Date: Tue, 14 May 2019 22:55:32 +0800 -Subject: ppp: deflate: Fix possible crash in deflate_init - -From: YueHaibing <yuehaibing@huawei.com> - -[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ] - -BUG: unable to handle kernel paging request at ffffffffa018f000 -PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0 -Oops: 0000 [#1] PREEMPT SMP -CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS -rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 -RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic] -Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0 -75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74 -RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287 -RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a -RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000 -RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080 -R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78 -FS: 00007f2339557540(0000) GS:ffff888237a00000(0000) -knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0 -Call Trace: - ? 0xffffffffa01a3000 - deflate_init+0x11/0x1000 [ppp_deflate] - ? 0xffffffffa01a3000 - do_one_initcall+0x6c/0x3cc - ? kmem_cache_alloc_trace+0x248/0x3b0 - do_init_module+0x5b/0x1f1 - load_module+0x1db1/0x2690 - ? m_show+0x1d0/0x1d0 - __do_sys_finit_module+0xc5/0xd0 - __x64_sys_finit_module+0x15/0x20 - do_syscall_64+0x6b/0x1d0 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -If ppp_deflate fails to register in deflate_init, -module initialization failed out, however -ppp_deflate_draft may has been regiestred and not -unregistered before return. -Then the seconed modprobe will trigger crash like this. - -Reported-by: Hulk Robot <hulkci@huawei.com> -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Acked-by: Guillaume Nault <gnault@redhat.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/ppp/ppp_deflate.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - ---- a/drivers/net/ppp/ppp_deflate.c -+++ b/drivers/net/ppp/ppp_deflate.c -@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_dra - - static int __init deflate_init(void) - { -- int answer = ppp_register_compressor(&ppp_deflate); -- if (answer == 0) -- printk(KERN_INFO -- "PPP Deflate Compression module registered\n"); -- ppp_register_compressor(&ppp_deflate_draft); -- return answer; -+ int rc; -+ -+ rc = ppp_register_compressor(&ppp_deflate); -+ if (rc) -+ return rc; -+ -+ rc = ppp_register_compressor(&ppp_deflate_draft); -+ if (rc) { -+ ppp_unregister_compressor(&ppp_deflate); -+ return rc; -+ } -+ -+ pr_info("PPP Deflate Compression module registered\n"); -+ return 0; - } - - static void __exit deflate_cleanup(void) diff --git a/revert-don-t-jump-to-compute_result-state-from-check_result-state.patch b/revert-don-t-jump-to-compute_result-state-from-check_result-state.patch deleted file mode 100644 index ef1503a..0000000 --- a/revert-don-t-jump-to-compute_result-state-from-check_result-state.patch +++ /dev/null @@ -1,54 +0,0 @@ -From a25d8c327bb41742dbd59f8c545f59f3b9c39983 Mon Sep 17 00:00:00 2001 -From: Song Liu <songliubraving@fb.com> -Date: Tue, 16 Apr 2019 09:34:21 -0700 -Subject: Revert "Don't jump to compute_result state from check_result state" - -From: Song Liu <songliubraving@fb.com> - -commit a25d8c327bb41742dbd59f8c545f59f3b9c39983 upstream. - -This reverts commit 4f4fd7c5798bbdd5a03a60f6269cf1177fbd11ef. - -Cc: Dan Williams <dan.j.williams@intel.com> -Cc: Nigel Croxon <ncroxon@redhat.com> -Cc: Xiao Ni <xni@redhat.com> -Signed-off-by: Song Liu <songliubraving@fb.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/md/raid5.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -3414,15 +3414,26 @@ static void handle_parity_checks6(struct - case check_state_check_result: - sh->check_state = check_state_idle; - -- if (s->failed > 1) -- break; - /* handle a successful check operation, if parity is correct - * we are done. Otherwise update the mismatch count and repair - * parity if !MD_RECOVERY_CHECK - */ - if (sh->ops.zero_sum_result == 0) { -- /* Any parity checked was correct */ -- set_bit(STRIPE_INSYNC, &sh->state); -+ /* both parities are correct */ -+ if (!s->failed) -+ set_bit(STRIPE_INSYNC, &sh->state); -+ else { -+ /* in contrast to the raid5 case we can validate -+ * parity, but still have a failure to write -+ * back -+ */ -+ sh->check_state = check_state_compute_result; -+ /* Returning at this point means that we may go -+ * off and bring p and/or q uptodate again so -+ * we make sure to check zero_sum_result again -+ * to verify if p or q need writeback -+ */ -+ } - } else { - atomic64_add(STRIPE_SECTORS, &conf->mddev->resync_mismatches); - if (test_bit(MD_RECOVERY_CHECK, &conf->mddev->recovery)) diff --git a/revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch b/revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch deleted file mode 100644 index a25ff99..0000000 --- a/revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 8acf608e602f6ec38b7cc37b04c80f1ce9a1a6cc Mon Sep 17 00:00:00 2001 -From: "Martin K. Petersen" <martin.petersen@oracle.com> -Date: Mon, 20 May 2019 10:57:18 -0400 -Subject: Revert "scsi: sd: Keep disk read-only when re-reading partition" - -From: Martin K. Petersen <martin.petersen@oracle.com> - -commit 8acf608e602f6ec38b7cc37b04c80f1ce9a1a6cc upstream. - -This reverts commit 20bd1d026aacc5399464f8328f305985c493cde3. - -This patch introduced regressions for devices that come online in -read-only state and subsequently switch to read-write. - -Given how the partition code is currently implemented it is not -possible to persist the read-only flag across a device revalidate -call. This may need to get addressed in the future since it is common -for user applications to proactively call BLKRRPART. - -Reverting this commit will re-introduce a regression where a -device-initiated revalidate event will cause the admin state to be -forgotten. A separate patch will address this issue. - -Fixes: 20bd1d026aac ("scsi: sd: Keep disk read-only when re-reading partition") -Cc: <stable@vger.kernel.org> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/scsi/sd.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/drivers/scsi/sd.c -+++ b/drivers/scsi/sd.c -@@ -2324,7 +2324,6 @@ sd_read_write_protect_flag(struct scsi_d - int res; - struct scsi_device *sdp = sdkp->device; - struct scsi_mode_data data; -- int disk_ro = get_disk_ro(sdkp->disk); - int old_wp = sdkp->write_prot; - - set_disk_ro(sdkp->disk, 0); -@@ -2365,7 +2364,7 @@ sd_read_write_protect_flag(struct scsi_d - "Test WP failed, assume Write Enabled\n"); - } else { - sdkp->write_prot = ((data.device_specific & 0x80) != 0); -- set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro); -+ set_disk_ro(sdkp->disk, sdkp->write_prot); - if (sdkp->first_scan || old_wp != sdkp->write_prot) { - sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n", - sdkp->write_prot ? "on" : "off"); diff --git a/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-ebusy-from-port_remove.patch b/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-ebusy-from-port_remove.patch deleted file mode 100644 index b2d4d46..0000000 --- a/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-ebusy-from-port_remove.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 Mon Sep 17 00:00:00 2001 -From: Steffen Maier <maier@linux.ibm.com> -Date: Thu, 23 May 2019 15:23:45 +0200 -Subject: scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove - -From: Steffen Maier <maier@linux.ibm.com> - -commit d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 upstream. - -With this early return due to zfcp_unit child(ren), we don't use the -zfcp_port reference from the earlier zfcp_get_port_by_wwpn() anymore and -need to put it. - -Signed-off-by: Steffen Maier <maier@linux.ibm.com> -Fixes: d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove") -Cc: <stable@vger.kernel.org> #3.7+ -Reviewed-by: Jens Remus <jremus@linux.ibm.com> -Reviewed-by: Benjamin Block <bblock@linux.ibm.