author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-07-10 17:58:24 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-07-10 17:58:24 +0200 |
commit | ca8cd0e68ba73f297665bd50ff3967001f617250 (patch) | |
tree | cdc6aac8d86252f9f499100d3dd3d7296c0e0ce0 | |
parent | 374eebc4ba601caefbb95fb5b91396f6894298a8 (diff) | |
download | queue-3.18-ca8cd0e68ba73f297665bd50ff3967001f617250.tar.gz |
patches are merged
18 files changed, 0 insertions, 1016 deletions
diff --git a/abort-file_remove_privs-for-non-reg.-files.patch b/abort-file_remove_privs-for-non-reg.-files.patch
deleted file mode 100644
index 19003b5..0000000
--- a/abort-file_remove_privs-for-non-reg.-files.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f69e749a49353d96af1a293f56b5b56de59c668a Mon Sep 17 00:00:00 2001
-From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
-Date: Fri, 14 Dec 2018 11:55:52 +0100
-Subject: Abort file_remove_privs() for non-reg. files
-
-From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
-
-commit f69e749a49353d96af1a293f56b5b56de59c668a upstream.
-
-file_remove_privs() might be called for non-regular files, e.g.
-blkdev inode. There is no reason to do its job on things
-like blkdev inodes, pipes, or cdevs. Hence, abort if
-file does not refer to a regular inode.
-
-AV: more to the point, for devices there might be any number of
-inodes refering to given device. Which one to strip the permissions
-from, even if that made any sense in the first place? All of them
-will be observed with contents modified, after all.
-
-Found by LockDoc (Alexander Lochmann, Horst Schirmeier and Olaf
-Spinczyk)
-
-Reviewed-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
-Signed-off-by: Horst Schirmeier <horst.schirmeier@tu-dortmund.de>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Cc: Zubin Mithra <zsm@chromium.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/inode.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/fs/inode.c
-+++ b/fs/inode.c
-@@ -1643,8 +1643,13 @@ int file_remove_suid(struct file *file)
- int killpriv;
- int error = 0;
-
-- /* Fast path for nothing security related */
-- if (IS_NOSEC(inode))
-+ /*
-+ * Fast path for nothing security related.
-+ * As well for non-regular files, e.g. blkdev inodes.
-+ * For example, blkdev_write_iter() might get here
-+ * trying to remove privs which it is not allowed to.
-+ */
-+ if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
- return 0;
-
- killsuid = should_remove_suid(dentry);
diff --git a/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
deleted file mode 100644
index 2f047c6..0000000
--- a/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Tue, 28 May 2019 17:32:26 +0200
-Subject: apparmor: enforce nullbyte at end of tag string
-
-From: Jann Horn <jannh@google.com>
-
-commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
-
-A packed AppArmor policy contains null-terminated tag strings that are read
-by unpack_nameX(). However, unpack_nameX() uses string functions on them
-without ensuring that they are actually null-terminated, potentially
-leading to out-of-bounds accesses.
-
-Make sure that the tag string is null-terminated before passing it to
-strcmp().
-
-Cc: stable@vger.kernel.org
-Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: John Johansen <john.johansen@canonical.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- security/apparmor/policy_unpack.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/security/apparmor/policy_unpack.c
-+++ b/security/apparmor/policy_unpack.c
-@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
- char *tag = NULL;
- size_t size = unpack_u16_chunk(e, &tag);
- /* if a name is specified it must match. otherwise skip tag */
-- if (name && (!size || strcmp(name, tag)))
-+ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
- goto fail;
- } else if (name) {
- /* if a name is specified and there is no name tag fail */
diff --git a/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch b/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
deleted file mode 100644
index 2d54197..0000000
--- a/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From d5bb334a8e171b262e48f378bd2096c0ea458265 Mon Sep 17 00:00:00 2001
-From: Marcel Holtmann <marcel@holtmann.org>
-Date: Wed, 24 Apr 2019 22:19:17 +0200
-Subject: Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
-
-From: Marcel Holtmann <marcel@holtmann.org>
-
-commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
-
-The minimum encryption key size for LE connections is 56 bits and to
-align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
-BR/EDR connections as well.
-
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- include/net/bluetooth/hci_core.h | 3 +++
- net/bluetooth/hci_conn.c | 8 ++++++++
- 2 files changed, 11 insertions(+)
-
---- a/include/net/bluetooth/hci_core.h
-+++ b/include/net/bluetooth/hci_core.h
-@@ -145,6 +145,9 @@ struct oob_data {
-
- #define HCI_MAX_SHORT_NAME_LENGTH 10
-
-+/* Min encryption key size to match with SMP */
-+#define HCI_MIN_ENC_KEY_SIZE 7
-+
- /* Default LE RPA expiry time, 15 minutes */
- #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60)
-
---- a/net/bluetooth/hci_conn.c
-+++ b/net/bluetooth/hci_conn.c
-@@ -932,6 +932,14 @@ int hci_conn_check_link_mode(struct hci_
- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
- return 0;
-
-+ /* The minimum encryption key size needs to be enforced by the
-+ * host stack before establishing any L2CAP connections. The
-+ * specification in theory allows a minimum of 1, but to align
-+ * BR/EDR and LE transports, a minimum of 7 is chosen.