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/s390/scsi/zfcp_sysfs.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/s390/scsi/zfcp_sysfs.c -+++ b/drivers/s390/scsi/zfcp_sysfs.c -@@ -261,6 +261,7 @@ static ssize_t zfcp_sysfs_port_remove_st - if (atomic_read(&port->units) > 0) { - retval = -EBUSY; - mutex_unlock(&zfcp_sysfs_port_units_mutex); -+ put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ - goto out; - } - /* port is about to be removed, so no more unit_add */ diff --git a/scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-scan-luns-only-sdevs.patch b/scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-scan-luns-only-sdevs.patch deleted file mode 100644 index ab9934e..0000000 --- a/scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-scan-luns-only-sdevs.patch +++ /dev/null @@ -1,186 +0,0 @@ -From ef4021fe5fd77ced0323cede27979d80a56211ca Mon Sep 17 00:00:00 2001 -From: Steffen Maier <maier@linux.ibm.com> -Date: Thu, 23 May 2019 15:23:46 +0200 -Subject: scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) - -From: Steffen Maier <maier@linux.ibm.com> - -commit ef4021fe5fd77ced0323cede27979d80a56211ca upstream. - -When the user tries to remove a zfcp port via sysfs, we only rejected it if -there are zfcp unit children under the port. With purely automatically -scanned LUNs there are no zfcp units but only SCSI devices. In such cases, -the port_remove erroneously continued. We close the port and this -implicitly closes all LUNs under the port. The SCSI devices survive with -their private zfcp_scsi_dev still holding a reference to the "removed" -zfcp_port (still allocated but invisible in sysfs) [zfcp_get_port_by_wwpn -in zfcp_scsi_slave_alloc]. This is not a problem as long as the fc_rport -stays blocked. Once (auto) port scan brings back the removed port, we -unblock its fc_rport again by design. However, there is no mechanism that -would recover (open) the LUNs under the port (no "ersfs_3" without -zfcp_unit [zfcp_erp_strategy_followup_success]). Any pending or new I/O to -such LUN leads to repeated: - - Done: NEEDS_RETRY Result: hostbyte=DID_IMM_RETRY driverbyte=DRIVER_OK - -See also v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race -with LUN recovery"). Even a manual LUN recovery -(echo 0 > /sys/bus/scsi/devices/H:C:T:L/zfcp_failed) -does not help, as the LUN links to the old "removed" port which remains -to lack ZFCP_STATUS_COMMON_RUNNING [zfcp_erp_required_act]. -The only workaround is to first ensure that the fc_rport is blocked -(e.g. port_remove again in case it was re-discovered by (auto) port scan), -then delete the SCSI devices, and finally re-discover by (auto) port scan. -The port scan includes an fc_rport unblock, which in turn triggers -a new scan on the scsi target to freshly get new pure auto scan LUNs. - -Fix this by rejecting port_remove also if there are SCSI devices -(even without any zfcp_unit) under this port. Re-use mechanics from v3.7 -commit d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove"). -However, we have to give up zfcp_sysfs_port_units_mutex earlier in unit_add -to prevent a deadlock with scsi_host scan taking shost->scan_mutex first -and then zfcp_sysfs_port_units_mutex now in our zfcp_scsi_slave_alloc(). - -Signed-off-by: Steffen Maier <maier@linux.ibm.com> -Fixes: b62a8d9b45b9 ("[SCSI] zfcp: Use SCSI device data zfcp scsi dev instead of zfcp unit") -Fixes: f8210e34887e ("[SCSI] zfcp: Allow midlayer to scan for LUNs when running in NPIV mode") -Cc: <stable@vger.kernel.org> #2.6.37+ -Reviewed-by: Benjamin Block <bblock@linux.ibm.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/s390/scsi/zfcp_ext.h | 1 - drivers/s390/scsi/zfcp_scsi.c | 9 ++++++ - drivers/s390/scsi/zfcp_sysfs.c | 54 ++++++++++++++++++++++++++++++++++++----- - drivers/s390/scsi/zfcp_unit.c | 8 +++++- - 4 files changed, 65 insertions(+), 7 deletions(-) - ---- a/drivers/s390/scsi/zfcp_ext.h -+++ b/drivers/s390/scsi/zfcp_ext.h -@@ -148,6 +148,7 @@ extern const struct attribute_group *zfc - extern struct mutex zfcp_sysfs_port_units_mutex; - extern struct device_attribute *zfcp_sysfs_sdev_attrs[]; - extern struct device_attribute *zfcp_sysfs_shost_attrs[]; -+bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port); - - /* zfcp_unit.c */ - extern int zfcp_unit_add(struct zfcp_port *, u64); ---- a/drivers/s390/scsi/zfcp_scsi.c -+++ b/drivers/s390/scsi/zfcp_scsi.c -@@ -147,6 +147,15 @@ static int zfcp_scsi_slave_alloc(struct - - zfcp_sdev->erp_action.port = port; - -+ mutex_lock(&zfcp_sysfs_port_units_mutex); -+ if (zfcp_sysfs_port_is_removing(port)) { -+ /* port is already gone */ -+ mutex_unlock(&zfcp_sysfs_port_units_mutex); -+ put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ -+ return -ENXIO; -+ } -+ mutex_unlock(&zfcp_sysfs_port_units_mutex); -+ - unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev)); - if (unit) - put_device(&unit->dev); ---- a/drivers/s390/scsi/zfcp_sysfs.c -+++ b/drivers/s390/scsi/zfcp_sysfs.c -@@ -235,6 +235,53 @@ static ZFCP_DEV_ATTR(adapter, port_resca - - DEFINE_MUTEX(zfcp_sysfs_port_units_mutex); - -+static void zfcp_sysfs_port_set_removing(struct zfcp_port *const port) -+{ -+ lockdep_assert_held(&zfcp_sysfs_port_units_mutex); -+ atomic_set(&port->units, -1); -+} -+ -+bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port) -+{ -+ lockdep_assert_held(&zfcp_sysfs_port_units_mutex); -+ return atomic_read(&port->units) == -1; -+} -+ -+static bool zfcp_sysfs_port_in_use(struct zfcp_port *const port) -+{ -+ struct zfcp_adapter *const adapter = port->adapter; -+ unsigned long flags; -+ struct scsi_device *sdev; -+ bool in_use = true; -+ -+ mutex_lock(&zfcp_sysfs_port_units_mutex); -+ if (atomic_read(&port->units) > 0) -+ goto unlock_port_units_mutex; /* zfcp_unit(s) under port */ -+ -+ spin_lock_irqsave(adapter->scsi_host->host_lock, flags); -+ __shost_for_each_device(sdev, adapter->scsi_host) { -+ const struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); -+ -+ if (sdev->sdev_state == SDEV_DEL || -+ sdev->sdev_state == SDEV_CANCEL) -+ continue; -+ if (zsdev->port != port) -+ continue; -+ /* alive scsi_device under port of interest */ -+ goto unlock_host_lock; -+ } -+ -+ /* port is about to be removed, so no more unit_add or slave_alloc */ -+ zfcp_sysfs_port_set_removing(port); -+ in_use = false; -+ -+unlock_host_lock: -+ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags); -+unlock_port_units_mutex: -+ mutex_unlock(&zfcp_sysfs_port_units_mutex); -+ return in_use; -+} -+ - static ssize_t zfcp_sysfs_port_remove_store(struct device *dev, - struct device_attribute *attr, - const char *buf, size_t count) -@@ -257,16 +304,11 @@ static ssize_t zfcp_sysfs_port_remove_st - else - retval = 0; - -- mutex_lock(&zfcp_sysfs_port_units_mutex); -- if (atomic_read(&port->units) > 0) { -+ if (zfcp_sysfs_port_in_use(port)) { - retval = -EBUSY; -- mutex_unlock(&zfcp_sysfs_port_units_mutex); - put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ - goto out; - } -- /* port is about to be removed, so no more unit_add */ -- atomic_set(&port->units, -1); -- mutex_unlock(&zfcp_sysfs_port_units_mutex); - - write_lock_irq(&adapter->port_list_lock); - list_del(&port->list); ---- a/drivers/s390/scsi/zfcp_unit.c -+++ b/drivers/s390/scsi/zfcp_unit.c -@@ -122,7 +122,7 @@ int zfcp_unit_add(struct zfcp_port *port - int retval = 0; - - mutex_lock(&zfcp_sysfs_port_units_mutex); -- if (atomic_read(&port->units) == -1) { -+ if (zfcp_sysfs_port_is_removing(port)) { - /* port is already gone */ - retval = -ENODEV; - goto out; -@@ -166,8 +166,14 @@ int zfcp_unit_add(struct zfcp_port *port - write_lock_irq(&port->unit_list_lock); - list_add_tail(&unit->list, &port->unit_list); - write_unlock_irq(&port->unit_list_lock); -+ /* -+ * lock order: shost->scan_mutex before zfcp_sysfs_port_units_mutex -+ * due to zfcp_unit_scsi_scan() => zfcp_scsi_slave_alloc() -+ */ -+ mutex_unlock(&zfcp_sysfs_port_units_mutex); - - zfcp_unit_scsi_scan(unit); -+ return retval; - - out: - mutex_unlock(&zfcp_sysfs_port_units_mutex); @@ -1,77 +1 @@ -crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch -crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch -alsa-usb-audio-fix-a-memory-leak-bug.patch -alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch -alsa-hda-realtek-eapd-turn-on-later.patch -asoc-max98090-fix-restore-of-dapm-muxes.patch -mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch -tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch -ext4-actually-request-zeroing-of-inode-table-after-grow.patch -bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch -bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch -crypto-salsa20-don-t-access-already-freed-walk.iv.patch -crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch -ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch -alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch -kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch -net-avoid-weird-emergency-message.patch -net-mlx4_core-change-the-error-print-to-info-print.patch -ppp-deflate-fix-possible-crash-in-deflate_init.patch -cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch -media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch -nfs4-fix-v4.0-client-state-corruption-when-mount.patch -clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch -fuse-fix-writepages-on-32bit.patch -fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch -ceph-flush-dirty-inodes-before-proceeding-with-remount.patch -tracing-fix-partial-reading-of-trace-event-s-id-file.patch -pci-mark-atheros-ar9462-to-avoid-bus-reset.patch -dm-delay-fix-a-crash-when-invalid-device-is-specified.patch -xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch -xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch -vti4-ipip-tunnel-deregistration-fixes.patch -alsa-usb-audio-fix-uaf-decrement-if-card-has-no-live-interfaces-in-card.c.patch -revert-don-t-jump-to-compute_result-state-from-check_result-state.patch -md-raid-raid5-preserve-the-writeback-action-after-the-parity-check.patch -ext4-do-not-delete-unlinked-inode-from-orphan-list-on-failed-truncate.patch -revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch -fbdev-fix-divide-error-in-fb_var_to_videomode.patch -fbdev-fix-warning-in-__alloc_pages_nodemask-bug.patch -media-cpia2-fix-use-after-free-in-cpia2_exit.patch -media-vivid-use-vfree-instead-of-kfree-for-dev-bitmap_cap.patch -at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch -x86-purgatory-build-suppress-kexec-purgatory.c-is-up-to-date-message.patch -ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch -llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch -net-gro-fix-use-after-free-read-in-napi_gro_frags.patch -usbnet-fix-kernel-crash-after-disconnect.patch -tipc-avoid-copying-bytes-beyond-the-supplied-data.patch -net-stmmac-fix-reset-gpio-free-missing.patch -net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch -usb-xhci-avoid-null-pointer-deref-when-bos-field-is-null.patch -usb-fix-slab-out-of-bounds-write-in-usb_get_bos_descriptor.patch -usb-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch -usb-add-lpm-quirk-for-surface-dock-gige-adapter.patch -usb-rio500-refuse-more-than-one-device-at-a-time.patch -usb-rio500-fix-memory-leak-in-close-after-disconnect.patch -media-usb-siano-fix-general-protection-fault-in-smsusb.patch -media-usb-siano-fix-false-positive-uninitialized-variable-warning.patch -scsi-zfcp-fix-missing-zfcp_port-reference-put-on-ebusy-from-port_remove.patch -scsi-zfcp-fix-to-prevent-port_remove-with-pure-auto-scan-luns-only-sdevs.patch -btrfs-fix-race-updating-log-root-item-during-fsync.patch -tty-max310x-fix-external-crystal-register-setup.patch -kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch -cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch -usb-gadget-fix-request-length-error-for-isoc-transfer.patch -media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch -ethtool-fix-potential-userspace-buffer-overflow.patch -net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch -pktgen-do-not-sleep-with-the-thread-lock-held.patch -crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch -fuse-fallocate-fix-return-with-locked-inode.patch -genwqe-prevent-an-integer-overflow-in-the-ioctl.patch -drm-gma500-cdv-check-vbt-config-bits-when-detecting-lvds-panels.patch -fs-stream_open-opener-for-stream-like-files-so-that-read-and-write-can-run-simultaneously-without-deadlock.patch -fuse-add-fopen_stream-to-use-stream_open.patch -ethtool-check-the-return-value-of-get_regs_len.patch -crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch +futex-fix-futex-lock-the-wrong-page.patch diff --git a/tipc-avoid-copying-bytes-beyond-the-supplied-data.patch b/tipc-avoid-copying-bytes-beyond-the-supplied-data.patch deleted file mode 100644 index 9a6d81a..0000000 --- a/tipc-avoid-copying-bytes-beyond-the-supplied-data.patch +++ /dev/null @@ -1,67 +0,0 @@ -From foo@baz Fri 31 May 2019 04:27:54 PM PDT -From: Chris Packham <chris.packham@alliedtelesis.co.nz> -Date: Mon, 20 May 2019 15:45:36 +1200 -Subject: tipc: Avoid copying bytes beyond the supplied data - -From: Chris Packham <chris.packham@alliedtelesis.co.nz> - -TLV_SET is called with a data pointer and a len parameter that tells us -how many bytes are pointed to by data. When invoking memcpy() we need -to careful to only copy len bytes. - -Previously we would copy TLV_LENGTH(len) bytes which would copy an extra -4 bytes past the end of the data pointer which newer GCC versions -complain about. - - In file included from test.c:17: - In function 'TLV_SET', - inlined from 'test' at test.c:186:5: - /usr/include/linux/tipc_config.h:317:3: - warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32] - of object 'bearer_name' with type 'char[32]' [-Warray-bounds] - memcpy(TLV_DATA(tlv_ptr), data, tlv_len); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - test.c: In function 'test': - test.c::161:10: note: - 'bearer_name' declared here - char bearer_name[TIPC_MAX_BEARER_NAME]; - ^~~~~~~~~~~ - -We still want to ensure any padding bytes at the end are initialised, do -this with a explicit memset() rather than copy bytes past the end of -data. Apply the same logic to TCM_SET. - -Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - include/uapi/linux/tipc_config.h | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/include/uapi/linux/tipc_config.h -+++ b/include/uapi/linux/tipc_config.h -@@ -281,8 +281,10 @@ static inline int TLV_SET(void *tlv, __u - tlv_ptr = (struct tlv_desc *)tlv; - tlv_ptr->tlv_type = htons(type); - tlv_ptr->tlv_len = htons(tlv_len); -- if (len && data) -- memcpy(TLV_DATA(tlv_ptr), data, tlv_len); -+ if (len && data) { -+ memcpy(TLV_DATA(tlv_ptr), data, len); -+ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len); -+ } - return TLV_SPACE(len); - } - -@@ -379,8 +381,10 @@ static inline int TCM_SET(void *msg, __u - tcm_hdr->tcm_len = htonl(msg_len); - tcm_hdr->tcm_type = htons(cmd); - tcm_hdr->tcm_flags = htons(flags); -- if (data_len && data) -+ if (data_len && data) { - memcpy(TCM_DATA(msg), data, data_len); -+ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len); -+ } - return TCM_SPACE(data_len); - } - diff --git a/tracing-fix-partial-reading-of-trace-event-s-id-file.patch b/tracing-fix-partial-reading-of-trace-event-s-id-file.patch deleted file mode 100644 index fe8c548..0000000 --- a/tracing-fix-partial-reading-of-trace-event-s-id-file.patch +++ /dev/null @@ -1,77 +0,0 @@ -From cbe08bcbbe787315c425dde284dcb715cfbf3f39 Mon Sep 17 00:00:00 2001 -From: Elazar Leibovich <elazar@lightbitslabs.com> -Date: Mon, 31 Dec 2018 13:58:37 +0200 -Subject: tracing: Fix partial reading of trace event's id file - -From: Elazar Leibovich <elazar@lightbitslabs.com> - -commit cbe08bcbbe787315c425dde284dcb715cfbf3f39 upstream. - -When reading only part of the id file, the ppos isn't tracked correctly. -This is taken care by simple_read_from_buffer. - -Reading a single byte, and then the next byte would result EOF. - -While this seems like not a big deal, this breaks abstractions that -reads information from files unbuffered. See for example -https://github.com/golang/go/issues/29399 - -This code was mentioned as problematic in -commit cd458ba9d5a5 -("tracing: Do not (ab)use trace_seq in event_id_read()") - -An example C code that show this bug is: - - #include <stdio.h> - #include <stdint.h> - - #include <sys/types.h> - #include <sys/stat.h> - #include <fcntl.h> - #include <unistd.h> - - int main(int argc, char **argv) { - if (argc < 2) - return 1; - int fd = open(argv[1], O_RDONLY); - char c; - read(fd, &c, 1); - printf("First %c\n", c); - read(fd, &c, 1); - printf("Second %c\n", c); - } - -Then run with, e.g. - - sudo ./a.out /sys/kernel/debug/tracing/events/tcp/tcp_set_state/id - -You'll notice you're getting the first character twice, instead of the -first two characters in the id file. - -Link: http://lkml.kernel.org/r/20181231115837.4932-1-elazar@lightbitslabs.com - -Cc: Orit Wasserman <orit.was@gmail.com> -Cc: Oleg Nesterov <oleg@redhat.com> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: stable@vger.kernel.org -Fixes: 23725aeeab10b ("ftrace: provide an id file for each event") -Signed-off-by: Elazar Leibovich <elazar@lightbitslabs.com> -Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - kernel/trace/trace_events.c | 3 --- - 1 file changed, 3 deletions(-) - ---- a/kernel/trace/trace_events.c -+++ b/kernel/trace/trace_events.c -@@ -1009,9 +1009,6 @@ event_id_read(struct file *filp, char __ - char buf[32]; - int len; - -- if (*ppos) -- return 0; -- - if (unlikely(!id)) - return -ENODEV; - diff --git a/tty-max310x-fix-external-crystal-register-setup.patch b/tty-max310x-fix-external-crystal-register-setup.patch deleted file mode 100644 index 5f46c3a..0000000 --- a/tty-max310x-fix-external-crystal-register-setup.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 5d24f455c182d5116dd5db8e1dc501115ecc9c2c Mon Sep 17 00:00:00 2001 -From: Joe Burmeister <joe.burmeister@devtank.co.uk> -Date: Mon, 13 May 2019 11:23:57 +0100 -Subject: tty: max310x: Fix external crystal register setup - -From: Joe Burmeister <joe.burmeister@devtank.co.uk> - -commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream. - -The datasheet states: - - Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking -(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable -clocking - Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal -oscillator. When using an external clock source at XIN, CrystalEn must -be set low. - -The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not. - -This was required to make the MAX3107 with an external crystal on our -board able to send or receive data. - -Signed-off-by: Joe Burmeister <joe.burmeister@devtank.co.uk> -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/tty/serial/max310x.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/tty/serial/max310x.c -+++ b/drivers/tty/serial/max310x.c -@@ -568,7 +568,7 @@ static int max310x_set_ref_clk(struct ma - } - - /* Configure clock source */ -- clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT; -+ clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0); - - /* Configure PLL */ - if (pllcfg) { diff --git a/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch b/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch deleted file mode 100644 index 69382db..0000000 --- a/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch +++ /dev/null @@ -1,183 +0,0 @@ -From 46ca3f735f345c9d87383dd3a09fa5d43870770e Mon Sep 17 00:00:00 2001 -From: Sergei Trofimovich <slyfox@gentoo.org> -Date: Sun, 10 Mar 2019 21:24:15 +0000 -Subject: tty/vt: fix write/write race in ioctl(KDSKBSENT) handler - -From: Sergei Trofimovich <slyfox@gentoo.org> - -commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream. - -The bug manifests as an attempt to access deallocated memory: - - BUG: unable to handle kernel paging request at ffff9c8735448000 - #PF error: [PROT] [WRITE] - PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161 - Oops: 0003 [#1] PREEMPT SMP - CPU: 6 PID: 388 Comm: loadkeys Tainted: G C 5.0.0-rc6-00153-g5ded5871030e #91 - Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013 - RIP: 0010:__memmove+0x81/0x1a0 - Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49 - RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203 - RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf - RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb - RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b - R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000 - R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c - FS: 00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0 - Call Trace: - vt_do_kdgkb_ioctl+0x34d/0x440 - vt_ioctl+0xba3/0x1190 - ? __bpf_prog_run32+0x39/0x60 - ? mem_cgroup_commit_charge+0x7b/0x4e0 - tty_ioctl+0x23f/0x920 - ? preempt_count_sub+0x98/0xe0 - ? __seccomp_filter+0x67/0x600 - do_vfs_ioctl+0xa2/0x6a0 - ? syscall_trace_enter+0x192/0x2d0 - ksys_ioctl+0x3a/0x70 - __x64_sys_ioctl+0x16/0x20 - do_syscall_64+0x54/0xe0 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -The bug manifests on systemd systems with multiple vtcon devices: - # cat /sys/devices/virtual/vtconsole/vtcon0/name - (S) dummy device - # cat /sys/devices/virtual/vtconsole/vtcon1/name - (M) frame buffer device - -There systemd runs 'loadkeys' tool in tapallel for each vtcon -instance. This causes two parallel ioctl(KDSKBSENT) calls to -race into adding the same entry into 'func_table' array at: - - drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl() - -The function has no locking around writes to 'func_table'. - -The simplest reproducer is to have initrams with the following -init on a 8-CPU machine x86_64: - - #!