-+ */
-+ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
-+ return 0;
-+
- return 1;
- }
-
diff --git a/bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch b/bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch
deleted file mode 100644
index 0f7bb19..0000000
--- a/bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 693cd8ce3f882524a5d06f7800dd8492411877b3 Mon Sep 17 00:00:00 2001
-From: Marcel Holtmann <marcel@holtmann.org>
-Date: Sat, 22 Jun 2019 15:47:01 +0200
-Subject: Bluetooth: Fix regression with minimum encryption key size alignment
-
-From: Marcel Holtmann <marcel@holtmann.org>
-
-commit 693cd8ce3f882524a5d06f7800dd8492411877b3 upstream.
-
-When trying to align the minimum encryption key size requirement for
-Bluetooth connections, it turns out doing this in a central location in
-the HCI connection handling code is not possible.
-
-Original Bluetooth version up to 2.0 used a security model where the
-L2CAP service would enforce authentication and encryption. Starting
-with Bluetooth 2.1 and Secure Simple Pairing that model has changed into
-that the connection initiator is responsible for providing an encrypted
-ACL link before any L2CAP communication can happen.
-
-Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and
-before devices are causing a regression. The encryption key size check
-needs to be moved out of the HCI connection handling into the L2CAP
-channel setup.
-
-To achieve this, the current check inside hci_conn_security() has been
-moved into l2cap_check_enc_key_size() helper function and then called
-from four decisions point inside L2CAP to cover all combinations of
-Secure Simple Pairing enabled devices and device using legacy pairing
-and legacy service security model.
-
-Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/bluetooth/hci_conn.c | 18 +++++++++---------
- net/bluetooth/l2cap_core.c | 33 ++++++++++++++++++++++++++++-----
- 2 files changed, 37 insertions(+), 14 deletions(-)
-
---- a/net/bluetooth/hci_conn.c
-+++ b/net/bluetooth/hci_conn.c
-@@ -932,14 +932,6 @@ int hci_conn_check_link_mode(struct hci_
- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
- return 0;
-
-- /* The minimum encryption key size needs to be enforced by the
-- * host stack before establishing any L2CAP connections. The
-- * specification in theory allows a minimum of 1, but to align
-- * BR/EDR and LE transports, a minimum of 7 is chosen.
-- */
-- if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
-- return 0;
--
- return 1;
- }
-
-@@ -1056,8 +1048,16 @@ auth:
- return 0;
-
- encrypt:
-- if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
-+ if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
-+ /* Ensure that the encryption key size has been read,
-+ * otherwise stall the upper layer responses.
-+ */
-+ if (!conn->enc_key_size)
-+ return 0;
-+
-+ /* Nothing else needed, all requirements are met */
- return 1;
-+ }
-
- hci_conn_encrypt(conn);
- return 0;
---- a/net/bluetooth/l2cap_core.c
-+++ b/net/bluetooth/l2cap_core.c
-@@ -1301,6 +1301,21 @@ static void l2cap_request_info(struct l2
- sizeof(req), &req);
- }
-
-+static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
-+{
-+ /* The minimum encryption key size needs to be enforced by the
-+ * host stack before establishing any L2CAP connections. The
-+ * specification in theory allows a minimum of 1, but to align
-+ * BR/EDR and LE transports, a minimum of 7 is chosen.
-+ *
-+ * This check might also be called for unencrypted connections
-+ * that have no key size requirements. Ensure that the link is
-+ * actually encrypted before enforcing a key size.
-+ */
-+ return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
-+ hcon->enc_key_size > HCI_MIN_ENC_KEY_SIZE);
-+}
-+
- static void l2cap_do_start(struct l2cap_chan *chan)
- {
- struct l2cap_conn *conn = chan->conn;
-@@ -1318,9 +1333,14 @@ static void l2cap_do_start(struct l2cap_
- if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
- return;
-
-- if (l2cap_chan_check_security(chan, true) &&
-- __l2cap_no_conn_pending(chan))
-+ if (!l2cap_chan_check_security(chan, true) ||
-+ !__l2cap_no_conn_pending(chan))
-+ return;
-+
-+ if (l2cap_check_enc_key_size(conn->hcon))
- l2cap_start_connection(chan);
-+ else
-+ __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
- }
-
- static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
-@@ -1399,7 +1419,10 @@ static void l2cap_conn_start(struct l2ca
- continue;
- }
-
-- l2cap_start_connection(chan);
-+ if (l2cap_check_enc_key_size(conn->hcon))
-+ l2cap_start_connection(chan);
-+ else
-+ l2cap_chan_close(chan, ECONNREFUSED);
-
- } else if (chan->state == BT_CONNECT2) {
- struct l2cap_conn_rsp rsp;
-@@ -7355,7 +7378,7 @@ int l2cap_security_cfm(struct hci_conn *
- }
-
- if (chan->state == BT_CONNECT) {
-- if (!status)
-+ if (!status && l2cap_check_enc_key_size(hcon))
- l2cap_start_connection(chan);
- else
- __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
-@@ -7363,7 +7386,7 @@ int l2cap_security_cfm(struct hci_conn *
- struct l2cap_conn_rsp rsp;
- __u16 res, stat;
-
-- if (!status) {
-+ if (!status && l2cap_check_enc_key_size(hcon)) {
- if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
- res = L2CAP_CR_PEND;
- stat = L2CAP_CS_AUTHOR_PEND;
diff --git a/bonding-always-enable-vlan-tx-offload.patch b/bonding-always-enable-vlan-tx-offload.patch
deleted file mode 100644
index 36d05e3..0000000
--- a/bonding-always-enable-vlan-tx-offload.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From foo@baz Tue 02 Jul 2019 06:20:09 AM CEST
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Wed, 26 Jun 2019 16:08:44 +0800
-Subject: bonding: Always enable vlan tx offload
-
-From: YueHaibing <yuehaibing@huawei.com>
-
-[ Upstream commit 30d8177e8ac776d89d387fad547af6a0f599210e ]
-
-We build vlan on top of bonding interface, which vlan offload
-is off, bond mode is 802.3ad (LACP) and xmit_hash_policy is
-BOND_XMIT_POLICY_ENCAP34.