/bin/sh - - loadkeys -q windowkeys ru4 & - loadkeys -q windowkeys ru4 & - loadkeys -q windowkeys ru4 & - loadkeys -q windowkeys ru4 & - - loadkeys -q windowkeys ru4 & - loadkeys -q windowkeys ru4 & - loadkeys -q windowkeys ru4 & - loadkeys -q windowkeys ru4 & - wait - -The change adds lock on write path only. Reads are still racy. - -CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -CC: Jiri Slaby <jslaby@suse.com> -Link: https://lkml.org/lkml/2019/2/17/256 -Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/tty/vt/keyboard.c | 33 +++++++++++++++++++++++++++------ - 1 file changed, 27 insertions(+), 6 deletions(-) - ---- a/drivers/tty/vt/keyboard.c -+++ b/drivers/tty/vt/keyboard.c -@@ -120,6 +120,7 @@ static const int NR_TYPES = ARRAY_SIZE(m - static struct input_handler kbd_handler; - static DEFINE_SPINLOCK(kbd_event_lock); - static DEFINE_SPINLOCK(led_lock); -+static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */ - static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */ - static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */ - static bool dead_key_next; -@@ -1865,11 +1866,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb - char *p; - u_char *q; - u_char __user *up; -- int sz; -+ int sz, fnw_sz; - int delta; - char *first_free, *fj, *fnw; - int i, j, k; - int ret; -+ unsigned long flags; - - if (!capable(CAP_SYS_TTY_CONFIG)) - perm = 0; -@@ -1912,7 +1914,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb - goto reterr; - } - -+ fnw = NULL; -+ fnw_sz = 0; -+ /* race aginst other writers */ -+ again: -+ spin_lock_irqsave(&func_buf_lock, flags); - q = func_table[i]; -+ -+ /* fj pointer to next entry after 'q' */ - first_free = funcbufptr + (funcbufsize - funcbufleft); - for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++) - ; -@@ -1920,10 +1929,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb - fj = func_table[j]; - else - fj = first_free; -- -+ /* buffer usage increase by new entry */ - delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string); -+ - if (delta <= funcbufleft) { /* it fits in current buf */ - if (j < MAX_NR_FUNC) { -+ /* make enough space for new entry at 'fj' */ - memmove(fj + delta, fj, first_free - fj); - for (k = j; k < MAX_NR_FUNC; k++) - if (func_table[k]) -@@ -1936,20 +1947,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb - sz = 256; - while (sz < funcbufsize - funcbufleft + delta) - sz <<= 1; -- fnw = kmalloc(sz, GFP_KERNEL); -- if(!fnw) { -- ret = -ENOMEM; -- goto reterr; -+ if (fnw_sz != sz) { -+ spin_unlock_irqrestore(&func_buf_lock, flags); -+ kfree(fnw); -+ fnw = kmalloc(sz, GFP_KERNEL); -+ fnw_sz = sz; -+ if (!fnw) { -+ ret = -ENOMEM; -+ goto reterr; -+ } -+ goto again; - } - - if (!q) - func_table[i] = fj; -+ /* copy data before insertion point to new location */ - if (fj > funcbufptr) - memmove(fnw, funcbufptr, fj - funcbufptr); - for (k = 0; k < j; k++) - if (func_table[k]) - func_table[k] = fnw + (func_table[k] - funcbufptr); - -+ /* copy data after insertion point to new location */ - if (first_free > fj) { - memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj); - for (k = j; k < MAX_NR_FUNC; k++) -@@ -1962,7 +1981,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb - funcbufleft = funcbufleft - delta + sz - funcbufsize; - funcbufsize = sz; - } -+ /* finally insert item itself */ - strcpy(func_table[i], kbs->kb_string); -+ spin_unlock_irqrestore(&func_buf_lock, flags); - break; - } - ret = 0; diff --git a/usb-add-lpm-quirk-for-surface-dock-gige-adapter.patch b/usb-add-lpm-quirk-for-surface-dock-gige-adapter.patch deleted file mode 100644 index 5cd85b5..0000000 --- a/usb-add-lpm-quirk-for-surface-dock-gige-adapter.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ea261113385ac0a71c2838185f39e8452d54b152 Mon Sep 17 00:00:00 2001 -From: Maximilian Luz <luzmaximilian@gmail.com> -Date: Thu, 16 May 2019 17:08:31 +0200 -Subject: USB: Add LPM quirk for Surface Dock GigE adapter - -From: Maximilian Luz <luzmaximilian@gmail.com> - -commit ea261113385ac0a71c2838185f39e8452d54b152 upstream. - -Without USB_QUIRK_NO_LPM ethernet will not work and rtl8152 will -complain with - - r8152 <device...>: Stop submitting intr, status -71 - -Adding the quirk resolves this. As the dock is externally powered, this -should not have any drawbacks. - -Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com> -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/core/quirks.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/usb/core/quirks.c -+++ b/drivers/usb/core/quirks.c -@@ -56,6 +56,9 @@ static const struct usb_device_id usb_qu - /* Microsoft LifeCam-VX700 v2.0 */ - { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME }, - -+ /* Microsoft Surface Dock Ethernet (RTL8153 GigE) */ -+ { USB_DEVICE(0x045e, 0x07c6), .driver_info = USB_QUIRK_NO_LPM }, -+ - /* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */ - { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME }, - diff --git a/usb-fix-slab-out-of-bounds-write-in-usb_get_bos_descriptor.patch b/usb-fix-slab-out-of-bounds-write-in-usb_get_bos_descriptor.patch deleted file mode 100644 index 376197a..0000000 --- a/usb-fix-slab-out-of-bounds-write-in-usb_get_bos_descriptor.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a03ff54460817c76105f81f3aa8ef655759ccc9a Mon Sep 17 00:00:00 2001 -From: Alan Stern <stern@rowland.harvard.edu> -Date: Mon, 13 May 2019 13:14:29 -0400 -Subject: USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor - -From: Alan Stern <stern@rowland.harvard.edu> - -commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream. - -The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the -USB core, caused by a failure to check the actual size of a BOS -descriptor. This patch adds a check to make sure the descriptor is at -least as large as it is supposed to be, so that the code doesn't -inadvertently access memory beyond the end of the allocated region -when assigning to dev->bos->desc->bNumDeviceCaps later on. - -Signed-off-by: Alan Stern <stern@rowland.harvard.edu> -Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com -CC: <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/core/config.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/usb/core/config.c -+++ b/drivers/usb/core/config.c -@@ -818,8 +818,8 @@ int usb_get_bos_descriptor(struct usb_de - - /* Get BOS descriptor */ - ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); -- if (ret < USB_DT_BOS_SIZE) { -- dev_err(ddev, "unable to get BOS descriptor\n"); -+ if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { -+ dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); - if (ret >= 0) - ret = -ENOMSG; - kfree(bos); diff --git a/usb-gadget-fix-request-length-error-for-isoc-transfer.patch b/usb-gadget-fix-request-length-error-for-isoc-transfer.patch deleted file mode 100644 index b4d3db5..0000000 --- a/usb-gadget-fix-request-length-error-for-isoc-transfer.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 Mon Sep 17 00:00:00 2001 -From: Peter Chen <peter.chen@nxp.com> -Date: Tue, 8 Nov 2016 10:08:24 +0800 -Subject: usb: gadget: fix request length error for isoc transfer - -From: Peter Chen <peter.chen@nxp.com> - -commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream. - -For isoc endpoint descriptor, the wMaxPacketSize is not real max packet -size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specifcation), -it may contain the number of packet, so the real max packet should be -ep->desc->wMaxPacketSize && 0x7ff. - -Cc: Felipe F. Tonello <eu@felipetonello.com> -Cc: Felipe Balbi <felipe.balbi@linux.intel.com> -Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe - endianness and new usb_ep_aligna") - -Signed-off-by: Peter Chen <peter.chen@nxp.com> -Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> -Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - include/linux/usb/gadget.h | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/include/linux/usb/gadget.h -+++ b/include/linux/usb/gadget.h -@@ -590,7 +590,9 @@ static inline struct usb_gadget *dev_to_ - */ - static inline size_t usb_ep_align(struct usb_ep *ep, size_t len) - { -- return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize)); -+ int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff; -+ -+ return round_up(len, max_packet_size); - } - - /** diff --git a/usb-rio500-fix-memory-leak-in-close-after-disconnect.patch b/usb-rio500-fix-memory-leak-in-close-after-disconnect.patch deleted file mode 100644 index ac32e9d..0000000 --- a/usb-rio500-fix-memory-leak-in-close-after-disconnect.patch +++ /dev/null @@ -1,47 +0,0 @@ -From e0feb73428b69322dd5caae90b0207de369b5575 Mon Sep 17 00:00:00 2001 -From: Oliver Neukum <oneukum@suse.com> -Date: Thu, 9 May 2019 11:30:59 +0200 -Subject: USB: rio500: fix memory leak in close after disconnect - -From: Oliver Neukum <oneukum@suse.com> - -commit e0feb73428b69322dd5caae90b0207de369b5575 upstream. - -If a disconnected device is closed, rio_close() must free -the buffers. - -Signed-off-by: Oliver Neukum <oneukum@suse.com> -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/rio500.