-
-Because vlan tx offload is off, vlan tci is cleared and skb push
-the vlan header in validate_xmit_vlan() while sending from vlan
-devices. Then in bond_xmit_hash, __skb_flow_dissect() fails to
-get information from protocol headers encapsulated within vlan,
-because 'nhoff' is points to IP header, so bond hashing is based
-on layer 2 info, which fails to distribute packets across slaves.
-
-This patch always enable bonding's vlan tx offload, pass the vlan
-packets to the slave devices with vlan tci, let them to handle
-vlan implementation.
-
-Fixes: 278339a42a1b ("bonding: propogate vlan_features to bonding master")
-Suggested-by: Jiri Pirko <jiri@resnulli.us>
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Acked-by: Jiri Pirko <jiri@mellanox.com>
-Signed-off-by: David S.
Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/bonding/bond_main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/bonding/bond_main.c
-+++ b/drivers/net/bonding/bond_main.c
-@@ -4039,13 +4039,13 @@ void bond_setup(struct net_device *bond_
- bond_dev->features |= NETIF_F_NETNS_LOCAL;
-
- bond_dev->hw_features = BOND_VLAN_FEATURES |
-- NETIF_F_HW_VLAN_CTAG_TX |
- NETIF_F_HW_VLAN_CTAG_RX |
- NETIF_F_HW_VLAN_CTAG_FILTER;
-
- bond_dev->hw_features &= ~(NETIF_F_ALL_CSUM & ~NETIF_F_HW_CSUM);
- bond_dev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
- bond_dev->features |= bond_dev->hw_features;
-+ bond_dev->features |= NETIF_F_HW_VLAN_CTAG_TX;
- }
-
- /* Destroy a bonding device.
diff --git a/btrfs-fix-race-between-readahead-and-device-replace-removal.patch b/btrfs-fix-race-between-readahead-and-device-replace-removal.patch
deleted file mode 100644
index 68eeea0..0000000
--- a/btrfs-fix-race-between-readahead-and-device-replace-removal.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From ce7791ffee1e1ee9f97193b817c7dd1fa6746aad Mon Sep 17 00:00:00 2001
-From: Filipe Manana <fdmanana@suse.com>
-Date: Fri, 20 May 2016 01:57:20 +0100
-Subject: Btrfs: fix race between readahead and device replace/removal
-
-From: Filipe Manana <fdmanana@suse.com>
-
-commit ce7791ffee1e1ee9f97193b817c7dd1fa6746aad upstream.
-
-The list of devices is protected by the device_list_mutex and the device
-replace code, in its finishing phase correctly takes that mutex before
-removing the source device from that list. However the readahead code was
-iterating that list without acquiring the respective mutex leading to
-crashes later on due to invalid memory accesses:
-
-[125671.831036] general protection fault: 0000 [#1] PREEMPT SMP
-[125671.832129] Modules linked in: btrfs dm_flakey dm_mod crc32c_generic xor raid6_pq acpi_cpufreq tpm_tis tpm ppdev evdev parport_pc psmouse sg parport
-processor ser
-[125671.834973] CPU: 10 PID: 19603 Comm: kworker/u32:19 Tainted: G W 4.6.0-rc7-btrfs-next-29+ #1
-[125671.834973] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
-[125671.834973] Workqueue: btrfs-readahead btrfs_readahead_helper [btrfs]
-[125671.834973] task: ffff8801ac520540 ti: ffff8801ac918000 task.ti: ffff8801ac918000
-[125671.834973] RIP: 0010:[<ffffffff81270479>] [<ffffffff81270479>] __radix_tree_lookup+0x6a/0x105
-[125671.834973] RSP: 0018:ffff8801ac91bc28 EFLAGS: 00010206
-[125671.834973] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6a RCX: 0000000000000000
-[125671.834973] RDX: 0000000000000000 RSI: 00000000000c1bff RDI: ffff88002ebd62a8
-[125671.834973] RBP: ffff8801ac91bc70 R08: 0000000000000001 R09: 0000000000000000
-[125671.834973] R10: ffff8801ac91bc70 R11: 0000000000000000 R12: ffff88002ebd62a8
-[125671.834973] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000000c1bff
-[125671.834973] FS: 0000000000000000(0000) GS:ffff88023fd40000(0000) knlGS:0000000000000000
-[125671.834973] CS: 0010 DS: 0000 ES:
0000 CR0: 0000000080050033
-[125671.834973] CR2: 000000000073cae4 CR3: 00000000b7723000 CR4: 00000000000006e0
-[125671.834973] Stack:
-[125671.834973] 0000000000000000 ffff8801422d5600 ffff8802286bbc00 0000000000000000
-[125671.834973] 0000000000000001 ffff8802286bbc00 00000000000c1bff 0000000000000000
-[125671.834973] ffff88002e639eb8 ffff8801ac91bc80 ffffffff81270541 ffff8801ac91bcb0
-[125671.834973] Call Trace:
-[125671.834973] [<ffffffff81270541>] radix_tree_lookup+0xd/0xf
-[125671.834973] [<ffffffffa04ae6a6>] reada_peer_zones_set_lock+0x3e/0x60 [btrfs]
-[125671.834973] [<ffffffffa04ae8b9>] reada_pick_zone+0x29/0x103 [btrfs]
-[125671.834973] [<ffffffffa04af42f>] reada_start_machine_worker+0x129/0x2d3 [btrfs]
-[125671.834973] [<ffffffffa04880be>] btrfs_scrubparity_helper+0x185/0x3aa [btrfs]
-[125671.834973] [<ffffffffa0488341>] btrfs_readahead_helper+0xe/0x10 [btrfs]
-[125671.834973] [<ffffffff81069691>] process_one_work+0x271/0x4e9
-[125671.834973] [<ffffffff81069dda>] worker_thread+0x1eb/0x2c9
-[125671.834973] [<ffffffff81069bef>] ? rescuer_thread+0x2b3/0x2b3
-[125671.834973] [<ffffffff8106f403>] kthread+0xd4/0xdc
-[125671.834973] [<ffffffff8149e242>] ret_from_fork+0x22/0x40
-[125671.834973] [<ffffffff8106f32f>] ? kthread_stop+0x286/0x286
-
-So fix this by taking the device_list_mutex in the readahead code. We
-can't use here the lighter approach of using a rcu_read_lock() and
-rcu_read_unlock() pair together with a list_for_each_entry_rcu() call
-because we end up doing calls to sleeping functions (kzalloc()) in the
-respective code path.
-
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Reviewed-by: Josef Bacik <jbacik@fb.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/btrfs/reada.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/btrfs/reada.c
-+++ b/fs/btrfs/reada.c
-@@ -766,12 +766,14 @@ static void __reada_start_machine(struct
-
- do {
- enqueued = 0;
-+ mutex_lock(&fs_devices->device_list_mutex);
- list_for_each_entry(device, &fs_devices->devices, dev_list) {
- if (atomic_read(&device->reada_in_flight) <
- MAX_IN_FLIGHT)
- enqueued += reada_start_machine_dev(fs_info,
- device);
- }
-+ mutex_unlock(&fs_devices->device_list_mutex);
- total += enqueued;
- } while (enqueued && total < 10000);
-
diff --git a/btrfs-start-readahead-also-in-seed-devices.patch b/btrfs-start-readahead-also-in-seed-devices.patch
deleted file mode 100644
index 402e253..0000000
--- a/btrfs-start-readahead-also-in-seed-devices.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From c4e0540d0ad49c8ceab06cceed1de27c4fe29f6e Mon Sep 17 00:00:00 2001
-From: Naohiro Aota <naohiro.aota@wdc.com>
-Date: Thu, 6 Jun 2019 16:54:44 +0900
-Subject: btrfs: start readahead also in seed devices
-
-From: Naohiro Aota <naohiro.aota@wdc.com>
-
-commit c4e0540d0ad49c8ceab06cceed1de27c4fe29f6e upstream.
-
-Currently, btrfs does not consult seed devices to start readahead. As a
-result, if readahead zone is added to the seed devices, btrfs_reada_wait()
-indefinitely wait for the reada_ctl to finish.
-
-You can reproduce the hung by modifying btrfs/163 to have larger initial
-file size (e.g. xfs_io pwrite 4M instead of current 256K).
-
-Fixes: 7414a03fbf9e ("btrfs: initial readahead code and prototypes")
-Cc: stable@vger.kernel.org # 3.2+: ce7791ffee1e: Btrfs: fix race between readahead and device replace/removal
-Cc: stable@vger.kernel.org # 3.2+
-Reviewed-by: Filipe Manana <fdmanana@suse.com>
-Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/btrfs/reada.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/fs/btrfs/reada.c
-+++ b/fs/btrfs/reada.c
-@@ -764,6 +764,7 @@ static void __reada_start_machine(struct
- u64 total = 0;
- int i;
-
-+again:
- do {
- enqueued = 0;
- mutex_lock(&fs_devices->device_list_mutex);
-@@ -776,6 +777,10 @@ static void __reada_start_machine(struct
- mutex_unlock(&fs_devices->device_list_mutex);
- total += enqueued;
- } while (enqueued && total < 10000);
-+ if (fs_devices->seed) {
-+ fs_devices = fs_devices->seed;
-+ goto again;
-+ }
-
- if (enqueued == 0)
- return;
diff --git a/can-purge-socket-error-queue-on-sock-destruct.patch b/can-purge-socket-error-queue-on-sock-destruct.patch
deleted file mode 100644
index 21e97d3..0000000
--- a/can-purge-socket-error-queue-on-sock-destruct.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From fd704bd5ee749d560e86c4f1fd2ef486d8abf7cf Mon Sep 17 00:00:00 2001
-From: Willem de Bruijn <willemb@google.com>
-Date: Fri, 7 Jun 2019 16:46:07 -0400
-Subject: can: purge socket error queue on sock destruct
-
-From: Willem de Bruijn <willemb@google.com>
-
-commit fd704bd5ee749d560e86c4f1fd2ef486d8abf7cf upstream.