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - ---- a/drivers/usb/misc/rio500.c -+++ b/drivers/usb/misc/rio500.c -@@ -103,9 +103,22 @@ static int close_rio(struct inode *inode - { - struct rio_usb_data *rio = &rio_instance; - -- rio->isopen = 0; -+ /* against disconnect() */ -+ mutex_lock(&rio500_mutex); -+ mutex_lock(&(rio->lock)); - -- dev_info(&rio->rio_dev->dev, "Rio closed.\n"); -+ rio->isopen = 0; -+ if (!rio->present) { -+ /* cleanup has been delayed */ -+ kfree(rio->ibuf); -+ kfree(rio->obuf); -+ rio->ibuf = NULL; -+ rio->obuf = NULL; -+ } else { -+ dev_info(&rio->rio_dev->dev, "Rio closed.\n"); -+ } -+ mutex_unlock(&(rio->lock)); -+ mutex_unlock(&rio500_mutex); - return 0; - } - diff --git a/usb-rio500-refuse-more-than-one-device-at-a-time.patch b/usb-rio500-refuse-more-than-one-device-at-a-time.patch deleted file mode 100644 index eec3f33..0000000 --- a/usb-rio500-refuse-more-than-one-device-at-a-time.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 3864d33943b4a76c6e64616280e98d2410b1190f Mon Sep 17 00:00:00 2001 -From: Oliver Neukum <oneukum@suse.com> -Date: Thu, 9 May 2019 11:30:58 +0200 -Subject: USB: rio500: refuse more than one device at a time - -From: Oliver Neukum <oneukum@suse.com> - -commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream. - -This driver is using a global variable. It cannot handle more than -one device at a time. The issue has been existing since the dawn -of the driver. - -Signed-off-by: Oliver Neukum <oneukum@suse.com> -Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/rio500.c | 24 ++++++++++++++++++------ - 1 file changed, 18 insertions(+), 6 deletions(-) - ---- a/drivers/usb/misc/rio500.c -+++ b/drivers/usb/misc/rio500.c -@@ -464,15 +464,23 @@ static int probe_rio(struct usb_interfac - { - struct usb_device *dev = interface_to_usbdev(intf); - struct rio_usb_data *rio = &rio_instance; -- int retval; -+ int retval = 0; - -- dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); -+ mutex_lock(&rio500_mutex); -+ if (rio->present) { -+ dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum); -+ retval = -EBUSY; -+ goto bail_out; -+ } else { -+ dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); -+ } - - retval = usb_register_dev(intf, &usb_rio_class); - if (retval) { - dev_err(&dev->dev, - "Not able to get a minor for this device.\n"); -- return -ENOMEM; -+ retval = -ENOMEM; -+ goto bail_out; - } - - rio->rio_dev = dev; -@@ -481,7 +489,8 @@ static int probe_rio(struct usb_interfac - dev_err(&dev->dev, - "probe_rio: Not enough memory for the output buffer\n"); - usb_deregister_dev(intf, &usb_rio_class); -- return -ENOMEM; -+ retval = -ENOMEM; -+ goto bail_out; - } - dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf); - -@@ -490,7 +499,8 @@ static int probe_rio(struct usb_interfac - "probe_rio: Not enough memory for the input buffer\n"); - usb_deregister_dev(intf, &usb_rio_class); - kfree(rio->obuf); -- return -ENOMEM; -+ retval = -ENOMEM; -+ goto bail_out; - } - dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf); - -@@ -498,8 +508,10 @@ static int probe_rio(struct usb_interfac - - usb_set_intfdata (intf, rio); - rio->present = 1; -+bail_out: -+ mutex_unlock(&rio500_mutex); - -- return 0; -+ return retval; - } - - static void disconnect_rio(struct usb_interface *intf) diff --git a/usb-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch b/usb-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch deleted file mode 100644 index 93ec2c7..0000000 --- a/usb-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 9a5729f68d3a82786aea110b1bfe610be318f80a Mon Sep 17 00:00:00 2001 -From: Oliver Neukum <oneukum@suse.com> -Date: Thu, 9 May 2019 14:41:50 +0200 -Subject: USB: sisusbvga: fix oops in error path of sisusb_probe - -From: Oliver Neukum <oneukum@suse.com> - -commit 9a5729f68d3a82786aea110b1bfe610be318f80a upstream. - -The pointer used to log a failure of usb_register_dev() must -be set before the error is logged. - -v2: fix that minor is not available before registration - -Signed-off-by: oliver Neukum <oneukum@suse.com> -Reported-by: syzbot+a0cbdbd6d169020c8959@syzkaller.appspotmail.com -Fixes: 7b5cd5fefbe02 ("USB: SisUSB2VGA: Convert printk to dev_* macros") -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/sisusbvga/sisusb.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - ---- a/drivers/usb/misc/sisusbvga/sisusb.c -+++ b/drivers/usb/misc/sisusbvga/sisusb.c -@@ -3093,6 +3093,13 @@ static int sisusb_probe(struct usb_inter - - mutex_init(&(sisusb->lock)); - -+ sisusb->sisusb_dev = dev; -+ sisusb->vrambase = SISUSB_PCI_MEMBASE; -+ sisusb->mmiobase = SISUSB_PCI_MMIOBASE; -+ sisusb->mmiosize = SISUSB_PCI_MMIOSIZE; -+ sisusb->ioportbase = SISUSB_PCI_IOPORTBASE; -+ /* Everything else is zero */ -+ - /* Register device */ - if ((retval = usb_register_dev(intf, &usb_sisusb_class))) { - dev_err(&sisusb->sisusb_dev->dev, "Failed to get a minor for device %d\n", -@@ -3101,13 +3108,7 @@ static int sisusb_probe(struct usb_inter - goto error_1; - } - -- sisusb->sisusb_dev = dev; -- sisusb->minor = intf->minor; -- sisusb->vrambase = SISUSB_PCI_MEMBASE; -- sisusb->mmiobase = SISUSB_PCI_MMIOBASE; -- sisusb->mmiosize = SISUSB_PCI_MMIOSIZE; -- sisusb->ioportbase = SISUSB_PCI_IOPORTBASE; -- /* Everything else is zero */ -+ sisusb->minor = intf->minor; - - /* Allocate buffers */ - sisusb->ibufsize = SISUSB_IBUF_SIZE; diff --git a/usb-xhci-avoid-null-pointer-deref-when-bos-field-is-null.patch b/usb-xhci-avoid-null-pointer-deref-when-bos-field-is-null.patch deleted file mode 100644 index d1d6e23..0000000 --- a/usb-xhci-avoid-null-pointer-deref-when-bos-field-is-null.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e Mon Sep 17 00:00:00 2001 -From: Carsten Schmid <carsten_schmid@mentor.com> -Date: Wed, 22 May 2019 14:33:59 +0300 -Subject: usb: xhci: avoid null pointer deref when bos field is NULL - -From: Carsten Schmid <carsten_schmid@mentor.com> - -commit 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e upstream. - -With defective USB sticks we see the following error happen: -usb 1-3: new high-speed USB device number 6 using xhci_hcd -usb 1-3: device descriptor read/64, error -71 -usb 1-3: device descriptor read/64, error -71 -usb 1-3: new high-speed USB device number 7 using xhci_hcd -usb 1-3: device descriptor read/64, error -71 -usb 1-3: unable to get BOS descriptor set -usb 1-3: New USB device found, idVendor=0781, idProduct=5581 -usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 -... -BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 - -This comes from the following place: -[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] -[ 1660.222092] PGD 0 P4D 0 -[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI -[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P U W O 4.14.67-apl #1 -[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore] -[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000 -[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] -[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046 -[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002 -[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2 -[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001 -[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000 -[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000 -[ 1660.499494] FS: 0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000 -[ 1660.508530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0 -[ 1660.522917] Call Trace: -[ 1660.525657] usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore] -[ 1660.531792] usb_disable_device+0x242/0x260 [usbcore] -[ 1660.537439] usb_disconnect+0xc1/0x2b0 [usbcore] -[ 1660.542600] hub_event+0x596/0x18f0 [usbcore] -[ 1660.547467] ? trace_preempt_on+0xdf/0x100 -[ 1660.552040] ? process_one_work+0x1c1/0x410 -[ 1660.556708] process_one_work+0x1d2/0x410 -[ 1660.561184] ? preempt_count_add.part.3+0x21/0x60 -[ 1660.566436] worker_thread+0x2d/0x3f0 -[ 1660.570522] kthread+0x122/0x140 -[ 1660.574123] ? process_one_work+0x410/0x410 -[ 1660.578792] ? kthread_create_on_node+0x60/0x60 -[ 1660.583849] ret_from_fork+0x3a/0x50 -[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00 -[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70 -[ 1660.617921] CR2: 0000000000000008 - -Tracking this down shows that udev->bos is NULL in the following code: -(xhci.c, in xhci_set_usb2_hardware_lpm) - field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); <<<<<<< here - - xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", - enable ? "enable" : "disable", port_num + 1); - - if (enable) { - /* Host supports BESL timeout instead of HIRD */ - if (udev->usb2_hw_lpm_besl_capable) { - /* if device doesn't have a preferred BESL value use a - * default one which works with mixed HIRD and BESL - * systems. See XHCI_DEFAULT_BESL definition in xhci.h - */ - if ((field & USB_BESL_SUPPORT) && - (field & USB_BESL_BASELINE_VALID)) - hird = USB_GET_BESL_BASELINE(field); - else - hird = udev->l1_params.besl; - -The failing case is when disabling LPM. So it is sufficient to avoid -access to udev->bos by moving the instruction into the "enable" clause. - -Cc: Stable <stable@vger.kernel.org> -Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com> -Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/host/xhci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -4137,7 +4137,6 @@ int xhci_set_usb2_hardware_lpm(struct us - pm_addr = port_array[port_num] + PORTPMSC; - pm_val = readl(pm_addr); - hlpm_addr = port_array[port_num] + PORTHLPMC; -- field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); - - xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", - enable ? "enable" : "disable", port_num + 1); -@@ -4149,6 +4148,7 @@ int xhci_set_usb2_hardware_lpm(struct us - * default one which works with mixed HIRD and BESL - * systems. See XHCI_DEFAULT_BESL definition in xhci.h - */ -+ field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); - if ((field & USB_BESL_SUPPORT) && - (field & USB_BESL_BASELINE_VALID)) - hird = USB_GET_BESL_BASELINE(field); diff --git a/usbnet-fix-kernel-crash-after-disconnect.patch b/usbnet-fix-kernel-crash-after-disconnect.patch deleted file mode 100644 index 19e3168..0000000 --- a/usbnet-fix-kernel-crash-after-disconnect.patch +++ /dev/null @@ -1,90 +0,0 @@ -From foo@baz Fri 31 May 2019 04:27:54 PM PDT -From: Kloetzke Jan <Jan.Kloetzke@preh.de> -Date: Tue, 21 May 2019 13:18:40 +0000 -Subject: usbnet: fix kernel crash after disconnect - -From: Kloetzke Jan <Jan.Kloetzke@preh.de> - -[ Upstream commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d ] - -When disconnecting cdc_ncm the kernel sporadically crashes shortly -after the disconnect: - - [ 57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000 - ... - [ 58.006653] PC is at 0x0 - [ 58.009202] LR is at call_timer_fn+0xec/0x1b4 - [ 58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145 - [ 58.020976] sp : ffffff8008003da0 - [ 58.024295] x29: ffffff8008003da0 x28: 0000000000000001 - [ 58.029618] x27: 000000000000000a x26: 0000000000000100 - [ 58.034941] x25: 0000000000000000 x24: ffffff8008003e68 - [ 58.040263] x23: 0000000000000000 x22: 0000000000000000 - [ 58.045587] x21: 0000000000000000 x20: ffffffc68fac1808 - [ 58.050910] x19: 0000000000000100 x18: 0000000000000000 - [ 58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10 - [ 58.061556] x15: 0000000000000001 x14: 000000000000006e - [ 58.066878] x13: 0000000000000000 x12: 00000000000000ba - [ 58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020 - [ 58.077524] x9 : 8000100008001000 x8 : 0000000000000001 - [ 58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70 - [ 58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b - [ 58.093492] x3 : 0000000000000000 x2 : 0000000000000000 - [ 58.098814] x1 : 0000000000000000 x0 : 0000000000000000 - ... - [ 58.205800] [< (null)>] (null) - [ 58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c - [ 58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128 - [ 58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348 - [ 58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc - [ 58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac - [ 58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac - ... - -The crash happens roughly 125..130ms after the disconnect. This -correlates with the 'delay' timer that is started on certain USB tx/rx -errors in the URB completion handler. - -The problem is a race of usbnet_stop() with usbnet_start_xmit(). In -usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in -flight. This only makes sense if no new URBs are submitted -concurrently, though. But the usbnet_start_xmit() can run at the same -time on another CPU which almost unconditionally submits an URB. The -error callback of the new URB will then schedule the timer after it was -already stopped. - -The fix adds a check if the tx queue is stopped after the tx list lock -has been taken. This should reliably prevent the submission of new URBs -while usbnet_terminate_urbs() does its job. The same thing is done on -the rx side even though it might be safe due to other flags that are -checked there. - -Signed-off-by: Jan Klötzke <Jan.Kloetzke@preh.de> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/usb/usbnet.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -493,6 +493,7 @@ static int rx_submit (struct usbnet *dev - - if (netif_running (dev->net) && - netif_device_present (dev->net) && -+ test_bit(EVENT_DEV_OPEN, &dev->flags) && - !test_bit (EVENT_RX_HALT, &dev->flags) && - !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) { - switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) { -@@ -1368,6 +1369,11 @@ netdev_tx_t usbnet_start_xmit (struct sk - spin_unlock_irqrestore(&dev->txq.lock, flags); - goto drop; - } -+ if (netif_queue_stopped(net)) { -+ usb_autopm_put_interface_async(dev->intf); -+ spin_unlock_irqrestore(&dev->txq.lock, flags); -+ goto drop; -+ } - - #ifdef CONFIG_PM - /* if this triggers the device is still a sleep */ diff --git a/vti4-ipip-tunnel-deregistration-fixes.patch b/vti4-ipip-tunnel-deregistration-fixes.patch deleted file mode 100644 index 9328436..0000000 --- a/vti4-ipip-tunnel-deregistration-fixes.patch +++ /dev/null @@ -1,44 +0,0 @@ -From f668a8ba91f02a52b86a3a628606b186065fba92 Mon Sep 17 00:00:00 2001 -From: Jeremy Sowden <jeremy@azazel.net> -Date: Tue, 19 Mar 2019 15:39:20 +0000 -Subject: vti4: ipip tunnel deregistration fixes. - -[ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ] - -If tunnel registration failed during module initialization, the module -would fail to deregister the IPPROTO_COMP protocol and would attempt to -deregister the tunnel. - -The tunnel was not deregistered during module-exit. - -Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel") -Signed-off-by: Jeremy Sowden <jeremy@azazel.net> -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/ipv4/ip_vti.