-
-CAN supports software tx timestamps as of the below commit. Purge
-any queued timestamp packets on socket destroy.
-
-Fixes: 51f31cabe3ce ("ip: support for TX timestamps on UDP and RAW sockets")
-Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com
-Signed-off-by: Willem de Bruijn <willemb@google.com>
-Cc: linux-stable <stable@vger.kernel.org>
-Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/can/af_can.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/net/can/af_can.c
-+++ b/net/can/af_can.c
-@@ -114,6 +114,7 @@ EXPORT_SYMBOL(can_ioctl);
- static void can_sock_destruct(struct sock *sk)
- {
- skb_queue_purge(&sk->sk_receive_queue);
-+ skb_queue_purge(&sk->sk_error_queue);
- }
-
- static const struct can_proto *can_get_proto(int protocol)
diff --git a/cfg80211-fix-memory-leak-of-wiphy-device-name.patch b/cfg80211-fix-memory-leak-of-wiphy-device-name.patch
deleted file mode 100644
index b125b5c..0000000
--- a/cfg80211-fix-memory-leak-of-wiphy-device-name.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4f488fbca2a86cc7714a128952eead92cac279ab Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Mon, 10 Jun 2019 13:02:19 -0700
-Subject: cfg80211: fix memory leak of wiphy device name
-
-From: Eric Biggers <ebiggers@google.com>
-
-commit 4f488fbca2a86cc7714a128952eead92cac279ab upstream.
-
-In wiphy_new_nm(), if an error occurs after dev_set_name() and
-device_initialize() have already been called, it's necessary to call
-put_device() (via wiphy_free()) to avoid a memory leak.
-
-Reported-by: syzbot+7fddca22578bc67c3fe4@syzkaller.appspotmail.com
-Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support")
-Cc: stable@vger.kernel.org
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/wireless/core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/wireless/core.c
-+++ b/net/wireless/core.c
-@@ -437,7 +437,7 @@ use_default_name:
- &rdev->rfkill_ops, rdev);
-
- if (!rdev->rfkill) {
-- kfree(rdev);
-+ wiphy_free(&rdev->wiphy);
- return NULL;
- }
-
diff --git a/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch b/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
deleted file mode 100644
index d3240f0..0000000
--- a/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 867bfa4a5fcee66f2b25639acae718e8b28b25a5 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Fri, 28 Jun 2019 12:06:46 -0700
-Subject: fs/binfmt_flat.c: make load_flat_shared_library() work
-
-From: Jann Horn <jannh@google.com>
-
-commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream.
-
-load_flat_shared_library() is broken: It only calls load_flat_file() if
-prepare_binprm() returns zero, but prepare_binprm() returns the number of
-bytes read - so this only happens if the file is empty.
-
-Instead, call into load_flat_file() if the number of bytes read is
-non-negative. (Even if the number of bytes is zero - in that case,
-load_flat_file() will see nullbytes and return a nice -ENOEXEC.)
-
-In addition, remove the code related to bprm creds and stop using
-prepare_binprm() - this code is loading a library, not a main executable,
-and it only actually uses the members "buf", "file" and "filename" of the
-linux_binprm struct. Instead, call kernel_read() directly.
-
-Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com
-Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
-Signed-off-by: Jann Horn <jannh@google.com>
-Cc: Alexander Viro <viro@zeniv.linux.org.uk>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Geert Uytterhoeven <geert@linux-m68k.org>
-Cc: Russell King <linux@armlinux.org.uk>
-Cc: Greg Ungerer <gerg@linux-m68k.org>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/binfmt_flat.c | 24 +++++++-----------------
- 1 file changed, 7 insertions(+), 17 deletions(-)
-
---- a/fs/binfmt_flat.c
-+++ b/fs/binfmt_flat.c
-@@ -808,9 +808,14 @@ err:
-
- static int load_flat_shared_library(int id, struct lib_info *libs)
- {
-+ /*
-+ * This is a fake bprm struct; only the members "buf", "file" and
-+ * "filename" are actually used.
-+ */
- struct linux_binprm bprm;
- int res;
- char buf[16];
-+ loff_t pos = 0;
-
- memset(&bprm, 0, sizeof(bprm));
-
-@@ -824,25 +829,10 @@ static int load_flat_shared_library(int
- if (IS_ERR(bprm.file))
- return res;
-
-- bprm.cred = prepare_exec_creds();
-- res = -ENOMEM;
-- if (!bprm.cred)
-- goto out;
--
-- /* We don't really care about recalculating credentials at this point
-- * as we're past the point of no return and are dealing with shared
-- * libraries.
-- */
-- bprm.cred_prepared = 1;
--
-- res = prepare_binprm(&bprm);
--
-- if (!IS_ERR_VALUE(res))
-+ res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);
-+ if (res >= 0)
- res = load_flat_file(&bprm, libs, id, NULL);
-
-- abort_creds(bprm.cred);
--
--out:
- allow_write_access(bprm.file);
- fput(bprm.file);
-
diff --git a/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch b/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
deleted file mode 100644
index e66d48f..0000000
--- a/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Date: Thu, 23 May 2019 12:55:26 -0700
-Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
-
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-
-commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
-
-In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
-UI_END_FF_UPLOAD need to be adjusted before being passed on
-uinput_ioctl_handler() since code built with -m32 will be passing
-slightly different values. Extend the code already covering
-UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
-
-Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
---- a/drivers/input/misc/uinput.c
-+++ b/drivers/input/misc/uinput.c
-@@ -896,13 +896,31 @@ static long uinput_ioctl(struct file *fi
-
- #ifdef CONFIG_COMPAT
-
--#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
-+/*
-+ * These IOCTLs change their size and thus their numbers between
-+ * 32 and 64 bits.
-+ */
-+#define UI_SET_PHYS_COMPAT \
-+ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
-+#define UI_BEGIN_FF_UPLOAD_COMPAT \
-+ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
-+#define UI_END_FF_UPLOAD_COMPAT \
-+ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
-
- static long uinput_compat_ioctl(struct file *file,
- unsigned int cmd, unsigned long arg)
- {
-- if (cmd == UI_SET_PHYS_COMPAT)
-+ switch (cmd) {
-+ case UI_SET_PHYS_COMPAT:
- cmd = UI_SET_PHYS;
-+ break;
-+ case UI_BEGIN_FF_UPLOAD_COMPAT:
-+ cmd = UI_BEGIN_FF_UPLOAD;
-+ break;
-+ case UI_END_FF_UPLOAD_COMPAT:
-+ cmd = UI_END_FF_UPLOAD;
-+ break;
-+ }
-
- return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
- }
diff --git a/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch b/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
deleted file mode 100644
index d3107a7..0000000
--- a/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From foo@baz Tue 02 Jul 2019 06:26:14 AM CEST
-From: Stephen Suryaputra <ssuryaextr@gmail.com>
-Date: Mon, 24 Jun 2019 20:14:06 -0400
-Subject: ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
-
-From: Stephen Suryaputra <ssuryaextr@gmail.com>
-
-[ Upstream commit 38c73529de13e1e10914de7030b659a2f8b01c3b ]
-
-In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
-traffic"), the dif argument to __raw_v4_lookup() is coming from the
-returned value of inet_iif() but the change was done only for the first
-lookup. Subsequent lookups in the while loop still use skb->dev->ifIndex.
-
-Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
-Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
-Reviewed-by: David Ahern <dsahern@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/raw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -186,7 +186,7 @@ static int raw_v4_input(struct sk_buff *
- }
- sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
- iph->saddr, iph->daddr,
-- skb->dev->ifindex);
-+ dif);
- }
- out:
- read_unlock(&raw_v4_hashinfo.lock);
diff --git a/perf-help-remove-needless-use-of-strncpy.patch b/perf-help-remove-needless-use-of-strncpy.patch
deleted file mode 100644
index 7bb7345..0000000
--- a/perf-help-remove-needless-use-of-strncpy.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From b6313899f4ed2e76b8375cf8069556f5b94fbff0 Mon Sep 17 00:00:00 2001
-From: Arnaldo Carvalho de Melo <acme@redhat.com>
-Date: Thu, 6 Dec 2018 11:20:21 -0300
-Subject: perf help: Remove needless use of strncpy()
-
-From: Arnaldo Carvalho de Melo <acme@redhat.com>
-
-commit b6313899f4ed2e76b8375cf8069556f5b94fbff0 upstream.
-
-Since we make sure the destination buffer has at least strlen(orig) + 1,
-no need to do a strncpy(dest, orig, strlen(orig)), just use strcpy(dest,
-orig).
-
-This silences this gcc 8.2 warning on Alpine Linux:
-
- In function 'add_man_viewer',
- inlined from 'perf_help_config' at builtin-help.c:284:3:
- builtin-help.c:192:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
- strncpy((*p)->name, name, len);
- ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- builtin-help.c: In function 'perf_help_config':
- builtin-help.c:187:15: note: length computed here
- size_t len = strlen(name);
- ^~~~~~~~~~~~
-
-Cc: Adrian Hunter <adrian.hunter@intel.com>
-Cc: Jiri Olsa <jolsa@kernel.org>
-Cc: Namhyung Kim <namhyung@kernel.org>
-Fixes: 078006012401 ("perf_counter tools: add in basic glue from Git")
-Link: https://lkml.kernel.org/n/tip-2f69l7drca427ob4km8i7kvo@git.kernel.org
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- tools/perf/builtin-help.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/tools/perf/builtin-help.c
-+++ b/tools/perf/builtin-help.c
-@@ -179,7 +179,7 @@ static void add_man_viewer(const char *n
- while (*p)
- p = &((*p)->next);
- *p = zalloc(sizeof(**p) + len + 1);
-- strncpy((*p)->name, name, len);
-+ strcpy((*p)->name, name);
- }
-
- static int supported_man_viewer(const char *name, size_t len)
diff --git a/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch b/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch
deleted file mode 100644
index 7bd5fe6..0000000
--- a/sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From foo@baz Tue 02 Jul 2019 06:37:32 AM CEST
-From: Xin Long <lucien.xin@gmail.com>
-Date: Tue, 25 Jun 2019 00:21:45 +0800
-Subject: sctp: change to hold sk after auth shkey is created successfully
-
-From: Xin Long <lucien.xin@gmail.com>
-
-[ Upstream commit 25bff6d5478b2a02368097015b7d8eb727c87e16 ]
-
-Now in sctp_endpoint_init(), it holds the sk then creates auth
-shkey. But when the creation fails, it doesn't release the sk,
-which causes a sk defcnf leak,
-
-Here to fix it by only holding the sk when auth shkey is created
-successfully.