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/net/ipv4/ip_vti.c -+++ b/net/ipv4/ip_vti.c -@@ -618,9 +618,9 @@ static int __init vti_init(void) - return err; - - rtnl_link_failed: -- xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); --xfrm_tunnel_failed: - xfrm4_tunnel_deregister(&ipip_handler, AF_INET); -+xfrm_tunnel_failed: -+ xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); - xfrm_proto_comp_failed: - xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); - xfrm_proto_ah_failed: -@@ -635,6 +635,7 @@ pernet_dev_failed: - static void __exit vti_fini(void) - { - rtnl_link_unregister(&vti_link_ops); -+ xfrm4_tunnel_deregister(&ipip_handler, AF_INET); - xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); - xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); - xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP); diff --git a/x86-purgatory-build-suppress-kexec-purgatory.c-is-up-to-date-message.patch b/x86-purgatory-build-suppress-kexec-purgatory.c-is-up-to-date-message.patch deleted file mode 100644 index c9e821d..0000000 --- a/x86-purgatory-build-suppress-kexec-purgatory.c-is-up-to-date-message.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 3ea4b8ee2419e21295cabab66c317612c5a55d26 Mon Sep 17 00:00:00 2001 -From: WANG Chao <chaowang@redhat.com> -Date: Tue, 14 Oct 2014 12:46:58 +0800 -Subject: x86/purgatory, build: Suppress kexec-purgatory.c is up to date message - -From: WANG Chao <chaowang@redhat.com> - -commit 3ea4b8ee2419e21295cabab66c317612c5a55d26 upstream. - -Suppress this unnecessary message during kernel re-build -(CONFIG_KEXEC_FILE=y): - -make[1]: `arch/x86/purgatory/kexec-purgatory.c' is up to date. - -Signed-off-by: WANG Chao <chaowang@redhat.com> -Link: http://lkml.kernel.org/r/1413262019-3759-1-git-send-email-chaowang@redhat.com -Signed-off-by: H. Peter Anvin <hpa@zytor.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/x86/purgatory/Makefile | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/x86/purgatory/Makefile -+++ b/arch/x86/purgatory/Makefile -@@ -25,6 +25,7 @@ quiet_cmd_bin2c = BIN2C $@ - - $(obj)/kexec-purgatory.c: $(obj)/purgatory.ro FORCE - $(call if_changed,bin2c) -+ @: - - - obj-$(CONFIG_KEXEC_FILE) += kexec-purgatory.o diff --git a/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch b/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch deleted file mode 100644 index 25fc927..0000000 --- a/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 139e4b56034f179a53e41e3037df24bb7ce92cb0 Mon Sep 17 00:00:00 2001 -From: YueHaibing <yuehaibing@huawei.com> -Date: Thu, 28 Feb 2019 15:18:59 +0800 -Subject: xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink - -[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ] - -UBSAN report this: - -UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 -index 6 is out of range for type 'unsigned int [6]' -CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 - 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4 - 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80 - ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8 -Call Trace: - <IRQ> [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline] - <IRQ> [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51 - [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 - [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382 - [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289 - [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309 - [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243 - [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144 - [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline] - [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401 - [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273 - [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline] - [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391 - [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline] - [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926 - [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735 - <EOI> [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52 - [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline] - [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446 - [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437 - [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92 - [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline] - [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline] - [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299 - [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245 - -The issue is triggered as this: - -xfrm_add_policy - -->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX - //In my case, the index is 0x6E6BB6, so it pass the check. - -->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer - -->xfrm_policy_insert - --> __xfrm_policy_link //use the orgin dir, in my case is 2 - --> xfrm_gen_index //generate policy index, there is 0x6E6BB6 - -then xfrm_policy_timer be fired - -xfrm_policy_timer - --> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6 - --> xfrm_policy_delete - --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access - -Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is -valid, to fix the issue. - -Reported-by: Hulk Robot <hulkci@huawei.com> -Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user") -Signed-off-by: YueHaibing <yuehaibing@huawei.com> -Acked-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/xfrm/xfrm_user.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/xfrm/xfrm_user.c -+++ b/net/xfrm/xfrm_user.c -@@ -1313,7 +1313,7 @@ static int verify_newpolicy_info(struct - ret = verify_policy_dir(p->dir); - if (ret) - return ret; -- if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) -+ if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) - return -EINVAL; - - return 0; diff --git a/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch b/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch deleted file mode 100644 index d99adb9..0000000 --- a/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch +++ /dev/null @@ -1,34 +0,0 @@ -From fe62e481297878a35494219232c66d7b0e58cecb Mon Sep 17 00:00:00 2001 -From: Su Yanjun <suyj.fnst@cn.fujitsu.com> -Date: Thu, 14 Mar 2019 14:59:42 +0800 -Subject: xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module - -[ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ] - -When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly -frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the -xfrm6_tunnel_spi, so need to wait it. - -Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion") -Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com> -Acked-by: Herbert Xu <herbert@gondor.apana.org.au> -Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> -Signed-off-by: Sasha Levin <sashal@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/ipv6/xfrm6_tunnel.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/net/ipv6/xfrm6_tunnel.c -+++ b/net/ipv6/xfrm6_tunnel.c -@@ -391,6 +391,10 @@ static void __exit xfrm6_tunnel_fini(voi - xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); - xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); - unregister_pernet_subsys(&xfrm6_tunnel_net_ops); -+ /* Someone maybe has gotten the xfrm6_tunnel_spi. -+ * So need to wait it. -+ */ -+ rcu_barrier(); - kmem_cache_destroy(xfrm6_tunnel_spi_kmem); - } - |