-
-Fixes: a29a5bd4f5c3 ("[SCTP]: Implement SCTP-AUTH initializations.")
-Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com
-Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Acked-by: Neil Horman <nhorman@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sctp/endpointola.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/net/sctp/endpointola.c
-+++ b/net/sctp/endpointola.c
-@@ -126,10 +126,6 @@ static struct sctp_endpoint *sctp_endpoi
- /* Initialize the bind addr area */
- sctp_bind_addr_init(&ep->base.bind_addr, 0);
-
-- /* Remember who we are attached to. */
-- ep->base.sk = sk;
-- sock_hold(ep->base.sk);
--
- /* Create the lists of associations. */
- INIT_LIST_HEAD(&ep->asocs);
-
-@@ -165,6 +161,10 @@ static struct sctp_endpoint *sctp_endpoi
- ep->auth_hmacs_list = auth_hmacs;
- ep->auth_chunk_list = auth_chunks;
-
-+ /* Remember who we are attached to. */
-+ ep->base.sk = sk;
-+ sock_hold(ep->base.sk);
-+
- return ep;
-
- nomem_hmacs:
@@ -1,21 +0,0 @@
-fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
-tracing-silence-gcc-9-array-bounds-warning.patch
-input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
-apparmor-enforce-nullbyte-at-end-of-tag-string.patch
-btrfs-fix-race-between-readahead-and-device-replace-removal.patch
-btrfs-start-readahead-also-in-seed-devices.patch
-can-purge-socket-error-queue-on-sock-destruct.patch
-bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
-bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch
-smb3-retry-on-status_insufficient_resources-instead-of-failing-write.patch
-cfg80211-fix-memory-leak-of-wiphy-device-name.patch
-perf-help-remove-needless-use-of-strncpy.patch
-abort-file_remove_privs-for-non-reg.-files.patch
-sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch
-team-always-enable-vlan-tx-offload.patch
-ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
-bonding-always-enable-vlan-tx-offload.patch
-bluetooth-fix-faulty-expression-for-minimum-encryption-key-size-check.patch
-crypto-user-prevent-operating-on-larval-algorithms.patch
-alsa-seq-fix-incorrect-order-of-dest_client-dest_ports-arguments.patch
-lib-mpi-fix-karactx-leak-in-mpi_powm.patch
diff --git a/smb3-retry-on-status_insufficient_resources-instead-of-failing-write.patch b/smb3-retry-on-status_insufficient_resources-instead-of-failing-write.patch
deleted file mode 100644
index f1d9b94..0000000
--- a/smb3-retry-on-status_insufficient_resources-instead-of-failing-write.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 8d526d62db907e786fd88948c75d1833d82bd80e Mon Sep 17 00:00:00 2001
-From: Steve French <stfrench@microsoft.com>
-Date: Mon, 17 Jun 2019 14:49:07 -0500
-Subject: SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
-
-From: Steve French <stfrench@microsoft.com>
-
-commit 8d526d62db907e786fd88948c75d1833d82bd80e upstream.
-
-Some servers such as Windows 10 will return STATUS_INSUFFICIENT_RESOURCES
-as the number of simultaneous SMB3 requests grows (even though the client
-has sufficient credits). Return EAGAIN on STATUS_INSUFFICIENT_RESOURCES
-so that we can retry writes which fail with this status code.
-
-This (for example) fixes large file copies to Windows 10 on fast networks.
-
-Signed-off-by: Steve French <stfrench@microsoft.com>
-CC: Stable <stable@vger.kernel.org>
-Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
-Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/cifs/smb2maperror.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/cifs/smb2maperror.c
-+++ b/fs/cifs/smb2maperror.c
-@@ -455,7 +455,7 @@ static const struct status_to_posix_erro
- {STATUS_FILE_INVALID, -EIO, "STATUS_FILE_INVALID"},
- {STATUS_ALLOTTED_SPACE_EXCEEDED, -EIO,
- "STATUS_ALLOTTED_SPACE_EXCEEDED"},
-- {STATUS_INSUFFICIENT_RESOURCES, -EREMOTEIO,
-+ {STATUS_INSUFFICIENT_RESOURCES, -EAGAIN,
- "STATUS_INSUFFICIENT_RESOURCES"},
- {STATUS_DFS_EXIT_PATH_FOUND, -EIO, "STATUS_DFS_EXIT_PATH_FOUND"},
- {STATUS_DEVICE_DATA_ERROR, -EIO, "STATUS_DEVICE_DATA_ERROR"},
diff --git a/team-always-enable-vlan-tx-offload.patch b/team-always-enable-vlan-tx-offload.patch
deleted file mode 100644
index c7e765d..0000000
--- a/team-always-enable-vlan-tx-offload.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From foo@baz Tue 02 Jul 2019 06:20:09 AM CEST
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Thu, 27 Jun 2019 00:03:39 +0800
-Subject: team: Always enable vlan tx offload
-
-From: YueHaibing <yuehaibing@huawei.com>
-
-[ Upstream commit ee4297420d56a0033a8593e80b33fcc93fda8509 ]
-
-We should rather have vlan_tci filled all the way down
-to the transmitting netdevice and let it do the hw/sw
-vlan implementation.
-
-Suggested-by: Jiri Pirko <jiri@resnulli.us>
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/team/team.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/team/team.c
-+++ b/drivers/net/team/team.c
-@@ -2079,12 +2079,12 @@ static void team_setup(struct net_device
- dev->features |= NETIF_F_NETNS_LOCAL;
-
- dev->hw_features = TEAM_VLAN_FEATURES |
-- NETIF_F_HW_VLAN_CTAG_TX |
- NETIF_F_HW_VLAN_CTAG_RX |
- NETIF_F_HW_VLAN_CTAG_FILTER;
-
- dev->hw_features &= ~(NETIF_F_ALL_CSUM & ~NETIF_F_HW_CSUM);
- dev->features |= dev->hw_features;
-+ dev->features |= NETIF_F_HW_VLAN_CTAG_TX;
- }
-
- static int team_newlink(struct net *src_net, struct net_device *dev,
diff --git a/tracing-silence-gcc-9-array-bounds-warning.patch b/tracing-silence-gcc-9-array-bounds-warning.patch
deleted file mode 100644
index 0a590a8..0000000
--- a/tracing-silence-gcc-9-array-bounds-warning.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 0c97bf863efce63d6ab7971dad811601e6171d2f Mon Sep 17 00:00:00 2001
-From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
-Date: Thu, 23 May 2019 14:45:35 +0200
-Subject: tracing: Silence GCC 9 array bounds warning
-
-From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
-
-commit 0c97bf863efce63d6ab7971dad811601e6171d2f upstream.
-
-Starting with GCC 9, -Warray-bounds detects cases when memset is called
-starting on a member of a struct but the size to be cleared ends up
-writing over further members.
-
-Such a call happens in the trace code to clear, at once, all members
-after and including `seq` on struct trace_iterator:
-
- In function 'memset',
- inlined from 'ftrace_dump' at kernel/trace/trace.c:8914:3:
- ./include/linux/string.h:344:9: warning: '__builtin_memset' offset
- [8505, 8560] from the object at 'iter' is out of the bounds of
- referenced subobject 'seq' with type 'struct trace_seq' at offset
- 4368 [-Warray-bounds]
- 344 | return __builtin_memset(p, c, size);
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-In order to avoid GCC complaining about it, we compute the address
-ourselves by adding the offsetof distance instead of referring
-directly to the member.
-
-Since there are two places doing this clear (trace.c and trace_kdb.c),
-take the chance to move the workaround into a single place in
-the internal header.
-
-Link: http://lkml.kernel.org/r/20190523124535.GA12931@gmail.com
-
-Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
-[ Removed unnecessary parenthesis around "iter" ]
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- kernel/trace/trace.c | 6 +-----
- kernel/trace/trace.h | 18 ++++++++++++++++++
- kernel/trace/trace_kdb.c | 6 +-----
- 3 files changed, 20 insertions(+), 10 deletions(-)
-
---- a/kernel/trace/trace.c
-+++ b/kernel/trace/trace.c
-@@ -6896,12 +6896,8 @@ void ftrace_dump(enum ftrace_dump_mode o
-
- cnt++;
-
-- /* reset all but tr, trace, and overruns */
-- memset(&iter.seq, 0,
-- sizeof(struct trace_iterator) -
-- offsetof(struct trace_iterator, seq));
-+ trace_iterator_reset(&iter);
- iter.iter_flags |= TRACE_FILE_LAT_FMT;
-- iter.pos = -1;
-
- if (trace_find_next_entry_inc(&iter) != NULL) {
- int ret;
---- a/kernel/trace/trace.h
-+++ b/kernel/trace/trace.h
-@@ -1325,4 +1325,22 @@ static inline void __init trace_event_in
- #endif
-
-
-+/*
-+ * Reset the state of the trace_iterator so that it can read consumed data.
-+ * Normally, the trace_iterator is used for reading the data when it is not
-+ * consumed, and must retain state.
-+ */
-+static __always_inline void trace_iterator_reset(struct trace_iterator *iter)
-+{
-+ const size_t offset = offsetof(struct trace_iterator, seq);
-+
-+ /*
-+ * Keep gcc from complaining about overwriting more than just one
-+ * member in the structure.
-+ */
-+ memset((char *)iter + offset, 0, sizeof(struct trace_iterator) - offset);
-+
-+ iter->pos = -1;
-+}
-+
- #endif /* _LINUX_KERNEL_TRACE_H */
---- a/kernel/trace/trace_kdb.c
-+++ b/kernel/trace/trace_kdb.c
-@@ -36,12 +36,8 @@ static void ftrace_dump_buf(int skip_lin
-
- kdb_printf("Dumping ftrace buffer:\n");
-
-- /* reset all but tr, trace, and overruns */
-- memset(&iter.seq, 0,
-- sizeof(struct trace_iterator) -
-- offsetof(struct trace_iterator, seq));
-+ trace_iterator_reset(&iter);
- iter.iter_flags |= TRACE_FILE_LAT_FMT;
-- iter.pos = -1;
-
- if (cpu_file == RING_BUFFER_ALL_CPUS) {
- for_each_tracing_cpu(cpu) { |